Security teams are already familiar with application risk, identity risk, and data risk. Agentic systems collapse those domains into one operating model. Autonomy introduces a new problem: a system can be “working as designed” while still taking steps that a human would be unlikely to approve, because the boundaries were unclear, permissions were too broad, or tool use was not tightly governed.

The OWASP Top 10 for Agentic Applications (2026) outlines the top ten risks associated with autonomous systems that can act across workflows using real identities, data access, and tools.

This blog is designed to do two things: First, it explores the key findings of the OWASP Top 10 for Agentic Applications. Second, it highlights examples of practical mitigations for risks surfaced in the paper, grounded in Agent 365 and foundational capabilities in Microsoft Copilot Studio.

OWASP helps secure agentic AI around the world

OWASP (the Open Worldwide Application Security Project) is an online community led by a nonprofit foundation that publishes free and open security resources, including articles, tools, and documentation used across the application security industry. In the years since the organization’s founding, OWASP Top 10 lists have become a common baseline in security programs.

In 2023, OWASP identified a security gap that needed urgent attention: traditional application security guidance wasn’t fully addressing the nascent risks stemming from the integration of LLMs and existing applications and workflows. The OWASP Top 10 for Agentic Applications was designed to offer concise, practical, and actionable guidance for builders, defenders, and decision-makers. It is the work of a global community spanning industry, academia, and government, built through an “expert-led, community-driven approach” that includes open collaboration, peer review, and evidence drawn from research and real-world deployments.

Microsoft has been a supporter of the project for quite some time, and members of the Microsoft AI Red Team helped review the Agentic Top 10 before it was published. Pete Bryan, Principal AI Security Research Lead, on the Microsoft AI Red Team, and Daniel Jones, AI Security Researcher on the Microsoft AI Red Team, also served on the OWASP Agentic Systems and Interfaces Expert Review Board.

Agentic AI delivers a whole range of novel opportunities and benefits. However, unless it is designed and implemented with security in mind, it can also introduce risk. OWASP Top 10s have been the foundation of security best practice for years. When the Microsoft AI Red Team gained the opportunity to help shape a new OWASP list focused on agentic applications, we were excited to share our experiences and perspectives. Our goal was to help the industry as a whole create safe and secure agentic experiences.

Pete Bryan, Principal AI Security Research Lead

The 10 failure modes OWASP sees in agentic systems

Read as a set, the OWASP Top 10 for Agentic Applications makes one point again and again: agentic failures are rarely “bad output.” But they are bad outcomes. Many risks show up when an agent can interpret untrusted content as instruction, chain tools, act with delegated identity, and keep going across sessions and systems. Here is a quick breakdown of the types of risk called out in greater detail in the Top 10:

Agent goal hijack (ASI01): Redirecting an agent’s goals or plans through injected instructions or poisoned content.

Tool misuse and exploitation (ASI02): Misusing legitimate tools through unsafe chaining, ambiguous instructions, or manipulated tool outputs.

Identity and privilege abuse (ASI03): Exploiting delegated trust, inherited credentials, or role chains to gain unauthorized access or actions.

Agentic supply chain vulnerabilities (ASI04): Compromised or tampered third-party agents, tools, plugins, registries, or update channels.

Unexpected code execution (ASI05): Turning agent-generated or agent-invoked code into unintended execution, compromise, or escape.

Memory and context poisoning (ASI06): Corrupting stored context (memory, embeddings, RAG stores) to bias future reasoning and actions.

Insecure inter-agent communication (ASI07): Spoofing, intercepting, or manipulating agent-to-agent messages due to weak authentication or integrity checks.

Cascading failures (ASI08): A single fault propagating across agents, tools, and workflows into system-wide impact.

Human–agent trust exploitation (ASI09): Abusing user trust and authority bias to get unsafe approvals or extract sensitive information.

Rogue agents (ASI10): Agents drifting or being compromised in ways that cause harmful behavior beyond intended scope.

For security teams, knowing that these issues are top of mind across the global community of agentic AI users is only the first half of the equation. What comes next is addressing each of them through properly implemented controls and guardrails.

Build observable, governed, and secure agents with Microsoft Copilot Studio

In agentic AI, the risk isn’t just what an agent is designed to do, but how it behaves once deployed. That’s why governance and security must span both in development (where intent, permissions, and constraints are defined), and operation (where behavior must be continuously monitored and controlled). For organizations building and deploying agents, Copilot Studio provides a secure foundation to create trustworthy agentic AI. From the earliest stages of the agent lifecycle, built in capabilities help ensure agents are safe and secure by design. Once deployed, IT and security teams can observe, govern, and secure agents across their lifecycle.

In development, Copilot Studio establishes clear behavioral boundaries. Agents are built using predefined actions, connectors, and capabilities, limiting exposure to arbitrary code execution (ASI05), unsafe tool invocation (ASI02), or uncontrolled external dependencies (ASI04). By constraining how agents interact with systems, the platform reduces the risk of unintended behavior, misuse, or redirection through indirect inputs. Copilot Studio also emphasizes containment and recoverability. Agents run in isolated environments, cannot modify their own logic without republishing (ASI10), and can be disabled or restricted when necessary (ASI07, ASI08). For example, if a deployed support agent is coaxed (via an indirect input) to “add a new action that forwards logs to an external endpoint,” it can’t quietly rewrite its own logic or expand its toolset on the fly; changes require republishing, and the agent can be disabled or restricted immediately if concerns arise. These safeguards prevent localized agent failures from propagating across systems and reinforce a key principle: agents should be treated as managed, auditable applications, not unmanaged automation.

To support governance and security during operation, Microsoft Agent 365 will be generally available on May 1. Currently in preview, Agent 365 enables organizations to observe, govern, and secure agents across their lifecycle, providing IT and security teams with centralized visibility, policy enforcement, and protection capabilities for agentic AI.

Once agents are deployed, Security and IT teams can use Agent 365 to gain visibility into agent usage, manage how agents are used, and enforce organizational guardrails across their environment. This includes insights into agent usage, performance, risks, and connections to enterprise data and tools. Teams can also implement policies and controls to help ensure safe and compliant operations. For example, if an agent accesses a sensitive document, IT and security teams can detect the activity in Agent 365, investigate the associated risk, and quickly restrict access or disable the agent before any impact occurs. Key capabilities include:

Access and identity controls alongside policy enforcement to ensure agents operate within the appropriate user or service context, helping reduce the risk of privilege escalation and applying guardrails like access packages and usage restrictions (ASI03).

Data security and compliance controls to prevent sensitive data leakage and detect risky or non-compliant interactions (ASI09).

Threat protection to identify vulnerabilities (ASI04) and detect incidents such as prompt injection (ASI01), tool misuse (ASI02), or compromised agents (ASI10).

Together, these capabilities provide continuous oversight and enable rapid response when agent behavior deviates from expected boundaries.

Keep learning about agentic AI security

Agentic AI changes not just what software can do, but how it operates, introducing autonomy, delegated authority, and the ability to act across systems. The shift places new demands on how systems are designed, secured, and operated. Organizations that treat agents as privileged applications, with clear identities, scoped permissions, continuous oversight, and lifecycle governance, are better positioned to manage and reduce risk as they adopt agentic AI. Establishing governance early allows teams to scale innovation confidently, rather than retroactively building controls after the agents are embedded in workflows. Here are some resources to look over as the next step in your journey:

OWASP Top 10 for Agentic Applications (2026): The baseline: top risks for agentic systems, with examples and mitigations.

Microsoft AI Red Team: How Microsoft stress-tests AI systems and what teams can learn from that practice.

Microsoft Security for AI: Microsoft’s approach to protecting AI across identity, data, threat protection, and compliance.

Microsoft Agent 365: The enterprise control plane for observing, governing, and securing agents.

Microsoft AI Agents Hub: Role-based readiness resources and guidance for building agents.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

OWASP Top 10 for Agentic Applications content © OWASP Foundation. This content is licensed under CC BY-SA 4.0. For more information, visit https://creativecommons.org/licenses/by-sa/4.0/

The post Addressing the OWASP Top 10 Risks in Agentic AI with Microsoft Copilot Studio appeared first on Microsoft Copilot Blog.

Wave 3 of Microsoft 365 Copilot

Wave 3 marks a new version of Microsoft 365 Copilot, moving beyond assistance to embedded agentic capabilities. And this is just the start, with much more product innovation to follow in the months ahead.

Copilot Cowork

Working closely with Anthropic, we have brought the technology that powers Claude Cowork into Microsoft 365 Copilot. It’s this multimodel advantage that makes Copilot different. Your work is not limited by one brand of models. Copilot hosts the best innovation from across the industry and chooses the right model for the job regardless of who built it. This is a pattern of work that will only become more powerful as new models and ways of working emerge.

