Fix Risk Assessment State inconsistency for Bots and Custom Connectors

[Copilot]

Bots and Custom Connectors required all fields populated to transition Risk Assessment State from "Requested" to "Submitted", while Apps, Flows, and other resources accepted partial submissions. Users received "saved" confirmations but state remained "Requested", causing continued email reminders.

Changes

Modified PowerFx OnButtonSelect handlers in two Canvas Apps to remove conditional validation wrapper:

Affected files:

• admin_developercompliancecenterbotspage_208a6_DocumentUri.msapp (Controls\87.json)
• admin_developercompliancecentercustomconnecto80628_DocumentUri.msapp (Controls\57.json)

Before (Bots)

If(
    And(
        !IsBlank(vSelectedBot.'Bot Description'), 
        !IsBlank(vSelectedBot.'Maker Requirement - Business Justification'),
        // ... 4 more field checks
        vSelectedBot.'Mitigation Plan Provided'='Mitigation Plan Provided (PVA Bots)'.Yes
    ), 
    // State update only executes if all conditions met
    UpdateIf('PVA Bots', PVA=vSelectedBot.PVA, 
        {'Admin Requirement - Risk Assessment State': 'Risk Assessment State Choice'.Submitted}
    );
)

After (Bots)

/* Validation checks moved to comments */

// State update now executes unconditionally
UpdateIf('PVA Bots', PVA=vSelectedBot.PVA, 
    {'Admin Requirement - Risk Assessment State': 'Risk Assessment State Choice'.Submitted}
);

Same pattern applied to Custom Connectors page.

Rationale

Aligns with behavior established across Apps/Flows/Desktop Flows/Environments pages (per issue #2092, 2022). Admin review workflow determines submission completeness rather than client-side validation.

Impact

• Partial submissions now transition state to "Submitted"
• Email notifications stop after any submission
• Admins can return incomplete submissions for revision
• Consistent UX across all resource types

Documentation

• RISK_ASSESSMENT_STATE_FIX.md - Issue analysis and solution details
• CHANGE_DETAILS.md - Line-by-line code comparison
• VISUAL_FLOW_DIAGRAM.md - State transition diagrams

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• aka.ms
  • Triggering command: wget REDACTED -O pac.tar.gz (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[CoE Starter Kit - BUG] Developer Compliance Center is inconsistent when setting the Risk Assessment State between Apps, Bots, and Flows</issue_title>
<issue_description>### Does this bug already exist in our backlog?

• I have checked and confirm this is a new bug.

Describe the issue

The compliance request submission for Copilot Studio Agents (bots) and Custom Connectors do not move Admin Requirement - Risk Assessment State is set from "Requested" to "Submitted" when completed unless:

1. All fields are populated
2. In the case of Copilot Agents, Mitigation plan must also be set to Yes.
   Custom Connector

Bots (Copilot Agents)

On-screen messaging indicates a successful save which the user interprets as a successful submission

Expected Behavior

When compliance information is requested for Desktop Flows, Cloud Flows, Canvas apps, Environments, Model-Driven Apps from a maker, if the user submits anything, the value of Admin Requirement - Risk Assessment State is set from "Requested" to "Submitted" preventing future request emails until the submission is marked complete or returned for review. This logic occurs in the OnButtonSelect in each of the panSupportDetails components.

I think this behavior makes sense. The platform admins and internal policy should drive what information each of us need from end users.

It appears this behavior was adjusted from requiring all fields to accepting any submission in 2022. #2092 (comment)

If that is not possible to remove the checks, an indication by model or Notify() banner to the user that this will not complete the compliance request.

What solution are you experiencing the issue with?

Governance

What solution version are you using?

3.27.3

What app or flow are you having the issue with?

Developer Compliance Center

What method are you using to get inventory and telemetry?

Cloud flows

Steps To Reproduce

1. Request information for a Bot (Copilot Agent)

2. Have the maker leave "Mitigation Plan Provided" set to NO but fill out the rest.

3. Request never moves to "submitted" and user continues to recieve notices requesting compliance information.

4. Return and set "Mitigation Plan Provided" set to YES and the submission will move to submitted.

Anything else?

No response</issue_description>

<agent_instructions>Analyze the issue and troubleshoot with proper solution why Developer Compliance Center is inconsistent when setting the Risk Assessment State between Apps, Bots, and Flows.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes [CoE Starter Kit - BUG] Developer Compliance Center is inconsistent when setting the Risk Assessment State between Apps, Bots, and Flows #10463

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.