Microsoft Defender’s AI Agent Security: The Game-Changer You Can’t Ignore + Video

By /

Listen to this Post

Featured Image

Introduction:

As enterprises rapidly deploy AI agents—from Microsoft Foundry to third‑party marketplaces and custom line‑of‑business tools—each agent becomes a potential attack surface for data exfiltration, prompt injection, and unauthorised tool execution. Microsoft Defender now integrates natively with Agent365, shifting AI security from reactive logging to proactive discovery, real‑time protection, and pre‑execution blocking of malicious agent‑initiated actions.

Learning Objectives:

  • Discover and inventory all AI agents (Copilot Studio, Foundry, third‑party, custom) using Microsoft Defender’s new “Security for AI agents” tab.
  • Query the expanded `AIAgentsInfo` table in Advanced Hunting to gain deeper visibility into agent behaviour and configuration.
  • Integrate the Microsoft Agent 365 SDK to enable near‑real‑time threat detection, alerts, and investigation.
  • Implement real‑time protection and block unsafe agent‑initiated tool actions before execution via the Agent Tooling Gateway (ATG).
  • Assess security posture and respond to AI‑agent threats using Defender’s preview features and KQL‑based hunting.

You Should Know

  1. Discovering AI Agents: From Shadow IT to Full Visibility
    Defender automatically discovers agents registered with Agent365, eliminating blind spots. Here’s how to access and verify your AI agent inventory.

Step‑by‑step guide:

  1. Log into the Microsoft Defender portal at `https://security.microsoft.com`.
  2. Navigate to Settings → Security for AI agents (new dedicated tab).
  3. Review the discovered agents list, including type (Copilot Studio, Foundry, third‑party marketplace, custom LOB), registration status, and configuration health.

PowerShell (Microsoft Graph) – list registered agents via Defender API:

 Install required module
Install-Module -Name Microsoft.Graph -Scope CurrentUser

Connect to Graph with appropriate scopes (DeviceManagementApps.Read.All, ThreatHunting.Read.All)
Connect-MgGraph -Scopes "DeviceManagementApps.Read.All", "ThreatHunting.Read.All"

Query Defender’s agent inventory (example using Beta endpoint)
$uri = "https://api.security.microsoft.com/api/aiagents/inventory"
$response = Invoke-MgGraphRequest -Uri $uri -Method Get
$response.value | Format-Table DisplayName, AgentType, RegistrationStatus

Linux/macOS alternative (using `curl` with API key):

curl -X GET "https://api.security.microsoft.com/api/aiagents/inventory" \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" | jq '.value[] | {DisplayName, AgentType}'

2. Advanced Hunting with `AIAgentsInfo` Table

The `AIAgentsInfo` table now includes columns for all agent types (Foundry, third‑party, custom), expanding beyond Copilot Studio. Use KQL to investigate agent identities, tool permissions, and recent activities.

Step‑by‑step guide:

  1. In Defender portal, go to Hunting → Advanced hunting.
  2. Enter a KQL query to retrieve agent details.

3. Run and export results for security assessment.

Sample KQL queries:

// List all AI agents with their configuration source
AIAgentsInfo
| project Timestamp, AgentName, AgentType, ConfigurationSource, OnboardingStatus
| take 100

// Find agents with high‑risk tool permissions (e.g., email send, file delete)
AIAgentsInfo
| where ToolPermissions has_any ("Mail.Send", "File.Delete")
| extend RiskLevel = "High"
| project AgentName, AgentType, ToolPermissions, LastSeen

// Correlate agent identity with recent alerts
AIAgentsInfo
| join kind=inner (AlertInfo | where Severity == "High") on $left.AgentId == $right.AgentId
| project AlertTime = Timestamp, AgentName, AlertName, Severity

3. Integrating Agent 365 SDK for Threat Detection

To enable discovery, detections, and Advanced Hunting for your custom agent, you must integrate the Microsoft Agent 365 SDK. This SDK emits telemetry to Defender.

Step‑by‑step guide:

  1. Register your agent with Agent365 (portal: `https://agent365.microsoft.com`).
    2. Install the SDK into your agent’s codebase (C, Python, or Node.js).
    3. Initialize the SDK with your agent’s credentials and set up event logging.

    Python SDK example:

    from microsoft_agent365 import AgentClient, SecurityEvent

 Initialize client with managed identity or client secret
client = AgentClient(
agent_id="your-agent-id",
tenant_id="your-tenant-id",
client_secret="your-client-secret"
)

 Emit a custom security event (e.g., tool invocation attempt)
event = SecurityEvent(
event_type="ToolExecution",
tool_name="SendEmail",
parameters={"recipient": "[email protected]"},
outcome="BlockedByPolicy"
)
client.emit_event(event)

 Verify telemetry is flowing to Defender
print(client.get_health_status())

    Verify data ingestion in Defender:

    Run in Advanced Hunting:

    AIAgentEvents
| where AgentId == "your-agent-id"
| take 10

    4. Real‑Time Protection with Agent Tooling Gateway (ATG)

    Agents onboarded via ATG benefit from pre‑execution evaluation. Defender can block unsafe tool actions (e.g., deleting SharePoint sites, sending mass emails) before they execute.

    Step‑by‑step guide:

    1. Onboard your agent through ATG: In Defender portal → Settings → Security for AI agents → Agent Tooling Gateway → Add agent.
    2. Define tool‑action policies (allow/block) based on risk scores, user context, or destination.
    3. Test blocking by simulating a prohibited action from the agent.

