Enterprise administrators who thought they had locked down Microsoft 365 Copilot agents are discovering that the tenant-wide "No users can access" setting has been silently ignored for certain agents, leaving them discoverable and installable by end users. This control-plane failure, confirmed in multiple tenant reports and security investigations, forces organizations into manual per-agent blocking through PowerShell and exposes sensitive data to unauthorized access. The flaw is part of a broader set of governance gaps that undermine the audit integrity and sandbox isolation of Copilot's AI ecosystem, leaving defenders scrambling for compensating controls.

Three Interconnected Failures

Recent scrutiny by administrators and security researchers has documented three distinct but mutually reinforcing failure classes: a policy-enforcement gap that ignores tenant-level agent blocks, an audit-telemetry gap that conceals resource access from Purview logs, and a sandbox misconfiguration that enabled privilege escalation within Copilot's live Python environment. Each amplifies the risks of the others, creating a systemic trust deficit in the platform's governance promises.

Policy Enforcement Failure: "NoUsersCanAccessAgent" Ignored

The most operationally disruptive flaw is a policy-enforcement gap: administrators set agent availability to "No users can access agent", a global restriction intended to hide an agent from every user in the tenant, yet some agents remain visible or installable. Reports indicate this behavior is most common with Microsoft-published prebuilt agents and a subset of partner agents provisioned through Copilot Studio. The discrepancy suggests either a desynchronization between the admin center's UI state and the runtime code that determines discoverability, or a bypass through privileged provisioning paths that never evaluate the tenant-level check. The practical consequence is that the admin-center state cannot be taken as proof of enforcement; only a probe from a real non-admin account shows what users can actually see.

Administrators have been forced into a labor-intensive workaround: manually enumerating all agents and running per-agent revocation or blocking commands via PowerShell or REST APIs. This approach does not scale for large tenants with hundreds of agents, introduces human error, and leaves gaps in the remediation timeline. Until a platform-wide fix is fully validated, the only reliable defense is a manual quarantine process.

Audit Telemetry Gap: Missing AccessedResources in Purview

Separately, security researchers reproduced a trivial prompt variation that caused Copilot to summarize a document while the corresponding Purview audit record omitted the AccessedResources file-reference attribute. In practice, this means Copilot presented a summary derived from a tenant file, but standard Purview-driven SIEM correlations and eDiscovery playbooks could not link the action back to the underlying resource. Microsoft acknowledged and applied server-side remediation for the observed case, but the incident exposes a fragile dependency on vendor telemetry alone. Regulated industries, in particular, rely on complete audit trails for compliance and legal discovery; a missing resource reference can void chains of evidence and extend forensic investigations.

Sandbox Misconfiguration: The pgrep Path-Hijack

Independent research by Eye Security demonstrated that Copilot's live Python/Jupyter sandbox searched a writable directory before the system binary directories on $PATH. A crafted file named after a system utility (pgrep in the published case) dropped into that directory was resolved ahead of the real binary by a process running as root, yielding root execution inside the container. Container root does not by itself guarantee host escape, but it enables telemetry tampering, local log modification, and reconnaissance of the surrounding environment that can compound the other failures. Microsoft patched the environment following coordinated disclosure, but the finding illustrates how a simple configuration oversight, PATH ordering combined with a world-writable directory, yields powerful privileges inside an otherwise isolated sandbox.
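The precondition behind that finding, and the check that catches it, as an added example. This is not Eye Security's proof of concept and not the real Copilot container layout: it builds a throwaway directory tree in which a world-writable directory is searched before the directory holding a stand-in pgrep, shows that a same-named file planted there wins command resolution, and then shows both remediations (reorder PATH, or drop the world-writable bit). Directory names and the pgrep stand-in scripts are constructed; nothing touches the host's own PATH.

```python
"""PATH-shadowing precondition check, with a throwaway demonstration tree.

Added example, not Eye Security's proof of concept and not the real Copilot
container layout. Directory names and the "pgrep" stand-in scripts are
constructed for the demo; nothing here touches the host's own PATH.
"""
import os
import shutil
import stat
import tempfile


def writable_dirs_before(path, command):
    """Directories on `path` that are world-writable and searched before the
    first directory that actually holds `command`. Any process resolving
    `command` through this PATH (a root entrypoint script, for instance) can
    be made to run a file dropped there instead of the real binary."""
    exposed = []
    for d in path.split(os.pathsep):
        if not d or not os.path.isdir(d):
            continue
        candidate = os.path.join(d, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            break  # resolution stops at the first executable hit
        if os.stat(d).st_mode & stat.S_IWOTH:
            exposed.append(d)
    return exposed


def _write_script(path, message):
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho %s\n" % message)
    os.chmod(path, 0o755)


def build_demo_tree():
    """Constructed layout: a world-writable user directory and a system
    directory holding the genuine (stand-in) pgrep."""
    root = tempfile.mkdtemp(prefix="path-shadow-demo-")
    system_dir = os.path.join(root, "usr", "bin")
    writable_dir = os.path.join(root, "home", "user", "bin")
    os.makedirs(system_dir)
    os.makedirs(writable_dir)
    _write_script(os.path.join(system_dir, "pgrep"), "real-pgrep")
    os.chmod(writable_dir, 0o777)  # the misconfiguration being modelled
    return root, system_dir, writable_dir


def demo():
    """Run the check against a vulnerable ordering, plant a shadow, and show
    the two remediations: reorder PATH, or remove the world-writable bit."""
    root, system_dir, writable_dir = build_demo_tree()
    try:
        weak_path = os.pathsep.join([writable_dir, system_dir])
        fixed_path = os.pathsep.join([system_dir, writable_dir])
        result = {
            "system_dir": system_dir,
            "writable_dir": writable_dir,
            "real_path": os.path.join(system_dir, "pgrep"),
            "shadow_path": os.path.join(writable_dir, "pgrep"),
            # 1. Before anything is planted the check already flags the hole.
            "exposed": writable_dirs_before(weak_path, "pgrep"),
            "resolved_before_shadow": shutil.which("pgrep", path=weak_path),
        }
        # 2. An unprivileged user drops a same-named file into the writable dir.
        _write_script(result["shadow_path"], "shadow-pgrep")
        result["resolved_after_shadow"] = shutil.which("pgrep", path=weak_path)
        # 3a. Remediation by ordering: system directories first.
        result["resolved_fixed_order"] = shutil.which("pgrep", path=fixed_path)
        result["exposed_fixed_order"] = writable_dirs_before(fixed_path, "pgrep")
        # 3b. Remediation by permissions: same weak order, directory no longer
        #     world-writable, so nobody else can plant a shadow there.
        os.remove(result["shadow_path"])
        os.chmod(writable_dir, 0o755)
        result["exposed_fixed_perms"] = writable_dirs_before(weak_path, "pgrep")
        return result
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-24s %s" % (key, value))
```

Run `writable_dirs_before(os.environ["PATH"], "pgrep")` inside any container you operate to audit the real environment; an empty list is the expected answer, and anything else is a directory an unprivileged process can use to shadow commands for a privileged one.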

Why This Matters to Enterprises

The real-world risks cascade across data exfiltration, shadow automation, compliance erosion, and operational overhead:

  • Data exfiltration by stealthy agents: An agent that remains discoverable despite a block policy can perform semantic retrievals from SharePoint, OneDrive, or Exchange and return excerpts or summaries to users who shouldn’t have that access. Where agents expose “search” or “export” features, direct leakage can occur.
  • Shadow automation and uncontrolled actions: Agents tied to Power Platform workflows or RPA can execute actions (move files, call connectors, run flows) outside change-control processes if non-admin users can invoke them—creating operational and legal risk, particularly for regulated data.
  • Audit, compliance, and forensics erosion: Missing AccessedResources attributes in Purview events break the chain of evidence that compliance teams and incident responders rely on. A missing audit link is not a minor inconvenience; it materially extends investigation timelines and can fail legal discovery requirements.
  • Operational overhead and human error: The temporary per-agent PowerShell remediation requires admins to enumerate agents, run revokes one by one, and maintain an auditable log. This manual process is slow, error-prone, and unsustainable at scale.
  • Downstream escalation risk from sandbox root: Though container root may not directly escape to the host, it enables deeper attacks if additional misconfigurations exist, undermining the entire trust model of the sandboxed AI environment.

Microsoft’s Response and Official Guidance

Microsoft’s documentation outlines a tiered governance model for agents: Microsoft-installed (like Researcher and Analyst), admin-installed, and user-installed. The admin center provides controls to block, remove, or restrict agents, and the Copilot Control System is meant to be the single pane for governance. Additionally, Microsoft has released PowerShell and REST/SDK pathways for blocking agents, and has emphasized Conditional Access and Purview DLP as compensating controls.

In response to reported issues, Microsoft applied server-side fixes for the Purview audit emission gap and the Jupyter sandbox path-hijack. The sandbox fix was classified at moderate importance, and both remediations required no tenant action. However, the policy-enforcement gap remains a focal point for administrators, as the company’s incremental tooling—such as mid-2025 PowerShell cmdlets for blocking agents—still leaves many environments reliant on manual workarounds until all surfaces are validated.

Technical Anatomy: Why Enforcement Can Fail

Analysis points to several platform characteristics that contribute to the observed failures:

  • Control-plane desynchronization: Inventory and UI surfaces in admin centers may not be synchronized with the runtime enforcement code, creating race conditions where an agent appears to users even when policy state should hide it.
  • Privileged provisioning or publisher differentiation: Microsoft-published agents and those provisioned through certain privileged flows may be routed through backend channels that do not evaluate the same tenant-level UI checks, yielding inconsistent behavior across product surfaces (web, Teams, Outlook, mobile).
  • Policy semantics vs. hard-deny enforcement: Some admin toggles are implemented as scoping hints or UX-layer filters rather than authoritative, platform-wide prohibitions. If an admin control only affects the UI layer, other surfaces or privileged provisioning paths can still expose the agent.
  • Telemetry and UI divergence: UI rendering paths can diverge from audit emission paths; suppressing a link in the user-facing response may inadvertently short-circuit the code that emits AccessedResources metadata into Purview, creating audit gaps.

Prioritized Mitigation Checklist for Administrators

While platform fixes evolve, security teams can take immediate, practical steps to reduce risk. The following prioritized checklist draws from official guidance and community-tested workarounds.

Immediate Triage (0–48 hours)

  1. Export and reconcile the Copilot Agent inventory from the Microsoft 365 admin center and Copilot Control System. Treat any unknown publisher or agent as high priority; create a quarantine list.
  2. Reproduce enforcement checks from representative non-admin accounts (including guest profiles) across web, Teams, Outlook, and mobile surfaces. Document discrepancies and open support tickets if tenant behavior contradicts admin settings.
  3. If blocked agents remain discoverable, apply per-agent blocking via documented admin PowerShell or REST/SDK controls to temporarily quarantine them until platform fixes are validated.
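The reconciliation that the per-agent workaround in the policy-enforcement section and triage steps 1 to 3 above call for, written out as an added example (not Microsoft tooling and not the page's own code). It takes an exported agent inventory and the results of probing each agent from non-admin and guest accounts across surfaces, both constructed here with assumed field names rather than any documented admin-center export or Graph schema, and produces the discrepancy report plus the ordered worklist for per-agent blocking. It also records agents that were never probed on a surface, because absence of a probe is a coverage gap, not evidence that the block holds.

```python
"""Reconcile tenant-level agent availability settings against what
non-admin test accounts actually observe across Copilot surfaces.

Added example, not Microsoft's tooling. The inventory export and probe
results are constructed; their field names (agent_id, availability,
surface, visible) are assumptions and do not correspond to any documented
admin-center export or Graph schema.
"""
from collections import defaultdict
from dataclasses import dataclass

SURFACES = ("web", "teams", "outlook", "mobile")
BLOCKED = "NoUsersCanAccessAgent"


@dataclass(frozen=True)
class AgentPolicy:
    agent_id: str
    name: str
    publisher: str
    availability: str  # BLOCKED, "AllUsers" or "SpecificUsers"


@dataclass(frozen=True)
class Probe:
    agent_id: str
    account: str   # non-admin or guest test identity used for the check
    surface: str   # one of SURFACES
    visible: bool  # agent was discoverable/installable from that account


# Constructed inventory export (assumed shape).
INVENTORY = [
    AgentPolicy("agt-001", "Researcher", "Microsoft", BLOCKED),
    AgentPolicy("agt-002", "HR Helper", "Contoso IT", "AllUsers"),
    AgentPolicy("agt-003", "Sales Assist", "Unlisted Partner", BLOCKED),
    AgentPolicy("agt-004", "Analyst", "Microsoft", BLOCKED),
]

# Constructed probe results from a member and a guest identity.
PROBES = [
    Probe("agt-001", "user1@contoso.example", "web", False),
    Probe("agt-001", "user1@contoso.example", "teams", True),    # contradicts policy
    Probe("agt-002", "user1@contoso.example", "web", True),      # allowed, fine
    Probe("agt-003", "guest1@partner.example", "web", True),     # contradicts policy
    Probe("agt-003", "guest1@partner.example", "outlook", False),
    # agt-004 was never probed: a coverage gap, not evidence of enforcement
]

KNOWN_PUBLISHERS = {"Microsoft", "Contoso IT"}


def reconcile(inventory, probes, known_publishers):
    """Return policy/runtime discrepancies, unknown publishers and the
    surfaces on which each agent's enforcement has not been verified."""
    by_id = {p.agent_id: p for p in inventory}
    seen = defaultdict(set)  # agent_id -> surfaces probed
    violations = []
    for pr in probes:
        pol = by_id.get(pr.agent_id)
        if pol is None:
            # Visible at runtime but absent from the admin inventory: worst case.
            violations.append((pr.agent_id, pr.account, pr.surface, "not in inventory"))
            continue
        seen[pr.agent_id].add(pr.surface)
        if pol.availability == BLOCKED and pr.visible:
            violations.append((pr.agent_id, pr.account, pr.surface, "blocked but visible"))
    unknown = [p.agent_id for p in inventory if p.publisher not in known_publishers]
    untested = {p.agent_id: sorted(set(SURFACES) - seen[p.agent_id])
                for p in inventory if set(SURFACES) - seen[p.agent_id]}
    return {"violations": violations, "unknown_publisher": unknown, "untested": untested}


def quarantine_worklist(inventory, report):
    """Order agents for per-agent blocking: confirmed bypass from an unknown
    publisher first, then other confirmed bypasses, then blocked agents whose
    enforcement has not been verified on every surface."""
    violating = {v[0] for v in report["violations"]}
    unknown = set(report["unknown_publisher"])
    blocked = {p.agent_id for p in inventory if p.availability == BLOCKED}
    scored = []
    for agent in sorted({p.agent_id for p in inventory} | violating):
        if agent in violating and agent in unknown:
            prio = 3
        elif agent in violating:
            prio = 2
        elif agent in blocked and agent in report["untested"]:
            prio = 1
        else:
            continue
        scored.append((agent, prio))
    return sorted(scored, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    rep = reconcile(INVENTORY, PROBES, KNOWN_PUBLISHERS)
    for v in rep["violations"]:
        print("VIOLATION", v)
    print("worklist:", quarantine_worklist(INVENTORY, rep))
```

Keep the probe results and the worklist output with the ticket you open, since together they are the evidence that tenant behavior contradicted the admin setting on a named surface from a named non-admin identity.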

Short-term Hardening (48 hours – 2 weeks)

  1. Enforce Conditional Access for Copilot and AI services: require phishing-resistant MFA (FIDO2/Windows Hello for Business), compliant devices, and session controls for high-sensitivity roles.
  2. Apply Purview sensitivity labels and DLP to restrict Copilot’s ability to process high-sensitivity content. Restrict access to HR, legal, or regulated data repositories and validate the effect with simulated Copilot queries.
  3. Harden maker and uploader privileges in Copilot Studio: restrict who can publish agents, require connector approvals, and apply connector management policies.

Detection and Monitoring (2–6 weeks)

  1. Correlate Purview CopilotInteraction/AIAppInteraction records with Microsoft Graph read counters, SharePoint/OneDrive access logs, and agent invocation logs in your SIEM. Create detection rules for anomalous agent usage, unexpected cross-connector retrievals, or spikes in agent-driven exports.
  2. Simulate the “link suppression” edge case in a non-production tenant: ask Copilot to “summarize without including a link” and confirm that a complete AccessedResources event is generated. If not, augment detection with secondary signals (file read counters, API calls).
  3. Route Purview audit logs to immutable storage or a hardened SIEM export to preserve evidence continuity; configure pay-as-you-go and retention controls per compliance needs.
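The secondary-signal correlation that steps 1 and 2 above describe, covering the "link suppression" case from the audit-telemetry section, as an added example (not a Purview feature and not Microsoft's schema). It reads constructed unified-audit-log style records, flags every Copilot interaction that produced a response but carries no AccessedResources entry, and recovers the likely file from SharePoint or OneDrive access events by the same user inside a short window. Apart from Operation, UserId, CreationTime, CopilotEventData and AccessedResources, the field names and the 90-second window are assumptions to be adjusted against real exports; an interaction with no corroborating file read is reported at low severity, because a response with no grounding in tenant data is normal.

```python
"""Flag Copilot audit records that carry a response but no AccessedResources,
then recover the likely file from SharePoint/OneDrive access events by the
same user in a short window.

Added example, not a Purview feature or Microsoft's schema. The records are
constructed to resemble unified-audit-log JSON; apart from Operation, UserId,
CreationTime, CopilotEventData and AccessedResources, field names and the
90-second window are assumptions to adapt to real exports.
"""
import json
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=90)  # assumed correlation window (tuning choice)
FILE_READ_OPS = {"FileAccessed", "FileAccessedExtended"}

# Constructed sample: two interactions by alice (one with, one without a
# resource reference), a corroborating SharePoint read, an unrelated read
# by bob, and an interaction by carol with no grounding evidence at all.
SAMPLE_AUDIT = r"""[
 {"Operation": "CopilotInteraction", "UserId": "alice@contoso.example",
  "CreationTime": "2025-06-03T09:14:05+00:00",
  "CopilotEventData": {"AppHost": "Office",
   "Messages": [{"Id": "m1", "isPrompt": true}, {"Id": "m2", "isPrompt": false}],
   "AccessedResources": [{"Id": "doc-42", "Name": "Q2-Board-Pack.docx", "Type": "Document"}]}},
 {"Operation": "CopilotInteraction", "UserId": "alice@contoso.example",
  "CreationTime": "2025-06-03T09:15:10+00:00",
  "CopilotEventData": {"AppHost": "Office",
   "Messages": [{"Id": "m3", "isPrompt": true}, {"Id": "m4", "isPrompt": false}],
   "AccessedResources": []}},
 {"Operation": "FileAccessed", "Workload": "SharePoint", "UserId": "alice@contoso.example",
  "CreationTime": "2025-06-03T09:15:08+00:00",
  "ObjectId": "https://contoso.example/sites/finance/Q2-Board-Pack.docx"},
 {"Operation": "FileAccessed", "Workload": "OneDrive", "UserId": "bob@contoso.example",
  "CreationTime": "2025-06-03T09:15:09+00:00",
  "ObjectId": "https://contoso.example/personal/bob/notes.docx"},
 {"Operation": "CopilotInteraction", "UserId": "carol@contoso.example",
  "CreationTime": "2025-06-03T10:00:00+00:00",
  "CopilotEventData": {"AppHost": "Teams",
   "Messages": [{"Id": "m5", "isPrompt": true}, {"Id": "m6", "isPrompt": false}],
   "AccessedResources": []}}
]"""


def load_records(text):
    """Parse an exported JSON array of audit records."""
    return json.loads(text)


def _when(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def find_unattributed_interactions(records, window=WINDOW):
    """One finding per Copilot interaction that produced a response without
    any AccessedResources entry. Severity is 'high' when file reads by the
    same user fall inside the window (the summary almost certainly came from
    tenant data the audit record does not name) and 'low' when nothing
    corroborates it."""
    interactions = [r for r in records if r.get("Operation") == "CopilotInteraction"]
    file_reads = [r for r in records if r.get("Operation") in FILE_READ_OPS]
    findings = []
    for rec in interactions:
        data = rec.get("CopilotEventData", {})
        responded = any(not m.get("isPrompt", True) for m in data.get("Messages", []))
        if not responded or data.get("AccessedResources"):
            continue
        t = _when(rec)
        candidates = sorted(
            fr["ObjectId"] for fr in file_reads
            if fr["UserId"] == rec["UserId"] and abs(_when(fr) - t) <= window
        )
        findings.append({
            "user": rec["UserId"],
            "time": rec["CreationTime"],
            "app_host": data.get("AppHost"),
            "severity": "high" if candidates else "low",
            "candidate_resources": candidates,
        })
    return findings


if __name__ == "__main__":
    for f in find_unattributed_interactions(load_records(SAMPLE_AUDIT)):
        print(f["severity"].upper(), f["user"], f["time"], f["candidate_resources"])
```

The same logic ports to a scheduled SIEM query: join Copilot interactions with empty AccessedResources to file-access events on user and time, and alert on the high-severity bucket so a missing resource reference never goes unnoticed until an investigation needs it.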

Ongoing Operational Controls

  • Maintain an auditable register of agent revocations and a playbook for per-agent blocking/unblocking. Automate agent inventory reconciliation with daily or weekly checks.
  • Harden oversight consoles (Responsible AI Operation panels) with strict admin separation, vaulted credentials, and dedicated monitoring.

Risk Assessment: Strengths, Gaps, and the Governance Deficit

Notable strengths

  • Microsoft’s layered architecture—containerized sandboxes, network constraints, and centralized telemetry—reflects modern defense-in-depth. Server-side fixes were issued reasonably quickly for disclosed vulnerabilities.
  • Incremental admin tooling (PowerShell, REST APIs, Copilot Control System) and compensating controls (Conditional Access, DLP) give tenants some ability to harden their posture while platform fixes mature.

Significant gaps and risks

  • Multi-surface complexity: The combined attack surface across web, Teams, Outlook, and Studio, along with privileged provisioning paths, makes it likely that policy intent will not match runtime reality—a governance deficit, not merely a coding bug.
  • Telemetry divergence: The possibility that UI decisions suppress audit emissions breaks the core compliance assumption that every AI-driven read of sensitive data produces a durable, attributable record. This has outsized consequences for regulated sectors.
  • Operational cost of manual remediation: At scale, manual agent blocking introduces fatigue and drift, increasing the probability of missed blocks and incomplete remediation.

Longer-Term Implications and Recommendations

Vendors must treat admin toggles as authoritative enforcement primitives—not as UX scoping hints. A tenant’s security posture depends on explicit deny semantics being honored across all product surfaces. Telemetry must be robust, independently verifiable, and accompanied by guarantees about which attributes are emitted for every data access. Coordinated disclosure programs must adequately incentivize researchers to report reproducible bugs, as the sandbox path-hijack case illustrates the value of external scrutiny.

In the end, the Copilot governance failures are a microcosm of modern cloud-AI risk: user-facing convenience, complex multi-surface rollouts, and multiple backend provisioning paths create unanticipated gaps. The technical fixes are necessary, but the enterprise takeaway is operational: assume vendor controls can fail, validate them regularly, and layer compensating controls—Conditional Access, DLP, immutable audit exports, agent inventory reconciliation, and per-agent quarantine processes. Administrators must treat Copilot agents like any other third-party application: insist on explicit deny semantics, test enforcement from real user contexts, require phishing-resistant authentication, and never rely on a single vendor-supplied signal to prove compliance or detect breach.