Query Details

Copilot Agents Allowed Agent Types

Query

# Copilot - Agents - Allowed Agent Types

![KQL](https://img.shields.io/badge/language-KQL-blue.svg)
![Status: Testing](https://img.shields.io/badge/status-testing-blue.svg)

## Query Information

### Description

Retrieves changes to the Copilot agent setting "Allowed agent types".

The Allowed agent types setting controls which types of agents users can view and install from the agent catalog. You can select from the following options:

- Allow apps and agents built by Microsoft - Enables users to install agents created by Microsoft.
- Allow apps and agents built by your organization - Enables users to install custom agents developed within your tenant.
- Allow apps and agents built by external publishers - Enables users to install non-Microsoft agents built by external developers.

If you disable an option, agents of that type don't appear for users in the Agent store. The exception is agents built by Microsoft, which remain visible to users even if the setting is disabled, although users aren't able to install them.

#### References

- [Agent settings in Microsoft 365 admin center](https://learn.microsoft.com/en-us/microsoft-365/admin/manage/agent-settings?view=o365-worldwide)

### Author

- **Alex Verboon**

## Defender XDR

Agent Settings - Allowed Agent Types

```kql
CloudAppEvents
| where Application == "Microsoft 365"
| where ActionType == "UpdateTenantSettings"
| extend AgentTypeSetting = tostring(parse_json(tostring(RawEventData.Resource)).Property)
| where AgentTypeSetting in ("AllowFirstParty","AllowThirdParty","AllowLOB")
| extend NewValue = tostring(parse_json(tostring(parse_json(tostring(RawEventData.Resource)).NewValue)))
| extend OriginalValue = tostring(parse_json(tostring(parse_json(tostring(RawEventData.Resource)).OriginalValue)))
| extend Configuration = case(
    AgentTypeSetting == "AllowFirstParty", "Allow Apps and Agents built by Microsoft",
    AgentTypeSetting == "AllowThirdParty", "Allow Apps and Agents built by external publishers",
    AgentTypeSetting == "AllowLOB",        "Allow Apps and Agents built by your organization",
    "Unknown"
)
| extend ConfigurationState = case(
    NewValue == "True",  "Enabled",
    NewValue == "False", "Disabled",
    "Unknown"
)
| project TimeGenerated, AgentTypeSetting, Configuration, ConfigurationState, AccountDisplayName
| sort by TimeGenerated
```

Explanation

This KQL query is designed to track changes in the settings for allowed agent types within Microsoft 365. It focuses on the configurations that determine which types of agents users can view and install from the agent catalog. Here's a simple breakdown of what the query does:

1. Data Source: It pulls data from CloudAppEvents related to the "Microsoft 365" application.
2. Action Filter: It specifically looks for events where the action type is "UpdateTenantSettings", indicating changes to tenant settings.
3. Agent Type Settings: The query extracts the specific agent type setting that was changed. It identifies three types of agent settings:
   - "AllowFirstParty": Agents built by Microsoft.
   - "AllowThirdParty": Agents built by external publishers.
   - "AllowLOB": Agents built by your organization.
4. Value Extraction: It retrieves the new and original values of these settings to determine if they were enabled or disabled.
5. Configuration Mapping: The query maps the agent type settings to more descriptive labels:
   - "Allow Apps and Agents built by Microsoft"
   - "Allow Apps and Agents built by external publishers"
   - "Allow Apps and Agents built by your organization"
6. State Determination: It determines whether each configuration is currently enabled or disabled based on the new value.
7. Output: The query outputs the time of the change, the type of agent setting, the descriptive configuration, its current state (enabled or disabled), and the account name of the person who made the change.
8. Sorting: Finally, the results are sorted by the time the change was generated.

This query helps administrators monitor and audit changes to agent installation permissions within their Microsoft 365 environment.
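The following is an added example, not part of the author's query: it runs the same filter over constructed sample rows and also reports the direction of each change, so a review can separate settings that were opened up from ones that were tightened. The sample rows, the assumed `Resource` layout, and the `ChangeDirection` labels are introduced here for illustration.

```kql
// Added example. Rows are constructed, not real tenant data. The Resource layout
// (Property, OriginalValue, NewValue) is assumed from the fields the query reads.
let SampleEvents = datatable(TimeGenerated:datetime, Application:string, ActionType:string,
                             AccountDisplayName:string, RawEventData:dynamic)
[
    datetime(2026-04-20 09:00:00), "Microsoft 365", "UpdateTenantSettings", "Constructed Admin A",
        dynamic({"Resource":{"Property":"AllowThirdParty","OriginalValue":"False","NewValue":"True"}}),
    datetime(2026-04-20 09:05:00), "Microsoft 365", "UpdateTenantSettings", "Constructed Admin B",
        dynamic({"Resource":{"Property":"AllowLOB","OriginalValue":"True","NewValue":"False"}}),
    // A tenant setting outside the three agent types; the filter below drops it
    datetime(2026-04-20 09:10:00), "Microsoft 365", "UpdateTenantSettings", "Constructed Admin A",
        dynamic({"Resource":{"Property":"SomeOtherSetting","OriginalValue":"False","NewValue":"True"}})
];
SampleEvents   // replace with CloudAppEvents to run against live data
| where Application == "Microsoft 365"
| where ActionType == "UpdateTenantSettings"
// Parse Resource once, then read its fields
| extend Resource = parse_json(tostring(RawEventData.Resource))
| extend AgentTypeSetting = tostring(Resource.Property)
| where AgentTypeSetting in ("AllowFirstParty", "AllowThirdParty", "AllowLOB")
| extend OriginalValue = tostring(Resource.OriginalValue),
         NewValue      = tostring(Resource.NewValue)
// ChangeDirection is a label introduced for this example
| extend ChangeDirection = case(
    OriginalValue =~ "False" and NewValue =~ "True",  "Widened",
    OriginalValue =~ "True"  and NewValue =~ "False", "Restricted",
    "Unchanged or unknown"
)
| project TimeGenerated, AgentTypeSetting, OriginalValue, NewValue, ChangeDirection, AccountDisplayName
| sort by TimeGenerated desc
```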

Details

Alex Verboon

Released: April 20, 2026

Tables

CloudAppEvents

Keywords

CloudAppEvents, Microsoft365, UpdateTenantSettings, AgentTypeSetting, RawEventData, Resource, NewValue, OriginalValue, Configuration, ConfigurationState, TimeGenerated, AccountDisplayName

Operators

CloudAppEvents, where, extend, tostring, parse_json, in, case, project, sort by