AI agents in Copilot Studio that lack authentication mechanisms may indicate a misconfigured environment allowing unauthorized access and potential exploitation by adversaries. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and remediate exposed AI agents before they are leveraged in targeted attacks.
KQL Query
AIAgentsInfo
| where RegistrySource != "A365"
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| where AuthenticationTrigger == "As Needed" or UserAuthenticationType == "None"
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns
id: 2b7c1d3e-4f5a-6b7c-8d9e-0f1a2b3c4d5e
name: Copilot Studio AI Agents - No Authentication Required
description: |
  This query identifies Copilot Studio AI agents without authentication mechanisms. Authentication is an agent-level configuration.
  Such misconfiguration poses significant security risks because when the agent accesses resources requiring authentication, it authenticates as the agent's creator, not the user interacting with it.
  If the agent has access to sensitive information, this could allow users to access resources they shouldn't. Additionally, it expands the attack surface: if an attacker compromises a user who can access such an agent, the attacker can also authenticate as the maker.
requiredDataConnectors: []
tactics:
  - InitialAccess
  - PrivilegeEscalation
relevantTechniques:
  - T1078
  - T1190
query: |
  AIAgentsInfo
  | where RegistrySource != "A365"
  | summarize arg_max(Timestamp, *) by AIAgentId
  | where AgentStatus != "Deleted"
  | where AuthenticationTrigger == "As Needed" or UserAuthenticationType == "None"
  | project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: CreatorAccountUpn
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: AIAgentName
version: 1.0.0
Scenario: Development team uses Copilot Studio for internal prototyping without enabling authentication.
Filter/Exclusion: Exclude agents created under a specific development project or team, e.g., project_name = "dev-prototype".
Scenario: System administrators schedule a daily backup job that uses Copilot Studio to generate reports, but authentication is disabled for simplicity.
Filter/Exclusion: Exclude agents used by scheduled jobs with a known job ID or name, e.g., job_name = "daily-backup-report".
Scenario: IT support team uses Copilot Studio to generate documentation for internal use, and authentication is temporarily disabled for ease of access.
Filter/Exclusion: Exclude agents associated with the “IT Support” team or user group, e.g., user_group = "IT-Support".
Scenario: A DevOps pipeline uses Copilot Studio to auto-generate code snippets during CI/CD, and authentication is bypassed for automation purposes.
Filter/Exclusion: Exclude agents used by CI/CD pipelines, e.g., agent_used_by = "CI-CD-Pipeline" or source = "jenkins".
Scenario: A third-party tool integrates with Copilot Studio to fetch AI-generated content, and authentication is not required for the integration.
Filter/Exclusion: Exclude agents that are part of known third-party integrations, e.g., integration_tool = "third-party-content-fetcher" or source = "external-tool".
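The exclusions above name fields such as project_name or job_name that the query itself does not return. The following added example (not part of the original rule) shows one way to apply reviewed exceptions using only columns the query already uses. The allowlist table, its column names (AgentKey, Reason, ReviewedUntil), the agent IDs and the dates are constructed placeholders, and it assumes AIAgentId can be compared as a string.

```kql
// Added example: suppress reviewed, intentionally unauthenticated agents.
// All allowlist rows are constructed placeholders, not real agent IDs.
let ApprovedExceptions = datatable(AgentKey:string, Reason:string, ReviewedUntil:datetime)
[
    "00000000-0000-0000-0000-000000000001", "dev-prototype",       datetime(2030-01-01),
    "00000000-0000-0000-0000-000000000002", "daily-backup-report", datetime(2030-01-01)
];
// Only approvals that have not expired suppress results, so every
// exception has to be re-reviewed before its ReviewedUntil date.
let ActiveExceptions = ApprovedExceptions
    | where ReviewedUntil > now();
AIAgentsInfo
| where RegistrySource != "A365"
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| where AuthenticationTrigger == "As Needed" or UserAuthenticationType == "None"
// Assumption: tostring() normalizes AIAgentId so it joins against the string key.
| extend AgentKey = tostring(AIAgentId)
// leftanti keeps only agents that have no active exception.
| join kind=leftanti ActiveExceptions on AgentKey
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns
```

Keying exceptions on the agent ID rather than on a team or tool name means a newly created unauthenticated agent from the same team still surfaces in the hunt.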