Novo: AIBOM: uma lista de materiais em tempo real de cada agente, ferramenta e conector. Veja como
Docs / Agentes incorporados em SaaS / Microsoft 365 Copilot

Microsoft 365 Copilot

The Microsoft 365 connector discovers your tenant's Copilot deployment and its published agents, imports directory audit activity as MITRITY audit events, and reads tenant security posture — through a read-only Entra (Azure AD) app using application permissions. It never writes to your tenant.

Read SaaS-Embedded Agent Governance first for the connector model; this page covers Microsoft 365 specifics. All connector paths use the generally-available Microsoft Graph v1.0 API.

What it discovers

  • The tenant's Microsoft 365 Copilot deployment as a governed agent.
  • Org-published app-catalog entries — the v1.0 proxy for declarative agents, because Microsoft Graph does not yet expose a stable declarative-agent inventory API.

Requirements

RequirementDetail
LicensingA Microsoft 365 Copilot-licensed tenant for Copilot discovery.
RoleA Global Administrator (or Privileged Role Admin) to grant admin consent.
MITRITY planPro or Enterprise; Owner or Manager role.

Step 1 — Register an Entra app

  1. In the Microsoft Entra admin center → App registrations → New registration, name it (e.g. mitrity-governance) and register. No redirect URI is needed — the connector uses the client-credentials (app-only) flow, not interactive sign-in.
  2. Note the Application (client) ID and the Directory (tenant) ID on the Overview page.
  3. Under Certificates & secrets → New client secret, create a secret and copy its value immediately (it is shown only once). This is the secret MITRITY stores, encrypted.

Step 2 — Grant read-only application permissions

Under API permissions → Add a permission → Microsoft Graph → Application permissions, add the read-only permissions the connector uses, then click Grant admin consent:

PermissionUsed for
AuditLog.Read.AllDirectory audit activity (Observe)
Policy.Read.AllAuthorization policy & security defaults (Posture)
SecurityEvents.Read.AllSecure Score (Posture)
AppCatalog.Read.AllPublished agents / app catalog (Discover)
Directory.Read.AllTenant + Copilot deployment metadata (Discover)

Application permissions require admin consent — until an administrator grants it, the connector cannot read anything. Add only the read permissions above; the connector never needs write scope.

Step 3 — Connect in MITRITY

In Settings → Platforms → Connect a platform, choose Microsoft 365 and provide:

FieldValue
Account / OrganizationYour tenant domain, e.g. acme.onmicrosoft.com
Client secretThe secret value from Step 1
Directory (tenant) IDFrom the app Overview page
Client IDThe Application (client) ID from Step 1

Save, then click Sync now. The connector exchanges the client secret for a short-lived Graph token (scope https://graph.microsoft.com/.default) at sync time and runs Discover → Observe → Posture.

Observe

The connector imports directory audit activity from auditLogs/directoryAudits, advancing a timestamp high-water-mark cursor each sync so it never re-imports the same event. Imported events carry source = m365, are marked observed (recorded, not gated), and flow to the audit log, Insights, and any configured SIEM destination.

Posture

Posture findings are read from authorizationPolicy, security-defaults, and Secure Score. As with every connector, a control that cannot be read is recorded as Unknown rather than OK. See Posture & Security.

Graceful degradation

If the tenant is not Copilot-licensed, or a Graph permission was not consented, the connector records Unknown findings and imports whatever it can rather than failing the sync. Grant the missing permission (and admin consent) and re-sync to fill the gaps.

Governing a discovered agent

Assign a policy to a discovered agent to move it to governed (governance mode Constrained), or suppress it. Microsoft 365-embedded agents are observed, not enforced in-band, in this release — see read-only by design.

Microsoft 365 Copilot — Documentation | MITRITY