{"id":40719,"date":"2026-02-12T17:42:18","date_gmt":"2026-02-12T17:42:18","guid":{"rendered":"http:\/\/localhost\/?p=40719"},"modified":"2026-02-12T17:42:18","modified_gmt":"2026-02-12T17:42:18","slug":"copilot-studio-agent-security-top-10-risks-you-can-detect-and-prevent","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=40719","title":{"rendered":"Copilot Studio agent security: Top 10 risks you can detect and prevent_MSSECURE:97B196E0FF6A0C55E114825C12A230F6"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-02-12T23:02:27&#8243;,&#8221;description&#8221;:&#8221;_Organizations are rapidly adopting Copilot Studio agents, but threat actors are equally fast at exploiting misconfigured AI workflows. Mis-sharing, unsafe orchestration, and weak authentication create new identity and data\u2011access paths that traditional controls don\u2019t monitor. As AI agents become integrated into operational systems, exposure becomes both easier and more dangerous. Understanding and detecting these misconfigurations early is now a core part of AI security posture._\\n\\nCopilot Studio agents are becoming a core part of business workflows: automating tasks, accessing data, and interacting with systems at scale.\\n\\nThat power cuts both ways. In real environments, we repeatedly see small, well\u2011intentioned configuration choices turn into security gaps: agents shared too broadly, exposed without authentication, running risky actions, or operating with excessive privileges. These issues rarely look dangerous until they are abused.\\n\\nIf you want to find and stop these risks before they turn into incidents, this post is for you. We break down ten common Copilot Studio agent misconfigurations we observe in the wild and show how to detect them with Microsoft Defender Advanced Hunting, using the relevant community hunting queries.\\n\\n_Short on time? Start with the table below. 
It gives you a one\u2011page view of the risks, their impact, and the exact detections that surface them. If something looks familiar, jump straight to the relevant scenario and mitigation._\\n\\n_Each section then dives deeper into a specific risk and its recommended mitigations, so you can move from awareness to action, fast._\\n\\n**#**| **Misconfiguration \\u0026 Risk**| **Security Impact**| **Advanced Hunting Community Queries** (go to: Security portal\\u003eAdvanced hunting\\u003eQueries\\u003eCommunity Queries\\u003eAI Agent folder)  \\n---|---|---|---  \\n1| Agent shared with entire organization or broad groups| Unintended access, misuse, expanded attack surface| \u2022 AI Agents \u2013 Organization or Multi\u2011tenant Shared  \\n2| Agents that do not require authentication| Public exposure, unauthorized access, data leakage| \u2022 AI Agents \u2013 No Authentication Required  \\n3| Agents with HTTP Request actions using risky configurations| Governance bypass, insecure communications, unintended API access| \u2022 AI Agents \u2013 HTTP Requests to connector endpoints<br>\u2022 AI Agents \u2013 HTTP Requests to non\u2011HTTPS endpoints<br>\u2022 AI Agents \u2013 HTTP Requests to non\u2011standard ports  \\n4| Agents capable of email\u2011based data exfiltration| Data exfiltration via prompt injection or misconfiguration| \u2022 AI Agents \u2013 Sending email to AI\u2011controlled input values<br>\u2022 AI Agents \u2013 Sending email to external mailboxes  \\n5| Dormant connections, actions, or agents| Hidden attack surface, stale privileged access| \u2022 AI Agents \u2013 Published Dormant (30d)<br>\u2022 AI Agents \u2013 Unpublished Unmodified (30d)<br>\u2022 AI Agents \u2013 Unused Actions<br>\u2022 AI Agents \u2013 Dormant Author Authentication Connection  \\n6| Agents using author (maker) authentication| Privilege escalation, separation-of-duties bypass| \u2022 AI Agents \u2013 Published Agents with Author Authentication<br>\u2022 AI Agents \u2013 MCP Tool with Maker Credentials  \\n7| Agents containing hard\u2011coded credentials| Credential leakage, unauthorized system access| \u2022 AI Agents \u2013 Hard\u2011coded Credentials in Topics or Actions  \\n8| Agents with Model Context Protocol (MCP) tools configured| Undocumented access paths, unintended system interactions| \u2022 AI Agents \u2013 MCP Tool Configured  \\n9| Agents with generative orchestration lacking instructions| Prompt abuse, behavior drift, unintended actions| \u2022 AI Agents \u2013 Published Generative Orchestration without Instructions  \\n10| Orphaned agents (no active owner)| Lack of governance, outdated logic, unmanaged access| \u2022 AI Agents \u2013 Orphaned Agents with Disabled Owners  \\n  \\n## Top 10 risks you can detect and prevent\\n\\nImagine this scenario: a help desk agent is created in your organization with simple instructions.\\n\\nThe maker, someone from the support team, connects it to an organizational Dataverse using an MCP tool, so it can pull relevant customer information from internal tables and provide better answers. So far, so good.\\n\\nThen the maker decides, on their own, that the agent doesn\u2019t need authentication. After all, it\u2019s only shared internally, and the data belongs to employees anyway (see the example in Figure 1). That might already sound suspicious to you, and it should: sharing scope is not an access control, and an agent that never authenticates cannot tell an employee from anyone else who obtains the link. But it doesn\u2019t sound suspicious to everyone.\\n\\nYou might be surprised how often agents like this exist in real environments, and how rarely security teams get an active signal when they\u2019re created. No alert. No review. 
Just another _helpful_ agent quietly going live.\\n\\nNow here\u2019s the question: out of the 10 risks described in this article, how many do you think are already present in this simple agent?\\n\\nThe answer comes at the end of the blog.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-28.webp)Figure 1 &#8211; Example Help Desk agent.\\n\\n### 1: Agent shared with the entire organization or broad groups\\n\\nSharing an agent with your entire organization or with broad security groups exposes its capabilities without proper access boundaries. While convenient, this practice expands the attack surface. Users unfamiliar with the agent&#8217;s purpose might unintentionally trigger sensitive actions, and threat actors with minimal access could use the agent as an entry point.\\n\\nIn many organizations, this risk occurs because broad sharing is fast and easy, and there are often no controls to ensure that only the right users have access. The result is agents that are visible to everyone, including users with unrelated roles or inappropriate permissions. This visibility increases the risk of data exposure, misuse, and unintended activation of sensitive connectors or actions.\\n\\n### 2: Agents that do not require authentication\\n\\nAgents that can be accessed without authentication, or that only prompt for authentication on demand, create a significant exposure point. When an agent is publicly reachable or unauthenticated, anyone with the link can use its capabilities. Even if the agent appears harmless, its topics, actions, or knowledge sources might unintentionally reveal internal information or allow interactions that were never intended for public access.\\n\\nThis gap appears because authentication was deactivated for testing, left in its default state, or misunderstood as optional. The result is an agent that behaves like a public entry point into organizational data or logic. 
Without proper controls, this creates a risk of data leakage, unintended actions, and misuse by external or anonymous users.\\n\\n### 3: Agents with HTTP request actions with risky configurations\\n\\nAgents that perform direct HTTP requests introduce unique risks, especially when those requests target non-standard ports, insecure schemes, or sensitive services that already have built-in Power Platform connectors. These patterns often bypass the governance, validation, throttling, and identity controls that connectors provide. As a result, they can expose the organization to misconfigurations, information disclosure, or unintended privilege escalation.\\n\\nThese configurations usually appear unintentionally. A maker might copy a sample request, test an internal endpoint, or use HTTP actions for flexibility and convenience during testing. Without proper review, this can lead to agents issuing unsecured calls over plain HTTP or invoking critical Microsoft APIs directly through URLs instead of through secured connectors. Each of these behaviors represents an opportunity for misuse or accidental exposure of organizational data.\\n\\n### 4: Agents capable of email-based data exfiltration\\n\\nAgents that send emails using dynamic or externally controlled inputs present a significant risk. When an agent uses generative orchestration to send email, the orchestrator determines the recipient and message content at runtime. In a successful cross-prompt injection (XPIA) attack, a threat actor could instruct the agent to send internal data to external recipients.\\n\\nA similar risk exists when an agent is explicitly configured to send emails to external domains. Even for legitimate business scenarios, unaudited outbound email can allow sensitive information to leave the organization. Because email is an immediate outbound channel, any misconfiguration can lead to unmonitored data exposure, and many organizations create this gap without realizing it.\\n\\n
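
Added example (not from the Microsoft post): the checks described under risks 3 and 4, written as a small static analyzer over a constructed list of agent actions. The record layout (`type`, `url`, `to`, `body_source`), the connector-covered host list and the tenant domain are assumptions for illustration, not Copilot Studio's export schema or the logic of the community queries, and the sample actions are constructed.

```python
# Added example (not from the Microsoft post): static checks for the two
# outbound-action risks described above, HTTP Request actions with risky
# targets (risk 3) and email actions that can exfiltrate data (risk 4), run
# over a constructed list of agent actions. The record layout, host list and
# tenant domain are assumptions for illustration, not Copilot Studio's
# export schema or the community query logic.
from urllib.parse import urlparse

# Services that already have first-party Power Platform connectors; a raw
# HTTP Request to one of these bypasses the connector's governance controls.
# Illustrative list, not an authoritative inventory.
CONNECTOR_COVERED_HOSTS = {
    'graph.microsoft.com',
    'management.azure.com',
    'api.powerbi.com',
    'outlook.office.com',
}
STANDARD_PORTS = {'http': 80, 'https': 443}
INTERNAL_DOMAINS = {'contoso.com'}      # assumed tenant domain(s)


def check_http_action(action):
    """Findings for one HTTP Request action (empty list means clean)."""
    findings = []
    url = urlparse(action['url'])
    host = (url.hostname or '').lower()
    if url.scheme != 'https':
        findings.append('non-HTTPS scheme')
    port = url.port or STANDARD_PORTS.get(url.scheme)
    if port not in (80, 443):
        findings.append('non-standard port ' + str(port))
    # Match the host itself and any subdomain of a connector-covered host.
    if any(host == h or host.endswith('.' + h) for h in CONNECTOR_COVERED_HOSTS):
        findings.append('connector-covered endpoint called directly')
    return findings


def check_email_action(action):
    """Findings for one send-email action (empty list means clean)."""
    findings = []
    to = action['to']
    if to.get('source') == 'ai':
        # The orchestrator chooses the recipient at runtime, so a prompt
        # injection can redirect the message anywhere.
        findings.append('AI-controlled recipient')
    else:
        for addr in to.get('value', []):
            domain = addr.rsplit('@', 1)[-1].lower()
            if domain not in INTERNAL_DOMAINS:
                findings.append('external recipient ' + addr)
    if action.get('body_source') == 'ai' and findings:
        findings.append('AI-controlled body can carry internal data')
    return findings


def assess_actions(actions):
    """Map each action name to its findings."""
    report = {}
    for a in actions:
        if a['type'] == 'http':
            report[a['name']] = check_http_action(a)
        elif a['type'] == 'email':
            report[a['name']] = check_email_action(a)
    return report


# Constructed sample: two clean actions and four risky ones.
SAMPLE_ACTIONS = [
    {'name': 'GetTicket', 'type': 'http',
     'url': 'https://tickets.contoso.com/api/tickets'},
    {'name': 'LegacyLookup', 'type': 'http',
     'url': 'http://legacy.contoso.com:8080/lookup'},
    {'name': 'GraphUsers', 'type': 'http',
     'url': 'https://graph.microsoft.com/v1.0/users'},
    {'name': 'NotifyOwner', 'type': 'email',
     'to': {'source': 'fixed', 'value': ['helpdesk@contoso.com']},
     'body_source': 'fixed'},
    {'name': 'SendSummary', 'type': 'email',
     'to': {'source': 'ai'}, 'body_source': 'ai'},
    {'name': 'VendorAlert', 'type': 'email',
     'to': {'source': 'fixed', 'value': ['alerts@vendor.example']},
     'body_source': 'fixed'},
]

if __name__ == '__main__':
    for name, findings in assess_actions(SAMPLE_ACTIONS).items():
        print(name, '->', findings or 'OK')
```

Run over an exported action list, the report carries the same signal that the three HTTP and two email queries in the table surface, computed locally; the follow-up for a hit is the mitigation in playbook section 4: replace the raw request with the connector, enforce HTTPS on standard ports, and pin email recipients instead of letting the model choose them.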
Makers often use email actions for testing, notifications, or workflow automation without restricting recipient fields. Without safeguards, these agents can become exfiltration channels for any user who triggers them, or for a threat actor exploiting generative orchestration paths.\\n\\n### 5: Dormant connections, actions, or agents within the organization\\n\\nDormant agents and unused components might seem harmless, but they can create significant organizational risk. Unmonitored entry points often lack active ownership. These include agents that haven\u2019t been invoked for weeks, unpublished drafts, and actions using maker authentication. When these elements stay in your environment without oversight, they might contain outdated logic or sensitive connections that don\u2019t meet current security standards.\\n\\nDormant assets are especially risky because they often fall outside normal operational visibility. While teams focus on active agents, older configurations are easily forgotten. Threat actors frequently target exactly these blind spots. For example:\\n\\n  * A published but unused agent can still be called.\\n  * A dormant maker-authenticated action might trigger elevated operations.\\n  * Unused actions in classic orchestration can expose sensitive connectors if they are activated.\\n\\nWithout proper governance, these artifacts remain live, reachable attack surface that nobody is watching.\\n\\n### 6: Agents using author authentication\\n\\nWhen agents use the maker&#8217;s personal authentication, they act on behalf of the creator rather than the end user. In this configuration, every user of the agent inherits the maker&#8217;s permissions. If those permissions include access to sensitive data, privileged operations, or high-impact connectors, the agent becomes a path for privilege escalation.\\n\\nThis exposure often happens unintentionally. 
Makers might allow author authentication for convenience during development or testing, often because it is the default setting of certain tools. However, once published, the agent continues to run with the maker\u2019s elevated permissions even when invoked by regular users. In more severe cases, Model Context Protocol (MCP) tools configured with maker credentials allow threat actors to trigger operations that run directly under the creator&#8217;s identity.\\n\\nAuthor authentication weakens separation of duties and bypasses the principle of least privilege. It also increases the risk of credential misuse, unauthorized data access, and unintended lateral movement.\\n\\n### 7: Agents containing hard-coded credentials\\n\\nAgents that contain hard-coded credentials inside topics or actions introduce a severe security risk. Clear-text secrets embedded directly in agent logic can be read, copied, or extracted by unintended users or automated systems. This often occurs when makers paste API keys, authentication tokens, or connection strings during development or debugging, and the values remain embedded in the production configuration. Such credentials can grant access to external services, internal systems, or sensitive APIs, enabling unauthorized access or lateral movement.\\n\\nBeyond the immediate leakage risk, hard-coded credentials bypass the standard enterprise controls normally applied to secret storage. They are not rotated, not governed by Key Vault policies, and not protected by environment-variable isolation. As a result, even basic read access to an agent definition may expose valuable secrets.\\n\\n### 8: Agents with Model Context Protocol (MCP) tools configured\\n\\nAI agents that include Model Context Protocol (MCP) tools provide a powerful way to integrate with external systems or run custom logic. 
However, if these MCP tools aren\u2019t actively maintained or reviewed, they can introduce undocumented access paths into the environment.\\n\\nThis risk grows when MCP configurations are:\\n\\n  * Activated by default\\n  * Copied between agents\\n  * Left active after the original integration is no longer needed\\n\\nUnmonitored MCP tools might expose capabilities that exceed the agent\u2019s intended purpose. This is especially true if they allow access to privileged operations or sensitive data sources. Without regular oversight, these tools can become hidden entry points through which users or threat actors might trigger unintended system interactions.\\n\\n### 9: Agents with generative orchestration lacking instructions\\n\\nAI agents that use generative orchestration without defined instructions face a high risk of unintended behavior. Instructions are the primary way to align a generative model with its intended purpose. If instructions are missing, incomplete, or misconfigured, the orchestrator lacks the context needed to constrain its output. This makes the agent more susceptible to manipulation through user inputs or hostile prompts.\\n\\nA lack of guidance can cause an agent to:\\n\\n  * Drift from its expected behaviors. The agent might not follow its intended logic.\\n  * Use unexpected reasoning. The model might follow logic paths that don\u2019t align with business needs.\\n  * Interact with connected systems in unintended ways. The agent might trigger actions that were never planned.\\n\\nFor organizations that need predictable and safe behavior, missing instructions are a significant configuration gap.\\n\\n### 10: Orphaned agents\\n\\nOrphaned agents are agents whose owners have left the organization or whose accounts have been deactivated. Without a valid owner, no one is responsible for oversight, maintenance, updates, or lifecycle management.\\n\\n
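
Added example (not from the Microsoft post): the inventory-level checks behind risks 1, 2, 5, 6, 8, 9 and 10, applied to a constructed agent inventory. The record fields, the 500-member cut-off for a 'broad' group and the disabled-owner set are assumptions for illustration; they are not the Defender AI agents inventory schema or the community query logic. The 30-day dormancy window is the one named in the table's queries.

```python
# Added example (not from the Microsoft post): inventory-level checks for
# risks 1, 2, 5, 6, 8, 9 and 10 over a constructed agent inventory. Field
# names, the broad-group threshold and the disabled-owner set are assumptions
# for illustration, not the Defender inventory schema or query logic.
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=30)     # window used by the 30d queries
BROAD_GROUP_MEMBERS = 500              # assumed cut-off for a 'broad' group
# Owners that a directory lookup reports as disabled (constructed).
DISABLED_OWNERS = {'j.doe@contoso.com'}


def parse_ts(value):
    """Parse an ISO-8601 timestamp (assumed UTC) into an aware datetime."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def assess_agent(agent, now):
    """Return the set of risk numbers (numbering from the table) that apply."""
    risks = set()
    sharing = agent['sharing']
    if sharing['scope'] == 'organization' or sharing.get('members', 0) >= BROAD_GROUP_MEMBERS:
        risks.add(1)                                   # broad sharing
    if agent['authentication'] == 'none':
        risks.add(2)                                   # no authentication
    if agent['published']:
        last = agent.get('last_invoked')
        if last is None or now - parse_ts(last) > DORMANT_AFTER:
            risks.add(5)                               # published but dormant
    elif now - parse_ts(agent['modified']) > DORMANT_AFTER:
        risks.add(5)                                   # stale unpublished draft
    actions = agent['actions']
    if any(a['auth'] == 'author' for a in actions):
        risks.add(6)                                   # runs as the maker
    if any(a['kind'] == 'mcp' for a in actions):
        risks.add(8)                                   # MCP tool configured
    if agent['orchestration'] == 'generative' and not agent.get('instructions', '').strip():
        risks.add(9)                                   # generative, no instructions
    if agent['owner'] in DISABLED_OWNERS:
        risks.add(10)                                  # orphaned
    return risks


def assess_inventory(agents, now):
    """Map agent name to a sorted list of applicable risk numbers."""
    return {a['name']: sorted(assess_agent(a, now)) for a in agents}


NOW = parse_ts('2026-02-12T00:00:00')   # assessment time (constructed)

# Constructed inventory: a help-desk style agent modelled on the opening
# scenario, a well-configured agent, and a forgotten draft.
INVENTORY = [
    {'name': 'HelpDesk', 'owner': 'j.doe@contoso.com',
     'sharing': {'scope': 'organization'},
     'authentication': 'none', 'published': True,
     'last_invoked': '2025-12-20T09:15:00', 'modified': '2025-11-01T08:00:00',
     'orchestration': 'generative', 'instructions': '',
     'actions': [{'name': 'DataverseTool', 'kind': 'mcp', 'auth': 'author'}]},
    {'name': 'ExpenseBot', 'owner': 'a.lee@contoso.com',
     'sharing': {'scope': 'group', 'members': 42},
     'authentication': 'entra', 'published': True,
     'last_invoked': '2026-02-11T17:00:00', 'modified': '2026-01-15T08:00:00',
     'orchestration': 'generative',
     'instructions': 'Answer expense-policy questions only.',
     'actions': [{'name': 'PolicySearch', 'kind': 'connector', 'auth': 'user'}]},
    {'name': 'OldDraft', 'owner': 'a.lee@contoso.com',
     'sharing': {'scope': 'group', 'members': 3},
     'authentication': 'entra', 'published': False,
     'modified': '2025-10-02T08:00:00',
     'orchestration': 'classic', 'actions': []},
]

if __name__ == '__main__':
    for name, risks in assess_inventory(INVENTORY, NOW).items():
        print(name, '->', risks or 'no findings')
```

The first constructed agent is the help desk pattern from the opening scenario taken a step further: unauthenticated, shared org-wide, an MCP tool running as the maker, no instructions, and an owner whose account is disabled. Seven of the ten risks fire on it, which is how a simple agent ends up checking off most of the list without anyone making an obviously bad decision.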
These agents might continue to run, interact with users, or access data without an accountable individual ensuring the configuration remains secure.\\n\\nBecause ownerless agents bypass standard review cycles, they often contain outdated logic, deprecated connections, or sensitive access patterns that don\u2019t align with current organizational requirements.\\n\\nRemember the help desk agent we started with? That simple agent setup quietly checked off more than half of the risks in this list.\\n\\nKeep reading, and run the Advanced Hunting queries in the AI Agents folder to find agents carrying these risks in your own environment before it\u2019s too late.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-31.webp)Figure 2: The example Help Desk agent was detected by a query for unauthenticated agents.\\n\\n## From findings to fixes: A practical mitigation playbook\\n\\nThe 10 risks described above manifest in different ways, but they consistently stem from a small set of underlying security gaps: over\u2011exposure, weak authentication boundaries, unsafe orchestration, and missing lifecycle governance.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/image-30.webp)Figure 3 &#8211; Underlying security gaps.\\n\\nDamage doesn\u2019t begin with the attack. It starts when risks are left untreated.\\n\\nThe section below is a practical checklist of validations and actions that help close common agent security gaps _before_ they\u2019re exploited. Read it once, apply it consistently, and save yourself the cost of cleaning up later. Fixing security debt is always more expensive than preventing it.\\n\\n### 1\\\\. Verify intent and ownership\\n\\nBefore changing configurations, confirm whether the agent\u2019s behavior is intentional and still aligned with business needs.\\n\\n  * Validate the business justification for broad sharing, public access, external communication, or elevated permissions with the agent owner.\\n  * Confirm whether agents without authentication are explicitly designed for public use and whether this aligns with organizational policy.\\n  * Review agent topics, actions, and knowledge sources to ensure no internal, sensitive, or proprietary information is exposed unintentionally.\\n  * Ensure every agent has an active, accountable owner. Reassign ownership for orphaned agents or retire agents that no longer have a clear purpose. For step-by-step instructions, see Microsoft Copilot Studio: Agent ownership reassignment.\\n  * Validate whether dormant agents, connections, or actions are still required, and decommission those that are not.\\n  * Perform periodic reviews of agents and establish a clear organizational policy for agent creation. For more information, see Configure data policies for agents.\\n\\n### 2\\\\. Reduce exposure and tighten access boundaries\\n\\nMost Copilot Studio agent risks are amplified by unnecessary exposure. Reducing who can reach the agent, and what it can reach, significantly lowers risk.\\n\\n  * Restrict agent sharing to well\u2011scoped, role\u2011based security groups instead of entire organizations or broad groups. See Control how agents are shared.\\n  * Establish and enforce organizational policies defining when broad sharing or public access is allowed and what approvals are required.\\n  * Enforce full authentication by default. Only allow unauthenticated access when explicitly required and approved. For more information, see Configure user authentication.\\n  * Limit outbound communication paths: \\n    * Restrict email actions to approved domains or hard\u2011coded recipients.\\n    * Avoid AI\u2011controlled dynamic inputs for sensitive outbound actions such as email or HTTP requests.\\n  * Perform periodic reviews of shared agents to ensure visibility and access remain appropriate over time.\\n\\n### 3\\\\. Enforce strong authentication and least privilege\\n\\nAgents must not inherit more privilege than necessary, especially through development shortcuts.\\n\\n  * Replace author (maker) authentication with user\u2011based or system\u2011based authentication wherever possible. For more information, see Control maker-provided credentials for authentication and Configure user authentication for actions.\\n  * Review all actions and connectors that run under maker credentials and reconfigure those that expose sensitive or high\u2011impact services.\\n  * Audit MCP tools that rely on creator credentials and remove or update them if they are no longer required.\\n  * Apply the principle of least privilege to all connectors, actions, and data access paths, even when broad sharing is justified.\\n\\n### 4\\\\. Harden orchestration and dynamic behavior\\n\\nGenerative agents require explicit guardrails to prevent unintended or unsafe behavior.\\n\\n  * Ensure clear, well\u2011structured instructions are configured for generative orchestration to define the agent\u2019s purpose, constraints, and expected behavior. For more information, see Orchestrate agent behavior with generative AI.\\n  * Avoid allowing the model to dynamically decide: \\n    * Email recipients\\n    * External endpoints\\n    * Execution logic for sensitive actions\\n  * Review HTTP Request actions carefully: \\n    * Confirm that the endpoint, scheme, and port are required for the intended use case.\\n    * Prefer built\u2011in Power Platform connectors over raw HTTP requests to benefit from authentication, governance, logging, and policy enforcement.\\n    * Enforce HTTPS and avoid non\u2011standard ports unless explicitly approved.\\n\\n### 5\\\\. Eliminate dead weight and protect secrets\\n\\nUnused capabilities and embedded secrets quietly expand the attack surface.\\n\\n  * Remove or deactivate: \\n    * Dormant agents\\n    * Unpublished or unmodified agents\\n    * Unused actions\\n    * Stale connections\\n    * Outdated or unnecessary MCP tool configurations\\n  * Clean up maker\u2011authenticated actions and classic orchestration actions that are no longer referenced.\\n  * Move all secrets to Azure Key Vault and reference them via environment variables instead of embedding them in agent logic.\\n  * When Key Vault usage is not feasible, enable secure input handling to protect sensitive values.\\n  * Treat agents as production assets, not experiments, and include them in regular lifecycle and governance reviews.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/02\/agent-security-flow-1024x179.webp)\\n\\nEffective posture management is essential for maintaining a secure and predictable Copilot Studio environment.\\n\\n
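
Added example (not from the Microsoft post): a scan of an exported agent definition for embedded secrets, the check behind risk 7 and the 'protect secrets' items above, with the hardened form beside the risky one. The YAML-like topic text, the key values and the `Env.` reference syntax are constructed for illustration; none of it is Copilot Studio's real export format, and the patterns are a starting set, not a complete secret taxonomy.

```python
# Added example (not from the Microsoft post): scan an exported agent
# definition for embedded secrets (risk 7) and show the hardened form that
# references an environment variable instead. The topic text, key values and
# the Env.* reference syntax are constructed; they are not Copilot Studio's
# export format.
import math
import re

# (label, pattern) pairs, written with explicit character classes.
SECRET_PATTERNS = [
    ('bearer token', re.compile('[Bb]earer [ ]*[0-9A-Za-z._-]{20,}')),
    ('azure storage key', re.compile('AccountKey=[0-9A-Za-z+/]{40,}={0,2}')),
    ('api key assignment', re.compile(
        '(?i)(api[_-]?key|x-api-key|client[_-]?secret)[ ]*[:=][ ]*[0-9A-Za-z._-]{16,}')),
]
# Assumed hardened syntax: a reference to an environment variable (which can
# be backed by Azure Key Vault) rather than a literal value.
ENV_REFERENCE = re.compile('Env[.][0-9A-Za-z_]+')
OPAQUE_TOKEN = re.compile('[0-9A-Za-z+/=_-]{32,}')


def shannon_entropy(s):
    """Bits per character of the string; random keys score well above 4."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_definition(text):
    """Return (line_no, label, matched_text) for each likely embedded secret."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if ENV_REFERENCE.search(line):
            continue                          # a reference, not a literal
        for label, pat in SECRET_PATTERNS:
            m = pat.search(line)
            if m:
                hits.append((no, label, m.group(0)))
                break
        else:
            # Fallback: opaque high-entropy literals that no pattern names.
            for tok in OPAQUE_TOKEN.findall(line):
                if shannon_entropy(tok) > 4.0:
                    hits.append((no, 'high-entropy literal', tok))
                    break
    return hits


# Constructed topic export with pasted secrets (the risky form). The key
# values are made up and match no real credential.
VULNERABLE_TOPIC = '''
topic: LookupCustomer
actions:
  - kind: HttpRequest
    url: https://crm.contoso.com/api/customers
    headers:
      x-api-key: sk_live_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c
  - kind: Connection
    connection: DefaultEndpointsProtocol=https;AccountName=contosostore;AccountKey=Q2hhbmdlTWVOb3dQbGVhc2VUaGFua1lvdVZlcnlNdWNoMTIz
    session: 7Gx9pQ2mL4vB8nZ1kR5tW3yH6jD0cF2sA9eU4iO7
'''

# The hardened form: the same action, with the literal replaced by an
# environment-variable reference (syntax assumed for illustration).
HARDENED_TOPIC = '''
topic: LookupCustomer
actions:
  - kind: HttpRequest
    url: https://crm.contoso.com/api/customers
    headers:
      x-api-key: =Env.crm_api_key
'''

if __name__ == '__main__':
    for no, label, text in scan_definition(VULNERABLE_TOPIC):
        print('line', no, label, '->', text[:40])
    print('hardened topic findings:', scan_definition(HARDENED_TOPIC))
```

The hardened topic passes because the scanner treats a line that references a variable as a pointer rather than a literal; the entropy fallback catches opaque tokens that no named pattern covers, at the cost of occasional false positives on long identifiers, which is why it only fires on runs of 32 or more characters scoring above 4 bits per character.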
As agents grow in capability and integrate with increasingly sensitive systems, organizations must adopt structured governance practices that identify risks early and enforce consistent configuration standards.\\n\\nThe scenarios and detection rules presented in this blog provide a foundation to help you:\\n\\n  * Discover common security gaps\\n  * Strengthen oversight\\n  * Reduce the overall attack surface\\n\\nBy combining automated detection with clear operational policies, you can ensure that your Copilot Studio agents remain secure, aligned, and resilient.\\n\\n_This research is provided by Microsoft Defender Security Research with contributions from Dor Edry and Uri Oren._\\n\\n## **Learn more**\\n\\n  * Read about the AI agents inventory at: AI agents inventory in Microsoft Defender\\n  * Learn how to secure AI agents using Microsoft Defender: How to secure AI agents using Microsoft Defender\\n  * Read our blog on Real-Time Protection for AI agents: From runtime risk to real\u2011time defense: Securing AI agents | Microsoft Security Blog\\n\\nThe post Copilot Studio agent security: Top 10 risks you can detect and prevent appeared first on Microsoft Security Blog.&#8221;,&#8221;published&#8221;:&#8221;2026-02-12T20:38:49&#8243;,&#8221;modified&#8221;:&#8221;2026-02-12T20:38:49&#8243;,&#8221;type&#8221;:&#8221;mssecure&#8221;,&#8221;title&#8221;:&#8221;Copilot Studio agent security: Top 10 risks you can detect and 
prevent&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MSSECURE:97B196E0FF6A0C55E114825C12A230F6&#8243;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/02\/12\/copilot-studio-agent-security-top-10-risks-detect-prevent\/&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_sev
erity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-02-12T23:02:27&#8243;,&#8221;description&#8221;:&#8221;_Organizations are rapidly adopting Copilot Studio agents, but threat actors are equally fast at exploiting misconfigured AI workflows. Mis-sharing, unsafe orchestration, and weak authentication create&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,110,13,33,7,11,5],"class_list":["post-40719","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-mssecure","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Copilot Studio agent security: Top 10 risks you can detect and prevent_MSSECURE:97B196E0FF6A0C55E114825C12A230F6 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=40719\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Copilot Studio agent security: Top 10 risks you can detect and prevent_MSSECURE:97B196E0FF6A0C55E114825C12A230F6 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2026-02-12T23:02:27&#8243;,&#8221;description&#8221;:&#8221;_Organizations are rapidly adopting Copilot Studio agents, but threat actors are equally fast at exploiting misconfigured AI workflows. 
Mis-sharing, unsafe orchestration, and weak authentication create...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=40719\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-12T17:42:18+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40719#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40719\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Copilot Studio agent security: Top 10 risks you can detect and prevent_MSSECURE:97B196E0FF6A0C55E114825C12A230F6\",\"datePublished\":\"2026-02-12T17:42:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40719\"},\"wordCount\":3316,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"mssecure\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=40719#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40719\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40719\",\"name\":\"Copilot Studio agent security: Top 10 risks you can detect and 
prevent_MSSECURE:97B196E0FF6A0C55E114825C12A230F6 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-02-12T17:42:18+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40719#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=40719\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=40719#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Copilot Studio agent security: Top 10 risks you can detect and prevent_MSSECURE:97B196E0FF6A0C55E114825C12A230F6\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero 
redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Copilot Studio agent security: Top 10 risks you can detect and prevent_MSSECURE:97B196E0FF6A0C55E114825C12A230F6 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=40719","og_locale":"en_US","og_type":"article","og_title":"Copilot Studio agent security: Top 10 risks you can detect and prevent_MSSECURE:97B196E0FF6A0C55E114825C12A230F6 - zero redgem","og_description":"{&#8220;lastseen&#8221;:&#8221;2026-02-12T23:02:27&#8243;,&#8221;description&#8221;:&#8221;_Organizations are rapidly adopting Copilot Studio agents, but threat actors are equally fast at exploiting misconfigured AI workflows. Mis-sharing, unsafe orchestration, and weak authentication create...","og_url":"https:\/\/zero.redgem.net\/?p=40719","og_site_name":"zero redgem","article_published_time":"2026-02-12T17:42:18+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. 
reading time":"16 minutes"}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/40719","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=40719"}],"version-history":[{"count":0,"href":"htt
ps:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/40719\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=40719"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=40719"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=40719"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}