Microsoft Security
Products for AI

Unified control plane for all agents. Inventory, governance, and security posture across Microsoft and partner agents. Licensing is per-user, not per-agent — governance scope does not scale with agent count. Includes new Defender, Entra, and Purview capabilities to secure agent access and prevent data oversharing.

Unified CISO-level AI risk aggregation from Defender + Entra + Purview. AI inventory covering agents, MCP servers, models, apps — including third-party AI (ChatGPT, Gemini). Security Copilot NL-driven risk exploration. Now generally available — previously preview.

Assign control collections to specific models or agents in Microsoft Foundry. Limits tools available to each agent, constrains output behaviour, enforces content safety at the orchestration layer. Only applies to Foundry-deployed agents.

Bundles M365 Copilot + Agent 365 + Entra Suite + M365 E5. Agent 365 included but inherits the same per-user licensing model. Best for orgs where agents are tightly coupled to named users.

Register agents as non-human identities. Human sponsor required. Lifecycle automation. Currently limited preview — frontier/large enterprise only. Agents still use OBO flow underneath. Only applies to Modern Agents — most existing Copilot Studio agents are Classic Agents (Service Principals) and receive no Entra Agent ID protection. Migration tool from Classic to Modern does not yet exist. Agent names do not sync on rename — original "Agent #" name persists in Entra.

Registry convergence (April 2026): The Entra admin center now focuses on identity and access management only — it shows agents with Entra Agent ID only. For comprehensive inventory of all agents (including those without an identity), use Agent 365 via M365 admin center → Agents → All agents. Roles: Agent ID Administrator for Entra operations; AI Administrator or AI Reader for Agent 365 inventory (no licence required for inventory view).

Today's real-world primitive for non-human identities. Designed for apps/services — not purpose-scoped for individual agents. Lacks agent-specific lifecycle governance and sponsor model. The current stopgap while Agent ID matures.

CA for Agent ID (Preview) — extends Zero Trust Conditional Access to AI agents as first-class identities. Applies to Modern agents with Entra Agent ID (Agent Identities + Agent Users). Supports: block by agent risk level (from ID Protection), target by custom security attributes, scope by Blueprint, or select specific agent object IDs. Does NOT apply to: Classic Copilot Studio agents (OBO/maker/service principal auth), custom Security Copilot agents ("Connect with existing user account"). CA carve-outs by design: Blueprint token acquisition (T1/creation flows) and intermediate token exchange are excluded — agentic task flows (T2) are protected.

Secure web and AI gateway. Shadow AI Detection now GA on March 31 — uses network layer to identify unknown AI applications. Prompt Injection Protection also GA March 31 2026 — enforces universal network-level policies to block malicious AI prompts across apps and agents.

Extends Global Secure Access network security controls to Copilot Studio agent outbound traffic — the same policies applied to user browser traffic now apply to agent HTTP, custom connector, and MCP Server Connector calls. Agent traffic is forwarded from Power Platform to Global Secure Access's proxy. Policies evaluated before traffic reaches external resources.

Traffic covered: HTTP Node, Custom connectors, MCP Server Connector.
Configure: Power Platform Admin Center → per-environment or per-environment-group.
Policy via: Global Secure Access baseline profile (tenant-level).
Prerequisite: Entra Agent ID (Frontier programme) + M365 Copilot licence.

Connect external MFA providers directly with Microsoft Entra — leverage pre-existing MFA investments or use highly specialised MFA methods alongside Entra authentication flows. New at RSAC 2026.

Automated backup of Entra directory objects to enable rapid recovery in case of accidental deletion or unauthorised changes. New resilience capability for identity infrastructure.

Discover unmanaged (shadow) Entra tenants and establish consistent tenant policies and governance in multi-tenant environments. Addresses the risk of unsanctioned AI deployments creating orphaned tenants.

New dashboard in Microsoft Defender highlighting the most impactful insights across human and non-human identities. New identity risk score unifies account-level risk signals for real-time access decisions and SecOps investigations.

Runtime defence against direct and indirect prompt injection at the orchestration layer. Inspects user inputs AND content retrieved by the agent (RAG, tool outputs) before it reaches the model decision loop.

API-level model I/O filters: harmful content, jailbreak attempts, protected material, groundedness violations. Operates at the model boundary — separate from Prompt Shields which operates at the orchestration layer.

Dynamically adjusts identity and access policies during active attacks — reducing exposure and limiting lateral movement in real time. Applies to both human and agent identities during incidents. New at RSAC 2026.

CSPM and runtime threat protection for AI infrastructure. Monitors model deployments, API access patterns, and agent behaviour. Expanded container security at RSAC 2026 including binary drift and antimalware prevention.

