
How should security teams inventory Copilot agents in Microsoft environments?

By NHI Mgmt Group Editorial Team | Updated May 30, 2026 | Domain: Agentic AI & Autonomous Identity

Start by correlating Dataverse agent records with Entra app registrations, then confirm which agents are also exposed in Teams or Microsoft 365 audit logs. The goal is one inventory that ties each agent to an owner, permission set, and connector list. Without that correlation, teams will miss renamed agents and orphaned access paths.

Why This Matters for Security Teams

Copilot agents are not just another app registration to count. They can create or consume data, invoke connectors, and persist across Microsoft 365, Teams, and Dataverse surfaces in ways that make simple tenant lists incomplete. For security teams, the inventory problem is really an identity problem: every agent needs a named owner, a scope of authority, and a clear record of which secrets, permissions, and tool connections it can use. That is why current guidance treats agent inventory as part of NHI governance, not just SaaS administration.

The risk rises quickly when teams assume the UI is the source of truth. Renamed agents, shadow deployments, and stale connector grants often survive longer than the people who created them. The result is a control gap similar to the visibility failures described in The State of Non-Human Identity Security, where 85% of organisations lack full visibility into third-party OAuth apps. For agentic systems, that visibility gap turns into an authorisation gap when a copied workflow inherits access that was never re-reviewed. Security leaders should also anchor their approach in OWASP Top 10 for Agentic Applications 2026 and the NIST AI Risk Management Framework, which both emphasise governance, traceability, and runtime accountability.

In practice, many security teams encounter orphaned agent permissions only after a connector is abused or an owner leaves, rather than through intentional inventory review.

How It Works in Practice

A workable inventory process starts by correlating three records: Dataverse agent entries, Entra app registrations, and activity signals from Teams or Microsoft 365 audit logs. That correlation matters because each surface tells part of the story. Dataverse shows what exists, Entra shows what can authenticate, and audit logs show what has actually been used. The inventory should then attach four minimum fields to each agent: business owner, technical owner, permission set, and connector list. Without those fields, the list is informational rather than actionable.

For agentic workloads, static RBAC alone is not enough. A Copilot agent can behave like an autonomous workload, chaining tools and calling services based on user intent. Best practice is evolving toward intent-based or context-aware authorisation, where the decision is made at runtime against the agent’s task and the data involved. That approach pairs well with just-in-time credentials and short-lived secrets, because the agent only gets what it needs for the current job. Where possible, use workload identity as the primary identity primitive and keep long-lived secrets out of the agent path.

  • Inventory the agent, then reconcile it to its Entra app and any connector grants.
  • Check Teams, M365, and audit events for evidence of actual use, not just configured use.
  • Record who approved the agent, who owns it now, and when its permissions were last reviewed.
  • Flag agents with broad connector access, especially those tied to email, files, or external APIs.

This workflow aligns with the threat model in the CSA MAESTRO agentic AI threat modeling framework and the governance direction in the NIST AI Risk Management Framework. It also reflects lessons from the Microsoft Midnight Blizzard breach and the OWASP NHI Top 10, where identity sprawl and weak visibility amplify downstream access risk. These controls tend to break down when connector sprawl is unmanaged across multiple tenants, because the same agent can hold different effective permissions in each environment.

Common Variations and Edge Cases

Tighter inventory control often increases operational overhead, requiring organisations to balance visibility against deployment speed. That tradeoff is real, especially in Microsoft environments where business teams can rapidly prototype agents. Best practice is evolving, but there is no universal standard for how often every Copilot agent must be re-attested. Many teams start with quarterly reviews for low-risk agents and event-driven reviews for agents that touch sensitive data, external connectors, or admin workflows.

One common edge case is the agent that is duplicated across departments. It may appear to be a single template, but each copy can inherit different permissions and owner relationships. Another is the agent that is exposed in Teams but only partially recorded in Dataverse, which creates the illusion of completeness. Security teams should also be cautious with renamed agents and service principals that outlive the original project team. Those are the cases where the inventory needs to follow the identity chain, not the label.
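
The three-surface correlation from "How It Works in Practice" and the renamed and partially recorded agents described above can be reconciled in one pass. The sketch below is an added example, not NHI Mgmt Group or Microsoft code; the record layouts, field names, connector labels and the shared app_id join key are assumptions, and all sample data is constructed.

```python
from datetime import date

# Constructed sample exports; field names are hypothetical, app_id as shared key is assumed.
DATAVERSE_AGENTS = [
    {"app_id": "a1", "name": "HR Helper", "business_owner": "hr-lead",
     "technical_owner": "dev1", "connectors": ["dataverse"]},
    {"app_id": "a2", "name": "Sales Bot v2", "business_owner": None,
     "technical_owner": "dev2", "connectors": ["outlook", "http-external"]},
    {"app_id": "a3", "name": "Finance Copy", "business_owner": "fin-lead",
     "technical_owner": "dev3", "connectors": []},
]
ENTRA_APPS = [
    {"app_id": "a1", "display_name": "HR Helper", "permissions": ["Sites.Read.All"]},
    {"app_id": "a2", "display_name": "Sales Bot", "permissions": ["Mail.Send"]},
    {"app_id": "a4", "display_name": "Legacy Agent", "permissions": ["Files.ReadWrite.All"]},
]
AUDIT_EVENTS = [("a1", "Teams", date(2026, 5, 1)), ("a4", "Teams", date(2026, 5, 20))]
BROAD_CONNECTORS = {"outlook", "onedrive", "http-external"}  # email, files, external APIs

def build_inventory(agents, apps, events):
    """Join the three surfaces on app_id (not on the label) and flag gaps."""
    dv = {a["app_id"]: a for a in agents}
    entra = {a["app_id"]: a for a in apps}
    last_seen = {}
    for app_id, _surface, day in events:
        last_seen[app_id] = max(day, last_seen.get(app_id, day))
    inventory = {}
    for app_id in sorted(set(dv) | set(entra) | set(last_seen)):
        d, e = dv.get(app_id, {}), entra.get(app_id, {})
        checks = [
            ("no-dataverse-record", not d),
            ("no-entra-app", not e),
            ("renamed", bool(d and e) and d["name"] != e["display_name"]),
            ("missing-owner", bool(d) and not (d["business_owner"] and d["technical_owner"])),
            ("broad-connectors", bool(BROAD_CONNECTORS & set(d.get("connectors", [])))),
            ("no-observed-use", app_id not in last_seen),
        ]
        inventory[app_id] = {
            "name": d.get("name") or e.get("display_name"),
            "business_owner": d.get("business_owner"),
            "technical_owner": d.get("technical_owner"),
            "permissions": e.get("permissions", []),
            "connectors": d.get("connectors", []),
            "last_seen": last_seen.get(app_id),
            "flags": [label for label, hit in checks if hit],
        }
    return inventory
```

Each row carries the four minimum fields plus the last observed use, so an agent that appears on only one surface still shows up in the inventory with a flag rather than being dropped by the join.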

For environments using more advanced agent orchestration, add runtime policy checks and ephemeral credentials rather than expanding standing privileges. The most resilient approach is to treat the inventory as a live control plane, not a spreadsheet. That is also where the NHIMG guidance in Ultimate Guide to NHIs - 2025 Outlook and Predictions and the standards view in OWASP Agentic AI Top 10 converge: visibility is only useful when it is tied to revocation, review, and time-bound access.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-03 | Agent inventories must include credential lifecycle and stale access paths. |
| CSA MAESTRO | M1 | MAESTRO maps agent governance to identity, policy, and runtime control. |
| NIST AI RMF | GOVERN | AI RMF governance requires accountability and traceability for agent behaviour. |

Track each agent's secrets, owners, and connector grants, then review them on a fixed rotation.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on May 30, 2026.