baref00t.io

Copilot Agent Inventory & Governance Audit

Your users have built agents in Copilot Studio. You probably don’t know which ones, what tools they can call, or whether Microsoft has flagged any of them. This audit reads Microsoft’s Entra Agent ID API to inventory every autonomous agent in your tenant, calls discoverCopilotTools to surface every MCP tool your agents can invoke, and risk-classifies each tool (admin Graph, computer use, external services, file system) so you know which surfaces deserve scrutiny. Connect a Copilot-licensed probe account (a single read-only sign-in, shared with the Red-Team Probe) and the audit also pulls Microsoft’s Copilot Package Management catalogue — third-party Office add-ins and Teams apps with Copilot extensibility — for per-package publisher trust, deployment scope, and block-hygiene scoring. Microsoft documents that endpoint as delegated-only, which is exactly what the probe-account connection provides.

One-off
$859

Single report, no commitment.

Monthly
$99/month

Continuous monitoring — fresh report every 30 days.

Available in AUD, USD, GBP, EUR, SGD. MSP partners get volume discounts via the partner programme.

What it scores

AG1

Inventory Coverage

Entra Agent IDs registered in your tenant: count, enabled vs disabled, Microsoft kill-switch state. Per-agent display name + creator (Copilot Studio etc.).

AG2

Publisher Trust

Microsoft-published vs customer-authored ratio. Detects which agents your tenant built vs which inherited from Microsoft. (Third-party Office add-in trust scoring lands with Package Management.)

AG3

Element Risk

Copilot tool inventory (MCP servers): admin Graph, computer use, external services (Salesforce, web search), file system access. Each tool risk-graded LOW / MEDIUM / HIGH so high-blast-radius tools are named in the verdict.

AG4

Deployment Scope

Org-wide vs targeted reach. Currently surfaces Entra Agent ID account status; the org-wide/targeted distribution split lands with Package Management.

AG5

Ownership Hygiene

Orphaned agents (owner left org), Microsoft-disabled agents, agent creator audit trail. (Package owner reassignment cadence ships with Package Management.)

AG6

Block Hygiene

Microsoft-disabled status across the agent identity surface. (Tenant-admin block hygiene for Package Management entries ships with Package Management.)

Microsoft APIs

  • Microsoft Entra Agent ID API (`/servicePrincipals/microsoft.graph.agentIdentity`) — app-only
  • Copilot Tools discovery (`/agents/discoverCopilotTools()`) — app-only
  • Copilot Package Management API — pending delegated probe-user flow

Customer prerequisites

  • Microsoft Agent 365 licence on customer tenant (detected via subscribedSkus; named in the verdict)
  • AgentIdentity.Read.All scope (admin-consented)
  • CopilotPackages.Read.All scope (reserved — activates once the delegated probe-user flow ships)