Merge pull request #5750 from MicrosoftDocs/main

 Publish MDC/MSEM defender portal integration

Author: shsagir

defender-for-cloud-apps/release-notes.md

@@ -1,7 +1,7 @@
 ---
 title: What's new | Microsoft Defender for Cloud Apps
 description: This article is updated frequently to let you know what's new in the latest release of Microsoft Defender for Cloud Apps.
-ms.date: 05/13/2025
+ms.date: 11/25/2025
 ms.topic: overview
 ---
 
@@ -20,6 +20,20 @@ For more information on what's new with other Microsoft Defender security produc
 
 For news about earlier releases, see [Archive of past updates for Microsoft Defender for Cloud Apps](release-note-archive.md).
 
+## November 2025
+
+### AI Agent Protection (Preview)
+Microsoft Defender delivers comprehensive protection for AI agents, combining proactive exposure management with advanced threat detection. It automatically discovers AI agents created in Microsoft Copilot Studio and Azure AI Foundry, collects audit logs, continuously monitors for suspicious activity, and integrates detections and alerts into the XDR Incidents and Alerts experience with a dedicated Agent entity.
+
+  - **Copilot Studio AI agents**
+
+    Defender ingests data from Copilot Studio agents into Advanced Hunting, enabling you to create custom queries and proactively hunt for threats. It also provides real-time protection by monitoring agent runtime and blocking harmful or suspicious actions, fully integrated with XDR incidents and alerts.
+
+  - **Azure AI Foundry AI agents**
+
+    Defender monitors agents for misconfigurations and vulnerabilities, identifies potential attack paths, and delivers actionable security recommendations through Exposure Management to strengthen your AI security posture.
+
+For more information, see [Protect your AI agents (Preview)](ai-agent-inventory.md).
 
 ## September 2025 
 

defender-for-cloud-apps/toc.yml

@@ -428,7 +428,7 @@ items:
       href: app-activity-threat-hunting.md
   - name: App governance FAQ
     href: app-governance-faq.yml
-- name: Protect AI agents
+- name: Protect AI agents (Preview)
   items:
   - name: Overview
     href: ai-agent-protection.md

defender-xdr/TOC.yml

@@ -64,6 +64,8 @@
         href: /defender-cloud-apps/what-is-defender-for-cloud-apps?toc=/defender-xdr/toc.json&bc=/defender-xdr/breadcrumb/toc.json
       - name: Protect your IoT/OT assets
         href: protect-against-iot-ot-threats.md
+      - name: Protect your custom AI agents
+        href: ai-agent-inventory.md
       - name: Microsoft Secure Score
         items:
           - name: Overview

