Bypassing Tenant Isolation in Microsoft Power Platform: A Security Loophole You Should Know

Microsoft Power Platform, specifically Power Automate and Copilot Studio, makes it easy for organizations to quickly build automations and AI agents. To keep them secure and compliant, Tenant Isolation is a critical feature designed to prevent unauthorized cross-tenant communication.

However, in our latest research, we discovered a high-severity vulnerability that bypasses Tenant Isolation policies using the HTTP Connector - potentially exposing sensitive data and enabling unauthorized actions.

Here’s what we found, why it matters, and what you need to do.

The Problem: Tenant Isolation Isn’t Foolproof

When Power Automate Flows or Copilot Studio agents use the HTTP Connector, Power Platform doesn’t dynamically validate tenant identities at runtime. Instead, it relies on static values encoded in bearer tokens, specifically tenant identifiers, that can be manipulated.

This creates a loophole: if a Flow or Agent includes a token from an external Microsoft tenant, the HTTP request can still succeed, even if Tenant Isolation is enabled.

This vulnerability applies to any Power Automate Flows or Copilot Studio Agents that:
- Use the HTTP Connector to send authenticated requests
- Include a bearer token tied to a different Microsoft tenant
- Rely on Power Platform’s Tenant Isolation feature for protection

In practice, here’s how the bypass works:
1) A Flow or Agent is created using the HTTP Connector.
2) The request includes a valid authentication token—but that token belongs to a different Microsoft tenant.
3) The Flow sends the request to that external tenant to trigger an action (like spinning up a Flow on the other side).
4) Power Platform accepts and executes the request, even though it violates Tenant Isolation policies.

Bottom line? The HTTP Connector honors the token, not the isolation policy. And that opens the door to cross-tenant communication - without visibility or enforcement.

Why This Matters: Security & Compliance Risks

Tenant Isolation is a foundational security measure for many organizations, especially those operating in regulated industries or with strict data requirements. When that isolation can be bypassed, it opens the door to sensitive data being sent to external tenants without detection, and creates an opportunity for attackers to exploit stolen or misused tokens to trigger unauthorized actions.

For organizations governed by frameworks like GDPR, HIPPA, or SOC 2, this kind of cross-tenant communication, especially when it happens unknowingly, poses serious compliance risks and audit challenges.

What You Can Do: Mitigation Strategies

To reduce the risk of unauthorized cross-tenant communication, organizations should begin by closely monitoring and auditing usage of the HTTP Connector across Power Automate and Copilot Studio. Pay particular attention to flows or agents that initiate requests to external tenants, as these may indicate policy gaps or misuse. Visibility into these interactions is key to identifying suspicious behavior before it turns into a security incident.

In parallel, it’s important to tighten governance policies around connector usage. Implementing Data Loss Prevention (DLP) policies to restrict or block the HTTP Connector, especially in environments where it’s not required, can prevent unintended data exposure. Think of it like securing any high-risk endpoint - if you can’t fully control or monitor it, you should limit access by default and allow only what’s necessary for business function.

Final Thoughts: The Need for Stricter Security in Low-Code Platforms

This vulnerability is a signal of a broader issue - static controls aren’t enough in low-code platforms. AI agents and automations operate in complex, dynamic environments. Your security controls need to do the same.

That means moving beyond one-time configurations and embracing realtime-enforcement, context-aware policy, and behavioral monitoring. Low-code platforms unlock incredible agility, but without visibility and guardrails, they can also create new pathways for risk.