Copilot Cowork brings long‑running, multi‑step work into Microsoft 365 Copilot, moving beyond prompts and responses toward execution that unfolds over time. And, with Work IQ, it has the full context of your work, not just fragments of data, so it can reason over all relevant materials. Instead of asking Copilot to generate a single artifact, Cowork allows you to delegate meaningful work and stay in the loop as that work progresses.

With Cowork, Copilot can break down complex requests into steps, reason across tools and files, and carry work forward with visible progress and opportunities to steer. Tasks are no longer confined to a single turn or a single app. They can run for minutes or hours, coordinating actions and producing real outputs along the way.

Cowork is built with enterprise needs in mind. Work is observable. Actions are transparent. Documents are immediately enterprise knowledge that’s protected and ready to share. Progress can be reviewed, guided, or stopped. And everything operates within Microsoft’s security, identity, and governance framework, so organizations can adopt these capabilities with confidence.

By combining Anthropic’s agentic model for multi-step tasks with Microsoft 365, Cowork delivers a managed, enterprise‑grade experience that pairs powerful reasoning with the controls enterprises expect. This is the promise of Copilot: the best AI innovation from across the industry delivered quickly with the intelligence of Work IQ and trust of Microsoft’s Enterprise Data Protection. Cowork is being tested with a limited set of customers as a research preview and will be available through the Frontier program in March.

Join the Frontier program to get access to Microsoft’s latest AI innovations.

Microsoft 365 Copilot in Word, Excel, PowerPoint, and Outlook 

Today, many AI tools treat the creation of an artifact as a single-shot task. They connect to Microsoft 365 data but miss key context. They create content that doesn’t follow how apps natively work. They create version sprawl by producing files that are locally downloaded. And they do not respect the existing confidentiality protections within an organization.

Wave 3 of Copilot will now work alongside you in Word, Excel, PowerPoint, and Outlook, creating, editing, and refining high-quality content from start to finish inside a document, spreadsheet, presentation, or email. And it uses Work IQ to stay grounded in the context of your work, so edits always reflect what is current and relevant across your files, meetings, chats, and relationships.

Copilot does the heavy lifting by updating existing work: refining a Word document into a polished draft, improving Excel spreadsheets with real formulas, producing slides in PowerPoint that match how your organization builds decks—including understanding layouts, object styles, and brand kits— and drafting and refining emails directly in Outlook. And because this work happens inside the apps where people already work, every change is transparent, reviewable, and reversible as you iterate.

During preview, we described these capabilities as “Agent Mode.” As we moved toward general availability, it became clear that this isn’t a separate mode at all—it’s core to how this next wave of Copilot works.

Microsoft 365 Copilot enforces existing Microsoft 365 permissions and sensitivity labels and saves files to OneDrive and SharePoint—with tenant-level controls—so protected content isn’t processed when extraction isn’t allowed. This means organizations can apply governance, audit, compliance, and retention policies at scale.

These new Copilot experiences are generally available in Excel and Word, with PowerPoint and Outlook starting to roll out over the coming months.

Agents in chat

Not all work starts inside a document or an app. Often, it begins conversationally—with a question, an idea, or a rough intent that needs to be turned into action.

That’s why, in Wave 3, chat in Copilot is the entry point for chat‑first creation and execution. From chat, you can create documents, spreadsheets, and presentations directly from a conversation, or ask Copilot to take common workplace actions—like scheduling a meeting or drafting and sending an email to your team—without copying and pasting between tools or switching contexts. These end‑to‑end workflows move work forward immediately and set Copilot apart.

Chat in Copilot is where the ecosystem comes together. Built‑in agents for Word, Excel, PowerPoint, and Outlook let you move easily from conversation into app‑native work. And with agents in Copilot supporting open standards like Apps SDK and MCP Apps, your apps can now surface directly within chat—enabling live, interactive experiences where work actually happens. From sales and customer service insights in Microsoft Dynamics 365, to custom apps built with Microsoft Power Apps, to partner experiences from Adobe, Monday.com, and Figma, Copilot brings your critical tools and insights together in one place.

Copilot also makes it easy for people across your organization to build agents that support their day‑to‑day work using Agent Builder. Meanwhile, IT and business leaders can create more sophisticated business process agents with Microsoft Copilot Studio—from employee onboarding to procurement. Recent updates to Copilot Studio help organizations evaluate agent quality, coordinate multiple agents, and ensure agents work together across systems—while remaining observable, governable, and secure at enterprise scale. 

Copilot works directly inside apps when work is underway, and agents in chat provide the starting point when work begins with a conversation.

Excel, Word, and PowerPoint Agents are rolling out to generally availability in chat in Copilot. Schedule from chat and custom instructions are available today and send email from chat is rolling out with broad availability this spring. 

Multi‑model intelligence

Wave 3 also advances Microsoft’s commitment to model choice in Copilot, so intelligence can show up in the right way for the work at hand, without requiring you to think about models at all.

Many AI tools lock users into a single vendor’s models. Others force people to choose between tools, experiences, or modes depending on the task. That fragmentation creates friction for individuals and complexity for organizations. Leaders end up managing overlapping tools, inconsistent experiences, and rising costs as teams bring their own AI into the business.

At the same time, IT and business decision‑makers are forced into long‑lived vendor bets, even as the pace of model innovation accelerates and better capabilities emerge elsewhere. The result is broken context for users, unnecessary overhead for organizations, and the burden of model selection pushed onto people who just want to get work done.

In contrast, Microsoft 365 Copilot brings leading models from multiple providers directly into the work experience. With Wave 3, Claude is now available in mainline chat in Copilot via the Frontier program, alongside the latest generation of OpenAI models, which continue to roll out with new releases. This means users can access advanced reasoning and multistep capabilities in their everyday Copilot conversations, not just specialized tools. Copilot automatically applies the right model for the task, all grounded in your enterprise context and protected by Microsoft’s security and governance controls.

Agent 365

As organizations adopt agents as part of everyday work, the challenge shifts from experimentation to operating them with trust, safety, and control at scale. IDC projects agent use will increase by an order of magnitude over the next few years, with hundreds of millions—and soon billions—of agents operating across enterprises.¹ That scale creates a new dilemma for IT and security leaders: how to manage agents across the organization without rebuilding infrastructure, weakening security posture, or slowing innovation. This is exactly the scenario Agent 365 was designed for.

Agent 365 is the control plane for agents. In practical terms, it gives IT and security leaders one place to observe, secure, and govern every agent across the organization, and it provides the confidence to move from agent experimentation to enterprise-scale operations. Agent 365 extends the management, security, and governance processes organizations already use for employees to agents, so they can stay in control as agents become part of daily work.

The idea is simple: there is no need to reinvent the wheel. The fastest path to getting agents under control is to manage them in a similar manner to managing users, using familiar Microsoft solutions including the Microsoft Admin Center for agent management and Microsoft Security solutions like Defender, Entra, and Purview for agent security and governance.

Agent 365 will be generally available on May 1, priced at $15 per user per month.

Introducing Microsoft 365 E7: The Frontier Suite

Frontier transformation is real when both sides of the system move together: people and AI operating across the enterprise.

Microsoft 365 E7: The Frontier Suite closes the gap, equipping employees with AI across email, documents, meetings, spreadsheets, and business application surfaces, while giving IT and security leaders the observability and governance needed to operate AI at enterprise scale.

Copilot and agents work together with shared intelligence, understanding context, history, priorities, and constraints. Trust is built in by default—with user data, enterprise data, and agent actions protected through identity, policy, and observability—so AI can scale across the workforce without compromising security or compliance.

Microsoft 365 E7 will be available for purchase on May 1 at a retail price of $99 per user per month, and includes Microsoft 365 Copilot, Agent 365, Microsoft Entra Suite, and Microsoft 365 E5 with advanced Defender, Entra, Intune, and Purview security capabilities to help secure users, delivering comprehensive protection across agents and users.

Get started today

Wave 3 of Microsoft 365 Copilot marks a turning point in how AI shows up at work. Agentic capabilities are embedded directly into Word, Excel, PowerPoint, Outlook, and Copilot Chat, bringing multi‑model intelligence into everyday workflows. Agent 365 makes this shift operational by giving organizations a way to observe, govern, and secure agents as they move from experimentation to enterprise‑scale use. Microsoft 365 E7 brings it all together by unifying productivity, AI, identity, and security into a single foundation.

Together, these changes make frontier transformation real: intelligence that understands the context of work, and trust that allows AI to scale safely across the workforce. When intelligence and trust move together, AI stops being an experiment and starts becoming how work gets done.

• Visit Microsoft365.com/copilot or download the Microsoft 365 app on your mobile device to get started.
• For the latest research and insights on AI at work, visit WorkLab.
• Learn from our engineering leaders how Microsoft delivers AI built for work at the Microsoft Frontier Transformation digital event on March 9, 2026, at 8:00 AM PT.

