Listen to this Post

Introduction:
Microsoft Copilot Studio now allows administrators to disable connected agents at the environment level directly from the Power Platform Admin Center. This setting, which blocks Copilot Studio agents from invoking other agents, addresses critical security and governance gaps in agent‑to‑agent (A2A) communication. Without this control, organizations risk unauthorized data flows, compliance violations, and complex dependency chains that undermine zero‑trust principles.
Learning Objectives:
- Understand the security and governance risks of agent‑to‑agent communication in Copilot Studio.
- Learn how to disable connected agents across Power Platform environments using the Admin Center and PowerShell.
- Implement mitigation strategies for ALM, monitoring, and alternative secure A2A architectures.
You Should Know:
- What “Disable Connected Agents” Actually Does – and Why It Matters
The setting “Enabling Copilot Studio agent to invoke another agent” is a tenant‑wide or environment‑level toggle found under Power Platform Admin Center > Copilot > Settings. When unchecked, no agent built in Copilot Studio within that environment can call any other agent, even if they are configured as connected agents. This prevents lateral movement where a compromised agent could invoke another with higher privileges or access sensitive data. It also eliminates hidden dependency chains that are hard to audit.
Step‑by‑step guide to check current status using PowerShell (Power Platform Admin module):
Install the module if not present
Install-Module -Name Microsoft.PowerPlatform.Administration -Force
Connect to your tenant
Add-PowerPlatformAccount -Endpoint prod
List all environments and their Copilot settings
Get-PowerPlatformEnvironment | ForEach-Object {
$envName = $_.Name
$settings = Get-PowerPlatformCopilotSetting -EnvironmentName $envName
[bash]@{
Environment = $envName
ConnectedAgentsEnabled = $settings.EnableConnectedAgents
}
}
To disable via API (REST with Azure AD token):
Using curl on Linux/WSL or Windows (with token)
curl -X PATCH "https://api.powerplatform.com/providers/Microsoft.PowerPlatform/environments/{envId}/copilotSettings" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"properties": {"enableConnectedAgents": false}}'
- Step‑by‑Step: Disable Connected Agents via Power Platform Admin Center
This is the recommended method for most admins.
Step 1: Navigate to https://admin.powerplatform.microsoft.com.
Step 2: On the left menu, select Copilot then Settings.
Step 3: Choose the target environment from the dropdown.
Step 4: Under “Connected agents Copilot Studio”, uncheck “Enabling Copilot Studio agent to invoke another agent”.
Step 5: Click Save. The change takes effect immediately – no agent restart required.
Windows command alternative using Power Platform CLI:
pac admin copilot settings set --environment <EnvironmentId> --enable-connected-agents false
- Security Implications: Preventing Lateral Movement and Data Leakage
When agents can invoke each other, the invoked agent executes under its own identity (often a service principal or user context). If an attacker gains control of a low‑privilege agent, they could chain calls to an agent with access to sensitive databases or external APIs. Disabling connected agents breaks this chain. Additionally, Microsoft Purview currently does not log activities performed by an invoked agent under the calling agent’s ID – a gap explicitly noted in the original discussion. This blind spot makes forensic investigations impossible.
Mitigation: Use Azure API Management as a gateway for any necessary A2A communication. Force all agent calls through a central API with strict authentication (e.g., client certificates or managed identities) and enable diagnostic logging. Example API Management policy snippet:
<inbound>
<choose>
<when condition="@(context.Request.Headers.GetValueOrDefault("X-Agent-ID") != "authorized-agent")">
<return-response>
<set-status code="403" reason="Forbidden" />
</return-response>
</when>
</choose>
</inbound>
4. Compliance and Governance: Meeting Regulatory Requirements
Regulations like GDPR, HIPAA, and FedRAMP require strict data processing records and access controls. Agent‑to‑agent invocations obscure the original caller, making it impossible to produce a complete audit trail. By disabling connected agents, you enforce a policy where every agent interaction must be explicitly approved and logged at the entry point.
