📄️ Require Users to Use Entra ID Auth to Interact with Agents
Implementation Effort: Medium – IT must configure agent authentication flows, consent, and app registrations that tie interactive agents to Entra ID, but this is a one-time project rather than an ongoing program.
📄️ Discover and inventory existing agents in Agent 365 Registry
Implementation Effort: Low – Agent Registry is available in the Microsoft 365 admin center; Microsoft-built and Copilot Studio agents are automatically registered and require no manual onboarding.
📄️ Triage Discovered Agents and Establish Ownership
Implementation Effort: Medium – Requires cross-team coordination to assess agents and assign accountability.
📄️ Design Conditional Access Posture for Agents
Implementation Effort: Medium – Requires mapping all agent access patterns across the Microsoft Entra Agent ID architecture and defining a policy structure before any enforcement begins.
📄️ Design Identity Governance Access Controls for Agents
Implementation Effort: Medium – Requires cross-team alignment between identity governance administrators, security architects, and business stakeholders to define the governance model before any operational controls are deployed.
📄️ Create Custom Security Attributes for Agent and Resource Classification
Implementation Effort: Medium – Requires defining an attribute taxonomy across agent identities and target resources, coordinating with application owners to tag resources, and assigning attributes to agents through the Agent Registry or Entra admin center.
📄️ Enable ID Protection and Deploy Risk-Based Conditional Access for Agents
Implementation Effort: Low – ID Protection for agents is enabled at the tenant level with minimal configuration; the risk-based CA policy follows a standard template.
📄️ Deploy Attribute-Based Conditional Access Policies for Agents
Implementation Effort: Medium – Requires custom security attributes to be in place on both agents and resources, and careful policy design to avoid blocking legitimate agent flows.
📄️ Establish Agent Publishing and Certification Standards
Implementation Effort: Medium – Requires cross-team alignment between security, platform engineering, and development teams to define publishing standards, certification criteria, and observability instrumentation requirements.
📄️ Publish Discovered Agents to Agent Registry
Implementation Effort: Low – Registry publication is a straightforward administrative action per agent once discovery is complete.
📄️ Organize Discovered Agents with Registry Collections
Implementation Effort: Low – Collections are a lightweight organizational feature that can be configured quickly once agents are published.
📄️ Assign Sponsors and Owners to Agent Identities
Implementation Effort: Medium – Requires identifying the right human accountable for each agent identity across potentially many teams, and establishing an operational process for ongoing sponsor assignment as new agents are deployed.
📄️ Create Access Packages for Agent Resource Assignments
Implementation Effort: Medium – Requires defining catalogs, selecting resource roles, configuring approval policies, and setting expiration and lifecycle rules for each access package.
📄️ Configure Lifecycle Workflows for Sponsor Mover/Leaver Scenarios
Implementation Effort: Medium – Requires configuring lifecycle workflow templates in Microsoft Entra ID Governance and integrating them with the organization's existing joiner/mover/leaver processes.
📄️ Inventory workload identities with agent-like behavior
Implementation Effort: Medium – Requires reviewing existing managed identities and service principals across Azure subscriptions to identify those exhibiting autonomous, agent-like behavior patterns.
📄️ Triage workload identities as agent candidates
Implementation Effort: Medium – Requires cross-team evaluation of inventoried workload identities against migration criteria, including risk level, permission scope, and operational autonomy.
📄️ Migrate agent-candidate workloads to agent identities
Implementation Effort: High – Requires coordinated migration of workload identities to the agent identity framework, including re-registration in Agent Registry, permission reassignment, and validation of downstream service dependencies.
📄️ Enable Global Secure Access for Copilot Studio agents
Implementation Effort: Low – Requires enabling the Global Secure Access for Agents toggle in the Power Platform admin center for the target environment or environment group.
📄️ Update Copilot Studio connectors to route through Global Secure Access
Implementation Effort: Medium – Requires identifying all existing Copilot Studio custom connectors and editing each one to apply the Global Secure Access routing configuration; new connectors inherit routing automatically.
📄️ Configure GSA dashboard for generative AI app visibility
Implementation Effort: Low – Dashboard is available in the Microsoft Entra admin center once Global Secure Access is configured; requires reviewing widgets and applying the generative AI filter.
