Sr. Content Developer at Microsoft, working remotely in PA, TechBash conference organizer, former Microsoft MVP, Husband, Dad and Geek.
157706 stories
·
33 followers

Copilot Usage-Based Billing Gets a Token Dashboard

1 Share
Microsoft is keeping Visual Studio's new built-in Agent Skills switched off by default while a public dashboard measures whether their performance gains justify the additional tokens they may consume.
Read the whole story
alvinashcraft
2 minutes ago
reply
Pennsylvania, USA
Share this story
Delete

Least privilege for AI agents: Identity, access, and tool binding

1 Share

AI agents aren’t only smarter API callers. They plan, chain actions across systems, and invoke tools in sequences while no single human explicitly approves each step. The architectural reality may introduce identity and authorization challenges that organizations are still evolving to address.

When an agent operates without a managed identity and least-privilege role-based access controls (RBAC), it can access or modify sensitive data beyond intended permissions if controls are not properly configured. Since agents can operate across multiple systems within a single workflow, a misconfigured permission may increase the potential impact compared to traditional service account scenarios, depending on how the system is configured and scoped. Organizations are deploying agentic capabilities (multi-step automation, delegated actions, tool use) faster than their identity and authorization models are evolving to safely constrain them.  

The resulting exposure can be significant and may include risks such as unauthorized data access, unintended writes or deletions, and potential privilege escalation arising from overly broad role assignments. In some cases, these conditions can also contribute to gaps in auditability, which may make cyberattack detection, incident response, and regulatory inquiries more complex than necessary.

The right mental model is to treat every agent as a first-class principal: give it a lifecycle-managed identity, assign explicit roles, scope its permissions tightly, and scope tool usage to a preconfigured tools manifest or configuration. 

Real-world scenarios

The risk can occur in real-world implementations. Consider a common pattern: a team provisions an agent with a broad “Reader” role because it’s quick and the initial use case seems read-only. Then the workflow expands to include fixing issues it finds, and suddenly the agent needs write access too. Rather than rethinking the role design, teams grant something broader than intended and move on.

The scope creep is quiet, incremental, and rarely revisited. A related problem emerges when agents work across multiple tools. An agent with access to email, files, a ticketing system, and a code repository may look low-risk at each individual integration, but the combination lets it correlate data across systems and take actions no one explicitly authorized as a whole. Combined access across systems may result in broader effective permissions than evaluated individually.

Underneath both scenarios is a question that teams consistently fail to answer cleanly: is the agent acting under its own identity, a delegated user scope, or some mix of both? That ambiguity matters because it determines who’s accountable when something goes wrong, and what approvals were actually required.

When the answer isn’t documented and enforced upfront, it shows up later in the worst possible context: an incident where logs might capture what tool was called but can’t answer key questions such as: who authorized the action, under what role, or whether it was within intended scope. Sensitive data may be retrieved or summarized beyond its intended audiences if controls are not properly scoped.

An agent helpfully automates a remediation step and modifies or deletes something it shouldn’t have. Then the investigation stalls not because logs are missing, but because the identity model was never coherent enough to make them meaningful. This leaves organizations in the firefighting mood to resolve and solve questions their leadership cannot fully answer to customers, press, or auditors.

Best Practices: Identity + RBAC + Scope + Safe Tool Binding

For best practices in designing agentic identity and authorization, implementing multiple controls is intended to help reduce the potential impact of agent actions when configured and applied appropriately, while helping make privilege decisions explicit and supporting accountability in the event of unexpected or unintended outcomes.

Recommended practices for teams are generally to establish and document:

(1) a unique, dedicated agent principal with a named owner and an explicit purpose

(2) least-privilege, task-based roles that are scoped to the specific resources and data the agent needs

(3) Controlled tool access intended to limit the agent to approved actions

(4) end-to-end auditability so you can answer “what happened, under what authority, and what changed?” quickly.

In practice, the time-limited aspect should typically apply to entitlements (role activation, tokens, or approvals) rather than trying to create a new identity for every task. Most real-world deployments keep the agent identity stable for lifecycle management, while using just-in-time (JIT) elevation to grant narrowly scoped privileges only for the duration of a specific workflow.

