Description
An XrmToolBox plugin to audit, secure, and validate Microsoft Copilot Studio agents across Power Platform / Dataverse environments.
Features:
- Dashboard: KPI cards (incl. Dormant/Orphaned) and risk-ranked agent table with health colour coding; one-click Governance Report export
- Agent Inventory: Full agent list with filter, owner info, auth mode, solution membership, and expandable bot components
- Security Scanner: Automated 0-100 security score mapped to Microsoft's Top 10 Copilot Studio agent security risks (SEC-01 No Auth, SEC-03 HTTP Actions, SEC-04 Email Exfiltration, SEC-05 Orphaned Owner, SEC-06 Maker Auth, SEC-07 Not in Solution, SEC-08 MCP/Custom Tools, SEC-10 Hardcoded Secrets) with per-issue remediation steps
- Sharing & Access: Audit who each agent is shared with (users/teams) and at what access level; flags broadly-shared agents
- Knowledge Sources: Inventory of grounding sources; flags public-website grounding and inactive knowledge components
- Adoption & Lifecycle: Flags dormant and orphaned agents using owner/edit-age signals plus real conversation usage when available
- Deployment Readiness: Four pre-deployment checks (DEP-01 through DEP-04) with optional target-org verification
- ALM Diff: Side-by-side bot component comparison across two environments (Match / Content Differs / Missing in Target / Only in Target)
- ALM & Dependencies: Per-agent solution membership and forward dependency map (connection references, environment variables, cloud flows, knowledge targets, MCP tools) with ALM transport risk flags (orphaned/Default-only agents, unpackaged or unconfigured dependencies)
- Governance Report: Self-contained HTML report aggregating all findings with a Microsoft Top-10 scorecard
Read-only - never writes to your environment. Requires Dataverse online with Copilot Studio enabled.
Latest version release notes
1.2.0 - New "ALM & Dependencies" tab. Maps each agent's solution membership (managed/unmanaged, Default-only orphans) and forward dependency graph using the Dataverse RetrieveRequiredComponents API plus content analysis: connection references, environment variables, cloud flows, knowledge-source targets, and MCP/custom tools. Flags ALM transport risks ALM-01 through ALM-08 (not in a solution, orphaned in Default, dependencies not packaged with the agent, unconfigured connection references, environment variables without values, cloud flow not co-packaged, external grounding targets, managed-only). Adds a "Not ALM-deployable" KPI and an ALM section to the Governance Report. Read-only.
1.1.0 - Major feature release. New tabs: Sharing & Access audit, Knowledge Sources inventory, and Adoption & Lifecycle (dormant/orphaned-agent analytics). Security Scanner expanded to Microsoft's Top 10 Copilot Studio agent security risks: added SEC-04 (email exfiltration), SEC-06 (maker authentication), SEC-08 (MCP/custom tools), SEC-10 (hardcoded secrets), and hardened SEC-03 (insecure HTTP). New one-click Governance Report (HTML) export from the Dashboard, plus a Dormant/Orphaned KPI card.
1.0.8 - Use real XrmToolBox dependency version 1.2023.10.67 (1.2024.9.69 didn't exist on nuget.org which caused xrmtoolbox.com validator to reject as "version dependency missing")
1.0.7 - Wrap XrmToolBox dependency in
with range version
1.0.6 - Switched to iconUrl and removed NuGet 5+ features (icon/license/readme elements) to fix xrmtoolbox.com validator dependency format
1.0.5 - Updated nuspec to 2013 schema; DLL target net472
1.0.4 - Fixed DLL target path to lib\net452\Plugins
1.0.3 - Fixed NuGet dependency ID to XrmToolBox
1.0.2 - Flattened NuGet dependency format
1.0.1 - Added 128x128 icon; fixed license expression and readme in package
1.0.0 - Initial release: Dashboard, Agent Inventory, Security Scanner, Deployment Readiness, ALM Diff
Versions
| Version |
Release date |
Number of downloads |
Rating |
| 1.2.0 |
6/16/2026 4:48:58 AM |
0 |
0 |
| 1.0.8 |
6/15/2026 6:25:38 PM |
0 |
0 |
Ratings
Latest version
Other versions
No feedback.
