Agent Governance Planner

In the Microsoft 365 admin centre, go to Agents and select All Agents. Review the full inventory. Pay attention to Agent publishers (created by your org vs external partners), Host products, and any agents listed as ownerless. Export the inventory to Excel for documentation. This is your baseline.

In Entra ID, go to Roles and administrators. Search for Agent ID Administrator. Assign it to your security lead or designated agent governance owner. Consider assigning to at least two people for coverage.

In Agent Registry, review each agent and check the sponsor field. Assign a sponsor to any agent without one. Set a calendar reminder to check for ownerless agents monthly. When someone leaves, verify their agent sponsorships transferred correctly.

First, opt in to preview features for three separate services: Defender for Cloud Apps, Defender for Cloud, and Defender XDR. Then enable the AI agent inventory: in the Defender portal, go to System, then Settings, then Cloud Apps, then Copilot Studio AI Agents and turn it on. Work with your Power Platform administrator to enable it in the Power Platform Admin Center under Security, then Threat Protection, then select Microsoft Defender - Copilot Studio AI Agents. Allow up to 30 minutes for the connection. Once connected, query the AIAgentsInfo table in Advanced Hunting to identify agents by risk level, platform, and management status. Also check the community queries in the AI Agents folder for pre-built misconfiguration checks. Cross-reference with the Agent Registry. For each shadow agent found, identify the creator, review what data it accesses, assign a sponsor, and decide whether to formalise it or decommission it.

In the M365 admin centre, go to Agents, then All Agents. Select each agent and open the Permissions tab. Review every application and delegated permission listed. For each one, ask: does this agent actually need this access? Revoke any permissions that are not required. During future publishing or deployment, read the consent screen carefully before approving.

In Entra ID, go to Conditional Access and create a new policy. Under Assignments, target agent identities - you can target all agents, specific agents by object ID, or agents grouped by blueprint or custom security attributes. The only condition currently available is agent risk level (from ID Protection). The only grant control is Block. Start with a policy that blocks high-risk agents from accessing sensitive workloads. Test in report-only mode first, then enforce.

In Entra ID Protection, check the Agent detections tab in the Risk detections report. ID Protection detects agent-specific risks including unfamiliar resource access, sign-in spikes, failed access attempts, sign-ins by risky users, confirmed compromised (admin-triggered), and Microsoft Entra threat intelligence matches. Use the Risky Agents report to review flagged agents and take action - confirm compromise, confirm safe, dismiss, or disable. Pair this with a Conditional Access policy that blocks high-risk agents.

Agent lifecycle governance uses two Entra ID Governance features together. First, use Entitlement Management to create access packages for agents - these control what resources agents can access, with built-in expiry dates and sponsor approval. Access can be requested by agents programmatically via Graph API, by sponsors on behalf of agents, or by admin direct assignment. Second, enable Lifecycle Workflows sponsor tasks (preview) to automatically notify managers and co-sponsors when a sponsor moves or leaves. Review ownerless agents in the Agent Registry regularly.

In Global Secure Access, configure web content filtering policies in the baseline profile - these apply tenant-wide to all Copilot Studio agent traffic. Enable threat intelligence filtering to block known malicious destinations. Set up network file filtering to prevent agents from moving sensitive files to unapproved locations. Traffic forwarding for agents is enabled per environment or environment group in the Power Platform Admin Centre.

In the Purview portal, go to Audit and verify it is turned on. It is enabled by default for M365 and Office 365 enterprise organisations, but not for SMB licences (Business Basic, Business Standard, Business Premium) - check yours. Review your retention settings - default is 180 days, but you may need longer for compliance. If audit was recently enabled, allow up to 60 minutes for the change to take effect and several hours for data to start appearing.

In the Defender portal, go to Settings, then Cloud Apps, then App connectors. Check for Microsoft 365. If it is not there, click Connect an app and follow the setup wizard. After connecting, verify data is flowing by running a simple CloudAppEvents query in Advanced Hunting.

In the Defender portal, go to Settings, then Permissions, then Roles. Assign at least two team members with Security Administrator or Security Operator roles via the Unified RBAC model. They will need manage permissions for the workloads their custom detections target (for example, Defender for Cloud Apps for CloudAppEvents queries). Test by having them run a basic CloudAppEvents query in Advanced Hunting.

In Defender XDR Advanced Hunting, create and save queries filtering CloudAppEvents on agent action types. Start simple: CloudAppEvents | where ActionType in ("InvokeAgent", "InferenceCall", "ExecuteToolBySDK", "ExecuteToolByGateway", "ExecuteToolByMCPServer"). Then build queries for specific scenarios - agents accessing sensitive sites, agents active outside business hours, agents with unusually high activity volumes.

