AI-Generated Microsoft 365 Workflows Create Hidden Security Risks

A security analyst at a large enterprise recently discovered sensitive HR documents being automatically copied into a Microsoft Teams channel accessible to hundreds of employees. The culprit wasn't a malicious insider or compromised account—it was a Power Automate workflow generated by an AI coding assistant.

The workflow had been created to automate document approvals between SharePoint and Teams. It functioned exactly as intended: documents moved, notifications sent, approvals accelerated. But no one had reviewed the permissions, data flow, or security implications before deployment.

This incident, detailed by Yelena Mujibur Sheikh, a cybersecurity engineer at BNSF Railway, illustrates a growing blind spot in enterprise security. AI coding assistants now generate scripts, workflows, and integrations at unprecedented speed, while Microsoft 365 sits at the center of most organizations, holding emails, documents, Teams conversations, and business-critical data. Together, they create what Sheikh calls "automation that works, but nobody fully understands."

Why it matters

Unlike traditional software development with code review and security checks, Microsoft 365 automation—Power Automate flows, Graph API scripts, SharePoint integrations—is often built by business analysts and power users whose primary goal is speed, not security. AI assistants have eliminated the technical barriers to creating powerful automation, but they haven't eliminated the security risks. Organizations now face a proliferation of shadow automation running with privileged access to sensitive data, often invisible to security teams.

Three critical failure modes

AI-generated Microsoft 365 automation fails in predictable patterns. First, excessive permissions become normalized. AI-generated Microsoft Graph scripts frequently request broad, tenant-level permissions because wide access makes code more likely to work on the first try. A developer asks for a script to read SharePoint files and post Teams updates; the generated code requests access far beyond the specific site or channel needed. If that service account or app registration is later compromised, attackers inherit far more access than the use case required.

Second, workflows become silent data leakage channels. Power Automate's strength—moving information seamlessly between SharePoint, Teams, Outlook, OneDrive, and external SaaS tools—becomes a liability. A flow designed to distribute monthly reports can accidentally send payroll data, customer records, or legal documents to the wrong Teams channel or external recipient. Because these workflows run automatically, exposure can continue for weeks before detection. The breach looks like normal business activity.

Third, compliance automation creates legal exposure. Security teams increasingly use AI to generate eDiscovery searches, audit queries, and retention workflows. A poorly constructed eDiscovery query can collect excessive data, miss critical evidence, expose privileged communications, or mishandle preservation requirements—creating audit findings and regulatory exposure in regulated industries.

The speed problem

The fundamental challenge is velocity. Building enterprise automation once required time and specialized knowledge. Today, any user can generate a PowerShell script, Graph API integration, or Power Automate workflow in minutes. Security teams cannot review automation at the pace it's being created. The assumption that only experienced developers build production workflows no longer holds.

Practical controls

Sheikh argues that banning AI assistants or blocking automation isn't realistic. Instead, organizations should treat AI-generated automation like code requiring review before production use. Power Automate flows, Graph scripts, app registrations, and service accounts need security assessment.

Organizations must enforce least privilege across Microsoft 365 automation, treating broad Graph permissions, standing admin access, and over-permissioned connectors as high-risk findings. Security teams need an inventory of workflows and scripts running across Microsoft 365—unknown workflows can't be risk-assessed. Continuous monitoring should track new flows, connector changes, permission grants, external sharing activity, and unusual file movement.

Developers and citizen developers need clear guidance: AI-generated code is a draft requiring human review, not approved automation.

The next major enterprise security blind spot may not be AI-generated malware, Sheikh warns. It may be AI-generated business automation that passes functional testing while quietly introducing excessive permissions, data exposure, and compliance failures into Microsoft 365. The workflow won't look suspicious or trigger alarms—it will simply do what it was asked to do.

These details were first reported by Yelena Mujibur Sheikh in Dark Reading.