This site is a living document. Microsoft updates products and capabilities frequently - this log tracks meaningful content changes, corrections, and additions. Minor fixes (typos, link corrections) are not listed.
Entries marked New are net-new content additions. Entries marked Updated are corrections or refinements to existing content. Entries marked Correction are cases where earlier content was wrong or misleading and has been fixed.
| Type | Change | Page(s) Affected |
|---|---|---|
| New | Agent's User Account - fifth authentication pattern - an agent provisioned with a full human user account (mailbox, calendar, Teams membership). Highest risk pattern: compromised agent is indistinguishable from a human user. Added to the authentication patterns table. | identity.html |
| New | Agent sprawl - named concept and lifecycle risk section - Microsoft formally defines agent sprawl as uncontrolled expansion of agents without visibility, management, or lifecycle controls. Added to identity page and gaps page with consequences and mitigations. | identity.html, gaps.html |
| New | A2A (Agent-to-Agent) protocol - emerging standard for authenticated inter-agent communication, supported by Entra Agent ID alongside MCP. Added to identity page and MCP page with comparison table and risk callout. | identity.html, mcp.html |
| New | Agent-to-agent propagation - new threat scenario (Scenario 7) - compromised orchestration agent propagates compromise to sub-agents across the entire agent chain. Full attack chain with controls and A2A gap note. | threats.html |
| New | Microsoft Managed Policies for agents - new significant gap - automatic baseline CA policies that block high-risk agents. Many organisations unaware of or not using these. Added to gaps page. | gaps.html |
| Type | Change | Page(s) Affected |
|---|---|---|
| Correction | Conditional Access for Agents does NOT apply to Copilot Studio agents - corrected on both the identity page and product map card. CA for Agents only triggers during modern Agent ID authentication (OAuth 2.0), used by Security Copilot and AI Foundry. Copilot Studio agents use OBO, maker credentials, or service principal - none of which trigger CA for Agents. Field-validated by Derk van der Woude (March 2026). | identity.html, product-map.html |
| New | Four Copilot Studio authentication patterns table - new section on identity page covering all four patterns: End User Credentials (OBO), Maker-Provided Credentials, App Registration Delegated, App Registration Application Permissions. Includes risk rating and detection method for each. | identity.html |
| New | Precise maker credentials KQL - upgraded Playbook 01 Step 4 with Derk's field-validated query that checks both AgentToolsDetails and AgentTopicsDetails for maker mode connections. More precise than the previous agent-level auth type check. | playbooks.html |
| New | App Registration Graph API detection KQL - new Playbook 01 Step 4b detects agents using HTTP Request actions to graph.microsoft.com or management.azure.com, identifying potential application permission agents (very high risk - tenant-wide access). | playbooks.html |
| New | Change-detection KQL for auth type downgrade - added to Playbook 01 Step 1. Detects when a published agent's authentication is changed to None - designed to be saved as a Sentinel Analytics Rule for real-time alerting. Sourced from Derk's AI Agent Inventory blog (November 2025). | playbooks.html |
| New | Any user can change another agent's auth type - new significant gap - by design in Copilot Studio, any tenant user can downgrade another agent's authentication to No Authentication, even without being the owner. Added to Significant Gaps with interim mitigations. | gaps.html |
| New | Community Queries tip added to Playbook 01 - Defender Advanced Hunting has a dedicated AI Agents section with queries from the Microsoft Product Group. Callout added to Playbook 01 checklist. | playbooks.html |
| Type | Change | Page(s) Affected |
|---|---|---|
| New | AI Model Scanning (Defender for Cloud) - new product card added covering malware, unsafe operator, and backdoor scanning for Azure ML models. Includes CLI integration, CI/CD gating, and Defender XDR alert integration. Sourced from Microsoft Defender for Cloud Blog RSAC 2026 announcement. | product-map.html |
| New | AI Model Supply Chain Attack scenario - new threat scenario added covering poisoned pretrained models (Hugging Face/Azure ML), training data poisoning, CI/CD pipeline injection, and unsafe ML serialisation operators. Includes controls and gap assessment. | threats.html |
