Microsoft Message Center MC908119 has many scrambling for answers

Organizations that have Microsoft 365 Copilot licenses received word from Microsoft that starting November 11th, any user with a Copilot license will have access to extensibility features, and admins will lose tenant-level control over who can use Copilot agents.

What does this mean?

This means that business users can enable 3rd party extensions and plugins that are built using Copilot’s extension framework, Copilot Studio. This can lead to data loss and leakage, as well as bad actors leveraging these extensions to lure end users to malicious sites or downloads.

One of the most common misconfigurations is improper or non-existent authentication mechanisms in front of these powerful resources. If you’d like to understand your current landscape of public bots that are built using Copilot Studio and over-shared, check out Copilot Hunter.

What can I do about this?

Zenity has a purpose built solution that has long helped enterprises reduce the risk that comes when business users are building and using plugins and extensions as part of Microsoft 365 Copilot workflows.

We do this by:

• Identifying any plugins and extensions that are built using Copilot Studio
• Running deep analysis on each plugin and extension to understand the underlying business logic and context
• Identifying vulnerabilities of those 3rd party extensions and plugins and mitigate risks of data leakage and loss
• Implement guardrails for secure development on Copilot Studio to make sure any extension or plugin adheres to corporate standards for risk and compliance