defender-xdr/ai-agent-inventory.md

@@ -0,0 +1,122 @@
+---
+title: Protect AI agents
+description: Learn how Microsoft Defender protects AI agents from security threats. Learn about agent inventory, real-time protection, and threat hunting capabilities.
+ms.service: defender-xdr
+ms.author: abbyweisberg
+author: AbbyMSFT
+ms.topic: article
+ms.date: 11/20/2025
+appliesto:
+    - Microsoft Defender for XDR
+    - Microsoft Defender for Cloud Apps
+    - Microsoft Defender for Cloud
+
+#Customer intent: As a security administrator, I want to protect my organization's AI agents from security threats and maintain visibility into agent activities and configurations.
+---
+
+# Protect your AI agents (Preview)
+
+As organizations embrace AI agents to streamline operations and enhance productivity, they also face new security risks that these tools can introduce.
+
+Without strong visibility and controls, misconfigured AI agents can expose sensitive data, enable unauthorized access, escalate privileges, and trigger unintended actions that weaken your organization’s security posture.
+
+To provide comprehensive threat protection, we include both posture management to minimize the attack threat landscape, while at the same time we operate under the assumption that a breach can occur. 
+
+## AI agent protection features
+Microsoft Defender protects you against security threats with comprehensive AI agent protection, offering proactive exposure management and advanced threat hunting with these features: 
+
+- Detects all of your AI agents created with Microsoft Copilot Studio or Azure AI Foundry. 
+- Collects audit logs for your AI agents, continuously monitors the agents for suspicious activity, and enables detections and alerts. To enable this monitoring, make sure that you:
+    - [Enable the AI agent inventory](#discover-your-ai-agents-with-the-ai-agent-inventory-in-the-defender-portal-preview).
+    - [Enable the Microsoft 365 connector](/defender-cloud-apps/protect-office-365#connect-microsoft-365-to-microsoft-defender-for-cloud-apps).
+- For Copilot Studio AI agents, Microsoft Defender:  
+    - Integrates data from Copilot Studio AI agents into [advanced hunting](advanced-hunting-overview.md) for proactive threat detection. You can use this data to create custom queries and hunt for potential threats. 
+    - [Protects your environment in real-time](/defender-cloud-apps/real-time-agent-protection-during-runtime) to block suspicious or harmful actions initiated by your Copilot Studio AI agents during agent runtime, and triggers an informative alert integrated into the XDR incidents and alerts environment.  
+- For Azure AI Foundry AI agents, Microsoft Defender:  
+    - Monitors your AI agents for misconfigurations and vulnerabilities, and identifies potential attack paths.
+    - Provides security recommendations to improve the security posture of your AI agents.
+    
+## Prerequisites
+To enable AI agent inventory and detection you must opt in to the [Microsoft Defender preview features](https://security.microsoft.com/securitysettings/defender/preview_features) of:
+- Microsoft Defender for Cloud Apps
+- Microsoft Defender for Cloud
+- Microsoft Defender XDR
+
+## Discover your AI agents with the AI agent inventory in the Defender portal (Preview)
+
+Microsoft Defender detects all of the AI agents created with Microsoft Copilot Studio and Azure AI Foundry. This inventory helps security teams discover, catalog, and continuously monitor AI agents across your organization.
+
+ - To set up AI agent inventory for agents created in Coplot Studio, see [Discover and protect your AI Agents (Preview)](ai-agent-inventory.md).
+ - To set up AI agent inventory for agents created in Azure AI Foundry, see [Microsoft Defender for Cloud AI Security posture management](/azure/defender-for-cloud/ai-security-posture).
+
+## The AI agent inventory page
+The AI agent inventory page in Microsoft Defender provides a centralized view of all detected AI agents, along with their key attributes and security status. 
+
+1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com/).
+1. In the left navigation pane, select **Assets** > **AI Agents**.
+
+    A list of all detected AI agents appears. 
+
+    :::image type="content" source="media/ai-agent-inventory/ai-agent-inventory.png" alt-text="Screenshot that shows the AI agent inventory in the Defender portal.":::  
+
+1. Select **Copilot Studio** or **Azure AI Foundry** to see a filtered list of AI agents based on the tool used to create the agent.
+1. To see detailed information about a specific AI agent, select the agent from the list. 
+
+## AI agent details
+When you select an AI agent from the inventory, the **Agent** pane opens, providing detailed information about the selected agent. The information displayed varies based on whether the agent was created in Azure AI Foundry or Copilot Studio.
+
+### [Azure AI Foundry](#tab/azure-ai-foundry)
+
+-- Select **Open agent page** to open the [**AI Agent** page](/azure/defender-for-cloud/identify-ai-workload-model).
+
+:::image type="content" source="media/ai-agent-inventory/foundry-agent-details.png" alt-text="Screenshot that shows the details for Foundry AI agents in the Defender portal."::: 
+
+- Select **Go hunt** to perform [advanced hunting](advanced-hunting-overview.md).
+- Select **View on map** to see the agent's [location and related attack paths](/azure/defender-for-cloud/concept-attack-path).
+
+These AI agent details are displayed:
+
+|AI Agent Information  |Description  |
+|---------|---------|
+|ID     |Unique identifier for the agent as assigned to it in Azure AI Foundry         |
+|Name     |Display name of the agent         |
+|Account     |The account or tenant under which the AI agent operates, typically linked to organizational ownership.         |
+|Deployment     |Details about where and how the AI agent is deployed (e.g., cloud environment, on-premises, hybrid).         |
+|Attack paths     |Potential routes or methods that could be exploited to compromise the AI agent or its environment.         |
+|Risk factors |Key vulnerabilities or conditions that increase the likelihood of security threats to the AI agent.         |
+|Creation time     |Date and time when the agent was created         |
+|Project     |The associated project or initiative that the AI agent supports or belongs to.         |
+|Model     |The underlying AI/ML model powering the agent, including version or architecture details.         |
+|Recommendations     | Suggested actions or best practices to improve security, performance, or compliance for the AI agent.        |
+
+
+#### [Copilot Studio](#tab/copilot-studio)
+
+- Select **Open agent page** to open the Copilot Studio AI Agent page in the Defender portal.
+- Select **Go hunt** to perform [advanced hunting](advanced-hunting-overview.md).
+
+:::image type="content" source="media/ai-agent-inventory/copilot-agent-details.png" alt-text="Screenshot that shows the details for Copilot Studio AI agents in the Defender portal.":::
+
+These AI agent details are displayed:
+
+|AI Agent Information  |Description  |
+|---------|---------|
+|Description     |Description of the agent as displayed in the agent's source         |
+|ID     | Unique identifier for the agent as assigned to it in Microsoft 365 Copilot or Copilot Studio        |
+|Environment ID     |The identifier of the Microsoft Power Platform environment the agent resides in.         |
+|Name     |Display name of the agent         |
+|Creator     | User principal name (UPN) of the account that created the agent        |
+|Authentication type | The agent’s configured authentication type for users interacting with the agent; possible values: None, Microsoft, Custom.        |
+|Access control     |Users that can interact with the agent; possible values: Any, Copilot readers, Group membership, Any (multitenant)         |
+|Creation time     | Date and time when the agent was created        |
+|Owner     |User principal names (UPN) of all the owners of the agent         |
+|Authentication trigger     | Indicates when authentication is triggered for the agent; possible values: As Needed, Always        |
+|Authorized security group IDs     |List of Azure Active Directory Group IDs that are allowed to interact with the agent         |
+|Alerts     | Notifies you of any Microsoft Defender alerts related to the AI agent. |
+
+
+--- 
+
+## See also
+ - [Discover and protect your Copilot StudioAI Agents (Preview)](ai-agent-inventory.md).
+ - [Microsoft Defender for Cloud AI Security posture management](/azure/defender-for-cloud/ai-security-posture).