Footnotes

Microsoft 365 E7 is available with and without Teams.

¹IDC Info Snapshot, sponsored by Microsoft, 1.3 Billion AI Agents by 2028, May 2025 #US53361825

The post Powering Frontier Transformation with Copilot and agents appeared first on Microsoft Copilot Blog.

Microsoft Copilot Studio and Agent Builder in Microsoft 365 Copilot are designed to help customers reliably create agents that scale and deliver real, sustained business value—not just prototypes. Recent enhancements focus on making it easier to move from building an agent to running one confidently across complex, dynamic environments, with consistent quality and the ability to evolve as business needs change.

Discover the latest capabilities in agent evaluations, exciting updates for computer-using agents (including expanded model support), a new Agent Academy Operative training path, and more. Plus, learn how you can use these capabilities to help ensure your agents are ready for scale.

Build trust at scale with enhanced agent evaluations in Copilot Studio

Agents aren’t “set and forget.” Prompts evolve, models update, and data changes—which raises a critical question as agents take on real work: can we trust them at scale? Agent evaluations answer that question with evidence. They’re designed to turn expectations into measurable checks, help teams catch regressions early, and provide a repeatable way to assess agent quality as behavior and context evolve.

For example, a finance leader rolling out an agent for expense policy guidance or month‑end analysis needs to trust its behavior before moving beyond a pilot. With enhanced agent evaluations in Copilot Studio, teams can now validate performance using their own scenarios, policies, and production data—measuring quality, usability, and responsiveness across a full test set instead of isolated cases.

Side‑by‑side comparisons then help catch regressions before changes go live. Meanwhile, built‑in transparency and session replays support internal and external stakeholder review. The result is a clear, evidence‑based path from experimentation to trusted deployment.

Available in public preview, here’s a quick rundown of the latest eval enhancements.

Holistic and multi-dimensional agent evaluation

• Set-level grading framework: You can now evaluate agents across an entire test set instead of individual test cases, enabling an accurate measure of overall quality. By consolidating results from multiple tasks, makers can better understand real-world performance by seeing how agents maintain quality across a range of scenarios.
• Multiple graders per test set: With the ability to apply multiple grading approaches—such as quality, performance, and usability assessments—to the same test set, teams can gain a more complete evaluation without the complexity of managing separate test sets.
• Comparative testing: Teams can compare multiple agent versions side by side, which can make it easier to spot regressions and validate improvements before pushing the best version live.

Improved transparency and control

• User reactions and feedback: Makers can now provide quick feedback on evaluation results using a simple thumbs up or thumbs down action. This feedback helps Copilot Studio capture signals about evaluation accuracy, grader alignment, and edge cases, which means our team can continuously refine our evaluation models and improve result quality for agent makers.
• Open activity map in evaluation: Direct integration with the activity map gives teams immediate insight into how agents executed tasks, helping identify where issues occurred faster and improve optimization.
• Enterprise-grade auditing: Advanced session replays, action logs, and Microsoft Purview integration offer detailed visibility into agent behavior, helping makers preserve quality and streamline troubleshooting.

Streamlined workflow and data integration

• CSV downloadable format: Makers can now download a ready-to-use comma-separated values (CSV) template that follows the exact structure required for importing test cases into evaluation. Instead of creating files from scratch—and running into formatting errors, missing columns, or failed imports—teams can rely on a validated template that can help shorten setup time and remove unnecessary friction.
• Import production data into evaluation: Real-world production data can now be imported directly into evaluations, providing high-quality test sets that reflect actual user interactions. This is designed to improve evaluation accuracy and help makers tune agents more closely to their specific audiences.
• Import and export of test sets, test cases, and results: Makers can import or export test sets, individual test cases, and evaluation results. This helps simplify teamwork and support repeatable testing across environments—essentials for enterprise-scale agent development.

Scale automation across real-world systems with nimbler computer use

Most organizations don’t lack ideas for automation. Instead, the challenge tends to be with fragmented systems, limited APIs, legacy desktop tools, and workflows that go across multiple departments. Replacing everything isn’t realistic. But maintaining brittle, script-based automation isn’t sustainable either.

Copilot Studio’s computer-using agents (CUAs) can address this gap by interacting directly with web and desktop interfaces, supporting automation across systems that weren’t designed to integrate. They facilitate automation in complex, dynamic environments where traditional robotic process automation (RPA) falls short.

Consider a customer support organization handling service requests across disconnected systems. When a customer submits a support request, a computer-using agent can:

1. Retrieve customer and entitlement details from the customer relationship management (CRM) system.
2. Create or update a case in the service management system.
3. Pull relevant troubleshooting steps from a knowledge base.
4. Update the case status and resolution checklist in Microsoft SharePoint.
5. Notify the assigned service representative and escalate if service-level agreements (SLAs) are at risk.

This would be impossible with RPA alone because of the need to transcend systems. Although pieces could be automated, a person historically would need to initiate each step. With computer use, the organization can now accelerate this process and mitigate missed steps, without requiring a redesign of existing systems.

And the latest updates enhance the value of your computer-using agents, adding key capabilities that enable improved flexibility, security, and scalability:

• Expanded model availability: We’ve added Claude Sonnet 4.5 as an additional model choice for CUAs. You can choose between Anthropic models and OpenAI’s Computer-Using Agent to get the best possible results for your task.
• Built-in credentials: Simplify and secure authentication with built-in credentials that require minimal setup. Users simply input their username and password once, and Copilot Studio stores the credentials securely.
• Enterprise-grade logging and auditing: New monitoring tools, integrated with Microsoft Purview, enhance computer-using agent session visibility. This includes detailed logs of agent activity and session replays with screenshots that support traceability and compliance processes.
• Cloud PC pool: Powered by Windows 365 for Agents, this scalable, managed cloud infrastructure integrates with Microsoft Entra and Intune. These PC pools auto-scale based on workload demand, helping you handle spikes without over-provisioning.

We know the more tools that help drive operational efficiency while maintaining control over automated workflows, the more confident teams can be about adopting computer use. That’s why these updates help elevate computer-using agents as a more reliable, adaptable solution for enterprises looking to scale their use of agentic automation.

Learn to build multi-agent systems with the Agent Academy Operative path

Finished the Recruit training from the Copilot Studio Agent Academy and looking to go deeper? The new Operative path unlocks the next level of training for agent makers who are ready to build their skills. It’s designed for practitioners who already have their first agent working and want to expand their skills to build more sophisticated, production-ready solutions.

The Operative path walks learners through building a complex, multi-agent hiring automation system, using it as an applied learning example that can be adapted to any business scenario.

Along the way, participants develop critical skills such as writing clear and effective agent instructions, selecting and evaluating AI models, and applying advanced prompt patterns, agent flow integration, and Model Context Protocol (MCP). The curriculum also emphasizes operational readiness, including feedback loops, telemetry, and AI safety throughout the agent lifecycle.

By the end of the path, learners can gain a deeper understanding of how to design, build, and architect scalable multi-agent systems that can evolve with business needs. For creators ready to move from basic agents to more advanced, reliable solutions, the Operative path provides a practical and structured next step.

What else is new and improved in Copilot Studio

Now, let’s take a quick look at some other exciting updates—all generally available (GA)—that further enhance your Copilot Studio (and Agent Builder) experience:

• Copy agents from Agent Builder into Copilot Studio to scale impact: Agents that start as individual ideas in Agent Builder and prove team-wide value can now be opened directly in Copilot Studio for a more extensive maker experience. This unlocks advanced features such as topics, automations, expanded publishing channels, and enterprise governance controls, including data loss prevention and application lifecycle management. For example, a support representative’s personal helper agent can be expanded into a shared tool that categorizes tickets, suggests responses, and routes issues to the right specialists—without rebuilding from scratch.
• Query your agent inventory from Azure Resource Graph: The Microsoft Power Platform agent inventory, which organizes and displays all your published Copilot Studio and Agent Builder agents, is now generally available. Admins can query this inventory programmatically using Azure Resource Graph to access detailed data about both draft and published agents across the tenant, using Azure portal, CLI, PowerShell, or REST API.
• Generate icons for your agents using AI in Agent Builder: Makers can now generate custom agent icons directly in Agent Builder using AI. Instead of browsing or creating artwork manually, they simply describe how the icon should look—using the agent’s description or a custom prompt—and get a unique icon designed to stand out in the Agent Store.
• Try the Copilot Studio extension for Visual Studio Code: The Copilot Studio extension lets teams version, edit, and deploy agents directly from Visual Studio Code, making it easier to align with existing software development workflows.