Public Preview (February 3, 2026). Ingests Copilot audit logs from the Purview Unified Audit Log (UAL) — which is enabled by default for all tenants — into the CopilotActivity table in Sentinel. Eliminates the need to go to the Purview portal to see Copilot activity; data is proactively available in Sentinel for analytic rules, workbooks, hunting queries, and automation.

21 supported record types (full list):
261 CopilotInteraction · 310-314 Plugin lifecycle (create/update/delete/enable/disable) · 315-319 Workspace lifecycle · 320-324 PromptBook lifecycle · 325 UpdateCopilotSettings · 334 TeamCopilotInteraction · 363 Microsoft365CopilotScheduledPrompt · 371 OutlookCopilotAutomation · 389 CopilotForSecurityTrigger · 390 CopilotAgentManagement

Deployment: Sentinel Content Hub → search "Copilot" → Install solution → Open Connector Page → Enable. Requires Global Administrator or Security Administrator role.

Sentinel data lake: Also supports data lake ingestion — lower cost, longer retention, integrates with Custom Graphs, MCP server, and Power BI.

Critical caveats:
⚠ Single-tenant only — not designed for multi-tenant or MSSP scenarios.
⚠ Ingestion costs apply — billed at workspace or data lake tier pricing.
⚠ Prompt content is a sensitive artifact — apply field-level masking and strict access controls on the CopilotActivity table. Not all record types include prompt text, but CopilotInteraction and CopilotForSecurityTrigger may.

Advanced Hunting table in Defender XDR capturing all M365 Copilot and Security Copilot audit activity, agent lifecycle events, DLP rule matches, and cloud app activity across M365 and connected SaaS apps. Populated by Defender for Cloud Apps.

Key ActionTypes for AI security: UpdateCopilotAgent, CopilotInteraction, CopilotForSecurityTrigger, DLPRuleMatch, plugin lifecycle events (create/update/delete).

Prerequisites: Settings → Cloud Apps → App connectors → Microsoft 365 → select Microsoft 365 activities checkbox. Without this, CloudAppEvents queries return no results.

Critical limitation: Metadata only — user identity, app name, agent name, ActionType, timestamp. No prompt content, no response text. For full prompt/response visibility, pivot to Purview DSPM for AI Activity Explorer.

Also available in Sentinel: Enable Defender raw event logs in your Sentinel workspace. CloudAppEvents flows in automatically — no separate connector needed. Enables cross-signal KQL correlation: CloudAppEvents + EmailEvents + IdentityLogonEvents + AIAgentsInfo.

Sample cross-correlation query: Copilot agent change → suspicious email from same account (join CloudAppEvents where ActionType startswith "UpdateCopilotAgent" with EmailEvents where Subject has "confidential").

Scans AI models in Azure ML registries and workspaces for malware, unsafe operators, and backdoors across common model formats. Recurring scans surface as security recommendations per model. High-confidence detections generate Defender XDR SOC alerts. CLI integration enables in-pipeline scanning during CI/CD build. Gating capability blocks unsafe models from reaching a registry. New at RSAC 2026.

Governs how AI agents and MCP tools access SaaS. Discovers shadow AI, governs OAuth permissions, detects over-privileged agent-to-SaaS access. For Copilot Studio specifically: provides real-time protection — blocks tool invocations if a prompt is suspicious. 1-second timeout: if no decision returned in time, tool executes. Not a guaranteed prevention control.

Microsoft's open-source AI red teaming framework for automated adversarial testing of AI agents and LLM applications before deployment. Battle-tested on 100+ Microsoft products including Copilot. MIT licensed, 3,800+ GitHub stars.

53+ adversarial datasets: AIRT, HarmBench, AdvBench, XSTest — curated prompts covering content harms, jailbreaks, data exfiltration, and social bias.
70+ prompt converters: Base64, ROT13, Leetspeak, Unicode confusables, LLM-powered rephrasing, translation, multimodal injection. Converters stack — a prompt can be translated, Base64-encoded, then embedded in an image.
6 attack strategies: PromptSendingAttack (single-turn), CrescendoAttack (gradual escalation), TreeOfAttacksWithPruning (TAP), and multi-turn dialogue attacks.
20+ scorers: LLM-as-judge, Azure AI Content Safety, true/false classifiers, Likert scales.
10+ targets: OpenAI, Azure, HuggingFace, HTTP endpoints, Playwright, WebSockets.

Key distinction: Tests two risk surfaces simultaneously — security vulnerabilities (prompt injection, data exfiltration) AND responsible AI harms (bias, toxicity, manipulation). Traditional pen testers focus on one.

