Detecting and mitigating common agent misconfigurations

Source: Microsoft Security Blog

Author: Microsoft Defender Security Research Team

URL: https://www.microsoft.com/en-us/security/blog/2026/02/12/copilot-studio-agent-security-top-10-risks-detect-prevent/

Detecting and mitigating common agent misconfigurations

ONE SENTENCE SUMMARY:

Agent misconfigurations in Copilot Studio create hidden access paths; use Defender hunting queries and governance controls to detect, mitigate.

MAIN POINTS:

  1. Rapid agent adoption increases exposure from mis-sharing, unsafe orchestration, and weak authentication.
  2. Broad organizational sharing expands attack surface and enables unintended sensitive actions.
  3. Unauthenticated agents become public entry points enabling unauthorized access and data leakage.
  4. Risky HTTP Request actions bypass connector governance, enabling insecure endpoints and privilege escalation.
  5. Email actions with AI-controlled inputs can enable prompt-injection-driven data exfiltration.
  6. Dormant agents, actions, and connections create forgotten attack surface with stale privileged access.
  7. Author (maker) authentication enables privilege escalation by running under creator permissions.
  8. Hardcoded credentials in topics/actions cause secret leakage and uncontrolled reuse.
  9. MCP tools can introduce undocumented integrations and unintended system interactions without oversight.
  10. Generative orchestration without instructions increases drift, prompt abuse, and unsafe action selection.

TAKEAWAYS:

  1. Run Microsoft Defender Advanced Hunting “AI Agents” community queries to surface misconfigurations early.
  2. Enforce Entra ID authentication and restrict sharing using Managed Environments and environment strategy.
  3. Prefer governed connectors over raw HTTP; apply data/advanced connector policies and enforce HTTPS.
  4. Reduce exfiltration paths by controlling email actions, adding runtime protection, and requiring human approvals.
  5. Establish lifecycle governance: inventory reviews, active ownership, deprecation/quarantine, and Key Vault-backed secrets.