As AI agents become increasingly accessible through low-code/no‑code (LCNC) platforms like Microsoft Copilot Studio, organizations face new types of security risks at scale. These platforms empower non‑technical users to build and deploy custom agents without centralized security review or controls in place. Attackers can attempt to manipulate these agents by injecting malicious prompts, triggering unintended tool executions, or exploiting data sources to escalate privileges or exfiltrate data.
Real-time protection during agent runtime in Microsoft Defender reduces these risks by inspecting tool invocations before the agent runs any actions.
If Microsoft Defender determines that a prompt is suspicious:
- The tool invocation is blocked before it runs.
- The user gets notified that their message was blocked.
- An informative alert is created and appears in the Microsoft Defender portal under XDR Incidents and Alerts.
Enable real-time protection for Microsoft Copilot Studio agents during runtime
Note
The onboarding process for real-time protection during agent runtime requires configuration in Power Platform and collaboration with other administrators.
Sign in to the Microsoft Defender portal.
Navigate to System > Settings > Cloud Apps > Copilot Studio AI Agents.
Check the Microsoft 365 App Connector status. If the Microsoft 365 connector is not connected, enable the Microsoft 365 app connector.
Note
If the Microsoft 365 connector isn’t connected, real-time agent protection during runtime continues to block suspicious activity on the AI agent, but alerts and incidents related to these actions won't appear in the Microsoft Defender portal.
Work together with a Power Platform administrator to complete these onboarding steps: Enable external threat detection and protection for Copilot Studio custom agents.
Share the URL provided in the Defender portal with the Power Platform administrator to help them complete their onboarding steps.
Make sure that the Power Platform administrator uses the same App ID as the App ID used in the Microsoft Entra ID application.
Get the App ID from the Power Platform administrator, enter it in the App ID field in the Defender portal, and then select Save.
Once the Power Platform administrator completes the onboarding steps, a green Connected status appears in the Microsoft 365 connector section in the Defender portal.