Introducing Windows Ready Print and Modernized Driver Selection
Windows Ready Print: A clearer path to modern printing on Windows Printing on Windows is evolving. As printing environments modernize, customers and partners are asking for solutions that are reliable, secure, and easy to manage across today’s devices. To reflect this shift and make the value of our platform clearer, we are evolving the Modern Print Platform under a new name: Windows Ready Print. Windows Ready Print highlights what matters most: a streamlined, dependable printing experience built for modern Windows environments. It represents our commitment to simplifying printing, aligning modern standards, and delivering consistent, forward-looking experiences for users, IT admins, and partners. Driving the transition to Windows Ready Print with driver selection controls At the core of Windows Ready Print is a transition away from legacy, third party drive-based workflows toward modern, standards-based printing with IPP (Internet Printing Protocol) using the Windows inbox IPP printer driver. Starting in July 2026, new printer installations will default to Windows Ready Print where supported, enabling a simpler and more reliable setup experience. This change reduces the need for traditional driver management and lays the foundation for a more scalable and predictable print experience. However, we recognize that not all environments can move to Windows Ready Print immediately. To ensure a smooth and flexible transition, we are introducing the ability for users to configure Windows to install their printers using Windows Ready Print (if supported) or the OEM printer driver during installation. You can find this setting under Settings > Bluetooth & Devices > Printers & Scanners > Default install printer using Windows Ready Print. This feature enables users and IT admins to control how Windows selects drivers when installing printers: When “Default install printers using Windows Ready Print” is enabled, Windows Ready Print installation is preferred When “Default install printers using Windows Ready Print” is disabled, default driver selection is used The configuration applies to new printer installations only, without affecting existing devices. To enable/disable this feature via group policy, go to: Launch Group Policy Editor Navigate to Local Computer Policy -> Administrative Templates -> Printers Find and select 'Configure Windows Ready Print driver ranking' -> double click to open it Select 'Enabled' (if you wish to enable Windows Ready Print driver selection) or 'Disabled' (if you wish to explicitly disable Windows Ready Print driver selection). Select Apply Select OK How driver selection configuration works with Windows protected print mode When you enable "Default install printers using Windows Ready Print”, new printer installations will default to Windows inbox IPP printer driver when supported. When you enable Windows protected print mode, printers are exclusively installed with Windows Ready Print. Devices that do not support Windows Ready Print cannot be installed. Note: When you’ve enabled Windows protected print mode, you cannot disable "Default install printers using Windows Ready Print".
did the Jun 9 Security Update remove trusted (amazon) certs?
We have a product that runs on Windows and uses AWS IoT to connect and transmit info. We noticed yesterday that many - roughly 2/3 of our fleet went silent - no connections. We have some of our own PCs that experienced this as well. Investigation yielded issues with TLS. The client (which is just using the default windows cert checking) actively terminated the connected. It didn't like the cert from the AWS IoT endpoint. All of these PCs were happily connected on Jun 8. Investigation seemed to indicate that some combination of Amazon Root CA (1-4) and some Starfield certs were not in the device cert mgr. Also - when we manually added AmazonRootCA1.pem to the cert mgr, our service connected again. So the evidence seems to strongly support that the security update removed trusted amazon root certs from the cert store. I'm guessing some/many won't notice since they are making regular TCP connections and maybe the certs get auto-added if they are not there? But we are doing MQTT over the AWS port 8883. So perhaps Windows did not detect this and seek to refresh its cert store? Can anyone confirm if they have seen the same?How can you stay competitive and relevant in an AI-Driven World?
In a world where AI tools evolve weekly and yesterday's skills can feel obsolete overnight, this blog offers a grounded, human-first guide for cloud and technology professionals who want to stay ahead not by chasing every trend, but by building the right foundations. Across six core themes, the post walks readers through understanding what AI truly changes in the workplace, committing to deliberate and structured learning through platforms like Microsoft Learn, getting hands-on with real Azure AI projects beyond just certifications, and doubling down on the human skills critical thinking, communication, and ethical judgment that AI simply cannot replicate. The blog also makes the case for community and network as a long-term career asset, and closes with a call to develop an AI mindset rooted in curiosity, adaptability, and a willingness to experiment and share openly. Whether you're a cloud architect, a security professional preparing for AZ-500 or SC-200, or simply someone navigating what this AI shift means for your career this post is written for you. Key Takeaways for Readers: Understand AI's real impact · Build a deliberate learning habit · Go hands-on with Azure AI tools · Strengthen human skills · Invest in community · Cultivate an AI-first mindset
Strengthening Cybersecurity for Education‑Focused Nonprofits and Education Institutions
Cybersecurity is one of the most urgent priorities facing education‑focused nonprofits and education institutions today. Whether you’re a nonprofit delivering tutoring, literacy, STEM, or adult learning programs — or a school, district, or learning organization — you’re managing growing threat complexity with lean IT teams, rising ransomware risk, and sensitive learner and staff data to protect. Leaders across the education ecosystem need practical strategies that strengthen security without slowing down their mission. The Microsoft Elevate Education team is bringing you two powerful Signature Series webinars this spring to help education‑focused nonprofits and education institutions strengthen their cybersecurity posture from the inside out. Pick the topic and time that fits your day — or register for both. Webinar 1 | May 19, 2026 Preventing the Next Organization‑Wide Incident: Identity, Access, and Ransomware for Education‑Focused Nonprofits & Education Institutions Choose your session: 8:00 – 9:00 AM PT: https://msevents.microsoft.com/event?id=2868688952 4:00 – 5:00 PM PT: https://msevents.microsoft.com/event?id=1182185119 Webinar 2 | June 23, 2026 Self-Healing Security for Education‑Serving Organizations: Automated Investigation & Response with Microsoft Defender XDR Choose your session: 8:00 – 9:00 AM PT: https://msevents.microsoft.com/event?id=237608052 4:00 – 5:00 PM PT: https://msevents.microsoft.com/event?id=2738526889 Across both sessions, you'll learn how to: Reduce risk from over‑permissioned admin accounts and always‑on access Limit your organization’s blast radius through modern identity segmentation and access controls Automate threat investigation and response to contain incidents faster — even with a lean team Manage and approve remediation actions through a unified Action center Strengthen ransomware readiness using tools many organizations already own How This Benefits Education‑Focused Nonprofits Education‑focused nonprofits and education institutions face many of the same cybersecurity pressures — rising ransomware activity, increasingly sophisticated identity attacks, and the responsibility to protect sensitive learner, staff, and organizational data — often with limited resources and little room for disruption. These sessions tell the full cybersecurity story for organizations that teach, support, and deliver education: securing who has access and automating how you respond when threats occur. Together, they help nonprofits and education institutions move toward containment‑ready, resilient security operations that protect staff, volunteers, and the learners they serve. We hope to see you there. Microsoft Elevate EDU
