Microsoft Power Platform now has 56 million monthly active users, up 27% year-over-year. Gartner predicts that by end of 2026, 80% of low-code automation users will sit outside traditional IT. And as of May 2026, the CoE Starter Kit is no longer actively maintained, with its core capabilities now delivered natively in the Power Platform admin center. If you are standing up a Power Platform Center of Excellence in the second half of 2026, you are doing it in a fundamentally different environment than the one most guidance was written for.
Yet the failure modes have not changed. Most CoE programs collapse through one of two predictable patterns: over-governing early, where lengthy policy documents get written before anyone has mapped the estate, or under-committing, where a steering group forms, meets quarterly, and produces no structural change. Both paths lead to the same outcome. Makers route around the CoE. Business units ignore it. IT takes the blame.
The conventional diagnosis is that these organizations did not take governance seriously enough, or lacked executive sponsorship. The evidence points to something more specific. Most CoE failures in the first 90 days are not governance failures. They are sequencing failures. The first 90 days should produce a functioning governance capability, not a governance document.
TL;DR
A Power Platform Center of Excellence succeeds or fails in its first 90 days based on the sequence of what gets built, not the comprehensiveness of the governance framework. The right sequence is: visibility first, structure second, operationalization third.
Key Takeaways
- Discovery before policy. Map your estate and identify risk before writing governance rules. Organizations that invert this sequence produce artifacts that get bypassed.
- DLP on Day 1. Deploy a tenant-wide restrictive data policy immediately, then layer environment-specific permissive policies as you classify environments.
- Maker enablement is organizational design. Structure makers into tiers (Casual, Power, Pro) with governance permissions mapped to each tier, not just training curricula.
- Phase gates, not timelines. Each 30-day phase ends with pass/fail criteria that determine readiness to advance. Rushing to Phase 3 without completing Phase 1 is the most common CoE mistake.
- AI governance belongs in the charter from Day 1. Copilot Studio agents are already the fastest-growing workload class on the platform. Your CoE mandate must cover them.
Why Sequencing Matters More Than Comprehensiveness
One organization spent the first four months of its CoE program building a comprehensive governance framework before any structural basics were in place. By the time the framework was ready, two of the three internal champions had moved to other priorities. When the team reset with a lighter approach focused on environments, ownership, and visibility, they made more progress in six weeks than they had in the previous four months.
The lesson is not that governance frameworks are unnecessary. It is that the right framework emerges from understanding the estate, not from anticipating it. Organizations that write policies before mapping what exists build rules for scenarios they imagine rather than scenarios that are real. Multi-stage approval workflows get constructed for edge cases while critical finance flows run unmonitored on a contractor's personal account.
The BabyBots Govern-Enable-Measure framework structures the first 90 days into three sequential phases, each ending with a phase gate: a set of pass/fail criteria that must be met before advancing. This prevents the most common failure of rushing to operationalization before discovery is complete, and gives executives objective progress indicators instead of status updates.
The Govern-Enable-Measure Framework
Phase 1: Discover (Days 1-30)
- Focus: Estate visibility and risk identification
- Phase gate question: Can we see what we have and who built it?
Phase 2: Structure (Days 31-60)
- Focus: Environment strategy, governance tiers, maker classification
- Phase gate question: Can we classify what is risky, enable what is safe, and assign ownership?
Phase 3: Operationalize (Days 61-90)
- Focus: Enablement launch, executive reporting, governance review cycles
- Phase gate question: Is the CoE delivering value that leadership can see and measure?
The first 90 days of a Power Platform CoE should produce a functioning governance capability, not a governance document.
Phase 1: Discover (Days 1-30)
The first 30 days have one objective: visibility. You cannot govern what you cannot see, and most organizations are surprised by what their tenant inventory reveals.
Stand Up the Admin Center Experiences
With the CoE Starter Kit no longer receiving updates, the Power Platform admin center is the starting point. Core CoE toolkit scenarios now map to native admin center capabilities: Inventory (view and govern all apps, flows, and agents), Usage (track adoption and identify top resources), Monitor (track operational health of heavily used resources), and Actions (identify risks and enforce best practices).
Enable these across all environments in the first week. The goal is a complete tenant inventory that includes every app, flow, desktop flow, and Copilot Studio agent, along with ownership, environment, and connector usage data.
Conduct a Risk Assessment
With the inventory in hand, prioritize the estate by risk. Three categories matter immediately:
- Orphaned resources. Apps and flows whose creator has left the organization or changed roles. One team discovered a critical finance approval flow still running on the personal account of a contractor who had left the previous quarter. Nobody had noticed because it had never broken. That is the class of risk this assessment is designed to surface.
