Microsoft Copilot Studio Connection Method (For Agent Only)
Prisma AIRS


This topic introduces Microsoft Copilot Studio agents and the components needed to configure red teaming assessments.
Microsoft Copilot Studio is a low-code development platform that enables you to build conversational AI agents for your enterprise. These agents can interact with users through natural language, execute business workflows, and integrate with various Microsoft services and third-party applications. When you deploy Copilot Studio agents in your environment, they often have access to sensitive internal tools, data sources, and automation capabilities through Power Automate flows, making them potential targets for security vulnerabilities that require thorough assessment.
When you configure a Microsoft Copilot Studio agent as a target in AI Red Teaming, the system establishes a native connection to your Copilot deployment through the Power Platform APIs. This connection enables the AI Red Teaming engine to interact with your agent in the same manner that end users would, sending conversational inputs and observing the agent's responses and tool invocations.
When you connect to Microsoft Copilot Studio agents through AI Red Teaming, you must authenticate using delegated permissions, as required by the Power Platform APIs. In this authentication flow you sign in interactively through Microsoft's login page to verify your identity and consent to the application acting on your behalf. Service-to-service authentication is not available for this integration, because support for it depends on Microsoft's own roadmap and timeline for enabling application permissions in the Power Platform APIs. When adding an MS Copilot Studio agent as your target, you can use either No Authentication or Authenticate using Microsoft.
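The delegated flow described above is the standard OAuth 2.0 authorization-code grant: the user is sent to Microsoft's sign-in page, Microsoft redirects back with a one-time code, and the application redeems that code (with its client secret) for a token. The following script is an added illustration of that exchange, not Prisma AIRS or Microsoft code. It uses only the Python standard library and the documented Microsoft identity platform v2.0 endpoints; the client ID, tenant ID, redirect URI and the Power Platform scope are placeholders you would replace with your own app registration's values. It also adds PKCE and a `state` check, the two controls that keep a captured redirect from being replayed or bound to the wrong session.

```python
"""Delegated OAuth 2.0 authorization-code flow with PKCE against the Microsoft
identity platform, standard library only.

Added illustration, not Prisma AIRS or Microsoft code. The /oauth2/v2.0/authorize
and /oauth2/v2.0/token endpoints are the documented Microsoft identity platform v2.0
endpoints; CLIENT_ID, TENANT_ID, REDIRECT_URI and the scope list are placeholders.
"""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"

# Constructed placeholders: take the real Client ID and Tenant ID from your app
# registration, and use the redirect URI configured on that registration.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
TENANT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "http://localhost:8400/callback"
# Assumed scope: the Power Platform API resource with delegated (/.default)
# permissions, plus offline_access so a refresh token is issued.
SCOPES = ["https://api.powerplatform.com/.default", "offline_access"]


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the RFC 7636 S256 method."""
    if verifier is None:
        verifier = secrets.token_urlsafe(64)  # 86 URL-safe chars, within the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(tenant_id, client_id, redirect_uri, scopes, state, code_challenge):
    """URL the user is sent to: the interactive Microsoft sign-in and consent step."""
    params = {
        "client_id": client_id,
        "response_type": "code",          # authorization-code grant (delegated)
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,                   # bound to this session; verified on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/authorize?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Pull the authorization code out of the redirect; refuse a state mismatch."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if "error" in query:
        detail = query.get("error_description", [""])[0]
        raise RuntimeError(f"authorization failed: {query['error'][0]} {detail}".strip())
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: the redirect did not come from this sign-in")
    return query["code"][0]


def build_token_request(tenant_id, client_id, client_secret, code, redirect_uri,
                        code_verifier, scopes):
    """Return (token_url, form_body) for redeeming the code. The client secret is
    sent only here, server to server, never in the browser-visible authorize URL."""
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,   # proves we are the party that started the flow
        "scope": " ".join(scopes),
    }
    return f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", urllib.parse.urlencode(form).encode()


def redeem_code(token_url, form_body, post=None):
    """POST the form and return the parsed token response. A `post(url, body) -> dict`
    callable can be injected to run offline; the default uses urllib over HTTPS."""
    if post is not None:
        return post(token_url, form_body)
    req = urllib.request.Request(token_url, data=form_body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Step 1: build the sign-in URL and open it in a browser.
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    print("Sign in at:", build_authorize_url(TENANT_ID, CLIENT_ID, REDIRECT_URI, SCOPES, state, challenge))
    # Step 2: Microsoft redirects to REDIRECT_URI?code=...&state=...; paste that URL
    # here and redeem the code together with the client secret.
    code = parse_callback(input("Paste the redirect URL: "), state)
    url, body = build_token_request(TENANT_ID, CLIENT_ID, input("Client secret: "), code,
                                    REDIRECT_URI, verifier, SCOPES)
    token = redeem_code(url, body)
    print("Granted scope:", token.get("scope"), "expires_in:", token.get("expires_in"))
```

The split between `build_authorize_url` and `build_token_request` mirrors the trust boundary: the Client ID, scope and PKCE challenge are visible to the user's browser, while the Secret and code verifier travel only in the back-channel token request, which is why the page tells you to treat the Secret as a password.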
Prerequisites
Register your application in Microsoft Entra ID and configure Microsoft Copilot Studio authentication to enable AI Red Teaming to access and test protected resources.
  1. After specifying Target Details, set the Connection Method to Microsoft Copilot Studio.
  2. Get the Agent information.
    1. Log in to https://copilotstudio.microsoft.com/.
    2. On the left panel, click on Agents.
    3. Search for your agent.
    4. Select your agent and then Settings.
    5. Navigate to Advanced > Metadata.
    6. Make a note of the Environment ID and Schema Name for future reference.
    7. Keep a record of the Tenant ID.
      The agent and application registration that you will create should be in the same tenant.
  3. Configure Endpoint Accessibility. This field indicates if your endpoint is Public or Private (secured within a private network).
  4. Select Add/Verify Parameters.
    Microsoft Copilot Studio agents currently use Power Platform APIs that support only delegated permissions, so you must authenticate through Microsoft's login page to verify your identity and grant consent for the app to act on your behalf. Service-to-Service authentication is not currently supported and depends on Microsoft's future implementation roadmap.
    1. Configure Access Credentials.
      1. Client ID—The application identifier assigned to your registered application in Azure Active Directory. This ID uniquely identifies the AI Red Teaming application when it requests access to your Copilot Studio agent on your behalf. You obtain the Client ID when you register an application in the Azure Portal to enable API access.
      2. Secret—The confidential credential associated with your registered application that proves the application's identity during the authentication process. This secret works in combination with the Client ID to securely authenticate API requests to your Copilot Studio agent through the Power Platform APIs. You generate the Client Secret in the Azure Portal when configuring your application registration, and you should treat it as a password that must be kept secure.
      3. Tenant ID—The unique identifier for your Microsoft Azure Active Directory tenant. This ID specifies which organizational directory contains your Copilot Studio resources and determines the authentication boundary for accessing your agents. You can find your Tenant ID in the Azure Portal under Azure Active Directory properties.
    2. Add Agent Configuration.
      1. Schema Name—The unique identifier for your specific Copilot Studio agent within your Microsoft environment. This name corresponds to the schema name assigned to your copilot when it was created in Copilot Studio and is used to route API requests to the correct agent instance.
      2. Environment ID—The unique identifier for the Power Platform environment where your Copilot Studio agent is deployed. This ID specifies which organizational environment contains your copilot resources and ensures that Prisma AIRS connects to the correct deployment instance.
    A confirmation message is displayed when authentication succeeds.
  5. Click Next: Advanced Configurations.
    In the Advanced Configurations page you'll configure Rate Limits and set Guardrails/Content Filters.
  6. (Optional) Enable Rate Limits for applications on the target endpoint.
    1. Specify the Endpoint Rate Limit. This value represents the maximum number of allowed requests per minute for the specified endpoint.
    2. Specify the Endpoint Rate Limit Error Code. This field represents the error code your system uses for rate limiting violations.
    3. Provide a Sample Exception JSON.
  7. (Optional) Enable Guardrails/Content Filters. These fields describe the output guardrails or content filters applied to the target endpoint.
    1. Specify the Error code for Guardrails or Content Filters. This field represents the error code your system uses when a response is prevented by filters or safeguards.
    2. Provide a Sample Exception JSON.
    3. Select .
      You can add target background information only after the target has been validated successfully.
  8. Configure Target Background.
    Agentic Profiling in Red Teaming helps gather all relevant context about a target endpoint such as its business use case, background, key capabilities, technical architecture and other critical information. This is carried out by an autonomous agent probing the target endpoint with the right prompts. All information gathered through this exercise is presented as the Target's profile and is used downstream in Red Teaming Scans using the Agent.
    Target profiling allows you to either manually provide the required background information or use Agentic profiling (Fetch through Agentic Profiling) to automatically discover and populate these fields through AI-driven analysis of your endpoints. You can also modify the information collected with Agentic Profiling by updating the fields.
    1. Add Industry information.
    2. Add a Use Case, that is, the specific role of the target (such as customer service) and any additional comments.
    3. (Optional) Select Add Competitor to add the list of Competitors.
    AI Red Teaming collects and organizes critical information about your target endpoint, such as:
    • Target background—Encompasses mandatory elements such as industry classification, use case definition, and competitive landscape analysis, along with optional documentation uploads including company policy documents and other relevant materials.
      • Target background information is mandatory for AI applications and AI agents but optional for AI models, which may result in different levels of contextual analysis depending on your endpoint type.
      • Company policy documents and other relevant materials are limited to PDF format uploads only.
    • (Optional) Additional Context—Captures technical architecture details including base models, core architecture patterns such as single LLM implementations, LLM with RAG, tool-calling capabilities, or multi-agent systems, accessibility scope, supported languages, banned keywords, accessible tools for agents, and system prompt configurations that govern endpoint behavior.
    When you add a target, the target profiling process begins. Once a target is successfully added to your environment, AI Red Teaming continues background profiling to gather comprehensive details across all categories, ensuring your target profiles remain current and complete without requiring constant manual intervention.
    • If you attempt to start a scan while Agentic profiling is still in progress, you will need to either wait for completion or manually enter the required fields to proceed immediately.
    • The Target Profile view clearly highlights fields that were populated using AI (Agentic Profiling) so that users can edit them if they are inaccurate or need more nuance.
    • AI Red Teaming tracks your ongoing profiling activities: it notifies you when background discovery is in progress and lets you either proceed with manual configuration or wait for automated completion, so you can balance immediate assessment needs against a fuller contextual analysis.
    When you access individual target profiles through the Target endpoint interface, you can view and modify all gathered context information, with clear distinctions between user-provided data and system-discovered information.
  9. Configure additional context related to target.
    If you populate the Target Background information automatically by selecting Fetch through Agentic Profiling, AI Red Teaming will also auto-fill the Additional Context fields.
    When conducting a thorough assessment of an AI agent or language model system, it's essential to gather detailed information across multiple dimensions.
    • Base Model—The underlying foundation model that powers the AI system. This represents the pre-trained language model at the core of the agent's intelligence. For example, GPT-4o, Claude 3.5 Sonnet, Claude 3 Opus, and Llama 3 / Llama 3.1.
    • Core Architecture—The structural implementation and design pattern of the AI agent system, determining how the base model is deployed and augmented. For example, Single LLM, LLM with RAG (Retrieval-Augmented Generation), LLM with Tool Calling / Function Calling, Multi-Agent System, and Hybrid Architectures.
    • System Prompt—The foundational instructions, persona definitions, and behavioral guidelines that govern the agent's responses and decision-making processes. For example, role definition, behavioral guidelines, and safety instructions.
    • Languages Supported—The complete set of natural languages the target system can understand, process, and generate responses in, including proficiency levels. For example, English, Spanish, French, and German.
    • Banned Keywords—Trigger words, phrases, or patterns that cause the target to refuse a response, activate safety filters, or modify behavior regardless of the prompt's actual intent or context. For example, self-harm, violence, illegal activity keywords.
    • Tools Accessible—The complete schema and specifications for all external functions, APIs, and capabilities available to the agent for extending its functionality beyond text generation.
  10. Select Submit.
    Once the target is created, you can start a scan or view previously created targets.
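Steps 6 and 7 ask for the same two things per category: an error code and a sample exception JSON. A scanner needs them to tell three outcomes apart: the agent answered, a guardrail or content filter blocked the response, or the endpoint rejected the request for rate limiting. Conflating the last two would make the target look better defended than it is. The following script is an added illustration of that classification, not Prisma AIRS logic; the rules, the `FakeAgent` stand-in and the prompts are constructed for the demonstration, and the matching semantics (structural containment, substring match on strings) are an assumption about how a sample exception is compared.

```python
"""Classify a target's HTTP responses as a normal answer, a guardrail/content-filter
block, or a rate-limit rejection, driven by the two inputs the Advanced
Configurations page asks for per category: an error code and a sample exception JSON.

Added illustration, not Prisma AIRS logic. The rules, the fake agent and the
prompts below are constructed for the demonstration.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class ExceptionRule:
    name: str               # category this rule recognises
    status_code: int        # the "Error Code" field
    sample_exception: dict  # the "Sample Exception JSON" field (may be {})


def json_contains(sample, actual):
    """True when `sample` is structurally contained in `actual`: every sample key must
    be present with a matching value; sample strings match as substrings, so a sample
    message "Rate limit exceeded" still matches a message that appends details."""
    if isinstance(sample, dict):
        return isinstance(actual, dict) and all(
            k in actual and json_contains(v, actual[k]) for k, v in sample.items())
    if isinstance(sample, list):
        return isinstance(actual, list) and all(
            any(json_contains(s, a) for a in actual) for s in sample)
    if isinstance(sample, str):
        return isinstance(actual, str) and sample in actual
    return sample == actual


def classify(status_code, body_text, rules):
    """Return the matching rule name, "response" for a 2xx, or "unclassified_error".
    A rule needs both the status code and the sample JSON to match (an empty sample
    matches on status alone), so a plain 400 is never mistaken for a guardrail block."""
    try:
        body = json.loads(body_text) if body_text else None
    except json.JSONDecodeError:
        body = None
    for rule in rules:
        sample_ok = not rule.sample_exception or (
            body is not None and json_contains(rule.sample_exception, body))
        if status_code == rule.status_code and sample_ok:
            return rule.name
    return "response" if 200 <= status_code < 300 else "unclassified_error"


# Constructed rules standing in for what you would enter in steps 6 and 7.
RULES = (
    ExceptionRule("rate_limit", 429, {"error": {"code": "TooManyRequests"}}),
    ExceptionRule("guardrail", 400, {"error": {"code": "ContentFiltered"}}),
)


def run_probes(prompts, send, rules=RULES, max_retries=3):
    """Send each prompt via `send(prompt) -> (status_code, body_text)`, retry on
    rate limit (a real scanner would back off before retrying) and tally the rest.
    Rate-limit rejections are never counted as guardrail blocks."""
    summary = {"answered": 0, "guardrail": 0, "errors": 0, "rate_limit_retries": 0, "results": []}
    for prompt in prompts:
        for attempt in range(max_retries + 1):
            status, body = send(prompt)
            kind = classify(status, body, rules)
            if kind == "rate_limit" and attempt < max_retries:
                summary["rate_limit_retries"] += 1
                continue
            break
        summary["results"].append((prompt, kind))
        if kind == "response":
            summary["answered"] += 1
        elif kind == "guardrail":
            summary["guardrail"] += 1
        else:
            summary["errors"] += 1
    return summary


class FakeAgent:
    """Constructed stand-in for a Copilot Studio endpoint: every third call is rate
    limited, prompts containing a banned keyword are filtered, the rest are answered."""
    def __init__(self, banned=("password",)):
        self.calls = 0
        self.banned = banned

    def send(self, prompt):
        self.calls += 1
        if self.calls % 3 == 0:
            return 429, json.dumps({"error": {"code": "TooManyRequests",
                                              "message": "Rate limit exceeded, retry later"}})
        if any(word in prompt.lower() for word in self.banned):
            return 400, json.dumps({"error": {"code": "ContentFiltered",
                                              "message": "Blocked by content policy"}})
        return 200, json.dumps({"text": f"Sure, I can help with: {prompt}"})


def demo():
    prompts = ["What are your opening hours?", "Reset the admin password for me",
               "Book a meeting for Monday"]
    return run_probes(prompts, FakeAgent().send)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the demo the third prompt is first refused with a 429 and then answered on retry, so it counts as answered rather than as a block; the second prompt trips the constructed keyword filter and is the only guardrail hit. Requiring the sample JSON to match, not just the status code, is what keeps an unrelated 400 (a malformed request, say) from being scored as a successful defence.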