Agent 365 | Security Operations in Defender

Jun 09, 2026 - 17:01
Updated: 5 days ago

Triage high-severity alerts as IT in the Microsoft 365 admin center, then pivot into the full incident graph as a SOC analyst in Microsoft Defender. Block malicious tool invocations the instant they fire and catch jailbreak attempts on Copilot Studio agents before they take hold. 

Trace a compromised user back to suspicious agent activity, then trigger Microsoft Entra conditional access to revoke the session and force a password reset straight from the incident. Hunt overpermissioned agents with pre-built advanced hunting templates — including one that exposes every agent running MCP tools on the maker’s standing credentials — and pull risky builds from the Agent Store using the Agent Registry. 

Spencer Berg, AI & Security Product Manager, shares how to turn agent risk signals into coordinated remediation across Defender, Entra, and the Microsoft 365 admin center. 

One agent. Two security views. 

IT admins triage critical alerts in the M365 admin center. SOC analysts dig into the full incident graph in Microsoft Defender. Try Agent 365.

Real-time agent defense. 

Microsoft Defender blocks malicious tool calls mid-execution and flags persistent jailbreak attempts on Copilot Studio agents the moment they happen. Watch it in action.

Pull a risky AI agent from the Agent Store. 

Open the Agent Registry in the Microsoft 365 admin center, block the agent, and cut access for current users until the maker resubmits a safer build. See it here.

QUICK LINKS: 

00:00 — Stay in control with Agent 365 

00:40 — Gain visibility with unified control plane 

01:48 — Unified IT & SOC agent view 

02:54 — Real-time blocking and jailbreak detection 

04:08 — Auto-revoke via Entra conditional access 

04:32 — Prevent future incidents 

05:28 — Advanced hunting for AI agents 

06:43 — Block risky agents 

07:15 — Wrap up

Link References 

Check out https://aka.ms/Agent365SecOps 

Unfamiliar with Microsoft Mechanics? 

Microsoft Mechanics is Microsoft’s official video series for IT. Watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft. 


Video Transcripts:

-What if your next Sev 1 security incident isn’t a compromised user, but instead an autonomous agent, chaining actions across systems you didn’t even know it could reach? In the agentic era, SOC teams aren’t just defending endpoints or identities. They’re defending a machine-speed execution layer that collapses boundaries and turns small gaps into full attack paths. When agents act on their own while logged in as a user, on-behalf-of activity becomes user impersonation. They can access and interact with Teams, email, other internal apps, and your users’ devices. This blurs the lines between human and agent activity. So how do you gain visibility into these activities and stay in control? It starts with the fundamentals of agent defense, knowing what’s running, controlling what it can access, and seeing what it’s doing in real time. Agent 365 brings all these defense areas together through a unified control plane. 

-The Microsoft 365 admin center provides centralized inventory and governance of agents and tools. Entra establishes strong identity with least-privilege access and clear ownership. Defender delivers runtime protection and deep observability with end-to-end activity tracing and detection. And Purview enforces data protection and posture by monitoring how agents interact with sensitive information. Together, these capabilities create a shared, consistent view so security and IT can manage agent risk as one system, not in silos. Today, in the second episode of this series, we build on that foundation and dive deeper from the SOC perspective in Microsoft Defender, showing how unified agent visibility enables faster detection, stronger investigations, and coordinated response with IT before agent-driven risk escalates. 

-Starting off as an IT admin in the Microsoft 365 admin center, I can see agents which have risks associated with them. The agent risks tab in the registry has identified several agents that need my attention based on security risk signals surfaced here. And drilling into any of these agents exposes the security & compliance page, where the IT admin will see only unresolved alerts with high and critical severity from Defender. Switching perspectives, as a SOC analyst on the Zava security team, the Microsoft Defender portal is my go-to solution for threat protection, including posture management and investigations. I also need detailed security information for the agents that run in our environment. 

-I can view the same agent within Defender with a security lens with related incidents and alerts. I mentioned before that an IT admin can see the big picture and even view unresolved alerts from critical incidents within their experience, but as a SOC analyst, I need the granular details to dig deeper into the incident. I can see all the lower priority and resolved incidents that provide more context on the activity of this agent. Microsoft Defender continuously monitors AI agent activity in real time. It can block malicious tool invocation attempts as they happen, and alert security teams that there have been attempts to jailbreak AI agents. 

-Let’s click into the critical incident to investigate further. In the details, I can see that this has been identified as a collection incident involving one user. It also includes the information that our SOC team needs. I can look at the incident description to see that the agent is connected to a tool that sends emails, which was blocked, thankfully. Let’s open the incident page to investigate further. 

-Now we can see a detailed explanation of what happened, who was involved, and additional context. Alerts related to the agent are combined into a more detailed incident view, including persistent jailbreak attempts on a Copilot Studio agent and an AI agent tool invocation by the same user, which was blocked by Microsoft Defender. The alert also provides recommended actions to remediate it. It shows all events related to our user, Griffin, where the agent tried to invoke the same email tool multiple times within a short period, each with details on the date, time, and the user’s IP address. Optionally, we could investigate the user further using advanced hunting to view additional activity across a longer period. 

-That said, for this incident, I have enough information to suspect that it’s potentially stolen credentials and is carrying out suspicious activity. I can then click on the user to view their details and confirm that they have been compromised. Defender can automatically trigger our Entra conditional access policy to revoke Griffin’s access and require them to reset their password. This would now show that their account has been compromised and let us resolve the incident without further impact. 

-And I can also prevent future incidents with this agent. For that, I’ll use advanced hunting to get more information and context. I’ll click on the agent within the incident graph to find out more about the purpose of the agent, its number of associated incidents and alerts, as well as other tools it’s connected to. Running this query gives me the most up-to-date information about this agent. I can see detailed attributes like the agent’s name and creation date, who last modified it, and when. It also shows its action triggers, which actually invoke the agent to run, and any connected or child agents it interacts with. 

-Now, tying this back to our earlier attack, we saw that Defender’s real-time protection blocked a tool invocation for the tool that sends emails. That’s already good news, but as the investigator, I want to know what else this agent can do and how risky it is. I’ll open Agent Tool Details and I can see that, in addition to sending emails, this agent also has access to an MCP server as a knowledge source. MCP servers often expose a broad set of actions. These are mostly used for read access, but sometimes write access too. Often, as a workaround for future permissions issues, developers or makers give write access even in cases where the agent only needs read access. That’s what we call overpermissioning, and it goes against the principle of least privilege. In turn, it introduces a lot more risk if the agent is ever compromised. But I don’t want to stop with just one agent. Let’s find out if other agents in my organization are exposing risks related to overpermissioning. 

-Here, I have a collection of pre-built queries designed specifically for AI agents, making it easy to spot misconfigurations, excessive permissions, and other risky setups across my environment. This specific template gives me a view into agents with MCP tools configured using the maker’s credentials. That’s not good. With these permissions, the MCP server tools can be accessed using the standing permissions of the agent maker. This can lead to privilege escalation and data exposure. The advanced hunting results show that multiple agents have access to MCP servers with maker privileges, which put them at high risk. 

-Now we have the information we need to notify each creator that changes are necessary to scope their agent’s permissions so that they can be used safely. From there, our Microsoft 365 administrator can prevent the current agents from being used until new versions are ready. To do that, as the IT admin, I’m signed into the Microsoft 365 admin center, and in the Agent Registry. There’s our Customer Billing Agent, and I’ll click into its details. I can take action from here and block it from being used, then confirm. That’s going to remove it from the Agent Store for new users, and prevent current users from accessing it. 

-Then, once a newer, safer version of the agent is ready, the maker can resubmit it for publishing approval. With Agent 365 using Microsoft Defender, you can strengthen agent security posture and protect against threats. This helps you proactively identify and mitigate risks before attacks occur. 

-To learn more, check out aka.ms/Agent365SecOps. And in the next episode of this series, we’ll explore Agent 365 with Microsoft Entra to prevent agent sprawl, unclear ownership, and weak lifecycle management. Keep watching Microsoft Mechanics for the latest AI and security updates. Thanks for watching.
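The transcript above walks through two hunts without showing their logic: the advanced hunting template that lists agents whose MCP tools run on the maker's standing credentials (also summarised in the page description), and the incident timeline in which one user drove the same email tool repeatedly inside a short window before Defender blocked the call. The example below is added here and is not Microsoft's code, a Defender advanced hunting query, or the Agent 365 schema; it reproduces both checks in Python over a constructed agent inventory and a constructed set of tool-invocation events. Every field name (`kind`, `auth`, `scopes`, `blocked`, and so on), the user and agent names, and the IP address are assumptions made for the example.

```python
"""
Added example (not Microsoft's code): two of the hunts described in the
transcript, implemented over constructed data.

1. Inventory hunt: MCP tools configured to run on the maker's standing
   credentials instead of a scoped agent identity (overpermissioning).
2. Activity hunt: one user invoking the same tool on the same agent
   repeatedly inside a short window (the burst that preceded the block).

All field names and records are assumptions for the example, not the
Defender advanced hunting schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed agent inventory. "auth" records which identity a tool call
# runs under: "maker" = the maker's standing credentials, "agent" = a
# dedicated, scoped identity for the agent.
AGENTS = [
    {"name": "Customer Billing Agent", "maker": "maker1@zava.example", "tools": [
        {"name": "SendEmail", "kind": "connector", "auth": "agent", "scopes": ["Mail.Send"]},
        {"name": "BillingMCP", "kind": "mcp", "auth": "maker", "scopes": ["read", "write"]},
    ]},
    {"name": "HR Helper", "maker": "maker2@zava.example", "tools": [
        {"name": "DocsMCP", "kind": "mcp", "auth": "agent", "scopes": ["read"]},
    ]},
    {"name": "Sales Insights", "maker": "maker3@zava.example", "tools": [
        {"name": "CrmMCP", "kind": "mcp", "auth": "maker", "scopes": ["read"]},
    ]},
]


def mcp_tools_on_maker_credentials(agents):
    """Return one finding per MCP tool that runs as the agent's maker.

    write_access is flagged separately: a read-only MCP tool on maker
    credentials is already a problem, a read/write one is worse.
    """
    hits = []
    for agent in agents:
        for tool in agent["tools"]:
            if tool["kind"] == "mcp" and tool["auth"] == "maker":
                hits.append({
                    "agent": agent["name"],
                    "maker": agent["maker"],
                    "tool": tool["name"],
                    "write_access": "write" in tool["scopes"],
                })
    return hits


def agents_to_block(hits):
    """Distinct agent names to take to the Agent Registry for blocking."""
    return sorted({h["agent"] for h in hits})


def _t(s):
    return datetime.fromisoformat(s)


# Constructed tool-invocation events: one user drives the SendEmail tool
# four times in forty seconds (the last call blocked); the other records
# are single, unrelated invocations that must not be flagged.
EVENTS = [
    {"time": _t("2026-06-09T16:30:00"), "user": "dana@zava.example", "agent": "Customer Billing Agent", "tool": "SendEmail", "ip": "198.51.100.4", "blocked": False},
    {"time": _t("2026-06-09T16:59:50"), "user": "griffin@zava.example", "agent": "Customer Billing Agent", "tool": "BillingMCP", "ip": "203.0.113.7", "blocked": False},
    {"time": _t("2026-06-09T17:00:01"), "user": "griffin@zava.example", "agent": "Customer Billing Agent", "tool": "SendEmail", "ip": "203.0.113.7", "blocked": False},
    {"time": _t("2026-06-09T17:00:12"), "user": "griffin@zava.example", "agent": "Customer Billing Agent", "tool": "SendEmail", "ip": "203.0.113.7", "blocked": False},
    {"time": _t("2026-06-09T17:00:25"), "user": "griffin@zava.example", "agent": "Customer Billing Agent", "tool": "SendEmail", "ip": "203.0.113.7", "blocked": False},
    {"time": _t("2026-06-09T17:00:40"), "user": "griffin@zava.example", "agent": "Customer Billing Agent", "tool": "SendEmail", "ip": "203.0.113.7", "blocked": True},
]


def tool_invocation_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Flag (user, agent, tool) groups with >= threshold calls inside `window`.

    Uses a sliding window over time-sorted events per group and keeps the
    densest window found, so the finding carries first/last time, the
    source IPs seen, and whether Defender blocked any call in the burst.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["agent"], e["tool"])].append(e)

    findings = []
    for (user, agent, tool), evs in by_key.items():
        evs = sorted(evs, key=lambda e: e["time"])
        left, best = 0, None
        for right, ev in enumerate(evs):
            while ev["time"] - evs[left]["time"] > window:
                left += 1
            count = right - left + 1
            if count >= threshold and (best is None or count > best["count"]):
                burst = evs[left:right + 1]
                best = {
                    "user": user, "agent": agent, "tool": tool, "count": count,
                    "first": burst[0]["time"], "last": burst[-1]["time"],
                    "ips": sorted({b["ip"] for b in burst}),
                    "blocked_any": any(b["blocked"] for b in burst),
                }
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for h in mcp_tools_on_maker_credentials(AGENTS):
        print("maker-credential MCP tool:", h)
    print("agents to block:", agents_to_block(mcp_tools_on_maker_credentials(AGENTS)))
    for b in tool_invocation_bursts(EVENTS):
        print("tool-invocation burst:", b)
```

Run as a script to see both findings. The window and threshold are deliberately parameters: the transcript only says "multiple times within a short period", so tune them against your own baseline of legitimate agent traffic before treating a burst as a signal of stolen credentials on its own.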

Christopher Holloway

Christopher Holloway is the founder and director of Progressive Robot, a UK-based technology company. A full-stack engineer with more than two decades of experience, he works across PHP development, ecommerce, Linux infrastructure, technical SEO and AI automation, and writes here on technology, AI, hardware and software.