Open-source Microsoft tool for pre-deployment Copilot readiness assessment. Queries your tenant APIs directly (Microsoft Graph, Defender, Exchange Online, Power Platform) and generates a prioritised, actionable report in minutes — not weeks of manual discovery.

Six service domains assessed in one run: M365 licensing, Entra identity protection, Defender security posture, Purview compliance, Power Platform governance, Copilot Studio readiness. 200+ feature evaluations with Copilot-specific risk context for every finding.

Output: CSV and Excel reports with High/Medium/Low priority recommendations, direct links to Microsoft remediation docs, and timestamps for tracking progress across multiple runs.

Security: Runs entirely within your environment. Read-only API permissions. No data leaves your tenant. Zero cost — open source, no licensing fees.

git clone https://github.com/microsoft/m365-copilot-automated-readiness-assessment
python main.py

Microsoft Foundry tool for automated adversarial testing of AI models and agents. Runs automated scans simulating adversarial probing, scores each attack-response pair, and generates Attack Success Rate (ASR) metrics and a deployment scorecard. Built on PyRIT (open-source).

Three agentic-specific risk categories (cloud-only):
• Prohibited actions — tests whether agents perform universally banned actions (facial recognition, social scoring), high-risk actions needing human-in-the-loop (financial transactions, medical decisions), or irreversible actions (file deletion, system resets)
• Sensitive data leakage — tests for leakage of financial, medical, and personal data from internal knowledge bases via tool calls
• Task adherence — tests whether agents faithfully complete assigned tasks: goal achievement, rule compliance, procedural discipline

Also tests: indirect prompt injection (XPIA) via synthetic mock tool outputs. Use in a "purple environment" — non-production with production-like resources.

Microsoft's open-source Python framework for AI red teaming. Powers the AI Red Teaming Agent. Provides a library of attack strategies for adversarial probing of AI systems — including character substitution ciphers, encoding attacks (Base64, ASCII), ANSI manipulation, and multi-turn adversarial conversation. Can be used standalone outside Foundry for custom red teaming pipelines.

Open-source MIT-licensed toolkit from Microsoft providing runtime security governance for autonomous AI agents. Seven packages: Agent OS — stateless policy engine intercepting every agent action at sub-millisecond latency (<0.1ms p99); Agent Mesh — cryptographic identity (DIDs, Ed25519), Inter-Agent Trust Protocol, dynamic trust scoring 0-1000; Agent Runtime — execution rings, saga orchestration, emergency kill switch; Agent SRE — circuit breakers, SLOs, chaos engineering; Agent Compliance — automated OWASP Agentic AI Top 10 evidence collection, EU AI Act and HIPAA mapping; Agent Marketplace — plugin signing and supply-chain security; Agent Lightning — RL training governance. Framework-agnostic — works with LangChain, AutoGen, CrewAI, Microsoft Agent Framework, Foundry. Available in Python, TypeScript, Rust, Go, .NET.

SIEM + SOAR. Ingests AI-specific telemetry: agent behaviour logs, MCP server activity, Copilot interaction signals. RSAC 2026 updates: Data Federation via Microsoft Fabric (Preview), Playbook Generator (Preview), MCP Entity Analyzer (GA April), Custom Graphs via Fabric (Preview), Security Store in Purview + Entra (GA March 31), GDAP + unified RBAC for cross-tenant management (Preview). May 2026: Microsoft Copilot solution added to Content Hub — 6 analytic rules (Jailbreak Attempt, Access from External IP, Plugin Created by Non-Admin, Plugin Tampering, Plugin Enabled After Disabled, File Uploads Disabled) + Microsoft Copilot Activity Monitoring workbook (7 sections). Deploy as single solution from Content Hub. Source: Samik Roy, Microsoft Sentinel GitHub. UEBA Behaviors layer now GA. Custom Guidebooks for Copilot Guided Response now GA.

Dedicated posture management surface covering Copilot experiences, enterprise apps via Entra/Foundry, and third-party GenAI tools detected through browser telemetry and the Defender for Cloud Apps catalog. Data risk assessments, oversharing detection, one-click policies. A preview now unifies DSPM and DSPM for AI into a single pane of glass.

Two distinct DLP capabilities for M365 Copilot and Copilot Chat. ① Block files/emails with sensitivity labels (GA): prevents labelled files and emails from being used in Copilot response summaries. Items still appear in citations but content is excluded. ⚡ April 2026 update — all storage locations: Previously, label-blocking only applied to files in SharePoint and OneDrive. Rolling out mid-April to May 2026: DLP label-blocking now applies to Word, Excel, and PowerPoint files regardless of where they are stored — local device, network shares, non-Microsoft cloud. No policy changes needed; existing rules apply automatically. Triggered by bug CW1226324 (January 2026) in which Copilot accessed confidential emails in Outlook Drafts/Sent Items despite DLP labels. ② Block SITs in prompts (Preview — GA planned June/July 2026): when a typed prompt contains a selected Sensitive Information Type, Copilot returns no response. Available in M365 Copilot, Copilot Chat, Word/Excel/PowerPoint, and prebuilt agents. Key caveats: The two conditions cannot be combined in the same rule. DLP cannot scan files uploaded directly into prompts — only typed text is evaluated. Policy changes take up to 4 hours to apply. Admin Units not supported.

