I haven’t published an external Copilot agent yet, but based on my research, the key is layered security: enforce OAuth2/OpenID Connect authentication (e.g., Microsoft Entra ID or Google) to block anonymous access, add a CAPTCHA on the hosting page since Copilot Studio doesn’t support it natively, secure the Web channel with tokens and rate limiting via an API Gateway, and enable monitoring and governance with tools like Purview, Application Insights, and Defender for threat detection.
It’s true that authentication and CAPTCHA can slow down user adoption, and finding the right balance between security and usability is tricky, but they make your agent much safer. Also, in Copilot Studio you can limit the number of Copilot credits your agent consumes and disable it once the limit is reached, which helps prevent unexpected costs if a bot abuses the system.
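As an added illustration (not part of the reply above and not Copilot Studio code), this sketch shows how a gateway in front of the web channel could chain the controls the reply lists: a short-lived signed token issued only after sign-in and CAPTCHA, a per-user rate limit, and a usage cap that disables the agent. The `ChatGate` class, its parameters and the gateway-side credit counter are hypothetical; identity and CAPTCHA verification are assumed to happen upstream.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque


class ChatGate:
    """Hypothetical gateway check in front of the agent's web channel."""

    def __init__(self, secret, ttl=300, per_minute=5, credit_budget=100):
        self.secret, self.ttl = secret, ttl
        self.per_minute, self.credits_left = per_minute, credit_budget
        self.hits = defaultdict(deque)  # user id -> recent message timestamps

    def _sign(self, msg):
        return hmac.new(self.secret, msg.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, user_id, captcha_ok, now=None):
        # user_id comes from the identity provider after sign-in; captcha_ok is
        # the hosting page's CAPTCHA verdict. Both are assumed verified upstream.
        if not user_id or not captcha_ok:
            return None
        now = time.time() if now is None else now
        msg = f"{user_id}|{int(now + self.ttl)}"
        return f"{msg}|{self._sign(msg)}"

    def allow_message(self, token, now=None):
        now = time.time() if now is None else now
        try:
            user_id, exp, sig = token.rsplit("|", 2)
            expires = int(exp)
        except (AttributeError, ValueError):
            return False, "bad_token"
        expected = self._sign(f"{user_id}|{exp}")
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False, "bad_token"
        if now >= expires:
            return False, "expired"
        window = self.hits[user_id]
        while window and now - window[0] >= 60:
            window.popleft()  # drop hits older than the 60-second window
        if len(window) >= self.per_minute:
            return False, "rate_limited"
        if self.credits_left <= 0:
            return False, "agent_disabled"  # budget spent: stop serving
        window.append(now)
        self.credits_left -= 1
        return True, "ok"
```

Rejected requests never consume budget, so automated abuse exhausts only its own per-user allowance before the global cap is touched.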