Microsoft Copilot Studio helps organizations transform their business processes like never before through conversational and autonomous agents. The ability to streamline or hand off workflows without being a pro developer provides makers with enormous flexibility and power to bring a company’s vision to life. However, with great power comes great responsibility, particularly in the realms of security and governance.
As AI becomes more sophisticated, so do cyber criminals. Microsoft proactively works to mitigate the top risks associated with AI through a system of integrated controls and capabilities for Copilot and agents. This system includes robust security measures to prevent unauthorized access and AI hijacking (wherein malicious actors attempt to manipulate autonomous agents to perform harmful actions).
Agents interact with sensitive enterprise data that must be guarded in order to prevent data breaches and exposure. Finally, accountability and control continue to be key topics for customers, who seek transparent decision-making processes that help their teams understand and trust AI-driven outcomes.
At Microsoft Build 2025, we are excited to introduce a series of new releases focusing on three key areas in managed security for Copilot Studio: proactive governance, Secure by Default, and comprehensive visibility. These enhancements aim to boost the security, control, and transparency of your Copilot Studio agents to help ensure a secure environment for all users.
Proactive governance features allow admins to utilize the Power Platform admin center and automation capabilities to facilitate agent adoption. Admins can create a “green zone” for makers to experiment with agents in their personal development environments. Additionally, environment routing enables makers to land in these personal dev environments, while rules in environment groups help control which connectors, sharing scopes, and authentication types makers can use. Pipelines can then certify and transfer finished assets to production, making them accessible to a broader group or the entire company.
Then, for Secure by Default, we’re introducing unique security controls to better protect agents from potential attacks such as cross-prompt injection attacks (XPIA) and jailbreaks. Lastly, in the space of comprehensive visibility, we’re unveiling new capabilities that simplify tracking adoption and refining controls based on system recommendations. These visibility features help to ensure agents are securely built and operated from the outset.

Proactive governance
We aim to provide more control, with less effort, for admins and Chief Information Security Officers. To achieve this, we’re introducing multiple features and capabilities that are now generally available:
- Federated Identity Credentials (FIC) for agents: Eliminates the need for persisted secrets and certificates, significantly improving the security posture for bot registration in Entra ID
- IT control to block custom agents: Allows administrators to block custom agents on the spot, preventing risky or harmful agents from acting
- Option to disable recording transcripts in Dataverse: Protects end-user session confidentiality by disabling recording transcripts and session downloads
- Customer Managed Encryption Keys (CMK): Customers can now manage their own encryption keys, adding an extra layer of security and control over their data
- Streamlined data loss prevention enforcement: Aligns with other Power Platform products to eliminate the need for PowerShell opt-in for new and existing tenants
- Consent requirement for sharing agents: Reduces the risk of unintentional information sharing by requiring consent when sharing an agent with another maker
- Environment routing for makers: Enables admins to automatically route makers to dedicated development environments where they can safely experiment and build agents

Additionally, we are offering the following features and capabilities in preview:
- Advanced Connector Policies (ACP): A new rule allowing admins to define exactly which connectors are permitted at the environment group level. ACP gives organizations precise control over data access during all stages of agent, app, and flow development, reducing the risk of sensitive or unmanaged connector usage early in the lifecycle
- Network isolation: Supports IP Firewall and VNet for Application Insights and HTTP connectors, enhancing network isolation for Copilot Studio agents
- Delete declarative agents: Allows admins to remove harmful or unused agents, including any associated files
- Sensitive data masking and audio suppression at runtime: Safeguards sensitive data during agent interactions, helping to ensure compliance with data privacy regulations
- Auto-label Dataverse tables with the Data Map Dataverse Connector: Mitigates risks of oversharing by scanning Dataverse columns and applying Microsoft Purview Information Protection (MIP) sensitivity labels, which help to ensure sensitive data is discovered and protected consistently by triggering encryption, access restrictions, or other policies you have in place
- Protect Dataverse data used in MCS (Microsoft Copilot Studio) with label inheritance: Carries MIP labels over to custom agent actions and outputs, helping to keep those protections in place wherever the data is used
- Surface MIP labels across MCS: Mitigates risks of oversharing by providing label visibility and inheritance from first-party data sources across knowledge and actions for MCS custom agents
- Personalized privacy message configuration: Admins can now configure a personalized privacy message with an editable URL, enhancing user experience and compliance with industry regulations
- Enforced end-user authentication: Admins can require authentication when an agent tries to access or invoke connectors, flows, and actions, which helps prevent oversharing with end users who lack access to the agent’s resources and data
- Microsoft Entra ID authentication requirement: Admins can require Microsoft Entra ID authentication on all agent interactions, significantly reducing the risk of data exfiltration and bolstering the overall security posture. A Power Policy rule is also provided to streamline the configuration process

Secure by Default and Secure by Design
Two of Microsoft’s core security principles are Secure by Default and Secure by Design. Copilot Studio is committed to these principles and has built the following features and capabilities to support this effort:
- Out-of-box cross-prompt injection attack (XPIA) protection (now generally available): Offers real-time monitoring and intervention during the agent’s runtime, ensuring malicious inputs or actions are detected and blocked
- Agent protection status for makers: Gives makers building agents inside Copilot Studio greater confidence by showing each agent’s threat protection status, required authentication level, and applicable security policies

Comprehensive visibility
Makers and admins need a clear view of the agents created in Microsoft Copilot Studio. As part of this effort in managed security for Copilot Studio, we are introducing:
- Audit logs for Jailbreak/XPIA events in custom agents: Enables near-real-time monitoring, immediate detection, and rapid response to potential security breaches. This feature, now generally available, helps prevent serious compliance issues and helps administrators understand the context and impact of events, supporting better decision-making

Altogether, these new releases help provide a more secure, controlled, and transparent environment for all users. This is part of the Copilot Control System (CCS), our unified framework of enterprise-grade controls and capabilities designed to help IT administrators and security professionals manage, secure, and analyze the use of Microsoft 365 Copilot, Copilot Studio, and AI agents across an organization, so you can innovate with confidence.
For more Microsoft Build 2025-related updates, read Corporate Vice President Vasu Jakkal’s blog as well.
More ways to stay up to date on all things Copilot Studio
Check out all the updates live as we ship them, as well as new features releasing in the next few months, at What’s new in Microsoft Copilot Studio on Microsoft Learn.
To learn more about Microsoft Copilot Studio and how it can transform your organization’s productivity, visit the Copilot Studio website or sign up for our free trial today.