AI agents should not be shared with broad access control policies
Descriptionโ
Checks all Copilot Studio agents that are shared to My organization with access for everyone, or Multitenant support enabled, which allows any user (or users across tenants) to interact with the agent.
Agents with broad access control increase the risk of data exposure, unauthorized use of connected systems, and prompt injection attacks from untrusted users.
How to fixโ
In Copilot Studio, go to the agents overview and click on the three dots (...) and "share". From here, select "My organization" and make sure it's set to No permissions, unless specified. Then, in the specific agents settings, go to "Security" and "Authentication" and make sure "Multi-tenant support" is toggled off.
Learn more: Control how agents are shared and share agents with other users
Prerequisitesโ
This test evaluates Copilot Studio agent configurations via the Dataverse API.
Connect-Maester -Service Graph,Dataverse