- High-usage resources without named owners. Anything used by more than 50 people or integrated with a line-of-business system needs a named owner who is accountable for its lifecycle.
- Resources in the default environment connected to sensitive data. The default environment is not intended for long-term or permanent work beyond Microsoft 365 personal productivity scenarios. Anything connecting to financial, HR, or customer data from the default environment is a remediation priority.
Map Your Stakeholders
A CoE needs three roles filled before any governance decisions are made: an executive sponsor who owns the business case and removes organizational blockers, a CoE lead who runs day-to-day operations (this can be a fractional role in mid-market organizations), and departmental champions who represent the maker community and provide ground-level intelligence on what is actually being built.
Citizen developers come from all parts of the organization and do not traditionally sit in IT. Because they have day jobs, they report to leaders who need to buy in to the transformation. Without that buy-in, the CoE becomes an IT initiative that the business tolerates rather than a shared capability the business uses.
Deploy Your Day-1 DLP Baseline
Data loss prevention policies should be the first governance control you deploy. Not the first you design; the first you activate. As an administrator taking over an environment or starting to support use of Power Platform, data policies should be one of the first things you set up.
The Day-1 baseline follows Microsoft's recommended strategy:
- Tenant-wide restrictive policy. Create a policy spanning all environments except selected ones. Keep available connectors limited to Microsoft 365 and other standard microservices in the Business data group. Block access to everything else. This policy applies to the default environment and any unclassified environments.
- Environment-specific permissive policies. Create more permissive data policies for shared user and team productivity environments where the CoE has classified the data sensitivity and connector requirements.
This is not the permanent DLP architecture. It is the Day-1 safety net that prevents new high-risk connections while you complete the estate assessment. You will refine it in Phase 2 as your environment strategy takes shape.
Phase 1 Gate Deliverables
- Complete tenant inventory with resource counts by type and environment
- Risk-ranked asset list with orphaned, unowned, and high-risk resources flagged
- Named executive sponsor, CoE lead, and at least two departmental champions
- Tenant-wide DLP baseline policy active
Phase 2: Structure (Days 31-60)
Phase 1 told you what you have. Phase 2 determines how you organize it. This is where environment strategy, maker classification, and ownership assignments come together into a governance framework that reflects reality rather than theory.
Establish Your Environment Strategy
Environment sprawl is one of the most common CoE failures in large enterprises. Organizations end up with hundreds of environments because no one established a policy before adoption scaled. The corrective is a tiered model that separates experimentation from production.
A key element of the transition to enterprise scale is to enhance the shared, central environment strategy for makers by making it easier for them to use personal, development environments. The three-tier model that works:
- Personal developer environments. Low-risk sandboxes where individual makers experiment. Limited connector access. No shared data. Auto-expire after 90 days of inactivity.
- Shared sandbox environments. Team development spaces with broader connector access and Dataverse provisioning. Require a lightweight intake process: business justification, data classification, expected user count. A 24-hour turnaround on those requests eliminates the shadow environment problem without blocking legitimate work.
- Managed production environments. Production-grade environments with managed environment capabilities enabled, providing greater visibility and control. Only resources that pass application lifecycle management (ALM) review are promoted here.
Define Your Maker Tiers
Most organizations treat maker enablement as a training problem: run a workshop, share some documentation, hope for the best. The organizations that scale citizen development treat it as an organizational design question. The citizen developer governance model that works uses tiered maker classifications, each mapping to specific governance permissions.
Maker Tiering Framework
Casual Maker
- Access: Default and personal developer environments only
- Connectors: Microsoft 365 connectors (SharePoint, Outlook, Teams, Excel)
- Governance: Tenant-wide DLP policy applies. No premium connector access.
- Enablement: Self-service templates, community access, welcome automation
Power Maker
- Access: Shared sandbox environments plus personal developer environments
- Connectors: Broader connector library including approved third-party connectors
- Governance: Environment-specific DLP policies. Pattern library access. Peer review before production promotion.
- Enablement: Office hours with CoE team, advanced training tracks, solution checker integration
Pro Maker
- Access: Production managed environments via ALM pipeline
- Connectors: Full connector library including premium connectors with approval workflow for new additions
- Governance: Solution-level DLP policies. CI/CD pipeline participation. Mandatory code review for custom connectors.
- Enablement: Direct CoE collaboration, architecture review sessions, access to preferred solutions catalog
Advancement between tiers should be criteria-based, not manager-approved. A Casual Maker who has completed required training, built three solutions that pass solution checker, and demonstrated data classification awareness qualifies for Power Maker status. This removes politics from the process and creates a clear path that motivated makers can navigate themselves.
