Microsoft issues security rules for AI agents that can now send emails and update records

On 30 June 2026 Microsoft published security documentation for AI agents that perform actions rather than only reading files. The guidance covers Microsoft 365 Copilot features such as drafting and sending email, creating documents, and changing calendar entries. It maps controls for risks including tool poisoning through MCP connectors and prompt injection. The advice applies to agents built in Copilot Studio that link to Dataverse, Outlook, and third-party systems. Tenant configuration and licensing still determine which controls are available.
Until now most teams treated Copilot agents as experimental add-ons that only summarised content. The new rules make clear that any agent granted write access must be reviewed against specific attack stages before it touches live data. The shift moves responsibility from Microsoft to the tenant. Teams that have not yet mapped their connectors or set runtime protections now face an explicit list of gaps they must close.
Analysis
Read the attack-stage mapping in the new documentation and list every connector already enabled in your tenant. Turn off any write actions that lack documented controls before someone builds an agent that can act on them.
Pulse published by Collab365 Spaces, reviewed by Helen Jones on . Cite as "Microsoft issues security rules for AI agents that can now send emails and update records", Collab365 Spaces. 1 source referenced.