Traditional security was built around three assumptions: users, endpoints, and applications. AI agents violate all three. Field research by Microsoft Security professionals, together with Microsoft's own agent misconfiguration data, shows the real-world risks are worse than most organisations realise.
| Property | Capability Upside | Security Downside | Risk Severity |
|---|---|---|---|
| Self-initiating | Automates workflows without human prompts | May take unintended actions outside guardrails | HIGH |
| Persistent | Continuous value; handles tasks 24/7 | Over-permissioning drift; undetected misuse; orphaned agents | HIGH |
| Opaque | Abstracts complexity; simplifies workflows | LLM black-box; hard to audit; LLM non-determinism makes output unpredictable | HIGH |
| Prolific | Low-code / no-code creation accelerates adoption | Shadow agents; sprawl; most existing Copilot Studio agents are Classic — outside Entra security perimeter entirely | CRITICAL |
| Tool-invoking | Real actions: email, APIs, file write | Prompt injection converts to real-world harm; MCP tools extend this to any connected system | CRITICAL |
| Context-consuming | Rich reasoning over enterprise data | Sensitive data enters AI context — new exfiltration surface | CRITICAL |
| Maker-authenticated | Creator can configure deep integration at build time | Copilot Studio agents authenticate as their maker, not the user — maker's full permissions extended to every user who interacts with the agent | CRITICAL |
Our Identity page covers the OBO (On-Behalf-Of) token problem. Copilot Studio introduces a more dangerous variant: maker credentials. The agent authenticates to connected services as the person who built it, not the person using it; the exposure exists wherever a connector or knowledge source is configured with the maker's connection rather than end-user authentication. If a developer with admin rights builds an agent and shares it org-wide with one toggle, every employee in the organisation can interact with it using the maker's admin-level permissions. This is the most widespread and underappreciated privilege escalation risk in current enterprise AI deployments. Field research by Microsoft Security MVP Derk van der Woude confirms this pattern is common in production environments.
Microsoft's own security research team identified the top 10 agent misconfigurations observed in customer tenants. The following are the most structurally dangerous:
UserAuthenticationType = None. Anyone with access to Teams can use the agent; no login is required. If the agent reaches internal data through maker credentials, it becomes an unauthenticated endpoint into your data estate. Detectable via KQL: `AIAgentsInfo | where UserAuthenticationType == "None"`.

Non-descriptive agent names such as Agent #. Security products like ID Protection and Conditional Access reference these names. In practice this makes per-agent policies in Entra nearly impossible to manage at enterprise scale.

Ownerless agents. The Power Platform Inventory and the AIAgentsInfo Advanced Hunting table both surface agents with missing owners. KQL: `AIAgentsInfo | where isempty(OwnerAccountUpns)`. Ownerless agents cannot be governed through the Agent ID sponsor model.

Every entry point into an agent is a potential injection or manipulation vector. The table below maps each risk to the team that owns it and the primary Microsoft control available:
| Risk | Description | Who Owns It | Primary Microsoft Control |
|---|---|---|---|
| Agent sprawl | No inventory of deployed agents; no lifecycle ownership | IT / Security | Agent 365 ⚠ per-user license |
| Classic agents — outside Entra perimeter | Most existing Copilot Studio agents are Classic Service Principals with no Entra security product coverage | IAM / Security | Migration to Modern Agents ⚠ tool not yet available |
| Maker credentials | Copilot Studio agents authenticate as their builder — maker's permissions extended to all users of the agent | IAM / AppSec | Power Platform Managed Environments; enforce end-user auth per agent |
| No-auth agents | Agents set to no authentication — accessible to anyone in Teams with no login | IT / Security | AIAgentsInfo KQL detection; Power Platform admin enforcement |
| Org-wide sharing | One toggle exposes agent to all employees — compounds with maker credentials | IT / Security | Power Platform Managed Environments — set sharing limits |
| Over-permissioned access | Agents granted broad access; OBO inherits user's full rights | IAM / Security | Entra Agent ID ⚠ preview, Modern Agents only |
| Shadow AI / plugins | Business users deploy unsanctioned AI tools and MCP servers outside IT oversight | IT / CASB | Defender for Cloud Apps + Entra Internet Access GA Mar 31 |
| MCP tool misuse | Agents invoke real enterprise tools via MCP — now via official Microsoft MCP server catalog | AppSec / Security | Foundry Guardrails ⚠ preview + Defender for Cloud Apps |
| Prompt injection / XPIA | Malicious inputs hijack agent behaviour mid-task | AppSec / SOC | Prompt Shields + Entra Internet Access Prompt Injection Protection GA Mar 31 |
| Data leakage | Sensitive data enters AI context; exfiltrated via outputs or prompts | DLP / Compliance | Purview DSPM + Purview DLP for Copilot GA Mar 31 |
| Ownerless agents | No accountable owner — agents persist indefinitely with no governance review | IT / IAM | Power Platform Inventory; AIAgentsInfo Advanced Hunting |
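The two AIAgentsInfo detections from the misconfiguration list above, and referenced again in the table, can be combined into a single Advanced Hunting triage query. The query below is an added example, not from the original page or from Microsoft. Only the AIAgentsInfo table, UserAuthenticationType and OwnerAccountUpns are taken from the page; Timestamp, AgentId and AgentName are assumed column names, and the placeholder-name regex is an assumption about what an Agent # style name looks like in practice. Check all three against the table schema in your tenant before relying on it.

```kql
// Added example: triage query over AIAgentsInfo for the structural
// misconfigurations discussed above. Assumed column names: Timestamp,
// AgentId, AgentName (verify against your tenant's schema).
AIAgentsInfo
// Keep only the latest record per agent so stale rows do not double-count.
| summarize arg_max(Timestamp, *) by AgentId
| extend NoUserAuth  = UserAuthenticationType == "None",      // from the page
         NoOwner     = isempty(OwnerAccountUpns),              // from the page
         // Assumed pattern for a default display name such as "Agent 12".
         GenericName = AgentName matches regex @"^Agent\s*\d+$"
// Collect human-readable findings per agent.
| extend Findings = array_concat(
         iff(NoUserAuth,  dynamic(["no end-user authentication"]), dynamic([])),
         iff(NoOwner,     dynamic(["no accountable owner"]),       dynamic([])),
         iff(GenericName, dynamic(["placeholder display name"]),   dynamic([])))
| where array_length(Findings) > 0
// An unauthenticated agent with nobody to answer for it is the worst case.
| extend Severity = case(NoUserAuth and NoOwner, "CRITICAL",
                         NoUserAuth or NoOwner,  "HIGH",
                         "MEDIUM")
| project Timestamp, AgentId, AgentName, UserAuthenticationType,
          OwnerAccountUpns, Severity, Findings
| order by Severity asc, AgentName asc
```

Run it as a scheduled custom detection so that newly published agents are caught as they appear rather than at the next manual review. Agents that surface with Severity CRITICAL should be paired with the maker-credentials question immediately: if the agent also authenticates to connectors as its builder, it is an unauthenticated path into whatever that builder can reach.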