The big takeaway: Stronger Copilot Studio tools for more scalable agent experiences

These updates aren’t just new features; they strengthen the tools teams rely on to create agents that scale with their business. By enhancing flexibility, security, and visibility, these updates are designed to make it easier to scale agents without starting over each time.

This continuity helps makers innovate quickly while IT teams maintain control over governance, compliance, and performance—bridging the gap between rapid iteration and enterprise-grade reliability. Why? Because at the end of the day, the best agents are those that are built to grow with your needs, and with these updates, that evolution becomes more attainable every month.

Stay up to date on all things Copilot Studio

Check out all the updates as we ship them, as well as new features releasing in the next few months here: What’s new in Microsoft Copilot Studio.

To learn more about Microsoft Copilot Studio and how it can transform productivity within your organization, visit the Copilot Studio website or sign up for our free trial today.

The post New and improved: Agent evaluations, computer use, and advanced maker training appeared first on Microsoft Copilot Blog.

To help teams like yours answer these complex questions faster and move with confidence, we’ve launched the new agent architecture guidance hub and a refreshed Microsoft Copilot Studio guidance hub. These on-demand resources offer end‑to‑end documentation across the agent lifecycle—from design and planning through operations, governance, and advanced architectural patterns.

Built on established practices from Microsoft engineering teams and real‑world deployments, these hubs give architects, developers, and IT a shared blueprint to work from. And they were designed to help your team make smarter architectural decisions, accelerate delivery with practical how‑to guidance, and scale safely with trusted governance, security, and responsible AI practices.

Whether you’re building your first agent or scaling across your enterprise, these hubs can help you start—and stay—on the right path.

Now, let’s explore what each hub offers and how to put them to work for your organization.

Meet the new agent architecture guidance hub

The new agent architecture guidance hub is a technology‑agnostic playbook for designing secure, reliable, and accountable agents. Unlike the Copilot Studio guidance hub and Azure Well‑Architected guidance, this hub focuses on the principles and patterns required to build scalable agent systems—regardless of platform, tools, or runtime.

Grounded in the same practices Microsoft 365‑grade agents use, this hub distills lessons from real‑world deployments into a single source of truth. It provides clear answers to foundational architecture questions, such as how your agents should be structured, how they should run, and how they should be governed at scale.

Use the agent architecture guidance hub to:

• Identify fit for purpose by mapping your scenario to the right agent flows, components, and reference architectures.
• Design for operability by building reliability in from the start, using deployment lifecycle and evaluation guidance.
• Establish trust, traceability, and transparency through responsible AI practices, governance, auditability, and security practices.
• Optimize search and tool‑use patterns by adopting retrieval, grounding, and tool‑execution approaches used in Microsoft 365 Copilot.

Discover the redesigned Copilot Studio guidance hub

The reimagined Copilot Studio guidance hub is your end‑to‑end playbook for designing, building, and operating agents in Copilot Studio. Unlike architecture‑level resources, such as the agent architecture guidance, this hub focuses on hands‑on implementation—so makers, developers, and IT admins know exactly how to execute their work inside the product.

The newly reorganized and expanded hub now mirrors the full lifecycle of an agent. It’s built around five practical stages—Plan, Implement, Manage, Improve, and Extend—so your team can quickly find the right guidance at the right moment, whether you’re starting fresh or scaling an existing deployment:

• Stage 1: Plan. Align on business goals, define success measures, apply responsible AI considerations, and design effective language understanding before building anything. This helps to ensure every agent starts with a clear purpose, measurable outcomes, and a responsible foundation.
• Stage 2: Implement. Focus on the design and build work inside Copilot Studio. Learn generative orchestration patterns, build topics effectively, integrate systems and APIs, and publish agents with confidence using patterns established to work in production.
• Stage 3: Manage. Operate agents with governance, ALM, capacity planning, project security, testing guidance, and compliance best practices. This stage helps teams define the guardrails and decisions needed to maintain trust, reliability, and control over time.
• Stage 4: Improve. Center continuous optimization around analytics, KPIs, and conversation insights to drive measurable improvements in accuracy, containment, deflection, and user satisfaction—turning real usage data into targeted enhancements.
• Stage 5: Extend. Go beyond out‑of‑the‑box capabilities with hands‑on extension guidance. Use the Copilot Studio Kit and work with the Microsoft 365 Agents SDK to add custom logic, actions, and richer workflows tailored to your organization’s unique scenarios.

Together, these stages make this hub a practical, step-by‑step playbook for building agents in Copilot Studio that are useful, safe, and maintainable from day one—and that can scale as your needs grow.

Build agents with confidence

Successful agents require more than a powerful platform—you also need clearer choices, practical guardrails, and a way to spend less time reinventing the wheel. The new agent architecture guidance hub and Copilot Studio guidance hub (together with our other resources like the Copilot Studio adoption site and Copilot Studio community forum) make it easier to go from early experiments to confident, repeatable delivery.

Use the agent architecture guidance hub to clarify what to build and why. Then, turn to the Copilot Studio guidance hub when you’re ready to design, build, and operate those agents more effectively in Copilot Studio.

Whether you’re experimenting with your first agent or managing a collection of agents in Microsoft Copilot Studio, put these resources to work to make your next build easier, safer, and faster.

The post New resources and guidance to plan, build, and operate enterprise-ready agents appeared first on Microsoft Copilot Blog.

Today’s leading organizations are going through an agentic business transformation. This change takes AI from concept to measurable impact, by automating existing workflows and using agents to enhance productivity and reinvent entire functions. Copilot Studio, Copilot’s agent platform, provides a fully managed solution for accomplishing this.

Using Copilot Studio, organizations around the world can quickly bring the benefits of AI to their business. Copilot Studio empowers companies to streamline and automate their processes with agentic workflows, create single-purpose agents to solve specific problems, and develop multi-agent solutions that drive measurable business outcomes at scale. The result: a scalable, secure, and governable foundation that supports the needs of IT administrators and business owners measuring return on investment (ROI). This system accelerates agentic transformation by delivering speed-to-value without sacrificing quality or control.

At the same time, with Microsoft 365 Copilot, users can easily use AI to improve their personal and team productivity. This tailored experience for Microsoft 365 Copilot users offers a fast, guided way to set up agents to support your work and automate everyday tasks, removing them from your plate.

Today, we’re excited to share new capabilities in Copilot Studio that support all of these scenarios and groups that use our product, making it easier for makers and administrators to shape agent behavior, enforce organizational standards, and extend functionality with AI.

End-user improvements

Our Copilot Studio experience for building agents and workflows, as well as our agent building capabilities in Microsoft 365 Copilot, continue to support agent creation for all users, from professional makers and IT administrators doing enterprise AI transformation, to employees building agents and workflows for their personal use. Recent updates focus on making the process simpler and more efficient.

What’s new in Microsoft 365 Copilot

• Redesigned creation experience: Build and refine agents through an improved conversational interface that guides users and taps into an expanded set of work-related knowledge sources.
• File generation with natural language: Agents built in Microsoft 365 Copilot, can now create Word, Excel, and PowerPoint files in seconds using natural language commands.
• Seamless upgrade path: Copy agents from Microsoft 365 Copilot to Copilot Studio in one click, unlocking advanced AI agent customization.
• Workflows agent in Microsoft 365 Copilot: Create, build, and manage workflows using natural language in chat. Boost productivity with quick scenarios like daily triage, weekly digests, and lightweight approvals—all directly within Copilot.

Maker improvements

IT application developers and other professional makers in the business can already build sophisticated agents in Copilot Studio without needing to code. Copilot Studio includes capabilities such as connecting and acting across more than 1,400 systems of record via Model Context Protocol (MCP), Power Platform connectors, and the Microsoft Graph. It also includes broad and deep tooling like autonomously writing and executing code, delivering rich out-of-the-box agent analytics and ROI measurement, and more, all built on the Microsoft governance and security platform. We’re excited to share new capabilities that give makers even more flexibility and control to design enterprise agents tailored to their unique organizational needs.

• Choose your own model: Select from leading options like OpenAI’s GPT‑5, Anthropic’s Sonnet 4.5, and Opus 4.1 to power your agents. This empowers you to tailor agent intelligence to fit your specific business scenario, optimize performance, experiment with new capabilities, and deliver agents that meet your organization’s unique needs.
• Ensure agents are ready for launch, and don’t regress over time, with Evaluations: Built-in evaluation tools help you test agents against real-world scenarios, compare versions, and track performance with clear metrics. Evaluations can give teams greater confidence that their investments are performing as expected.
• Computer use: Agents can now automate tasks across apps and websites, using secure Windows 365 experiences—from hosted browsers for quick web automation to IT-managed Cloud PC pools for rapid scalability.

Admin improvements

As agents become central to automating work and transforming workflows, Copilot Studio is introducing new governance and protection capabilities designed to help organizations maintain strong oversight.