Start by making the agent afirst-class principal. Create a dedicated agent identity (not a shared secret or reused service account), document its purpose statement (“what it is allowed to do and why”), and assign clear human ownership for approvals and incident response.

Build in lifecycle management from day one: onboarding checks, credential rotation, suspension/decommissioning procedures, and a fast shutdown mechanism that actually invalidates credentials and tokens. Then design role-based access controls (RBAC) around discrete tasks, not teams or org charts.

Model roles that match the smallest meaningful units of work, such as “Read-only knowledge retrieval,” “Summarize labeled documents,” “Create a draft ticket.” Avoid bundling unrelated permissions to reduce operational friction. When the workflow includes both evidence gathering and remediation, separate duties: use different roles (or different tools) for read versus write, and gate high-impact actions like delete, export, or privilege changes behind step-up approvals.

Scope everything and do it multiple times. Constrain permissions by resource boundary (tenant/subscription/workspace/site), by data boundary (collection, label, sensitivity), and by operation boundary (read/write/export/admin).  

The goal is to help make the where and what of access as explicit as the who. Pair this with safe tool binding by exposing a curated and approved set of tools/actions to the agent, and require explicit allowlists for high-impact operations.

This is where JIT for agents can help manage privilege exposure when implemented appropriately, such as, keep the baseline role minimal, use time-limited entitlements (temporary role activation, short-lived tokens, or per-action approvals) when the workflow genuinely requires higher privilege—and automatically drop back to the baseline when the workflow completes.

Finally, design systems to verify explicitly at every step whenever feasible. Downstream tools and services must re-check claims, roles, and scope on each call rather than trusting the orchestrator implicitly; otherwise, the “weakest link” becomes any integration that assumes upstream validation is sufficient.

Consider incorporating accountability controls as a core product feature, not an afterthought. Instrument agent actions end-to-end so logs capture the agent identity, role used, effective scope, resource accessed, action taken, “on behalf of” user (if applicable), timestamps, and correlation IDs that stitch together orchestrator → tool call → downstream system.

Without those fields, teams can’t reliably reconstruct intent or containment boundaries during an incident. Build and test revocation and recovery paths the same way you test feature reliability: practice disabling the agent identity, rotating credentials, and executing rollback/compensating actions for common failure cases (e.g., bulk ticket creation gone wrong, unintended writes, or export attempts). Operationalize governance with regular access reviews, removal of stale permissions, and mandatory re-approval when workflows change materially. And don’t stop at individual roles—deploy tools and processes that analyze aggregate permissions, because the real risk often emerges when multiple “reasonable” roles combine to enable a high-impact chain of actions.

Common pitfalls tend to undermine these controls in predictable ways. The fastest way to create long-term risk is granting broad Owner/Admin roles to unblock a pilot, then never coming back to refactor permissions once the workflow “works.” Shared secrets across multiple agents erase accountability and make revocation slow and incomplete.

Relying on prompts or “the agent will only do X” narratives instead of hard authorization boundaries invites prompt injection and workflow drift. Without the underlying tool invocations, scopes, and downstream authorization decisions, logging only the LLM response creates an audit trail that looks present but is useless for forensics.

Temporary access that lacks an expiry mechanism becomes permanent access in practice. Teams can avoid these anti-patterns by defaulting to task-based roles, enforcing explicit scopes and tool allowlists, using JIT time-limited entitlements for elevation, re-checking authorization in every downstream system, and treating access review and revocation testing as required operational hygiene—not optional maturity work.

Looking Ahead

Agents are quickly moving from helpers to autonomous actors across email, files, tickets, and cloud resources; driving tighter coupling between identity governance, fine-grained authorization, and tool/action policy.

In the next 30–90 days, inventory your agent identities, remove broad roles, introduce task-scoped RBAC, and require safe tool binding plus end-to-end audit logs (with monitoring) before expanding deployments—especially for cross-tenant/guest agents, B2C agents, and agent ecosystems.

Read the Pattern & Practice (PnP): Least Privilege for Agents and use it as a checklist to close the gaps that most reduce impact: ownership, scope, tool allowlists, and fast revocation. 

The post Least privilege for AI agents: Identity, access, and tool binding appeared first on Microsoft Security Blog.