📄️ Configure web content filtering for AI app categories
Implementation Effort: Low – Requires creating a web content filtering policy in the Microsoft Entra admin center with rules targeting AI-related web categories; minimal infrastructure changes.
📄️ Link filtering policies to baseline profile for agent traffic
Implementation Effort: Low – Requires linking existing web content filtering policies to the baseline security profile in the Microsoft Entra admin center; a few clicks per policy.
📄️ Configure Prompt Shield for AI Traffic Inspection
Implementation Effort: Medium – Requires configuring prompt policies, conversation schemes for target LLMs, linking policies to security profiles, and creating a Conditional Access policy to scope enforcement.
📄️ Extend Prompt Shield to Custom Enterprise LLM Endpoints
Implementation Effort: Medium – Requires understanding the request and response format of each custom LLM endpoint to define conversation schemes that Prompt Shield can parse.
📄️ Enable Microsoft Purview Audit for AI interactions
Implementation Effort: Low – Audit logging is on by default for most Microsoft 365 organizations; verification and enablement require a single PowerShell command or portal action.
📄️ Deploy DSPM for AI Overview and Get Started Prerequisites
Implementation Effort: Low – DSPM for AI is a built-in Microsoft Purview capability that requires license activation and minimal configuration; no agents or infrastructure deployment needed.
📄️ Assess and Remediate Data Oversharing for Copilot Readiness
Implementation Effort: Medium – Requires running oversharing assessments in Microsoft Purview DSPM for AI, creating custom assessments for priority sites, and coordinating remediation actions across site owners, data stewards, and security teams.
📄️ Configure DSPM for AI Activity Explorer and Observability
Implementation Effort: Low – Activity explorer is a built-in capability in Microsoft Purview DSPM for AI that requires minimal configuration; extending observability to Agent 365 instances uses the same console with preview features enabled.
📄️ Deploy Collection Policies for AI Interaction Locations
Implementation Effort: Low – Collection policies are deployed through the DSPM for AI console with minimal configuration; extending coverage to enterprise AI apps may require coordination with network teams if third-party SASE/SSE providers are in use.
📄️ Configure DLP Policies for M365 Copilot and Agent 365 Locations
Implementation Effort: Medium – Requires designing DLP policy rules for the Microsoft 365 Copilot location, configuring blocking rules for highly classified sensitivity labels, and extending policy scope to include Agent 365 instances — all of which demand cross-team coordination between compliance, security, and data governance teams.
📄️ Deploy Endpoint and Browser DLP Policies for AI Data Locations
Implementation Effort: Medium – Requires configuring endpoint DLP policies scoped to AI-accessible data locations, deploying browser DLP for AI interactions in Microsoft Edge, and optionally leveraging DSPM for AI one-click policy deployment to accelerate coverage.
📄️ Deploy Risky AI and Risky Agents Policies
Implementation Effort: Low – One-click deployment available from DSPM for AI, or manual configuration through Insider Risk Management.
📄️ Configure Adaptive Protection and Priority User Groups
Implementation Effort: Medium – Requires integration between Insider Risk Management and DLP policies, plus identification of priority users.
📄️ Establish Recurring Triage Process for AI Insider Risk Alerts
Implementation Effort: Medium – Requires defining triage workflows, assigning SOC analysts to review AI-specific insider risk alerts on a regular cadence, and coordinating escalation paths with legal, HR, and compliance teams.
📄️ Define Isolation Requirements for Agent Infrastructure
Implementation Effort: Medium – Requires architectural decisions and documentation across network and data domains.
📄️ Require Content Safety SDK Integration for All Agent Inputs Across Hosting Platforms
Implementation Effort: Low – Establishing the requirement is a policy and documentation task; SDK integration per agent is lightweight with available client libraries.
📄️ Deploy and Configure the AI Gateway
Implementation Effort: High – Requires provisioning Azure API Management infrastructure, defining API policies for token rate limiting and content safety, configuring networking, and integrating with identity providers and backend AI services.
📄️ Establish APIM Gateway Requirement for MCP Servers
Implementation Effort: Low – Establishing the requirement is a policy decision; APIM already supports MCP server exposure with minimal configuration.