March update: What’s new in Security for partners
Navigate to News and Announcements, Incentives and Offers, Skilling and Events, Go-To-Market, Customer Success News and Announcements Introducing Microsoft 365 E7: The Frontier Suite— The challenge isn’t building AI agents—it’s operating them securely at scale. Microsoft 365 E7 unifies M365 E5, Entra Suite, Copilot, and Agent 365, creating new partner opportunities across deployment, governance, and optimization. Join the Agent 365 AMA on March 18 and the Digital Partner Airlift for SI and CSP partners on March 31 to learn more. Microsoft is launching “Cyber Pulse,” a new Microsoft Security thought leadership series, starting with Issue 1: An AI Security Report. The report provides business and security leaders with practical insights and guidance on emerging AI security risks, with a focus on the rapid rise of AI agents and the urgent need for observability, governance, and Zero Trust security to manage them safely at scale. New small and medium-sized businesses (SMB)-focused customer pages are now available for Microsoft Purview Suite for Business Premium and Microsoft Defender Suite for Business Premium—making it easier for partners to articulate the value of integrated data protection, compliance, and threat protection on Microsoft 365 Business Premium. Unlock new attach and renewal revenue with Microsoft Defender Suite for Business Premium and Microsoft Purview Suite for Business Premium, now available as attach SKUs for Microsoft 365 Business Premium and fully integrated into the Security Business Case Builder (BCB). Start quantified, value-based security conversations. To support high-volume deals and reduce friction, we’re increasing the maximum license cap for eligible Cloud Solution Provider (CSP) promotions from 2,400 to 9,999 licenses. This update simplifies large transactions, aligns guidance across Core, Security, and Copilot, and can accelerate upsell momentum. Experience the new Partner Marketing Center Pro, which supports the activation of ready-to-use Microsoft campaigns and assets as well as customization and launch of demand generation with AI. Partners can now unlock new revenue opportunities by building Security Copilot agents and publishing them in the Microsoft Security Store. Agents published in the store are discoverable within Security Copilot and Microsoft Security products—empowering partners to reach new customers, expand solution visibility, and deliver differentiated, AI-powered security outcomes. Check out the Quick Start Development Toolkit for detailed guidance on developing your Security Copilot agent. Microsoft Sentinel Accelerator updates: Beginning March 1, 2026, Microsoft Sentinel Accelerator has increased payments (up to $60,000 1 ) and shifted from a daily ingestion model to a monthly usage model. The qualification, activation, and stabilization criteria are also updated. Partners will now qualify customers using 0–1,500 GB/month usage, earn activation at 1,500 GB/month, and receive increased activation and stabilization payment amounts designed to provide a more predictable and growth-aligned incentive experience. Download the latest IncentivesGuide for details. Security Immersion Briefings for Threat Protection and Data Security include updated delivery guidance, refreshed resources, and new briefing kits for Microsoft Defender Suite and Microsoft Purview Suite for Business Premium. The Advanced Security for Business Premium Immersion Briefing is not a standalone engagement and must be nominated through a Threat Protection or Data Security Immersion Briefing. Briefings now include localized, ready-to-use content in multiple languages, empowering partners to deliver high-value security sessions that showcase Microsoft data protection capabilities and accelerate customer intent. Incentives and Offers Microsoft Partner investments community calls Join us for interactive discussions about the latest updates in Security partner investments. These events begin with a presentation from Microsoft partner investments experts, followed by audience Q&A. Current promotions and offers related to security and compliance Strengthen data security for Copilot at lower cost: Microsoft Purview Suite for Microsoft 365 Copilot customers is now available at 50% off, so enterprise organizations can reduce costs and strengthen data security through June 30, 2026. Microsoft 365 E3, E5, Defender Suite, and Purview Suite promotions: Transition customers from on-premises solutions or upgrade from Office 365 with 10% discount promotions for new-to-E3 or new-to-E5 customers or Defender and Purview Suites on CSP three-year subscription terms through June 30, 2026. Accelerate with Microsoft 365 E5 promotion: CSP authorized partners can offer new Microsoft 365 E5 customers 15% off with this promotion, which has been extended through June 30, 2026. Microsoft Sentinel 50GB promotion: Customers can now purchase a 50GB commitment tier for Sentinel with promotional pricing through March 31, 2026. Microsoft Sentinel pre-purchase plan (P3): Get Sentinel pre-commit units (CUs) at a discounted rate and save 44% when you buy a 5K CUs plan for Sentinel. Microsoft Purview Suite for Business Premium: Customers who have licensed Business Premium with Microsoft 365 Copilot Business or Microsoft 365 Copilot qualify for 50% off enhanced data protection on Purview Suite for Business Premium. This is a limited-time offer available until March 31, 2026. Security Envisioning Workshops: The Security Portfolio Performance Measure has been adjusted from 33% to 15%, lowering the baseline requirement for partner eligibility; earning cap extension criteria remain unchanged. Skilling and Events Visit the Skilling Resources page to discover the latest security skilling event calendars, playbooks, and updates, plus register for training sessions that match your business needs. For a full view of the events calendar, download the Partner Skilling Calendar on the above Skilling Resources page. For all your skilling questions, contact AskSkilling. Upcoming Security events Join the Advanced Security Growth Engine community call on March 25, 2026: Discover the latest momentum in Microsoft Security and learn how partners can accelerate growth using ASPX (AI Business Solutions & Security Insights)—our data-driven targeting platform to identify the right customers, drive adoption, and deliver measurable results. Get practical insights to sharpen your go-to-market strategy and strengthen your security business. Register now: 8:00 AM–9:00 AM Pacific Time (Americas/EMEA), 7:00 PM–8:00 PM Pacific Time (Asia) Protect Cloud, AI Platform, and Apps by Implementing Microsoft Defender for Cloud - March 10–12 (IST, GMT, PST) Implement Identity and Access Management with Microsoft Entra - March 30–April 2 (IST, BST, PST) Level Up CSP: Win with Microsoft Security (Americas, EMEA, Asia) - March 18 or March 19 (PDT, IST) Upcoming: Security Certification Weeks Being Credential Ready matters. Certifications build credibility, support Solutions Partner designations, and enable Project Ready and Sales & Tech Deal Ready skilling. Certification Weeks for Microsoft AI Cloud Partner Program offer regionally delivered, live instructor-led training—now including new Pre-sales and Sales tracks—with labs, exam prep, and expert support. Cloud & AI Platforms + Security Certification Weeks April 13–17 (Asia - English, Japanese, Korean), April 13–17 (EMEA - Spanish), April 13–17 (Americas - Portuguese), April 20–24 (EMEA - German, Italian), April 20–24 (Americas - Spanish) For on-demand certification prep, visit Certification Prep On-Demand – LevelUp. Access self-paced Microsoft certification training available in English and nine local languages, along with hands-on labs and exam preparation resources to build practical skills and prepare for certification. Microsoft Security partners are invited to kick off RSAC 2026 early at the Microsoft Security Pre-Day on Sunday, March 22, featuring executive insights on AI-driven threats, emerging trends, and the future of security, plus exclusive networking, a keynote, and an evening reception. In addition, on March 23, join our Security Reborn in the Era of AI workshop for actionable guidance for building your Security Copilot agent and publishing it on the new Microsoft Security Store. Join us on