Read the whole story
alvinashcraft
2 minutes ago
reply
Pennsylvania, USA
Share this story
Delete

Artisanal Open Souurce Code

1 Share
From: Fritz's Tech Tips and Chatter
Duration: 2:12:09
Views: 161

Let's do a little old school C# coding today

Read the whole story
alvinashcraft
3 minutes ago
reply
Pennsylvania, USA
Share this story
Delete

Build Once, Run Everywhere: Unified Manifest for Office Add-Ins now Generally Available

1 Share

We’re excited to announce the general availability of unified manifest support for Word, Excel, PowerPoint Add-ins, in addition to Outlook Add-ins. Unified manifest support first launched for Outlook Add-ins. Now, it extends across Word, Excel, and PowerPoint, making it possible to build a single app that works across Microsoft 365 apps. This update helps developers deliver a more consistent experience for users and gives IT admins a simpler deployment model.

Why it matters

The unified manifest brings Microsoft 365 extensibility closer to a single, consistent model for Teams apps, Office Add-ins, and Copilot agents. Developers have already used the unified manifest in Outlook Add-ins to simplify distribution, reduce customer friction, and increase adoption. A common request was to bring these same benefits to Word, Excel, and PowerPoint Add-ins. Over the last two years, teams across Microsoft have invested in making this possible. You can now bring existing add-ins forward with less effort and take advantage of a more streamlined path to support additional Microsoft 365 apps.

What you can do with the unified manifest

  • Build once, distribute everywhere — Use one manifest to power experiences across Office Add-ins, Teams apps, and Microsoft 365 Copilot.
  • Simplify deployment — Manage app access centrally through the Integrated Apps page in the Microsoft 365 admin center.
  • Deliver a consistent experience — Help users find and use your app more consistently across supported Microsoft 365 surfaces.

A great example of what this makes possible is Script Lab Unity. Previously, developers needed separate Script Lab add-ins for Outlook and for Word, Excel, and PowerPoint. Using the manifest converter tool, the team combined those experiences into a single app with minimal rework. The result is Script Lab Unity — one app that’s easier to acquire and use across Microsoft 365.

Script lab unity image

What’s available

Developers can now publish unified manifest add-ins for:

  • Outlook
  • Word
  • Excel
  • PowerPoint

Users can install and use these add-ins across Office for the web, Windows, and Mac. For more details, see client and platform support.

Another example of this model is the Tableau Cloud app developed by one of our partners.

Tableau catalog image

Get started

Ready to get started? Begin with the unified manifest overview, then choose the path that fits your scenario:

We’d love to hear from you!

feedback button shadow imageWe value your feedback and suggestions. You can submit feedback directly within Office apps such as Excel by clicking the Feedback button in the upper-right corner, or by going to Help > Feedback. You can also connect with us through the Office Add-ins developer community.

Happy coding!

 

The post Build Once, Run Everywhere: Unified Manifest for Office Add-Ins now Generally Available appeared first on Microsoft 365 Developer Blog.

Read the whole story
alvinashcraft
3 minutes ago
reply
Pennsylvania, USA
Share this story
Delete

AI hasn’t shifted the bottleneck from coding to code review

1 Share
Abstract dark blue digital corridor with geometric grid blocks and a central neon light beam, illustrating a software pipeline bottleneck.

Why we’ve stopped noticing the real improvement opportunity

Since AI arrived, many people have mentioned that the bottleneck has shifted from coding to code review. This isn’t quite right, as coding wasn’t the bottleneck in the first place, and it’s not code review now. The reason we think either of these things is constraining the flow of value is that mossy hill we all stare past when we look at the mountains.

Here’s a simple test. For the application or service you work on, how many changes have passed code review but haven’t yet been deployed and enabled for users? If the answer is none or one, accept my apologies: in your specific case, I’m wrong. But I rarely get that answer. It’s usually more than one, and that tells you the bottleneck is elsewhere.

Bar chart showing number of changes per deployment batch.
Number of changes per deployment batch (Source: Octopus Deploy)

We’re conducting original research in this area right now, and half of all teams have between 2 and 10 changes sitting in a batch, and a quarter have 11-50. Overall, more than 90% of teams ship in batches rather than one change at a time.