📄️ Define Sensitivity Label Inheritance Requirements for AI Outputs
Implementation Effort: Low – Defining the requirements is a policy task; Microsoft Purview already supports label inheritance behavior for AI interactions that administrators configure centrally.
📄️ Configure AI Red Teaming Agent in Foundry
Implementation Effort: Medium – Requires provisioning the AI Red Teaming Agent in Azure AI Foundry, configuring attack scenarios and target endpoints, and interpreting the results to prioritize remediation.
📄️ Establish Red Teaming Requirement for New Agent Deployments
Implementation Effort: Low – Establishing the requirement is a policy and process task; the underlying tooling (AI Red Teaming Agent) is already provisioned.
📄️ Establish Recurring AI Red Teaming Validation Cadence
Implementation Effort: Medium – Requires defining a recurring schedule, assigning ownership, integrating red teaming results into remediation workflows, and tracking posture changes over time.
📄️ Establish Identity Requirements for Agent Development
Implementation Effort: Low – Requires documenting standards and integrating into development processes.
📄️ Enable Diagnostic Logging for AI Services and Agents
Implementation Effort: Medium – Requires creating centralized logging infrastructure and configuring logging across multiple AI platforms.
📄️ Deploy Microsoft Sentinel workspace for AI threat detection
Implementation Effort: Medium – Requires provisioning a Log Analytics workspace, onboarding Microsoft Sentinel, configuring data connectors for AI workload telemetry, and setting retention policies appropriate for security investigation timelines.
📄️ Enable AI-specific analytics rules for prompt injection detection
Implementation Effort: Medium – Requires identifying and enabling the relevant built-in analytics rule templates from the Content hub, mapping entity types to AI workload identities, and tuning thresholds to the organization's AI usage patterns.
📄️ Create custom analytics rules for agent anomaly detection
Implementation Effort: Medium – Requires writing KQL queries against AI workload telemetry tables, defining baseline behavior for agent identities, and iterating on thresholds through testing against real data.
📄️ Configure AI threat detection workbooks
Implementation Effort: Low – Involves deploying workbook templates from the Content hub and customizing visualizations to focus on AI-specific analytics rule outputs and incident data.
📄️ Create AI Incident Response Playbooks in Sentinel
Implementation Effort: Medium – Requires designing response workflows for AI-specific incident types and coordinating with SOC teams on containment actions for AI workloads.
📄️ Configure Automated Response Rules for High-Risk AI Activity
Implementation Effort: Medium – Requires defining triage and escalation logic for AI-specific incident types and testing automation rules against real AI incident data.
📄️ Integrate AI Threat Response with Defender XDR
Implementation Effort: Medium – Requires onboarding the Sentinel workspace to the Defender portal, validating bi-directional incident sync, and reconciling automation rules that may behave differently in the unified portal.
📄️ Configure Scheduled AI Threat Review Queries and Dashboards
Implementation Effort: Low – Involves creating saved KQL queries and configuring a Sentinel workbook with AI-specific visualizations. Does not require cross-team coordination.
📄️ Configure Retention Policies for AI Prompts and Responses
Implementation Effort: Medium – Requires defining retention periods for AI interaction data, coordinating with legal and compliance teams on regulatory requirements, and configuring policies across Copilot and agent workloads.
📄️ Configure Defender for Cloud Apps GenAI app discovery
Implementation Effort: Medium – Requires Defender for Cloud Apps and Defender for Endpoint to be deployed; involves configuring cloud app discovery policies for the generative AI category and setting up monitoring or blocking rules.
📄️ Block Access to Unsanctioned AI Apps with Defender for Cloud Apps
Implementation Effort: Low – Policy creation in Defender for Cloud Apps is straightforward once GenAI app discovery is already configured.
📄️ Configure Data Quality Rules for AI Grounding Data Sources
Implementation Effort: Medium – Requires identifying the data sources used for AI grounding, defining data quality rules in Microsoft Purview, and establishing ongoing monitoring to detect quality degradation over time.
📄️ Configure Pre-Deployment Groundedness Evaluations
Implementation Effort: Medium – Requires configuring evaluation pipelines in Azure AI Foundry, defining evaluation datasets, selecting metrics, and establishing pass/fail thresholds for agent quality gates.
📄️ Enforce Runtime Groundedness Detection
Implementation Effort: Medium – Requires integration into agent orchestration pipelines and configuration of detection behavior, plus testing to calibrate thresholds against source data.