• Expanded agent analytics: Clear insights into connected and child agent performance, detailed visibility into Copilot Credits consumption and limits, AI-generated summaries of top analytics insights, and interrogating analytics using natural language.
• Real-time protection: Copilot Studio integrates with Microsoft Defender and other trusted security platforms, providing continuous monitoring and protection against threats like prompt injection—helping every agent run more safely.
• Microsoft Entra Agent ID: Every agent made in Copilot Studio now gets a unique Microsoft Entra Agent ID, making it simple to register, manage, and govern your entire agent fleet.

Agent 365 and Copilot Studio: Unified control for agents

Agents are handling more responsibilities across enterprise operations and Copilot Studio is your launchpad for building them. With the introduction of Agent 365—the control plane for agents, the rich governance and management capabilities we offer today including sharing controls, advanced connector policies, agent inventory, zoned environment management, and more, will also be surfaced in the Agent 365 platform when using agents built in Copilot Studio.

Additionally, in Copilot Studio, makers can now build agents that use the new Agent 365 MCP servers. These servers allow agents to schedule meetings in Microsoft Teams, draft documents in Word, send emails in Outlook, and update customer relationship management (CRM) records in Microsoft Dynamics 365. This supports delivery of intelligent, compliant workflows and agents with built-in audit trails and granular policy enforcement—all from one platform.

Agent 365 is available starting today in Microsoft 365 Admin Center with Frontier, Microsoft’s early access program for the latest AI innovations.

Scale to the Frontier Firm with control

True transformation happens when agents are built for scale, governed for compliance, and measured for impact. Copilot Studio delivers that foundation, so organizations can build enterprise multi-agent systems, automate workflows with precision, and reimagine processes while minimizing risk.

EY’s results show what’s possible when you invest in a comprehensive agent platform, built on Microsoft. They are just one of many enterprise organizations implementing agents with Copilot Studio. In this case, their PowerPost Agent built on Copilot Studio led to major improvements in journal processing:

• 95% reduction in lead time
• 37% cost savings¹

Implementing the PowerPost Agent with Microsoft Copilot Studio has fundamentally transformed our journal processing. What once took minutes now happens in seconds—streamlining workflows and improving accuracy.

—Paula Korczak, Product Manager for General Ledger, EY

That’s the difference between cobbling together siloed agent platforms versus investing in a managed scalable agent platform like Copilot Studio: agents and agented process design that is repeatable, auditable, and scalable.

Get started today

To learn more about Copilot Studio and how it can transform your organization’s productivity, visit the Copilot Studio website and sign up for a free trial today. Take the Agent Readiness Assessment to benchmark your organization’s agent maturity across five critical areas—strategy, data, process, culture, and security—and get a personalized report to accelerate scalable agent adoption and drive agentic business transformation.

Want to explore all of Copilot Studio’s adoption content? Visit the Copilot Studio adoption page.

¹ EY redesigns its global finance process with Microsoft Power Platform

The post Why Microsoft Copilot Studio is the foundation for agentic business transformation appeared first on Microsoft Copilot Blog.

In this edition of our monthly roundup, we’re recapping the most exciting new features Microsoft Copilot Studio released in October 2025.

Build and optimize agents

Validate agents at scale with evaluations for automated testing

Agent quality just became significantly easier to measure and improve. With the automated agent evaluation experience, now available in public preview, makers can systematically test and validate their Copilot Studio agents at scale. Instead of running scenarios one by one, they can build and execute evaluation sets directly from the agent or the Test Pane, delivering structured, repeatable insights both before and after publishing.

This new experience offers flexibility in how evaluation sets are created. Makers can upload files with predefined questions and answers, reuse recent Test Pane queries, add cases manually, or instantly generate queries using AI. This approach ensures that test coverage spans organization-specific scenarios while also incorporating AI-suggested questions based on agent metadata and topics, providing a comprehensive view of performance.

Evaluations are powered by a robust grader framework that gives makers control over how accuracy is measured. Options range from strict checks such as Exact Match and Partial/Contains, to semantic comparisons like Similarity and Intent Match, and even AI-powered metrics including relevance, completeness, and groundedness. Each test delivers clear pass/fail results, detailed scores, and drill-down views into the knowledge and topics used.

For cases where reference answers are critical, makers can define expected responses manually or upload them in bulk, ensuring evaluations remain precise, transparent, and aligned with business expectations. AI further the Analytics tab in Copilot Studio accelerates validation by automatically generating test sets that can be executed immediately with AI metrics graders or combined with manual and uploaded sets for broader coverage.

These capabilities introduce a scalable, repeatable framework for agent quality, helping teams identify gaps early, reduce surprises in production, and track improvements over time. While multi-turn testing and additional graders are on the roadmap, this public preview represents a major leap forward in automated validation. 

Evaluations are available now in public preview. You can access them from the agent or test pane by selecting Evaluation.

Build with the latest OpenAI models in Copilot Studio

Copilot Studio continues to evolve with new model updates that improve performance and expand flexibility for makers. Depending on use case and application, different models may provide better responses to users. We’re committed to providing model choices that work for your business processes.

Starting October 27, 2025, GPT-4.1 became the default model for all newly created agents, replacing GPT-4o. Testing shows meaningful gains in both latency and response quality, helping agents deliver faster, more consistent results. GPT-4o will remain available through November 26, 2025, and agents in production will continue to leverage this model until then. However, you can update the model and opt in to GPT-4.1 today through the model-selection experience.

In addition, Copilot Studio is expanding availability of the GPT-5 family of models, first introduced in August 2025. Makers can now use GPT-5 Auto, GPT-5 Chat, and GPT-5 Reasoning not only in test environments but also in deployed agents. These models bring enhanced reasoning, richer dialogue capabilities, and more flexible problem-solving for complex scenarios. Please note that GPT-5 models remain in public preview and are not yet recommended for production use.

Together, these updates give makers access to the latest OpenAI advancements while maintaining continuity for existing agents. You continue to have top model choice at your fingertips to help create and deploy more accurate and effective agents at scale.

Speed up agent flow execution with express mode

Flow execution just got faster in Copilot Studio. Express mode, now in preview, optimizes agent flows to increase the likelihood that they’ll finish the flow within two minutes. This avoids agents or apps timing out while they wait for a response.

Express mode works best in flows that are logic-heavy but data-light. It limits flows to under 100 actions and smaller payloads so that the entire execution is more streamlined. For scenarios where large data sets needs to be moved or loops occur to iterate over large arrays, makers should test both with and without express mode.

This feature is in public preview and on by default. You can find the express mode toggle located on the flow’s Overview page in the editor.

Enable file uploads in omnichannel conversations

Copilot Studio now supports file uploads for custom agents in omnichannel scenarios. This means users can share images, documents, and other supported file types directly during agent interactions. This enhancement makes conversations more dynamic and context-rich by letting customers provide relevant files like receipts, forms, or photos right in the chat.

By enabling end user file uploads, agents can analyze attachments in real-time and deliver more accurate, personalized responses. This is a critical capability for customer service and contact center scenarios, where exchanging documents or screenshots is often key to resolving issues quickly. The feature also unlocks richer use cases for image analysis and document-based reasoning, improving both response quality and customer satisfaction.

File upload support is enabled by default for omnichannel custom agents, with optional controls available for agent makers to restrict supported file types in the agent manifest. All file types supported by Microsoft 365 Copilot are allowed up to 5MB (unless admins add restrictions).

This update enhances both the maker and end-user experience, and brings a richer more comprehensive level of service for end users relying on the agent for support.

Access external files and data with Model Context Protocol resources

Copilot Studio now supports Model Context Protocol (MCP) resources, expanding what agents can do with existing MCP connections. Makers have been able to use MCP tools to trigger actions and retrieve information. Now with resources support in preview, agents can read external content like files, API responses, or database records directly through MCP. This brings richer, real-time context into every interaction.

MCP resources act as file-like data objects that agents can query and reference during conversations. This allows agents to access customer-specific or system-specific content dynamically, without manual updates or re-training. For example, an agent could read the latest policy document stored in an MCP resource, summarize an uploaded file, or use current data from an API—securely and in context.

This enhancement builds upon the existing MCP integration in Copilot Studio, supporting deeper connections between agents and the systems they support. MCP resources are available now in public preview and are on by default for supported environments.

Measure and improve performance

Measure the return on investment (ROI) for conversational agents

Organizations can now view the ROI of conversational agents in Copilot Studio to calculate how much time and money the agent saves compared to other methods. Already available for autonomous agents, this enhancement, now generally available, gives teams a unified view of how all agent types drive direct business impact.

From the Analytics tab, makers can configure savings settings for each agent. This is where you define how much time or cost is saved per interaction or workflow. Copilot Studio then aggregates these metrics automatically. The resulting ongoing view helps quantify the business value agents deliver through reduced manual effort, faster resolutions, or process efficiencies.

