Copilot Studio - Connector failure storm
Copilot Studio Connector Error Storm
Query
AppDependencies
| where AppRoleName == "Microsoft Copilot Studio" or DependencyType == "Connector"
| extend ConvId = tostring(Properties["conversationId"]),
ChannelId = tostring(Properties["channelId"])
| where Success == false
| summarize
Failures = count(),
Connectors = make_set(Name, 25),
Targets = make_set(Target, 25),
ResultCodes = make_set(ResultCode, 25),
FirstFailure = min(TimeGenerated),
LastFailure = max(TimeGenerated)
by ConvId, ChannelId
| where Failures >= 10
| extend AccountName = iff(isempty(ConvId), "unknown-conversation", ConvId)
| project
LastFailure, FirstFailure, AccountName, ConvId, ChannelId,
Failures, Connectors, Targets, ResultCodes
| order by Failures descExplanation
This query is designed to monitor and raise an alert when there is an unusual surge in failed connector or action calls within Microsoft Copilot Studio conversations. Specifically, it triggers an incident if there are 10 or more failures within an hour. This could indicate potential issues such as backend enumeration, credential probing, looping actions, or malicious activity.
Here's a simplified breakdown of the query:
-
Data Source: It reads from the
AppDependenciestable, focusing on entries where theDependencyTypeis "Connector" and theAppRoleNameis "Microsoft Copilot Studio". Only failed calls (Success == false) are considered. -
Data Processing:
- Extracts conversation and channel IDs from the properties.
- Counts the number of failures for each conversation and channel.
- Collects details about the connectors, targets, and result codes involved in the failures.
- Determines the time of the first and last failure.
-
Alert Condition: If a conversation has 10 or more failures, it is flagged.
-
Output: The results are sorted by the number of failures, and key details are projected for further analysis.
-
Incident Creation: If the alert condition is met, an incident is created, grouping alerts by account (conversation ID).
-
Configuration: The alert is set to run every hour and is enabled by default. It is tagged for easy identification and categorized under tactics like Discovery and Impact, with relevant techniques noted.
Overall, this query helps in identifying and responding to potential reliability issues or security threats related to connector failures in Copilot Studio.
Details

David Alonso
Released: June 8, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: PT1H