
Conversation

Contributor

Copilot AI commented Jan 30, 2026

Users frequently misconfigure CoE environment security by conflating environment security groups (which control environment access) with maker M365 groups (which are used for app sharing and communications). This leads to unauthorized environment access when the Admin | Add Maker to Group flow auto-enrolls discovered makers.

Documentation Added

FAQ: CoE Environment Access Control and Visibility

File: CenterofExcellenceResources/FAQ-EnvironmentAccessControl.md

Addresses three common questions:

  1. RBAC implementation: Step-by-step guide to restrict CoE environment access using Entra ID security groups
  2. User removal impact: Explains consequences of removing users from environment security groups vs. maker M365 groups (critical: service account must remain)
  3. Auto-enrollment behavior: Documents Admin | Add Maker to Group flow that automatically adds users to M365 group when inventory discovers them as makers

Key sections:

  • Architecture diagrams showing proper group separation
  • Resolution workflow for environments accidentally exposed to all users
  • Security best practices (service accounts, DLP policies, conditional access)
  • Troubleshooting guide for flow failures and access control issues

Issue Response Template

File: docs/ISSUE-RESPONSE-EnvironmentAccessControl.md

Quick reference for maintainers responding to similar issues.

Documentation Index

File: docs/README.md

Added references under "Administration" and "Issue Response Templates" sections.

Technical Context

The AdminAddMakertoGroup flow (Core Components) triggers when new records are added to the admin_Maker table. It uses the Power Platform Maker Group ID environment variable to add users to an M365 group via the Office 365 Groups connector. This is intended behavior for maker identification but often misconfigured as an environment security group, granting unintended access.

Original prompt

This section details the original issue you should resolve

<issue_title>[CoE Starter Kit - QUESTION] QUESTION: We created a dedicated environment for COE Toolkit, which is visible to everyone in the organization</issue_title>
<issue_description>### Does this question already exist in our backlog?

  • I have checked and confirm this is a new question.

What is your question?

We created a dedicated environment for the COE Toolkit, which is visible to everyone in the organization; as a result, people are using this environment for Power Apps creation or any new feature creation in Power Platform.

We created an AD group, which was not a dynamic user group; still, all the users got added to it, and as a result the people who were added to the maker group are able to view this environment. Now below are my questions:

  1. Can we implement a RBAC model on this dedicated environment?
  2. Can we remove all the users from this group to revoke the access, if yes, will it impact the COE Toolkit functionality?
  3. Does the COE toolkit have any cloud flow which adds the users in this maker group based on any resource already owned by these users?

What solution are you experiencing the issue with?

Core

What solution version are you using?

January 2026

What app or flow are you having the issue with?

No response

What method are you using to get inventory and telemetry?

None</issue_description>

<agent_instructions>Analyze why "We created a dedicated environment for COE Toolkit, which is visible to everyone in the organization", troubleshoot the question and provide the solution for this question</agent_instructions>

Comments on the Issue (you are @copilot in this section)

Custom agent used: CoE Custom Agent
Specialized agent for triaging and fixing issues in the CoE Starter Kit. Always consult the official CoE docs and the team’s SharePoint notes first, then mine prior GitHub issues and the CoE Common Responses playbook.
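The misconfiguration the PR describes (an environment whose security group is the maker M365 group, or no security group at all, so auto-enrolled makers can see it) can be checked mechanically. The following is an added example, not code from the CoE Starter Kit; the group IDs, member lists and service account name are constructed, and the environment/group data model is an assumption standing in for whatever export an admin pulls from the tenant.

```python
"""Audit environments for the CoE access-control mistakes discussed above (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Environment:
    name: str
    security_group_id: Optional[str]  # None: no security group, so every licensed user sees it


def audit_environment(env: Environment, maker_group_id: str,
                      group_members: Dict[str, Set[str]], service_account: str) -> List[str]:
    """Return findings for one environment; an empty list means it is configured as intended."""
    findings = []
    if env.security_group_id is None:
        findings.append("no security group: environment is visible to all users in the tenant")
    elif env.security_group_id == maker_group_id:
        # The Admin | Add Maker to Group flow adds every discovered maker to this group,
        # so using it as the environment security group grants all makers access.
        findings.append("security group is the maker M365 group: auto-enrolled makers gain access")
    else:
        members = {m.lower() for m in group_members.get(env.security_group_id, set())}
        if service_account.lower() not in members:
            # Removing the service account from the security group breaks the CoE flows.
            findings.append("service account is not in the security group: CoE flows will lose access")
    return findings


def audit_tenant(envs: List[Environment], maker_group_id: str,
                 group_members: Dict[str, Set[str]], service_account: str) -> Dict[str, List[str]]:
    return {e.name: audit_environment(e, maker_group_id, group_members, service_account) for e in envs}


# Constructed sample data; a real run would use the GUID from the
# "Power Platform Maker Group ID" environment variable and Entra ID membership exports.
MAKER_GROUP_ID = "grp-makers"
COE_SECURITY_GROUP_ID = "grp-coe-admins"
SERVICE_ACCOUNT = "coe-svc@contoso.example"
SAMPLE_GROUP_MEMBERS = {
    MAKER_GROUP_ID: {"alice@contoso.example", "bob@contoso.example", SERVICE_ACCOUNT},
    COE_SECURITY_GROUP_ID: {"coe-admin@contoso.example"},  # service account deliberately missing
}
SAMPLE_ENVS = [
    Environment("CoE (misconfigured)", MAKER_GROUP_ID),
    Environment("CoE (dedicated group, service account removed)", COE_SECURITY_GROUP_ID),
    Environment("Default", None),
]

if __name__ == "__main__":
    for name, findings in audit_tenant(SAMPLE_ENVS, MAKER_GROUP_ID, SAMPLE_GROUP_MEMBERS, SERVICE_ACCOUNT).items():
        print(f"{name}: {findings or ['OK']}")
```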



Copilot AI and others added 3 commits January 30, 2026 10:32
Co-authored-by: AmarSaiRam <220305901+AmarSaiRam@users.noreply.github.com>
Co-authored-by: AmarSaiRam <220305901+AmarSaiRam@users.noreply.github.com>
Co-authored-by: AmarSaiRam <220305901+AmarSaiRam@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add role-based access control to COE Toolkit environment" to "Add FAQ: CoE environment access control and maker group auto-enrollment" Jan 30, 2026
Copilot AI requested a review from AmarSaiRam January 30, 2026 10:36

Development

Successfully merging this pull request may close these issues.

[CoE Starter Kit - QUESTION] QUESTION: We created a dedicated environment for COE Toolkit, which is visible to everyone in the organization