Inline protection natively integrated into Edge for Business via Intune policy sync. Performs deep content inspection on typed prompt submissions to unmanaged GenAI apps — not just file transfers. Crucially, activates without endpoint DLP deployment and extends to unmanaged (BYOD) devices where users are signed into their Edge for Business profile. Covers shadow AI tools that policy-layer DLP cannot reach.

Covers the gap endpoint and browser DLP cannot reach: unmanaged devices without Edge for Business, desktop apps, Office add-ins, and API calls. Delivered natively via Microsoft Entra Global Secure Access. Optional SASE/SSE partner integrations available for broader coverage. Policies follow the data — not the app or device.

DLP policies now explicitly extend to agent-to-human, agent-to-tools, and agent-to-agent interactions. Sensitive files can be blocked from being used as grounding data. Agent instances in Agent 365 are automatically enrolled for audit and data classification at creation — treated as auditable entities alongside users. IRM, DLM, and eDiscovery all apply to agent-generated content.

Extends sensitivity labels into AI workflows. Prevents agents from accessing, generating, or transmitting content violating classification policies. Integrates with Entra Internet Access for network-layer enforcement.

Monitors Copilot and agent conversations for policy violations and regulatory issues. OBO note: attribution may show user identity rather than agent identity in audit logs.

Unified view of AI-related data risk directly in the Microsoft 365 Admin Center. Brings Purview data security insights into the same admin surface where Copilot is configured and governed. New at RSAC 2026.

Tracks what data agents access, process, and output at runtime. Creates a complete data access audit map for compliance and forensics teams. Feeds into eDiscovery workflows.

Included with Microsoft 365 Copilot licences at no extra cost. Provides Copilot-specific SharePoint governance: Content Management Assessment — scans for overshared, ownerless, and inactive sites that could expose data via Copilot. Restricted Content Discovery (RCD) — excludes specific sites from Copilot grounding entirely (interim protection while remediating). Site Access Reviews — lets site owners remove excess users, groups, and company-wide sharing links. Restricted Access Control (RAC) — enforces access defaults at provisioning. Site ownership policies ensure all sites have an accountable owner.

Insider Risk Management detects patterns of inappropriate or non-compliant Copilot usage — unusual data access, risky sharing behaviour, potential exfiltration via prompts. Adaptive Protection automatically enrolls risky users into more restrictive DLP policies without manual intervention. For AI: a user exhibiting risky Copilot usage patterns gets automatically moved to stricter prompt and data access controls. Closes the gap between detection and enforcement.

Compliance Manager now includes AI-related regulatory assessment templates. Assesses your tenant against EU AI Act, NIST AI RMF, and other AI governance frameworks — surfacing specific improvement actions for data protection, auditability, and AI usage controls. The operational tool for closing EU AI Act (August 2026) and Colorado AI Act (June 2026) compliance gaps identified on the Frameworks page.

AI assistant embedded in Defender, Entra, Intune, Purview. Automates threat hunting, phishing triage, identity risk remediation. Included for M365 E5 at 400 SCU per 1,000 users/month. Over 15 new partner-built agents available via Security Store.

Helps accelerate threat investigations by providing contextual analysis and guided workflows in Microsoft Defender. Deep multi-step investigation using Defender and Sentinel telemetry. Announced at RSAC 2026.

Extends the phishing triage agent to cloud and identity — autonomously analyses, classifies, prioritises, and resolves repetitive low-value alerts at scale. Reduces analyst alert fatigue across identity and cloud signals.

Adds context-aware recommendations, deeper analysis, and phased rollout to strengthen identity security through Conditional Access policies. Agent is GA; RSAC 2026 enhancements are in preview.

Purview agent with new credential scanning capability — proactively detects credential exposure in your data estate. Helps surface hidden identity risks embedded in documents, repositories, and data stores.

Purview alert triage agent with advanced AI reasoning layer and improved interpretation of custom Sensitive Information Types — improves agent outputs during alert review. Agent is GA; RSAC 2026 enhancements in preview from March 31.

Automate device policy reviews, offboarding, and risk-based remediation within Intune. Policy Configuration Agent lets IT create and validate policies via natural language. Enhanced app inventory for AI-enabled apps GA in May.