Safeguard & Protect Your Custom Copilot Agents (Cyber Dial Agent)
Overview and Challenge Security Operations Centers (SOCs) and InfoOps teams are constantly challenged to reduce Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). Analysts often spend valuable time navigating multiple blades in Microsoft Defender, Purview, and Defender for Cloud portals to investigate entities like IP addresses, devices, incidents, and AI risk criteria. Sometimes, investigations require pivoting to other vendors’ portals, adding complexity and slowing response. Cyber Dial Agent is a lightweight agent and browser add-on designed to streamline investigations, minimize context switching, and accelerate SecOps and InfoOps workflows. What is Cyber Dial Agent? The Cyber Dial Agent is a “hotline accelerator” that provides a unified, menu-driven experience for analysts. Instead of manually searching through multiple portals, analysts simply select an option from a numeric menu (1–10), provide the required value, and receive a clickable deep link that opens the exact page in the relevant Microsoft security portal. Agent base experience The solution introduces a single interaction model: analysts select an option from a numeric menu (1–10), provide the required value, and receive a clickable deep link that opens the exact page in the Microsoft Defender, Microsoft Purview, Microsoft Defender for Cloud portal. Browser based add-on experience The add-on introduces a unified interaction model: analysts select an option from a numeric menu (1–10), enter the required value, and are immediately redirected to the corresponding entity page with full details provided. Why It Matters Faster Investigations: Analysts pivot directly to the relevant entity page, reducing navigation time by up to 60%. Consistent Workflows: Standardized entry points minimize errors and improve collaboration across tiers. No Integration Overhead: The solution uses existing Defender and Purview URLs, avoiding complex API dependencies. Less complex for the user who is not familiar with Microsoft Defender/Purview Portal. Measuring Impact Track improvements in: Navigation Time per Pivot MTTD and MTTR Analyst Satisfaction Scores Deployment and Setup Process: Here’s a step-by-step guide for importing the agent that was built via Microsoft Copilot Studio solution into another tenant and publishing it afterward: Attached a direct download sample link, click here ✅ Part 1: Importing the Agent Solution into Another Tenant Important Notes: Knowledge base files and authentication settings do not transfer automatically. You’ll need to reconfigure them manually. Actions and connectors may need to be re-authenticated in the new environment. ✅ Part 2: Publishing the Imported Agent Here’s a step-by-step guide to add your browser add-on solution in Microsoft Edge (or any modern browser): ✅ Step 1: Prepare and edit your add-on script Copy the entire JavaScript snippet you provided, starting with: javascript:(function(){ const choice = prompt( "Select an option to check the value in your Tenant:\n" + "1. IP Check\n" + "2. Machine ID Check\n" + "3. Incident ID Check\n" + "4. Domain-Base Alert (e.g. mail.google.com)\n" + "5. User (Identity Check)\n" + "6. Device Name Check\n" + "7. CVE Number Check\n" + "8. Threat Actor Name Check\n" + "9. DSPM for AI Sensitivity Info Type Search\n" + "10. Data and AI Security\n\n" + "Enter 1-10:" ); let url = ''; if (choice === '1') { const IP = prompt("Please enter the IP to investigate in Tenant:"); url = 'https://security.microsoft.com/ip/' + encodeURIComponent(IP) + '/'; } else if (choice === '2') { const Machine = prompt("Please enter the Device ID to investigate in Tenant:"); url = 'https://security.microsoft.com/machines/v2/' + encodeURIComponent(Machine) + '/'; } else if (choice === '3') { const IncidentID = prompt("Please enter the Incident ID to investigate in Tenant:"); url = 'https://security.microsoft.com/incident2/' + encodeURIComponent(IncidentID) + '/'; } else if (choice === '4') { const DomainSearch = prompt("Please enter the Domain to investigate in Tenant:"); url = 'https://security.microsoft.com/url?url=%27 + encodeURIComponent(DomainSearch); } else if (choice === %275%27) { const userValue = prompt("Please enter the value (AAD ID or Cloud ID) to investigate in Tenant:"); url = %27https://security.microsoft.com/user?aad=%27 + encodeURIComponent(userValue); } else if (choice === %276%27) { const deviceName = prompt("Please enter the Device Name to investigate in Tenant:"); url = %27https://security.microsoft.com/search/device?q=%27 + encodeURIComponent(deviceName); } else if (choice === %277%27) { const cveNumber = prompt("Enter the CVE ID | Example: CVE-2024-12345"); url = %27https://security.microsoft.com/intel-profiles/%27 + encodeURIComponent(cveNumber); } else if (choice === %278%27) { const threatActor = prompt("Please enter the Threat Actor Name to investigate in Tenant:"); url = %27https://security.microsoft.com/intel-explorer/search/data/summary?