March 31 for The Agentic System of Work: Discover how Copilot, Agents, and Agent 365 are shaping the next evolution of work. In this March 31 webcast, Microsoft experts will walk partners through the Agentic System of Work and what it means for driving customer value at scale. Tailored sessions are available for both SI and CSP partners, with clear guidance on how to get started and where to engage next. Register today for the session built for you. Empower your customers with the value of Microsoft Security by attending Level Up CSP: Attendees can expect to gain clarity on Microsoft Security licensing, explore Microsoft Defender and Microsoft Purview Suites, tap into go-to-market resources and skilling paths, stay current on promotions and incentives, and get actionable insights directly from Microsoft Security sales experts during live Q&A. Register now. Threat Protection and Incident Response with Microsoft Sentinel within Unified Platform: Learn how to implement end-to-end threat protection and incident response using the new unified Microsoft Defender portal. This course equips technical teams to deploy, investigate, automate, and integrate Microsoft Sentinel with the Microsoft Security suite—using a single, streamlined SecOps experience enhanced by AI, UEBA, SOAR, and Security Copilot. Please note that accessing on-demand content does not meet the criteria for earning a badge. Sign in to view the on-demand version now. Go-To-Market Discover the full portfolio of Microsoft Security Campaign in a Box assets designed to protect customers across security operations, cloud and AI platforms, data, and Microsoft 365 Copilot. These campaigns equip you with partner-ready messaging, assets, and guidance to address modern security threats, improve visibility and compliance, and deliver unified, AI-powered protection across customers of all sizes. Explore all available Security campaigns on Partner Marketing Center and choose the ones that best align to your customer needs. We are excited to announce the availability of an expanded library of compliance assets for partners that’s designed to help articulate differentiated Microsoft capabilities in compliance, security, and risk management, as well as to address customer concerns with confidence. These assets cover a broad range of topics, including security assessments, regulatory readiness, data governance, risk management, and AI compliance. Learn more below: Data Security Modern SecOps with Unified Platform Protect Cloud, AI Platforms, and Apps Advanced Identity Security Copilot Customer Success Allegis Group offers a useful example of what secure and practical AI adoption can look like in action. As they modernized operations and scaled AI, they paired Microsoft 365 Copilot and Azure AI Services with governance and security capabilities, including Microsoft Purview and Microsoft Sentinel. That combination empowered the organization to pursue productivity gains while also addressing compliance requirements and employee concerns about AI adoption. Submit your partner success story to showcase your impact, highlight your expertise, and demonstrate the measurable success you’re delivering to customers. Go to the Partner Success story submission form to get started. Follow the tag Security partner news to stay updated on monthly Security partner news.The Agent Era Has Already Arrived in Healthcare. Are You Ready to Govern It?
Start here. Answer honestly. Right now, how many AI agents are running inside your organization? Who built them? Which patient data, claims information, or proprietary research are they configured to access? If your CISO walked into your office tomorrow and asked for a complete inventory of every agent in your enterprise, including each one's owner, the systems it is permitted to access, and the policies that govern how it operates, could you produce that inventory before lunch? When the analyst who built that clinical summarization agent moves to a new role next quarter, what happens to the agent? Does its access continue? Does anyone notice? If a regulator opened an audit tomorrow, could you prove that every AI agent operating in your environment is subject to the same lifecycle controls, identity standards, and data protection policies you apply to your human workforce? Could you disable a compromised agent enterprise-wide with a single click, the same way you would revoke a lost access credential? If those questions made you hesitate, you are not alone. Almost no healthcare or life sciences organization can answer them confidently today. And that gap is exactly where the next decade of risk, and the next decade of competitive advantage, will be decided. The quiet crisis nobody talks about yet Healthcare and life sciences leaders are caught in a paradox. You need AI to survive the operational pressures squeezing your organization from every direction. Physician burnout is at crisis levels, with 45.2% of US physicians reporting symptoms in recent Mayo Clinic research. Revenue cycle complexity continues to climb, and McKinsey now estimates that the cost to collect consumes 30 to 60 percent of net patient revenue at many provider organizations. Prior authorization backlogs delay care. Clinical trial timelines stretch into years. Documentation burden eats hours that belong to patients. So you started piloting Microsoft 365 Copilot. You experimented with agents in Copilot Studio. Maybe a clinical team built an agent to draft discharge summaries. A revenue cycle group spun up an agent to triage denials. A medical affairs team built one to comb through literature. Each one delivered value. Each one was approved on its own merits. And then a quiet thing happened. You lost track of how many agents you have. According to KPMG's AI Quarterly Pulse Survey, 88 percent of organizations are now exploring or piloting AI agents. IDC projects that 1.3 billion agents will be in operation by 2028. Inside your own walls, the number is climbing fast. Each new agent is a digital identity that authenticates into your environment, accesses your data, and executes work on behalf of your business. Most have no formal owner. Most have no documented access scope. Most have no decommissioning plan. Most have never been reviewed by Compliance. Microsoft's 2024 Data Security Index found that 84 percent of organizations lack confidence in their AI data security posture, and 40 percent have already experienced an AI related data security incident. That is not a future problem. That is a now problem. If shadow IT was the defining governance challenge of the last decade, agent sprawl is the defining challenge of this one. And in healthcare and life sciences, where ePHI, member PII, and proprietary clinical trial data are at stake, the consequences are not theoretical. They are existential. The reframe that changes everything Here is the counterintuitive truth that separates HLS organizations that scale AI from those stuck in pilot purgatory. Governance is not the brake on AI adoption. Governance is the accelerator. When security, identity, and agent oversight are engineered in from day one, your teams stop tiptoeing. They build with confidence because the guardrails are real. They expand into clinical use cases because Compliance trusts the foundation. They scale wall-to-wall because IT can prove every agent is accounted for. The organizations that lead with trust end up moving faster in the long run, not slower. This is the bet behind Microsoft Agent 365 and Microsoft 365 E7. What Agent 365 and Microsoft 365 E7 actually are Microsoft 365 E7, announced March 6, 2026 and now generally available, is the Frontier Suite. It is Microsoft's answer to a single question that every healthcare CIO, CISO, and COO is wrestling with: how do you run AI safely, at scale, across an entire organization? E7 is not another SKU on top of your existing stack. It is one cohesive platform that brings together four essential capabilities: Microsoft 365 E5 for your enterprise productivity, collaboration, and security foundation, including Microsoft Defender, Microsoft Purview, and Microsoft Intune. Microsoft 365 Copilot for AI grounded in your organizational data through Work IQ, embedded in the flow of work for clinicians, researchers, operations teams, and administrators. Microsoft Entra Suite for identity governance, Conditional Access, and Zero Trust network access, extended consistently across