Microsoft’s Power Platform recently introduced an IP-based Firewall feature designed to restrict access to environments based on IP addresses. The goal is to ensure that only users from approved locations can interact with the environment and its resources, such as AI-powered Agents, Power Apps, and Flows.
However, we have identified a critical security vulnerability that enables users to bypass these firewall restrictions when deploying Declarative Agents from Copilot Studio into Microsoft 365 Copilot. Once an agent is extended beyond Power Platform, it effectively escapes the IP restrictions enforced at the environment level, allowing unauthorized users to interact with it from prohibited IP addresses.
This presents a significant security risk for organizations that rely on environment-based firewall controls to protect sensitive business logic and data.
Power Platform's IP-based Firewall is configured at the environment level via the Power Platform Admin Center, enforcing IP allowlist rules to restrict access to authorized users. Only those accessing from approved IP addresses can interact with the environment’s resources.
Despite these restrictions, Declarative Agents created in Copilot Studio can be published to Microsoft 365 Copilot, which operates outside the firewall-controlled environment. Once deployed, the agent is hosted within Microsoft 365 Copilot’s infrastructure, which does not enforce Power Platform’s firewall policies.
This means that a user who should be blocked by the Power Platform environment firewall can still engage with the agent via M365 Copilot, gaining access to protected resources and information.
We recreated this scenario in a test environment to validate the vulnerability. Here’s how we did it.
Using a test user, create a new Declarative Agent inside Copilot Studio, within a Power Platform environment protected by firewall rules.
Navigate to Power Platform Admin Center → Environment → Features → Privacy & Security and enable the IP-based firewall rule. Define an allowlist that includes only your approved office IP range.
Note: This feature is available only in Managed Environments.
Publish the agent from Copilot Studio to Microsoft 365 Copilot.
Navigate to Office 365 Admin Center → Integrated Apps → Requested Apps and approve the newly deployed agent.
Once approved, it will appear under ‘Available Apps’, allowing users to install it.
This isn’t just an edge case; it’s a real-world security risk that can catch even experienced admins off guard.
The firewall feature in Power Platform is a step in the right direction, but it’s not enough on its own. As AI agents become more integrated across Microsoft 365, security boundaries need to evolve with them.
If your organization relies on IP restrictions to safeguard business logic, it’s critical to account for how those controls break down when agents are extended beyond the platform.
Until that gap is closed, proactive governance is your best line of defense.
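One way to put that governance into practice is a periodic audit that flags agents living in firewall-protected environments but published to Microsoft 365 Copilot, and then checks interaction records for client IPs outside the environment allowlist. The following is an added example, not code from the original article or from Microsoft; the inventory and record layouts, field names, the `m365copilot` channel label, and all sample values are constructed assumptions rather than a real export schema.

```python
import ipaddress

# Constructed inventory; field names are hypothetical, not a Microsoft export schema.
ENVIRONMENTS = {
    "env-finance": {"ip_firewall": True, "allowlist": ["203.0.113.0/24"]},
    "env-sandbox": {"ip_firewall": False, "allowlist": []},
}
AGENTS = [
    {"name": "InvoiceHelper", "env": "env-finance", "channels": ["m365copilot"]},
    {"name": "HRBot", "env": "env-finance", "channels": []},  # not published
    {"name": "DemoAgent", "env": "env-sandbox", "channels": ["m365copilot"]},
]
# Constructed interaction records: (agent, channel, client IP).
INTERACTIONS = [
    ("InvoiceHelper", "m365copilot", "203.0.113.17"),  # inside the allowlist
    ("InvoiceHelper", "m365copilot", "198.51.100.9"),  # outside the allowlist
    ("DemoAgent", "m365copilot", "198.51.100.9"),      # environment has no firewall
]

def exposed_agents(envs, agents):
    """Agents in firewall-protected environments that are published to M365 Copilot."""
    return sorted(
        a["name"] for a in agents
        if envs.get(a["env"], {}).get("ip_firewall")
        and "m365copilot" in a["channels"]
    )

def out_of_policy_interactions(envs, agents, interactions):
    """Interactions with exposed agents from IPs the environment allowlist would block."""
    env_of = {a["name"]: a["env"] for a in agents}
    exposed = set(exposed_agents(envs, agents))
    hits = []
    for agent, channel, ip in interactions:
        if agent not in exposed or channel != "m365copilot":
            continue
        nets = [ipaddress.ip_network(c) for c in envs[env_of[agent]]["allowlist"]]
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            hits.append((agent, ip))
    return hits

if __name__ == "__main__":
    print("exposed agents:", exposed_agents(ENVIRONMENTS, AGENTS))
    print("outside allowlist:",
          out_of_policy_interactions(ENVIRONMENTS, AGENTS, INTERACTIONS))
```
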