Microsoft Security
Products for AI

Unified control plane for all agents. Inventory, governance, and security posture across Microsoft and partner agents. Licensing is per-user, not per-agent — governance scope does not scale with agent count. Includes new Defender, Entra, and Purview capabilities to secure agent access and prevent data oversharing.

Unified CISO-level AI risk aggregation from Defender + Entra + Purview. AI inventory covering agents, MCP servers, models, apps — including third-party AI (ChatGPT, Gemini). Security Copilot NL-driven risk exploration. Now generally available — previously preview.

Assign control collections to specific models or agents in Azure AI Foundry. Limits tools available to each agent, constrains output behaviour, enforces content safety at the orchestration layer. Only applies to Foundry-deployed agents.

Bundles M365 Copilot + Agent 365 + Entra Suite + M365 E5. Agent 365 included but inherits the same per-user licensing model. Best for orgs where agents are tightly coupled to named users.

Register agents as non-human identities. Human sponsor required. Lifecycle automation. Currently limited preview — frontier/large enterprise only. Agents still use OBO flow underneath. Only applies to Modern Agents — most existing Copilot Studio agents are Classic Agents (Service Principals) and receive no Entra Agent ID protection. Migration tool from Classic to Modern does not yet exist. Agent names do not sync on rename — original "Agent #" name persists in Entra.

Today's real-world primitive for non-human identities. Designed for apps/services — not purpose-scoped for individual agents. Lacks agent-specific lifecycle governance and sponsor model. The current stopgap while Agent ID matures.

Block risky agents; enforce least-privilege and JIT access. Critical caveat (field-validated March 2026): CA for Agents does not apply to Copilot Studio agents — they authenticate via OBO or service principal, not modern Agent ID. CA for Agents is only active for Security Copilot and AI Foundry agents using OAuth 2.0 Agent ID authentication. For Copilot Studio, use Conditional Access policies targeting the user or workload identity instead.

Secure web and AI gateway. Shadow AI Detection now GA on March 31 — uses network layer to identify unknown AI applications. Prompt Injection Protection also GA March 31 — enforces universal network-level policies to block malicious AI prompts across apps and agents.

Connect external MFA providers directly with Microsoft Entra — leverage pre-existing MFA investments or use highly specialised MFA methods alongside Entra authentication flows. New at RSAC 2026.

Automated backup of Entra directory objects to enable rapid recovery in case of accidental deletion or unauthorised changes. New resilience capability for identity infrastructure.

Discover unmanaged (shadow) Entra tenants and establish consistent tenant policies and governance in multi-tenant environments. Addresses the risk of unsanctioned AI deployments creating orphaned tenants.

New dashboard in Microsoft Defender highlighting the most impactful insights across human and non-human identities. New identity risk score unifies account-level risk signals for real-time access decisions and SecOps investigations.

Runtime defence against direct and indirect prompt injection at the orchestration layer. Inspects user inputs AND content retrieved by the agent (RAG, tool outputs) before it reaches the model decision loop.

API-level model I/O filters: harmful content, jailbreak attempts, protected material, groundedness violations. Operates at the model boundary — separate from Prompt Shields which operates at the orchestration layer.

Dynamically adjusts identity and access policies during active attacks — reducing exposure and limiting lateral movement in real time. Applies to both human and agent identities during incidents. New at RSAC 2026.

CSPM and runtime threat protection for AI infrastructure. Monitors model deployments, API access patterns, and agent behaviour. Expanded container security at RSAC 2026 including binary drift and antimalware prevention.

Ingests Copilot audit logs and activity telemetry into a new CopilotActivity table in Sentinel. Enables analytic rules, workbooks, hunting queries, and automation specifically targeting AI/agent interactions. Record types include: CopilotInteraction, plugin lifecycle (create/update/delete), CopilotPromptBook operations, CopilotForSecurityTrigger, CopilotAgentManagement. Also supports Sentinel data lake for low-cost long-term retention and MCP server integration. Note: data ingestion costs apply. Prompt content ingested becomes a sensitive artifact — apply field-level masking and access controls on CopilotActivity table.