users, applications, and AI agents. Microsoft Agent 365 as the centralized control plane to observe, govern, and secure every AI agent, whether built by Microsoft, your internal teams, or external partners. Agent 365 is also available as a standalone capability. But the magic happens when it works alongside the rest of E7, because that is where AI, identity, security, and governance stop being separate disciplines and become one operating system for the agentic era. The mental model that unlocks everything: agents are first-class digital identities Here is the simplest way to understand what Agent 365 does. Microsoft 365 governs your enterprise identities. Agent 365 governs your agent identities. The same control plane disciplines apply to both. Think about the rigor you apply to any privileged identity in your environment, whether a service account, an API integration, or a third-party application connector. You issue it a unique identity in Microsoft Entra. You assign a human owner who is accountable. You scope its access to least privilege. You apply DLP, sensitivity labels, and Conditional Access. You monitor for anomalous behavior. You have a documented decommissioning path. Identities that no one watches over become identities that get exploited. Now ask yourself how the last AI agent in your environment was created. The honest answer at most organizations: someone opened Copilot Studio, pointed it at a SharePoint library of clinical protocols, gave it a name, and moved on. No documented owner. No access review. No retirement plan. Compliance was never consulted. You would never stand up a privileged service account that way. Yet that is exactly how most organizations are standing up the fastest-growing class of digital identities in their environment. Agent 365 closes that gap by extending the identity, security, and lifecycle controls you already trust for users and applications so they apply with the same rigor to AI agents. Every agent receives a unique Entra Agent ID, a first-class identity in Azure AD with the same governance primitives as any other privileged identity. Every agent has a designated human owner who is accountable for its scope and behavior. Access is granted explicitly through Conditional Access and policy templates, so each agent operates only against the resources its purpose requires. Microsoft Purview DLP and sensitivity labels govern which data the agent is permitted to read, generate, or share. Microsoft Defender monitors agent activity for anomalies and surfaces alerts the same way it does for any other identity-driven risk. Lifecycle rules flag or auto-retire agents that are dormant, orphaned, or risky, eliminating the unowned automations that quietly accumulate in every enterprise. This is not metaphor. It is the actual architecture. The fastest path to governing agents is to extend the identity infrastructure you already trust. The three pillars of Agent 365: Observe, Govern, Secure Pillar 1: Observe. Know what is actually happening. You cannot govern what you cannot see. The first job of Agent 365 is to give you complete, continuous visibility into every AI agent operating in your environment. The Agent Registry is the single authoritative inventory of every agent, whether built by Microsoft, custom developed by your team, deployed by a partner, or discovered as a shadow agent operating without oversight. Each entry shows the owner, purpose, capabilities, lifecycle status, and business context. Agent Analytics tracks adoption, quality, performance, and business impact. Agent Map visualizes how agents connect with other agents, people, tools, and data sources, surfacing dependencies and risk concentrations you would never spot in a spreadsheet. Real time monitoring flows directly into Microsoft Defender, so unusual agent behavior generates alerts the same way unusual user behavior does today. For a health system CISO, that means finally being able to answer the question: which agents are touching ePHI, and is every one of them authorized? For a life sciences compliance officer, it means audit ready visibility into every AI system operating across R&D, regulatory affairs, and commercial. For a payer operations leader, it means knowing which claims processing agents are actually delivering accuracy and throughput, and which are quietly underperforming. Pillar 2: Govern. Set the rules. Control the lifecycle. Visibility is the start. Control is what turns visibility into outcomes. Agent 365 ensures that every agent is approved, compliant, and accountable from creation through retirement. IT led onboarding workflows make sure each agent launches with the right identity, access, and ownership before it ever touches data. Policy templates enforce data handling, permission, and usage rules consistently from day one through Defender, Entra, and Purview. Rules based agent management gives admins an automated If This Then That interface. If an agent is unused for 90 days, auto retire it. If an agent is flagged as risky, block it and alert the security operations team. No human in the loop required for the routine cases, full alerting and override for the exceptions. Ownership enforcement requires every agent to have a designated human owner. When that owner leaves the organization, the platform flags the orphaned agent for bulk reassignment, so nothing operates without clear accountability. The Tools Gateway brokers and audits tool access for agents, enabling least privilege at the action level, not just the identity level. For HLS specifically, that translates to outcomes you can take to your board. A hospital CIO can ensure any agent touching Epic or Cerner goes through standardized approval. A pharma IT director can enforce that clinical trial matching agents only touch de identified data unless elevated permissions are explicitly granted and documented. A payer compliance team can automatically retire agents tied to a completed open enrollment campaign instead of letting them silently expand the attack surface. Pillar 3: Secure. Protect agents and data with the stack you already trust. The final pillar is what makes Agent 365 production grade for healthcare and life sciences. Security and compliance are not bolted on. They are the same proven Microsoft security stack you already run for your users, extended natively to agents. Microsoft Purview, your data security and compliance backbone: Data Security Posture Management for AI gives visibility into how agents interact with sensitive data and detects risky usage patterns. Data Loss Prevention stops agents from accessing or processing files labeled Highly Confidential, even when a user prompts them to. Sensitivity labels are inherited automatically by agent outputs, governing how data is viewed, extracted, or shared downstream. Insider Risk Management detects risky behavior by users interacting with agents, such as unusual prompt patterns or excessive access to sensitive data. Communication Compliance monitors AI driven interactions for regulatory or ethical violations and unauthorized disclosures. eDiscovery and Audit logs every agent interaction, giving legal, compliance, and IT teams the transparency required for HIPAA, GDPR, and FDA 21 CFR Part 11. Oversharing Assessments run weekly checks for sensitive data exposure across SharePoint sites and agent access patterns. Microsoft Entra, your identity control plane: Entra Agent ID gives every agent a unique identity in Azure AD, so Conditional Access, role based access, and risk based policies apply individually. Conditional Access for agents enforces policies like only allow this prior authorization agent to access claims data from approved devices and locations during business hours. Identity Governance provides access packages for agents with reduced scope permissions and least privilege defaults. Block at Scale lets you instantly disable all high-risk agents from Entra in a single action. Microsoft Defender, your threat protection layer: Security Posture Management identifies and remediates agent misconfigurations, such as agents running with no authentication. Threat Detection and Blocking monitors suspicious agent activity, generates alerts, and blocks unauthorized tool invocations. Threat Investigation and Hunting collects unified agent observability logs so SOC teams can forensically trace every action an agent took. One Click Kill Switch instantly disables any