Microsoft Copilot Agents Bypass Access Policy Putting Data at Risk

August 25, 2025 • Florence Nightingale • 2 minutes
Tags: MicrosoftCopilot, DataSecurity, AIPolicyFlaw

Security researchers found Microsoft Copilot agents ignore the NoUsersCanAccessAgent policy, allowing unauthorized access to sensitive data despite admin settings.

Key Takeaways:

  • The "NoUsersCanAccessAgent" policy is bypassed, leaving some Copilot Agents installable.
  • Manual per-agent PowerShell revocations add overhead and risk.
  • Mitigate by auditing inventories, enforcing Conditional Access, and monitoring.

Microsoft Copilot Agent Policy Flaw

Shortly after the May 2025 rollout of 107 Copilot Agents in Microsoft 365 tenants, security specialists discovered that the "Data Access" restriction meant to block agent availability is being ignored.

Despite administrators configuring the Copilot Agent Access Policy to disable user access, certain Microsoft-published and third-party agents remain readily installable, potentially exposing sensitive corporate data and workflows to unauthorized use.

Policy Bypass Details

Testing by cybersecurity researcher Steven Lim shows that agents such as "ExpenseTrackerBot" and "HRQueryAgent" continue to appear in the Copilot panel despite the global policy restriction.

Risks of Unauthorized Access

  • Data exfiltration via agents like "ExportDataAgent" or "SearchFileAgent" that query SharePoint or OneDrive content beyond intended scope.
  • Execution of custom RPA workflows through agents like "AutoInvoiceProcessor" without formal change control.
  • Compliance violations if unapproved AI models process sensitive PII or regulated data.

Recommended Mitigations

  1. Run weekly discovery scripts to detect policy-bypassing agents.
  2. Integrate Azure AD Conditional Access to require MFA for agent installation.
  3. Monitor agent invocation logs via Microsoft 365 compliance tools.
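
The weekly discovery check from mitigation 1, as an added example that is not the researcher's or Microsoft's script: it compares two exported agent inventories under the NoUsersCanAccessAgent policy and flags agents users can still reach. The JSON fields (`name`, `availableToUsers`), the approved list and the sample availability values are assumptions constructed for the example; how the inventory is exported is outside its scope.

```python
import json

# Constructed sample data. The field names are hypothetical, not a Microsoft
# export schema; agent names are the ones quoted in the article.
TENANT_POLICY = "NoUsersCanAccessAgent"
APPROVED = {"AutoInvoiceProcessor"}  # hypothetical change-control exception

LAST_WEEK = json.loads("""[
  {"name": "ExpenseTrackerBot", "availableToUsers": true},
  {"name": "HRQueryAgent", "availableToUsers": false},
  {"name": "AutoInvoiceProcessor", "availableToUsers": true}
]""")
THIS_WEEK = json.loads("""[
  {"name": "ExpenseTrackerBot", "availableToUsers": true},
  {"name": "HRQueryAgent", "availableToUsers": true},
  {"name": "ExportDataAgent", "availableToUsers": true},
  {"name": "SearchFileAgent", "availableToUsers": false},
  {"name": "AutoInvoiceProcessor", "availableToUsers": true}
]""")


def audit(policy, previous, current, approved):
    """Return (agent, reason) pairs for agents that contradict the policy."""
    if policy != "NoUsersCanAccessAgent":
        return []  # policy is not meant to block agents; nothing to flag
    prev = {a["name"]: a for a in previous}
    findings = []
    for agent in sorted(current, key=lambda a: a["name"]):
        name = agent["name"]
        if not agent["availableToUsers"] or name in approved:
            continue
        if name not in prev:
            reason = "new-and-available"    # appeared since the last run
        elif not prev[name]["availableToUsers"]:
            reason = "revocation-reverted"  # was blocked last week
        else:
            reason = "still-available"      # bypass persists week over week
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit(TENANT_POLICY, LAST_WEEK, THIS_WEEK, APPROVED):
        print(f"{name}: {reason}")
```

The "revocation-reverted" case is the one to alert on first, since it means a manual per-agent revocation did not hold.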

As AI agents become integral to productivity, administrators must proactively audit and enforce controls to prevent inadvertent exposure of enterprise data.

About the Author

Dr. Lisa Kim

AI Ethics Researcher

Leading expert in AI ethics and responsible AI development with 13 years of research experience. Former member of Microsoft AI Ethics Committee, now provides consulting for multiple international AI governance organizations. Regularly contributes AI ethics articles to top-tier journals like Nature and Science.