By expanding savings analytics to include conversational agents, Copilot Studio helps organizations evaluate agent performance and impact consistently across their agent portfolio. With this capability, right inside the Analytics tab in Copilot Studio, makers can make data-driven decisions about where to invest and improve.

Analyze user questions by theme

Copilot Studio now helps makers understand agent performance by intelligently and automatically grouping user questions into themes. The themes give you category-level insights into customer intent and frequent topics, with a more manageable number of groups.

In the Themes list, you can see key metrics such as question volume, response rate, and user satisfaction. This at-a-glance overview makes it easier to see which topics your agent handles well and focus on areas where it may need refinement. Makers with the appropriate permissions can also drill down into each theme to review specific user questions, agent responses, and related metrics. This deeper visibility helps identify patterns in user intent, uncover gaps in coverage, and guide targeted improvements to knowledge and content.

The feature is automatically available for agents that use generative answers and have received at least 50 user questions within the past seven days. Once enabled, insights appear directly in the analytics dashboard, no further setup is required.

By organizing user questions into themes, Copilot Studio gives makers a clearer view of what customers are asking for and how effectively agents are responding. This helps the team continuously improve agent responses for their customers by making data backed improvements to their knowledge sources.

Test and debug faster with an improved activity map

Test and troubleshoot Copilot Studio agents faster and more intuitively, thanks to a series of updates to the activity map and testing experience. These enhancements create a more cohesive view of how agents reason over data and user queries to respond. That, in turn, helps makers debug efficiently and refine performance with less context switching.

Makers can now view the transcript and activity details together, eliminating the need to toggle between separate views. This unified view provides a clearer picture of how each session unfolds, drawing from user input through the agent’s reasoning and response generation. The updated layout also lets makers pin sessions, adjust visible columns, and submit feedback on session details directly to Microsoft—improving collaboration and visibility.

It is now easier then ever to navigate activity data, understand the agent’s chain of thought, and connect analytics insights to individual sessions for deeper evaluation. These enhancements are generally available, with continued refinements releasing progressively across environments.

Manage and govern at scale

Control org-wide sharing of agents in Copilot Studio lite

A new admin control in the Microsoft 365 Admin Center, now generally available, gives organizations stronger governance over how agents created in Microsoft 365 Copilot are shared across the tenant. Admins can now restrict or disable organization-wide sharing of agents built in Copilot Studio lite (formerly known as the agent builder). This ability helps prevent oversharing while supporting safe adoption at scale.

From within the Microsoft 365 Admin Center go to Copilot > Settings > Data Access > Agents page, admins can choose who is allowed to share agents with the entire organization: all users (default), no users, or specific users and groups. When you place restrictions on sharing, the “Anyone in your organization” option in the agent-sharing dialog is disabled. Makers can see a tooltip explaining the policy. Existing access remains unchanged, but makers must comply with the defined settings before updating or broadening sharing.

This control helps ensure that agent collaboration aligns with organizational policies and regulatory requirements. This is particularly important for organizations in spaces like finance, healthcare, and government. By bringing this configuration directly into the Microsoft 365 Admin Center, admins can manage agent governance alongside other Microsoft Copilot and AI settings, simplifying oversight and reducing risk.

Stay up to date on all things Copilot Studio  

Check out all the updates live as we ship them, as well as new features releasing in the next few months here: What’s new in Microsoft Copilot Studio. 

To learn more about Microsoft Copilot Studio and how it can transform your organization’s productivity, visit the Copilot Studio website or sign up for our free trial today.

The post What’s new in Copilot Studio: October 2025 appeared first on Microsoft Copilot Blog.

In this edition of our monthly roundup, we’re recapping the most exciting new features recently released in Microsoft Copilot Studio. 

Build richer agent experiences in Copilot Studio 

Automate UI tasks with computer use, now in public preview 

Computer use in Copilot Studio is now available in public preview for United States-based environments, giving agents the ability to operate apps and websites directly. Describe a task in natural language, and the agent completes it with a virtual mouse and keyboard—clicking, typing, and navigating user interfaces (UIs). This expands automation into areas where no API or Model Context Protocol (MCP) connection exists—such as data entry, reporting, or information gathering. 

The public preview adds several key enhancements. A hosted browser powered by Windows 365 makes it simple to automate web tasks without configuring your own machine, while still supporting local software through registered devices. Templates help makers get started quickly with common workflows.  

In addition, credential management allows agents to securely log into sites and apps during runs. While allow-list controls give admins confidence that agents only interact with approved applications and domains. Together, these updates make computer use more secure, resilient, and accessible for enterprise scenarios. 

Because computer use relies on built-in vision and reasoning, agents can adapt when interfaces change. This makes it easier to bring Copilot Studio agents into day-to-day processes where human-style navigation is required. Learn more from the announcement blog and try computer use today in the Tools tab in Copilot Studio. 

Engage customers on WhatsApp, now generally available 

We’re excited to share that the WhatsApp channel for Microsoft Copilot Studio is now generally available. With more than 2.7 billion users worldwide, WhatsApp is the most widely used messaging platform. Now, makers can seamlessly bring their AI agents to where customers already are. 

Copilot Studio is the only enterprise-grade AI agent platform with native WhatsApp deployment. In just a few clicks, makers can launch agents that deliver rich, interactive experiences to customers on WhatsApp. Agents can authenticate users by phone number, exchange messages that include images or attachments, and follow the same compliance and governance frameworks that support Microsoft 365 and Power Platform, giving organizations peace of mind as they scale. 

This capability opens the door for a wide range of scenarios, from customer support and order tracking to appointment scheduling and product recommendations. By meeting customers in a communication channel they already trust, organizations can reduce friction, accelerate time to market, and strengthen customer relationships. 

With WhatsApp now generally available, Copilot Studio helps ensure that organizations can expand their reach and create high-impact customer experiences at enterprise scale. Learn more. 

Test and enrich prompts in the prompt builder 

Now in preview, makers can systematically test and improve Copilot Studio prompts with new prompt evaluations in the prompt builder. Instead of relying on ad hoc manual testing, you can build comprehensive test sets by uploading cases in bulk, generating them automatically, pulling them from real user activity, or writing them manually. Each evaluation can be customized to focus on what matters most for your use case—tone, clarity, keyword matches, or structured output compliance. Results include both high-level accuracy scores and detailed insights per case, giving makers faster iteration cycles and greater confidence that prompts will perform reliably in real-world scenarios. 

The prompt builder also now supports Power Fx formulas directly inside prompts. This lets you enrich your prompts with dynamic inputs such as the current date, text formatting, calculations, or memory table lookups. By combining Power Fx with prompt testing, you can create more context-aware prompts while keeping the authoring experience simple and consistent across Copilot Studio. 

Together, these updates reduce rework, shorten testing cycles, and make it easier to maintain reliable, high-quality prompts. Prompt Evaluations are available today in preview, and Power Fx support is enabled by default. 

Use file groups as knowledge in Copilot Studio agents, now generally available 

Now generally available, makers can organize locally uploaded files into groups and use them as a single knowledge source in Copilot Studio agents. This update helps reduce clutter from long lists of individual files and provides a more structured way to guide agents toward accurate, context-rich responses. 

With file groups, you can combine up to 25 groups per agent, covering as many as 12,000 files. You can also add variable-based instructions to fine-tune how knowledge is applied, giving you more control over which content the agent should prioritize in specific scenarios. 

File groups can be created during upload or from existing files already added to an agent. Once grouped, the files are treated as one knowledge source. (Note: ungrouping is not yet supported so deleting a file group is required to make changes.) 

This capability helps ensure that makers can better organize and scale knowledge within their agents, while providing users with more relevant and precise answers.

Create reusable component collections 

Managing copilots across environments is simpler with the component collection capability, now generally available in Copilot Studio. Makers can package agent components, including topics, knowledge, actions, and entities, into collections that can be reused across agents or moved between environments to support application lifecycle management. 

To make this process straightforward, you can create solutions to export and import agents and their components using the Copilot Studio Solution Explorer. By grouping everything into a solution, makers can move agents and components across environments in a cohesive, structured way. You can also reuse the agent components to augment other agents in the same environment. 

These component collections help teams create a more predictable, consistent approach to managing changes and scaling agents across environments and make creating or augmenting future agents faster than before.

Enable end users to upload files during agent interactions 

Agents built in Copilot Studio can now accept files from users and pass them into downstream systems through agent flows, Microsoft Power Automate, or connectors. This opens the door to richer scenarios where file inputs are central to the process, such as document summarization, data extraction, or validation workflows. Makers can now handle these processes without leaving the Copilot Studio experience. 

