Microsoft is putting a second line of defense around AI agents: Copilot Studio now supports advanced near‑real‑time protection during agent runtime, a public‑preview capability that lets organizations route an agent’s planned actions through external monitoring systems — including Microsoft Defender, third‑party security platforms, or homegrown tools — to approve or block actions before they execute.
Background
AI agents in enterprise settings are no longer experimental toys. They’re embedded in workflows that read documents, call APIs, send emails, and manipulate sensitive systems. That expansion of capability has widened the attack surface: prompt injection (both user and cross‑prompt types), jailbreaks, data exfiltration through connectors, and misconfigured automation can all cause real business harm. Microsoft has been steadily adding governance and protection controls to Copilot Studio — from environment routing and data loss prevention to agent protection status and audit logging — and the new near‑real‑time runtime protection extends that model into the execution path itself. (microsoft.com)

What the new runtime protection does
The core idea
Before an agent executes a planned action, Copilot Studio now sends the agent’s plan — including the user prompt, recent chat history, tool calls and their inputs, and metadata such as agent ID and tenant ID — to an external monitoring endpoint over an API. The external system has a hard, split‑second window in which to reply with an approve/block verdict: if it blocks the action, the agent halts and the user is notified; if it approves, the agent proceeds; and if no response arrives in time, the platform treats the action as approved and continues (the check fails open). This design makes external, policy‑driven enforcement part of the agent’s decision loop.

Key technical facts (as announced)
- Data shared with the external system includes the prompt, chat context, tool details, tool inputs, and metadata (agent ID, user ID, tenant ID).
- The external monitor is expected to respond within one second; after that, the agent proceeds by default.
- Admins configure and apply these protections across environments using the Power Platform Admin Center (no coding required), with per‑environment or environment‑group scoping. (microsoft.com, learn.microsoft.com, zenity.io)
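As an added illustration (not Microsoft’s code, and not the documented payload schema), here is a minimal Python policy monitor of the kind a homegrown endpoint would run, together with a simulation of the platform side that enforces the one‑second deadline and falls back to approval on timeout. The plan field names (`toolCalls`, `inputs`, and so on), the allowed‑domain list, and the sample plan are all constructed assumptions.

```python
import re
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

# Constructed sample plan. The real Copilot Studio payload schema is not shown on
# the page, so these field names are assumptions chosen for illustration only.
SAMPLE_PLAN = {
    "agentId": "agent-hr-onboarding", "tenantId": "tenant-0000", "userId": "user-42",
    "prompt": "Send the new hire's start-date note to their manager.",
    "chatHistory": ["user: please notify the manager about Monday"],
    "toolCalls": [{"name": "SendEmail",
                   "inputs": {"to": "manager@contoso.example",
                              "body": "Welcome aboard; start date is Monday."}}],
}

ALLOWED_EMAIL_DOMAINS = {"contoso.example"}          # assumed tenant policy
SECRET_PATTERN = re.compile(r"(?i)(api[_-]?key|password|secret)\s*[:=]\s*\S+")
VERDICT_DEADLINE_S = 1.0                             # platform default from the announcement


def evaluate_plan(plan: dict) -> dict:
    """Monitor side: inspect every planned tool call and return approve/block."""
    for call in plan.get("toolCalls", []):
        inputs = call.get("inputs", {})
        if call.get("name") == "SendEmail":
            domain = str(inputs.get("to", "")).rsplit("@", 1)[-1].lower()
            if domain not in ALLOWED_EMAIL_DOMAINS:
                return {"verdict": "block", "reason": f"recipient domain {domain!r} not allowed"}
        for value in inputs.values():               # crude check for credential-like inputs
            if SECRET_PATTERN.search(str(value)):
                return {"verdict": "block", "reason": f"secret-like value in {call['name']} input"}
    return {"verdict": "approve", "reason": "no policy matched"}


def slow_monitor(plan: dict, delay: float = 0.5) -> dict:
    """A monitor that is right but late: it blocks, yet only after `delay` seconds."""
    time.sleep(delay)
    return {"verdict": "block", "reason": "policy matched, but too late"}


def runtime_decision(plan: dict, monitor=evaluate_plan, deadline: float = VERDICT_DEADLINE_S) -> dict:
    """Platform side: wait at most `deadline` seconds for the verdict; on timeout the
    action is approved by default, so a slow monitor silently stops protecting."""
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(monitor, plan)
    try:
        return future.result(timeout=deadline)
    except FutureTimeout:
        return {"verdict": "approve", "reason": "monitor timed out; platform default applies"}
    finally:
        pool.shutdown(wait=False)
```

The `slow_monitor` case is the point: a verdict that arrives after the deadline has no effect, so monitor latency is itself a security property to measure during a pilot.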
- Revisit agent design and least privilege:
  - Apply data policies, environment routing, and connector whitelists at build time so that runtime checks are compensating controls rather than primary defenses. Use customer‑managed keys (CMK) and avoid persisting sensitive transcripts unless necessary.
Example deployment blueprint
- Phase A — Pilot
  - Identify three high‑value agents (e.g., HR onboarding automation, IT helpdesk, and a finance approver).
  - Route their runtime monitoring to Defender plus a vendor sandbox (or a custom lambda) configured to simulate varied responses.
  - Monitor latency, false positives, and user experience for 4–6 weeks. (microsoft.com, zenity.io)
Source: Microsoft, “Strengthen agent security with near-real-time protection in Microsoft Copilot Studio”, Microsoft Copilot Blog