Microsoft Defender + Copilot Studio AI agents

Full tenant inventory, risk signal, and runtime protection (Preview), a practical enablement guide.

If you’ve been waiting for central visibility and security controls over the custom AI agents your makers are spinning up in Copilot Studio, Microsoft Defender now has a clear story: it can detect all Copilot Studio custom AI agents in your tenant, collect their data for hunting, and (optionally) provide real-time protection during runtime to block suspicious tool invocations before an agent can act. This post walks through the exact enablement steps across the Microsoft Defender portal and the Power Platform admin center (PPAC), and explains what data is collected, what gets blocked, and how to validate it’s working. Everything below is based only on Microsoft documentation.

What you get (and why it matters)

1) AI agent inventory + risk identification (Defender)

Once enabled, Microsoft Defender detects all Copilot Studio custom AI agents in your tenant and collects data from Copilot Studio so you can identify misconfigured or potentially risky agents using hunting.

Defender integrates this data into Advanced hunting via the AIAgentsInfo table, and you can use community queries in the AI Agents folder to look for risky patterns. 

2) Real-time runtime protection (Defender + Copilot Studio)

When you enable runtime protection, Defender inspects tool invocations before the agent runs any actions and can block suspicious tool invocations, notify the user, and create an alert surfaced in XDR Incidents and Alerts. 

Important nuance: If the Microsoft 365 connector isn’t connected, runtime protection can still block suspicious activity, but alerts/incidents won’t appear in the Defender portal. 

3) Data that Copilot Studio shares with the security provider

When you configure external threat detection (including Defender as the provider), Copilot Studio shares high-level runtime context with the provider whenever the orchestrator considers invoking a tool. This can include:

  • user’s recent prompt + recent chat history
  • outputs of previous tools
  • conversation metadata (agent identity, user identity, tenant, trigger)
  • the tool being invoked, plus agent-generated reasoning and proposed inputs/values 

Copilot Studio also documents that if it doesn’t receive an allow/block decision within one second, it proceeds to allow the tool to execute as planned (unless you choose a stricter error behavior).


Architecture at a glance (how the plumbing works)

At a high level, you’re enabling:

  1. Inventory & hunting signal path
    Copilot Studio → Defender (AI Agents inventory) → Advanced hunting (AIAgentsInfo)

  2. Runtime control path
    Copilot Studio (orchestrator) → calls provider endpoint during runtime → provider returns allow/block → Copilot Studio enforces decision; Defender can also create XDR alerts when integrated correctly. 

Prerequisites (don’t skip these)

Preview opt-in (Defender side)

To enable AI agent inventory and detection, you must opt in to preview features for:

  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Cloud
  • Microsoft Defender XDR 

Cross-admin collaboration

Microsoft explicitly calls out that onboarding requires collaboration with Power Platform administrators (PPAC steps are required).

Runtime protection eligibility note (Copilot Studio)

External threat detection is only called for generative agents using generative orchestration; it’s skipped for classic agents.


Step-by-step: Enable Copilot Studio AI agent inventory in Microsoft Defender

Step 1: Turn on “Copilot Studio AI Agents” in the Defender portal

  1. Sign in to the Microsoft Defender portal as System Administrator. 
  2. Navigate to: System → Settings → Cloud Apps → Copilot Studio AI Agents. 
  3. Turn on Copilot Studio AI Agents.
  • “System > Settings > Cloud Apps > Copilot Studio AI Agents” toggle enabled


Step 2: Complete the PPAC side of the connection (inventory enablement)

In parallel, your Power Platform admin completes:

  1. Go to Power Platform admin center → Security → Threat Protection.
  2. Select Microsoft Defender - Copilot Studio AI Agents.
  3. Turn on Enable Microsoft Defender - Copilot Studio AI Agents.
  • “Security > Threat detection/Threat protection” page showing “Microsoft Defender – Copilot Studio AI Agents” option

Step 3: Validate status in Defender

When connected, Defender shows a green indicator in the AI Agents Inventory section, and the initial status can take up to 30 minutes to update (longer in bigger environments).

Turn on runtime protection during agent runtime (Preview)

Runtime protection is where the value gets spicy: you’re no longer only discovering risk—you’re blocking suspicious tool executions before they happen.

Step 4: Ensure the Microsoft 365 connector is connected (for alerting)

  1. In the Defender portal, go to: System → Settings → Cloud Apps → Copilot Studio AI Agents.
  2. Check Microsoft 365 App Connector status and connect it if needed.
  3. Remember: without this connector, runtime blocking can still occur, but XDR alerts/incidents won’t show in Defender.

  • Connector status showing “Connected” or the Connect workflow

Step 5: Start runtime protection onboarding from the Defender portal

  1. In the same Copilot Studio AI Agents settings area, go to the Real time protection during agent runtime section.
  2. Defender provides a URL that you must share with the Power Platform admin to complete onboarding in PPAC.

  • Real-time protection panel with “Enable Power Platform Integration” URL

Step 6: Configure external threat detection in PPAC (this is the enforcement hook)

Microsoft documents a generic “external threat detection provider” model. The provider is a REST API endpoint called during runtime when the orchestrator considers invoking a tool. 

In Power Platform admin center:

  1. Go to Security → Threat detection.
  2. Select Additional threat detection, choose the environment, and select Set up. 
  3. Turn on Allow Copilot Studio to share data with a threat detection provider. 
  4. Enter:
    • Azure Entra App ID (created in the next step) 
    • Endpoint link (the provider endpoint; when Defender is the provider, you get it from Defender portal) 
  5. Under Set error behavior, decide what happens if the provider times out/errors:
    • Default: Allow the agent to respond
    • More restrictive: Block the query 
  6. Select Save (save fails if Entra app config/auth isn’t correct). 

  • Additional threat detection pane with Entra App ID + Endpoint link + error behavior
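
The one-second decision window and the Set error behavior choice in step 6 interact. The sketch below is an added illustration, not code from Microsoft's documentation or from this post's author, and it models that interaction. The `enforce` function, the provider callables, the sample tool call, and the treatment of an unrecognized verdict as an error are all assumptions.

```python
import concurrent.futures as cf
import time

DECISION_WINDOW_S = 1.0  # decision window stated in the text above


def enforce(provider, tool_call, error_behavior="allow", window_s=DECISION_WINDOW_S):
    """Model of the enforcement decision for one proposed tool invocation.

    provider: callable standing in for the provider endpoint (hypothetical).
    error_behavior: "allow" (the default) or "block" (the stricter setting).
    Returns (tool_runs, reason).
    """
    pool = cf.ThreadPoolExecutor(max_workers=1)
    try:
        verdict = pool.submit(provider, tool_call).result(timeout=window_s)
        if verdict not in ("allow", "block"):
            # Assumption of this model: a malformed answer counts as an error.
            raise ValueError(f"unexpected verdict: {verdict!r}")
        return verdict == "allow", f"provider-{verdict}"
    except cf.TimeoutError:
        cause = "timeout"
    except Exception:
        cause = "error"
    finally:
        pool.shutdown(wait=False)  # do not wait for a late provider
    return error_behavior == "allow", f"{cause}-fallback-{error_behavior}"


def delayed(verdict, delay_s):
    """Constructed provider that answers `verdict` after `delay_s` seconds."""
    def provider(_tool_call):
        time.sleep(delay_s)
        return verdict
    return provider


def unreachable(_tool_call):
    """Constructed provider that fails like an unreachable endpoint."""
    raise ConnectionError("endpoint unreachable")


# Constructed sample invocation; field names are illustrative only.
CALL = {"tool": "SendEmail", "inputs": {"to": "someone@example.com"}}

if __name__ == "__main__":
    window = 0.2  # shortened so the demo finishes quickly
    for name, p in [("fast block", delayed("block", 0)),
                    ("late block", delayed("block", 0.6)),
                    ("unreachable", unreachable)]:
        for behavior in ("allow", "block"):
            print(name, behavior, enforce(p, CALL, behavior, window))
```

Under the default setting, a provider that would have blocked but answers after the window still results in the tool running; only the stricter setting turns that case into a block.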

Step 7: Register the Microsoft Entra application used for authentication (secret-less)

Copilot Studio uses Federated Identity Credentials (FIC) as a “secret-less authentication method” for exchanging data with the provider, and Microsoft provides two options: PowerShell script (recommended) or manual configuration. 

Option A (Recommended): Use Microsoft’s PowerShell script

Microsoft provides Create-CopilotWebhookApp.ps1 to automate creation/configuration and outputs the App ID you’ll paste into PPAC and Defender.

You’ll need: TenantId, Endpoint, DisplayName, FICName (all documented). 

Option B: Manual Entra app registration + Federated credential

Manual steps include:

  • Create an app registration (Single-tenant) and copy the App ID.
  • Add a Federated credential under Certificates & secrets with:
    • Issuer https://login.microsoftonline.com/{tenantId}/v2.0
    • Explicit subject identifier formatted as documented (with base64 encoding of tenantId and endpoint) 

If you’re integrating with Defender specifically, the provider may require allowlisting/authorization; Microsoft even documents an example where onboarding fails if the app isn’t allowlisted with the provider.

Step 8: Finalize runtime integration back in Defender

After the Power Platform admin completes PPAC onboarding:

  1. Get the App ID from the PP admin. 
  2. In the Defender portal, enter the same App ID in the runtime protection configuration and select Save.
  3. If you just changed the App ID, allow up to one minute for propagation before retrying save if validation fails. 
  4. Validate a green Connected status in the “Real time protection during agent runtime” section. 

Troubleshooting (the errors you’ll actually see)

Microsoft documents common failure classes when saving PPAC threat detection settings, including:

  • endpoint connectivity/timeouts
  • token acquisition failures due to missing/incorrect FIC
  • Entra app not found / wrong tenant
  • provider authorization failures 

If you hit issues, the PPAC UI includes Copy error info, and the doc lists example AADSTS codes and what to fix (App ID, issuer, subject formatting, etc.).


References (Official Microsoft documentation)

This article is based exclusively on Microsoft’s official documentation for Microsoft Defender for Cloud Apps and Microsoft Copilot Studio, including the setup flows for AI agent inventory, runtime protection, and external threat detection provider configuration.

  • Discover and detect threats using the AI agents inventory (Preview), Microsoft Defender for Cloud Apps [learn.microsoft.com]

  • Protect your agents in real-time during runtime (Preview) [learn.microsoft.com]

  • Enable external threat detection and protection for Copilot Studio custom agents (preview) [learn.microsoft.com]

  • Register a Microsoft Entra application:
    https://learn.microsoft.com/en-us/microsoft-copilot-studio/external-security-provider#register-a-microsoft-entra-application