defender-xdr/compare-rbac-roles.md

@@ -129,13 +129,40 @@ You configured protection-related Exchange Online permissions in the Exchange ad
 > Exception: If you have configured [Scoped deployment](/defender-cloud-apps/scoped-deployment) for Microsoft Defender for Identity alerts in Microsoft Defender for Cloud Apps, these permissions do not carry over. You need to explicitly grant the Security operations \ Security data \ Security data basics (read) permissions for the relevant portal users.
 
 <a name='map-microsoft-defender-for-cloud-apps-permissions-to-the-microsoft-365-defender-unified-rbac-permissions'></a>
-
 ### Map Microsoft Defender for Cloud Apps permissions to the Microsoft Defender XDR Unified RBAC permissions (Preview)
 
 > [!IMPORTANT]
 > App Governance supports Microsoft Entra roles as described in [Roles in app governance for Microsoft Defender for Cloud Apps](/defender-cloud-apps/app-governance-get-started#roles) and does not support the roles defined in the integration of Defender for Cloud Apps with unified RBAC.</br></br>
 > Once you activate the Defender for Cloud Apps integration with Microsoft Defender XDR Unified RBAC, the following roles, configured through [built-in scoped roles](/defender-cloud-apps/manage-admins#roles-and-permissions) in Defender for Cloud Apps, will no longer be supported: **App/instance admin**, **User group admin**, **Cloud Discovery global admin**, and **Cloud Discovery report admin**.
 
