- Advanced real-time protection in Defender for Cloud Apps adds an extra layer of protection onto Copilot Studio agents used with Microsoft 365 Copilot.
- This protection is broader than Copilot Studio’s native defenses and could help reduce the risks of unintended consequences from agents created by low coders.
- Organizations already licensing Microsoft 365 E5 may want to consider adding Defender for Cloud Apps protection to their Copilot Studio agents, but users not licensed for E5 will need to be licensed for Defender.
Advanced real-time protection for Copilot Studio, a new Defender for Cloud Apps feature, offers an additional level of protection for agents that is more extensive than the protections Copilot Studio itself offers. This feature could prove useful for organizations using Copilot Studio agents heavily but brings additional licensing requirements if Microsoft 365 E5 is not already broadly licensed. Free during preview, it currently only supports Copilot Studio agents and requires licensing users with Defender for Cloud Apps, which is typically licensed with Microsoft 365 User Subscription Licenses (User SLs).
Where Does Advanced Real-Time Protection Fit?
Copilot Studio already includes built-in protection from two major types of attacks:
- Cross-prompt injection attacks (XPIA)—Malicious injection from an external source into a large language model (LLM) prompt to cause data leaks or tool misuse
- User-prompt injection attacks (UPIA)—Malicious injection by user into an LLM prompt to achieve a malicious goal.
Defender for Cloud Apps Advanced Real-time Threat Protection offers additional protection and governance beyond those two approaches by offering three new capabilities for Copilot Studio agents:
- Inspecting all tool calls made by Copilot Studio agents through Defender
- Logging of all Copilot Studio agent outbound tool calls into Purview logs
- Potentially integrating third-party and custom solutions that can offer real-time detection and logging.
Inspecting Real-Time Tool Calls
To enable real-time protection, Copilot Studio agents must be configured within Power Platform to share data with Defender for Cloud Apps using a Microsoft 365 App Connector.
Real-time protection connects through a Microsoft 365 App Connector that accesses Microsoft 365 and Entra ID management activities. It uses that information to assess actions performed by agents that were created using Copilot Studio.
Defender for Cloud Apps can access the user’s prompt and chat history, tool details and input values, and key metadata, including the agent ID, user ID, and tenant ID involved in the request.
Every time Copilot Studio agents make a tool or action, Defender for Cloud Apps gets one second to respond whether to allow or disallow that action. If no response is received in time, the agent assumes approval and continues.
On disallow, the invocation is blocked before it runs, and the user is notified that their message was blocked. In addition, a Defender XDR alert is created about the potential incident.
Logging Copilot Studio Agent Activity
Once configured, Copilot Studio will use Defender for Cloud Apps to create audit logs for every interaction with external systems.
Admins can use these logs to track attempted breaches, identify vulnerable agents, and improve future deployments.
These logs can also assess how well external monitoring is working and potentially enhance them or request enhancements from Microsoft (or a third party if relevant).
Third-Party Extensibility Available
Copilot Studio now also offers a REST-based API available for organizations or partners looking to build their own threat assessment systems instead of using Defender for Cloud Apps.
As with Defender for Cloud Apps integration, the API enables an API where the third party can specify that tools should be allowed or blocked, as well as validate that the third-party integration is working correctly.
Licensing
Real-time protection of Copilot Studio–based agents requires licensing Defender for Cloud Apps for every user that benefits from this protection. In addition, any users that benefit from a third-party detection system designed to respond to configured REST-based API calls from agents built using Copilot Studio must also be licensed for that software, but do not need to be licensed for Defender for Cloud Apps.
Most organizations acquire Defender for Cloud Apps as a component of the Microsoft 365 E5 suite User SL or a lesser suite that includes it.
Directions Recommends
Consider using Defender for Cloud apps with agents. Understand that this feature requires broad licensing of Defender for Cloud Apps at a minimum and only works with Copilot Studio agents.
Investigate if your security vendor may add support. Since Microsoft’s API is open, any additional partner can also integrate into Copilot Studio and offer real-time agent protection.
Regularly assess Defender XDR and Purview logs for agent activities. An increasing number of Copilot incidents are logged into Defender XDR, and agent activities are logged into Purview.
Resources
Copilot Studio and agents are described in the Directions report “Understanding Copilot Studio.”
Real-time agent protection was announced in “Strengthen agent security with real-time protection in Microsoft Copilot Studio. (Microsoft)”
Real-time agent protection details are described in “Real-time protection during agent runtime for Microsoft Copilot Studio AI agents (Preview)” (Microsoft).
The third-party Copilot Studio agent threat detection API is described in “Build a runtime threat detection system for Copilot Studio agents” (Microsoft).