&query=%27 + encodeURIComponent(threatActor); } else if (choice === %279%27) { url = %27https://purview.microsoft.com/purviewforai/data%27; } else if (choice === %2710%27) { url = %27https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/AscInformationProtection'; } else { alert("Invalid selection. Please refresh and try again."); return; } if (!url) { alert("No URL generated."); return; } try { window.location.assign(url); } catch (e) { window.open(url, '_blank'); } })(); Make sure it’s all in one line (bookmarklets cannot have line breaks). If your code has line breaks, you can paste it into a text editor and remove them. ✅ Step 2: Open Edge Favorites Open Microsoft Edge. Click the Favorites icon (star with three lines) or press Ctrl + Shift + O. Click Add favorite (or right-click the favorites bar and choose Add page). ✅ Step 3: Add the Bookmark Name: Microsoft Cyber Dial URL: Paste the JavaScript code you copied (starting with javascript:). Click Save. ✅ Step 4: Enable the Favorites Bar (Optional) If you want quick access: Go to Settings → Appearance → Show favorites bar → Always (or Only on new tabs). ✅ Step 5: Test the Bookmarklet Navigate to any page (e.g., security.microsoft.com). Click Microsoft Cyber Dial from your favorites bar. A prompt menu should appear with options 1–10. Enter a number and follow the prompts. ⚠ Important Notes Some browsers block javascript: in bookmarks by default for security reasons. If it doesn’t work: Ensure JavaScript is enabled in your browser. Try running it from the favorites bar, not the address bar If you see encoding issues (like %27), replace them with proper quotes (' or "). Safeguard, monitor, protect, secure your agent: Using Microsoft Purview (DSPM for AI) https://purview.microsoft.com/purviewforai/ Step-by-Step: Using Purview DSPM for AI to Secure (Cyber Dial Custom Agent) Copilot Studio Agents: Prerequisites Ensure users have Microsoft 365 E5 Compliance and Copilot licenses. Enable Microsoft Purview Audit to capture Copilot interactions. Onboard devices to Microsoft Purview Endpoint DLP (via Intune, Group Policy, or Defender onboarding). Deploy the Microsoft Purview Compliance Extension for Edge/Chrome to monitor web-based AI interactions. Access DSPM for AI in Purview Portal Go to the https://compliance.microsoft.com. Navigate to Solutions > DSPM for AI. Discover AI Activity Use the DSPM for AI Hub to view analytics and insights into Copilot Studio agent activity. See which agents are accessing sensitive data, what prompts are being used, and which files are involved. Apply Data Classification and Sensitivity Labels Ensure all data sources used by your Copilot Studio agent are classified and labeled. Purview automatically surfaces the highest sensitivity label applied to sources used in agent responses. Set Up Data Loss Prevention (DLP) Policies Create DLP policies targeting Copilot Studio agents: Block agents from accessing or processing documents with specific sensitivity labels or information types. Prevent agents from using confidential data in AI responses. Configure Endpoint DLP rules to prevent copying or uploading sensitive data to third-party AI sites. Monitor and Audit AI Interactions All prompts and responses are captured in the unified audit log. Use Purview Audit solutions to search and manage records of activities performed by users and admins. Investigate risky interactions, oversharing, or unethical behavior in AI apps using built-in reports and analytics. Enforce Insider Risk and Communication Compliance Enable Insider Risk Management to detect and respond to risky user behavior. Use Communication Compliance policies to monitor for unethical or non-compliant interactions in Copilot Studio agents. Run Data Risk Assessments DSPM for AI automatically runs weekly risk assessments for top SharePoint sites. Supplement with custom assessments to identify, remediate, and monitor potential oversharing of data by Copilot Studio agents. Respond to Recommendations DSPM for AI provides actionable recommendations to mitigate data risks. Activate one-click policies to address detected issues, such as blocking risky AI usage or unethical behavior. Value Delivered Reduced Data Exposure: Prevents Copilot Studio agents from inadvertently leaking sensitive information. Continuous Compliance: Maintains regulatory alignment with frameworks like NIST AI RMF. Operational Efficiency: Centralizes governance, reducing manual overhead for security teams. Audit-Ready: Ensures all AI interactions are logged and searchable for investigations. Adaptive Protection: Responds dynamically to new risks as AI usage evolves. Example: Creating a DLP Policy in Microsoft Purview for Copilot Studio Agents In Purview, go to Solutions > Data Loss Prevention. Select Create Policy. Choose conditions (e.g., content contains sensitive info, activity is “Text sent to or shared with cloud AI app”). Apply to Copilot Studio agents as the data source. Enable content capture and set the policy mode to “Turn on.” Review and create the policy. Test by interacting with your Copilot