Power Automate, Power Platform Admin and Governance

Will It Break? Non-business Dataverse connector + AI Builder with a DLP policy for the Default environment

The case

As a Power Platform admin, I want to remediate the Default environment to deploy a DLP policy so I can get to Power Platform maturity level 200 for Admin and Governance.

Olena

We notified users with non-compliant assets to back up or move their apps and automation, as they are going to break during the remediation. Some of the users got back to me, and we had some happy and unhappy conversations. One case stood out, so I decided to share it with you.

A user contacted us to ask if we could help him to back up assets. His assets appear in our reports as they use a Dataverse connection. I was curious about what Dataverse is being used for. After the screenshare, we discovered that the data source in the automation is SharePoint and the data target is Excel Online, both compliant and classified as Business connectors. Where does the Dataverse connector come from?

In the 3-step automation, the step in the middle was the action "Extract information from documents", which uses the Document Processing AI model.

Usually, I don’t work with AI Builder. I prefer to use a custom connector with an Azure-hosted AI model instead for better value and flexibility.

Microsoft docs

AI Builder requires the use of Microsoft Dataverse, which is the data platform for Microsoft Power Platform that allows you to store and manage business data. Dataverse is the platform on which Dynamics 365 apps are built. This means if you’re a Dynamics 365 customer, your data is already in Dataverse.

From the Microsoft documentation here: https://learn.microsoft.com/en-us/ai-builder/build-model

Therefore, using the AI Builder action in Power Automate equals using the Dataverse connector indirectly.

Will it break?

We are deploying a tier 0 DLP policy where Dataverse is classified as a Non-Business connector. In the automation described above, all actions except for the AI Builder one belong to Business connectors. It will break.

However, the Dataverse connector usage is indirect so there is a 0.5% chance it survives the remediation.

POC

If I am not sure how it works, I create a POC.

For this one I had to create an environment first, then a DLP policy with the required setup, then create and train a custom model, and then create an automation. Lots of moving parts, but I was too curious to think it through.

So the steps are:

Create an environment first as we don’t want to break anything existing.

Environments list with a new environment created

Create a DLP policy but keep the Dataverse connector as Business for now.

DLP policy wizard on the Prebuilt connectors step with Business connectors tab

In the environment, create a custom Document Processing model.

Document Processing model dashboard showing the model is trained and ready to use

Create an automation using the model. Note it shows the Microsoft Dataverse connector in the list of connections for AI Builder. Also, notice the successful run and the status of the job.

Power Automate flow property screen showing Dataverse in the list of connectors
Power Automate steps including Extract information from documents action

After testing the job, let’s modify the policy by moving the Dataverse connector to Non-business.

DLP policy wizard showing Non-business tab with Dataverse connector

It breaks!

Flow checker showing error messages with the DLP policy restrictions
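The POC result can be reproduced as an offline pre-remediation check. The following is an added example, not code from the original post or from Microsoft: the connector names are display labels, the flow inventory is constructed, and the mapping from an AI Builder action to Dataverse is taken from the finding above. It treats a flow as non-compliant when its connectors span both the Business and Non-business groups, or when any connector is Blocked.

```python
# Added example with constructed data; connector names are display labels.
# Assumption taken from the page: an AI Builder action uses Dataverse indirectly.
RESOLVES_TO = {"AI Builder": "Microsoft Dataverse"}

def effective_connectors(steps):
    """Map each step's label to the connector the DLP policy evaluates."""
    return {RESOLVES_TO.get(name, name) for name in steps}

def evaluate_flow(steps, policy, default_group="Non-business"):
    """Classify one flow under a DLP policy.

    policy: connector -> "Business" | "Non-business" | "Blocked".
    Unlisted connectors fall into default_group (an assumption of this sketch).
    """
    groups = {}
    for connector in effective_connectors(steps):
        group = policy.get(connector, default_group)
        groups.setdefault(group, set()).add(connector)
    if "Blocked" in groups:
        return "violation: blocked connector", groups
    if "Business" in groups and "Non-business" in groups:
        return "violation: mixes Business and Non-business", groups
    return "compliant", groups

def flows_that_break(flows, policy):
    """Names of flows that would stop working under the policy, sorted."""
    return sorted(name for name, steps in flows.items()
                  if evaluate_flow(steps, policy)[0] != "compliant")

# Constructed inventory: the 3-step flow from the case plus a control flow.
FLOWS = {
    "document-extract": ["SharePoint", "AI Builder", "Excel Online"],
    "list-to-sheet": ["SharePoint", "Excel Online"],
}
BUSINESS = {"SharePoint": "Business", "Excel Online": "Business"}
# POC policy before the change: Dataverse still classified as Business.
POC_POLICY = {**BUSINESS, "Microsoft Dataverse": "Business"}
# Tier 0 policy: Dataverse moved to Non-business.
TIER0_POLICY = {**BUSINESS, "Microsoft Dataverse": "Non-business"}

if __name__ == "__main__":
    for label, policy in (("POC", POC_POLICY), ("tier 0", TIER0_POLICY)):
        broken = flows_that_break(FLOWS, policy)
        print(label, "->", broken or "nothing breaks")
```
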

Solution – no solution

We suggested the user back up his jobs and models as the DLP policy deployment is going to impact the non-compliant assets.

Solution aware AI model

Carefully read the article here: https://learn.microsoft.com/en-us/ai-builder/distribute-model

AI model ALM limitations

6 thoughts on “Will It Break? Non-business Dataverse connector + AI Builder with a DLP policy for the Default environment”

  1. What do you think of setting up an environment specifically for AI-based solutions and AI Builder? Thinking ways to govern AI Builder specifically, since it uses credits and anyone in the environment can use the credits – I feel like if we assign them to a specific environment it becomes easier to monitor/govern. People could submit a form with their use case to gain access.


    1. Thank you very much for asking!
      Well…there is a bit of a mystery here as well. I couldn’t find any billing traces for the user for the past 3 years he’s been using AI Builder on the Default. No Premium Power Automate license or add-ons or something either. It’s either a feature or a bug or…Anyway, I feel like moving all happy users somewhere else will immediately trigger the delayed billing. It’s all my guessing, have no idea to play with it now as we have to finish the remediation.
      To your idea re common AI environment, here we have very limited tools available for the charge-back model, I know only PAYG which makes sense, how do we charge teams, departments, squads back if we put them all on the common environment? There are also some data security concerns but let’s say, billing would be an issue.
      What do you think?


      1. Re: billing, I haven’t worked with all that many organizations but the ones I have all billed the M365 costs centrally in IT. I guess you could divide it up by department. Mainly thinking AI governance is something that is popping up all over the place all of a sudden, and the way AI Builder is licensed right now literally anyone can use it by default with no limitations unless you assign the credits to specific environments. Not sure it’s an issue yet until more people discover it and then Joe in data runs a flow on his SQL database that uses all the org credits in one go… 🙂


  2. @QUETZALPIE Yeah, tenant level resource allocation is a fav topic. There is a lot to uncover moving forward. As we deploy the default tenant policy on PROD, makers will be forced to talk to us first, so we will be very much across things (I hope). Nobody likes $$$$$$$$ bills.
