Applies to Product - Power Apps
What’s happening?
Users are able to publish agents in Copilot Studio without requiring authentication, specifically when the setting "No Authentication" is enabled. This poses a security concern as unauthenticated users can access bots.
Reason:
The current configuration allows users to publish agents without authentication despite attempts to enforce authentication settings through existing documentation and policies.
Resolution:
- Access the Microsoft 365 admin center to block specific apps or extensions that allow publishing without authentication.
- Review existing policies for agent publishing and authentication within Copilot Studio.
- Enforce Microsoft Entra ID authentication through Azure AD Conditional Access Policies.
- Utilize Role-Based Access Control (RBAC) to ensure that only authorized users can publish agents.
- Configure Data Loss Prevention (DLP) policies in the Power Platform admin center to block unauthenticated agents.
- Specifically, create a tenant-level block for the connector "Chat without Microsoft Entra ID" to prevent the publishing of agents that do not require authentication.
- Follow the documentation provided for setting up DLP policies to ensure compliance with authentication requirements.