Studio agent and reviewing activity in DSPM for AI’s Activity Explorer. ✅ Conclusion The Cyber Dial Agent combined with Microsoft Purview DSPM for AI creates a powerful synergy for modern security operations. While the Cyber Dial Agent accelerates investigations and reduces context switching, Purview DSPM ensures that every interaction remains compliant, secure, and auditable. Together, they help SOC and InfoSec teams achieve: Faster Response: Reduced MTTD and MTTR through streamlined navigation. Stronger Governance: AI guardrails that prevent data oversharing and enforce compliance. Operational Confidence: Centralized visibility and proactive risk mitigation for AI-driven workflows. In an era where AI is deeply integrated into security operations, these tools provide the agility and control needed to stay ahead of threats without compromising compliance. 📌 Guidance for Success Start step-by-step: Begin with a pilot group and a limited set of policies. Iterate Quickly: Use DSPM insights to refine your governance model. Educate Users: Provide short training on why these controls matter and how they protect both the organization and the user. Stay Current: Regularly review Microsoft Purview and Copilot Studio updates for new features and compliance enhancements. 🙌 Acknowledgments A special thank you to the following colleagues for their invaluable contributions to this blog post and the solution design: Zaid Al Tarifi – Security Architect, Customer Success Unit, for co-authoring and providing deep technical insights that shaped this solution. Safeena Begum Lepakshi – Principal PM Manager, Microsoft Purview Engineering Team, for her guidance on DSPM for AI capabilities and governance best practices. Renee Woods – Senior Product Manager, Customer Experience Engineering Team, for her expertise in aligning the solution with customer experience and operational excellence. Your collaboration and expertise made this guidance possible and impactful for our security community.
Cannot see Data Map and Unified Catalog in the free version of Microsoft Purview
Hey, I am trying to setup a data connection in the free version of Microsoft Purview. However, I cannot see the Data Map and Unified Catalog features. Is this the intended limitation of the free version? Or do I miss something?Microsoft deployment blueprint - Address oversharing concerns for your M365 Copilot deployment
Optimized deployment leverages advanced compliance and automation capabilities available in Microsoft 365 E5. This episode outlines how E5 customers can proactively secure data and enhance Copilot performance.Microsoft deployment blueprint - Address oversharing concerns for your M365 Copilot deployment
In regulated industries, internal oversharing can compromise data integrity and Copilot effectiveness. This episode defines what “Foundational” means for Microsoft 365 E3 customers and outlines actionable steps to mitigate oversharing risks during Copilot deployment.Purview Webinars
REGISTER FOR ALL WEBINARS HERE Upcoming Microsoft Purview Webinars JULY 15 (8:00 AM) Microsoft Purview | How to Improve Copilot Responses Using Microsoft Purview Data Lifecycle Management Join our non-technical webinar and hear the unique, real life case study of how a large global energy company successfully implemented Microsoft automated retention and deletion across the entire M365 landscape. You will learn how the company used Microsoft Purview Data Lifecyle Management to achieve a step up in information governance and retention management across a complex matrix organization. Paving the way for the safe introduction of Gen AI tools such as Microsoft Copilot. 2025 Past Recordings JUNE 10 Unlock the Power of Data Security Investigations with Microsoft Purview MAY 8 Data Security - Insider Threats: Are They Real? MAY 7 Data Security - What's New in DLP? MAY 6 What's New in MIP? APR 22 eDiscovery New User Experience and Retirement of Classic MAR 19 Unlocking the Power of Microsoft Purview for ChatGPT Enterprise MAR 18 Inheriting Sensitivity Labels from Shared Files to Teams Meetings MAR 12 Microsoft Purview AMA - Data Security, Compliance, and Governance JAN 8 Microsoft Purview AMA | Blog Post 📺 Subscribe to our Microsoft Security Community YouTube channel for ALL Microsoft Security webinar recordings, and more!
Scan fails
Hi together, I want to setup Purview for my company. I have setup the connection to the desired sources in Datamap and connection tests are successful as well for Fabric as for Azure-Components. But when I start a scan, following error appears after a few seconds: "Account is not in ready state. please check whether your account has been provision successfully and your subscription is enabled." Also the linkes site https://learn.microsoft.com/en-us/purview/troubleshoot-connections?wt.mc_id=mspurview_inproduct_learnmoreerrorlinks_troubleshootscanconnection_csadai does not help me, because I setup the sources as described. Anyone an idea or already solves this issue? Thanks in advance! Kind regards, Alex
