Published Copilot Studio AI agents using an author’s personal credentials for authentication pose a security risk by potentially exposing sensitive credentials and enabling unauthorized access. SOC teams should proactively hunt for this behavior to identify and mitigate potential credential misuse and unauthorized agent activity in their Azure Sentinel environment.
KQL Query
let base = AIAgentsInfo
| where RegistrySource != "A365"
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus == "Published";
let directActions = base
| mv-expand detail = AgentToolsDetails
| where detail.action.connectionProperties.mode == "Maker"
| extend ActionType = "FromTools", Action = detail.action
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns;
let topicActions = base
| mv-expand topic = AgentTopicsDetails
| extend topicActionsArray = topic.beginDialog.actions
| mv-expand Action = topicActionsArray
| where Action.connectionProperties.mode == "Maker"
| extend ActionType = "FromTopic"
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, Action;
directActions
| union topicActions
| sort by AIAgentId, Timestamp desc
id: 1f6a9b2c-3d4e-5f6a-7b8c-9d0e1f2a3b4c
name: Copilot Studio AI Agents - Published Agents with Author Authentication
description: |
  This query identifies Copilot Studio AI agents that are published and use the maker's personal credentials in their authentication or integration flows.
  This configuration introduces security risks because any interaction with the agent could leverage the maker's privileges, potentially granting access to sensitive resources.
  If the agent is compromised, attackers could perform actions with the maker's permissions, leading to privilege escalation or data exposure.
  Recommended Action: Replace maker credentials with secure alternatives such as managed identities or service principals.
  Ensure published agents follow least-privilege principles and avoid personal credential usage in production environments.
requiredDataConnectors: []
tactics: []
relevantTechniques: []
query: |
  let base = AIAgentsInfo
  | where RegistrySource != "A365"
  | summarize arg_max(Timestamp, *) by AIAgentId
  | where AgentStatus == "Published";
  let directActions = base
  | mv-expand detail = AgentToolsDetails
  | where detail.action.connectionProperties.mode == "Maker"
  | extend ActionType = "FromTools", Action = detail.action
  | project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns;
  let topicActions = base
  | mv-expand topic = AgentTopicsDetails
  | extend topicActionsArray = topic.beginDialog.actions
  | mv-expand Action = topicActionsArray
  | where Action.connectionProperties.mode == "Maker"
  | extend ActionType = "FromTopic"
  | project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, Action;
  directActions
  | union topicActions
  | sort by AIAgentId, Timestamp desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: CreatorAccountUpn
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: AIAgentName
version: 1.0.0
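The query's logic run against a constructed `datatable`, as an added example that is not part of the original rule: it lets the filter order be checked without access to `AIAgentsInfo`, and rolls the per-action rows up to one row per agent for triage. Every row value is constructed for illustration, including the agent ids, names, UPNs and the `SampleSource`, `Draft` and `Invoker` values; only the column names and the `Maker`, `Published` and `A365` literals come from the rule above.

```kql
// Constructed rows standing in for AIAgentsInfo; every value below is made up.
// agent-001: published, a tool action uses the maker's connection.
// agent-002: an older snapshot is published with a maker connection, the latest snapshot is not published.
// agent-003: published, the maker connection sits inside a topic's beginDialog actions.
// agent-004: published, the action uses a different (constructed) mode value.
let SampleAgents = datatable(Timestamp:datetime, AIAgentId:string, AIAgentName:string,
    AgentStatus:string, RegistrySource:string, CreatorAccountUpn:string,
    AgentToolsDetails:dynamic, AgentTopicsDetails:dynamic)
[
    datetime(2025-01-10), "agent-001", "HR Helper", "Published", "SampleSource", "maker1@contoso.example",
        dynamic([{"action":{"connectionProperties":{"mode":"Maker"}}}]), dynamic([]),
    datetime(2025-01-05), "agent-002", "Old Bot", "Published", "SampleSource", "maker2@contoso.example",
        dynamic([{"action":{"connectionProperties":{"mode":"Maker"}}}]), dynamic([]),
    datetime(2025-01-12), "agent-002", "Old Bot", "Draft", "SampleSource", "maker2@contoso.example",
        dynamic([{"action":{"connectionProperties":{"mode":"Maker"}}}]), dynamic([]),
    datetime(2025-01-11), "agent-003", "IT Desk", "Published", "SampleSource", "maker3@contoso.example",
        dynamic([]),
        dynamic([{"beginDialog":{"actions":[{"connectionProperties":{"mode":"Maker"}},{"connectionProperties":{"mode":"Invoker"}}]}}]),
    datetime(2025-01-11), "agent-004", "Sales Bot", "Published", "SampleSource", "maker4@contoso.example",
        dynamic([{"action":{"connectionProperties":{"mode":"Invoker"}}}]), dynamic([])
];
// Same order as the rule: take the latest snapshot per agent first, then test its status.
let base = SampleAgents
    | where RegistrySource != "A365"
    | summarize arg_max(Timestamp, *) by AIAgentId
    | where AgentStatus == "Published";
// Maker-mode connections attached directly to the agent's tools.
let fromTools = base
    | mv-expand detail = AgentToolsDetails
    | where tostring(detail.action.connectionProperties.mode) == "Maker"
    | extend ActionType = "FromTools";
// Maker-mode connections nested inside topic dialogs.
let fromTopics = base
    | mv-expand topic = AgentTopicsDetails
    | mv-expand Action = topic.beginDialog.actions
    | where tostring(Action.connectionProperties.mode) == "Maker"
    | extend ActionType = "FromTopic";
// One row per agent: how many maker-mode actions it has and where they were found.
union fromTools, fromTopics
| summarize MakerActions = count(), Sources = make_set(ActionType)
    by AIAgentId, AIAgentName, CreatorAccountUpn
| sort by MakerActions desc, AIAgentId asc
```

Because `arg_max` runs before the `AgentStatus` filter, an agent whose most recent snapshot is no longer published drops out even though an earlier snapshot would have matched.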
Scenario: A system administrator publishes a custom Copilot Studio AI agent for internal use, which uses their personal Microsoft account credentials for authentication to a legacy on-premises service.
Filter/Exclusion: Exclude agents created by users with the role “System Administrator” or where the author’s account is marked as an “Internal Admin” in Azure AD.
Scenario: A scheduled job runs a script that automates the deployment of a Copilot Studio AI agent, and the script uses the admin’s personal credentials to authenticate to an internal API.
Filter/Exclusion: Exclude agents deployed via scheduled jobs or scripts that are tagged with a specific job name or run under a service account.
Scenario: A developer publishes a Copilot Studio AI agent that integrates with an internal authentication system, and for testing purposes, the agent is configured to use the developer’s personal credentials temporarily.
Filter/Exclusion: Exclude agents where the authentication method is explicitly set to “Test Mode” or where the credentials are associated with a temporary or staging environment.
Scenario: An IT team uses Copilot Studio to create an agent for monitoring internal systems, and the agent is configured to use the credentials of a shared service account for authentication.
Filter/Exclusion: Exclude agents where the authentication method is “Service Account” or where the author is part of a predefined “Shared Service Accounts” group.
Scenario: A DevOps team deploys a Copilot Studio AI agent as part of a CI/CD pipeline, and the agent is configured with the personal credentials of a CI/CD pipeline user for testing purposes.
Filter/Exclusion: Exclude agents where the deployment method is “CI/CD Pipeline” or where the author is a member of a “DevOps” or “Pipeline” team in Azure DevOps.