AI agents should not be shared with broad access control policies
Why This Matters
Exposing AI agents to your entire organization or enabling multitenant support can allow unauthorized users to interact with sensitive corporate data through Copilot Studio agents. This broad access increases the risk of data leakage and unauthorized operations, as anyone with access to the agent can potentially query or manipulate information they should not have access to. Restricting agent sharing to specific users or groups is essential for maintaining data security and compliance.
What Aether365 Checks
This check, identified as AE.1113 in the Aether365 dashboard under microsoft-365 checks, examines all Copilot Studio agents for configurations that share agents with the entire organization ("My organization") or enable multitenant support. It flags any agent where access control is set too broadly, which could allow any user or users across tenants to interact with the agent.