In Defender XDR, go to Advanced Hunting. Start with a query that shows all agent-related CloudAppEvents for the last 7 days. Identify your baseline of normal agent activity. Then go to Hunting, then Custom detection rules to create rules that trigger when activity deviates from that baseline - for example, an agent invoking tools it has never used before. CloudAppEvents supports Continuous (NRT) frequency for near-real-time alerting.

In the Defender portal, go to System, then Settings, then Cloud Apps, then Copilot Studio AI Agents. Ensure the M365 connector is already connected (see previous item). Work with your Power Platform administrator to complete the onboarding: they need to enable external threat detection in the Power Platform Admin Centre and share the App ID with you. Enter the App ID in the Defender portal and save. Once connected, a green status appears in the Real time protection during agent runtime section. Note: if the M365 connector is not connected, blocking still works but alerts and incidents will not appear in Defender.

In the Purview portal, go to Information Protection, then Labels. Create labels with encryption that match your data classification needs. Publish them via a label policy. Use the Label Taxonomy Builder to plan your structure before deploying.

For each encrypted sensitivity label, go to the encryption settings and check which permission level is assigned. Ensure it includes the EXTRACT usage right - Co-Author and Co-Owner both include it. If you are using custom permissions, verify EXTRACT is explicitly granted. Avoid Reviewer or Do Not Forward for content that agents need to access. Enable sensitivity labels for SharePoint and OneDrive in the Purview portal (Information Protection, Sensitivity labels, Turn on now) so agents can access encrypted files at rest, not just files open in desktop apps.

In the Purview portal, go to Data Loss Prevention, then Policies. Review each policy and check which locations are enabled. Ensure you have coverage across Exchange, SharePoint, OneDrive, and Teams. For per-agent scoping, add agent instances or security groups containing agents to your policies in these locations. For the dedicated Copilot location, create a separate DLP policy (it cannot be combined with other locations in the same policy). Note that DLP cannot scan files uploaded directly into prompts, and policy updates can take up to 4 hours to take effect. Use the DLP Policy Simulator to plan your coverage before deploying.

In the Purview portal, go to Data Loss Prevention, then Alerts. Set up a filter or dedicated view for agent-related DLP incidents. Create an alert policy that notifies the agent owner when their agent is blocked. Review agent DLP alerts weekly to identify patterns that suggest policy tuning is needed.

In the Purview portal, go to Insider Risk Management, then Policies. Create policies using both the Risky AI usage and Risky Agents templates. The Risky Agents template is applied by default for all organisations but review its scope and alert thresholds. Configure your triage workflow so alerts are reviewed by someone who understands your agent deployments.

In the Purview portal, check which version of DSPM you are running. If you do not see an AI Observability page showing agents with activity in the last 30 days prioritised by risk level, you are on classic. To move to the preview, follow the migration guidance in the Purview portal. The preview is currently rolling out with no confirmed GA date. Start with the AI Observability page as your daily dashboard for agent risk.

In the Purview portal, go to Data Lifecycle Management, then Retention policies. Check that you have policies covering the relevant AI app locations - these include Microsoft Copilot experiences (which covers Microsoft 365 Copilot, Security Copilot, Copilot in Fabric, and Copilot Studio), Enterprise AI apps, and Other AI apps. The underlying data is stored in user mailboxes (hidden folders). Verify the retention periods meet your regulatory requirements.

In the Purview portal, go to Communication Compliance, then Policies. Create a policy using the "Detect Microsoft Copilot interactions" template as a starting point. Under locations, enable "Microsoft Copilot experiences" and "Enterprise AI apps" to cover agent interactions. Note: detecting non-Microsoft 365 AI data requires pay-as-you-go billing. Review flagged interactions and tune the policy scope based on false positive rates.

Identify which agents in your tenant use embedded files as knowledge sources (filter in Agent Registry). For each, check whether the uploaded files contain content that should be restricted by Information Barriers. If so, consider whether the agent should be scoped to a limited audience, or whether the embedded files should be replaced with a reference to a properly IB-protected SharePoint site.

Update your eDiscovery search templates to include agent interaction data. In the Purview portal, when creating an eDiscovery search, use the condition Type, then Contains any of, then Copilot activity to capture all AI app interactions including agents. Brief your legal team on what agent interaction data looks like and where it is stored.