📌 Author's note: This site synthesises the author's own understanding from publicly available Microsoft documentation, official Microsoft Security blog posts, RSAC 2026 announcements, and insights from Microsoft Security professionals and MVPs. It is independent and not affiliated with or endorsed by Microsoft. Microsoft updates products and documentation frequently — always verify current status directly with Microsoft before making architecture or purchasing decisions.
PRACTICAL PLAYBOOKS · MARCH 2026

From architecture
to action

Step-by-step security checklists for the most common AI security tasks. Each playbook distils field experience into the minimum viable set of controls — what to do, in what order, and what to watch for.

4 PLAYBOOKS
Based on field research
⚠ Verify steps with Microsoft docs — UIs change
PLAYBOOK 01
Audit Your Copilot Studio Estate
~30 min · Copilot Admin · No extra licensing
PLAYBOOK 02
Secure a New Copilot Studio Agent
~45 min · Power Platform Maker + Admin · Managed Environments required
PLAYBOOK 03
Set Up the Security Dashboard for AI
~2 hrs · Defender Admin + Power Platform Admin · Agent 365 or E7 required
PLAYBOOK 04
Respond to a Suspected Agent Compromise
~1 hr · Security Engineer · Sentinel + Defender required
PLAYBOOK 01
Audit Your Copilot Studio Estate in 30 Minutes
Find no-auth agents, overly shared agents, ownerless agents, and maker credential risks — using only KQL in Microsoft Defender Advanced Hunting. No extra licensing required beyond Defender.
✓ Works for Classic & Modern Agents ✓ No extra licensing ⚠ Requires AI Agent Inventory enabled
Prerequisite: Enable AI Agent Inventory
In Microsoft Defender portal → Settings → Cloud Apps → Copilot Studio AI Agents → enable. Then in Power Platform Admin Center → Security → Threat Detection → enable Microsoft Defender — Copilot Studio AI Agents. This is a dual-admin setup requiring both Defender admin and Power Platform admin.
⚠ Takes up to 2 hours for initial data population in the AIAgentsInfo table.
Step 1: Run this KQL in Defender Advanced Hunting
Finds published agents with no authentication configured — anyone with the link can chat with them.
AIAgentsInfo
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus == "Published"
| where UserAuthenticationType == "None"
| project AIAgentName, CreatorAccountUpn, OwnerAccountUpns, AgentCreationTime, UserAuthenticationType
⚠ Any result here is a critical finding. A no-auth published agent is accessible to anyone with the link — including external users if the agent is published to a website.
Also run this change-detection query — use as a Sentinel Analytics Rule to alert the moment any agent is switched to no-auth:
// Alert when a published agent's UserAuthenticationType changes to "None".
// Keep every snapshot (no arg_max) so that prev() compares the same agent's
// earlier state rather than the neighbouring agent's row; order by produces
// the serialized input that prev() requires.
AIAgentsInfo
| where AgentStatus == "Published"
| order by AIAgentId asc, Timestamp asc
| extend PreviousAuthType = prev(UserAuthenticationType, 1),
         PreviousAgentId = prev(AIAgentId, 1)
| where AIAgentId == PreviousAgentId
| where UserAuthenticationType == "None" and PreviousAuthType != "None"
| project AIAgentName, PreviousAuthType, UserAuthenticationType, ReportId = tostring(AIAgentId), Timestamp
💡 Save this as a Sentinel Analytics Rule to get an incident the moment a published agent is downgraded to no-auth — even if the change was made by someone who isn't the agent owner.
Step 2: Find agents with no accountable owner
Agents without an owner lack accountability — no one is responsible for reviewing or decommissioning them.
AIAgentsInfo
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus == "Published"
| where isempty(OwnerAccountUpns)
| project AIAgentName, CreatorAccountUpn, AgentCreationTime, AgentStatus
Step 3: Identify agents shared with the entire organisation
Org-wide sharing means every employee can interact with the agent. When combined with maker credentials this is critical — the maker's privileges are extended to everyone.
AIAgentsInfo
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus == "Published"
| where SharedWithOrganization == true
| project AIAgentName, CreatorAccountUpn, OwnerAccountUpns, UserAuthenticationType
⚠ Cross-reference this list with Step 4 (maker credentials). Any agent that is both org-wide shared AND uses maker credentials is your highest blast-radius risk.
Step 4: Find agents using maker credentials (Classic agents with connected services)
Classic Copilot Studio agents authenticate connected services (SharePoint, Outlook etc) using the builder's credentials — not the end user's. Review the creator of each published agent to assess blast radius.
let base = AIAgentsInfo
    | summarize arg_max(Timestamp, *) by AIAgentId
    | where AgentStatus == "Published";
// Maker-mode connections declared directly on the agent's tools
let directActions = base
    | mv-expand detail = AgentToolsDetails
    | where detail.action.connectionProperties.mode == "Maker"
    | extend ActionType = "FromTools", Action = detail.action
    | project-reorder AgentCreationTime, AIAgentId, AIAgentName, UserAuthenticationType, CreatorAccountUpn;
// Maker-mode connections invoked from topic dialogs
let topicActions = base
    | mv-expand topic = AgentTopicsDetails
    | extend topicActionsArray = topic.beginDialog.actions
    | mv-expand Action = topicActionsArray
    | where Action.connectionProperties.mode == "Maker"
    | extend ActionType = "FromTopic"
    | project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, Action;
directActions
| union topicActions
| sort by AIAgentId, Timestamp desc
💡 This query checks both AgentToolsDetails and AgentTopicsDetails — more precise than checking only UserAuthenticationType. Prioritise agents created by high-privilege users (Global Admins, SharePoint Admins).
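To do the Step 3 / Step 4 cross-reference in a single pass, the following added query (not from the page, and not a Microsoft-published query) combines the maker-credential detection above with the org-wide sharing, no-auth and ownerless checks from Steps 1 to 3 and ranks published agents by blast radius. It assumes the same AIAgentsInfo columns the queries above use; the RiskScore weights are an arbitrary choice for triage ordering.

```kql
// Added example: rank published agents by blast radius.
// Assumes the AIAgentsInfo columns used in Steps 1-4 of this playbook;
// the RiskScore weights are an assumption for triage ordering only.
let base = AIAgentsInfo
    | summarize arg_max(Timestamp, *) by AIAgentId
    | where AgentStatus == "Published";
// Agents with at least one maker-credential action among their tools...
let makerFromTools = base
    | mv-expand detail = AgentToolsDetails
    | where detail.action.connectionProperties.mode == "Maker"
    | distinct AIAgentId;
// ...or inside their topic dialogs
let makerFromTopics = base
    | mv-expand topic = AgentTopicsDetails
    | extend topicActionsArray = topic.beginDialog.actions
    | mv-expand Action = topicActionsArray
    | where Action.connectionProperties.mode == "Maker"
    | distinct AIAgentId;
let makerAgents = makerFromTools
    | union makerFromTopics
    | distinct AIAgentId;
base
| join kind=leftouter makerAgents on AIAgentId
// AIAgentId1 is the right-hand join key; it is empty when no maker action matched
| extend UsesMakerCredentials = isnotempty(AIAgentId1)
| extend NoAuth = UserAuthenticationType == "None",
         OrgWide = SharedWithOrganization == true,
         Ownerless = isempty(OwnerAccountUpns)
| extend RiskScore = iff(UsesMakerCredentials, 4, 0)
                   + iff(OrgWide, 3, 0)
                   + iff(NoAuth, 3, 0)
                   + iff(Ownerless, 1, 0)
| where RiskScore > 0
| project AIAgentName, AgentType, CreatorAccountUpn, OwnerAccountUpns,
          UserAuthenticationType, UsesMakerCredentials, OrgWide, NoAuth, Ownerless, RiskScore
| order by RiskScore desc, AIAgentName asc
```

Agents scoring 7 or more (maker credentials plus org-wide sharing) are the "highest blast-radius" set the warning above refers to; the creator UPN tells you whose privileges every user of the agent inherits.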
Step 4b: Detect agents using Entra App Registrations to call Microsoft Graph
Finds agents with HTTP Request actions calling graph.microsoft.com or management.azure.com. Delegated permissions = low risk. Application permissions (no user context, tenant-wide access, admin consent required) = very high risk. Check each result to determine which pattern is in use.
AIAgentsInfo
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| mv-expand Topic = AgentTopicsDetails
| where Topic has "HttpRequestAction"
| extend TopicActions = Topic.beginDialog.actions
| mv-expand action = TopicActions
| where action['$kind'] == "HttpRequestAction"
| extend Url = tostring(action.url.literalValue)
| extend ParsedUrl = parse_url(Url)
| extend Host = tostring(ParsedUrl["Host"])
| where Host has_any("graph.microsoft.com", "management.azure.com")
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, ParsedUrl, Url, Host, AgentStatus, CreatorAccountUpn, OwnerAccountUpns
⚠ Application permissions agents have no user context and can access data across the entire tenant. If you find any, verify admin consent was intentional and review the granted scopes immediately.
Step 5: Cross-check inventory counts
Compare agent counts across three portals — they will likely differ. Use the AIAgentsInfo table as your most reliable source.
// Total agents in AIAgentsInfo
AIAgentsInfo
| summarize arg_max(Timestamp, *) by AIAgentId
| summarize Total = count(),
            Published = countif(AgentStatus == "Published"),
            Classic = countif(AgentType == "Classic"),
            Modern = countif(AgentType == "Modern")
⚠ Known issue: Agent 365 portal, Security Dashboard for AI, and Entra Agent ID portal show different counts. Microsoft has confirmed this is in progress. Trust the KQL table for detailed audit work.
AUDIT CHECKLIST
AI Agent Inventory enabled and data populated: both Defender admin and Power Platform admin steps completed
No-auth agents identified and remediated: each should have Entra ID auth or be unpublished
Ownerless agents reviewed and assigned: every published agent should have an accountable owner
Org-wide shared agents reviewed: confirm each has legitimate business justification
High-privilege maker credentials identified: agents built by admins with org-wide sharing = critical priority
Findings documented for remediation tracking
Change-detection KQL saved as Sentinel Analytics Rule: alerts on any agent being switched to no-auth, even by non-owners
💡 Community Queries tip: In Defender Advanced Hunting → Community queries, there is a dedicated AI Agents section containing multiple queries created by the Microsoft Product Group. Check this section for the latest detection queries beyond what's listed here.
PLAYBOOK 02
Secure a New Copilot Studio Agent Before Publishing
Minimum security configuration for any new Copilot Studio agent — before it goes live. Covers authentication, sharing controls, MCP tool risk, and what to tell the maker.
⚠ Classic Agents: limited controls ✓ Modern Agents: full Entra stack Managed Environments required
Step 1: Enable Managed Environments in Power Platform
Power Platform Admin Center → Environments → select environment → Enable Managed Environments. This is the prerequisite for all governance controls including sharing limits and DLP policies.
Step 2: Set sharing limits before agents are built
In Power Platform Admin Center → Managed Environments → Sharing limits → configure who makers can share agents with. Setting this before building prevents org-wide sharing by default.
💡 Recommend: restrict to specific security groups by default. Require explicit approval for org-wide sharing.
Step 3: Brief the maker on maker credentials risk
When a maker adds a connector (SharePoint, Outlook, Teams) to a Classic agent, that connector authenticates as the maker — not the end user. Every user who interacts with the agent effectively acts with the maker's privileges. High-privilege makers (Global Admins, SharePoint Admins) should not build agents that access corporate data.
⚠ This is a build-time decision that cannot be fully mitigated after deployment. The right person needs to build the agent.
Step 4: Configure authentication — never leave as "No authentication"
In Copilot Studio → Settings → Security → Authentication → select "Authenticate with Microsoft" for internal agents. Enable "Require users to sign in". Classic agents: this is the primary identity control available. Modern agents: this plus Entra Agent ID controls.
⚠ Copilot Studio shows a warning at publish time if authentication is set to None — but makers can bypass it. Administrators can enforce this at the environment level via data policies.
Step 5: Review MCP tools carefully before adding
Every MCP tool added to a Classic agent uses maker credentials. Each tool expands the blast radius. For each tool ask: (a) does this tool need to authenticate as the maker? (b) could a malicious prompt abuse this tool to exfiltrate data? (c) is there a safer connector alternative?
💡 Use built-in connectors instead of HTTP request nodes or direct MCP connections where possible — connectors have OAuth governance via Defender for Cloud Apps.
Step 6: Enable Block Images and URLs (external threat detection)
In Copilot Studio → Settings → Security → enable external threat detection and configure Microsoft Defender as the provider. This blocks image-based and URL-based prompt injection before the agent processes the content.
Step 7: Scope sharing to the minimum required audience
In Copilot Studio → Share → add only the specific security groups who need access. Avoid "Everyone in [Org]" unless there is a documented business justification and security review.
Step 8: Assign an owner and document the agent
Every published agent should have a named owner accountable for reviewing it quarterly. Document: what connectors it uses, what data it can access, who can interact with it, and who built it.
✓ If Modern Agent: configure Entra Agent ID controls
Enable Modern Agent mode in Power Platform Admin Center → Copilot → Settings → Copilot Studio. Once enabled, the agent gets an Entra Agent Identity and you can apply Conditional Access policies, Access Reviews, and ID Protection via Entra. Note: Entra Agent ID is still in preview as of March 2026.
PRE-PUBLISH CHECKLIST
Managed Environments enabled: required for all governance controls
Authentication set to "Authenticate with Microsoft" + Require sign-in: never publish with No authentication
Maker is not a high-privilege account (Global Admin, SharePoint Admin etc): maker credentials = agent credentials for Classic agents
All MCP tools and connectors reviewed and justified
Block Images and URLs enabled via Defender external threat detection
Sharing scoped to minimum required audience
Named owner assigned and agent documented
Agent visible in AI Agent Inventory after publishing: verify it appears in Defender Advanced Hunting AIAgentsInfo table
PLAYBOOK 03
Set Up the Security Dashboard for AI
Configure the unified AI security posture view in Microsoft Defender. Requires collaboration between Defender admin and Power Platform admin. Allow up to 2 hours for data population.
⚠ Requires Agent 365 or M365 E7 ⚠ Dual-admin setup ✓ Works for Classic & Modern Agents
Step 1: Enable preview features in Defender XDR
Microsoft Defender portal → Settings → Microsoft Defender XDR → Preview features → turn on. The AI Agent Inventory and Security Dashboard for AI features require preview mode enabled.
Step 2: Connect the Microsoft 365 app connector
Defender portal → Settings → Cloud Apps → Connected Apps → Microsoft 365 → connect. This is required for Copilot agent telemetry to flow into Defender.
Step 3: Enable Copilot Studio AI Agents
Defender portal → Settings → Cloud Apps → Copilot Studio AI Agents → enable. Copy the URL shown — you will need to share this with your Power Platform admin to complete the next step.
💡 Save this URL carefully — it encodes your tenant ID and is required for the Power Platform side of setup.
Step 4: Enable external threat detection in Power Platform
Power Platform Admin Center → Security → Threat Detection → Additional threat detection → enable "Allow Copilot Studio to share data with a threat detection partner" → paste the URL from Step 3 → enter the Entra App ID.
⚠ The App ID must match exactly. Mismatch causes a silent failure — status will show "pending" indefinitely.
Step 5: Verify connection status
Back in Defender portal → Settings → Cloud Apps → Copilot Studio AI Agents → check that the Power Platform action status shows "Connected". If it shows "Pending" after 30 minutes, re-check the App ID and URL entered in Step 4.
Step 6: Confirm AIAgentsInfo table is populating
Run this query in Defender Advanced Hunting. If it returns rows, setup is complete. If it returns nothing after 2 hours, check the connection status in Step 5.
AIAgentsInfo
| summarize arg_max(Timestamp, *) by AIAgentId
| summarize count() by AgentStatus
Step 7: Open the Security Dashboard for AI
Defender portal → left nav → expand Microsoft Sentinel → AI → Security Dashboard for AI. You should see agent inventory, posture findings, and risk signals from Entra, Defender, and Purview.
⚠ The dashboard shows different agent counts than Entra Agent ID portal or Agent 365. This is a known inconsistency. Use Advanced Hunting for precise counts.
Step 8: Enable RT protection for Copilot Studio agents
This step enables the webhook-based runtime inspection of tool invocations. Defender evaluates each tool call before execution and can block suspicious actions. Defender portal → Settings → Cloud Apps → Copilot Studio AI Agents → enable Real-time protection.
⚠ 1-second timeout applies. If Defender doesn't respond within 1 second, the tool invocation is allowed through. This is a deliberate tradeoff for reliability but means high-speed tool calls may not always be evaluated.
SETUP CHECKLIST
Preview features enabled in Defender XDR
Microsoft 365 app connector connected
Copilot Studio AI Agents enabled — URL copied
Power Platform external threat detection configured with correct App ID and URL
Connection status shows "Connected" in Defender portal
AIAgentsInfo table returning data in Advanced Hunting
Security Dashboard for AI accessible in Defender portal
Real-time protection enabled
PLAYBOOK 04
Respond to a Suspected Agent Compromise
Triage and contain a suspected agent abuse incident — prompt injection, data exfiltration via agent, or suspicious agent behaviour. Requires Sentinel and Defender for Cloud Apps.
⚠ Time-sensitive — act within 1 hour of detection Sentinel + Defender required
Step 1: Check Defender portal for RT protection alerts
Defender portal → Incidents & Alerts → filter by "Copilot Studio". RT protection generates SOC-ready alerts that explain what was stopped, why it was considered risky, and which agent, user, and tool were involved.
Step 2: Query for suspicious agent activity in Advanced Hunting
Run these queries to surface anomalous agent behaviour in the last 24 hours.
// Agents with sudden auth type changes in the last 24h
// (same per-agent comparison as the Playbook 01 change-detection rule:
//  keep all snapshots so prev() sees the same agent's earlier state)
AIAgentsInfo
| where AgentStatus == "Published"
| order by AIAgentId asc, Timestamp asc
| extend PreviousAuthType = prev(UserAuthenticationType, 1),
         PreviousAgentId = prev(AIAgentId, 1)
| where AIAgentId == PreviousAgentId
| where UserAuthenticationType == "None" and PreviousAuthType != "None"
| where Timestamp > ago(24h)
| project AIAgentName, PreviousAuthType, UserAuthenticationType, Timestamp

// High-volume tool invocations in last 24h
// (use CopilotActivity table if connector enabled)
CopilotActivity
| where TimeGenerated > ago(24h)
| where Operation contains "Tool"
| summarize Count = count() by AgentName, UserId
| where Count > 50
| order by Count desc
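A fixed threshold of 50 calls will miss a quiet agent that suddenly triples its activity and will flag a busy agent that is behaving normally. The added query below (not from the page) compares each agent's tool-call volume in the last 24 hours with its own daily average over the preceding 7 days, so the alert is relative to that agent's baseline. It assumes the CopilotActivity columns used in Steps 2 and 5 (TimeGenerated, Operation, AgentName, UserId); the 3x ratio and 20-call floor are tuning assumptions, not Microsoft guidance.

```kql
// Added example: per-agent tool-call spike detection against a 7-day baseline.
// Assumes the CopilotActivity columns used in Steps 2 and 5 of this playbook;
// the 3x ratio and the 20-call floor are assumptions to tune per tenant.
let window = 24h;
let lookback = 8d;          // 7-day baseline plus the 24h window under review
let toolCalls = CopilotActivity
    | where TimeGenerated > ago(lookback)
    | where Operation contains "Tool";
// Per-agent daily average and user count before the current window
let baseline = toolCalls
    | where TimeGenerated <= ago(window)
    | summarize BaselinePerDay = todouble(count()) / 7,
                BaselineUsers = dcount(UserId) by AgentName;
// Per-agent activity inside the current window
let recent = toolCalls
    | where TimeGenerated > ago(window)
    | summarize RecentCalls = count(),
                RecentUsers = dcount(UserId),
                UserSample = make_set(UserId, 10) by AgentName;
recent
| join kind=leftouter baseline on AgentName
| extend BaselinePerDay = coalesce(BaselinePerDay, 0.0),
         BaselineUsers = coalesce(BaselineUsers, 0)
| extend Ratio = iff(BaselinePerDay > 0, RecentCalls / BaselinePerDay, real(null))
// Flag agents with no history at all (new or newly republished) or a 3x spike
| where RecentCalls >= 20 and (BaselinePerDay == 0 or Ratio >= 3)
| project AgentName, RecentCalls, BaselinePerDay, Ratio, RecentUsers, BaselineUsers, UserSample
| order by RecentCalls desc
```

A spike driven by one or two UPNs in UserSample points at a single compromised session or prompt-injection chain; a spike spread across many users more often means a newly shared agent, which Playbook 01 Step 3 will confirm.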
Step 3: Unpublish the agent immediately
In Copilot Studio → open the suspect agent → Settings → Channels → unpublish all channels. This immediately stops all user interactions with the agent while investigation continues.
Step 4: Revoke the maker's sessions if maker credentials are involved
If the agent uses Classic maker credentials and you suspect the maker account is compromised: Entra portal → Users → select maker → Revoke all sessions. Also check for new credentials on the associated Enterprise Application in Entra.
⚠ For Classic agents, the Enterprise Application owner is "Power Virtual Agent Service" — check if the maker's account has been added as an owner (a known risk pattern that enables credential abuse and bypasses CA/MFA).
Step 5: Review Copilot Data Connector logs in Sentinel
If the Copilot Data Connector is enabled, query the CopilotActivity table in Sentinel for the time window of the suspected incident. Look for CopilotAgentManagement events (config changes), unusual CopilotInteraction volumes, and CopilotPlugin lifecycle events.
// Replace the "<>" placeholder with the suspect agent's name before running
CopilotActivity
| where TimeGenerated between (ago(48h) .. now())
| where AgentName == "<>"
| project TimeGenerated, UserId, Operation, AgentName, PromptContent, ResponseContent
| order by TimeGenerated desc
Step 6: Use Security Copilot or Security Analyst Agent for triage
In Defender portal, open the Security Copilot pane and ask it to summarise the incident, identify the affected users, and recommend next steps. The Security Analyst Agent (Preview, March 2026) can autonomously triage the incident against your Sentinel data.
Step 7: Remediate and rebuild with security controls
Before republishing: apply all controls from Playbook 02. If the agent is Classic, evaluate whether it should be migrated to Modern (requires enabling Modern Agent mode in Power Platform). Update your DLP policies if data exfiltration occurred via prompts.
Step 8: Document and update your agent security policy
Record the incident in your risk register. Update your agent security checklist with any gaps this incident revealed. Consider running Playbook 01 across your entire estate as a follow-up audit.
INCIDENT RESPONSE CHECKLIST
Defender RT protection alerts reviewed
Advanced Hunting queries run for anomalous activity
Suspect agent unpublished from all channels
Maker sessions revoked if account compromised
Enterprise Application checked for rogue credentials or owners
CopilotActivity logs reviewed in Sentinel
Incident documented in risk register
Agent rebuilt with Playbook 02 controls before republishing