Automatic security scan in Copilot Studio

By default, agents are secure. However, you can modify the default security settings for valid scenarios without knowing the risk. Copilot Studio automatically runs a security scan and warns makers before publishing.

Makers see risks when the following secure default settings are updated:

• Set the authentication mode for an agent to No authentication to allow anyone who has the link to interact with the agent. The default agent authentication mode is Authenticate with Microsoft but makers can select No authentication instead. For more information, see Choose an authentication option.

• The maker selects Author authentication option under User authentication for connectors and flows. The default option for connectors and flows is User authentication, and the security scan provides a warning if the maker changes it to Author authentication. For more information, see Use connectors with agent author's credentials.

• The maker shares an agent with everyone in the organization. The default agent is shared with no one and makers can then share it with everyone in the organization. For more information, see Share an agent with everyone in the organization.

Related content

• Configure user authentication
• Use connectors with agent author's credentials
• Share a cloud flow with run-only permissions
• Share an agent with everyone in the organization