| New | AI model supply chain risk row - added to the AI Risk Taxonomy table covering pre-deployment model risks that traditional AppSec doesn't address. | risk.html |
| New | Agent 365 Tools Gateway (ATG) RT protection - clarified that Defender RT protection integrates with Agent 365's tools gateway, not just Copilot Studio. Every agent tool invocation through ATG is evaluated before execution with SOC-ready alerts. | product-map.html |
Microsoft Defender for Cloud Blog - "Defending the AI Era: New Microsoft Capabilities to Protect AI" (March 20, 2026) · Microsoft Security Blog - "Secure Agentic AI End-to-End" (March 20, 2026)
| Type | Change | Page(s) Affected |
|---|---|---|
| New | Purview DLP external web search blocking (Coming June/July 2026) - new DLP policy option to prevent Copilot from sending prompts containing selected Sensitive Information Types (SITs) to external web search. When triggered, Copilot continues responding using internal Microsoft Graph data only. Alerts in DLP Alerts and Activity Explorer under DSPM for AI. GA June/July 2026, opt-in required. | product-map.html, gaps.html |
| Correction | Purview DLP SIT blocking description corrected - initial entry incorrectly stated: (a) the feature was "coming June/July 2026" - it is already in Preview, June/July is the GA target; (b) Copilot "continues responding using internal Graph sources" when triggered - it does not respond at all; (c) only external web search was blocked - both internal and external searches are blocked. Also added: files uploaded directly into prompts are not scanned by DLP (only typed text); the two DLP conditions (SITs and sensitivity labels) cannot be in the same rule. | product-map.html, gaps.html |
Microsoft Purview product announcement (March 2026) · learn.microsoft.com - DLP for M365 Copilot (official docs, updated Feb 2026)
| Type | Change | Page(s) Affected |
|---|---|---|
| New | Copilot Data Connector for Microsoft Sentinel - new product card added covering the CopilotActivity table, supported record types (CopilotInteraction, plugin lifecycle, CopilotPromptBook, CopilotAgentManagement), Sentinel data lake integration, and MCP server integration. Sourced from Microsoft Sentinel Community Hub blog (February 4, 2026). | product-map.html |
| New | CopilotActivity prompt data sensitivity gap - new significant gap added: ingesting prompt content into Sentinel creates a sensitive artifact. Ingestion costs apply. Interim mitigations: field-level masking, restricted table access, retention policies, staged rollout. | gaps.html |
| Updated | Microsoft Sentinel card updated - UEBA Behaviors layer now GA, Custom Guidebooks for Copilot Guided Response now GA, Connector Builder Agent preview (March 31) added to card. | product-map.html |
| New | 10,000ft stack visualisation - interactive 5-layer diagram on the Overview page showing the full AI security stack with GA/Preview/Gap status at a glance. Each layer is clickable. | overview.html |
| New | Image & URL-based XPIA variant - new sub-scenario added to the XPIA threat chain covering how attackers embed malicious instructions in images or URLs to bypass text-based injection filters. Includes the Block Images and URLs control. | threats.html |
| New | Classic vs Modern agent security product coverage table - 10-row table showing exactly which Defender and Entra security products apply to Classic agents vs Modern agents. | identity.html |
| New | Field research callout on Identity page - two-column reference section linking to official Microsoft Learn docs and field research covering Classic & Modern agent security controls. | identity.html |
| New | Portal inventory count inconsistency gap - Agent 365, Security Dashboard, and Entra Agent ID portal show different agent counts. Microsoft confirmed this is a known issue. Added to Significant Gaps. | gaps.html |
| New | Purview triage agent 90-day re-auth gap - Purview Security Copilot triage agents stop running after 90 days without a manual config re-save. No automatic renewal. Added to Significant Gaps. | gaps.html |
Microsoft Security Blog (RSAC 2026, March 20 2026) · Microsoft Tech Community · learn.microsoft.com · Microsoft Copilot Studio agent security field research · NIST AI RMF 1.0 · ISO/IEC 42001:2023 · Derk van der Woude Medium blog series (Microsoft Security MVP)