Assign Ownership to High-Risk Assets
Every resource flagged as high-risk in Phase 1 must have a named owner by the end of Phase 2. This is the hardest deliverable of the entire 90 days because it requires conversations that cross organizational boundaries. The app that finance uses daily may have been built by someone in operations who no longer supports it. The flow that onboards new hires may run through three departments' data without any single department claiming accountability.
These conversations are not technical. They are political. The CoE lead needs executive sponsor support to resolve ownership disputes, and the resolution must be documented in the admin center, not in a spreadsheet.
Make the Tooling Decision
While the admin center now covers inventory and monitoring, there is still a meaningful gap between what the admin center provides today and what most organizations need to run a full governance model. Compliance detail requests, orphan cleanup automation, maker nurture campaigns, and innovation backlog management are capabilities the Starter Kit addressed that the admin center has not fully absorbed.
The pragmatic approach: deploy the native admin center as your primary governance surface. Supplement with CoE Starter Kit components only for the specific gaps that matter to your operating model, and plan to retire those components as native equivalents arrive. Do not build new governance automation on the Starter Kit foundation.
Phase 2 Gate Deliverables
- Environment strategy documented with three tiers and creation governance
- Maker tiering framework defined with governance permissions per tier
- 100% of Phase 1 high-risk assets have named owners in the admin center
- Tooling deployed (admin center experiences active, supplemental Starter Kit components where needed)
- DLP policies refined to align with environment tiers
Phase 3: Operationalize (Days 61-90)
Phases 1 and 2 built the infrastructure. Phase 3 is where the CoE starts delivering visible value. If your leadership team cannot see what the CoE is doing by Day 90, it will not survive the next budget cycle.
Launch the Maker Enablement Program
The Power Platform maker enablement program turns governance structure into maker experience. Four components should be live by Day 90:
- Welcome automation. When someone creates their first app or flow, they receive an automated message introducing the CoE, linking to approved templates, and pointing to community resources. This is the moment when governance and enablement are the same thing.
- Approved template library. A curated set of starter templates that follow your DLP policies, use approved connectors, and demonstrate good architectural patterns. The goal is to make the right way to build also the easy way to build.
- Maker community. A Teams channel or similar space where makers ask questions, share solutions, and learn from peers. This is not optional. It is the intelligence network that tells the CoE what makers are actually building and where they are hitting friction.
- First lunch-and-learn. One live session, with a real demo of something built on the platform that solved a real business problem. Nothing builds credibility faster than a peer showing what they accomplished.
Build the Executive Dashboard
The Usage and Monitor telemetry from the admin center provides the raw data. The executive dashboard translates it into four metrics your sponsor cares about:
- Estate visibility. Percentage of total resources inventoried and classified. Target: 95% by Day 90.
- Ownership coverage. Percentage of high-risk assets with named owners. Target: 100% of Phase 1 flagged assets.
- DLP coverage. Percentage of environments with active, tier-appropriate data policies. Target: 100%.
- Maker engagement. Percentage of active makers who have accessed enablement resources (templates, community, training). Target: 40% by Day 90.
These are not vanity metrics. They answer the four questions every executive sponsor will ask: Do we know what we have? Do we know who is responsible? Are we protected? Are makers using the platform the way we intended?
Run the First Governance Review
Before Day 90, the CoE should complete one full governance review cycle: examine DLP violation logs, assess environment compliance against the tiered strategy, review ownership gaps for newly created resources, and evaluate whether maker tier assignments reflect actual usage patterns. This first cycle establishes the cadence. Monthly is appropriate for most organizations; weekly is warranted for tenants with more than 10,000 active makers.
Draft the AI Governance Charter
Copilot Studio agents are not a future consideration. More than 230,000 organizations, including 90% of the Fortune 500, already use Copilot Studio to create and customize agents. Your CoE mandate must cover them.
The AI governance charter does not need to be comprehensive in Phase 3. It needs to establish three things: that agents are governed as first-class resources alongside apps and flows, that a zoned governance model applies (Zone 1 for personal experimentation, Zone 2 for team collaboration, Zone 3 for enterprise-managed production agents), and that agent connector permissions follow the same DLP tiering as traditional workloads. For a deeper treatment of agent-specific governance, including Entra Agent ID, MCP server controls, and evaluation frameworks, see BabyBots' 2026 Blueprint for AI Agent CoE design.
Phase 3 Gate Deliverables
- Maker enablement program live with all four components operational
- Executive dashboard deployed with four baseline metrics
- First governance review cycle completed with findings documented
- AI governance charter drafted and reviewed by CoE forum
- Success metrics baselined for ongoing measurement
After Day 90: What Mature Looks Like
Day 90 is not the finish line. It is the point where the CoE has earned enough credibility to govern. Organizations with mature CoEs achieve 67% faster solution delivery and 72% improved security posture compared to ungoverned environments. That maturity is built in quarters two through four, not in the first 90 days.
