Copilot Agents User Access
Query
// User Access
CloudAppEvents
| where Application == "Microsoft 365"
| where ActionType == "UpdateTenantSettings"
| extend UserAccessSetting = tostring(parse_json(tostring(RawEventData.Resource)).Property)
| where UserAccessSetting == "EnableCopilotExtensibility"
| extend ForAllUsers = tostring(RawEventData.ForAllUsers)
| extend NewValue = tostring(parse_json(tostring(parse_json(tostring(RawEventData.Resource)).NewValue)))
| extend OriginalValue = tostring(parse_json(tostring(parse_json(tostring(RawEventData.Resource)).OriginalValue)))
| extend RemovedIdentities = parse_json(RawEventData.RemovedIdentities)
| extend AddedIdentities = parse_json(RawEventData.AddedIdentities)
| extend Configuration = "Users who can access Agents"
| extend ConfigurationState = case(
// No Users: was All Users, now explicitly disabled
ForAllUsers == "true" and NewValue == "false", "No Users",
// All Users: enabled for everyone
ForAllUsers == "true" and array_length(AddedIdentities) == 0 and NewValue == "true", "All Users",
// Specific Users or Groups: scoped to identities
ForAllUsers == "false" and array_length(AddedIdentities) > 0, "Specific Users or Groups",
ForAllUsers == "false" and array_length(RemovedIdentities) > 0, "Specific Users or Groups",
"Unknown"
)
| project TimeGenerated, UserAccessSetting, Configuration,ConfigurationState, ForAllUsers, AddedIdentities, RemovedIdentities, OriginalValue, NewValue,AccountDisplayName
| sort by TimeGeneratedAbout this query
Explanation
This KQL (Kusto Query Language) query is designed to track changes in user access settings for Copilot agents within a Microsoft 365 environment. Here's a simplified explanation of what the query does:
-
Data Source: The query pulls data from the
CloudAppEventstable, specifically looking at events related to the "Microsoft 365" application where tenant settings have been updated. -
Focus: It focuses on changes to the "EnableCopilotExtensibility" setting, which controls who in the organization can access and use Copilot agents.
-
User Access Settings:
- All Users: All users in the organization can access agents.
- No Users: No users in the organization can access agents.
- Specific Users/Groups: Only selected users or groups can access agents.
-
Data Processing:
- The query extracts and processes information about the current and previous settings, as well as any users or groups added or removed from access.
- It categorizes the configuration state into "No Users," "All Users," or "Specific Users or Groups" based on the changes detected.
-
Enrichment:
- The query enriches the data by joining with the
IdentityInfotable to get display names for added or removed users/groups. - It ensures that even if no users are added or removed, the data structure remains consistent.
- The query enriches the data by joining with the
-
Output:
- The final output includes the time of the change, the account display name of the person who made the change, the user access setting, the configuration state, and details of any added or removed identities.
- The results are sorted by the time the changes were made.
In summary, this query helps administrators monitor and understand changes to who can access Copilot agents in their organization, providing insights into how access policies are being modified over time.
Details

Alex Verboon
Released: April 20, 2026
Tables
Keywords
Operators