With this update, agents can collect both the file and its metadata (including name, content type, and content) and hand it off for downstream processing. This helps streamline end-to-end processes while reducing the need for workarounds or manual steps. 

This enhancement helps ensure that agents can better support real-world business processes, making Copilot Studio a more powerful tool for scenarios where files play a critical role. Learn more about the benefits of file upload for your agents’ users and get started today.  

Extend and customize with advanced tools 

Unlock advanced scenarios with code interpreter, now generally available 

Code interpreter is now generally available in Copilot Studio and Copilot Studio lite (formerly called the Microsoft 365 agent builder), bringing powerful new ways to generate and execute Python code directly within an agent. Makers can use natural language to create Python-based actions, edit the generated code, and save prompts for reuse. At runtime, the agent executes that same code, enabling richer outputs and new possibilities for customization. 

With this general availability release, the prompt builder now supports create, read, update, and delete (CRUD) operations on Dataverse tables. That means makers can use natural language prompts to perform these actions without leaving Copilot Studio. Furthermore, agents can dynamically generate visualizations and extend their responses, improving efficiency and quality of consistent reusable logic.  

Enabling code interpreter is simple and can be done in two ways. Turning it on at the agent level means that every prompt and action within that agent can execute Python. This is ideal for scenarios that require consistent logic across conversations. The other option is enabling code interpreter in the prompt builder (inside your Tools tab) within an agent, which is more lightweight and specific. This is useful for testing or using one-off prompts without impacting the entire agent.  

Get started using code interpreter to generate and execute Python code today.

Integrate Copilot agents into native apps with the Agents Client SDK 

The new Agents Client SDK makes it easy for developers to embed Copilot Studio agents directly into their Android, iOS, and Windows applications. With this integration, end users can interact with agents inside the apps they already use, starting with multimodal conversations through text and adaptive cards. Support for additional modalities, including voice, image, video, and context sharing, are on their way. 

With the SDK, developers can seamlessly extend agents into mobile and desktop environments, enabling richer conversational experiences and unlocking new workflows where customers are most engaged. This creates opportunities to add agent-driven intelligence directly into day-to-day applications, without requiring users to switch contexts. 

Platform-specific documentation and packages are also available for Windows, iOS, and Android. The Agents Client SDKs for text and adaptive card conversations are generally available now.

Create MCP connectors directly in Copilot Studio 

You can now connect MCP servers to Copilot Studio with just a few clicks. This feature, now in public preview, makes it easier than ever to extend your agents by bringing in MCP connectors without the need for manual setup or custom development. 

Makers can simply provide an MCP host URL and Copilot Studio will handle the rest. Within minutes, your MCP servers can be connected and ready to power agent experiences—helping expand the reach of your agents while reducing setup time and complexity. 

This update also introduces support for MCP resources, such as files and images. As the MCP ecosystem continues to evolve, resource support expands the kinds of data and interactions you can bring into your agents, helping you design richer and more flexible experiences. 

By making MCP integration simpler and adding resource support, Copilot Studio helps ensure that makers can focus on building impactful agent experiences while seamlessly tapping into the growing power of the MCP ecosystem. 

These capabilities are on by default, so you can start using them right away to extend your agents with MCP. 

Manage and measure agents at scale 

Manage agent billing with a dedicated environment in Copilot Studio lite 

We’re making it easier to manage agent billing with the introduction of a dedicated environment for Copilot Studio lite (formerly called the agent builder). 

This environment surfaces optional admin-level information around billing and consumption. If your organization has enabled billing for Microsoft 365 Copilot, admins can check message usage directly in the Environments tab, making it simpler to track capacity and stay ahead of demand.

For makers, nothing changes and you can continue creating agents without extra steps. Copilot Studio lite checks for and creates the environment automatically if one does not already exist. The result is a smoother authoring experience for makers and clearer administrative oversight for admins, all aligned with how your organization already manages Microsoft 365 Copilot.

This update helps ensure that admins have the transparency and control they need to manage agent cost controls.

Analyze agent performance and measure impact with new metrics 

Several new analytics capabilities in Copilot Studio give makers and admins deeper visibility into how agents are used, how effective they are, and the value they deliver. 

Themes for generative AI questions in public preview

This feature looks at generative AI questions from the previous week and groups them into suggested themes. The themes show what types of questions customers are asking most and provide a detailed analysis of how well the agent responded. This helps makers quickly identify gaps in coverage and focus improvements where they matter most. This feature is in preview for all customers using generative answers for agents meeting the minimum threshold of 50 weekly questions. 

Insights for unanswered generative AI questions in public preview

Copilot Studio now surfaces themes for unanswered generative AI questions directly in the Analytics dashboard. Makers can quickly spot patterns in what users are asking but not getting answers for, helping them prioritize knowledge updates and reduce coverage gaps with less manual review. 

Agent monthly consumption limits (general availability) 

Analytics now display each agent’s monthly Copilot credits limit (as set in the Power Platform admin center) alongside month-to-date usage. Makers no longer need to switch tools to monitor consumption and can act earlier if an agent is trending toward its limit. 

Active users metric (general availability)

A new view provides visibility into the unique users interacting with an agent. Custom reports include data on daily active users, trend lines over time, and monthly active users. This metric helps teams understand engagement patterns beyond session counts. This data is generally available for agents that are configured for authenticated users.  

ROI analysis for agent runs (general availability)

Makers can now define and track savings for autonomous agent runs segmented by time, money, or both. These can be tracked at either the run or tool level. Results are calculated automatically for the selected analytics period, with settings applied retroactively to past runs. This makes it simple to measure ROI in real time and guide investment decisions with data. 

These various enhancements expand the analytics toolkit, helping teams measure adoption, spot performance issues, and quantify the business value of their Copilot Studio agents. Learn more about analyzing conversational agent effectiveness. 

Upskill with agents 

Build your skills with Copilot Studio Agent Academy 

We’re excited to introduce Copilot Studio Agent Academy: a free, self-paced curriculum designed to help makers and developers build real, useful agents with Microsoft Copilot Studio. 

The curriculum is structured into three progressive levels: Recruit (available now), Operative (coming soon), and Commander (coming early next year). Each level builds on the last, guiding learners from foundational concepts to advanced enterprise deployment. The Recruit module covers how to set up your environment, create your first agent, add topics and generative answers, and publish it to Microsoft Teams. Every module includes guided labs created by the Microsoft Power Platform Advocacy team. 

For experienced makers, Agent Academy is a chance to pick up new tips and tricks, strengthen your best practices, and point your colleagues to an approachable way to get started. With a low barrier to entry and room to grow, the curriculum provides a clear path from first steps to organizational scale. As an added bonus, the first 100 learners to complete Recruit will receive a Credly badge for their agents. 

Your learning journey starts today. Explore Agent Academy and help bring more makers into the Copilot Studio community.

Stay up to date on all things Copilot Studio  

Check out all the updates live as we ship them, as well as new features releasing in the next few months here: What’s new in Microsoft Copilot Studio. 

To learn more about Microsoft Copilot Studio and how it can transform your organization’s productivity, visit the Copilot Studio website or sign up for our free trial today.

The post What’s new in Copilot Studio: September 2025 appeared first on Microsoft Copilot Blog.

This capability enhances security for AI agents by enabling organizations to connect their own monitoring system such as Microsoft Defender as well as security platforms by other providers, or their own custom-built tools. These integrations allow for real-time evaluation and control of agent behavior during runtime.

When connected, the external systems become part of the agent’s decision-making process. They can block unsafe actions, even if the agent plans to execute them. For example, if the external system determines that the agent is planning to send an email that is oversharing information, it can block the email from being sent.

Admins can apply these protections across multiple agents and environments using the Power Platform Admin Center – no code required.

Copilot Studio agents: secure by default

AI agents face unique threats. One major risk is injection of prompts to the agent from an external source (also known as cross prompt injection attacks, or XPIA), where malicious prompts trick agents into leaking data or misusing tools. Copilot Studio includes default protections against both XPIA and user prompt injection attacks (UPIA). These defenses block suspicious prompts in real time, reducing the risk of data loss or unauthorized actions.

However, for organizations with advanced security needs, built-in protections may not be enough. That’s where the real-time protection comes in with an additional layer of defense.

Real-time protection in action

With advanced runtime protection, Copilot Studio calls the connected security system during the agent’s runtime. The system reviews the agent’s planned actions and decides whether to approve or block them. If it detects a threat, it stops the agent immediately and notifies the user. If the action is safe, the agent continues without delay or disruption.

This setup gives organizations stronger control over agent behavior while preserving a smooth user experience. It supports a “bring your own protection” model, allowing integration with:

• Microsoft Defender (available today – learn more)
• Third-party security providers
• Custom-built monitoring tools

This flexibility helps organizations align security for AI agents with internal policies, industry standards, and regional compliance.