What the roadmap beyond Day 90 typically includes: licensing optimization as you understand actual usage patterns, reusable component libraries that eliminate redundant development, advanced ALM with pipelines and preferred solutions, expanded agent governance as Copilot Studio workloads scale, and adoption of the Agentic Center of Enablement as its three AI-powered governance agents (Highlights, Insights, and Action Plan) move from public preview to general availability.
The organizations that get the first 90 days right have a CoE that can absorb these capabilities as they arrive. The ones that skip discovery or rush to operationalization are still rebuilding their foundation when the next wave of platform capability lands.
Frequently Asked Questions
Should we still deploy the CoE Starter Kit now that Microsoft has stopped maintaining it?
Use the native Power Platform admin center as your primary governance surface. The Starter Kit still works today, but without ongoing updates, there is a risk that parts of it may fall out of step as the platform evolves. Deploy Starter Kit components only for specific gaps the admin center does not yet cover, such as compliance detail requests, orphan cleanup automation, and maker nurture campaigns, and plan to retire them as native replacements arrive.
How do we staff a CoE with limited IT resources?
A mid-market CoE does not require a dedicated team. The minimum viable structure is a fractional CoE lead (an existing platform admin who allocates 40-50% of their time), an executive sponsor who removes blockers monthly, and two departmental champions who spend two to three hours per week surfacing maker needs. The native admin center capabilities serve as force multipliers, replacing custom Starter Kit maintenance with out-of-the-box telemetry. Scale staffing only as the estate and maker population grow.
What should our DLP policy baseline look like on Day 1?
Create a policy spanning all environments except selected ones, keep the available connectors limited to Microsoft 365 and other standard microservices, and block access to everything else. Then create more permissive data policies for environments you have explicitly classified. This two-layer approach prevents new high-risk connections from forming in unclassified environments while preserving development velocity where the CoE has assessed the risk.
Who should own the CoE: IT, a shared services function, or the business?
The CoE works best as a shared function with IT providing the platform and governance infrastructure, and business units providing the maker community and use-case prioritization. The fusion team operating model applies here: IT owns the platform controls, business owns the build. The CoE is the coordination layer between them. Pure IT ownership produces bureaucracy; pure business ownership produces ungoverned sprawl.
How do we govern Copilot Studio agents within the CoE?
Traditional governance models designed for low-code apps and automation can be reused and evolved to meet increasing demands from more capable agents. Apply the same DLP policies, managed environments, and role-based access controls. The additional requirement is a zoned governance model that defines autonomy tiers: personal productivity agents that only answer questions receive lighter governance than enterprise agents that execute transactions autonomously. Start with the charter in Phase 3 and expand it as agent adoption scales.
Sources
- Microsoft FY25 Q3 Earnings Call, Microsoft Investor Relations, April 2025
- Gartner Called It: Low-Code Is Eating Software Development, Ninox, 2025
- Power Platform CoE Starter Kit Transition, Microsoft Learn, 2026
- Implement a Data Policy Strategy, Microsoft Learn
- Develop a Tenant Environment Strategy, Microsoft Learn
- Evolving Power Platform Governance for AI Agents, Microsoft Power Platform Blog, July 2025
- Automate Governance with Agentic Center of Enablement, Microsoft Learn, 2026 Release Wave 1
- Power Platform at Scale: Governance and Building a Center of Excellence, Valorem Reply, August 2025
- Microsoft Is No Longer Maintaining the Power Platform CoE Starter Kit, Intelogy, May 2026
- The First 90 Days of a Power Platform Centre of Excellence, Flyte, March 2026
- The Total Economic Impact of Microsoft Power Platform, Forrester, July 2024
- Microsoft Build 2025 Announcements, Microsoft 365 Blog, May 2025
- Get Executive Sponsorship, Microsoft Learn
Conclusion
The Power Platform Center of Excellence you build in the first 90 days determines whether your organization governs its low-code estate deliberately or reactively for years to come. Forrester's research puts Power Platform ROI at 224% over three years for organizations that invest in the infrastructure to scale it properly. The organizations that capture that return are not the ones with the most comprehensive governance documents. They are the ones that got the sequence right: visibility before policy, structure before restriction, measurement before optimization.
At BabyBots, we consistently observe that the organizations able to extend their governance posture to new workload classes, whether AI agents, desktop flows, or cross-tenant integrations, are the ones that invested in CoE infrastructure before those workloads arrived. The ones that skipped the first 90 days of disciplined foundation-building are governing with the same ad-hoc approach that created platform sprawl in the first place. If you are launching a CoE this quarter, the question is not whether you can afford 90 days of structured setup. It is whether you can afford not to.

.avif)
.avif)