SITE CHANGELOG · LAST UPDATED MAY 12, 2026
What's Changed & When
This site is a living document. Microsoft updates products and capabilities frequently; this log tracks meaningful content changes, corrections, and additions. Minor fixes (typos, link corrections) are not listed.
How to read this
Entries marked New are net-new content additions. Entries marked Updated are corrections or refinements to existing content. Entries marked Correction are cases where earlier content was wrong or misleading and has been fixed.
MAY 12, 2026
Strategy Restructure · 12 Content Additions Across Strategy, Risk, Identity, Frameworks, Playbooks
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| Restructured | Strategy page restructured: six-phase rollout replaces eight-pillar framework. The eight-pillar version described what the stack is; the new six-phase framework describes how to roll it out: Discover & Inventory → Identity & Governance → Data Security → Runtime Protection → Monitoring & Detection → Compliance & Governance. Each phase has prerequisites and produces evidence the next phase consumes. Per-pillar deep-dive content lives on its dedicated topic page (playbooks, identity, frameworks, etc.) so the strategy page can stay a strategy page. | strategy.html |
| New | AI Readiness Assessment – pre-Phase-1 framing. Attack surface inventory, legacy estate scale, governance maturity gap, commercial path. Now appears before the six-phase rollout as the question to answer first. | strategy.html |
| New | Four AI security KPIs to track weekly – Risky agents (target zero), Sensitive access events (stable), DLP policy hits (stable post-tuning), Blocked tool actions (rising then stable). Short version on Strategy with reporting cadence; full operational KQL on Playbooks. | strategy.html, playbooks.html |
| New | Quarterly board-level reporting pack – seven-section structure for executive AI risk reporting, sourced from outputs of the six phases and the four weekly KPIs. | strategy.html |
| New | Risk tier classification methodology (H / M / L) – explicit criteria with required action and governance cadence. HIGH = no-auth OR maker credentials OR org-wide sharing OR no owner OR regulated data. Includes the critical "highest match wins, not average" caveat: risk does not average down. | risk.html |
| New | AI Trust and Safety assurance – distinct from security testing. Adelard safety case methodology referenced for citizen-facing or safety-critical agents. Distinguishes security testing (adversarial), Trust & Safety assurance (reliability, fairness), and Responsible AI evaluation (harms). | risk.html |
| New | Agent Approver – third accountability role added to Identity page. Role model extended from Owner / Sponsor / Orphaned to Owner / Sponsor / Approver / Orphaned. The Approver is the IT gatekeeper for any sharing beyond a team or org-wide, which is what converts sharing limits from policy to enforced gate. | identity.html |
| New | AI Governance Operating Model – five forums with cadence and decision rights. AI Security Working Group (monthly), Agent Lifecycle Board (monthly), Quarterly Governance Sweep, Annual AI Risk Assessment, Agent Red Team Cycle. Fills the human-layer gap between deployed controls and sustained governance. | frameworks.html |
| New | AI Baseline in Purview Compliance Manager – promoted as starting compliance action. Pre-built evaluation against EU AI Act, NIST AI RMF, ISO 42001 with mapped remediation. Established as the recommended Phase 6 first task. | frameworks.html |
| Caveat | Compliance Manager score ≠ audit-ready compliance assessment. New callout explicitly distinguishing the automated posture score from a structured assessment with evidence collection, control testing, and written findings, suitable for ICO, EU AI Office, internal audit, or board sign-off. Common misconception explicitly corrected. | frameworks.html |
| New Playbook | Playbook 07 – Brief Your Makers (30-minute awareness session). Three parts: five things every maker must know (maker credentials risk, no-auth risk, org-wide sharing, connector scope, Owner/Sponsor); red-flag self-audit checklist before publishing; escalation paths. | playbooks.html |
| New Playbook | Playbook 08 – Vet a Third-Party Agent Before Publish. Five-step checklist: publisher & provenance, connector & data scope, authentication & identity model, DPIA & regulatory trigger, approval & ongoing governance. Default for external agents is "not approved" (opt-in to allow), the opposite of internally built agents. | playbooks.html |
| Fixed | Frameworks page – orphan callout div closed. The "Full control list" callout at the bottom of the ZT Workshop controls section was an unclosed div from a previous edit; now properly closed with content pointing to the dedicated Zero Trust page. | frameworks.html |
| Refreshed | Chat widget suggestion chips refreshed across both modes. Technical mode now surfaces the six-phase rollout, risk tier methodology, four KPIs, Owner/Sponsor/Approver model, and third-party vetting playbook. Business mode now surfaces six-phase (simple), four KPIs for the board, quarterly board pack, governance forums, and risk tier explained. Older chips that overlapped or had aged out (How long does it take?, Biggest mistakes, CISO 90-day plan, Foundry logging, Maker creds + Security Copilot, Detect orphaned agents, Entra Agent ID GA?, What if we do nothing?, Classic vs Modern simple) were retired. Applied identically across all 15 pages with the chat widget. | All pages with the chat widget (15 files) |
| Updated | Chat assistant system prompt (chat.js) updated to cover all new content. Added technical-mode sections for: six-phase rollout (with phase ordering rationale), AI Readiness Assessment, risk tier methodology with the "highest match, not average" caveat, four AI security KPIs with KQL, quarterly board reporting pack structure, AI Governance Operating Model (5 forums with cadences), AI Baseline vs structured assessment distinction, AI Trust & Safety assurance (Adelard), third-party agent vetting (5 steps), maker awareness brief. Owner / Sponsor / Orphaned model extended to Owner / Sponsor / Approver / Orphaned. Business mode received plain-English versions of six-phase, four KPIs, board pack, governance forums, and risk tier. Site navigation section updated to reflect new playbooks (PB07, PB08) and the zero-trust.html page. | chat.js |
Method
This batch of changes came from a gap analysis of the site against an enterprise AI security implementation plan. Twelve generalisable content gaps were identified; customer-specific content (UK NIN, HMG classification, ICO obligations) was deliberately excluded to keep the site vendor-and-jurisdiction neutral.
MAY 4, 2026
Sentinel – Microsoft Copilot Solution: 6 Analytic Rules + Workbook
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| New | Six Copilot analytic rules for Sentinel contributed to Azure/Azure-Sentinel GitHub by Samik Roy (May 2026): Jailbreak Attempt Detected · Access From External IP · Plugin Created by Non-Admin User · Plugin Enabled After Being Disabled · Plugin Tampering (Enable/Disable within 5 minutes) · File Uploads Disabled. Deploy via Content Hub → Microsoft Copilot solution. | playbooks.html, product-map.html |
| New | Microsoft Copilot Activity Monitoring workbook – 7 sections: All Events, Activity Overview, User Activity Analysis, Plugin Management, AI Model Usage, Security Insights (jailbreak + IP), Detailed Activity Log. Single pane of glass for CopilotActivity telemetry. Deployable from Sentinel Content Hub as part of Microsoft Copilot solution. | playbooks.html |
MAY 3, 2026 (2)
Work IQ Three-Layer Architecture · MCP Server Renaming to Work IQ Brand
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| Updated | Work IQ three-layer architecture – Data (M365 signals), Memory (persistent cross-session understanding of how people/teams work), Inference (reasoning + action via Work IQ MCP tools, governed by Agent 365 control plane). M365 Copilot licence required for Work IQ MCP servers. Source: Microsoft Learn Work IQ MCP overview (Preview). | agent365.html |
| Updated | MCP server names updated to Work IQ branding – Copilot Search → Work IQ Copilot · Outlook/Teams → Work IQ Calendar / Work IQ Teams · SharePoint → Work IQ SharePoint Lists / Work IQ SharePoint and OneDrive (Frontier). Old names remain supported for existing connections. Source: Microsoft Learn Work IQ MCP overview (Preview). | foundry.html |
MAY 5, 2026
A365 - Monitor OpenClaw – Intune Policy Deep Dive (Derk van der Woude)
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| Updated | A365 - Monitor OpenClaw policy details – the "Continuously detect managed devices" toggle creates a specific Intune Device Configuration policy: A365 - Monitor OpenClaw. Properties catalog profile (read-only, safe to deploy). Uses new Local AI Agent Settings Catalog node. Runs via Intune Management Extension (IME), inspects disk and memory on managed Windows devices. 24-hour refresh cadence. | agent365.html |
| New | Eight properties collected per device – Agent Name, Agent Version, Host Process, Install Location, Install Scope, Install Scope Platform User ID (Windows SID), Install Scope User ID (Entra UPN), Local AI Agent Execution Context (user/elevated/SYSTEM). The Execution Context property is a key risk signal: SYSTEM-level agent execution indicates significantly elevated risk. | agent365.html, playbooks.html |
Source
Derk van der Woude (Rubicon Cloud Advisor / #BBTG) – LinkedIn post, May 5, 2026
MAY 3, 2026
Shadow AI – Two Policy Names · Coming Detections · Critical Rollback Caveat
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| Updated | Shadow AI page – two specific Intune policies named: "Continuously detect managed devices" (multi-signal: identity, device, network) and "Block AI Agents from OpenClaw" (Intune baseline policy: A365 - Block OpenClaw). | agent365.html |
| New | Coming Shadow AI detections expanded – beyond Claude Code CLI: Ollama Desktop, OpenAI, Cursor, Poe Desktop. Source: Derk van der Woude (Rubicon Cloud Advisor). | agent365.html |
| Caveat | Critical operational caveat – Block policy cannot be disabled via Agent 365 portal. Once enabled, rollback requires deleting the Intune security policy (A365 - Block OpenClaw) directly in Intune. The Agent 365 portal does not expose a disable control. Source: Derk van der Woude, May 2026. | agent365.html, gaps.html |
Source
Derk van der Woude (Rubicon Cloud Advisor / #BBTG) – LinkedIn post, May 3, 2026
MAY 1, 2026 (4)
Windows 365 for Agents – Full Detail from Tech Community Blog
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| Updated | Windows 365 for Agents expanded – Windows 365 for Agents callout replaced with full section. Additions: why agents need a managed execution environment (many enterprise apps have no APIs, UI interaction required), the employee analogy (same trust model extended to AI), three explicit benefits, four-layer Microsoft AI stack (Microsoft IQ / Windows 365 for Agents / Azure / Agent 365), prerequisites (Agent 365 + Intune + Azure subscription for compute billing), setup path, who it is for (legacy/UI apps, human-in-the-loop). Source: Windows IT Pro Blog, May 1, 2026. | agent365.html, product-map.html |
MAY 1, 2026 (3)
Three Agent Modes · Windows 365 for Agents · OpenClaw · Network Controls GA · Partner Services
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| New | Three agent operating modes – Delegated access (GA), Own access/autonomous (GA), Agents in team workflows (Public Preview). Full table with how-it-works and examples. Source: Agent 365 GA blog (May 1, 2026). | agent365.html |
| New | Windows 365 for Agents (Public Preview · US only) – new class of Cloud PCs purpose-built for agentic workloads. Managed via Intune. Observable in Agent 365. Infrastructure execution layer complementing Agent 365 governance layer. | agent365.html, product-map.html |
| New | Local agent discovery (OpenClaw, GitHub Copilot CLI, Claude Code) – new Shadow AI page in Agent 365/M365 admin center. Discover local agents on managed devices, block via Intune. Defender context mapping for local agents June 2026. Gap added: local agents operating outside governance. | agent365.html, gaps.html |
| Corrected | Network controls now GA – Secure Web and AI Gateway for Agents is GA as of May 1, 2026 (not Preview). Extends to Copilot Studio agents AND local agents (OpenClaw) running on user endpoint devices. | agent365.html, product-map.html |
| New | Partner services taxonomy – five service categories (Inventory/Ownership, Least Privilege, Compliance, Threats, Ongoing Operations) and five service types (Workshops, Governance, Managed Services, Advisory, Security+Integration). Featured launch partners: Accenture, Bechtle, Capgemini, Insight, KPMG, Protiviti, Slalom. | strategy.html |
MAY 1, 2026 (2)
Agent 365 GA – New Capabilities, Pricing, GCC, Defender Context Mapping
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| New | Agent 365 registry sync with AWS Bedrock + Google Cloud (Preview) – automatically discover and inventory agents on AWS Bedrock and Google Gemini Enterprise Agent Platform. Basic lifecycle governance (start/stop/delete) coming soon. Announced GA day, May 1, 2026. | agent365.html |
| New | Defender agent context mapping (Preview, June 2026) – relationship map per agent: devices running it, MCP servers configured, associated identities, cloud resources reachable. Blast radius context for security teams. File access and network behaviour investigation. Policy-based controls + runtime blocking via Intune also coming June 2026. | agent365.html |
| Updated | Agent 365 pricing clarification – no additional per-agent charge for first 10,000 managed agents per tenant. Graduated consumption ~$0.15/agent/month thereafter (volume discounts via EA). GCC/GCC High late 2026. DoD early 2027. macOS/Linux: dedicated clients committed by end of 2026. | agent365.html |
MAY 1, 2026
Foundry Control Plane · Nav Restructure · 7 Training Gaps · Demo Updated
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| New page | Foundry Control Plane (foundry.html) – new page covering: four control plane capabilities, agent lifecycle, three evaluation categories (Quality/Risk+Safety/Agent-specific with all evaluator names), AI Red Teaming Agent (managed vs PyRIT standalone), Content Safety guardrail categories, Purview Data Security Investigations three-stage workflow, AI Baseline in Compliance Manager, Agent 365 MCP tool catalog, Shadow AI discovery 4-step setup, Foundry Projects model. Source: Agent 365 Training Days 2&3. | foundry.html (new) |
| Nav | Nav restructure – CS vs Foundry merged into Agent 365. Changelog moved to footer link. Foundry added as new nav item. 14 nav items total. | All pages |
| Demo | Demo renamed demo.html – Foundry Control Plane page added with evaluation tables, Content Safety categories, Red Teaming Agent, MCP catalog. AI Baseline modal added to Purview recommendations panel. | demo.html |
Source
Microsoft Partner Project Ready – Implement Agent 365 Training (Day 1, 2, 3) · May 2026
APRIL 28, 2026
PyRIT Red Teaming · OWASP LLM Top 10 · Pre-Deployment Testing Gap
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| New | Microsoft PyRIT – open-source AI red teaming framework. 53+ adversarial datasets, 70+ converters, 6 attack strategies, 20+ scorers. Battle-tested on 100+ Microsoft products including Copilot. Tests two risk surfaces: security vulnerabilities AND responsible AI harms. MIT licensed. Source: Microsoft Tech Community. | product-map.html |
| New | OWASP LLM Top 10 (2025) – distinct from OWASP Agentic AI Top 10. Full table with 10 risk categories mapped to AI agent controls: LLM01 Prompt Injection, LLM02 Sensitive Info, LLM03 Supply Chain, LLM04 Data Poisoning, LLM05 Improper Output Handling, LLM06 Excessive Agency, LLM07 System Prompt Leakage, LLM08 Vector Weaknesses, LLM09 Misinformation, LLM10 Unbounded Consumption. | frameworks.html |
| New | Playbook 05b – Pre-Deployment AI Agent Red Teaming with PyRIT: four escalating attack phases (plain → encoded → semantic → multi-turn), OWASP mapping, CI/CD release gate configuration (YAML config, exit code 0/1). When to run: quick on every merge, full pre-release. | playbooks.html |
| New | Gap: No pre-deployment security testing for AI agents – most agents ship with zero adversarial testing. No mandatory security gate in the Microsoft platform equivalent to OWASP ZAP or DAST for web apps. PyRIT + CI/CD integration is the current recommended mitigation. | gaps.html |
APRIL 27, 2026
Secure Web and AI Gateway · Foundry Auto-Provisioning · App Service Agent ID · Frontier Path
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| New | Secure Web and AI Gateway for Agents (Preview) – Global Secure Access network security controls extended to Copilot Studio agent outbound traffic. Covers HTTP Node, Custom connectors, and MCP Server Connector traffic. Configured in Power Platform Admin Center. Applies web content filtering, threat intelligence, and network file filtering to agent traffic before it reaches external resources. Source: Microsoft Learn. | identity.html, product-map.html |
| New | Foundry auto-provisioning of agent identities – Microsoft Foundry automatically provisions Blueprint and Agent Identity when the first agent is created in a project. Publishing an agent creates a dedicated Blueprint and Agent Identity. Foundry supports Agent ID for MCP and A2A tool authentication. Source: Microsoft Learn ID Governance for Agents. | identity.html |
| New | App Service and Azure Functions Agent ID support – existing serverless workloads can use Entra Agent Identity Platform to connect as agents without rebuilding. Source: Microsoft Learn App Service Agent Identity. | identity.html |
| Updated | Frontier programme path – specific navigation: M365 admin center → Copilot → Settings → User access → Copilot Frontier. Requires M365 Copilot licence. | identity.html |
APRIL 24, 2026
Entra Agent ID Deep-Dive · Strategy Page · RSAC 2026 · Copilot Data Connector
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| New | Strategy page (eight-pillar agentic AI defense framework) – new page covering Visibility & Inventory, Identity, Data Security, Endpoints & Cloud, Zero Trust for AI, Agents in Security Workflows, Agentic SIEM Platform, and Technical & Governance Partners. Each pillar maps controls, products, and honest gaps. Includes maturity model, summary table, and consultant service packaging guide. Source: Microsoft RSAC 2026 / Vasu Jakkal. | strategy.html (new) |
| New | Seven governance pillars for Entra Agent ID – CA, ID Governance, Access Packages, ID Protection, Network Controls, Sign-in & Audit Logs, Consent & Sign-in. New sections: Access Packages as the governance layer above CA (permission lifecycle, time-bound grants), InheritDelegatedPermissions property (disabled by default, increases Blueprint blast radius when enabled), single-tenant enforcement (agent identities always single-tenant even when Blueprint supports multi-tenancy), Object ID = App ID for agent identities. Source: Carlos Suarez (Microsoft Senior Security Solution Engineer), contosec.com/articles/EntraAgentID. | identity.html |
| Updated | Blueprint credential preference order corrected – updated from "FIC recommended" to three-tier preference: (1) Managed Identity via FIC (most preferred for production; platform manages lifecycle), (2) FIC (preferred when MI not available), (3) Secrets/Certificates (dev/test only). Source: Carlos Suarez (Microsoft). | identity.html |
| Updated | Updated agent access model terminology – Microsoft has standardised new names: "Agents with delegated access" (formerly OBO agents), "Agents with own access / Autonomous" (formerly non-OBO agents). Agent entities authenticate as confidential clients only: no redirect URIs, no /authorize endpoint. Source: Carlos Suarez (Microsoft). | identity.html |
| New | Copilot Data Connector (Sentinel) – full details: 21 record types with event numbers, source confirmed as Purview UAL (default enabled), single-tenant only caveat, Content Hub deployment path, Global/Security Admin required. Includes CloudAppEvents table card with key ActionTypes, prerequisite M365 activities checkbox, metadata-only limitation, and "Defender for AI" umbrella term clarification. Source: Microsoft Sentinel Blog, Feb 3, 2026. | product-map.html |
| New | Agent model inventory KQL – EUDB compliance: new KQL query extracting modelNameHint from RawAgentInfo to identify which AI model each Copilot Studio agent uses (Anthropic, OpenAI, environment default) with EU Data Boundary compliance status per agent. Anthropic models process outside EUDB regardless of tenant geo; high severity compliance gap. Source: Blue161616/Agent-Identity (GitHub). | playbooks.html, gaps.html |
| New | Work IQ and partner ecosystem added to Agent 365 – Work IQ contextual intelligence engine (AI Tour Paris March 2026) grounds agents in org knowledge with sensitivity label inheritance. Partner ecosystem: Adobe, SAP, ServiceNow, Workday, Databricks, NVIDIA, Glean, n8n + open-source LangChain, OpenAI SDK, Anthropic SDK, Crew.ai, Cursor, Perplexity, Vercel. Ignite 2025 announcement context added. | agent365.html, demonew.html |
| New | Sentinel + Defender combined coverage table – callout on products page showing how Sentinel and Defender work together for AI agent security: real-time blocking vs correlation, CloudAppEvents vs CopilotActivity, 90-day vs long-term retention, SOAR automation. GDAP + unified RBAC for cross-tenant Sentinel management (Preview, RSAC 2026) added for MSSP scenarios. | product-map.html, gaps.html |
| New | Defender Predictive Shielding (Preview, RSAC 2026) – dynamically adjusts identity and access policies during active attacks, reducing exposure and limiting impact. Added to Threat Detection section. | product-map.html |
| New | "Frontier Firms" framing added to overview – Microsoft's term for AI-native enterprises anchored in intelligence and trust. Microsoft scale stats added: 100 trillion daily signals, 1.6M customers, 1B identities, 24B Copilot interactions. | overview.html |
APRIL 23, 2026 (2)
ATG SOC-ready alerts · AI model lifecycle five-stage framework
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| Updated | ATG SOC-ready alerts – every ATG block generates a comprehensive alert explaining what was stopped, why it was risky, and which agent/user/tool were involved. Blocks occur before tool invocation. Alerts flow into Defender XDR SOC workflows. Added to ATG descriptions on product map and agent365. | product-map.html, agent365.html |
| New | AI model lifecycle – five-stage control framework: supply chain → development → pre-deployment → production → end of life. Each stage requires specific controls. "If a model hasn't been scanned, it shouldn't be pushed." Added to Threat Scenario 6 (AI Model Supply Chain). | threats.html |
APRIL 23, 2026 (2)
Agent Model Inventory KQL – EUDB Compliance Gap
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| New | Agent model inventory with EUDB compliance status – new KQL query that extracts modelNameHint from RawAgentInfo to identify which AI model each Copilot Studio agent uses (Anthropic, OpenAI, environment default). Flags EU Data Boundary status per agent: Anthropic models (Sonnet/Haiku/Opus) process data outside EUDB regardless of tenant geo. Source: Blue161616/Agent-Identity on GitHub. | playbooks.html |
| New | EUDB compliance gap added – no native visibility or policy to prevent makers selecting out-of-EUDB models. Model selection buried in RawAgentInfo, not surfaced in any admin UI. High severity for EU organisations. | gaps.html |
APRIL 23, 2026
AI Red Teaming Agent · Agentic Risk Categories · Agent Map · Orphaned Agents · Stateful Agents
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| New | AI Red Teaming Agent (Foundry Preview) + PyRIT – automated adversarial testing for AI models and agents. Generates Attack Success Rate (ASR) metrics and deployment scorecard. Three agentic-specific risk categories (cloud-only): prohibited actions (3-tier taxonomy), sensitive data leakage via tool calls, task adherence. Built on PyRIT open-source framework. Added to product map. | product-map.html |
| New | Threat Scenario 8b (Agentic Risk: Prohibited Actions, Data Leakage & Task Deviation) – three-tier prohibited actions taxonomy (Prohibited/High-risk/Irreversible), sensitive data leakage via agent tool calls, task adherence failure dimensions. Purple environment concept for pre-deployment red teaming. Controls: AI Red Teaming Agent, ATG, human-in-the-loop gates. | threats.html |
| New | Agent Map – visual risk intelligence in Agent 365 portal. Shows agent-to-resource connections and cross-pillar risk signals. One-click block from map view. Added to agent365.html with KQL for ownerless agent detection. | agent365.html |
| Updated | Orphaned agents – two scenarios documented. Scenario A (Blueprint deleted, Entra) was already on site. Added Scenario B: agents built by employees who left the company, still running with full permissions and no owner. Most common real-world scenario. Updated gaps register with both scenarios. | agent365.html, gaps.html |
| New | Stateful agents / Dataverse memory – Agent 365 agents retain long-term memory via Dataverse across sessions. Persistent memory accumulates sensitive context and requires governance: access controls, retention policies, Purview DLP inclusion. Not automatically covered by existing M365 data policies. | agent365.html |
APRIL 23, 2026
Agent 365 – Work IQ, partner ecosystem, Ignite 2025 context
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| New | Work IQ – contextual intelligence engine that grounds agents in org knowledge (collaboration graph, project context, delegation patterns). Agents grounded via Work IQ inherit sensitivity label governance automatically. Announced Microsoft AI Tour Paris March 2026, now available as standalone agentic building block. | agent365.html |
| New | Partner ecosystem – enterprise partners already integrating with Agent 365 at GA: Adobe, SAP, ServiceNow, Workday, Databricks, NVIDIA, Glean, n8n, Cognition, Genspark, Kasisto, Manus. Open-source: LangChain, OpenAI Agents SDK, Anthropic SDK, Crew.ai, Cursor, Perplexity, Vercel. Source: Microsoft 365 Blog. | agent365.html |
| Updated | Timeline context – Agent 365 announced at Microsoft Ignite November 2025. Added to hero badge and intro. | agent365.html |
APRIL 22, 2026 (2)
Agent Identity – Three Critical Security Properties
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| New | Three critical Agent Identity security properties documented. (1) No admin token generation: no one in the tenant, including Global Admins, can generate agent identity tokens; Microsoft controls the Blueprint and authentication mechanism, preventing lateral movement via token theft. (2) Tenant-bound: agent identity tokens are only valid in their home tenant and cannot access other tenants. (3) Impersonation model: Blueprint performs token exchange, Agent Identity appears as client in audit logs; a Blueprint credential compromise affects all child agent identities. Sources: Microsoft Learn + Copilot Studio documentation. | identity.html |
APRIL 22, 2026
Copilot Studio Automatic Security Scan · Agent Runtime Protection Status
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| New | Copilot Studio automatic security scan – pre-publish scan warns makers when three secure defaults are changed: authentication set to None, maker-provided credentials selected, agent shared org-wide. Advisory only; maker can proceed. Does not detect all misconfigurations (e.g. App Reg Application Permissions not flagged). Added to identity page runtime protection section and threat scenario 1 controls. | identity.html, threats.html |
| New | Agent runtime protection status column – Copilot Studio Agents page now shows Protection Status per published agent: Protected (shield icon), Needs review (warning icon), Unknown (?). Three underlying categories: Authentication, Policies, Content Moderation. Security Analytics shows blocked message trends at 7/14/30 day intervals. All published agents have threat detection active by default. | identity.html |
APRIL 21, 2026
M365 Copilot Automated Readiness Assessment (ARA) – Open Source Tool
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| New | M365 Copilot Automated Readiness Assessment (ARA) – new open-source Microsoft tool for pre-deployment Copilot readiness. Queries tenant APIs (Graph, Defender, Exchange Online, Power Platform) across six domains: M365 licensing, Entra identity, Defender security, Purview compliance, Power Platform governance, Copilot Studio. 200+ feature evaluations. Outputs prioritised CSV/Excel reports with remediation links. Read-only permissions, no data egress, free. Added to product map alongside Agent Governance Toolkit, referenced in Playbook 01 as a pre-audit step, and as an automated gap discovery tool on the gaps page. | product-map.html, playbooks.html, gaps.html |
APRIL 20, 2026 (2)
CA for Agent ID Preview · ID Protection for Agents · Agent Segmentation
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| Updated | Conditional Access for Agent ID (Preview) – CA now applies to Modern agents (Agent Identities + Agent Users) as first-class identities. Updated scope table: Modern Copilot Studio (Entra Agent ID), Foundry, MS-built Security Copilot agents all covered. Classic Copilot Studio agents remain excluded. CA carve-outs documented: Blueprint creation flows and T1 token exchange are excluded by design. Source: Microsoft Learn. | identity.html, product-map.html |
| New | ID Protection for Agents (Preview) – six risk detections documented: unfamiliar resource access, sign-in spike, failed access attempt, sign-in by risky user, confirmed compromised, threat intelligence. Risk signals feed into CA for Agent ID policies (auto-block on High risk). Roles required: Security Administrator/Operator/Reader for reports, CA Administrator for policies. Graph API: riskyAgents and agentRiskDetections collections. Requires Entra P2. | identity.html |
| New | Agent segmentation with custom security attributes – recommended CA governance model. Assign custom security attributes to agents (e.g. AgentApprovalStatus) and resources (e.g. Department). CA policies target attribute combinations, enabling scalable, precise agent access governance without managing object IDs. Source: Microsoft Learn CA for Agent ID. | identity.html |
APRIL 20, 2026
Registry Convergence · Two-Portal Model · AI Reader / AI Administrator Roles
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| New | Registry convergence documented – Agent 365 (M365 admin center) is now the single control plane for comprehensive agent inventory. Entra admin center focuses on identity and access management only. Two-portal model added with clear table showing what each portal does, what agents are visible, and which roles are needed. | agent365.html, identity.html, product-map.html |
| New | AI Administrator and AI Reader roles documented – two new roles for Agent 365 inventory. AI Reader is the recommended least-privilege role for agent visibility in M365 admin center. Distinct from Agent ID Administrator (Entra admin center). No licence required for inventory-only access. | agent365.html, identity.html |
| Clarified | No licence needed for basic agent inventory – viewing all agents in M365 admin center (Agent 365) requires no product licence, only the AI Administrator or AI Reader role. Licence required only when applying security controls (CA, identity governance). | agent365.html |
APRIL 19, 2026
T1/T2 Authentication Flow · Federated Identity Credentials · Blueprint Scopes
| Type | Change | Page(s) Affected |
| New | T1/T2 authentication flow documented: Blueprint authentication has two phases, T1 (Exchange Token / trust phase, controlled by the Blueprint credential type) and T2 (Access Token / authorisation phase, controlled by Agent Identity permissions). The two are governed independently, a conceptual gap in our previous documentation. Source: Derk van der Woude (April 2026). | identity.html |
| New | Federated Identity Credentials (FIC) documented: FIC is the recommended Blueprint credential type. No stored secrets; trust is established against an external identity provider (e.g. Azure Managed Identity). Three required properties: issuer, subject, audiences. Gotcha: the match against the incoming token's claims is exact and case-sensitive. OIDC tokens are short-lived (minutes). Added to the Blueprint credential model section with a comparison table against secrets and certificates. | identity.html, agent365.html |
| New | Blueprint Graph API scopes documented: AgentIdentityBlueprint.Create, AgentIdentityBlueprint.AddRemoveCreds.All, AgentIdentityBlueprintPrincipal.Create, AgentIdentity.ReadWrite.All. Previously only the read scope (AgentIdentity.Read.All) was documented. Full scope table added for Blueprint lifecycle operations. | identity.html |
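The FIC gotcha above (issuer, subject and audiences must match the external token's claims exactly, case included) is easier to debug offline than in a failing token exchange. The following Python is an added example, not code from this site or from Microsoft: it decodes the payload of an OIDC token without verifying the signature (Entra verifies it during T1; this is only a claim-comparison aid), compares iss/sub/aud against a FIC record using exact string matching, flags a mismatch that differs only by case, and rejects an expired token. The FIC values, the tenant and identity GUIDs, and the constructed token are assumptions; the three property names issuer, subject and audiences are the ones the entry lists.

```python
import base64
import json
import time
from typing import Dict, List, Optional

# Constructed FIC record for the example (assumed values; an Azure Managed
# Identity as the external IdP). The subject GUID was pasted in upper case,
# which is exactly the case-sensitivity trap the page warns about.
FIC: Dict[str, object] = {
    "issuer": "https://login.microsoftonline.com/7d3a9c1e-2b4f-4a6d-8e1f-0c5b7a9d2e31/v2.0",
    "subject": "A1B2C3D4-E5F6-4A8B-9C0D-EF1234567890",
    "audiences": ["api://AzureADTokenExchange"],
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature.

    Diagnostic aid only: Entra verifies the signature against the issuer's
    OIDC metadata; here we only need the claims to compare against the FIC.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def check_fic(fic: Dict[str, object], claims: dict, now: Optional[float] = None) -> List[str]:
    """Compare token claims to a FIC record the way the exchange does: exact match.

    Returns a list of problems; an empty list means the token satisfies the FIC.
    """
    now = time.time() if now is None else now
    problems: List[str] = []

    # iss and sub are single strings on the FIC and must match byte-for-byte.
    for fic_key, claim in (("issuer", "iss"), ("subject", "sub")):
        expected, actual = fic.get(fic_key), claims.get(claim)
        if actual is None:
            problems.append(f"token has no '{claim}' claim")
        elif actual != expected:
            case_only = str(actual).lower() == str(expected).lower()
            hint = " (differs only by case)" if case_only else ""
            problems.append(f"{claim} mismatch: token={actual!r} fic={expected!r}{hint}")

    # aud may be a string or a list in the token; the FIC holds a list, and at
    # least one token audience must appear in it (exact match again).
    aud = claims.get("aud")
    token_auds = [aud] if isinstance(aud, str) else list(aud or [])
    if not any(a in fic.get("audiences", []) for a in token_auds):
        problems.append(f"aud mismatch: token={token_auds!r} fic={fic.get('audiences')!r}")

    # The external IdP's OIDC token is short-lived; an expired one is rejected
    # regardless of how well the other claims line up.
    exp = claims.get("exp")
    if exp is not None and exp < now:
        problems.append(f"token expired {int(now - exp)}s ago")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned compact JWT so the example runs offline.

    Never accept such a token anywhere real; it exists only so the claim
    comparison above has something to parse.
    """
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def demo(now: float = 1_777_000_000.0) -> List[str]:
    """Token from the (assumed) managed identity: same GUID as the FIC, lower case."""
    token = make_unsigned_token({
        "iss": FIC["issuer"],
        "sub": "a1b2c3d4-e5f6-4a8b-9c0d-ef1234567890",
        "aud": "api://AzureADTokenExchange",
        "iat": now,
        "exp": now + 300,  # five minutes, typical for these tokens
    })
    return check_fic(FIC, decode_jwt_payload(token), now=now)


if __name__ == "__main__":
    for line in demo() or ["FIC satisfied"]:
        print(line)
```

Run it as-is and the only finding is the subject mismatch flagged as case-only, which is the failure mode that looks correct at a glance in the portal. When adapting this to a real token, paste the token the external IdP actually issued (the managed identity's, not a user token) so the comparison reflects what Entra sees.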
APRIL 17, 2026
New Page: Agent 365 · Contact + Privacy merged · Nav restructured
| Type | Change | Page(s) Affected |
| New page | Agent 365, a dedicated deep-dive page: covers what Agent 365 actually is (an enterprise control plane, not a builder), six capability cards (Entra identity, ATG, OpenTelemetry, Blueprint governance, M365 notifications, Defender integration), platform support (8 platforms including Claude Code SDK, Bedrock, Vertex AI), licensing ($15 standalone vs $99 E7, with full breakdown), Frontier programme getting-started steps, a security coverage matrix by agent type, and three A365 KQL queries. Added between Products and Identity in the nav. | agent365.html |
| Merged | Privacy Policy merged into the Contact page. Privacy no longer has a separate nav item; the content lives at contact.html#privacy and privacy.html redirects automatically. Nav restructured from 14 to 13 items (before the Agent 365 addition); the Agent 365 page now sits between Products and Identity. | contact.html, privacy.html |
Nav is now 14 pages
Home · Overview · AI Risk · Products · Agent 365 · Identity · MCP · Threats · Frameworks · Gaps · Playbooks · CS vs Foundry · Changelog · Contact
APRIL 16, 2026 (3)
RegistrySource Column · A365 KQL Queries · ATG Detail + Limitation · Capability Matrix
| Type | Change | Page(s) Affected |
| New | RegistrySource column documented: new AIAgentsInfo column distinguishing the agent source, "A365" (Agent 365 registered) vs "PowerPlatform" (Copilot Studio). Added to the identity and playbooks pages with guidance on when to use each filter. | identity.html, playbooks.html |
| New | Four new A365 KQL queries in Playbook 01 Step 8: all A365 agents, published agents with no instructions (prompt injection risk), agents with MCP tools (expanded attack surface), agents using non-HTTPS endpoints. All use the RegistrySource == "A365" filter. Direct portal URL added: security.microsoft.com/securitysettings/security_for_ai | playbooks.html |
| Updated | ATG blocking categories documented: credential exfiltration, data leakage via tool calls, routing to malicious destinations, obfuscated content manipulation. Critical limitation added: ATG operates only on the tool execution path and does NOT inspect model reasoning between tool calls. | product-map.html |
| New | Capability matrix documented. Coverage depth differs by agent type: Copilot Studio (deepest), Agent 365 SDK agents (near-real-time detection + ATG), Foundry/Bedrock/Vertex AI (UI inventory + posture, less depth). Agent 365's platform-agnostic nature documented: it works with the OpenAI Agents SDK, Claude Code SDK, LangChain SDK, and AWS/GCP-hosted agents. | product-map.html |
APRIL 16, 2026 (2)
Agent 365 + Defender Integration · AIAgentsInfo Expanded · Agent Tooling Gateway
| Type | Change | Page(s) Affected |
| Updated | AIAgentsInfo table expanded beyond Copilot Studio: it now includes additional columns covering Microsoft Foundry agents, 3rd-party marketplace agents, and custom LOB agents, where these are registered with Agent 365 or use the Agent 365 SDK. Previously documented as Copilot Studio only. KQL guidance updated across the playbooks and identity pages. | product-map.html, playbooks.html, identity.html |
| New | Agent Tooling Gateway (ATG), an Agent 365 concept: agents onboarded via ATG get real-time protection from Defender, with tool actions evaluated and blocked before execution. Equivalent to the existing Copilot Studio Defender RT protection, but for the Agent 365 ecosystem. Added as a significant gap: coverage depends on explicit ATG onboarding by the agent builder. | product-map.html, gaps.html |
| New | Agent 365 SDK integration with Defender: agents built with the Agent 365 SDK get near-real-time detections, alerts, and Advanced Hunting coverage automatically. Defender now explicitly discovers agents registered with Agent 365. | product-map.html |
Sources
LinkedIn post from the Microsoft Defender team · Microsoft Learn: Discover AI agents and assess security posture using Microsoft Defender (Preview) · Detect, block, and investigate threats to AI agents using Microsoft Defender (Preview)
APRIL 16, 2026
Security for AI: New Home in Defender Portal
| Type | Change | Page(s) Affected |
| Navigation change | Security for AI agents moved to a new location in the Defender portal: previously accessed via Settings → Cloud Apps → AI Agents, now Settings → Security for AI. Currently rolling out to some tenants (preview). All playbook navigation paths updated. The feature now covers runtime monitoring for Copilot Studio, Microsoft Foundry, Agent 365, and Microsoft 365 (not just Copilot Studio). Detects suspicious behaviour, prompt injection, data leakage, and misconfigurations. | playbooks.html, product-map.html, copilot-vs-foundry.html |
If you can't find the new path
The move to Settings → Security for AI is rolling out gradually. If your tenant hasn't received it yet, the old path (Settings → Cloud Apps → AI Agents) still works. Check back in the coming weeks if the new path isn't visible.
APRIL 15, 2026
DLP All Storage Locations · Copilot Background Indexing Threat Scenario
| Type | Change | Page(s) Affected |
| Updated | DLP for M365 Copilot, all storage locations: previously, label-blocking applied only to SharePoint and OneDrive. Rolling out mid-April to May 2026: DLP label-blocking now applies to Word, Excel, and PowerPoint files regardless of where they are stored (local device, network shares, non-Microsoft cloud). No policy changes needed; existing rules apply automatically. Triggered by incident CW1226324 (January 2026). | product-map.html |
| New scenario | Threat Scenario 8, Copilot Background Indexing Bypasses DLP Labels: new threat scenario documenting the real-world CW1226324 incident. Copilot indexed confidential emails in Outlook Drafts/Sent Items for about a month despite active DLP labels. Root cause: AugLoop relied on SharePoint/OneDrive URLs for label retrieval, so content outside those locations was never checked. Includes the structural lesson and current controls. | threats.html |
| New gap | DLP storage location gap added to the gaps register, noted as resolving April to May 2026, with the caveat that unlabelled files remain unblocked regardless of policy. | gaps.html |
APRIL 13, 2026 (2)
SharePoint Advanced Management · Oversharing Risk · IRM Adaptive Protection · Compliance Manager
| Type | Change | Page(s) Affected |
| New | SharePoint Advanced Management (SAM): new product card. Included with M365 Copilot licences at no extra cost. Covers Restricted Content Discovery (RCD, which excludes sites from Copilot grounding), Content Management Assessment, Site Access Reviews, and Restricted Access Control. Added to the Copilot vs Foundry comparison table. | product-map.html, copilot-vs-foundry.html |
| New gap | SharePoint oversharing, a silent Copilot data exposure vector: M365 Copilot surfaces data from any site a user has access to. EEEU (Everyone Except External Users) access, broken inheritance, and anonymous links all become Copilot exposure vectors, even where the oversharing predates Copilot deployment. Added to Significant Gaps with SAM remediation guidance and a link to Microsoft's three-step blueprint. | gaps.html |
| New | IRM Adaptive Protection for AI: new product card. IRM detects inappropriate Copilot usage patterns and automatically enrols risky users into more restrictive DLP policies without manual intervention. Closes the detection-to-enforcement gap for AI misuse. | product-map.html |
| New | Purview Compliance Manager for AI regulations: new product card and frameworks callout. Compliance Manager includes AI-specific assessment templates (EU AI Act, NIST AI RMF) that surface prioritised improvement actions. The operational tool for meeting the June 2026 and August 2026 regulatory deadlines. | product-map.html, frameworks.html |
APRIL 13, 2026
Microsoft Access Strategy Research: Stats, Access Fabric, Vendor Sprawl
| Type | Change | Page(s) Affected |
| New | Research statistics added to the overview: 97% of organisations had an identity/access incident in the past year; 70% were tied to AI-related activity; 47% of incidents were accidental rather than malicious. Source: Microsoft Secure Access in the Age of AI report (March 2026). | overview.html, risk.html |
| New | Access Fabric concept: Microsoft's architectural framing for AI-scale access, with identity as the consistent decision point, near-real-time enforcement across environments, and a common foundation for employees, workloads, and AI agents. Added to the Frameworks page alongside ZT4AI. Connected to the Classic Agent gap as a concrete example of what access fabric fragmentation looks like. | frameworks.html |
| New | Identity tool fragmentation gap: organisations use an average of 5 identity and 4 network access tools, and nearly half report being overwhelmed by vendor sprawl. Added to Significant Gaps with mitigation guidance. | gaps.html |
APRIL 12, 2026 (2)
ZT4AI Blog: Control Count Corrected · Ephemerality · Double Agents · Agent 365 Pricing
| Type | Change | Page(s) Affected |
| Correction | ZT Workshop AI control count corrected, 80+ → 700+: the site previously cited "80+ controls". The actual ZT Workshop AI pillar contains 700 security controls across 116 logical groups and 33 functional swim lanes. Corrected everywhere it appeared. | frameworks.html, identity.html, product-map.html |
| New | Ephemerality Controls, JIT for agents: agents should receive short-lived credentials that expire when their specific task completes. Part of the ZT4AI framework. Limits the window in which a compromised agent's credential can be used to minutes. Added as a new product card and explained in the ZT section of Frameworks. | product-map.html, frameworks.html |
| New | "Double agents" framing from the ZT4AI announcement: overprivileged, manipulated, or misaligned agents can act against the outcomes they were built to support. Added to the AI Risk agent properties table and the ZT section. | risk.html, frameworks.html |
| Updated | Agent 365 GA date and pricing: GA May 1, 2026 at $15/user/month. Added to the Agent 365 product card. | product-map.html |
| Updated | ZT Assessment tool, Data and Networking pillars: in addition to the AI pillar (due summer 2026), the ZT Assessment tool has been updated with new Data and Networking pillars. Noted in the Frameworks page control list callout. | frameworks.html |
APRIL 12, 2026 (2)
ZT4AI: Least Agency Concept + Reference Architecture
| Type | Change | Page(s) Affected |
| New | Least agency concept, an extension of least privilege specific to AI agents: it is not enough to limit data sources; the APIs, UI actions, and side effects an agent can invoke must also be limited. Each connector added to an agent (CRM, ticketing, database) expands its blast radius if the agent is manipulated. Added to the Least Privilege ZT principle on the Frameworks page. | frameworks.html |
| New | ZT4AI reference architecture properly surfaced: the Microsoft Zero Trust for AI reference architecture published at RSAC 2026 is now a prominent resource callout with direct links, replacing an in-passing mention. Covers the full AI lifecycle from data ingestion through agent behaviour. | frameworks.html |
APRIL 12, 2026
Owner vs Sponsor · Orphaned Agents · Blueprint Model · Two-Layer Protection · Graph API Scripts
| Type | Change | Page(s) Affected |
| New | Owner vs Sponsor distinction formally documented as two separate governance roles. Owner = technical admin (credentials, monitoring). Sponsor = business accountable (lifecycle, Access Package approvals). Both are optional at creation but both are required for proper governance; neither is enforced by Microsoft at agent creation time. | identity.html, playbooks.html |
| New | Orphaned Agent Identities and Agent Users: a new concept, distinct from ownerless. When a Blueprint is deleted, its Agent Identities remain with all permissions intact but can no longer authenticate. Agent Users remain as normal-looking user accounts with no flag. Microsoft does not detect these automatically. Detection scripts and a gap entry added. | identity.html, gaps.html, playbooks.html |
| New | Third agent category, "Agents with no identities": agents in the Agent Registry with no Entra Agent ID at all. Previously only Classic vs Modern was documented. Now three categories: Modern (Agent ID), Classic (service principal), No Identity (invisible to security tooling). | identity.html |
| New | Blueprint credential model: credentials live on the Blueprint, not on the Agent Identity. When the Blueprint is deleted the credentials go with it but the permissions remain, which is the root cause of orphaned identity debt. | identity.html |
| New | Graph API PowerShell detection scripts, Playbook 01 Steps 6 and 7: detect Modern agents missing an Owner or Sponsor, and detect orphaned Agent Identities via a Graph API cross-reference. Includes a gotcha: Global Reader returns 403; the Agent ID Administrator role is required. | playbooks.html |
| New | Two-layer protection architecture: Responsible AI (conversational, always on, "Content filtered" message) vs Defender for Cloud Apps RT protection (action level, must be configured, "Blocked by threat protection" message). Different triggers, different moments, different messages. 1-second timeout caveat documented. | identity.html, copilot-vs-foundry.html |
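The cross-reference that Playbook 01 Steps 6 and 7 perform (missing Owner/Sponsor, and Agent Identities whose Blueprint no longer exists) can be reasoned about on constructed data before it is run against a tenant. The following Python is an added example, not the playbook's PowerShell and not Microsoft code: it triages Graph-shaped records into findings, lists the permissions that remain granted on each orphan (the point of the credential model above), and goes one step beyond the entry by grouping orphans by the deleted Blueprint, since one Blueprint deletion orphans every identity created from it. The field names blueprintId, owners, sponsors and appRoleAssignments, and all identifiers, are assumptions; map them to the real Graph property names when adapting it.

```python
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed, Graph-shaped records. Field names are assumptions for this
# example; the real Graph property names are not given on this page.
BLUEPRINTS = {"bp-hr-001", "bp-fin-002"}  # Blueprints that still exist

AGENT_IDENTITIES = [
    {"id": "ai-1", "displayName": "HR Leave Assistant", "blueprintId": "bp-hr-001",
     "owners": ["alice@contoso.example"], "sponsors": ["hr-lead@contoso.example"],
     "appRoleAssignments": ["User.Read.All"]},
    {"id": "ai-2", "displayName": "Finance Reconciler", "blueprintId": "bp-fin-002",
     "owners": [], "sponsors": [],
     "appRoleAssignments": ["Files.ReadWrite.All"]},
    {"id": "ai-3", "displayName": "Ticket Triage", "blueprintId": "bp-it-009",
     "owners": ["bob@contoso.example"], "sponsors": [],
     "appRoleAssignments": ["Mail.ReadWrite", "Sites.ReadWrite.All"]},
    {"id": "ai-4", "displayName": "Ticket Escalation", "blueprintId": "bp-it-009",
     "owners": ["bob@contoso.example"], "sponsors": ["it-lead@contoso.example"],
     "appRoleAssignments": ["Mail.Send"]},
]


def triage(blueprints: Iterable[str], identities: List[dict]) -> List[dict]:
    """Classify each Agent Identity the way Playbook 01 Steps 6 and 7 do.

    An identity is orphaned when the Blueprint it was created from no longer
    exists: it cannot authenticate (the credentials lived on the Blueprint),
    but every appRoleAssignment is still granted and still counts as standing
    access. Missing owner or sponsor is reported separately because Microsoft
    enforces neither at creation.
    """
    live = set(blueprints)
    findings = []
    for ai in identities:
        issues = []
        orphaned = ai.get("blueprintId") not in live
        if orphaned:
            issues.append("orphaned: Blueprint deleted, cannot authenticate, permissions still granted")
        if not ai.get("owners"):
            issues.append("no owner (nobody holds credentials/monitoring)")
        if not ai.get("sponsors"):
            issues.append("no sponsor (nobody accountable for lifecycle)")
        if issues:
            findings.append({
                "id": ai["id"],
                "displayName": ai.get("displayName", ""),
                "orphaned": orphaned,
                "issues": issues,
                "residual_permissions": list(ai.get("appRoleAssignments", [])),
            })
    # Orphans first, then the widest residual permission set first.
    findings.sort(key=lambda f: (not f["orphaned"], -len(f["residual_permissions"]), f["id"]))
    return findings


def orphans_by_blueprint(blueprints: Iterable[str], identities: List[dict]) -> Dict[str, List[str]]:
    """Group orphaned identities by the deleted Blueprint: one deletion, many orphans."""
    live = set(blueprints)
    groups: Dict[str, List[str]] = defaultdict(list)
    for ai in identities:
        if ai.get("blueprintId") not in live:
            groups[ai["blueprintId"]].append(ai["id"])
    return dict(groups)


if __name__ == "__main__":
    for f in triage(BLUEPRINTS, AGENT_IDENTITIES):
        print(f["id"], f["displayName"], f["issues"], f["residual_permissions"])
    print(orphans_by_blueprint(BLUEPRINTS, AGENT_IDENTITIES))
```

The ordering is deliberate: an orphaned identity with Sites.ReadWrite.All and no sponsor is the first thing to clean up, because nobody can use it legitimately, nobody is accountable for it, and the grant is still there for anyone who can re-attach credentials. Remember the gotcha from the entry when collecting the real records: Global Reader returns 403 for these collections.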
APRIL 11, 2026 (3)
Correction: Security Copilot Agent Identity, Microsoft-built vs Custom agents
| Type | Change | Page(s) Affected |
| Correction | Security Copilot custom agent maker credentials risk: custom and partner Security Copilot agents use "Connect with existing user account", storing the configuring user's credentials for all executions. Security Copilot users are typically high-privilege accounts. A custom agent built by a Global Admin extends admin-level access to Sentinel, Defender, Entra, and threat intelligence to every user who runs it, with no CA for Agents or ID Protection coverage. Added as a significant gap with mitigation guidance. Described as the "maker credentials problem in disguise" on the identity page. | identity.html, copilot-vs-foundry.html, gaps.html |
| Correction | CA for Agents, Security Copilot nuance: the site previously stated that CA for Agents applies to "Security Copilot and AI Foundry agents" without qualification. Field research from Microsoft Learn (April 2026) clarifies that Security Copilot offers two identity options. Microsoft-built agents use a dedicated Entra Agent ID, so CA for Agents and ID Protection apply. Custom and partner Security Copilot agents use "Connect with existing user account", so the agent runs with the configuring user's credentials. This is functionally identical to Copilot Studio's Agent's User Account pattern, and CA for Agents does NOT apply. Corrected across the identity page, the product map CA card, and the Copilot vs Foundry comparison table. | identity.html, product-map.html, copilot-vs-foundry.html |
APRIL 11, 2026 (2)
Agent Governance Toolkit · OWASP Agentic AI Top 10 · Regulatory Deadlines
| Type | Change | Page(s) Affected |
| New | Agent Governance Toolkit, new product card: open-source, MIT-licensed toolkit from Microsoft providing runtime security governance for autonomous AI agents. Seven packages covering policy enforcement, cryptographic identity, execution rings, circuit breakers, kill switch, plugin signing, and compliance mapping. Framework-agnostic, sub-millisecond latency. Available April 2026. | product-map.html |
| New | OWASP Top 10 for Agentic Applications 2026 added to the Frameworks page. First formal taxonomy of risks specific to autonomous AI agents (December 2025): goal hijacking, tool misuse, identity abuse, memory poisoning, cascading failures, rogue agents, and four others. Full table mapping each risk to Microsoft controls and Agent Governance Toolkit coverage. | frameworks.html |
| New | Regulatory deadlines, EU AI Act (August 2026) and Colorado AI Act (June 2026): both apply to organisations deploying high-risk AI agents. Added to the Frameworks page with key obligations and a callout on how the Classic Agent gap compounds regulatory risk. | frameworks.html |
| Updated | Kill switch gap updated: previously documented as "No platform-level agent kill switch". The Agent Governance Toolkit now provides an open-source programmatic kill switch with ring isolation and trust decay. Gap updated to reflect this partial resolution. | gaps.html |
APRIL 11, 2026
Purview Data Security: Three DLP Layers, Agentic Governance, DSPM Unification
| Type | Change | Page(s) Affected |
| New | Browser-layer DLP, Edge for Business inline protection: operates at the browser layer natively in Edge via Intune policy sync. Inspects typed prompt submissions to any GenAI app, including shadow AI. Activates without an endpoint DLP deployment. Extends to unmanaged (BYOD) devices where users are signed into an Edge for Business profile. Added to the product map with an architecture callout explaining all three DLP layers. | product-map.html |
| New | Network Data Security (network-layer DLP): covers the gap that endpoint and browser DLP cannot reach (unmanaged devices, desktop apps, Office add-ins, API calls). Delivered via Microsoft Entra Global Secure Access (preview). Added to the product map and gaps page. | product-map.html, gaps.html |
| New | Agentic data governance: DLP policies now extend to agent-to-human, agent-to-tool, and agent-to-agent interactions. Sensitive files can be blocked from being used as grounding data. Agent instances in Agent 365 are automatically enrolled for audit and data classification at creation. IRM, DLM, and eDiscovery apply to agent-generated content. | product-map.html, copilot-vs-foundry.html |
| Updated | DSPM for AI card updated: now reflects the broader scope covering Copilot, Foundry/Entra apps, and third-party GenAI tools via browser telemetry. Notes the upcoming unification of DSPM and DSPM for AI into a single pane. | product-map.html |
| New gap | DLP coverage gap on unmanaged non-Edge devices: browser-layer DLP covers only Edge for Business. Chrome/Firefox/Safari users on BYOD have no browser-layer coverage until Network Data Security (GSA) reaches GA. | gaps.html |
Source
LinkedIn post by the Microsoft Purview field research team (April 11, 2026) covering DSPM for AI, Edge for Business inline protection, Network Data Security, and agentic data governance.
APRIL 10, 2026
New Page: Copilot Studio vs Microsoft Foundry · Playbook 05 · Merge: Frameworks + Zero Trust
| Type | Change | Page(s) Affected |
| New page | Copilot Studio vs Microsoft Foundry, a condensed security handbook: a single page covering both platforms side by side, with the five Copilot Studio auth patterns, the Classic vs Modern gap, the 30-minute audit KQL, critical gaps, the Foundry resource/project model, four logging layers, what to enable for SecOps, and Foundry-specific gotchas. Added between Playbooks and Changelog in the nav. | copilot-vs-foundry.html |
| New | Playbook 05, Microsoft Foundry Security Logging: a five-step runbook covering Activity Log routing, Diagnostic Settings at resource level (Audit + RequestResponse), Diagnostic Settings at project level (separate; they do not cascade from the resource), Entra ID logs at tenant level, and the Application Insights connection. Includes content capture governance guidance and a deployment checklist. Sourced from the Cyphora.io Foundry logging overview (April 10, 2026). | playbooks.html |
| Merged | Zero Trust for AI merged into the Frameworks page: Zero Trust principles, the maturity model, and the 12 priority controls now sit alongside NIST AI RMF and ISO 42001 on a single "Frameworks, Standards & Zero Trust" page. zero-trust.html retired. Nav reduced from 13 to 12 pages (before the CS vs Foundry addition). | frameworks.html |
| Renamed | Azure AI Foundry → Microsoft Foundry across all pages: effective January 1, 2026, Microsoft renamed Azure AI Foundry to Microsoft Foundry in the January 2026 Product Terms. This was the third rename in two years (Azure AI Studio → Azure AI Foundry → Microsoft Foundry). | All pages |
APRIL 7, 2026
Agent Identity Architecture: Five Patterns, A2A Protocol, Agent Sprawl
| Type | Change | Page(s) Affected |
| New | Agent's User Account, the fifth authentication pattern: an agent provisioned with a full human user account (mailbox, calendar, Teams membership). The highest-risk pattern, because a compromised agent is indistinguishable from a human user. Added to the authentication patterns table. | identity.html |
| New | Agent sprawl, a named concept and lifecycle risk section: Microsoft formally defines agent sprawl as the uncontrolled expansion of agents without visibility, management, or lifecycle controls. Added to the identity and gaps pages with consequences and mitigations. | identity.html, gaps.html |
| New | A2A (Agent-to-Agent) protocol: an emerging standard for authenticated inter-agent communication, supported by Entra Agent ID alongside MCP. Added to the identity and MCP pages with a comparison table and risk callout. | identity.html, mcp.html |
| New | Agent-to-agent propagation, new threat scenario (Scenario 7): a compromised orchestration agent propagates the compromise to sub-agents across the entire agent chain. Full attack chain with controls and an A2A gap note. | threats.html |
| New | Microsoft Managed Policies for agents, a new significant gap: automatic baseline CA policies that block high-risk agents. Many organisations are unaware of them or not using them. Added to the gaps page. | gaps.html |
| New page | Zero Trust for AI, new dedicated page: covers the three Zero Trust principles applied specifically to AI agents, a three-stage maturity model (Visibility → Control → Automation), and 12 priority controls from the Microsoft Zero Trust Workshop AI section with implementation effort ratings. Added to the nav between Frameworks and Gaps. | zero-trust.html |
MARCH 30, 2026
Agent Authentication Patterns + CA for Agents Correction
| Type | Change | Page(s) Affected |
| Correction | Conditional Access for Agents does NOT apply to Copilot Studio agents: corrected on both the identity page and the product map card. CA for Agents triggers only during modern Agent ID authentication (OAuth 2.0), as used by Security Copilot and AI Foundry. Copilot Studio agents use OBO, maker credentials, or a service principal, none of which trigger CA for Agents. Field-validated by Derk van der Woude (March 2026). | identity.html, product-map.html |
| New | Four Copilot Studio authentication patterns table: new section on the identity page covering all four patterns, End User Credentials (OBO), Maker-Provided Credentials, App Registration Delegated, and App Registration Application Permissions. Includes a risk rating and detection method for each. | identity.html |
| New | Precise maker credentials KQL: Playbook 01 Step 4 upgraded with Derk's field-validated query, which checks both AgentToolsDetails and AgentTopicsDetails for maker-mode connections. More precise than the previous agent-level auth type check. | playbooks.html |
| New | App Registration Graph API detection KQL: new Playbook 01 Step 4b detects agents using HTTP Request actions to graph.microsoft.com or management.azure.com, identifying potential application-permission agents (very high risk, tenant-wide access). | playbooks.html |
| New | Change-detection KQL for auth type downgrade, added to Playbook 01 Step 1: detects when a published agent's authentication is changed to None, designed to be saved as a Sentinel Analytics Rule for real-time alerting. Sourced from Derk's AI Agent Inventory blog (November 2025). | playbooks.html |
| New | Any user can change another agent's auth type, a new significant gap: by design in Copilot Studio, any tenant user can downgrade another agent's authentication to No Authentication, even without being the owner. Added to Significant Gaps with interim mitigations. | gaps.html |
| New | Community Queries tip added to Playbook 01: Defender Advanced Hunting has a dedicated AI Agents section with queries from the Microsoft Product Group. Callout added to the Playbook 01 checklist. | playbooks.html |
MARCH 27, 2026
AI Model Supply Chain Coverage + Field Research Integration
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| New | AI Model Scanning (Defender for Cloud) – new product card added covering malware, unsafe operator, and backdoor scanning for Azure ML models. Includes CLI integration, CI/CD gating, and Defender XDR alert integration. Sourced from Microsoft Defender for Cloud Blog RSAC 2026 announcement. | product-map.html |
| New | AI Model Supply Chain Attack scenario – new threat scenario added covering poisoned pretrained models (Hugging Face/Azure ML), training data poisoning, CI/CD pipeline injection, and unsafe ML serialisation operators. Includes controls and gap assessment. | threats.html |
| New | AI model supply chain risk row – added to the AI Risk Taxonomy table covering pre-deployment model risks that traditional AppSec doesn't address. | risk.html |
| New | Agent 365 Tools Gateway (ATG) runtime (RT) protection – clarified that Defender RT protection integrates with Agent 365's tools gateway, not just Copilot Studio. Every agent tool invocation through ATG is evaluated before execution with SOC-ready alerts. | product-map.html |
Sources for this update
Microsoft Defender for Cloud Blog – "Defending the AI Era: New Microsoft Capabilities to Protect AI" (March 20, 2026) · Microsoft Security Blog – "Secure Agentic AI End-to-End" (March 20, 2026)
MARCH 28, 2026
Purview DLP External Web Search Blocking
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| New | Purview DLP external web search blocking (Coming June/July 2026) – new DLP policy option to prevent Copilot from sending prompts containing selected Sensitive Information Types (SITs) to external web search. When triggered, Copilot continues responding using internal Microsoft Graph data only. Alerts in DLP Alerts and Activity Explorer under DSPM for AI. GA June/July 2026, opt-in required. | product-map.html, gaps.html |
| Correction | Purview DLP SIT blocking description corrected – initial entry incorrectly stated: (a) the feature was "coming June/July 2026" – it is already in Preview, June/July is the GA target; (b) Copilot "continues responding using internal Graph sources" when triggered – it does not respond at all; (c) only external web search was blocked – both internal and external searches are blocked. Also added: files uploaded directly into prompts are not scanned by DLP (only typed text); the two DLP conditions (SITs and sensitivity labels) cannot be in the same rule. | product-map.html, gaps.html |
MARCH 26, 2026
Initial Public Release + Major Content Update
| Type | Change | Page(s) Affected |
| --- | --- | --- |
| New | Copilot Data Connector for Microsoft Sentinel – new product card added covering the CopilotActivity table, supported record types (CopilotInteraction, plugin lifecycle, CopilotPromptBook, CopilotAgentManagement), Sentinel data lake integration, and MCP server integration. Sourced from Microsoft Sentinel Community Hub blog (February 4, 2026). | product-map.html |
| New | CopilotActivity prompt data sensitivity gap – new significant gap added: ingesting prompt content into Sentinel creates a sensitive artifact. Ingestion costs apply. Interim mitigations: field-level masking, restricted table access, retention policies, staged rollout. | gaps.html |
| Updated | Microsoft Sentinel card updated – UEBA Behaviors layer now GA, Custom Guidebooks for Copilot Guided Response now GA, Connector Builder Agent preview (March 31) added to card. | product-map.html |
| New | 10,000ft stack visualisation – interactive 5-layer diagram on the Overview page showing the full AI security stack with GA/Preview/Gap status at a glance. Each layer is clickable. | overview.html |
| New | Image & URL-based XPIA variant – new sub-scenario added to the XPIA threat chain covering how attackers embed malicious instructions in images or URLs to bypass text-based injection filters. Includes the Block Images and URLs control. | threats.html |
| New | Classic vs Modern agent security product coverage table – 10-row table showing exactly which Defender and Entra security products apply to Classic agents vs Modern agents. | identity.html |
| New | Field research callout on Identity page – two-column reference section linking to official Microsoft Learn docs and field research covering Classic & Modern agent security controls. | identity.html |
| New | Portal inventory count inconsistency gap – Agent 365, Security Dashboard, and Entra Agent ID portal show different agent counts. Microsoft confirmed this is a known issue. Added to Significant Gaps. | gaps.html |
| New | Purview triage agent 90-day re-auth gap – Purview Security Copilot triage agents stop running after 90 days without a manual config re-save. No automatic renewal. Added to Significant Gaps. | gaps.html |
Sources for this release
Microsoft Security Blog (RSAC 2026, March 20 2026) · Microsoft Tech Community · learn.microsoft.com · Microsoft Copilot Studio agent security field research · NIST AI RMF 1.0 · ISO/IEC 42001:2023 · Derk van der Woude Medium blog series (Microsoft Security MVP)