Scans AI models in Azure ML registries and workspaces for malware, unsafe operators, and backdoors across common model formats. Recurring scans surface as security recommendations per model. High-confidence detections generate Defender XDR SOC alerts. CLI integration enables in-pipeline scanning during CI/CD build. Gating capability blocks unsafe models from reaching a registry. New at RSAC 2026.

Governs how AI agents and MCP tools access SaaS. Discovers shadow AI, governs OAuth permissions, detects over-privileged agent-to-SaaS access. For Copilot Studio specifically: provides real-time protection — blocks tool invocations if a prompt is suspicious. 1-second timeout: if no decision returned in time, tool executes. Not a guaranteed prevention control.

Detects all Copilot Studio agents in the tenant and surfaces misconfigurations via the AIAgentsInfo Advanced Hunting table. Detects no-auth agents, ownerless agents, and risky configurations. Setup requires collaboration between Defender admin AND Power Platform admin — two separate portals. Takes up to 30 minutes for initial connection and longer for full data population. Three Defender preview features must be enabled separately.

SIEM + SOAR. Ingests AI-specific telemetry: agent behaviour logs, MCP server activity, Copilot interaction signals. RSAC 2026 updates: Data Federation via Microsoft Fabric, Playbook Generator with natural language orchestration, MCP Entity Analyzer (GA April), Sentinel Custom Graphs, and Connector Builder Agent (Preview March 31). UEBA Behaviors layer now GA. Custom Guidebooks for Copilot Guided Response now GA.

Discovers where sensitive data exists across AI workloads. Identifies oversharing risks before agents exploit them. Posture assessments and automated remediation for AI data risks.

Two distinct DLP capabilities for M365 Copilot and Copilot Chat. ① Block files/emails with sensitivity labels (GA): prevents labelled files and emails from being used in Copilot response summaries. Items still appear in citations but content is excluded. ② Block SITs in prompts (Preview — GA planned June/July 2026): when a typed prompt contains a selected Sensitive Information Type (credit card numbers, passport numbers etc), Copilot returns no response at all — it does not fall back to internal Graph sources. Blocks both internal and external web searches. Available in M365 Copilot, Copilot Chat, Word/Excel/PowerPoint, and prebuilt agents. Key caveats: The two conditions cannot be combined in the same rule. DLP cannot scan files uploaded directly into prompts — only typed text is evaluated. Policy changes take up to 4 hours to apply. Admin Units not supported.

Extends sensitivity labels into AI workflows. Prevents agents from accessing, generating, or transmitting content violating classification policies. Integrates with Entra Internet Access for network-layer enforcement.

Monitors Copilot and agent conversations for policy violations and regulatory issues. OBO note: attribution may show user identity rather than agent identity in audit logs.

Unified view of AI-related data risk directly in the Microsoft 365 Admin Center. Brings Purview data security insights into the same admin surface where Copilot is configured and governed. New at RSAC 2026.

Tracks what data agents access, process, and output at runtime. Creates a complete data access audit map for compliance and forensics teams. Feeds into eDiscovery workflows.

AI assistant embedded in Defender, Entra, Intune, Purview. Automates threat hunting, phishing triage, identity risk remediation. Included for M365 E5 at 400 SCU per 1,000 users/month. Over 15 new partner-built agents available via Security Store.

Helps accelerate threat investigations by providing contextual analysis and guided workflows in Microsoft Defender. Deep multi-step investigation using Defender and Sentinel telemetry. Announced at RSAC 2026.

Extends the phishing triage agent to cloud and identity — autonomously analyses, classifies, prioritises, and resolves repetitive low-value alerts at scale. Reduces analyst alert fatigue across identity and cloud signals.

Adds context-aware recommendations, deeper analysis, and phased rollout to strengthen identity security through Conditional Access policies. Agent is GA; RSAC 2026 enhancements are in preview.

Purview agent with new credential scanning capability — proactively detects credential exposure in your data estate. Helps surface hidden identity risks embedded in documents, repositories, and data stores.

Purview alert triage agent with advanced AI reasoning layer and improved interpretation of custom Sensitive Information Types — improves agent outputs during alert review. Agent is GA; RSAC 2026 enhancements in preview from March 31.

Automate device policy reviews, offboarding, and risk-based remediation within Intune. Policy Configuration Agent lets IT create and validate policies via natural language. Enhanced app inventory for AI-enabled apps GA in May.