“Coding wasn’t the bottleneck in the first place, and it’s not code review now.”

This number reveals an industry-wide visibility gap. People believe Claude Code, Cursor, and GitHub Copilot have shifted the bottleneck from coding to code review, but that ignores everything that happens after the review, and that’s not a personal failing; it’s an industry-wide misperception.

We’ve grown so used to working in batches that the practice looks like it belongs. It’s overgrown with moss, indistinguishable from the surrounding hills. When you search for ways to speed up software delivery, you won’t see it, because it doesn’t look like a problem. It looks just as things have always been.

What happens when AI floods a batch

Writing code is a small part of a longer value stream that starts with an opportunity and ends when a user gets the value they need. The impact across this whole value stream is lumpy. AI will help more in some areas than others, and the end-to-end benefit depends on you noticing the areas where work accumulates.

GitLab’s 2026 AI Accountability Report found that 85% of respondents agree AI has shifted the bottleneck from writing code to reviewing it. Yet we can see from deployment batches that 92% of these people are likely wrong, because if there’s accumulation after the code review, it means code review isn’t the bottleneck. It also means speeding up the reviews will make the real bottleneck worse.

This isn’t to say increased coding speed doesn’t put pressure on code review. Faros AI’s research across 10,000 developers found that teams with high AI adoption merge 98% more pull requests, but review time for those changes increases by 91%, and the average pull request size increases by 154%. Cursor’s own study, run with a University of Chicago economist, found companies merge 39% more pull requests once its coding agent becomes the default.

However, approving changes faster only works if the change then flows smoothly into production. In the majority of cases, it simply moves into the queue of changes awaiting further handling, such as testing and deployment. If you up the rate and size of changes passing through the review stage, pressure is simply transferred to the real bottleneck.

“If you up the rate and size of changes passing through the review stage, pressure is simply transferred to the real bottleneck.”

Code review looks like a constraint only because it has a visible queue, while the downstream queues are hidden by their general acceptance across the industry. The job of your pipeline is to get changes to production, where they can be used, not to gather them in a “pending deployment” queue.

And as all those unreleased changes accumulate, risk increases with them.

Batches are signposts

Ask the batch-size question, and you’ll find what’s really constraining your value stream: a manual verification step, a cumbersome change approval or release train process, or no easy way to deploy changes. Not coding. Not code review.

You were likely working in batches before you started your AI initiative. The introduction of AI will increase your batch sizes, which can cause problems. Increasing code review throughput doesn’t solve the problem; it simply moves changes to the bottleneck faster.

Using the true constraint to set the pace of your whole value stream will help you invest in solving the right problem. If your retrospectives keep failing to produce noticeable improvements, you’re likely missing the batch problem. It’s why some AI initiatives pay off while others flop.

The studies miss it, too

Research on the impact of AI is useful, but, like many studies on this topic, it stops at the point where code is merged. It looks at open pull requests, merged pull requests, and hours spent reviewing. None of it asks how long changes wait after the review, or how many are bundled together before anyone sees them in production. Without that number, you can’t find the real constraint.

Having invested in AI to speed up coding, you’ll be tempted to fix code review next, or give up on code reviews altogether. If you’re shipping in batches, neither will make much difference to how quickly you remove risk or deliver value to the people using the software.

The reason your organization resists fixing the batch problem is the real problem you need to solve.

The post AI hasn’t shifted the bottleneck from coding to code review appeared first on The New Stack.

Read the whole story
alvinashcraft
3 minutes ago
reply
Pennsylvania, USA
Share this story
Delete

Evolving Spec-Driven Development: Conductor Now Supports Antigravity

1 Share
Conductor has evolved from a Gemini CLI extension into a portable plugin, bringing conversational Spec-Driven Development (SDD) to ecosystems like Antigravity CLI and Claude. Rather than relying on strict command sequences, developers can now chat naturally with their AI assistant while it dynamically manages persistent markdown artifacts (like spec.md and plan.md) in the background. This update eliminates workflow friction while ensuring your repository remains a version-controlled, single source of truth for your project's architecture and state across different AI tools.
Read the whole story
alvinashcraft
3 minutes ago
reply
Pennsylvania, USA
Share this story
Delete
Next Page of Stories