📄️ Enable Defender for Cloud AI security posture management
Implementation Effort: Medium – Requires the Defender CSPM plan to be enabled on Azure subscriptions hosting AI workloads; for AWS accounts, permissions must be reconfigured to enable AI posture capabilities.
📄️ Assign Azure Policy to Govern AI Model Deployments
Implementation Effort: Medium – Requires selecting and assigning built-in policy definitions for Azure AI Services, configuring scope and parameters, and monitoring compliance results.
📄️ Enable threat protection for AI workloads in Defender for Cloud
Implementation Effort: Low – Enabling the Defender for AI Services plan is a subscription-level toggle. The primary effort is confirming which AI resources are in scope and validating that alerts flow into the Sentinel workspace.
📄️ Establish AI Compliance Documentation
Implementation Effort: Medium – Requires selecting AI regulation assessment templates, assigning ownership for improvement actions, configuring operational reports in Azure AI Foundry, and coordinating across legal, compliance, and security teams.
📄️ Configure Communication Compliance Policy for Copilot Interactions
Implementation Effort: Medium – Requires creating policies scoped to Copilot interaction locations, defining detection classifiers, configuring reviewer workflows, and testing against real interaction data.
📄️ Require Users to Register Agents in Agent 365 Registry Before Use
Implementation Effort: Low –
📄️ Create and Apply Governance Templates for Agent Publishing and Activation
Implementation Effort: Medium – Requires defining policy bundles that span Microsoft Entra, Microsoft Purview, and SharePoint, then associating them with agent activation and publishing workflows in the Microsoft 365 admin center.
📄️ Configure and Apply Agent Lifecycle Management
Implementation Effort: Medium – Requires defining lifecycle policies and applying them to agent instances, with cross-team coordination between security and agent owners for compliance reviews.
📄️ Configure Agent 365 Dashboards for Ongoing Inventory and Adoption Monitoring
Implementation Effort: Low – Both the Agent Map and Overview dashboard are built-in features in the Microsoft 365 admin center that require minimal configuration to enable.
📄️ Automate Agent Registry Management at Scale via Graph API
Implementation Effort: Medium – Requires familiarity with Microsoft Graph API and scripting or automation tooling; the API surface itself is straightforward once permissions are configured.
📄️ Require MCP Management Server for All Custom MCP Server Deployments
Implementation Effort: Low – Establishing the requirement is a policy decision; the MCP Management Server is a built-in capability of Agent 365 that development teams adopt without infrastructure provisioning.
📄️ Manage Sensitivity Labels for Agent Embedded File Content
Implementation Effort: Medium – Requires extending the organization's sensitivity label taxonomy to cover agent-specific scenarios, coordinating label inheritance behavior for embedded file content, and validating that labels persist when agents process and re-surface documents.
📄️ Enable Defender real-time agent protection during runtime
Implementation Effort: Medium – Requires coordination between security administrators in the Defender portal and Power Platform administrators to complete the onboarding, including configuring a Microsoft Entra ID application and connecting the Microsoft 365 app connector.
📄️ Configure Defender Advanced Hunting queries for agent activity
Implementation Effort: Medium – Requires writing KQL queries against the CloudAppEvents table in Microsoft Defender, understanding the agent activity action types, and creating saved queries or custom detection rules for recurring use.
📄️ Configure SharePoint Site Access and Sharing Controls for Agents
Implementation Effort: Medium – Requires reviewing and tightening site-level access controls and sharing settings across SharePoint sites that agents access, with coordination between SharePoint administrators, site owners, and security teams.
📄️ Configure SharePoint Agent Access and Permissions Insights
Implementation Effort: Low – Leverages built-in SharePoint data access governance reports and permissions insights that require minimal configuration to enable.
📄️ Assess AI risk with Microsoft Security Dashboard for AI
Implementation Effort: Low – Dashboard is available through the Microsoft Security portal with no additional infrastructure; requires only that underlying Microsoft Security products are deployed.
📄️ Configure Privileged Roles to Manage AI
Implementation Effort: Medium – Requires identifying the right roles across Entra, Defender, and Purview, assigning them through Privileged Identity Management, and validating least-privilege access for each AI management responsibility.
