Security and governance for Agents in Microsoft 365

Writer: Bjørnar Aassveen


Microsoft 365 Copilot offers a variety of agents that can automate tasks and improve productivity, but it's important to implement robust security and governance practices to fully leverage these agents. Here are some key areas to focus on.


DLP policies

Agents and M365 Copilot inherit labels, meaning new content inherits sensitivity labels from the source content. This ensures that data loss prevention (DLP) policies are consistently applied, reducing the risk of data breaches.




Governance on a large scale

Microsoft Copilot offers administration through the Microsoft 365 Admin Center and the Power Platform Admin Center, providing unified management of permissions, policies, and compliance settings across your organization.


But there is always a BUT, and this time it concerns SharePoint agents.

  • SharePoint agents currently lack a governance structure; there is no common administration of these.

  • You can search audit logs and directly in SharePoint to get an overview of all agents; these are created as .agent files.

  • SharePoint agents enforce DLP policies in the same way as other agents. You can also choose to exclude the ability to create agents on certain SharePoint pages. This is a non-scalable solution but can be considered if necessary. Read more here:

    https://learn.microsoft.com/en-us/sharepoint/restricted-content-discovery
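Because SharePoint agents have no central admin view, one way to build an inventory is to filter exported audit records for `.agent` files. The sketch below is an added example, not code from this post or from Microsoft; the JSON-lines export format, the sample records, the site URLs and the function names are assumptions made for illustration.

```python
import json
from collections import Counter

# Constructed sample export, newest first (not real tenant data). One JSON audit
# record per line is an assumed export format; field and operation names follow
# the SharePoint file-activity audit schema.
SAMPLE_EXPORT = """
{"CreationTime":"2025-03-11T08:01:00","Operation":"FileAccessed","UserId":"per@contoso.example","SiteUrl":"https://contoso.example/sites/hr/","SourceRelativeUrl":"SiteAssets/Copilots","SourceFileName":"HR helper.agent","SourceFileExtension":"agent"}
{"CreationTime":"2025-03-10T14:30:00","Operation":"FileModified","UserId":"ola@contoso.example","SiteUrl":"https://contoso.example/sites/hr/","SourceRelativeUrl":"SiteAssets/Copilots","SourceFileName":"HR helper.agent","SourceFileExtension":"agent"}
{"CreationTime":"2025-03-07T10:00:00","Operation":"FileRecycled","UserId":"ola@contoso.example","SiteUrl":"https://contoso.example/sites/finance/","SourceRelativeUrl":"Shared Documents","SourceFileName":"Finance FAQ.agent","SourceFileExtension":"agent"}
{"CreationTime":"2025-03-05T11:20:00","Operation":"FileUploaded","UserId":"ola@contoso.example","SiteUrl":"https://contoso.example/sites/finance/","SourceRelativeUrl":"Shared Documents","SourceFileName":"Finance FAQ.agent","SourceFileExtension":"agent"}
{"CreationTime":"2025-03-04T09:00:00","Operation":"FileUploaded","UserId":"ola@contoso.example","SiteUrl":"https://contoso.example/sites/finance/","SourceRelativeUrl":"Shared Documents","SourceFileName":"budget.xlsx","SourceFileExtension":"xlsx"}
{"CreationTime":"2025-03-03T09:12:44","Operation":"FileUploaded","UserId":"kari@contoso.example","SiteUrl":"https://contoso.example/sites/hr/","SourceRelativeUrl":"SiteAssets/Copilots","SourceFileName":"HR helper.agent","SourceFileExtension":"agent"}
"""

WRITES = {"FileUploaded", "FileModified"}   # create or change the agent definition
REMOVALS = {"FileDeleted", "FileRecycled"}  # agent file removed from the library

def inventory_agents(export_text):
    """Map each .agent file URL to who created it, its last change, and removal state."""
    records = [json.loads(line) for line in export_text.splitlines() if line.strip()]
    agents = {}
    for rec in sorted(records, key=lambda r: r["CreationTime"]):  # oldest first
        if (rec.get("SourceFileExtension") or "").lower() != "agent":
            continue  # ordinary documents are not agents
        url = "/".join((rec["SiteUrl"].rstrip("/"),
                        rec["SourceRelativeUrl"].strip("/"), rec["SourceFileName"]))
        entry = agents.setdefault(url, {"site": rec["SiteUrl"], "created_by": None,
                                        "last_change": None, "deleted": False})
        if rec["Operation"] in WRITES:
            if entry["created_by"] is None:
                entry["created_by"] = rec["UserId"]  # earliest write in the export window
            entry["last_change"] = rec["CreationTime"]
            entry["deleted"] = False                  # re-upload after a removal
        elif rec["Operation"] in REMOVALS:
            entry["deleted"] = True
    return agents

def active_agents_per_site(agents):
    """Count agents still present, per site, to show where agents cluster."""
    return dict(Counter(a["site"] for a in agents.values() if not a["deleted"]))

if __name__ == "__main__":
    found = inventory_agents(SAMPLE_EXPORT)
    for url, info in found.items():
        print(url, info)
    print(active_agents_per_site(found))
```

An agent that only shows read events in the export window is still listed, with `created_by` left empty, since it was created before the window started.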




Connector policy

When building agents with Microsoft Copilot Studio, you can choose from over 1500 connectors provided by the Power Platform or build custom connectors by calling APIs to enrich the data used with the agents. Therefore, it is important to take a deliberate position on which connectors are allowed and not allowed in your Power environments. These connectors are controlled via DLP policies either per environment or for all environments.


Visibility and monitoring

Agents built with Agent Builder appear in the Microsoft 365 admin center and in Copilot Studio, where administrators can view and search the inventory of shared agents and block sharing of agents.


Data Security Posture Management (DSPM) for AI

DSPM for AI provides insights for IT and security teams to proactively detect data risks, such as data in user requests, and receive recommended actions and insights for rapid responses. This tool helps administrators identify potential security risks and take proactive measures to mitigate them.


DSPM for AI detects AI activities in the tenant and can, among other things, send notifications using selected AI tools. Below is an excerpt from the activity log in DSPM for AI.


Agent data - security and compliance

Agents built with Copilot Studio, Copilot Studio agent builder, and SharePoint agents include comprehensive activity logging. All activity is captured in Audit logs similar to other services in Microsoft 365, in addition to providing enhanced insights via DSPM for AI. The agents enforce classification that is in turn used for DLP policies across data and services, in addition to all data and interactions being searchable via eDiscovery.



 

One last tip is to take a look at the Copilot administration center in Microsoft. For example, are you sure you want all users to have the ability to purchase licenses with their own wallet or start trials with a few keystrokes? 🤔




Bjørnar&AI