PowerShell script to audit environments where connected agents are still enabled:
$allEnvs = Get-PowerPlatformEnvironment
$violations = @()
foreach ($env in $allEnvs) {
$setting = Get-PowerPlatformCopilotSetting -EnvironmentName $env.Name
if ($setting.EnableConnectedAgents -eq $true) {
$violations += $env.Name
}
}
Write-Host "Environments with connected agents ENABLED: $violations" -ForegroundColor Red
5. ALM Challenges and Mitigation Strategies
One major issue raised in the discussion: if a connected agent changes, all consuming agents may need republishing and verification. This creates brittle ALM pipelines. When you disable connected agents, you eliminate this hidden coupling. For existing solutions that rely on A2A, refactor them into a single agent that handles all required logic, or expose the functionality as a secure custom connector with versioned APIs.
Step‑by‑step to refactor:
- Identify all agent‑to‑agent invocations using Power Platform logs (or cross‑reference solution dependencies).
- For each invoked agent, extract its core logic into a reusable custom connector that authenticates via managed identity.
- Update the calling agent to call the custom connector instead of another agent.
- Deploy the connector and the updated agent together as a single solution to maintain version alignment.
6. Alternative Architectures for Secure Agent Collaboration
If your business absolutely requires agent‑to‑agent interaction (e.g., a “master orchestrator” and specialized sub‑agents), do not use Copilot Studio’s native connected agents. Instead:
– Host sub‑agents as Azure Functions or Logic Apps behind a private endpoint.
– Use Azure API Management with OAuth 2.0 (client credentials flow) and IP whitelisting.
– Implement mutual TLS between agents.
– Log every request to a centralized SIEM (Sentinel or Splunk).
Example Azure Function with authentication (C):
[FunctionName("SecureAgent")]
public static async Task<IActionResult> Run(
[HttpTrigger(AuthorizationLevel.Function, "post")] HttpRequest req,
ILogger log)
{
// Validate a custom API key or JWT
if (!req.Headers.TryGetValue("X-API-Key", out var apiKey) || apiKey != Environment.GetEnvironmentVariable("ALLOWED_KEY"))
return new UnauthorizedResult();
// Process request
}
7. Monitoring and Auditing After Disabling Connected Agents
Once disabled, monitor the Power Platform audit logs for any attempts to invoke a connected agent (the action will fail with a policy violation). Use Azure Monitor to create alerts.
KQL query for Azure Log Analytics:
PowerPlatformActivity | where OperationName == "InvokeCopilotAgent" | where ResultStatus == "Failure" | where Properties has "connected agents disabled" | project TimeGenerated, UserId, EnvironmentName, AgentId | summarize Attempts = count() by EnvironmentName, UserId
Set up an alert rule when `Attempts > 5` within 1 hour – this may indicate a misconfigured app or an attacker probing.
What Undercode Say:
- Key Takeaway 1: Disabling connected agents is not just a feature toggle – it is a foundational security control that closes a major lateral movement vector in AI‑driven automation platforms.
- Key Takeaway 2: Without this control, compliance and auditing become impossible because Microsoft Purview does not track invoked agent activity under the original caller’s identity.
The original post highlights a real‑world demand from large enterprises: a simple, environment‑level kill switch for agent‑to‑agent calls. Many organizations are already struggling with governance gaps in low‑code AI tools. By exposing this setting, Microsoft acknowledges that A2A communication introduces unacceptable risk in sensitive environments. Security teams should treat Copilot Studio agents like any other service account – enforce least privilege, require explicit trust, and log every interaction. The absence of built‑in auditing for connected agents means the only safe default is off.
Prediction:
Within 18 months, Microsoft will be forced to either deprecate native connected agents or implement mandatory, unbypassable audit trails for every agent invocation. Meanwhile, third‑party governance tools (e.g., from AvePoint, Rencore) will rush to provide visibility into agent dependencies. Enterprises that disable connected agents now will avoid costly incident response later, as attackers increasingly target AI agent orchestration as a soft entry point into cloud tenants.
▶️ Related Video (70% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Ishakapoor Copilotstudio – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


