Onboard Microsoft Copilot Studio to SaaS Agent Security
Onboard Microsoft Copilot Studio to SaaS Agent Security to gain deep visibility and security for your AI-powered Microsoft copilots and apps.
Prerequisites
  • Ensure you configure the Microsoft Copilot Studio SaaS Security Posture Management connector before onboarding Microsoft Copilot Studio to SaaS Agent Security.
  • Ensure you have administrative privileges in the Microsoft Azure portal to register apps and grant API permissions.
  • Ensure you have the System Administrator or Power Platform Administrator role to add app users to the relevant environment.
Onboarding Microsoft Copilot Studio to SaaS Agent Security consists of the following two main steps:
  • Configure Permissions in Microsoft Azure—Create an app registration in your Microsoft Azure Portal to grant Palo Alto Networks® secure, read-only access to your Microsoft Copilot Studio environment.
  • Onboard Microsoft Copilot Studio to SaaS Agent Security—Use the credentials generated during the configuration process to establish the connection between the Palo Alto Networks SaaS Agent Security platform and your Microsoft Copilot Studio environment.
  1. Register a new app in Microsoft Azure.
    1. Log in to Microsoft Azure Portal.
    2. Navigate to or search for App registrations.
    3. Click + New Registrations.
    4. Enter a descriptive Name for the app. For example, PaloAltoNetworks_Agent_Security_Connector.
    5. Click Register.
  2. Configure API permissions for the new app.
    1. From the new app details page, select Manage > API permissions.
    2. Click + Add a permission.
    3. Add the following Microsoft Graph permissions:
      • Application.Read.All
      • AuditLog.Read.All
      • AuditLogsQuery-CRM.Read.All
      • AuditLogsQuery.Read.All
    4. Click Add permissions to save the app API permissions.
    5. The permissions you added require admin consent. On the Configured permissions page, click Grant admin consent for <your-organization>.
    6. In the confirmation page, select Yes to grant admin consent for your organization.
  3. Create a Client Secret for the new app.
    1. From the new app details page, select Manage > Certificates & secrets.
    2. Click + New client secret.
    3. Enter a description (for example, SaaS_Security_Key) and select an expiration period.
    4. Add the Client Secret.
    5. Copy the Client Secret Value and store it in a secure location.
  4. Grant the app access in the Microsoft Power Platform admin center.
    1. Log in to Microsoft Power Platform Admin Center.
    2. Select Manage > Environments and select your Copilot Studio environment.
    3. Select Settings > Users + permissions > Application users and click + New app user.
    4. Click + Add an app and search for the app you created in the previous step.
    5. Select the correct Business unit from the drop-down.
    6. Click the pencil icon next to Security roles and then assign the Service Reader role.
    7. Click Create to save the app access privileges.
  5. Gather the required information to onboard Microsoft Copilot Studio to SaaS Agent Security.
  6. Onboard Microsoft Copilot Studio to SaaS Agent Security.
    1. Log in to Strata Cloud Manager.
    2. Select Configuration > Agent Security.
    3. Select Agent Platform Onboarding and select Microsoft Copilot Studio.
      Click Next to continue.
    4. Click Get Started.
    5. Enter the required credentials for the Microsoft Copilot Studio app.
      • Tenant ID
      • Client ID
      • Client Secret
    6. Enter the Environment URL for the Microsoft Copilot Studio app.
      Click Add Environment to add additional Environment URLs if you have multiple Microsoft Copilot Studio environments you want to monitor with SaaS Agent Security.
    7. Click Next to validate the Microsoft Copilot Studio credentials and environment and complete the onboarding to SaaS Agent Security.
      SaaS Agent Security notifies you when Microsoft Copilot Studio successfully onboards. SaaS Agent Security returns one of the following errors if Microsoft Copilot Studio fails to onboard:
      • Permission Errors during Scan—Verify you entered all credentials correctly and that you granted Admin Consent when you configured the Azure API Permissions.
      • Connection Test Fails—Confirm you assigned the Service Reader role in the Power Platform Admin Center.
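
A pre-flight check for the admin consent granted in step 2 and the Permission Errors during Scan case, added here as an example and not part of the Palo Alto Networks or Microsoft documentation: it decodes the `roles` claim of an app-only Microsoft Graph token and reports permissions that are missing or that go beyond the four listed above. The function names and the sample token builder are constructed for illustration; the Service Reader role from step 4 is assigned in Power Platform and does not appear in this token.

```python
import base64
import json
import urllib.parse
import urllib.request

# Microsoft Graph application permissions listed in step 2 of this page.
EXPECTED_ROLES = {
    "Application.Read.All",
    "AuditLog.Read.All",
    "AuditLogsQuery-CRM.Read.All",
    "AuditLogsQuery.Read.All",
}

def fetch_graph_token(tenant_id, client_id, client_secret):
    """Client-credentials request to the Microsoft identity platform (needs network)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=15) as resp:
        return json.load(resp)["access_token"]

def token_claims(jwt):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_consent(jwt, tenant_id):
    """Compare the token's consented app roles with the four this page requires."""
    claims = token_claims(jwt)
    roles = set(claims.get("roles", []))  # claim is absent when no app role was consented
    return {
        "tenant_matches": claims.get("tid") == tenant_id,
        "missing": sorted(EXPECTED_ROLES - roles),
        "unexpected": sorted(roles - EXPECTED_ROLES),
    }

def make_sample_token(claims):
    """Constructed, unsigned sample token so the check runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```

Against a live tenant, pass the result of `fetch_graph_token(...)` to `check_consent(...)`; an empty `missing` list means admin consent covers all four permissions, and a non-empty `unexpected` list means the registration holds more than the read-only set this page asks for.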