This site is a living document. Microsoft updates products and capabilities frequently; this log tracks meaningful content changes, corrections, and additions. Minor fixes (typos, link corrections) are not listed.
Entries marked 🆕 New are net-new content additions. Entries marked ✏️ Updated are corrections or refinements to existing content. Entries marked ⚠️ Correction are cases where earlier content was wrong or misleading and has been fixed.
| Type | Change | Page(s) Affected |
|---|---|---|
| 🆕 AI IR playbook | Added coverage of Microsoft's new AI Incident Response investigator playbook. Source: Microsoft Security blog, June 9, 2026 ("Reconstructing AI activity in investigations"), by Phillip Misner (Head of AI Incident Detection & Response) and the Microsoft AI Red Team. What it is: a structured investigator playbook for Microsoft 365 Copilot and Azure AI services that turns telemetry already available across Purview, Defender, and Sentinel into a coherent investigation. Methodology: a Scope → Context → Signal sequence: (1) scope: who interacted with AI systems, when, and which services; (2) context: what the system accessed, what data may have been exposed, and how that aligns with expected behavior; (3) signal: detection signals such as prompt injection attempts, anomalous usage patterns, and credential-exposure alerts, evaluated within that broader chain. AI telemetry is treated as metadata-first (identity, time, resource context), moving investigations from isolated signals to an account of what happened: normal usage, policy violation, or indicator of compromise. Bundles schema references, KQL queries, and detection logic into one working model and extends to agent-based systems (which agents are deployed, how they are configured, what data they are authorized to access, and whether that authorization was used as expected). Download: aka.ms/AIIRplaybook. Added: new card under the Detect & Respond / Security Copilot & Autonomous Agents section of product-map.html; chat.js SYSTEM_PROMPT section (technical) plus a plain-language note for business mode. | product-map.html, chat.js, changelog.html |
| Type | Change | Page(s) Affected |
|---|---|---|
| 🆕 MDASH deep-dive | Substantial coverage added for Microsoft's autonomous vulnerability discovery system (codename MDASH). Source: Microsoft Security blog, May 12, 2026, by Taesoo Kim (VP Agentic Security, Microsoft). Previously misclassified on the site as part of an "open trust stack" alongside ASSERT and ACS; corrected to its actual category (autonomous vulnerability discovery pipeline, not an open standard). Key facts now on the site: built by Microsoft's Autonomous Code Security (ACS) team, several members from Team Atlanta (DARPA AIxCC winners). Orchestrates 100+ specialised AI agents across an ensemble of frontier + distilled models through a Prepare → Scan → Validate → Dedupe → Prove pipeline. Benchmark results: 21/21 planted vulns on a private test driver with 0 false positives; 96% recall on the 5-year clfs.sys MSRC backlog; 100% recall on tcpip.sys; 88.45% on CyberGym (1,507 real-world vulns), the top score on the leaderboard, ~5 points ahead of the next entry (Anthropic at 83.1%). Discovered 16 new CVEs in the May 12, 2026 Patch Tuesday, including 4 Critical RCEs (CVE-2026-33824 IKEv2 LocalSystem RCE, CVE-2026-33827 tcpip.sys remote UAF). Currently in limited private preview. Substantive new sections added: threats.html (~200-line section on AI-powered vulnerability discovery + CVE table + benchmark table + strategic implication callouts); product-map.html (new card under AI-Powered SecOps with PRIVATE PREVIEW MAY 2026 badge); chat.js (full technical SYSTEM_PROMPT section + business-language framing for leadership). Strategic framing surfaced: "The harness around the model is most of the engineering"; the vendor evaluation criterion shifts from "which model" to "what survives the next model." | threats.html, product-map.html, frameworks.html (correction), chat.js, changelog.html |
| 🆕 Date awareness | Chatbot now proactively surfaces relevant dates and deadlines. After testing revealed the chatbot would give a "yes/no" answer to "do I need Agent 365" without flagging the July 1, 2026 transition, the following changes were made: (1) Added a "KEY DATES & DEADLINES" registry near the top of both technical and business SYSTEM_PROMPTs. It covers upcoming dates (June 2026 Build wave; July 1 Agent 365 mandate + AIAgentsInfo retirement + RT protection block-mode change + third-party connector retirement + MXC Preview; August 2026 EU AI Act; Colorado AI Act; etc.) and recent dates for context, and includes explicit instructions on when to surface dates proactively (licensing questions → July 1; KQL questions → AIAgentsInfo retirement; compliance questions → AI Act dates; etc.) and how to phrase them (explicit date, what happens, days remaining when relevant). (2) Added a "FREQUENTLY ASKED LICENSING QUESTION" section earlier in the technical SYSTEM_PROMPT giving a Q&A pattern for "do I need Agent 365?" that the chatbot is instructed to answer with explicit time-bound context (today vs. after July 1, 2026), what is lost without Agent 365 after July 1, and pricing reminders. The same pattern was added to the business prompt's KEY BUSINESS MESSAGES. (3) Chat widget chips updated: added "⏰ July 1, 2026 cutover" to both technical and business modes (replacing the technical "Microsoft's MCP servers" chip); the business mode "Compliance deadlines" chip was broadened to "Key dates ahead", covering both regulatory and tech cutover dates. | chat.js, all 15 HTML files (chip refresh) |
| 🆕 Defender deep-dive | Defender local AI agent discovery + runtime protection: full detail added from the authoritative Microsoft Learn docs and the Microsoft Threat Protection blog. Earlier in this session the site had general coverage of "Defender local agent discovery"; this round adds the specifics. Sources: local agent discovery overview, runtime protection overview, and the Microsoft Threat Protection blog post. Additions: (1) Full 5-category taxonomy of supported agents: CLI agents (Claude Code, Codex CLI, Gemini CLI, GitHub Copilot CLI, OpenCode, Antigravity CLI), Desktop apps (ChatGPT, Claude, Codex, Ollama, Poe), Agentic IDEs (Cursor, Antigravity, Windsurf), VS Code extensions (Claude Code, Cline, Codex, Gemini Code Assist, GitHub Copilot, Roo Code), Claw-based agents (OpenClaw, Clawpilot, Claw/Nanobot); 20+ specific products. (2) Agent definition clarified: combination of user + device + agent type (one entry per triple, not per project folder). (3) Runtime protection mechanics: 3 hook points (user prompt, pre-tool call, post-tool response); 3 modes (Block/Audit/Disabled, with Audit as the recommended starting mode); Tamper Protection; alert name "Suspicious AI prompt injection"; currently supports Claude Code + GitHub Copilot CLI via their published hooks frameworks. (4) Three views in the Defender portal: inventory, exposure map (visual relationships between agents/devices/identities/resources), Advanced Hunting. (5) Microsoft's canonical example documented: coding agent fetches doc → hidden injection instructs a read of .env + POST to an external URL → Defender blocks at post-tool response. (6) Platform clarification: the Learn doc is explicit on Windows-only today (the blog mentions macOS, likely planned but not in the Learn-authoritative state). product-map.html now has two Defender cards (Discovery + Runtime Protection) instead of one; mcp.html has a new "Endpoint inventory & runtime protection" section since most discovered agents are MCP clients; agent365.html Native Windows table updated with the discovery + runtime protection rows in full detail; chat.js SYSTEM_PROMPT expanded with the full agent list + hooks framework references + canonical example. | product-map.html, mcp.html, agent365.html, chat.js, content_monitor.py |
| 🆕 Build 2026 wave | Comprehensive Build 2026 integration: ten new concepts added. Microsoft Build 2026 (June 2, 2026) introduced a substantial body of capabilities for local agents, runtime containment, and the open AI trust stack. (1) Claws + ClawHub: claws are skills loaded into OpenClaw via the public ClawHub registry; installing a claw is functionally installing privileged code. Section on mcp.html covers the security model and a supply-chain attack callout. (2) OpenClaw deeper coverage: self-hosted agent runtime, open-source, runs on Windows via MXC. (3) Microsoft Execution Containers (MXC) SDK (Early Preview): policy-driven execution layer with composable isolation. New product-map card; mcp.html section. (4) Agent 365 + MXC native integration (Preview July 2026): Defender/Entra/Intune/Purview converge at the runtime boundary. New agent365.html section. (5) Defender local agent discovery (Preview June 2026): Defender discovers/profiles supported local AI agents on endpoints. New product-map card. (6) Defender AI model scanning (Preview): inspect models in registries, workspaces, CI/CD. New product-map card. (7) Defender advanced hunting + exposure graph for agents (Preview coming soon). (8) Native Windows + Intune integration: Intune policies gate agent runtime execution. (9) Foundry Agent Service hosted agents (Preview): instant-on per-agent sandboxes; cloud equivalent of MXC. New product-map card + foundry.html callout. (10) ASSERT + Agent Control Specification + Codename MDASH: open-source AI trust stack. New frameworks.html section. | product-map.html, mcp.html, threats.html, frameworks.html, foundry.html, agent365.html, playbooks.html, chat.js, content_monitor.py |
| ⚠️ Real-world threat findings | Two Build-2026-era findings documented in threats.html. (1) Claude Code GitHub Action prompt injection: Microsoft Threat Intelligence identified a pathway allowing access to workflow secrets under specific conditions (Feb 2026 research). Attack pattern: untrusted content (issue body, PR description) becomes prompt input; the injection redirects the agent to dump secrets.* or call attacker endpoints. Defences documented. (2) Malicious skills on ClawHub: attackers publishing malicious skills disguised as utilities, promoted through community channels. Treat installation as a third-party dependency review. Defences: approved-claws list, verified publishers, run OpenClaw inside MXC, enable Purview local-agent observability. | threats.html, mcp.html |
| 🆕 Playbook 07 Rule 6 expanded | Maker rule on local AI agents extended to cover claws and ClawHub. Rule 6 now includes the OpenClaw skill-installation security model: installing a claw is functionally installing privileged code on a developer laptop. Recommendations added: check for an approved-claws list, prefer verified publishers, run OpenClaw inside MXC on Windows, treat new claws as third-party dependency review items (same gate as npm or PyPI). | playbooks.html (Playbook 07 Rule 6), chat.js |
| 🆕 Purview AI wave | Five new Purview AI announcements added (June 2026 wave). Microsoft announced five capabilities targeting where AI work actually happens: developer endpoints, Foundry workloads, GitHub Copilot, custom apps. (1) Purview for Local & Endpoint Agents (Preview): extends Purview to GitHub Copilot CLI, Claude Code, OpenAI Codex, OpenClaw. DSPM visibility, real-time DLP, Insider Risk signals, full interaction logs. Closes the "developer endpoint" governance gap. (2) DLP Runtime Controls for Microsoft Foundry (Preview): inline DLP integrated into prompt handling. SITs detected during execution; can block requests pre-processing. (3) Purview Insights in Foundry Control Plane (GA): security telemetry surfaces in the developer workflow without leaving Foundry. Three signals: detected sensitive data, share of sensitive interactions, high-risk users. GA on launch. (4) Purview → GitHub Copilot Integration (Preview): Copilot audit data streams into Purview. Repos, PRs, sessions in one audit/eDiscovery scope. (5) Microsoft Purview SDK for .NET (Preview): drop-in toolkit so custom AI apps appear in the same Purview governance views as Microsoft-native workloads. Closes the "if you build it yourself, you lose visibility" gap. New product cards added to product-map.html (5 cards with NEW JUNE 2026 / GA JUNE 2026 badges). Foundry-specific callout added to foundry.html. Local-agent callout added to mcp.html (since Claude Code, GitHub Copilot CLI etc. are MCP clients). Comprehensive section added to chat.js SYSTEM_PROMPT. Playbook 07 (Brief Your Makers) expanded from five maker rules to six; added Rule 6 covering local AI agents (GitHub Copilot CLI, Claude Code, OpenAI Codex, OpenClaw) now being in Purview scope. Header updated to "33-Minute Security Awareness" (was 30 min), audience expanded to include laptop AI agent users, escalation list in Part C extended with a local-agent help row. | product-map.html, foundry.html, mcp.html, playbooks.html, chat.js, content_monitor.py |
| ⚠️ Schema migration | AIAgentsInfo → AgentsInfo migration applied site-wide. Per the Microsoft Learn schema changes notice (June 2026): the AIAgentsInfo table is being replaced by the unified AgentsInfo table. Microsoft Agent 365 customers should use the new table today; the old table remains accessible until July 1, 2026. The new schema unifies agent inventory across Copilot Studio, Microsoft Foundry, Microsoft 365 Copilot, third-party agents, and endpoint-discovered agents. All KQL queries on the site (115 references across 13 files) migrated. Key column changes: AIAgentId → AgentId; AIAgentName → AgentName; AgentStatus="Published" → PublishedStatus="Published"; AgentStatus="Deleted" → LifecycleStatus="Deleted" (split into separate columns with values Active/Blocked/Uninstalled/Deleted); UserAuthenticationType (string) → ToolsAuthenticationType (dynamic), so the site uses tostring(ToolsAuthenticationType) contains "None" as a robust pattern; OwnerAccountUpns (string) → Owners (dynamic array), so the site uses array_length(Owners) == 0; AgentCreationTime → CreatedDateTime; AgentToolsDetails → DeclaredTools; AgentTopicsDetails → Capabilities (best approximation); AgentChannel → Channels; AgentActionTriggers → Triggers; RegistrySource → Platform (semantic shift: all AgentsInfo rows are A365-registered); IsBlocked → LifecycleStatus == "Blocked"; AIModel → Model; EntraObjectId → EntraAgentId; AgentUsers → SharedWith; KnowledgeDetails → DeclaredDataSources. Prominent migration banner added to playbooks.html with a full column mapping table (15+ rows); compact migration callouts on agent365.html, identity.html, gaps.html. AgentsInfo is currently labelled Preview; queries against dynamic columns may need JSON field path adjustment against tenant data. | 13 files: agent365.html, chat.js, copilot-vs-foundry.html, foundry.html, frameworks.html, gaps.html, identity.html, playbooks.html, product-map.html, risk.html, strategy.html, threats.html, content_monitor.py |
| 🆕 Microsoft sample queries | Added four more Microsoft-published sample queries to Playbook 01 Step 8 (8e-8h). Per the Microsoft Learn AIAgentsInfo sample queries page, four additional queries weren't on the site. All migrated to AgentsInfo: 8e: HTTP requests to nonstandard ports (potential C2 or covert channel; anything other than 443/80 warrants investigation); 8f: HTTP requests to graph.microsoft.com / management.azure.com (highest-risk auth pattern indicator: App Registration with tenant-wide application permissions); 8g: Generative orchestration + email send with AI-controlled inputs (XPIA exfiltration risk: if a successful XPIA happens, the agent could exfiltrate data to attacker-controlled recipients); 8h: Hard-coded credentials in Topics/Tools (regex matching covers AWS, GCP, Slack, GitHub, Stripe, SendGrid, Telegram, JWTs, Basic Auth credentials). All four queries use the Power-Platform-era JSON shape; a caveat notes that these may need JSON path adjustment as the unified schema matures. | playbooks.html |
| ⚠️ July 1, 2026: two more cutover events | The same Microsoft transition adds a licence gate and a real-time protection table change. Per the transition guide: (1) AI agent security capabilities for Copilot Studio and Foundry agents will require a Microsoft Agent 365 license effective July 1, 2026; these capabilities are no longer covered by existing Defender for Cloud Apps or Defender for Cloud licenses. (2) Existing Agent 365 real-time protection rules in Block mode stop blocking on July 1, 2026; alerts move to the new BehaviorInfo table in Advanced Hunting; block rules must be redefined under Settings → Security for AI → Policies. (3) Third-party cloud agents are no longer discoverable through Defender for Cloud connectors; use Agent 365 registry sync instead. All three documented in the migration banner on playbooks.html and in the chat.js SYSTEM_PROMPT. | playbooks.html, chat.js |
| 🔧 Method | Used the Microsoft Learn MCP server to systematically compare site coverage against current Microsoft documentation. Searches across the AI security stack, Foundry Control Plane, Purview DSPM for AI, Sentinel data connectors, Entra Agent ID / Agent Registry / ID Protection, MCP integration, and Zero Trust. Source: Microsoft Learn "What's new in Microsoft AI security" (November 2025 wave): learn.microsoft.com/security/security-for-ai/whats-new. | All content pages |
| ⚠️ Correctness reverted | Earlier "Security Dashboard for AI GA → Preview" change was incorrect. I reported correcting this status here, but on verification against the authoritative Microsoft Learn page the dashboard has no Preview indicator; it is GA. See the self-correction entry below for the full revert. The original site claim ("Now GA") was correct all along. | index.html |
| 🆕 New | "Latest from Microsoft Learn (Nov 2025 wave)" callout on Overview. Summarises the November 2025 Microsoft AI security wave: Entra Agent Platform, Entra Agent Registry, AI Prompt Shield (network-layer), specialized roles for Agent ID management, Copilot Studio AI agent protection in Defender, and the Microsoft Foundry naming change (formerly Azure AI Foundry). | overview.html |
| 🆕 New | "Agents at risk" card: Microsoft's formal risk taxonomy. Added the four agent risk types Microsoft surfaces natively in the M365 admin center: Shadow agent (Critical), No owner assigned (Critical), Excessive permissions (Critical), Security misconfiguration (High). Each with source signal mapping (Entra / Purview / Defender). | risk.html |
| ⚠️ Critical detail | OBO flow risk attribution caveat. Critical technical detail from Microsoft Learn: in On-Behalf-Of flows, risky activity is attributed to the user, not the agent. The agent risk detection table applies only to autonomous agent activity. A delegated-auth agent that appears to misbehave may not appear in the Risky Agents report at all; investigators should check user risk instead. Documented on both risk.html and identity.html. | risk.html, identity.html |
| 🆕 New | ID Protection for Agents: five offline risk detections documented. Detailed coverage of the five detections Microsoft lists in ID Protection for agents (Preview): unfamiliarResourceAccess, signInSpike, failedAccessAttempt, adminConfirmedAgentCompromised, threatIntelligenceAccount. Includes 4 response actions, 90-day retention, Microsoft Graph collections (riskyAgents, agentRiskDetections), and required roles (Security Admin/Operator/Reader for reports, Conditional Access Administrator for risk policies). | identity.html, chat.js |
| 🆕 New | Custom Security Attributes for agent segmentation. New section on identity.html covering Microsoft's recommended pattern for scaling CA policy across agent estates: define attributes (Environment, Department, DataSensitivity), assign them to agents, and use them as CA policy conditions. Plus the critical caveat: agents cannot satisfy interactive MFA controls, so don't rely on user-targeted CA policies for agents. | identity.html |
| 🆕 New | Agent Registry Administrator role + AI security licensing matrix. New Entra built-in role for AI agent management (separate from the broader AI Administrator). Plus a clear licensing breakdown: Agent ID (free with Entra), CA for Agents (Entra ID P1), ID Protection for Agents (Entra ID P2), ID Governance (Entra ID P1), Network controls (Entra Internet Access), Agent 365 (per-user, not per-agent). Includes Purview role groups: Data Security Management, Data Security Viewers, Data Security IRM Triage Agent (the new "role assigned to an agent identity" pattern). | identity.html |
| 🆕 New | Microsoft's MCP server landscape. Comprehensive table of first-party MCP servers Microsoft now ships or previews: Sentinel MCP server (hosted, Entra-auth), Microsoft Learn MCP server (authless), Foundry MCP integration (server_label + server_url), Windows On-device Agent Registry (ODR) with contained-by-default execution, Copilot Studio MCP onboarding wizard, Microsoft Agent Framework MCP tools. Plus Microsoft's stated position on third-party MCP servers and authoritative security guidance links. | mcp.html |
| 🆕 New | External threat detection for Copilot Studio agents. Pluggable runtime control via a REST API endpoint that agents call before tool invocation. Public Preview Sep 4, 2025 · GA expected June 2026. Generative agents only. Use cases include corporate-specific data classification, sector-specific guardrails, third-party threat intel integration. Critical caveat: the endpoint becomes a hard dependency for every tool call; treat it as a tier-1 service for production. | threats.html |
| 🆕 New | Microsoft's nine harm categories (from the Copilot Studio Application Card). The official categories Microsoft tests against in internal safety evaluations: hate and unfairness, sexual, violence, self-harm, protected material, indirect jailbreak (XPIA), direct jailbreak (UPIA), code vulnerability, ungrounded attributes. Distinguished from Foundry's nine continuous-evaluation risk dimensions; both apply, and complete acceptance tests cover both. | threats.html |
| ✅ Resolved | Zero Trust Assessment AI pillar is now available. The site previously flagged this as "summer 2026"; Microsoft has shipped it. Updated the Frameworks page, Zero Trust page, and Gaps register. Microsoft identifies three common agent issues the assessment helps surface: authentication and policy mismatch, overpermissioned access, lifecycle and accountability gaps. See Configure agent identity security with the Zero Trust Assessment. | frameworks.html, zero-trust.html, gaps.html |
| 🆕 New | Foundry Control Plane: formal "Operate" toolbar 5-pane structure. Microsoft has standardised the Foundry Control Plane interface around five panes accessible from Operate: Overview (fleet health), Assets (unified inventory), Compliance (policies + Azure Policy/Defender/Purview integration), Quota, Monitoring (App Insights). Plus the Microsoft Foundry naming note (formerly Azure AI Foundry; same product). | foundry.html |
| 🆕 New product card | Three new identity product cards on the product map: Microsoft Entra Agent Platform (developer-first identity SDK/API), Microsoft Entra Agent Registry (complete agent inventory including third-party), AI Prompt Shield (network-layer prompt injection blocking via Entra Internet Access). All Preview, all from the November 2025 wave. | product-map.html |
| 🆕 New playbook section | Agent 365 Sentinel Data Connector documented. Microsoft-supported connector that ingests agent telemetry from Agent 365 + Microsoft Foundry + Copilot into the Sentinel data lake: a single connector, three sources. Enables hunting (KQL + natural language via Sentinel MCP), graph workflows (agent-to-agent and agent-to-tool relationships), and MCP investigation workflows. Deactivation cascade caveat documented. | playbooks.html, agent365.html |
| 🆕 New | Agent 365 + Purview integration section. Per Microsoft's dedicated Purview documentation for Microsoft Agent 365: audit an agent instance as you would a user; all agent-to-human, human-to-agent, agent-to-tools, and agent-to-agent interactions are captured in the unified audit log; Activity Explorer in DSPM shows agent activity under the AI activities tab. | agent365.html |
| 🔧 Chat assistant | chat.js SYSTEM_PROMPT extensively updated. Added: November 2025 wave (Agent Platform, Agent Registry, AI Prompt Shield, Foundry naming); M365 admin center "Agents at risk" card with four risk types; Entra built-in roles for AI agent management (with the new Agent Registry Administrator); Purview role groups for AI (including the new IRM Triage Agent role assignable to agent identities); ZT Assessment AI pillar now available; external threat detection for Copilot Studio; Agent 365 Sentinel data connector; Microsoft-provided MCP servers landscape; nine harm categories; Foundry Control Plane Operate pane structure; OBO flow risk attribution; custom security attributes for CA at scale. | chat.js |
| 🔧 Updated | content_monitor.py updated with a comprehensive June 5 covered-topics list. November 2025 wave additions, role groups, Foundry naming, MCP servers landscape, harm categories, ID Protection detection list: all added so the monitor doesn't flag these as new on the next sweep. | content_monitor.py |
| 🔧 Refreshed | Chat widget chips refreshed to surface Microsoft Learn additions. Technical mode added: "Latest from Microsoft" (Nov 2025 wave summary), "ID Protection detections" (the five offline risk detections), "Microsoft's MCP servers" (Sentinel MCP, Windows ODR, Foundry integration). Technical dropped: No-auth KQL (covered by the KPI chip), Vet a third-party agent (specialised), Key gaps (too generic). Business mode added: "Latest from Microsoft" (leadership-language Nov 2025 summary). Business dropped: Risk tier explained (overlaps with six-phase). Applied identically across all 15 pages with the chat widget. Verified a single MD5 hash across files. | All pages with the chat widget (15 files) |
| 🔧 Fixed | Home page tagline updated: removed the stale "8 sections" reference (legacy from the original eight-pillar framing). The new tagline highlights breadth without locking in a number: "This guide covers Microsoft's AI security stack end-to-end: identity, runtime, data, monitoring, governance, and compliance." Echoes the six-phase rollout framework now used on the strategy page. | index.html |
| ⚠️ Self-correction | Security Dashboard for AI is GA, not Preview; earlier "correction" reverted. Earlier in this session I "corrected" Security Dashboard for AI status from GA to Preview across the site, claiming Microsoft Learn labelled it Preview. On reviewing the authoritative Microsoft Learn article at learn.microsoft.com/security/security-for-ai/security-dashboard-for-ai, there is no Preview indicator anywhere on the page: no preview badge, no prerelease disclaimer, no "feature is in preview" notice. The document describes the dashboard as a live product. The site's original "Now GA" claim was correct. All Security Dashboard for AI status references reverted back to GA across overview.html, frameworks.html, gaps.html, mcp.html, playbooks.html, product-map.html, chat.js, and index.html. | overview.html, frameworks.html, gaps.html, mcp.html, playbooks.html, product-map.html, chat.js, index.html |
This batch came from a structured Microsoft Learn comparison using the Microsoft Learn MCP server. Searches covered each major content page's primary topics; findings were filtered for genuine novelty (not just rephrasing of known material). The site is now aligned with Microsoft's November 2025 wave of AI security announcements. The Microsoft Learn MCP server is recommended as a periodic-sweep tool going forward: natural-language access to current Microsoft documentation without manually crawling the Learn portal.
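The column mapping in the schema migration entry above, worked through as a pair of equivalent queries. This is an added example, not a query from the site's playbooks or from Microsoft's sample set: it flags published, active agents that either expose tools with no authentication or have no owner, first in the legacy AIAgentsInfo shape and then in the unified AgentsInfo shape, and finishes with the "Risky agents" weekly KPI count. The coalesce() guard and the assumption that one agent may appear in more than one row are additions of this example, not statements from the Learn notice.

```kql
// Added example: the same "no-auth or no-owner" check written for both schemas,
// using only the column mappings listed in the migration entry.

// 1. Legacy shape (AIAgentsInfo, accessible until July 1, 2026).
//    Publication and lifecycle state share one string column, AgentStatus;
//    UserAuthenticationType and OwnerAccountUpns are plain strings.
AIAgentsInfo
| where AgentStatus == "Published"
| extend NoAuth  = UserAuthenticationType has "None",
         NoOwner = isempty(OwnerAccountUpns)
| where NoAuth or NoOwner
| project AIAgentId, AIAgentName, NoAuth, NoOwner, AgentCreationTime

// 2. Unified shape (AgentsInfo). AgentStatus is split in two: publication
//    state lives in PublishedStatus, lifecycle state in LifecycleStatus
//    (Active/Blocked/Uninstalled/Deleted), so both are filtered explicitly.
AgentsInfo
| where PublishedStatus == "Published" and LifecycleStatus == "Active"
// ToolsAuthenticationType is now dynamic: stringify it before matching,
// the pattern the site adopted.
| extend NoAuth = tostring(ToolsAuthenticationType) contains "None"
// Owners is now a dynamic array. array_length() yields null when the property
// is absent or not an array, and null == 0 is not true in KQL, so an agent
// with no Owners property at all would slip past a bare array_length() == 0.
// coalesce() treats that case as "no owner" (assumption of this example).
| extend NoOwner = coalesce(array_length(Owners), 0) == 0
| where NoAuth or NoOwner
| project AgentId, AgentName, Platform, NoAuth, NoOwner, CreatedDateTime

// 3. Weekly KPI feed ("Risky agents", target zero). dcount() is used because
//    the same agent is assumed to be able to appear in more than one row.
AgentsInfo
| where PublishedStatus == "Published" and LifecycleStatus == "Active"
| where tostring(ToolsAuthenticationType) contains "None"
     or coalesce(array_length(Owners), 0) == 0
| summarize RiskyAgents = dcount(AgentId)
```

Run each of the three statements separately (the Logs editor executes the query under the cursor), and compare the AgentsInfo results against the legacy query while both tables are still available so that any JSON path differences in the Preview schema surface before the July 1, 2026 cutover.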
| Type | Change | Page(s) Affected |
|---|---|---|
| 🔧 Restructured | Strategy page restructured: six-phase rollout replaces the eight-pillar framework. The eight-pillar version described what the stack is; the new six-phase framework describes how to roll it out: Discover & Inventory → Identity & Governance → Data Security → Runtime Protection → Monitoring & Detection → Compliance & Governance. Each phase has prerequisites and produces evidence the next phase consumes. Per-pillar deep-dive content lives on its dedicated topic page (playbooks, identity, frameworks, etc.) so the strategy page can stay a strategy page. | strategy.html |
| 🆕 New | AI Readiness Assessment: pre-Phase-1 framing. Attack surface inventory, legacy estate scale, governance maturity gap, commercial path. Now appears before the six-phase rollout as the question to answer first. | strategy.html |
| 🆕 New | Four AI security KPIs to track weekly: Risky agents (target zero), Sensitive access events (stable), DLP policy hits (stable post-tuning), Blocked tool actions (rising then stable). Short version on Strategy with reporting cadence; full operational KQL on Playbooks. | strategy.html, playbooks.html |
| 🆕 New | Quarterly board-level reporting pack: seven-section structure for executive AI risk reporting, sourced from outputs of the six phases and the four weekly KPIs. | strategy.html |
| 🆕 New | Risk tier classification methodology (H / M / L): explicit criteria with required action and governance cadence. HIGH = no-auth OR maker credentials OR org-wide sharing OR no owner OR regulated data. Includes the critical "highest match wins, not average" caveat: risk does not average down. | risk.html |
| 🆕 New | AI Trust and Safety assurance: distinct from security testing. Adelard safety case methodology referenced for citizen-facing or safety-critical agents. Distinguishes security testing (adversarial), Trust & Safety assurance (reliability, fairness), and Responsible AI evaluation (harms). | risk.html |
| 🆕 New | Agent Approver: third accountability role added to the Identity page. Role model extended from Owner / Sponsor / Orphaned to Owner / Sponsor / Approver / Orphaned. The Approver is the IT gatekeeper for any sharing beyond a team or org-wide, which is what converts sharing limits from policy to enforced gate. | identity.html |
| 🆕 New | AI Governance Operating Model: five forums with cadence and decision rights. AI Security Working Group (monthly), Agent Lifecycle Board (monthly), Quarterly Governance Sweep, Annual AI Risk Assessment, Agent Red Team Cycle. Fills the human-layer gap between deployed controls and sustained governance. | frameworks.html |
| 🆕 New | AI Baseline in Purview Compliance Manager promoted as the starting compliance action. Pre-built evaluation against EU AI Act, NIST AI RMF, ISO 42001 with mapped remediation. Established as the recommended Phase 6 first task. | frameworks.html |
| ⚠️ Caveat | Compliance Manager score ≠ audit-ready compliance assessment. New callout explicitly distinguishing the automated posture score from a structured assessment with evidence collection, control testing, and written findings suitable for ICO, EU AI Office, internal audit, or board sign-off. Common misconception explicitly corrected. | frameworks.html |
| 🆕 New Playbook | Playbook 07: Brief Your Makers (30-minute awareness session). Three parts: five things every maker must know (maker credentials risk, no-auth risk, org-wide sharing, connector scope, Owner/Sponsor); red-flag self-audit checklist before publishing; escalation paths. | playbooks.html |
| 🆕 New Playbook | Playbook 08: Vet a Third-Party Agent Before Publish. Five-step checklist: publisher & provenance, connector & data scope, authentication & identity model, DPIA & regulatory trigger, approval & ongoing governance. The default for external agents is "not approved": opt-in to allow, the opposite of internally built agents. | playbooks.html |
| 🔧 Fixed | Frameworks page: orphan callout div closed. The "Full control list" callout at the bottom of the ZT Workshop controls section was an unclosed div from a previous edit; it is now properly closed, with content pointing to the dedicated Zero Trust page. | frameworks.html |
| 🔧 Refreshed | Chat widget suggestion chips refreshed across both modes. Technical mode now surfaces the six-phase rollout, risk tier methodology, four KPIs, Owner/Sponsor/Approver model, and third-party vetting playbook. Business mode now surfaces six-phase (simple), four KPIs for the board, quarterly board pack, governance forums, and risk tier explained. Older chips that overlapped or had aged out (How long does it take?, Biggest mistakes, CISO 90-day plan, Foundry logging, Maker creds + Security Copilot, Detect orphaned agents, Entra Agent ID GA?, What if we do nothing?, Classic vs Modern simple) were retired. Applied identically across all 15 pages with the chat widget. | All pages with the chat widget (15 files) |
| 🔧 Updated | Chat assistant system prompt (chat.js) updated to cover all new content. Added technical-mode sections for: six-phase rollout (with phase ordering rationale), AI Readiness Assessment, risk tier methodology with the "highest match, not average" caveat, four AI security KPIs with KQL, quarterly board reporting pack structure, AI Governance Operating Model (5 forums with cadences), AI Baseline vs structured assessment distinction, AI Trust & Safety assurance (Adelard), third-party agent vetting (5 steps), maker awareness brief. Owner / Sponsor / Orphaned model extended to Owner / Sponsor / Approver / Orphaned. Business mode received plain-English versions of six-phase, four KPIs, board pack, governance forums, and risk tier. Site navigation section updated to reflect the new playbooks (PB07, PB08) and the zero-trust.html page. | chat.js |
This batch of changes came from a gap analysis of the site against an enterprise AI security implementation plan. Twelve generalisable content gaps were identified; customer-specific content (UK NIN, HMG classification, ICO obligations) was deliberately excluded to keep the site vendor- and jurisdiction-neutral.
| Type | Change | Page(s) Affected |
|---|---|---|
| New | Six Copilot analytics rules for Sentinel contributed to the Azure/Azure-Sentinel GitHub repository by Samik Roy (May 2026): Jailbreak Attempt Detected · Access From External IP · Plugin Created by Non-Admin User · Plugin Enabled After Being Disabled · Plugin Tampering (Enable/Disable within 5 minutes) · File Uploads Disabled. Deploy via Content Hub → Microsoft Copilot solution. | playbooks.html, product-map.html |
| New | Microsoft Copilot Activity Monitoring workbook – 7 sections: All Events, Activity Overview, User Activity Analysis, Plugin Management, AI Model Usage, Security Insights (jailbreak + IP), Detailed Activity Log. Single pane of glass for CopilotActivity telemetry. Deployable from the Sentinel Content Hub as part of the Microsoft Copilot solution. | playbooks.html |
Samik Roy – Azure/Azure-Sentinel GitHub – Microsoft Copilot solution · LinkedIn article, May 4, 2026
| Type | Change | Page(s) Affected |
|---|---|---|
| Updated | Work IQ three-layer architecture – Data (M365 signals), Memory (persistent cross-session understanding of how people and teams work), Inference (reasoning and action via Work IQ MCP tools, governed by the Agent 365 control plane). M365 Copilot licence required for Work IQ MCP servers. Source: Microsoft Learn, Work IQ MCP overview (Preview). | agent365.html |
| Updated | MCP server names updated to Work IQ branding – Copilot Search → Work IQ Copilot · Outlook/Teams → Work IQ Calendar / Work IQ Teams · SharePoint → Work IQ SharePoint Lists / Work IQ SharePoint and OneDrive (Frontier). Old names remain supported for existing connections. Source: Microsoft Learn, Work IQ MCP overview (Preview). | foundry.html |
| Type | Change | Page(s) Affected |
|---|---|---|
| Updated | A365 - Monitor OpenClaw policy details – the "Continuously detect managed devices" toggle creates a specific Intune Device Configuration policy, A365 - Monitor OpenClaw. Properties catalog profile (read-only, safe to deploy). Uses the new Local AI Agent Settings Catalog node. Runs via the Intune Management Extension (IME) and inspects disk and memory on managed Windows devices. 24-hour refresh cadence. | agent365.html |
| New | Eight properties collected per device – Agent Name, Agent Version, Host Process, Install Location, Install Scope, Install Scope Platform User ID (Windows SID), Install Scope User ID (Entra UPN), Local AI Agent Execution Context (user / elevated / SYSTEM). The Execution Context property is a key risk signal: SYSTEM-level agent execution indicates significantly elevated risk. | agent365.html, playbooks.html |
Derk van der Woude (Rubicon Cloud Advisor / #BBTG) – LinkedIn post, May 5, 2026
| Type | Change | Page(s) Affected |
|---|---|---|
| Updated | Shadow AI page – two specific Intune policies named: "Continuously detect managed devices" (multi-signal: identity, device, network) and "Block AI Agents from OpenClaw" (Intune baseline policy A365 - Block OpenClaw). | agent365.html |
| New | Coming Shadow AI detections expanded – beyond Claude Code CLI: Ollama Desktop, OpenAI, Cursor, Poe Desktop. Source: Derk van der Woude (Rubicon Cloud Advisor). | agent365.html |
| ⚠️ Caveat | Critical operational caveat – the block policy cannot be disabled from the Agent 365 portal. Once enabled, rollback requires deleting the Intune security policy (A365 - Block OpenClaw) directly in Intune; the Agent 365 portal exposes no disable control. Source: Derk van der Woude, May 2026. | agent365.html, gaps.html |
Derk van der Woude (Rubicon Cloud Advisor / #BBTG) – LinkedIn post, May 3, 2026
| Type | Change | Page(s) Affected |
|---|---|---|
| Updated | Windows 365 for Agents expanded – the Windows 365 for Agents callout replaced with a full section. Additions: why agents need a managed execution environment (many enterprise apps have no APIs, so UI interaction is required), the employee analogy (the same trust model extended to AI), three explicit benefits, the four-layer Microsoft AI stack (Microsoft IQ / Windows 365 for Agents / Azure / Agent 365), prerequisites (Agent 365 + Intune + an Azure subscription for compute billing), setup path, and who it is for (legacy/UI apps, human-in-the-loop). Source: Windows IT Pro Blog, May 1, 2026. | agent365.html, product-map.html |
| Type | Change | Page(s) Affected |
|---|---|---|
| New | Three agent operating modes – Delegated access (GA), Own access / autonomous (GA), Agents in team workflows (Public Preview). Full table with how-it-works and examples. Source: Agent 365 GA blog (May 1, 2026). | agent365.html |
| New | Windows 365 for Agents (Public Preview · US only) – a new class of Cloud PCs purpose-built for agentic workloads. Managed via Intune; observable in Agent 365. Infrastructure execution layer complementing the Agent 365 governance layer. | agent365.html, product-map.html |
| New | Local agent discovery – OpenClaw, GitHub Copilot CLI, Claude Code – new Shadow AI page in the Agent 365 / M365 admin center. Discover local agents on managed devices and block them via Intune. Defender context mapping for local agents due June 2026. Gap added: local agents operating outside governance. | agent365.html, gaps.html |
| 🔧 Corrected | Network controls now GA – Secure Web and AI Gateway for Agents is GA as of May 1, 2026 (not Preview). Extends to Copilot Studio agents and to local agents (OpenClaw) running on user endpoint devices. | agent365.html, product-map.html |
| New | Partner services taxonomy – five service categories (Inventory/Ownership, Least Privilege, Compliance, Threats, Ongoing Operations) and five service types (Workshops, Governance, Managed Services, Advisory, Security + Integration). Featured launch partners: Accenture, Bechtle, Capgemini, Insight, KPMG, Protiviti, Slalom. | strategy.html |
| Type | Change | Page(s) Affected |
|---|---|---|
| New | Agent 365 registry sync with AWS Bedrock and Google Cloud (Preview) – automatically discover and inventory agents on AWS Bedrock and the Google Gemini Enterprise Agent Platform. Basic lifecycle governance (start/stop/delete) coming soon. Announced on GA day, May 1, 2026. | agent365.html |
| New | Defender agent context mapping (Preview, June 2026) – a relationship map per agent: devices running it, MCP servers configured, associated identities, cloud resources reachable. Blast-radius context for security teams; file access and network behaviour investigation. Policy-based controls and runtime blocking via Intune also due June 2026. | agent365.html |
| Updated | Agent 365 pricing clarification – no additional per-agent charge for the first 10,000 managed agents per tenant; graduated consumption pricing (~$0.15/agent/month) thereafter, with volume discounts via EA. GCC/GCC High late 2026; DoD early 2027. macOS/Linux: dedicated clients committed by end of 2026. | agent365.html |
Microsoft Security Blog – Agent 365 GA (May 1, 2026) · Nirav Shah, Rob Lefferts, Jason Roszak
| Type | Change | Page(s) Affected |
|---|---|---|
| New page | Foundry Control Plane (foundry.html) – new page covering: four control plane capabilities, agent lifecycle, three evaluation categories (Quality / Risk + Safety / Agent-specific, with all evaluator names), AI Red Teaming Agent (managed vs PyRIT standalone), Content Safety guardrail categories, Purview Data Security Investigations three-stage workflow, AI Baseline in Compliance Manager, Agent 365 MCP tool catalog, Shadow AI discovery 4-step setup, Foundry Projects model. Source: Agent 365 Training, Days 2 and 3. | foundry.html (new) |
| 🔧 Nav | Nav restructure – CS vs Foundry merged into Agent 365. Changelog moved to a footer link. Foundry added as a new nav item. 14 nav items total. | All pages |
| 🔧 Demo | Demo renamed demo.html – Foundry Control Plane page added with evaluation tables, Content Safety categories, Red Teaming Agent, MCP catalog. AI Baseline modal added to the Purview recommendations panel. | demo.html |
Microsoft Partner Project Ready – Implement Agent 365 Training (Days 1, 2, 3) · May 2026
| Type | Change | Page(s) Affected |
|---|---|---|
| New | Microsoft PyRIT – open-source AI red teaming framework. 53+ adversarial datasets, 70+ converters, 6 attack strategies, 20+ scorers. Battle-tested on 100+ Microsoft products including Copilot. Tests two risk surfaces: security vulnerabilities and responsible AI harms. MIT licensed. Source: Microsoft Tech Community. | product-map.html |
| New | OWASP Top 10 for LLM Applications (2025) – distinct from the OWASP Agentic AI Top 10. Full table with 10 risk categories mapped to AI agent controls: LLM01 Prompt Injection, LLM02 Sensitive Information Disclosure, LLM03 Supply Chain, LLM04 Data and Model Poisoning, LLM05 Improper Output Handling, LLM06 Excessive Agency, LLM07 System Prompt Leakage, LLM08 Vector and Embedding Weaknesses, LLM09 Misinformation, LLM10 Unbounded Consumption. | frameworks.html |
| New | Playbook 05b – Pre-Deployment AI Agent Red Teaming with PyRIT – four escalating attack phases (plain → encoded → semantic → multi-turn), OWASP mapping, CI/CD release gate configuration (YAML config, exit code 0/1). When to run: quick on every merge, full pre-release. | playbooks.html |
| New | Gap: no pre-deployment security testing for AI agents – most agents ship with zero adversarial testing. The Microsoft platform has no mandatory security gate equivalent to OWASP ZAP or DAST for web apps. PyRIT with CI/CD integration is the current recommended mitigation. | gaps.html |
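The release gate that Playbook 05b describes (per-phase attack success rate, exit code 0 or 1, quick mode on merge versus full mode pre-release) is shown below as an added Python illustration. It is not PyRIT's API and not the playbook's YAML; it only models the decision that sits after a PyRIT run has scored its attempts. The phase thresholds, the `min_attempts` fail-closed rule, the phases that "quick" mode covers, and the result record shape are assumptions made for the example.

```python
"""
Added illustration (not PyRIT's own API and not the playbook's YAML): the
release-gate decision that sits after a PyRIT run. It consumes per-attempt
scoring results, computes the attack success rate (ASR) for each of the four
escalating phases named on the page, and returns the exit code the CI job
should emit. Thresholds and the phases covered by "quick" mode are assumptions.
"""
import sys

PHASES = ("plain", "encoded", "semantic", "multi-turn")

# Assumed gate configuration (the playbook keeps this in YAML; a dict is used
# here so the example needs no extra dependency).
GATE_CONFIG = {
    "max_asr": {"plain": 0.0, "encoded": 0.05, "semantic": 0.10, "multi-turn": 0.20},
    "modes": {"quick": ("plain", "encoded"), "full": PHASES},
    "min_attempts": 5,  # too few samples in a phase -> fail closed
}


def attack_success_rate(results, phase):
    """results: iterable of {'phase': str, 'success': bool} (one per attempt).
    Returns (asr, attempts) for the given phase; (0.0, 0) if nothing was run."""
    hits = [r for r in results if r["phase"] == phase]
    if not hits:
        return 0.0, 0
    return sum(1 for r in hits if r["success"]) / len(hits), len(hits)


def evaluate_gate(results, config=GATE_CONFIG, mode="quick"):
    """Return (exit_code, report). exit 0 = release may proceed, 1 = blocked.
    A phase with fewer than min_attempts samples blocks the release: an
    empty or truncated red-team run must never look like a clean one."""
    report = {}
    blocked = False
    for phase in config["modes"][mode]:
        asr, n = attack_success_rate(results, phase)
        limit = config["max_asr"][phase]
        if n < config["min_attempts"]:
            status = "FAIL (insufficient attempts)"
            blocked = True
        elif asr > limit:
            status = "FAIL"
            blocked = True
        else:
            status = "PASS"
        report[phase] = {"asr": round(asr, 3), "attempts": n, "limit": limit, "status": status}
    return (1 if blocked else 0), report


# Constructed sample results: 10 attempts per phase. The two plain/encoded
# phases are clean; one semantic and three multi-turn attempts succeeded.
SAMPLE_RESULTS = (
    [{"phase": "plain", "success": False}] * 10
    + [{"phase": "encoded", "success": False}] * 10
    + [{"phase": "semantic", "success": True}] * 1
    + [{"phase": "semantic", "success": False}] * 9
    + [{"phase": "multi-turn", "success": True}] * 3
    + [{"phase": "multi-turn", "success": False}] * 7
)

if __name__ == "__main__":
    # usage: python gate.py [quick|full]
    mode = sys.argv[1] if len(sys.argv) > 1 else "quick"
    code, rep = evaluate_gate(SAMPLE_RESULTS, mode=mode)
    for phase, r in rep.items():
        print(f"{phase:11s} asr={r['asr']:.2f} n={r['attempts']} limit={r['limit']:.2f} {r['status']}")
    sys.exit(code)
```

With the constructed results the quick gate passes (plain and encoded are both 0/10) while the full gate blocks, because the multi-turn phase's 30% ASR exceeds its 20% limit; the per-phase report is what the pipeline should attach to the blocked release so the finding is actionable rather than a bare non-zero exit.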
| Type | Change | Page(s) Affected |
|---|---|---|
| New | Secure Web and AI Gateway for Agents (Preview) – Global Secure Access network security controls extended to Copilot Studio agent outbound traffic. Covers HTTP Node, custom connector, and MCP Server Connector traffic. Configured in the Power Platform admin center. Applies web content filtering, threat intelligence, and network file filtering to agent traffic before it reaches external resources. Source: Microsoft Learn. | identity.html, product-map.html |
| New | Foundry auto-provisioning of agent identities – Microsoft Foundry automatically provisions a Blueprint and Agent Identity when the first agent is created in a project; publishing an agent creates a dedicated Blueprint and Agent Identity. Foundry supports Agent ID for MCP and A2A tool authentication. Source: Microsoft Learn, ID Governance for Agents. | identity.html |
| New | App Service and Azure Functions Agent ID support – existing serverless workloads can use the Entra Agent Identity Platform to connect as agents without rebuilding. Source: Microsoft Learn, App Service Agent Identity. | identity.html |
| Updated | Frontier programme path – specific navigation: M365 admin center → Copilot → Settings → User access → Copilot Frontier. Requires an M365 Copilot licence. | identity.html |
Microsoft Learn – Secure Web and AI Gateway for Copilot Studio agents (Preview) · Microsoft Learn – Governing Agent Identities (Preview)
Identified by content monitor · GitHub Issue · 2026-04-27
| Type | Change | Page(s) Affected |
|---|---|---|
| New | Strategy page – eight-pillar agentic AI defense framework – new page covering Visibility & Inventory, Identity, Data Security, Endpoints & Cloud, Zero Trust for AI, Agents in Security Workflows, Agentic SIEM Platform, and Technical & Governance Partners. Each pillar maps controls, products, and honest gaps. Includes maturity model, summary table, and consultant service packaging guide. Source: Microsoft RSAC 2026 / Vasu Jakkal. | strategy.html (new) |
| New | Seven governance pillars for Entra Agent ID – CA, ID Governance, Access Packages, ID Protection, Network Controls, Sign-in & Audit Logs, Consent & Sign-in. New sections: Access Packages as the governance layer above CA (permission lifecycle, time-bound grants), the InheritDelegatedPermissions property (disabled by default; enabling it increases the Blueprint's blast radius), single-tenant enforcement (agent identities are always single-tenant even when the Blueprint supports multi-tenancy), Object ID = App ID for agent identities. Source: Carlos Suarez (Microsoft Senior Security Solution Engineer), contosec.com/articles/EntraAgentID. | identity.html |
| Updated | Blueprint credential preference order corrected – updated from "FIC recommended" to a three-tier preference: (1) Managed Identity via FIC (most preferred for production; the platform manages the credential lifecycle), (2) FIC (preferred when a Managed Identity is not available), (3) secrets/certificates (dev/test only). Source: Carlos Suarez (Microsoft). | identity.html |
| Updated | Agent access model terminology updated – Microsoft has standardised new names: "Agents with delegated access" (formerly OBO agents) and "Agents with own access / autonomous" (formerly non-OBO agents). Agent entities authenticate as confidential clients only: no redirect URIs, no /authorize endpoint. Source: Carlos Suarez (Microsoft). | identity.html |
| New | Copilot Data Connector (Sentinel) – full details – 21 record types with event numbers, source confirmed as the Purview Unified Audit Log (enabled by default), single-tenant-only caveat, Content Hub deployment path, Global/Security Admin required. Includes a CloudAppEvents table card with key ActionTypes, the prerequisite M365 activities checkbox, the metadata-only limitation, and clarification of the "Defender for AI" umbrella term. Source: Microsoft Sentinel Blog, Feb 3, 2026. | product-map.html |
| New | Agent model inventory KQL – EUDB compliance – new KQL query extracting modelNameHint from RawAgentInfo to identify which AI model each Copilot Studio agent uses (Anthropic, OpenAI, environment default), with EU Data Boundary compliance status per agent. Anthropic models process outside the EUDB regardless of tenant geo: a high-severity compliance gap. Source: Blue161616/Agent-Identity (GitHub). | playbooks.html, gaps.html |
| New | Work IQ and partner ecosystem added to Agent 365 – the Work IQ contextual intelligence engine (AI Tour Paris, March 2026) grounds agents in org knowledge with sensitivity label inheritance. Partner ecosystem: Adobe, SAP, ServiceNow, Workday, Databricks, NVIDIA, Glean, n8n, plus open-source LangChain, OpenAI SDK, Anthropic SDK, Crew.ai, Cursor, Perplexity, Vercel. Ignite 2025 announcement context added. | agent365.html, demonew.html |
| New | Sentinel + Defender combined coverage table – callout on the products page showing how Sentinel and Defender work together for AI agent security: real-time blocking vs correlation, CloudAppEvents vs CopilotActivity, 90-day vs long-term retention, SOAR automation. GDAP + unified RBAC for cross-tenant Sentinel management (Preview, RSAC 2026) added for MSSP scenarios. | product-map.html, gaps.html |
| New | Defender Predictive Shielding (Preview, RSAC 2026) – dynamically adjusts identity and access policies during active attacks, reducing exposure and limiting impact. Added to the Threat Detection section. | product-map.html |
| New | "Frontier Firms" framing added to overview – Microsoft's term for AI-native enterprises anchored in intelligence and trust. Microsoft scale stats added: 100 trillion daily signals, 1.6M customers, 1B identities, 24B Copilot interactions. | overview.html |
Carlos Suarez (Microsoft) – Entra Agent ID Architecture (April 2026) · Microsoft Security Blog – Secure Agentic AI End-to-End (RSAC 2026) · Microsoft Sentinel Blog – Copilot Data Connector (Feb 2026) · Blue161616/Agent-Identity – EUDB Model Inventory KQL · Devoteam – Microsoft Agent 365
| Type | Change | Page(s) Affected |
|---|---|---|
| Updated | ATG SOC-ready alerts – every ATG block generates a comprehensive alert explaining what was stopped, why it was risky, and which agent, user, and tool were involved. Blocks occur before tool invocation. Alerts flow into Defender XDR SOC workflows. Added to the ATG descriptions on the product map and Agent 365 pages. | product-map.html, agent365.html |
| New | AI model lifecycle – five-stage control framework – supply chain → development → pre-deployment → production → end of life. Each stage requires specific controls. "If a model hasn't been scanned, it shouldn't be pushed." Added to Threat Scenario 6 (AI Model Supply Chain). | threats.html |
| Type | Change | Page(s) Affected |
|---|---|---|
| New | Agent model inventory with EUDB compliance status – new KQL query that extracts modelNameHint from RawAgentInfo to identify which AI model each Copilot Studio agent uses (Anthropic, OpenAI, environment default). Flags EU Data Boundary status per agent: Anthropic models (Sonnet/Haiku/Opus) process data outside the EUDB regardless of tenant geo. Source: Blue161616/Agent-Identity on GitHub. | playbooks.html |
| New | EUDB compliance gap added – no native visibility or policy to prevent makers selecting out-of-EUDB models. Model selection is buried in RawAgentInfo and not surfaced in any admin UI. High severity for EU organisations. | gaps.html |
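The classification step behind the two model-inventory entries above (the EUDB KQL entry in the earlier batch and the one in this batch) is shown below as an added Python illustration so it can be run offline against a few constructed rows. It is not the Blue161616/Agent-Identity KQL. Only RegistrySource, RawAgentInfo and modelNameHint come from the page; the AgentName column, the JSON layout inside RawAgentInfo, the position of modelNameHint within it, the decision to consider only RegistrySource == "PowerPlatform" rows, and the severity labels are assumptions. The only boundary fact encoded is the page's own: Anthropic models process outside the EUDB regardless of tenant geo; everything else is marked for verification rather than asserted.

```python
"""
Added illustration (not the Blue161616/Agent-Identity KQL): the classification
step of the agent model inventory, written in Python so it runs offline on a
handful of constructed rows. Column names other than RegistrySource and
RawAgentInfo, the JSON layout inside RawAgentInfo, and the location of
modelNameHint within it are assumptions.
"""
import json

# Page claim: Anthropic models (Sonnet / Haiku / Opus) process outside the EU
# Data Boundary regardless of tenant geo. Other providers are not asserted
# either way here and are marked for verification against the environment geo.
ANTHROPIC_MARKERS = ("anthropic", "claude", "sonnet", "haiku", "opus")
OPENAI_MARKERS = ("openai", "gpt")


def find_model_hint(obj):
    """Depth-first search for a 'modelNameHint' key anywhere in the parsed
    RawAgentInfo JSON (its exact path is not documented on the page).
    Returns the first string value found, else None."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == "modelNameHint" and isinstance(value, str):
                return value
            found = find_model_hint(value)
            if found is not None:
                return found
    elif isinstance(obj, list):
        for item in obj:
            found = find_model_hint(item)
            if found is not None:
                return found
    return None


def classify(model_hint):
    """Map a model hint to (provider, eudb_status, severity). Severity labels
    are an assumption for the example."""
    if not model_hint:
        return ("environment default", "verify environment geo", "Medium")
    hint = model_hint.lower()
    if any(m in hint for m in ANTHROPIC_MARKERS):
        return ("Anthropic", "outside EUDB", "High")
    if any(m in hint for m in OPENAI_MARKERS):
        return ("OpenAI", "verify environment geo", "Low")
    return ("unknown", "verify environment geo", "Medium")


def build_inventory(rows):
    """rows: iterable of dicts with AgentName (assumed), RegistrySource and
    RawAgentInfo (a JSON string). Returns one finding per Copilot Studio agent;
    RegistrySource == "PowerPlatform" is the Copilot Studio source per the page."""
    findings = []
    for row in rows:
        if row.get("RegistrySource") != "PowerPlatform":
            continue
        try:
            raw = json.loads(row.get("RawAgentInfo") or "{}")
        except json.JSONDecodeError:
            raw = {}  # unparseable payload -> treated as "no hint", still reported
        hint = find_model_hint(raw)
        provider, status, severity = classify(hint)
        findings.append({"agent": row.get("AgentName"), "model": hint or "(not set)",
                         "provider": provider, "eudb": status, "severity": severity})
    return findings


def high_severity_agents(rows):
    """Agents whose selected model the page flags as out-of-boundary."""
    return [f["agent"] for f in build_inventory(rows) if f["severity"] == "High"]


# Constructed sample rows (not real tenant data)
SAMPLE_ROWS = [
    {"AgentName": "HR Helper", "RegistrySource": "PowerPlatform",
     "RawAgentInfo": json.dumps({"settings": {"modelNameHint": "claude-sonnet"}})},
    {"AgentName": "IT FAQ", "RegistrySource": "PowerPlatform",
     "RawAgentInfo": json.dumps({"settings": {"modelNameHint": "gpt-4o"}})},
    {"AgentName": "Finance Bot", "RegistrySource": "PowerPlatform",
     "RawAgentInfo": json.dumps({"settings": {}})},
    {"AgentName": "SDK Agent", "RegistrySource": "A365",
     "RawAgentInfo": json.dumps({"modelNameHint": "claude-opus"})},
]

if __name__ == "__main__":
    for finding in build_inventory(SAMPLE_ROWS):
        print(finding)
```

The recursive search is deliberate: the page notes that the model selection is buried in RawAgentInfo and not surfaced in any admin UI, so an inventory that hard-codes one JSON path will silently report "environment default" the first time the payload layout shifts. Treating a missing hint as a Medium finding rather than a pass keeps those agents on the review list.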
| Type | Change | Page(s) Affected |
|---|---|---|
| New | AI Red Teaming Agent (Foundry Preview) + PyRIT – automated adversarial testing for AI models and agents. Generates Attack Success Rate (ASR) metrics and a deployment scorecard. Three agent-specific risk categories (cloud-only): prohibited actions (3-tier taxonomy), sensitive data leakage via tool calls, task adherence. Built on the open-source PyRIT framework. Added to the product map. | product-map.html |
| New | Threat Scenario 8b – Agentic Risk: Prohibited Actions, Data Leakage and Task Deviation – three-tier prohibited actions taxonomy (Prohibited / High-risk / Irreversible), sensitive data leakage via agent tool calls, task adherence failure dimensions. Purple environment concept for pre-deployment red teaming. Controls: AI Red Teaming Agent, ATG, human-in-the-loop gates. | threats.html |
| New | Agent Map – visual risk intelligence in the Agent 365 portal. Shows agent-to-resource connections and cross-pillar risk signals. One-click block from the map view. Added to agent365.html with KQL for ownerless agent detection. | agent365.html |
| Updated | Orphaned agents – two scenarios documented – Scenario A (Blueprint deleted, Entra) was already on the site. Added Scenario B: agents built by employees who have left the company, still running with full permissions and no owner. The most common real-world scenario. Gaps register updated with both scenarios. | agent365.html, gaps.html |
| New | Stateful agents / Dataverse memory – Agent 365 agents retain long-term memory in Dataverse across sessions. Persistent memory accumulates sensitive context and requires governance: access controls, retention policies, Purview DLP inclusion. Not automatically covered by existing M365 data policies. | agent365.html |
Microsoft Learn – AI Red Teaming Agent (Preview) · Devoteam – Microsoft Agent 365 · Devoteam – AI Tour Paris (March 2026)
| Type | Change | Page(s) Affected |
|---|---|---|
| New | Work IQ – contextual intelligence engine that grounds agents in org knowledge (collaboration graph, project context, delegation patterns). Agents grounded via Work IQ inherit sensitivity label governance automatically. Announced at Microsoft AI Tour Paris, March 2026; now available as a standalone agentic building block. | agent365.html |
| New | Partner ecosystem – enterprise partners already integrating with Agent 365 at GA: Adobe, SAP, ServiceNow, Workday, Databricks, NVIDIA, Glean, n8n, Cognition, Genspark, Kasisto, Manus. Open source: LangChain, OpenAI Agents SDK, Anthropic SDK, Crew.ai, Cursor, Perplexity, Vercel. Source: Microsoft 365 Blog. | agent365.html |
| Updated | Timeline context – Agent 365 was announced at Microsoft Ignite, November 2025. Added to hero badge and intro. | agent365.html |
Microsoft 365 Blog – Agent 365 control plane (Nov 2025) · Devoteam – AI Tour Paris (March 2026)
| Type | Change | Page(s) Affected |
|---|---|---|
| New | Three critical Agent Identity security properties documented – (1) No admin token generation: no one in the tenant, including Global Admins, can generate agent identity tokens; Microsoft controls the Blueprint and authentication mechanism, which prevents lateral movement via token theft. (2) Tenant-bound: agent identity tokens are valid only in their home tenant and cannot access other tenants. (3) Impersonation model: the Blueprint performs the token exchange and the Agent Identity appears as the client in audit logs, so a Blueprint credential compromise affects all child agent identities. Sources: Microsoft Learn + Copilot Studio documentation. | identity.html |
Microsoft Learn – App registration, agent identities and authentication (Copilot Studio) · Microsoft Learn – Agent identities, service principals and applications
Identified by content monitor · GitHub Issue #4 · 2026-04-22
| Type | Change | Page(s) Affected |
|---|---|---|
| New | Copilot Studio automatic security scan – pre-publish scan warns makers when three secure defaults are changed: authentication set to None, maker-provided credentials selected, agent shared org-wide. Advisory only: the maker can proceed. Does not detect all misconfigurations (e.g. App Registration Application Permissions are not flagged). Added to the identity page runtime protection section and Threat Scenario 1 controls. | identity.html, threats.html |
| New | Agent runtime protection status column – the Copilot Studio Agents page now shows a Protection Status per published agent: Protected, Needs review, or Unknown, each with its own status icon. Three underlying categories: Authentication, Policies, Content Moderation. Security Analytics shows blocked-message trends at 7/14/30-day intervals. All published agents have threat detection active by default. | identity.html |
Microsoft Learn – Automatic security scan in Copilot Studio · Microsoft Learn – Agent runtime protection status
Identified by content monitor · GitHub Issue #3 · 2026-04-21
| Type | Change | Page(s) Affected |
|---|---|---|
| New | M365 Copilot Automated Readiness Assessment (ARA) – new open-source Microsoft tool for pre-deployment Copilot readiness. Queries tenant APIs (Graph, Defender, Exchange Online, Power Platform) across six domains: M365 licensing, Entra identity, Defender security, Purview compliance, Power Platform governance, Copilot Studio. 200+ feature evaluations. Outputs prioritised CSV/Excel reports with remediation links. Read-only permissions, no data egress, free. Added to the product map alongside the Agent Governance Toolkit, referenced in Playbook 01 as a pre-audit step, and as an automated gap discovery tool on the gaps page. | product-map.html, playbooks.html, gaps.html |
Microsoft Tech Community – Accelerating M365 Copilot Adoption with Automated Readiness Assessment (January 2026) · GitHub: microsoft/m365-copilot-automated-readiness-assessment
| Type | Change | Page(s) Affected |
|---|---|---|
| Updated | Conditional Access for Agent ID (Preview) – CA now applies to Modern agents (Agent Identities + Agent Users) as first-class identities. Updated scope table: Modern Copilot Studio (Entra Agent ID), Foundry, and Microsoft-built Security Copilot agents are all covered; Classic Copilot Studio agents remain excluded. CA carve-outs documented: Blueprint creation flows and the T1 token exchange are excluded by design. Source: Microsoft Learn. | identity.html, product-map.html |
| New | ID Protection for Agents (Preview) – six risk detections documented: unfamiliar resource access, sign-in spike, failed access attempt, sign-in by risky user, confirmed compromised, threat intelligence. Risk signals feed into CA for Agent ID policies (auto-block on High risk). Roles required: Security Administrator / Operator / Reader for reports, Conditional Access Administrator for policies. Graph API: riskyAgents and agentRiskDetections collections. Requires Entra P2. | identity.html |
| New | Agent segmentation with custom security attributes – recommended CA governance model. Assign custom security attributes to agents (e.g. AgentApprovalStatus) and resources (e.g. Department); CA policies then target attribute combinations, enabling scalable, precise agent access governance without managing object IDs. Source: Microsoft Learn, CA for Agent ID. | identity.html |
Microsoft Learn – Conditional Access for Agent ID (Preview) · Microsoft Learn – ID Protection for Agents (Preview)
Identified by content monitor · GitHub Issue #2 · 2026-04-20
| Type | Change | Page(s) Affected |
|---|---|---|
| New | Registry convergence documented – Agent 365 (M365 admin center) is now the single control plane for comprehensive agent inventory; the Entra admin center focuses on identity and access management only. Two-portal model added, with a table showing what each portal does, which agents are visible, and which roles are needed. | agent365.html, identity.html, product-map.html |
| New | AI Administrator and AI Reader roles documented – two new roles for Agent 365 inventory. AI Reader is the recommended least-privilege role for agent visibility in the M365 admin center. Distinct from Agent ID Administrator (Entra admin center). No licence required for inventory-only access. | agent365.html, identity.html |
| Clarified | No licence needed for basic agent inventory – viewing all agents in the M365 admin center (Agent 365) requires no product licence, only the AI Administrator or AI Reader role. A licence is required only when applying security controls (CA, identity governance). | agent365.html |
| Type | Change | Page(s) Affected |
|---|---|---|
| New | T1/T2 authentication flow documented – Blueprint authentication has two phases: T1 (Exchange Token / trust phase, controlled by the Blueprint credential type) and T2 (Access Token / authorisation phase, controlled by Agent Identity permissions). The two are governed independently, a conceptual gap in our previous documentation. Source: Derk van der Woude (April 2026). | identity.html |
| New | Federated Identity Credentials (FIC) documented – FIC is the recommended Blueprint credential type. No stored secrets: trust is established against an external identity provider (e.g. an Azure Managed Identity). Three required properties: issuer, subject, audiences. Critical gotcha: the match is case-sensitive. OIDC tokens are short-lived (minutes). Added to the Blueprint credential model section with a comparison table against secrets/certificates. | identity.html, agent365.html |
| New | Blueprint Graph API scopes documented – AgentIdentityBlueprint.Create, AgentIdentityBlueprint.AddRemoveCreds.All, AgentIdentityBlueprintPrincipal.Create, AgentIdentity.ReadWrite.All. Previously only the read scope (AgentIdentity.Read.All) was documented. Full scope table added for Blueprint lifecycle operations. | identity.html |
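The FIC match described above (issuer, subject and audiences compared against the external token, case-sensitive, with a short-lived token) is shown below as an added Python illustration of the T1 trust-phase decision. This is not Microsoft's code and does not model what the Entra service does internally; it reproduces the comparison rule the page states so the gotcha can be exercised. The tenant ID, managed-identity object ID, FIC name and the 60-second clock skew are constructed placeholders; the audience value `api://AzureADTokenExchange` is the default audience Entra documents for workload identity federation but is still an assumption for this example. Signature verification of the inbound token is assumed to have already happened; only the claim comparison is modelled.

```python
"""
Added illustration (not Microsoft code): how a Blueprint's Federated Identity
Credential (FIC) is matched against an incoming OIDC token in the T1 / trust
phase, and why the match must be exact and case-sensitive.
"""
import time

# Constructed FIC, modelled on the three required properties named on the
# page: issuer, subject, audiences. Values are illustrative placeholders.
BLUEPRINT_FIC = {
    "name": "mi-trust",  # assumed display name
    "issuer": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "subject": "7b2e4c1a-0d9f-4a7e-9c3b-1f2e3d4c5b6a",  # managed identity object id (constructed)
    "audiences": ["api://AzureADTokenExchange"],  # assumed default exchange audience
}


def _audiences(claims):
    """'aud' may be a string or a list in OIDC tokens; normalise to a list."""
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def fic_matches(fic, claims):
    """Return (True, 'ok') when every FIC property matches the token exactly.

    Comparison is plain string equality: no lower-casing, no trimming, no
    URL normalisation. A subject whose GUID is upper-cased, or an issuer with
    a trailing slash, is a different string and the exchange is refused.
    """
    if claims.get("iss") != fic["issuer"]:
        return False, "issuer mismatch"
    if claims.get("sub") != fic["subject"]:
        return False, "subject mismatch"
    if not any(a in fic["audiences"] for a in _audiences(claims)):
        return False, "audience mismatch"
    return True, "ok"


def token_is_fresh(claims, now=None, skew=60):
    """OIDC tokens presented for the exchange are short-lived; reject anything
    outside [nbf, exp]. The 60 s skew tolerance is an assumption for the
    example, not a platform value."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    nbf = claims.get("nbf", 0)
    return exp is not None and nbf - skew <= now <= exp + skew


def evaluate_t1_exchange(fic, claims, now=None):
    """T1 (trust phase) decision: does this external token establish trust in
    the Blueprint? T2 (what the resulting Agent Identity may then access) is
    decided separately by that identity's permissions and is not modelled."""
    if not token_is_fresh(claims, now):
        return False, "token expired or not yet valid"
    return fic_matches(fic, claims)


# Constructed sample tokens (claims only; signature verification is assumed
# to have happened before this point).
NOW = 1_800_000_000
GOOD = {"iss": BLUEPRINT_FIC["issuer"], "sub": BLUEPRINT_FIC["subject"],
        "aud": "api://AzureADTokenExchange", "nbf": NOW - 10, "exp": NOW + 300}
UPPERCASE_SUB = dict(GOOD, sub=GOOD["sub"].upper())      # same identity, different string
TRAILING_SLASH_ISS = dict(GOOD, iss=GOOD["iss"] + "/")   # same issuer, different string
EXPIRED = dict(GOOD, exp=NOW - 600)

if __name__ == "__main__":
    for label, tok in [("good", GOOD), ("uppercase sub", UPPERCASE_SUB),
                       ("trailing slash iss", TRAILING_SLASH_ISS), ("expired", EXPIRED)]:
        print(f"{label:20s} -> {evaluate_t1_exchange(BLUEPRINT_FIC, tok, NOW)}")
```

The practical consequence is that an FIC that was pasted with the wrong case, or an issuer URL copied with or without its trailing segment, fails closed with no credential ever being at risk, which is the trade the page describes: no stored secret, but a configuration that has to be exact. When diagnosing a failed exchange, compare the three FIC properties against the token's iss, sub and aud claims byte for byte before looking anywhere else.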
| Type | Change | Page(s) Affected |
|---|---|---|
| New page | Agent 365 – dedicated deep-dive page – covers what Agent 365 actually is (an enterprise control plane, not a builder), six capability cards (Entra identity, ATG, OpenTelemetry, Blueprint governance, M365 notifications, Defender integration), platform support (8 platforms including Claude Code SDK, Bedrock, Vertex AI), licensing ($15 standalone vs $99 E7, with full breakdown), Frontier programme getting-started steps, a security coverage matrix by agent type, and three A365 KQL queries. Added between Products and Identity in the nav. | agent365.html |
| Merged | Privacy Policy merged into Contact page – Privacy no longer has a separate nav item; the content lives at contact.html#privacy and privacy.html redirects automatically. Nav restructured from 14 to 13 items (before the Agent 365 addition); the Agent 365 page now sits between Products and Identity. | contact.html, privacy.html |
Home · Overview · AI Risk · Products · Agent 365 · Identity · MCP · Threats · Frameworks · Gaps · Playbooks · CS vs Foundry · Changelog · Contact
| Type | Change | Page(s) Affected |
|---|---|---|
| New | RegistrySource column documented – new AIAgentsInfo column distinguishing the agent source: "A365" (Agent 365 registered) vs "PowerPlatform" (Copilot Studio). Added to the identity and playbooks pages with guidance on when to use each filter. | identity.html, playbooks.html |
| New | Four new A365 KQL queries in Playbook 01, Step 8 – all A365 agents, published agents with no instructions (prompt injection risk), agents with MCP tools (expanded attack surface), agents using non-HTTPS endpoints. All use the RegistrySource == "A365" filter. Direct portal URL added: security.microsoft.com/securitysettings/security_for_ai | playbooks.html |
| Updated | ATG block categories documented – credential exfiltration, data leakage via tool calls, routing to malicious destinations, obfuscated content manipulation. Critical limitation added: ATG operates only on the tool execution path; it does NOT inspect model reasoning between tool calls. | product-map.html |
| New | Capability matrix documented – coverage depth differs by agent type: Copilot Studio (deepest), Agent 365 SDK agents (near-real-time detection + ATG), Foundry/Bedrock/Vertex AI (UI inventory + posture, less depth). Agent 365's platform-agnostic nature documented: it works with OpenAI Agents SDK, Claude Code SDK, LangChain SDK, and AWS/GCP-hosted agents. | product-map.html |
| Type | Change | Page(s) Affected |
|---|---|---|
| Updated | AIAgentsInfo table expanded beyond Copilot Studio – now includes additional columns covering Microsoft Foundry agents, third-party marketplace agents, and custom LOB agents, where registered with Agent 365 or using the Agent 365 SDK. Previously documented as Copilot Studio only. KQL guidance updated across the playbooks and identity pages. | product-map.html, playbooks.html, identity.html |
| New | Agent Tooling Gateway (ATG) – Agent 365 concept. Agents onboarded via ATG get real-time protection from Defender: tool actions are evaluated and blocked before execution. Equivalent to the existing Copilot Studio Defender runtime protection, but for the Agent 365 ecosystem. Added as a significant gap: coverage depends on explicit ATG onboarding by the agent builder. | product-map.html, gaps.html |
| New | Agent 365 SDK integration with Defender – agents built with the Agent 365 SDK get near-real-time detections, alerts, and Advanced Hunting coverage automatically. Defender now explicitly discovers agents registered with Agent 365. | product-map.html |
LinkedIn post from the Microsoft Defender team · Microsoft Learn: Discover AI agents and assess security posture using Microsoft Defender (Preview) · Detect, block, and investigate threats to AI agents using Microsoft Defender (Preview)
| Type | Change | Page(s) Affected |
|---|---|---|
| ⚠️ Navigation change | Security for AI agents moved to a new location in the Defender portal – previously accessed via Settings → Cloud Apps → AI Agents; now Settings → Security for AI. Currently rolling out to some tenants (preview). All playbook navigation paths updated. The feature now covers runtime monitoring for Copilot Studio, Microsoft Foundry, Agent 365, and Microsoft 365 (not just Copilot Studio). Detects suspicious behaviour, prompt injection, data leakage, and misconfigurations. | playbooks.html, product-map.html, copilot-vs-foundry.html |
The move to Settings → Security for AI is rolling out gradually. If your tenant hasn't received it yet, the old path (Settings → Cloud Apps → AI Agents) still works. Check back in the coming weeks if the new path isn't visible.
| Type | Change | Page(s) Affected |
|---|---|---|
| Updated | DLP for M365 Copilot — all storage locations — previously, label-blocking only applied to SharePoint and OneDrive. Rolling out mid-April to May 2026: DLP label-blocking now applies to Word, Excel, and PowerPoint files regardless of where they are stored (local device, network shares, non-Microsoft cloud). No policy changes needed. Existing rules apply automatically. Triggered by incident CW1226324 (January 2026). | product-map.html |
| 🆕 New scenario | Threat Scenario 8 — Copilot Background Indexing Bypasses DLP Labels — new threat scenario documenting the real-world CW1226324 incident. Copilot indexed confidential emails in Outlook Drafts/Sent Items for ~1 month despite active DLP labels. Root cause: AugLoop relied on SharePoint/OneDrive URLs for label retrieval — folders outside those locations had no check. Includes structural lesson and current controls. | threats.html |
| 🆕 New gap | DLP storage location gap added to gaps register — noted as resolving April–May 2026, with the caveat that unlabelled files remain unblocked regardless of policies. | gaps.html |
Microsoft 365 Message Center — MC1234661 · BleepingComputer — Microsoft adds Copilot data controls to all storage locations (Feb 2026)
| Type | Change | Page(s) Affected |
|---|---|---|
| 🆕 New | SharePoint Advanced Management (SAM) — new product card. Included with M365 Copilot licences at no extra cost. Covers Restricted Content Discovery (RCD — excludes sites from Copilot grounding), Content Management Assessment, Site Access Reviews, and Restricted Access Control. Added to Copilot vs Foundry comparison table. | product-map.html, copilot-vs-foundry.html |
| 🆕 New gap | SharePoint oversharing — silent Copilot data exposure vector — M365 Copilot surfaces data from any site a user has access to. EEEU (Everyone Except External Users) access, broken inheritance, and anonymous links all become Copilot exposure vectors that predate Copilot deployment. Added to Significant Gaps with SAM remediation guidance and link to Microsoft's three-step blueprint. | gaps.html |
| 🆕 New | IRM Adaptive Protection for AI — new product card. IRM detects inappropriate Copilot usage patterns and automatically enrolls risky users into more restrictive DLP policies without manual intervention. Closes the detection-to-enforcement gap for AI misuse. | product-map.html |
| 🆕 New | Purview Compliance Manager for AI regulations — new product card and frameworks callout. Compliance Manager includes AI-specific assessment templates (EU AI Act, NIST AI RMF) that surface prioritised improvement actions. The operational tool for closing the August 2026 and June 2026 regulatory deadlines. | product-map.html, frameworks.html |
Microsoft — Secure & Governed Data Foundation Blueprint (April 2026) · Microsoft — Configure secure governed foundation for M365 Copilot
| Type | Change | Page(s) Affected |
|---|---|---|
| 🆕 New | Research statistics added to overview — 97% of organisations had an identity/access incident in the past year; 70% tied to AI-related activity; 47% of incidents were accidental, not malicious. Source: Microsoft Secure Access in the Age of AI report (March 2026). | overview.html, risk.html |
| 🆕 New | Access Fabric concept — Microsoft's architectural framing for AI-scale access: identity as the consistent decision point, near-real-time enforcement across environments, a common foundation for employees, workloads, and AI agents. Added to Frameworks page alongside ZT4AI. Connected to the Classic Agent gap as a concrete example of what access fabric fragmentation looks like. | frameworks.html |
| 🆕 New | Identity tool fragmentation gap — organisations use an average of 5 identity + 4 network access tools, and nearly half report being overwhelmed by vendor sprawl. Added to Significant Gaps with mitigation guidance. | gaps.html |
Microsoft Entra Blog — As AI adoption scales, is your access strategy still viable? (March 19, 2026) · Secure Access in the Age of AI research report
| Type | Change | Page(s) Affected |
|---|---|---|
| ⚠️ Correction | ZT Workshop AI control count corrected: 80+ → 700+ — the site previously cited "80+ controls". The actual ZT Workshop AI pillar contains 700 security controls across 116 logical groups and 33 functional swim lanes. Corrected everywhere it appeared. | frameworks.html, identity.html, product-map.html |
| 🆕 New | Ephemerality Controls — JIT for agents — agents should receive short-lived credentials that expire when their specific task completes. Part of the ZT4AI framework. Limits the blast radius of a compromised agent to minutes. Added as a new product card and explained in the ZT section of Frameworks. | product-map.html, frameworks.html |
| 🆕 New | "Double agents" framing from the ZT4AI announcement — overprivileged, manipulated, or misaligned agents can act against the outcomes they were built to support. Added to the AI Risk agent properties table and the ZT section. | risk.html, frameworks.html |
| Updated | Agent 365 GA date and pricing — GA May 1, 2026 at $15/user/month. Added to Agent 365 product card. | product-map.html |
| Updated | ZT Assessment tool — Data and Networking pillars — in addition to the AI pillar (due summer 2026), the ZT Assessment tool has been updated with new Data and Networking pillars. Noted in the Frameworks page control list callout. | frameworks.html |
Microsoft Security Blog — New tools and guidance: Announcing Zero Trust for AI (March 19, 2026)
| Type | Change | Page(s) Affected |
|---|---|---|
| 🆕 New | RegistrySource column documented — new AIAgentsInfo column distinguishing agent source: "A365" (Agent 365 registered) vs "PowerPlatform" (Copilot Studio). Added to identity and playbooks pages with guidance on when to use each filter. | identity.html, playbooks.html |
| 🆕 New | Four new A365 KQL queries in Playbook 01 Step 8 — all A365 agents, published agents with no instructions (prompt injection risk), agents with MCP tools (expanded attack surface), agents using non-HTTPS endpoints. All use the RegistrySource == "A365" filter. Direct portal URL added: security.microsoft.com/securitysettings/security_for_ai | playbooks.html |
| Updated | ATG-blocked categories documented — credential exfiltration, data leakage via tool calls, routing to malicious destinations, obfuscated content manipulation. Critical limitation added: ATG only operates on the tool execution path — it does NOT inspect model reasoning between tool calls. | product-map.html |
| 🆕 New | Capability matrix documented — different coverage depth by agent type: Copilot Studio (deepest), Agent 365 SDK agents (near-real-time detection + ATG), Foundry/Bedrock/Vertex AI (UI inventory + posture, less depth). Agent 365's platform-agnostic nature documented — works with OpenAI Agents SDK, Claude Code SDK, LangChain SDK, AWS/GCP-hosted agents. | product-map.html |
| Type | Change | Page(s) Affected |
|---|---|---|
| 🆕 New | Least agency concept — an extension of least privilege specific to AI agents. It is not enough to limit data sources — the APIs, UI actions, and side effects an agent can invoke must also be limited. Each connector added to an agent (CRM, ticketing, database) expands its blast radius if manipulated. Added to the Least Privilege ZT principle on the Frameworks page. | frameworks.html |
| 🆕 New | ZT4AI reference architecture — properly surfaced — the Microsoft Zero Trust for AI reference architecture published at RSAC 2026 is now a prominent resource callout with direct links, replacing an in-passing mention. Covers the full AI lifecycle from data ingestion through agent behaviour. | frameworks.html |
Microsoft Security Blog — New tools and guidance: Announcing Zero Trust for AI (March 19, 2026)
| Type | Change | Page(s) Affected |
|---|---|---|
| 🆕 New | Owner vs Sponsor distinction — formally documented as two separate governance roles. Owner = technical admin (credentials, monitoring). Sponsor = business accountable (lifecycle, Access Package approvals). Both are optional at creation but both are required for proper governance. Neither is enforced by Microsoft at agent creation time. | identity.html, playbooks.html |
| 🆕 New | Orphaned Agent Identities & Agent Users — new concept distinct from ownerless. When a Blueprint is deleted, Agent Identities remain with all permissions intact but cannot authenticate. Agent Users remain as normal-looking user accounts with no flag. Microsoft does not detect these automatically. Added detection scripts and gap entry. | identity.html, gaps.html, playbooks.html |
| 🆕 New | Third agent category — "Agents with no identities" — agents in the Agent Registry with no Entra Agent ID at all. Previously only Classic vs Modern were documented. Now three categories: Modern (Agent ID), Classic (service principal), No Identity (invisible to security tooling). | identity.html |
| 🆕 New | Blueprint credential model — credentials live on the Blueprint, not the Agent Identity. When the Blueprint is deleted, the credentials are gone but the permissions remain. Root cause of orphaned identity debt. | identity.html |
| 🆕 New | Graph API PowerShell detection scripts — Playbook 01 Steps 6 and 7: detect Modern agents missing an Owner/Sponsor, and detect orphaned Agent Identities via Graph API cross-reference. Includes gotcha: Global Reader returns 403; the Agent ID Administrator role is required. | playbooks.html |
| 🆕 New | Two-layer protection architecture — Responsible AI (conversational, always on, "Content filtered" message) vs Defender for Cloud Apps RT protection (action level, must be configured, "Blocked by threat protection" message). Different triggers, different moments, different messages. 1-second timeout caveat documented. | identity.html, copilot-vs-foundry.html |
Thalpius — Real-Time Protection for AI Agents (Jan 2026) · Thalpius — Ownerless Agents (Mar 2026) · Thalpius — Orphaned Agent Identities (Mar 2026) · Thalpius — Entra Agent ID Blueprints Guide (Mar 2026)
| Type | Change | Page(s) Affected |
|---|---|---|
| ⚠️ Correction | Security Copilot custom agent maker credentials risk — custom and partner Security Copilot agents use "Connect with existing user account", storing the configuring user's credentials for all executions. Security Copilot users are typically high-privilege accounts. A custom agent built by a Global Admin extends admin-level access to Sentinel, Defender, Entra, and threat intelligence to every user who runs it — with no CA for Agents or ID Protection coverage. Added as a significant gap with mitigation guidance. Described as the "maker credentials problem in disguise" on the identity page. | identity.html, copilot-vs-foundry.html, gaps.html |
| ⚠️ Correction | CA for Agents — Security Copilot nuance — the site previously stated CA for Agents applies to "Security Copilot and AI Foundry agents" without qualification. Field research from Microsoft Learn (April 2026) clarifies: Security Copilot offers two identity options. Microsoft-built agents use a dedicated Entra Agent ID — CA for Agents and ID Protection apply. Custom and partner Security Copilot agents use "Connect with existing user account" — the agent runs using the configuring user's credentials. This is functionally identical to Copilot Studio's Agent's User Account pattern (⑤) — CA for Agents does NOT apply. Corrected across the identity page, product map CA card, and Copilot vs Foundry comparison table. | identity.html, product-map.html, copilot-vs-foundry.html |
| Type | Change | Page(s) Affected |
|---|---|---|
| 🆕 New | Agent Governance Toolkit — new product card — open-source MIT-licensed toolkit from Microsoft providing runtime security governance for autonomous AI agents. Seven packages covering policy enforcement, cryptographic identity, execution rings, circuit breakers, kill switch, plugin signing, and compliance mapping. Framework-agnostic, sub-millisecond latency. Available April 2026. | product-map.html |
| 🆕 New | OWASP Top 10 for Agentic Applications 2026 — added to Frameworks page. First formal taxonomy of risks specific to autonomous AI agents (December 2025): goal hijacking, tool misuse, identity abuse, memory poisoning, cascading failures, rogue agents and four others. Full table mapping each risk to Microsoft controls and Agent Governance Toolkit coverage. | frameworks.html |
| 🆕 New | Regulatory deadlines — EU AI Act (August 2026) and Colorado AI Act (June 2026) — both apply to organisations deploying high-risk AI agents. Added to Frameworks page with key obligations and a callout on how the Classic Agent gap compounds regulatory risk. | frameworks.html |
| ⚠️ Updated | Kill switch gap updated — previously documented as "No platform-level agent kill switch". The Agent Governance Toolkit now provides an open-source programmatic kill switch with ring isolation and trust decay. Gap updated to reflect this partial resolution. | gaps.html |
Microsoft Open Source Blog — Introducing the Agent Governance Toolkit (April 2, 2026) · OWASP Top 10 for Agentic Applications 2026
| Type | Change | Page(s) Affected |
|---|---|---|
| 🆕 New | Browser-layer DLP — Edge for Business inline protection — operates at the browser layer natively in Edge via Intune policy sync. Inspects typed prompt submissions to any GenAI app, including shadow AI. Activates without endpoint DLP deployment. Extends to unmanaged (BYOD) devices where users are signed into an Edge for Business profile. Added to product map with an architecture callout explaining all three DLP layers. | product-map.html |
| 🆕 New | Network Data Security (network-layer DLP) — covers the gap endpoint and browser DLP cannot reach: unmanaged devices, desktop apps, Office add-ins, API calls. Delivered via Microsoft Entra Global Secure Access (preview). Added to product map and gaps page. | product-map.html, gaps.html |
| 🆕 New | Agentic data governance — DLP policies now extend to agent-to-human, agent-to-tools, and agent-to-agent interactions. Sensitive files can be blocked from being used as grounding data. Agent instances in Agent 365 are automatically enrolled for audit and data classification at creation. IRM, DLM, and eDiscovery apply to agent-generated content. | product-map.html, copilot-vs-foundry.html |
| Updated | DSPM for AI card updated — now reflects the broader scope covering Copilot, Foundry/Entra apps, and third-party GenAI tools via browser telemetry. Notes the upcoming unification of DSPM and DSPM for AI into a single pane. | product-map.html |
| 🆕 New gap | DLP coverage gap on unmanaged non-Edge devices — browser-layer DLP only covers Edge for Business. Chrome/Firefox/Safari users on BYOD have no browser-layer coverage until Network Data Security (GSA) reaches GA. | gaps.html |
LinkedIn post by Microsoft Purview field research team (April 11, 2026) covering DSPM for AI, Edge for Business inline protection, Network Data Security, and agentic data governance.
| Type | Change | Page(s) Affected |
|---|---|---|
| 🆕 New page | Copilot Studio vs Microsoft Foundry — condensed security handbook — a single page covering both platforms side by side: five Copilot Studio auth patterns, Classic vs Modern gap, 30-minute audit KQL, critical gaps, Foundry resource/project model, four logging layers, what to enable for SecOps, and Foundry-specific gotchas. Added between Playbooks and Changelog in nav. | copilot-vs-foundry.html |
| 🆕 New | Playbook 05 — Microsoft Foundry Security Logging — five-step runbook: Activity Log routing, Diagnostic Settings at resource level (Audit + RequestResponse), Diagnostic Settings at project level (separate — does not cascade), Entra ID logs at tenant level, Application Insights connection. Includes content capture governance guidance and a deployment checklist. Sourced from Cyphora.io Foundry logging overview (April 10, 2026). | playbooks.html |
| Merged | Zero Trust for AI merged into Frameworks page — Zero Trust principles, maturity model, and 12 priority controls now sit alongside NIST AI RMF and ISO 42001 on a single "Frameworks, Standards & Zero Trust" page. zero-trust.html retired. Nav reduced from 13 to 12 pages (before CS vs Foundry addition). | frameworks.html |
| Renamed | Azure AI Foundry → Microsoft Foundry across all pages — effective January 1, 2026, Microsoft renamed Azure AI Foundry to Microsoft Foundry in the January 2026 Product Terms. This was the third rename in two years (Azure AI Studio → Azure AI Foundry → Microsoft Foundry). | All pages |
Cyphora.io — Microsoft Foundry Logging (April 10, 2026) · Microsoft Product Terms January 2026 (Foundry rename) · Derk van der Woude MVP field research · Microsoft Entra security for AI overview
| Type | Change | Page(s) Affected |
|---|---|---|
| 🆕 New | Agent's User Account — fifth authentication pattern — an agent provisioned with a full human user account (mailbox, calendar, Teams membership). Highest-risk pattern: a compromised agent is indistinguishable from a human user. Added to the authentication patterns table. | identity.html |
| 🆕 New | Agent sprawl — named concept and lifecycle risk section — Microsoft formally defines agent sprawl as the uncontrolled expansion of agents without visibility, management, or lifecycle controls. Added to identity page and gaps page with consequences and mitigations. | identity.html, gaps.html |
| 🆕 New | A2A (Agent-to-Agent) protocol — emerging standard for authenticated inter-agent communication, supported by Entra Agent ID alongside MCP. Added to identity page and MCP page with comparison table and risk callout. | identity.html, mcp.html |
| 🆕 New | Agent-to-agent propagation — new threat scenario (Scenario 7) — a compromised orchestration agent propagates compromise to sub-agents across the entire agent chain. Full attack chain with controls and A2A gap note. | threats.html |
| 🆕 New | Microsoft Managed Policies for agents — new significant gap — automatic baseline CA policies that block high-risk agents. Many organisations are unaware of or not using these. Added to gaps page. | gaps.html |
| 🆕 New page | Zero Trust for AI — new dedicated page — covers the three Zero Trust principles applied specifically to AI agents, a three-stage maturity model (Visibility → Control → Automation), and 12 priority controls from the Microsoft Zero Trust Workshop AI section with implementation effort ratings. Added to nav between Frameworks and Gaps. | zero-trust.html |
Microsoft Entra security for AI overview (learn.microsoft.com, updated April 3 2026) · Microsoft Zero Trust Assessment Workshop — AI section
| Type | Change | Page(s) Affected |
|---|---|---|
| ⚠️ Correction | Conditional Access for Agents does NOT apply to Copilot Studio agents — corrected on both the identity page and product map card. CA for Agents only triggers during modern Agent ID authentication (OAuth 2.0), used by Security Copilot and AI Foundry. Copilot Studio agents use OBO, maker credentials, or a service principal — none of which trigger CA for Agents. Field-validated by Derk van der Woude (March 2026). | identity.html, product-map.html |
| 🆕 New | Four Copilot Studio authentication patterns table — new section on identity page covering all four patterns: End User Credentials (OBO), Maker-Provided Credentials, App Registration Delegated, App Registration Application Permissions. Includes risk rating and detection method for each. | identity.html |
| 🆕 New | Precise maker credentials KQL — upgraded Playbook 01 Step 4 with Derk's field-validated query that checks both AgentToolsDetails and AgentTopicsDetails for maker mode connections. More precise than the previous agent-level auth type check. | playbooks.html |
| 🆕 New | App Registration Graph API detection KQL — new Playbook 01 Step 4b detects agents using HTTP Request actions to graph.microsoft.com or management.azure.com, identifying potential application permission agents (very high risk — tenant-wide access). | playbooks.html |
| 🆕 New | Change-detection KQL for auth type downgrade — added to Playbook 01 Step 1. Detects when a published agent's authentication is changed to None — designed to be saved as a Sentinel Analytics Rule for real-time alerting. Sourced from Derk's AI Agent Inventory blog (November 2025). | playbooks.html |
| 🆕 New | Any user can change another agent's auth type — new significant gap — by design in Copilot Studio, any tenant user can downgrade another agent's authentication to No Authentication, even without being the owner. Added to Significant Gaps with interim mitigations. | gaps.html |
| 🆕 New | Community Queries tip added to Playbook 01 — Defender Advanced Hunting has a dedicated AI Agents section with queries from the Microsoft Product Group. Callout added to Playbook 01 checklist. | playbooks.html |
| Type | Change | Page(s) Affected |
|---|---|---|
| 🆕 New | AI Model Scanning (Defender for Cloud) — new product card added covering malware, unsafe operator, and backdoor scanning for Azure ML models. Includes CLI integration, CI/CD gating, and Defender XDR alert integration. Sourced from Microsoft Defender for Cloud Blog RSAC 2026 announcement. | product-map.html |
| 🆕 New | AI Model Supply Chain Attack scenario — new threat scenario added covering poisoned pretrained models (Hugging Face/Azure ML), training data poisoning, CI/CD pipeline injection, and unsafe ML serialisation operators. Includes controls and gap assessment. | threats.html |
| 🆕 New | AI model supply chain risk row — added to the AI Risk Taxonomy table covering pre-deployment model risks that traditional AppSec doesn't address. | risk.html |
| 🆕 New | Agent 365 Tools Gateway (ATG) RT protection — clarified that Defender RT protection integrates with Agent 365's tools gateway, not just Copilot Studio. Every agent tool invocation through ATG is evaluated before execution, with SOC-ready alerts. | product-map.html |
Microsoft Defender for Cloud Blog — "Defending the AI Era: New Microsoft Capabilities to Protect AI" (March 20, 2026) · Microsoft Security Blog — "Secure Agentic AI End-to-End" (March 20, 2026)
| Type | Change | Page(s) Affected |
|---|---|---|
| 🆕 New | Purview DLP external web search blocking (Coming June/July 2026) — new DLP policy option to prevent Copilot from sending prompts containing selected Sensitive Information Types (SITs) to external web search. When triggered, Copilot continues responding using internal Microsoft Graph data only. Alerts in DLP Alerts and Activity Explorer under DSPM for AI. GA June/July 2026, opt-in required. | product-map.html, gaps.html |
| ⚠️ Correction | Purview DLP SIT blocking description corrected — the initial entry incorrectly stated: (a) the feature was "coming June/July 2026" — it is already in Preview, June/July is the GA target; (b) Copilot "continues responding using internal Graph sources" when triggered — it does not respond at all; (c) only external web search was blocked — both internal and external searches are blocked. Also added: files uploaded directly into prompts are not scanned by DLP (only typed text); the two DLP conditions (SITs and sensitivity labels) cannot be in the same rule. | product-map.html, gaps.html |
Microsoft Purview product announcement (March 2026) · learn.microsoft.com — DLP for M365 Copilot (official docs, updated Feb 2026)
| Type | Change | Page(s) Affected |
|---|---|---|
| 🆕 New | Copilot Data Connector for Microsoft Sentinel — new product card added covering the CopilotActivity table, supported record types (CopilotInteraction, plugin lifecycle, CopilotPromptBook, CopilotAgentManagement), Sentinel data lake integration, and MCP server integration. Sourced from Microsoft Sentinel Community Hub blog (February 4, 2026). | product-map.html |
| 🆕 New | CopilotActivity prompt data sensitivity gap — new significant gap added: ingesting prompt content into Sentinel creates a sensitive artifact. Ingestion costs apply. Interim mitigations: field-level masking, restricted table access, retention policies, staged rollout. | gaps.html |
| ✏️ Updated | Microsoft Sentinel card updated — UEBA Behaviors layer now GA, Custom Guidebooks for Copilot Guided Response now GA, Connector Builder Agent preview (March 31) added to card. | product-map.html |
| 🆕 New | 10,000ft stack visualisation — interactive 5-layer diagram on the Overview page showing the full AI security stack with GA/Preview/Gap status at a glance. Each layer is clickable. | overview.html |
| 🆕 New | Image & URL-based XPIA variant — new sub-scenario added to the XPIA threat chain covering how attackers embed malicious instructions in images or URLs to bypass text-based injection filters. Includes the Block Images and URLs control. | threats.html |
| 🆕 New | Classic vs Modern agent security product coverage table — 10-row table showing exactly which Defender and Entra security products apply to Classic agents vs Modern agents. | identity.html |
| 🆕 New | Field research callout on Identity page — two-column reference section linking to official Microsoft Learn docs and field research covering Classic & Modern agent security controls. | identity.html |
| 🆕 New | Portal inventory count inconsistency gap — Agent 365, Security Dashboard, and the Entra Agent ID portal show different agent counts. Microsoft confirmed this is a known issue. Added to Significant Gaps. | gaps.html |
| 🆕 New | Purview triage agent 90-day re-auth gap — Purview Security Copilot triage agents stop running after 90 days without a manual config re-save. No automatic renewal. Added to Significant Gaps. | gaps.html |
Microsoft Security Blog (RSAC 2026, March 20 2026) · Microsoft Tech Community · learn.microsoft.com · Microsoft Copilot Studio agent security field research · NIST AI RMF 1.0 · ISO/IEC 42001:2023 · Derk van der Woude Medium blog series (Microsoft Security MVP)