📄️ Review AI agent, model, and app inventory
Implementation Effort: Low – Uses the AI inventory page in Microsoft Security Dashboard for AI to review already-discovered assets; no new deployment required.
📄️ Review and prioritize AI risk findings
Implementation Effort: Medium – Requires security team review of aggregated risk findings across Entra, Defender, and Purview, plus prioritization decisions that involve cross-team coordination.
📄️ Configure recommendation delegation workflows
Implementation Effort: Medium – Requires establishing delegation processes, identifying responsible owners across security, identity, and data teams, and integrating with organizational communication workflows.
📄️ Establish Ongoing Monitoring and Remediation
Implementation Effort: High – Requires integrating multiple monitoring surfaces, defining operational cadences, assigning accountability, and building remediation workflows that span Defender, Purview, and Entra.
📄️ Configure Agent Publishing and Deployment Controls
Implementation Effort: Medium – Requires configuring multiple approval workflows (publishing, activation, update approval) and deployment policies within the Microsoft 365 admin center, with cross-team alignment between AI administrators and security teams on approval criteria.
📄️ Configure Agent 365 Access and Sharing Policies
Implementation Effort: Low – These are tenant-level toggle settings within a single page of the Microsoft 365 admin center that require minimal coordination but should be deliberately decided before agents are published.
📄️ Define Agent Collection Taxonomy
Implementation Effort: Medium – Requires cross-team alignment between security, compliance, and business unit stakeholders to agree on grouping criteria and ownership model.
📄️ Extend Sign-In Log Monitoring to Cover Agent Identity Traffic
Implementation Effort: Low – Requires updating existing sign-in log filters, workbooks, and alert rules to recognize new agent identity types; no new logging infrastructure needed.
📄️ Verify Global Secure Access Readiness for AI Workloads
Implementation Effort: Low – Verification and validation of existing infrastructure; no new deployments if GSA is already in place.
📄️ Verify Data Protection Readiness for AI Workloads
Implementation Effort: Low – A focused assessment activity that uses existing Microsoft Purview tooling to evaluate the current state of data protection controls before enabling AI features.
📄️ Deploy One-Click DLP and IRM Policies from DSPM for AI
Implementation Effort: Low – One-click policies are preconfigured in the DSPM for AI console and deploy with minimal administrator input; policy scoping and tuning can follow after initial deployment.
📄️ Deploy and Configure Microsoft Purview Posture Agent
Implementation Effort: Medium – Requires Microsoft Security Copilot onboarding with security compute units (SCUs) provisioned, Microsoft Purview plug-in activation, and role assignments across Purview and Security Copilot; ongoing SCU consumption must be monitored.
📄️ Establish Recurring Triage Process for AI DLP Alerts
Implementation Effort: Medium – Requires cross-team coordination between security operations, compliance, and data protection teams to define triage workflows, assign ownership, and establish review cadences for DLP alerts generated by AI workloads.
📄️ Deploy and Configure DLP Alert Triage Agent
Implementation Effort: Medium – Requires Microsoft Security Copilot onboarding with security compute units (SCUs) provisioned, Microsoft Purview plug-in activation, agent identity configuration, and policy scope definition; ongoing SCU consumption monitoring is needed.
📄️ Deploy and Configure IRM Alert Triage Agent
Implementation Effort: Medium – Requires Microsoft Security Copilot onboarding with security compute units (SCUs) provisioned, Microsoft Purview plug-in activation, agent identity configuration, policy scope selection, and custom instruction tuning; ongoing SCU consumption monitoring is needed.
📄️ Define MCP Server and Tool Approval Policy
Implementation Effort: Low – Policy definition task requiring alignment between security, platform engineering, and compliance teams; no infrastructure changes.
📄️ Activate Approved MCP Servers and Manage Tool Access
Implementation Effort: Medium – Requires evaluating the Agent 365 MCP server catalog against the organization's approval policy, activating approved servers, configuring scoped Entra permissions per agent, and managing Connected Agents for Researcher.
📄️ Configure Copilot Studio Data Policies for Agent Capabilities
Implementation Effort: Medium – Requires cross-team alignment between security, platform engineering, and agent makers to classify Copilot Studio connectors and configure environment-scoped data policies in the Power Platform admin center.