agent and surfaces the complete audit trail of every action it took before being stopped. For a hospital security operations team, that means the same DLP policies protecting patient records in email and Teams now protect agents that summarize clinical notes. For a life sciences data protection officer, it means agents accessing proprietary compound data respect the same sensitivity labels as human researchers. For a payer CISO, it means an anomalous claims agent can be killed in seconds, with a complete forensic record of every member record it touched. Why this only works as an integrated platform Individual capabilities are useful. Integration is what makes them transformative. Here is the contrast HLS leaders feel today versus what changes the moment E7 lights up. Without an integrated platform, you operate with: Fragmented tools for identity, security, compliance, and AI, each with its own console and its own gaps. No centralized agent inventory, forcing your IT and security teams to track bots and automations in spreadsheets. Inconsistent policy enforcement across agents, creating compliance gaps every audit team will eventually find. Blind spots where agents access data, invoke tools, or interact with other agents without any oversight. Manual triage when an incident hits, because nothing connects user identity, agent identity, and data classification in one view. With Microsoft 365 E7, you gain: A Unified Agent Registry providing a single source of truth for every agent, whether Microsoft built, custom developed, partner deployed, or shadow discovered. Entra Agent ID giving each agent a unique identity, so Conditional Access, role based access, and risk based policies apply at the individual agent level. Full lifecycle governance with standardized onboarding, periodic review, ownership transfers, auto retirement of dormant agents, and structured offboarding. Policy by design, where Purview DLP, sensitivity labels, and compliance rules extend to all agent interactions through pre built templates applied consistently from day one. One click disable to instantly freeze any agent, with Defender threat detection extended to agents and full audit trails for forensic investigation. Expanded threat coverage that addresses agent sprawl, overprivileged access, tool misuse, misconfiguration, and inter agent risk patterns no legacy tool was designed to see. Shared registry and controls that let IT, Security, and Compliance reference the same authoritative inventory across Defender, Entra, and Purview, eliminating the silos that slow incident response. This is the reason E7 exists as a platform, not a bundle. AI, identity, security, and governance stop being separate disciplines and start operating as one system. What this is actually worth: the Forrester numbers Microsoft commissioned Forrester to conduct a Total Economic Impact study of Microsoft 365 Copilot, published in March 2025. The composite organization in that study, modeled on real customer interviews, achieved: 132 percent three-year ROI with payback in under one year. 9 hours saved per Copilot user per month through automation of routine work like drafting, summarizing, and analysis. Up to 2.6 percent top line revenue lift through better qualified opportunities, improved win rates, and stronger retention in customer facing teams. 25 percent acceleration in new employee onboarding as new hires ramp faster on summarized institutional knowledge. Those are the verified numbers. The bigger story for HLS is what they look like when applied to clinical, claims, and research workflows where every reclaimed hour is an hour that goes back to patients, members, or science. AI is already defending AI The same agentic capabilities transforming clinical and operational workflows are now embedded in your security stack. Microsoft Security Copilot agents work alongside human analysts inside Defender, Entra, Purview, and Intune, accelerating threat response and absorbing the manual load that today drowns most security operations teams. Independent benchmarks back the impact. In a 162 admin randomized study published in 2025, the Conditional Access Optimization Agent in Microsoft Entra completed configuration tasks 43 percent faster and produced 48 percent more accurate Conditional Access policies than admins working without it. Security triage, alert investigation, and identity hygiene are following the same trajectory. For HLS security teams already stretched thin, that is hours reclaimed every week to focus on the threats that actually matter, with the same Agent 365 governance applying to the security agents themselves. The defenders are governed by the same rules as the workforce they defend. How HLS organizations are putting Agent 365 to work Here is how the value shows up across the three biggest HLS segments. For providers: reclaiming time for care The challenge: clinicians spend more time on documentation than on patients. Care coordination is fragmented. Burnout is gutting retention. The strategy: deploy agents that absorb administrative load while Agent 365 ensures every one of them respects ePHI boundaries. Clinical documentation agents integrated with Microsoft Dragon Copilot structure dictation against EHR requirements, apply billing codes, and flag missing elements before submission. Care coordination agents generate care plans, allocate tasks, and surface relevant patient context during multidisciplinary rounds, optimized for HL7 FHIR interoperability. Patient intake and scheduling agents built in Copilot Studio handle appointment booking, reminders, eligibility verification, and referral management. Handoff and shift summary agents pull from multiple systems to generate complete handoff summaries for nurses and physicians transitioning between shifts, reducing communication gaps that drive adverse events. The aha moment: applied across a 10,000 employee health system, nine hours per user per month is more than one million reclaimed hours a year. That is the equivalent of hundreds of full time clinicians, returned to direct patient care, with every agent governed under the same Conditional Access and DLP policies your IT team already manages today. For payers: transforming revenue cycle and member experience The challenge: prior auth backlogs delay care. Denial rates climb. Member services teams drown in volume. The strategy: agentic AI rewires the most expensive, most manual workflows in your operation while Agent 365 keeps every agent inside the lines on member PII. Prior authorization agents autonomously gather clinical documentation, cross reference medical policy, determine approval criteria, and route decisions, accelerating turnaround from days to hours. Claims processing agents automate billing and denial management. With cost to collect running 30 to 60 percent of net patient revenue at many organizations, even modest automation produces material margin recovery. Denial resolution and appeals agents analyze denial patterns, surface root causes, generate appeal documentation, and track success rates over time, turning a cost center into a continuous improvement engine. Member services agents integrated with Microsoft 365 Copilot Chat handle benefits inquiries, claims status, and self service triage, deflecting call volume and improving first contact resolution. Fraud detection and risk adjustment agents scan claims data for anomalies and optimize coding accuracy for Medicare Advantage and ACA populations. The aha moment: a payer CISO can disable an anomalous prior auth agent in one click and produce a complete forensic record of every member record it accessed, while Compliance simultaneously confirms the agent never violated DLP. That is regulatory readiness that legacy automation cannot deliver. For life sciences and pharma: accelerating discovery and commercialization The challenge: clinical trials take years. Regulatory submissions consume teams. Medical affairs cannot keep up with literature volume. The strategy: orchestrate agents across R&D, regulatory, medical, and commercial, with Agent 365 enforcing the data classification rules that proprietary IP and clinical data demand. Clinical trial matching agents scan patient profiles and eligibility criteria to surface trial opportunities, accelerating recruitment. Regulatory document preparation agents assemble submissions, cross reference data across modules, and ensure consistency in