Instant alerts, actionable logs

In addition to the ability to block threats before they happen, Copilot Studio creates detailed audit logs for every interaction with the external system. Admins can use these logs to track attempted breaches, identify vulnerable agents, and improve future deployments.

These logs also help evaluate how well the external monitoring system performs. Admins can analyze trends, refine policies, and guide agent creators in building more secure agents. This feedback loop strengthens overall security for AI agents.

How advanced real-time protection works

When a user sends a prompt, the agent formulates a plan to respond. This plan includes the tools and actions it will use. Before the agent begins execution, Copilot Studio sends this plan to the external monitoring system via an API call. The data includes:

• The user’s prompt and chat history
• Tool details and input values
• Metadata like agent ID, user ID, and tenant ID

The external system has one second to respond. If it approves the action, the agent proceeds. If it blocks the action, the agent stops and informs the user. If no response arrives in time, the agent assumes approval and continues.

Setup and management

Admins can configure external monitoring in the Power Platform Admin Center. They can apply settings to one environment, multiple environments, or specific environment groups. Different environments can use different monitoring systems. If needed, admins can disable the integration with a single setting.

Data sharing and compliance

To enable split-second decisions, Copilot Studio shares specific data with the external system. This includes prompts, chat history, tool inputs, and metadata. This data sharing is not customizable. Organizations should only enable the feature if they’re comfortable with the data being shared.

External providers may handle data differently than Microsoft. Some may store or process data outside your region. It’s important to review your provider’s policies and ensure they meet your compliance standards.

Why this feature matters

Advanced security for AI agents is no longer optional. As agents are increasingly equipped with autonomous triggers and take on more complex and sensitive tasks, organizations need real-time oversight. External monitoring gives them the tools to enforce compliance, detect and block threats, and gain visibility – without compromising performance.

This new, groundbreaking capability in Copilot Studio empowers organizations to take control of their AI agent security strategy. It’s a critical step toward safer, more reliable AI deployments.

Next steps

The public preview is rolling out worldwide, with availability to all customers by Wednesday, September 10th. To learn how to get started, visit the Microsoft Learn documentation for advanced real-time protection during agent runtime.

Resources 

• Learn more in the feature’s public documentation
• Link to the developer documentation
• Learn about Microsoft Defender’s solution for agent threat protection 
• Configure the feature in the Power Platform Admin Center PPAC

The post Strengthen agent security with real-time protection in Microsoft Copilot Studio appeared first on Microsoft Copilot Blog.

As AI becomes more sophisticated, so do cyber criminals. Microsoft proactively works to mitigate the top risks associated with AI through a system of integrated controls and capabilities for Copilot and agents. This system includes robust security measures to prevent unauthorized access and AI hijacking (wherein malicious actors attempt to manipulate autonomous agents to perform harmful actions).  

Agents interact with sensitive enterprise data that must be guarded in order to prevent data breaches and exposure. Finally, accountability and control continue to be key topics for customers, who seek transparent decision-making processes that help their teams understand and trust AI-driven outcomes.

At Microsoft Build 2025, we are excited to introduce a series of new releases focusing on three key areas in managed security for Copilot Studio: proactive governance, Secure by Default, and comprehensive visibility. These enhancements aim to boost the security, control, and transparency of your Copilot Studio agents to help ensure a secure environment for all users.

Proactive governance features allow admins to utilize the Power Platform admin center and automation capabilities to facilitate agent adoption. Admins can create a “green zone” for makers to experiment with agents in their personal development environments. Additionally, environment routing enables makers to land in these personal dev environments, while rules in environment groups help control which connectors, sharing scopes, and authentication types makers can use. Pipelines can then certify and transfer finished assets to production, making them accessible to a broader group or the entire company.

Then, for Secure by Default, we’re introducing unique security controls to better protect agents from potential attacks such as cross-prompt injection attacks (XPIA) and Jailbreaks. Lastly, in the space of comprehensive visibility, we’re unveiling new capabilities to simplify tracking adoption and refining controls based on system recommendations. These visibility features help to ensure agents are securely built and operated from the outset.

Proactive governance

We aim to provide more control, with less effort, for admins and Chief Information Security Officers. To achieve this, we’re introducing multiple features and capabilities that are now generally available:

• Federated Identity Credentials (FIC) for agents: Eliminates the need for persisted secrets and certificates, significantly improving the security posture for bot registration in Entra ID
• IT control to block custom agents: Allows administrators to block custom agents on the spot, preventing risky or harmful agents from acting
• Option to disable recording transcripts in Dataverse: Protects end-user session confidentiality by disabling recording transcripts and session downloads
• Customer Managed Encryption Keys (CMK): Customers can now manage their own encryption keys, adding an extra layer of security and control over their data
• Streamlined data loss prevention enforcement: Aligns with other Power Platform products to eliminate the need for PowerShell opt-in for new and existing tenants
• Consent requirement for sharing agents: Reduces the risk of unintentional information sharing by requiring consent when sharing an agent with another maker.
• Environment routing for makers: Enables admins to automatically route makers to dedicated development environments where they can safely experiment and build agents

Additionally, we are offering the following features and capabilities in preview:

• Advanced Connector Policies (ACP): A new rule allowing admins to define exactly which connectors are permitted at the environment group level. ACP gives organizations precise control over data access during all stages of agent, app, and flow development, reducing the risk of sensitive or unmanaged connector usage early in the lifecycle
• Network isolation: Supports IP Firewall and VNET for App Insight and HTTP connectors, enhancing network isolation for Copilot Studio agents
• Delete declarative agents: Allows admins to scrape harmful or unused agents, including any associated files
• Sensitive data masking and audio suppression at runtime: Safeguards sensitive data during agent interactions, helping to ensure compliance with data privacy regulations
• Auto-label Dataverse tables with the Data Map Dataverse Connector: Mitigates risks of oversharing by scanning Dataverse columns and applying Microsoft Purview Information Protection (MIP) sensitivity labels, which help to ensure sensitive data is discovered and protected consistently by triggering encryption, access restrictions, or other policies you have in place
• Protect Dataverse data used in MCS with label inheritance: Carries MIP labels over to custom agent actions and outputs, helping to keep those protections in place wherever the data is used
• Surface MIP labels across MCS: Mitigates risks of oversharing by providing label visibility and inheritance from first party data sources across knowledge and actions for MCS custom agents
• Personalized privacy message configuration: Admins can now configure a personalized privacy message with an editable URL, enhancing user experience and compliance with industry regulations
• Enforced end-user authentication: Admins can require authentication when an agent tries to access or invoke connectors, flows, and actions, which helps prevent oversharing with end users who lack access to the agent’s resources and data
• Microsoft Entra ID authentication requirement: Admins can require Microsoft Entra ID authentication on all agent interactions, significantly reducing the risk of data exfiltration and bolstering the overall security posture. A Power Policy rule is also provided to streamline the configuration process

Secure by Default and Secure by Design

Two of Microsoft’s core security principles are Secure by Default and Secure by Design. Copilot Studio is committed to these principles and has built the following features and capabilities to support this effort:

• Out-of-box cross-prompt injection attack (XPIA) protection (now generally available): Offers real-time monitoring and intervention during the agent’s runtime, ensuring malicious inputs or actions are detected and blocked
• Agent protection status for makers: Increases the sense of security for makers building agents inside Copilot Studio by showing each agent’s threat protection status, required authentication level, and applicable security policies

Comprehensive visibility

Makers and admins need a valuable view of their agents created in Microsoft Copilot Studio. As part of this effort in managed security for Copilot Studio, we are introducing:

• Audit logs for Jailbreak/XPIA events in custom agents: Enables near-real-time monitoring, immediate detection, and rapid response to potential security breaches. This feature, now generally available, helps prevent potential crucial compliance issues and helps administrators understand the context and impact of various events, which creates an environment for better decision-making

All together, these new releases help provide a more secure, controlled, and transparent environment for all users. This is part of the Copilot Control System (CCS), our unified framework of enterprise-grade controls and capabilities designed to help IT administrators and security professionals manage, secure, and analyze the use of Microsoft 365 Copilot, Copilot Studio, and AI agents across an organization—so you can innovate with confidence.

For more Microsoft Build 2025-related updates, read Corporate Vice President Vasu Jakkal’s blog as well.

More ways to stay up to date on all things Copilot Studio

Check out all the updates live as we ship them, as well as new features releasing in the next few months here: What’s new in Microsoft Copilot Studio – Microsoft Copilot Studio | Microsoft Learn

To learn more about Microsoft Copilot Studio and how it can transform your organization’s productivity, visit the Copilot Studio website or sign up for our free trial today.

The post Announcing managed security enhancements for Microsoft Copilot Studio appeared first on Microsoft Copilot Blog.