+|Defender for Cloud Apps permission|Defender XDR Unified RBAC permission|
+|---|-----|
+|Local Global administrator|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage)</br>Authorization and settings \ Authorization (all permissions) </br>Authorization and settings \ Security settings (all permissions) </br>Authorization and settings \ System settings (all permissions)|
+|Local Security operator|Security operations \ Security data \ Security data basics (read) </br>Security operations \ Security data \ Alerts (manage)</br>Authorization and settings \ Authorization (read) </br>Authorization and settings \ Security setting (all permissions) </br>Authorization and settings \ System setting (read)|
+|Local Security reader|Security operations \ Security data \ Security data basics (read)</br>Authorization and settings \ Authorization (read) </br>Authorization and settings \ Security settings \ Security settings (read) </br>Authorization and settings \ System settings (read)|
+|Local Compliance administrator|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage)</br>Authorization and settings \ Authorization (read) </br>Authorization and settings \ Security settings \ Security settings (all permissions) </br>Authorization and settings \ System settings (read)|
+
+### Unified RBAC roles in Microsoft Defender for Cloud
+
+Unified Role-Based Access Control (uRBAC) lets you manage permissions across Microsoft Defender for Cloud resources using a consistent model. Roles define what actions users can perform and assign roles carefully to maintain least-privilege access.
+
+The following table lists the available uRBAC roles and their permissions.
+
+| **Role**                | **Permissions**                                                                                              | **Description**                                                                 |
+|-------------------------|----------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------|
+| **Security data basics**: Security operations / Security data / Security data basics (read)   | Read | Access alerts, incidents, investigations, hunting, devices, cloud assets, and reports. Includes cloud inventory and threat protection. |
+| **Alerts**: Security operations / Security data / Alerts (manage) | Manage | Manage alerts, investigations, scans, device tags, and packages. Includes cloud threat protection features. |
+| **Vulnerability Management**: Security posture / Posture management / Vulnerability management (read) | Read | View vulnerability data: software inventory, weaknesses, missing KBs, baselines, hunting, and devices. Includes data lake (Preview). |
+| **Exposure Management**: Security posture / Posture management / Exposure Management (read); Security posture / Posture management / Exposure Management (manage) | Read/Manage  | View or manage exposure insights, including Secure Score, recommendations, initiatives, and metrics.|
+
+> [!NOTE]
+> Roles can be combined for broader access, but always apply least-privilege principles. Some capabilities may require additional permissions or feature enablement.
+
+### Map Microsoft Defender for Cloud Apps permissions to the Microsoft Defender XDR Unified RBAC permissions (Preview)
+
+> [!IMPORTANT]
+> App Governance supports Microsoft Entra roles as described in [Roles in app governance for Microsoft Defender for Cloud Apps](/defender-cloud-apps/app-governance-get-started#roles) and does not support the roles defined in the integration of Defender for Cloud Apps with unified RBAC.</br></br>
+> Once you activate the Defender for Cloud Apps integration with Microsoft Defender XDR Unified RBAC, the following roles, configured through [built-in scoped roles](/defender-cloud-apps/manage-admins#roles-and-permissions) in Defender for Cloud Apps, will no longer be supported: **App/instance admin**, **User group admin**, **Cloud Discovery global admin**, and **Cloud Discovery report admin**.
 
 |Defender for Cloud Apps permission|Defender XDR Unified RBAC permission|
 |---|-----|

defender-xdr/create-custom-rbac-roles.md

@@ -149,6 +149,12 @@ You can configure scoped access using Microsoft Defender XDR’s Unified RBAC (U
 
 For more information, see: [Configure scoped access for Microsoft Defender for Identity](/defender-for-identity/configure-scoped-access).
 
+### Configure scoped roles for Microsoft Defender for Cloud
+
+You can configure scoped access using Microsoft Defender XDR’s Unified RBAC model for resources managed by Microsoft Defender for Cloud. This enables you to limit access and visibility to specific **subscriptions**, **resource groups**, or **individual resources**. By applying scoped roles, you help ensure that team members only see and manage the assets relevant to their responsibilities, reducing unnecessary exposure and improving operational security.
+
+For more information, see: [Manage cloud scopes and unified role-based access control](/azure/defender-for-cloud/cloud-scopes-unified-rbac&pivots=defender-portal).
+
 ## Next steps
 
 - [Import existing RBAC roles](import-rbac-roles.md)

…protect-ai-agents/ai-agent-inventory.png …i-agent-inventory/ai-agent-inventory.pngdefender-xdr/media/protect-ai-agents/ai-agent-inventory.png renamed to defender-xdr/media/ai-agent-inventory/ai-agent-inventory.png defender-xdr/media/protect-ai-agents/ai-agent-inventory.png renamed to defender-xdr/media/ai-agent-inventory/ai-agent-inventory.png

@@ -19,6 +19,18 @@ ms.date: 07/06/2025
 
 This article provides information about new features and important product updates for the latest release of Microsoft Defender XDR Unified role-based access control (RBAC).
 
+## November 2025
+
+### Microsoft Defender for Cloud permissions are now integrated with Microsoft Defender XDR unified RBAC (Preview)
+
+We’ve introduced Unified Role-Based Access Control (uRBAC) to simplify permission management across Defender for Cloud resources.
+
+Assign roles consistently across cloud scopes.
+Apply least-privilege principles with granular permissions.
+New consolidated role table available for quick reference.
+
+For more information, see: [Unified RBAC roles in Microsoft Defender for Cloud](compare-rbac-roles.md#unified-rbac-roles-in-microsoft-defender-for-cloud)
+
 ## July 2025
 
 ### Microsoft Sentinel data lake permissions integrated with Microsoft Defender XDR unified RBAC (Preview)