FDA, EMA, and global filings. Medical research and literature review agents powered by Microsoft GraphRAG retrieve research backed insights with verified source references, giving medical science liaisons trustworthy synthesis on demand. Pharmacovigilance agents monitor safety databases, flag potential adverse events, and generate timely case reports. Commercial insights and launch planning agents synthesize market data, payer policy, and HCP sentiment for sharper launch and field strategy. The aha moment: cutting even three months off a regulatory cycle on a single high revenue product can mean tens of millions in additional sales, while Purview sensitivity labels guarantee every agent accessing proprietary compound data respects the same data classification as your senior researchers. A phased path that actually works in regulated industries In regulated industries, a big bang AI rollout is a recipe for incidents. The HLS organizations getting this right are following a five-phase pattern that builds expertise and validates governance before scale. Establish. Form a cross-functional champion team across IT, Compliance, Clinical Operations, and Research. Define what risks you are mitigating and what outcomes you are unlocking. Inventory the agents already in flight. Configure. Stand up identity, DLP, and policy templates in Microsoft 365 Admin Center, Power Platform Admin Center, and Microsoft Purview. Enforce that any agent handling PHI runs in a secure environment with audit logging on by default. Pilot. Choose a small group of makers in a controlled environment. Start with non-critical workflows like internal reporting or scheduling before moving to clinical or member facing use cases. Run weekly reviews with Compliance and Security. Empower. Launch role specific training for clinicians, researchers, makers, and IT. Stand up a Center of Excellence to provide templates, best practices, and reusable patterns. Promote success stories internally to build momentum. Scale. Expand agent development across departments with governance as a guardrail, not a gate. Use pay as you go metering to track usage and optimize licensing. Refine policies continuously based on Purview signals and audit results. The strategic insight: organizations that lead with governance reach scale faster than those that lead with experimentation. Trust is the unlock, not the obstacle. Governance is a team sport Here is the pattern we see again and again. The HLS organizations that succeed with AI at scale are not the ones with the smartest IT shop or the boldest Compliance officer. They are the ones whose IT, Security, Compliance, Clinical, Research, and Operations leaders sit at the same table on agent strategy from week one. Agent 365 was designed for that table. The Agent Registry is the shared truth. Purview policies satisfy your Compliance officer. Entra controls reassure your CISO. The lifecycle workflows give your CIO confidence. The clinical and research outcomes give your COO and Chief Medical Officer the business case. Everyone gets the view they need from the same single source. Stand up an agent governance council. Meet every two weeks. Use the Agent Registry as your standing agenda. Make decisions in plain sight. The organizations that do this consistently outperform on both speed and safety. The ones that try to keep AI inside a single function fall behind on both. Who contributes what Think back to the mental model. You would never let a single function authorize, configure, and oversee a new privileged system on its own, not when it touches ePHI, claims, or proprietary research. Security, IT, Compliance, Clinical, and the relevant business owner all weigh in because the stakes are too high for any one seat to carry alone. Agent governance demands the same multidisciplinary scrutiny, and the council is where that happens. Each seat brings something the others cannot. CIO. Owns the agent strategy and the platform investment. Translates board-level AI ambition into an operating model the rest of the organization can execute against. CISO and Security Operations. Define agent identity standards, Conditional Access policies, and incident response playbooks. Without this seat, an anomalous agent touching ePHI becomes a breach instead of a contained event. Chief Compliance Officer and Privacy. Translate HIPAA, GDPR, FDA 21 CFR Part 11, and state regulations into Purview policies and audit requirements. This is the seat that keeps you out of an OCR investigation or a 483 letter. Chief Medical Officer and Clinical Operations. Validate that clinical agents are safe, accurate, and aligned with care standards. Own the clinical risk review for any agent that touches patient care, the same way you would for a new clinical protocol. Chief Research Officer or Head of R&D. Govern how agents interact with proprietary trial data, compound libraries, and scientific IP. The seat that protects the next decade of pipeline value. COO and Revenue Cycle Leadership. Prioritize the operational workflows where agents will move the needle on cost to collect, denial rates, and throughput, and own the business outcomes that justify the investment. Center of Excellence Lead. Maintains templates, reusable patterns, and maker enablement. Turns every council decision into a guardrail builders can actually use the next morning. Frontline champions. Clinicians, claims specialists, and researchers who pilot, give feedback, and carry credibility back to their peers. The seat that decides whether agents get adopted or quietly ignored. When every one of these voices is in the room, your governance council operates like a tumor board for AI. Different lenses, one shared decision, full accountability. That is how regulated industries make complex calls safely, and it is exactly the muscle Agent 365 was built to support. Seven questions to bring to your next leadership meeting If you want to know whether your organization is ready, run through these together. The places you hesitate are exactly where Agent 365 and E7 deliver the most value. Visibility. Do you know which AI agents, bots, and automations are running in your environment today, who built them, what they have access to, and whether they are still needed? Control. If someone on your team builds a new AI agent tomorrow, what is the actual process to make sure it is approved and secured? Or could they deploy it with wide open access? Security. What prevents an AI agent from reading or transmitting patient data it should not? Do you have a way to detect and stop a rogue or compromised agent? Accountability. Who owns the outputs of an AI agent's actions? What is the offboarding process when the agent or its creator leaves? Scale. Six months from now, you may have a hundred agents deployed across departments. Are your oversight and compliance structures ready for that volume? Cross-functional alignment. How are your IT, Security, and Compliance teams partnering on AI today? Governance is a team sport. Data readiness. How confident are you that your data estate is clean, labeled, and governed well enough for AI to surface accurate answers and not outdated or conflicting information? If you hesitated on even one of those, you have just identified where Agent 365 and Microsoft 365 E7 will pay for themselves the fastest. The path forward Here is the honest truth. The healthcare and life sciences organizations that lead in the next decade will not be the ones that adopted AI first. They will be the ones that adopted AI safely, compliantly, and at scale, with intelligence and trust woven into every layer. Microsoft Agent 365 and Microsoft 365 E7 give you the only integrated platform that brings AI, identity, security, and governance into one cohesive system, running in the flow of work you already use. This is not about adding another tool to your stack. It is about extending the investments you have already made in Microsoft 365, Entra, Defender, and Purview to cover the fastest-growing class of digital identities in your environment. The agent era has already arrived. The question is whether you will govern it with confidence or chase it with anxiety. We would love to help you lead. Take the next step Explore Microsoft Agent 365: The Control Plane for Agents Microsoft Entra Agent ID: aka.ms/EntraAgentID Learn more about Microsoft 365 E7, the Frontier Suite: Introducing Microsoft 365 E7 See Microsoft 365 Copilot in action: Microsoft 365 Copilot Read the Forrester TEI study: The Total Economic Impact of Microsoft 365 CopilotSecuring and governing AI agents before deployment
