Microsoft Copilot (Microsoft 365): Copilot extensibility – Developers can use Kiota as an API plugin generation tool
🚨 The Signal: Developers can now use Kiota, Microsoft's OpenAPI-based client generator, together with Teams Toolkit to generate Copilot API plugins from an API's OpenAPI description instead of hand-writing the plugin manifest. Generation removes most of the effort of creating and maintaining a plugin, so expect more plugins, and more complex ones, to reach Copilot.
The Impact
Generated plugins lower the effort of wiring Copilot to an API; without governance, each new plugin is another path by which user prompts reach internal systems and by which those systems' data reaches the model.
- Developers: Generation makes it easy to expose an entire API surface to Copilot; developers must still scope the plugin to the operations Copilot actually needs and handle authentication and returned data with care.
- Security Teams: Each plugin is a new tool the model can invoke on a user's behalf; every plugin that reaches sensitive or write-capable APIs widens the attack surface and needs review before it is published.
- Data Owners: More integrations mean more pathways to their data; each plugin that touches a data set should be reviewed and approved by its owner.
- Compliance Teams: Plugins create new data flows between Copilot and backend APIs that must be captured in risk assessments and compliance attestations.
The Action
- Review and update internal policies for Copilot plugin development and third-party API integration so that generated plugins are covered, not just hand-built ones.
- Establish a formal approval process for all Copilot plugins, with the strictest gate on plugins that access sensitive data or perform write operations.
- Implement security reviews and penetration testing for custom-developed Copilot plugins: check the generated manifest's authentication configuration, the OpenAPI description it was generated from, and the set of operations exposed to the model.
- Educate developers on secure coding practices for API plugins and on data handling within Copilot, including least-privilege scoping of generated plugins.
- Monitor Copilot usage and plugin activity for unusual data access patterns or anomalous behavior, such as a plugin being invoked far more often than its purpose warrants.
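The review step above can be partly automated. The following is an added example, not code from Microsoft, Kiota or Teams Toolkit: a pre-approval lint that takes a plugin manifest and the OpenAPI description it was generated from and reports the things a reviewer would refuse to sign off on. The two manifests and OpenAPI fragments are constructed samples shaped like the Microsoft 365 Copilot API plugin manifest (schema_version v2.1) and a minimal OpenAPI 3 document; the policy the checks encode (every runtime authenticates, spec and server URLs are HTTPS, every write operation carries a confirmation card) is an assumption of this example, as is the mapping of manifest function names to OpenAPI operationIds.

```python
"""Pre-approval lint for a generated Copilot API plugin (added example, not
Microsoft or Kiota code). Field names follow the Copilot API plugin manifest
as the example understands it; the review policy is an assumption."""
from urllib.parse import urlparse

WRITE_VERBS = {"post", "put", "patch", "delete"}
VAULT_AUTH_TYPES = {"OAuthPluginVault", "ApiKeyPluginVault"}

# Constructed sample, as a generator might emit it before any review.
WEAK_MANIFEST = {
    "schema_version": "v2.1",
    "name_for_human": "HR Records",
    "namespace": "hrrecords",
    "functions": [
        {"name": "getEmployee", "description": "Get an employee record by id."},
        {"name": "updateSalary", "description": "Update an employee's salary."},
    ],
    "runtimes": [{
        "type": "OpenApi",
        "auth": {"type": "None"},                      # anonymous calls
        "spec": {"url": "http://hr.internal.example/openapi.yaml"},
        "run_for_functions": ["getEmployee", "updateSalary"],
    }],
}
WEAK_OPENAPI = {
    "servers": [{"url": "http://hr.internal.example"}],
    "components": {},                                  # no securitySchemes
    "paths": {"/employees/{id}": {
        "get": {"operationId": "getEmployee"},
        "patch": {"operationId": "updateSalary"},
    }},
}

# The same plugin after review: vaulted OAuth, HTTPS, confirmation on the write.
HARDENED_MANIFEST = {
    "schema_version": "v2.1",
    "name_for_human": "HR Records",
    "namespace": "hrrecords",
    "functions": [
        {"name": "getEmployee", "description": "Get an employee record by id."},
        {"name": "updateSalary", "description": "Update an employee's salary.",
         "capabilities": {"confirmation": {
             "type": "AdaptiveCard", "title": "Update salary?",
             "body": "Confirm the salary change before it is sent."}}},
    ],
    "runtimes": [{
        "type": "OpenApi",
        "auth": {"type": "OAuthPluginVault", "reference_id": "hr-oauth-registration"},
        "spec": {"url": "openapi.yaml"},               # packaged with the app
        "run_for_functions": ["getEmployee", "updateSalary"],
    }],
}
HARDENED_OPENAPI = {
    "servers": [{"url": "https://hr.internal.example"}],
    "components": {"securitySchemes": {"oauth": {"type": "oauth2", "flows": {}}}},
    "paths": WEAK_OPENAPI["paths"],
}


def operations_by_id(openapi):
    """Map operationId -> HTTP verb for every operation in the description."""
    ops = {}
    for path_item in openapi.get("paths", {}).values():
        for verb, op in path_item.items():
            if verb.lower() in {"get", "post", "put", "patch", "delete", "head", "options"}:
                ops[op.get("operationId")] = verb.lower()
    return ops


def lint_plugin(manifest, openapi):
    """Return the findings a reviewer should clear before approving the plugin."""
    findings = []
    ops = operations_by_id(openapi)
    # Functions that declare a confirmation card (assumed to mark user-confirmed writes).
    confirmed = {f["name"] for f in manifest.get("functions", [])
                 if "confirmation" in f.get("capabilities", {})}
    for rt in manifest.get("runtimes", []):
        auth = rt.get("auth", {})
        kind = auth.get("type", "None")
        if kind == "None":
            findings.append("runtime calls the API without authentication (auth.type None)")
        elif kind in VAULT_AUTH_TYPES and not auth.get("reference_id"):
            findings.append(f"{kind} has no reference_id: secret is not vaulted")
        scheme = urlparse(rt.get("spec", {}).get("url", "")).scheme
        if scheme and scheme != "https":            # relative paths have no scheme
            findings.append("OpenAPI description fetched over plain HTTP")
        for fn in rt.get("run_for_functions", []):
            verb = ops.get(fn)
            if verb is None:
                findings.append(f"function {fn} has no matching operationId")
            elif verb in WRITE_VERBS and fn not in confirmed:
                findings.append(f"write action {fn} ({verb.upper()}) exposed "
                                "to the model without a confirmation card")
    for server in openapi.get("servers", []):
        if urlparse(server.get("url", "")).scheme != "https":
            findings.append(f"API server {server.get('url')} is not HTTPS")
    if not openapi.get("components", {}).get("securitySchemes"):
        findings.append("OpenAPI description declares no securitySchemes")
    return findings


if __name__ == "__main__":
    for label, m, o in (("weak", WEAK_MANIFEST, WEAK_OPENAPI),
                        ("hardened", HARDENED_MANIFEST, HARDENED_OPENAPI)):
        print(label, lint_plugin(m, o) or "no findings")
```

Run against the weak sample the lint reports five findings (anonymous runtime, HTTP spec URL, unconfirmed write action, HTTP server, no security schemes); the hardened sample passes clean. In practice the lint would load the real manifest and OpenAPI files from the Teams Toolkit project and run in CI as a gate on the approval process described above; the write-verb check is deliberately conservative, since a generated plugin inherits every operation in the description unless the developer filters it.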
Domain: Agentic-AI · Impact: high · Workload: Other