How Copilot Studio Agents Can Slip Past Power Platform’s Firewall

Ziv Hagbi

Microsoft’s Power Platform recently introduced an IP-based Firewall feature designed to restrict access to environments based on IP addresses. The goal is to ensure that only users from approved locations can interact with the environment and its resources, such as AI-powered Agents, Power Apps, Flows, and so on.

However, we have identified a critical security vulnerability that enables users to bypass these firewall restrictions when deploying Declarative Agents from Copilot Studio into Microsoft 365 Copilot. Once an agent is extended beyond Power Platform, it effectively escapes the IP restrictions enforced at the environment level, allowing unauthorized users to interact with it from prohibited IP addresses.

This presents a significant security risk for organizations that rely on environment-based firewall controls to protect sensitive business logic and data.

Firewall Rules vs Declarative Agents: An Unexpected Loophole

How the Firewall Works

Power Platform's IP-based Firewall is configured at the environment level via the PP Admin Center, enforcing IP allowlist rules to restrict access to authorized users. Only those accessing from approved IP addresses can interact with the environment’s resources.

How the Bypass Occurs

Despite these restrictions, Declarative Agents created in Copilot Studio can be published to Microsoft 365 Copilot, which operates outside the firewall-controlled environment. Once deployed, the agent is hosted within Microsoft 365 Copilot’s infrastructure, which does not enforce Power Platform’s firewall policies.

This means that a user who should be blocked by the Power Platform environment firewall can still engage with the agent via M365 Copilot, gaining access to protected resources and information.

Breaking it Down: How the Bypass Works

We recreated this scenario in a test environment to validate the vulnerability; here’s how we did it.

1. Create a Declarative Agent in Copilot Studio

Using a test user, create a new Declarative Agent inside Copilot Studio, within a Power Platform environment protected by firewall rules.

2. Enable the Firewall Feature

Navigate to Power Platform Admin Center → Environment → Features → Privacy & Security and enable the IP-based firewall rule. Define an allowlist that includes only your approved office IP range.

Note: This feature is available only in Managed Environments.

3. Deploy the Agent to Microsoft 365 Copilot

Publish the agent from Copilot Studio to Microsoft 365 Copilot.

4. Approve the Agent in Microsoft 365 Admin Center

Navigate to Office 365 Admin Center → Integrated Apps → Requested Apps and approve the newly deployed agent.

Once approved, it will appear under ‘Available Apps’, allowing users to install it.

5. Access the Agent from an Unauthorized IP Address

  • Use a VPN or mobile hotspot to connect from an IP not included in the allowlist.
  • Log in to Microsoft 365 Copilot.
  • Install and interact with the agent by either selecting it from the store or using the @AgentName mention.
  • Observe that the agent works without any IP restriction, bypassing Power Platform’s firewall controls.

Why This Is a Serious Security Risk

This isn’t just an edge case; it’s a real-world security risk that can catch even experienced admins off guard.

  1. Admins Are Unaware:
    1. Power Platform Admins enforce firewall rules assuming they restrict all access.
    2. However, an M365 Admin (who may not be aware of the security policy in Power Platform) can approve an agent’s deployment, inadvertently allowing access from external locations.
  2. Data Exposure Risk:
    1. The agent may query internal data sources or interact with sensitive resources that should have been protected by the firewall.
  3. Lack of Monitoring:
    1. Since interactions occur within Microsoft 365 Copilot, there are no direct audit logs in Power Platform’s security monitoring.

What Can You Do Right Now

For Organizations:

  • Restrict Who Can Build & Deploy Agents: Limit Copilot Studio usage to specific users or teams.
  • Implement Review Processes: Before an agent is extended to M365 Copilot, require an internal security review.
  • Monitor External Interactions: Use M365 Security Logs to track unexpected access patterns to agents.
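As an added illustration of the monitoring recommendation above (example code written for this article, not a Microsoft or vendor tool), the script below replays constructed audit records shaped loosely like Microsoft 365 Copilot interaction events and flags any use of an agent that was published from a firewall-protected environment when the client IP falls outside the Power Platform allowlist. The field names (`CreationTime`, `UserId`, `ClientIP`, `Workload`, `Operation`, `AgentName`), the allowlist and the agent names are assumptions for the example.

```python
import ipaddress
import json
from typing import Iterable

# Constructed sample records, loosely modelled on M365 unified audit log
# entries for Copilot interactions. The field names are assumptions for
# this example, not a documented schema.
SAMPLE_AUDIT_LOG = """
{"CreationTime": "2025-03-01T09:02:11", "UserId": "alice@contoso.example", "ClientIP": "203.0.113.17", "Workload": "Copilot", "Operation": "CopilotInteraction", "AgentName": "FinanceAgent"}
{"CreationTime": "2025-03-01T09:05:42", "UserId": "bob@contoso.example", "ClientIP": "198.51.100.23", "Workload": "Copilot", "Operation": "CopilotInteraction", "AgentName": "FinanceAgent"}
{"CreationTime": "2025-03-01T09:07:03", "UserId": "carol@contoso.example", "ClientIP": "203.0.113.250", "Workload": "Copilot", "Operation": "CopilotInteraction", "AgentName": "HRAgent"}
{"CreationTime": "2025-03-01T09:09:15", "UserId": "dave@contoso.example", "ClientIP": "2001:db8::1", "Workload": "Exchange", "Operation": "MailItemsAccessed", "AgentName": ""}
"""

# Mirror of the Power Platform firewall allowlist (constructed office range).
OFFICE_ALLOWLIST = ["203.0.113.0/24"]
# Agents known to have been published from a firewall-protected environment (constructed).
PROTECTED_AGENTS = {"FinanceAgent", "HRAgent"}


def ip_allowed(ip: str, allowlist: Iterable[str]) -> bool:
    """True if ip is inside any allowlisted network; unparsable IPs count as not allowed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowlist)


def find_offnet_agent_use(log_text: str, allowlist: Iterable[str], protected_agents: set) -> list:
    """Return Copilot interactions with protected agents that came from outside the allowlist."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        # Only Copilot interaction events with one of the protected agents are of interest.
        if rec.get("Workload") != "Copilot" or rec.get("Operation") != "CopilotInteraction":
            continue
        if rec.get("AgentName") not in protected_agents:
            continue
        # The firewall would have blocked this IP at the environment level; M365 Copilot did not.
        if not ip_allowed(rec.get("ClientIP", ""), allowlist):
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"],
                             "ip": rec["ClientIP"], "agent": rec["AgentName"]})
    return findings


if __name__ == "__main__":
    for f in find_offnet_agent_use(SAMPLE_AUDIT_LOG, OFFICE_ALLOWLIST, PROTECTED_AGENTS):
        print(f"{f['time']} {f['user']} used {f['agent']} from {f['ip']} (outside firewall allowlist)")
```

Fed with exported audit log lines, the same check turns the blind spot described under “Lack of Monitoring” into an alertable event for the Power Platform admin.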

Rethinking What “Environment-Based Security” Really Means

The firewall feature in Power Platform is a step in the right direction, but it’s not enough on its own. As AI agents become more integrated across Microsoft 365, security boundaries need to evolve with them.

If your organization relies on IP restrictions to safeguard business logic, it’s critical to account for how those controls break down when agents are extended beyond the platform.

Until that gap is closed, proactive governance is your best line of defense.