April 30 | 2:00-3:00 PM (GTM +10) Join this live webinar to learn how to secure and govern AI agents before they go live. Explore how to provision agents with Entra Agent ID, manage identities and credentials, enforce least-privilege access, and prevent risks like Shadow AI and agent sprawl. Join to gain practical guidance on governing AI agents across their full lifecycle—so you can deploy with confidence. To view the session live, register here: Securing and Governing AI Agents Before They Go Live You can view previous Security for Software Development Company series sessions on demand here: Security for Software Development Company Series: Securing the Agentic EraBuilding an Auditable Security Layer for Agentic AI
Most agent failures do not look like breaches. They look like a normal chat, a normal answer, and a normal tool call. Until the next morning, when a single question collapses the whole story: who authorized that action. You think you deployed an agent. In reality, you deployed an unbounded automation pipeline that happens to speak English. I’m Hazem Ali — Microsoft AI MVP, Distinguished AI & ML Architect, Founder & CEO at Skytells. For over 20 years, I’ve built secure, scalable enterprise AI across cloud and edge, with a focus on agent security and sovereign, governed AI architectures. My work on these systems is widely referenced by practitioners across multiple regions. Hazem Ali honored to receive an official speaker invitation under the patronage of H.H. Sheikh Dr. Sultan bin Muhammad Al Qasimi, Member of the UAE Supreme Council and Ruler of Sharjah, to speak at the Sharjah International Conference on Linguistic Intelligence (SICLI), organized by the American University of Sharjah (AUS) and the Emirates Scholar Center for Research and Studies. This piece is a collaboration with Hammad Atta a Practice Lead – AI Security & Cloud Strategy and Dr. Yasir Mehmood , Dr Muhammad Zeeshan Baig, Dr. Muhammad Aatif, Dr. MUHAMMAD AZIZ UL HAQ. We align on one core idea: agent security is not about making the model behave. It is about building enforceable boundaries around the model and proving every privileged step. This article is meant to sit next to my earlier Tech Community piece, Zero-Trust Agent Architecture: How To Actually Secure Your Agents, and go one level deeper into the mechanics you can implement on Azure today. Let me break it down. The Principle: The model is not your boundary Let me break it down in the way I’d explain it in a design review. A boundary is something that still holds when the component on the other side is adversarial, confused, or simply wrong. An LLM is none of those reliably. In an agent, the model is not just a generator. It becomes a planner and scheduler. It decides when to retrieve, which tool to call, how to shape arguments, and when to loop. That means your real attack surface is not “bad output.” It is the control-flow graph the model is allowed to traverse. So if your “security” lives inside the prompt, you are putting policy in the same token stream the attacker can influence. That is not a boundary. That is a suggestion. The only stable design is to treat the model like an untrusted proposer and the runtime like the verifier. Here is the chain I use. Each gate is external to the model and survives manipulation. Context Gate: Everything that enters the model is treated as executable influence, not “text.” Capability Gate: Tools are invoked as constrained capabilities, not free-form function calls. Evidence Gate: Every privileged step produces a verifiable artifact, not a story. Retrieval Control Plane: What the agent can see is governed by labels and identity, not prompt etiquette. Detection Layer: Drift and probing become alerts, not surprises. Now the rare part, the part most people miss: the boundary is not “block or allow.” The boundary is stateful. Once the runtime sees a suspicious signal, the entire session must transition into a degraded capability state, and every downstream gate must enforce that state. 1. Treat context as executable influence, and preserve provenance If you do RAG, your documents are not “supporting info.” They are an input channel. That makes the biggest prompt-injection risk not the user. It is your documents. Microsoft’s Prompt Shields covers user prompt attacks (scanned at the user input intervention point) and document attacks (scanned at the user input and tool response intervention points). When enabled, each request returns annotation results with detected and filtered values that your runtime can translate into a policy decision: block, degrade, or allow. Provenance Collapse. Most teams concatenate prompt + policy + retrieved chunks into one blob. The moment you do that, you lose the one thing you need for a defensible boundary: you can no longer reliably tell which tokens came from where. That is how “context” becomes “authority.” For indirect/document attacks, Microsoft guidance recommends delimiting context documents inside the prompt using """<documents> ... </documents>""" to improve indirect attack detection. That delimiter is not formatting. It is a provenance marker that improves indirect attack detection through Prompt Shields. Minimal, practical pattern: // Provenance-preserving prompt construction for indirect/document attack detection function buildPrompt(system: string, user: string, retrievedDocs: string[]): string { const docs = retrievedDocs.map((d) => `- ${d}`).join("\n"); return [ system, "", `User: ${user}`, "", `""" <documents>\n${docs}\n</documents> """`, ].join("\n"); } Then treat Prompt Shields output as a session security event, not a banner: type RiskState = "NORMAL" | "SUSPECT" | "BLOCK"; type FilterPolicy = "BLOCK_ON_FILTERED" | "DEGRADE_ON_FILTERED"; function computeRiskState( shields: { detected: boolean; filtered?: boolean }, labels: string[], policy: FilterPolicy = "DEGRADE_ON_FILTERED", ): RiskState { // detected => hard stop if (shields.detected) return "BLOCK"; // filtered is an annotation signal: block or degrade by policy if (shields.filtered) { return policy === "BLOCK_ON_FILTERED" ? "BLOCK" : "SUSPECT"; } // example: sensitivity-based degradation independent of shield hits const sensitive = labels.some((l) => ["Confidential", "HighlyConfidential", "Regulated"].includes(l), ); return sensitive ? "SUSPECT" : "NORMAL"; } When the signal is clear, you block and log. When it is suspicious, you do not warn. You downgrade authority. QSAF Alignment: Prompt Injection Protection (Domain 1): QSAF-PI-001 (static pattern blacklist), QSAF-PI-002 (dynamic LLM analysis), QSAF-PI-003 (semantic embedding comparison) All addressed by Prompt Shields and provenance marking. Context Manipulation (Domain 2): QSAF-RC-004 (context drift), QSAF-RC-007 (nested prompt injection) – mitigated by stateful risk calculation. 2. Tools are capabilities with constraints, not functions When the model proposes a tool call, your runtime should re-derive what is allowed from identity plus risk state, then enforce it at the gateway. type ToolRequest = { tool: string; args: unknown; }; type Capabilities = { allowWrite: boolean; allowedTools: Set<string>; }; function deriveCapabilities(risk: RiskState, roles: string[]): Capabilities { const baseAllowed = new Set(["search_kb", "get_profile", "summarize"]); const isAdmin = roles.includes("Admin"); if (risk === "SUSPECT") { return { allowWrite: false, allowedTools: baseAllowed }; } if (risk === "BLOCK") { return { allowWrite: false, allowedTools: new Set() }; } // NORMAL const tools = new Set([ ...baseAllowed, ...