    PowerShell – configure ATG policy via Graph API:

    $policyBody = @{
name = "Block Email to External Domains"
agentId = "agent-123"
toolAction = "Mail.Send"
condition = @{ recipientDomain = "-external.com" }
action = "Block"
notification = "Send alert to SecOps"
} | ConvertTo-Json

Invoke-MgGraphRequest -Uri "https://api.security.microsoft.com/api/atg/policies" `
-Method Post -Body $policyBody -ContentType "application/json"

Windows command line (test policy enforcement):

Simulate a blocked action using the ATG testing endpoint:

curl -X POST https://api.security.microsoft.com/api/atg/simulate -H "Authorization: Bearer %ACCESS_TOKEN%" -H "Content-Type: application/json" -d "{\"agentId\":\"agent-123\",\"toolAction\":\"Mail.Send\",\"parameters\":{\"recipient\":\"[email protected]\"}}"

5. Assessing Security Posture of AI Agents

Defender’s discovery preview provides a security score and misconfiguration alerts for each agent. Use this to prioritise remediation.

Step‑by‑step guide:

  1. In Defender portal, go to Security for AI agents → Posture assessment.
  2. Review agents with missing SDK integration, over‑privileged tool permissions, or outdated versions.
  3. Export the assessment report via API for compliance auditing.

Azure CLI – fetch agent security posture:

az rest --method get \
--url "https://api.security.microsoft.com/api/aiagents/securityposture" \
--headers "Authorization=Bearer $(az account get-access-token --resource https://api.security.microsoft.com --query accessToken -o tsv)" \
--query "value[?riskLevel=='High'].{AgentName:displayName, Risk:riskLevel, MissingControls:missingControls}" \
--output table

6. Detecting and Investigating Threats to AI Agents

Leverage near‑real‑time detections and alerts from the Agent 365 SDK and ATG. Advanced Hunting allows deep investigation of suspicious sequences.

Step‑by‑step guide:

  1. In Defender portal, go to Incidents & alerts → filter by Evidence type = AI agent.
  2. Click an alert to view the agent’s tool call chain, parameters, and policy verdict.
  3. Use Advanced Hunting to pivot to related identities or endpoints.

KQL – detect anomalous tool call frequency (possible abuse):

AIAgentEvents
| where Timestamp > ago(1h)
| summarize CallCount = count() by AgentName, ToolName, bin(Timestamp, 5m)
| where CallCount > 50 // threshold for anomaly
| join kind=leftouter (AIAgentsInfo) on AgentName
| project AgentName, AgentType, ToolName, CallCount, Timestamp, ConfigurationSource

Linux – monitor ATG blocking events via syslog integration (if configured):

 Simulate a blocked action and watch the Defender API response
curl -X POST https://api.security.microsoft.com/api/atg/evaluate \
-H "Authorization: Bearer $TOKEN" \
-d '{"agentId":"agent-123","toolAction":"SharePoint.DeleteSite","parameters":{"siteUrl":"https://contoso.sharepoint.com/sites/confidential"}}' \
-w "\nHTTP Status: %{http_code}\n"
 A 403 response indicates blocking; Defender generates an alert.

7. Hardening AI Agent Configurations in Microsoft 365

Beyond detection, enforce security baselines: restrict tool permissions, enforce SDK telemetry, and require ATG onboarding for high‑privilege agents.

Step‑by‑step guide:

  1. In Defender portal → Settings → Security for AI agents → Configuration policies.
  2. Create a policy that requires all agents with `Mail.Send` or `File.Delete` permissions to be onboarded via ATG.
  3. Apply the policy to specific agent groups (e.g., production agents).

4. Run a compliance audit using PowerShell.

PowerShell – export all agent configurations and check for compliance:

$agents = (Invoke-MgGraphRequest -Uri "https://api.security.microsoft.com/api/aiagents/inventory" -Method Get).value
$nonCompliant = $agents | Where-Object {
($<em>.ToolPermissions -match "Mail.Send|File.Delete") -and ($</em>.AtgOnboarded -ne $true)
}
if ($nonCompliant) {
Write-Warning "Non‑compliant agents found:"
$nonCompliant | Format-Table DisplayName, AgentType, ToolPermissions
 Optionally, trigger a remediation webhook
} else {
Write-Output "All high‑privilege agents are ATG‑onboarded."
}

What Undercode Say:

  • Key Takeaway 1: Defender’s integration with Agent365 shifts AI security from passive logging to active, pre‑execution control—closing the window for agent‑based attacks like tool abuse or privilege escalation.
  • Key Takeaway 2: The expanded `AIAgentsInfo` table and ATG’s real‑time blocking provide security teams with the same depth of visibility and response for AI agents that they already have for endpoints and identities.

Analysis: As organisations rush to deploy autonomous AI agents, traditional security models fail because agents execute actions under legitimate credentials. Microsoft’s approach—discovery via Defender, SDK telemetry, and inline blocking through ATG—mirrors successful EDR paradigms. The ability to hunt across all agent types (including third‑party and custom) using KQL empowers blue teams to detect subtle behavioural anomalies, such as an agent suddenly querying a sensitive SharePoint library. However, adoption hinges on developers integrating the Agent365 SDK and enterprises enforcing ATG onboarding—without these, the “visibility” remains partial.

Prediction:

By 2027, AI agent‑specific attacks (e.g., prompt‑induced data theft, tool‑chain poisoning) will account for over 30% of cloud incidents, forcing every major cloud provider to embed similar real‑time agent gateways. Microsoft’s early move with Agent365 and Defender will set the de‑facto standard, leading to cross‑platform agent security frameworks. Organisations that fail to implement pre‑execution blocking for AI agents will face breach scenarios where a single compromised agent exfiltrates terabytes of data before any log‑based alert triggers. The future of SOC operations will include “AI agent hunting” as a core competency, with KQL extensions specifically for agent behavioural analytics.

▶️ Related Video (88% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Markolauren Agent365 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: