Why the same tools making your business more efficient could be exposing your data

When you focus on Microsoft automation security, you quickly realise that embracing tools like Power Automate or Copilot to streamline your operations is a sensible decision, but only if handled correctly. These tools genuinely transform how small and medium-sized businesses work.

However, there is something you need to know: the very features that make these tools powerful also create security risks that most SMEs are not equipped to manage. The consequences of getting it wrong can be severe. I am not trying to alarm you; I am trying to make sure you have the information you need to protect your business.

What is Actually Happening inside Power Platform?

Here is the situation in plain terms.

Power Automate allows you to create workflows that are triggered by external requests. These are called HTTP triggers. When you set one up, Microsoft creates a web address (an endpoint) that anyone with the right URL can call. Think of it like giving someone a direct phone line to a specific department in your company. It is useful for legitimate integrations, but potentially dangerous if the wrong person gets the number.

Copilot agents can connect to your emails, calendar, SharePoint files, and other Microsoft 365 data through something called MCP (Model Context Protocol) servers. This is how Copilot can read your emails and summarise them, or find documents you have been working on.

The problem arises when these capabilities are combined without proper Microsoft automation security controls. An external system, even a simple automated script, could potentially:

  1. Call an exposed Power Automate endpoint
  2. Trigger a workflow that accesses your business data
  3. Retrieve information from emails, documents, or other systems
  4. Send that data elsewhere

This is not theoretical. Security researchers have demonstrated these attack patterns, and Microsoft’s Security Response Center has had to patch several related vulnerabilities this year.

Why SMEs Need Better Microsoft Automation Security

Large enterprises typically have dedicated security teams who review every automation before it goes live. They implement governance frameworks, data loss prevention policies, and continuous monitoring. Most Manchester SMEs do not have that luxury.

If you are running a business with 15 to 80 staff, you probably fall into one of these categories:

Scenario A: You have an IT person (or a small IT team) who manages everything from laptops to the phone system. They are talented and hardworking, but Microsoft automation security is not their speciality. They have enabled the tools because they are useful, but have not had time to implement comprehensive controls.

Scenario B: You rely on an external IT provider who manages your infrastructure. They are good at keeping things running, but they may not have deep expertise in Power Platform governance. The default settings are “good enough” until they are not.

Scenario C: A keen team member has started building automations using Power Automate because they have discovered it can save hours of manual work. Brilliant initiative, but no one has reviewed the security implications of what they have created.

Sound familiar?

Real Risks, Real Consequences

Let me give you some concrete scenarios to illustrate why this matters.

The Orphaned Automation

A developer creates a Power Automate flow with an HTTP trigger for a specific integration project. They use their own Microsoft 365 account to set up the connections. The project finishes, the developer moves on to another role, and the flow sits there, forgotten.

That flow still works. It still has access to whatever the developer’s account had access to. The endpoint URL might be sitting in documentation, a shared folder, or worse, a public code repository. Anyone who finds it can trigger the automation and potentially access data.

The Overly Helpful AI Assistant

A Copilot agent is deployed to help staff search through company emails and documents. To make it “work properly,” it is given broad access to mailboxes and SharePoint. Someone sends a carefully crafted email to an employee; it looks normal enough to receive, but contains hidden instructions that the AI agent picks up and acts on.

This is not science fiction. The “EchoLeak” vulnerability disclosed earlier this year (see the NCSC Weekly Threat Report for similar context) showed exactly this kind of attack working against Microsoft 365 Copilot.

The Convenience Configuration

An administrator sets up a Power Automate flow to accept requests from a partner system. To avoid authentication headaches, they configure it to accept requests from anyone, planning to “tighten it up later.” Later never comes. The endpoint is effectively public, protected only by the obscurity of its URL, which provides no real security at all.

Implementing Robust Microsoft Automation Security: What You Should Ask

If you are responsible for your organisation’s technology, here are the questions you should be able to answer:

  1. How many Power Automate flows in our organisation use HTTP triggers? If you do not know, that is your first problem.
  2. What authentication is required to trigger those flows? The answer should be specific, not “Microsoft handles it” or “it’s secure.”
  3. Do we have Data Loss Prevention (DLP) policies controlling which connectors can be used together? If you have not explicitly configured DLP policies, you are running on defaults that may not suit your risk profile.
  4. When did we last review the permissions our Copilot agents have? If the answer is “never” or “when we set them up,” that is a concern.
  5. What happens when someone who created automations leaves the company? There should be a documented process.

If you cannot answer these questions confidently, you have work to do on your Microsoft automation security strategy.

What Good Looks Like

Proper Power Platform security do not require massive investment or enterprise-grade complexity. It requires attention and appropriate controls. Here is what it looks like for a typical Manchester SME:

Visibility: You know what automations exist, who created them, and what they can access. You have a register of HTTP-triggered flows and review it regularly.

Authentication: Every HTTP-triggered flow requires proper authentication; Microsoft Entra ID (Azure AD) tokens from specific users or service accounts, not just “anyone with the URL.”

Boundaries: Data Loss Prevention policies prevent accidental data exposure. The HTTP connector is not freely available for anyone to use in any environment.

Monitoring: You receive alerts when new HTTP-triggered flows are created or when unusual activity occurs. You do not rely on noticing problems by accident.

Lifecycle Management: When someone leaves, their flows are reviewed, transferred, or disabled. Nothing gets orphaned.

The Uncomfortable Truth

The uncomfortable truth is this: Microsoft provides powerful tools and expects organisations to implement appropriate governance. The documentation exists. The controls exist. But configuring them properly requires expertise that many SMEs do not have in-house.

This is exactly why businesses like yours need specialist help with Microsoft automation security. Not to do everything for you indefinitely, but to:

  • Assess your current exposure
  • Implement appropriate controls
  • Train your team on what “good” looks like
  • Provide ongoing guidance as the platform evolves

The alternative, hoping nothing goes wrong, is a gamble with your business data, your client confidentiality, and potentially your regulatory compliance.

Taking Action on Microsoft Automation Security

If this article has raised concerns about your security setup, here is what I would suggest:

This week: Ask your IT team or provider whether they can answer the five questions above. Their response will tell you a lot about your current position.

This month: Request an audit of your HTTP-triggered Power Automate flows. Even a basic inventory is better than not knowing what exists.

Before your next board meeting: Understand your organisation’s exposure and have a plan to address it. This is a governance issue, not just a technical one.

How We Can Help

At The Fabrik, we specialise in Microsoft Power Platform for SMEs in Greater Manchester and the surrounding areas. We understand both the potential of these tools and the risks they carry.

Our Power Platform Security Assessment is designed specifically for businesses like yours. In two to three days, we will:

  • Audit all your Power Automate flows, focusing on HTTP triggers and external connections
  • Review your Copilot agent configurations and permissions
  • Assess your current DLP policies against best practices
  • Identify your most significant risks
  • Provide a prioritised remediation plan with clear actions
  • Deliver an executive summary you can share with your board or leadership team

We do not believe in creating fear to sell services. We believe in giving you the information you need to make informed decisions about your business technology.

If you would like to discuss your Microsoft automation security, I am happy to have an initial conversation at no charge. We can talk through your setup, your concerns, and whether a formal assessment makes sense for your situation.

Contact us: hello@thefabrik.co.uk or book a call

Darren Jones is the founder of The Fabrik, a business automation consultancy helping SMEs in Greater Manchester get more from their Microsoft 365 investment. He is a Microsoft Power Platform specialist with a particular interest in helping businesses balance capability with security.