Adversaries may exploit publicly shared A365 AI agents to gain unauthorized access to sensitive data or systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential data exposure risks before they are leveraged in an attack.
KQL Query
```kusto
// Lookup table: Entra object ID -> UPN, deduplicated and materialized once for both joins below
let IdentityIdtoUPN = materialize (
    IdentityInfo
    | distinct AccountObjectId, AccountUpn
    | extend AccountObjectId = tostring(AccountObjectId)
    | where isnotempty(AccountObjectId) and isnotempty(AccountUpn));
AIAgentsInfo
| where RegistrySource == "A365"
// Keep only the most recent record per agent so a later re-scoping is not missed
| summarize arg_max(Timestamp, *) by AIAgentId
| extend RawAgentInfoJson = parse_json(RawAgentInfo)
| extend Scope = tostring(RawAgentInfoJson.scope)
| extend DeveloperName = tostring(RawAgentInfoJson.developerName)
| extend OwnerId = tostring(RawAgentInfoJson.owners[0].entityId)
| extend CreatorId = tostring(RawAgentInfoJson.creatorId)
// leftouter joins keep agents whose owner or creator cannot be resolved to a UPN
| join kind=leftouter IdentityIdtoUPN on $left.OwnerId == $right.AccountObjectId
| project-rename OwnerUpn = AccountUpn
| join kind=leftouter IdentityIdtoUPN on $left.CreatorId == $right.AccountObjectId
| project-rename CreatorUpn = AccountUpn
| where Scope == "public"
| project-away RawAgentInfoJson, OwnerId, CreatorId, AccountObjectId, AccountObjectId1
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, OwnerUpn, CreatorUpn, DeveloperName
```
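To check the query's semantics offline (latest record per agent, `owners[0]` resolution, leftouter join behaviour when an ID has no UPN), here is an added Python re-implementation that is not part of the page's query or of Sentinel, run over constructed `AIAgentsInfo` and `IdentityInfo` rows. The `approved_agent_ids` allowlist is an added tuning hook, not a field of the query, for agents whose public scope has been reviewed and accepted.

```python
import json
def _row(ts, agent_id, name, source, **info):
    # One AIAgentsInfo-shaped record; RawAgentInfo is a JSON string, as in the Sentinel table.
    return {"Timestamp": ts, "AIAgentId": agent_id, "AIAgentName": name,
            "AgentCreationTime": "2024-04-30T09:00:00Z", "RegistrySource": source,
            "RawAgentInfo": json.dumps(info)}
AI_AGENTS_INFO = [  # constructed sample data, not real tenant records
    _row("2024-05-01T10:00:00Z", "agent-1", "HR Helper", "A365", scope="tenant",
         developerName="HR Dev", owners=[{"entityId": "u-100"}], creatorId="u-100"),
    _row("2024-05-02T10:00:00Z", "agent-1", "HR Helper", "A365", scope="public",  # newest record: now public
         developerName="HR Dev", owners=[{"entityId": "u-100"}], creatorId="u-100"),
    _row("2024-05-02T11:00:00Z", "agent-2", "Sales Bot", "A365", scope="public",  # no owners, unknown creator
         developerName="Sales Dev", owners=[], creatorId="u-999"),
    _row("2024-05-02T12:00:00Z", "agent-3", "Other Reg", "Copilot", scope="public",  # other RegistrySource
         owners=[{"entityId": "u-100"}], creatorId="u-100"),
]
IDENTITY_INFO = [
    {"AccountObjectId": "u-100", "AccountUpn": "alice@contoso.example"},
    {"AccountObjectId": "u-100", "AccountUpn": "alice@contoso.example"},  # duplicate, removed by distinct
    {"AccountObjectId": "", "AccountUpn": "ghost@contoso.example"},       # dropped by isnotempty()
]

def build_upn_lookup(identity_rows):
    # materialize(IdentityInfo | distinct ... | where isnotempty(...)) as an ObjectId -> UPN dict
    return {str(r["AccountObjectId"]): r["AccountUpn"]
            for r in identity_rows if r.get("AccountObjectId") and r.get("AccountUpn")}

def find_public_agents(agent_rows, identity_rows, approved_agent_ids=frozenset()):
    upn = build_upn_lookup(identity_rows)
    latest = {}  # summarize arg_max(Timestamp, *) by AIAgentId: newest record per agent
    for row in agent_rows:
        if row["RegistrySource"] != "A365":
            continue
        aid = row["AIAgentId"]  # ISO-8601 timestamps compare correctly as strings
        if aid not in latest or row["Timestamp"] > latest[aid]["Timestamp"]:
            latest[aid] = row
    results = []
    for row in latest.values():
        info = json.loads(row["RawAgentInfo"])          # parse_json(RawAgentInfo)
        if str(info.get("scope", "")) != "public":       # exact, case-sensitive match like KQL ==
            continue
        if row["AIAgentId"] in approved_agent_ids:       # added tuning hook: reviewed and accepted
            continue
        owners = info.get("owners") or []
        owner_id = str(owners[0].get("entityId", "")) if owners else ""  # owners[0].entityId
        results.append({"AgentCreationTime": row["AgentCreationTime"], "AIAgentId": row["AIAgentId"],
                        "AIAgentName": row["AIAgentName"], "DeveloperName": info.get("developerName"),
                        "OwnerUpn": upn.get(owner_id),   # leftouter join: None when unresolved
                        "CreatorUpn": upn.get(str(info.get("creatorId", "")))})
    return sorted(results, key=lambda r: r["AIAgentId"])
```

Rows with an unresolved owner or creator surface with `None` in the UPN columns, so they should be triaged rather than dropped, exactly as the leftouter joins in the query preserve them.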
```yaml
id: 8c9d0e1f-2a3b-4c5d-6e7f-8a9b0c1d2e3f
name: A365 AI Agents - Publicly Shared
description: |
  This query identifies A365 AI agents that are shared publicly.
  Such configurations significantly increase the risk of unauthorized access by unintended users, which could lead to data exposure or misuse of agent capabilities.
  Public sharing is especially sensitive because it extends access beyond organizational boundaries.
  Recommended Action: Review these agents to confirm whether broad sharing is necessary for the business scenario.
  If not, restrict access to specific users or groups and apply least-privilege principles. For public configurations, ensure proper governance and compliance checks are in place.
requiredDataConnectors: []
tactics: []
relevantTechniques: []
query: |
  let IdentityIdtoUPN = materialize (
      IdentityInfo
      | distinct AccountObjectId, AccountUpn
      | extend AccountObjectId = tostring(AccountObjectId)
      | where isnotempty(AccountObjectId) and isnotempty(AccountUpn));
  AIAgentsInfo
  | where RegistrySource == "A365"
  | summarize arg_max(Timestamp, *) by AIAgentId
  | extend RawAgentInfoJson = parse_json(RawAgentInfo)
  | extend Scope = tostring(RawAgentInfoJson.scope)
  | extend DeveloperName = tostring(RawAgentInfoJson.developerName)
  | extend OwnerId = tostring(RawAgentInfoJson.owners[0].entityId)
  | extend CreatorId = tostring(RawAgentInfoJson.creatorId)
  | join kind=leftouter IdentityIdtoUPN on $left.OwnerId == $right.AccountObjectId
  | project-rename OwnerUpn = AccountUpn
  | join kind=leftouter IdentityIdtoUPN on $left.CreatorId == $right.AccountObjectId
  | project-rename CreatorUpn = AccountUpn
  | where Scope == "public"
  | project-away RawAgentInfoJson, OwnerId, CreatorId, AccountObjectId, AccountObjectId1
  | project-reorder AgentCreationTime, AIAgentId, AIAgentName, OwnerUpn, CreatorUpn, DeveloperName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: CreatorUpn
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: AIAgentName
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| IdentityInfo | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| AI Agent Shared During a Team Collaboration Session | An admin shares an AI agent with a team using Microsoft Teams or Outlook to facilitate a collaborative project. | shared_with_team_id in teams or shared_with_group_id in groups to exclude internal team shares. |
| Scheduled Job Configuration with Public Access | A system administrator configures a Power Automate flow that uses an AI agent and sets it to be publicly accessible for integration with third-party services. | flow_type = “scheduled” and access_level = “private” to exclude public access for scheduled jobs. |
| AI Agent Used for Internal Knowledge Base | An admin creates an AI agent to index internal documents and shares it with a department-wide group for knowledge management purposes. | shared_with_group_id in groups where group_type = “internal” or group_name contains “Knowledge Base”. |
| AI Agent Shared via Microsoft Graph API for Integration | A developer shares an AI agent with a service that uses Microsoft Graph API for automation, such as a custom application or integration tool. | shared_with_app_id or shared_with_service_principal_id to exclude API-based integrations. |
| AI Agent Shared for Training or Testing Purposes | A data scientist shares an AI agent with a test environment or training platform (e.g., Azure DevOps, Power BI, or Power BI Report Server) for development and validation. | shared_with_environment = “test” or shared_with_platform = “development” to exclude non-production shares. |