(isAdmin ? ["update_record", "issue_refund"] : []), ]); return { allowWrite: isAdmin, allowedTools: tools }; } function authorizeTool(req: ToolRequest, caps: Capabilities): void { if (!caps.allowedTools.has(req.tool)) throw new Error("ToolNotAllowed"); if (!caps.allowWrite && req.tool.startsWith("update_")) { throw new Error("WriteDenied"); } } The model can ask. It cannot grant itself permission. QSAF Alignment: Plugin Abuse Monitoring (Domain 3): QSAF-PL-001 (whitelist enforcement), QSAF-PL-003 (restrict sensitive plugins), QSAF-PL-006 (rate‑limiting) – implemented via capability derivation and gateway policies. Behavioral Anomaly Detection (Domain 5): QSAF-BA-006 (plugin execution pattern deviance) – detected by comparing actual calls against derived capabilities. The Integrity Gate: Hash-chain the authority, not the output Let me add the part that makes investigations clean. Most teams treat integrity like an audit log problem. That is not enough. Logs explain. Integrity proves. The hard truth is that agent authority is assembled out of pieces: the system instruction, the user prompt, retrieved chunks, risk annotations, and finally the tool intent. If you do not bind those pieces together cryptographically, an incident review becomes a story-telling session. This is why QSAF has an entire domain for payload integrity and signing, including prompt hash signing, nonce or replay protection, and a hash chain lineage that tracks how a session evolved. Here is how you can map that into the runtime verifies. You build a canonical “authority envelope” for every privileged hop, compute a digest, and then: link it to the previous hop (hash chain) include a nonce (replay control) sign the digest with Azure Key Vault (Key Vault signs digests, it does not hash your content for you) import crypto from "crypto"; type AuthorityEnvelope = { sessionId: string; turnId: number; policyVersion: string; // provenance-preserved components systemHash: string; userHash: string; documentsHash: string; // hash of structured retrieved chunks (not just rendered text) shields: { detected: boolean; filtered: boolean; }; riskState: "NORMAL" | "SUSPECT" | "BLOCK"; // proposed action (if any) tool?: { name: string; argsHash: string; }; // anti-replay + lineage nonce: string; prevDigest?: string; ts: string; }; function sha256(bytes: string): string { return crypto.createHash("sha256").update(bytes).digest("hex"); } // Canonicalization matters. JSON.stringify is OK if you control key order. // For cross-language, use RFC 8785 (JCS) canonical JSON. function canonicalJson(x: unknown): string { return JSON.stringify(x); } function buildEnvelope( input: Omit<AuthorityEnvelope, "nonce" | "ts">, ): AuthorityEnvelope { return { ...input, nonce: crypto.randomUUID(), ts: new Date().toISOString(), }; } function digestEnvelope(env: AuthorityEnvelope): string { return sha256(canonicalJson(env)); } Then you call Key Vault to sign that digest (REST sign), and optionally verify later (REST verify). The rare failure mode this blocks is subtle: authority splicing. Without a hash chain, it is possible for the runtime to correctly validate a tool call, but later be unable to prove which retrieved chunk, which Prompt Shields result, and which policy version were in force when that call was authorized. With the chain, every privileged hop becomes tamper-evident. This is the point: Prompt Shields tells you “this looks dangerous.” Document delimiters preserve provenance. The integrity gate makes the runtime able to say, later, with evidence: “This is exactly what I accepted as authority.” QSAF Alignment: Payload Integrity & Signing (Domain 6): QSAF-PY-001 (prompt hash signing), QSAF-PY-005 (nonce/replay control), QSAF-PY-006 (hash chain lineage) – directly implemented via the envelope and chaining. Tools must sit behind a wall that can say “no” Tool calls are where language becomes authority. If an agent can call APIs that mutate state, your security story is not about the response text. It is about whether the tool call is allowed under explicit policy. This is exactly where Azure API Management belongs: as the tool gateway that enforces authentication and authorization before any tool request reaches your backend. The validate-jwt policy is the canonical enforcement mechanism for validating JWTs at the gateway. The design goal is simple: The model can request a tool call. The gateway decides if it is permitted. A capability token approach keeps it clean: <!-- APIM inbound policy sketch --> <validate-jwt header-name="Authorization" failed-validation-httpcode="401"> <required-claims> <claim name="scp"> <value>tools.read</value> </claim> </required-claims> </validate-jwt> The claim name (scp, roles, or custom claims) depends on your token issuer; the point is enforcing authorization at the gateway, not inside model text. Now you can enforce “read-only mode” by issuing tokens that simply do not carry write scopes. The model can try to call a write tool. It still gets denied by policy. Evidence is not logs. Evidence is a signed chain. Logs help you debug. Evidence helps you prove. So you hash the session envelope and the tool intent, then sign the digest using Azure Key Vault Keys. Key Vault sign creates a signature from a digest, and verify verifies a signature against a digest. Key Vault does not hash your content for you. Hash locally, then sign the digest.), and Key Vault documentation is explicit that signing is sign-hash, not “sign arbitrary content.” You hash locally, then ask Key Vault to sign the hash. import crypto from "crypto"; const sha256 = (x: unknown): string => crypto.createHash("sha256").update(JSON.stringify(x)).digest("hex"); type IntentEnvelope = { sessionId: string; userId: string; promptHash: string; documentsHash: string; tool: string; argsHash: string; nonce: string; ts: string; policyVersion: string; }; function buildIntent( sessionId: string, userId: string, prompt: string, docs: unknown, tool: string, args: unknown, policyVersion: string, ): IntentEnvelope { return { sessionId, userId, promptHash: sha256(prompt), documentsHash: sha256(docs), tool, argsHash: sha256(args), nonce: crypto.randomUUID(), ts: new Date().toISOString(), policyVersion, }; } Once you do this, your system stops “explaining.” It starts proving. Govern what the agent can see, not only what it can say RAG without governance eventually becomes a data exposure feature. This is why I treat retrieval as a governed operation. Microsoft Purview sensitivity labels give you a practical way to classify content and build retrieval rules on top of that classification. Microsoft documents creating and configuring sensitivity labels in Purview. The pattern is simple: Label the corpus. Filter retrieval by label and identity policy. Log label distribution per completion. Alert when a low-privilege identity retrieves high-sensitivity labels. This is how you keep sovereignty real. Not in a slide deck. In the retrieval path. Operate it like a security system: posture and detection Inline gates reduce risk. They do not eliminate it. Systems drift. People add tools. Policies get loosened. Attacks evolve. Microsoft Defender for Cloud’s Defender CSPM plan includes AI security posture management for generative AI apps and AI agents (Preview), including discovery/inventory of AI agents deployed with Azure AI Foundry. Then you use Microsoft Sentinel to turn your telemetry into incidents, with scheduled analytics rules. Your detections should match the gates you built: Repeated Prompt Shields detections from the same identity or session. Tool-call spikes after a suspicious document signal. APIM denials for write endpoints from sessions in read-only mode. High-sensitivity label retrieval by identities that should never touch that tier. QSAF Alignment: Behavioral Anomaly Detection (Domain 5): QSAF-BA-001 (session entropy), QSAF-BA-004 (repeated intent mutation), QSAF-BA-007 (unified risk score) – detected via Sentinel rules. Cross‑Environment Defense (Domain 9): QSAF-CE-006 (coordinated alert response) – using Sentinel incidents and playbooks. Where the reference checklist fits, quietly Behind the scenes, we use a control checklist lens to ensure we cover prompt/context attacks, tool misuse, integrity, governance, and operational monitoring. The point is not to rename Microsoft features into framework terms. The point is to make the system enforceable and auditable using Azure-native gates. Closing Zero trust for agents is not a slogan. It is a build. Prompt Shields gives you a front gate for both user prompt attacks and document attacks, with clear annotations like detected and filtered. API Management gives you a tool boundary that can say “no” regardless of what the model tries, using validate-jwt. Signed intent gives you evidence, using Key Vault’s sign-hash semantics. Purview labels give you governed retrieval. Sentinel and Defender give you an operating model, not wishful thinking. If you want the conceptual spine and the architectural principles that frame this pipeline, start with my earlier Tech Community pieces, then come back here and implement the gates. Thanks for reading — Hazem Ali
