Adversaries may leverage shared or multi-tenant Copilot Studio AI agents to gain unauthorized access to sensitive data across an organization. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or lateral movement risks associated with misconfigured AI agent access.
KQL Query
AIAgentsInfo
| where RegistrySource != "A365"
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| where AccessControlPolicy in ("Any", "Any (multi-tenant)")
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns
id: 4a8b2c5d-6e7f-8a9b-0c1d-2e3f4a5b6c7d
name: Copilot Studio AI Agents - Organization or Multi-tenant Shared
description: |
This query identifies Copilot Studio AI agents that are shared broadly-either with the entire organization or configured for multi-tenant access.
Such configurations significantly increase the risk of unauthorized access by unintended users, which could lead to data exposure or misuse of agent capabilities.
Multi-tenant sharing is especially sensitive because it extends access beyond organizational boundaries.
Recommended Action: Review these agents to confirm whether broad sharing is necessary for the business scenario.
If not, restrict access to specific users or groups and apply least-privilege principles. For multi-tenant configurations, ensure proper governance and compliance checks are in place.
requiredDataConnectors: []
tactics: []
relevantTechniques: []
query: |
AIAgentsInfo
| where RegistrySource != "A365"
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| where AccessControlPolicy in ("Any", "Any (multi-tenant)")
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: CreatorAccountUpn
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: AIAgentName
version: 1.0.0Scenario: Admin Task - Creating a Shared AI Agent for Team Collaboration
Description: A system administrator creates a shared AI agent in Copilot Studio to allow multiple teams to collaborate on a common AI model.
Filter/Exclusion: agent_creation.source = "admin_console" AND agent_creation.team_scope = "specific_team"
Scenario: Scheduled Job - Regularly Exporting AI Agent Configurations
Description: A scheduled job runs to export AI agent configurations for backup or version control purposes, which may trigger the rule due to the shared nature of the export process.
Filter/Exclusion: event_type = "scheduled_job_export" AND job_name LIKE "%backup%"
Scenario: Multi-Tenant Environment - Shared AI Agent for a SaaS Platform
Description: A SaaS provider uses Copilot Studio to host a shared AI agent for multiple tenant organizations, which is a legitimate use case in a multi-tenant architecture.
Filter/Exclusion: agent_configuration.tenant_mode = "multi_tenant" AND agent_name LIKE "%saas_platform%"
Scenario: DevOps Practice - CI/CD Pipeline Deploying AI Agent Templates
Description: A CI/CD pipeline deploys pre-configured AI agent templates to multiple environments, which may be flagged as shared or multi-tenant.
Filter/Exclusion: event_type = "ci_cd_pipeline" AND pipeline_name LIKE "%agent_template%"
Scenario: Compliance Audit - Generating Reports on Shared AI Agents
Description: A compliance auditor generates a report on shared AI agents across the organization as part of a security review.
Filter/Exclusion: event_type = "compliance_audit" AND audit_type = "agent_access_review"