Microsoft Build (often shortened to MS Build) is an annual developer conference hosted by Microsoft. It’s designed primarily for software engineers, developers, IT professionals, and tech enthusiasts who build applications and services using Microsoft technologies.
Here is a complete review of the security updates collected from the MS Build “Book of News”. For each announcement it covers what it is all about, the current status (General Availability (GA) or Preview) and actions to consider. Feel free to share it.
1. Data-centric security & compliance for AI

| What was announced | Why it matters | Status / availability | Actions to consider |
| --- | --- | --- | --- |
| Microsoft Purview SDK – REST APIs + code samples to embed Purview’s classification, labeling and auditing directly into custom AI apps (prompts & responses). | Lets dev teams “shift-left” on compliance without re-inventing DLP or audit pipelines. | Preview | Add SDK calls as a middleware layer in your RAG or agent app. Map labels → policies early so prompts that hit “Highly Confidential” data are blocked. |
| Purview DSPM for AI across Azure AI Foundry workloads. | First Microsoft tool that surfaces prompt/response risk, harmful content and user risk scoring for any GenAI service you stand up in Azure. | Preview | Enable in the Foundry portal, route findings to existing Sentinel workbook. |
| Purview DSPM + Audit for Copilot Studio agents (B2C) | Gives compliance teams visibility into unauthenticated end-user chats with public-facing agents. | Preview | Turn on before shipping external-facing bots; set retention in Purview Audit. |
| DLP for Microsoft 365 Copilot agents | Extends label-based controls (announced 2024) from documents to agents themselves – stops users copy/pasting or grounding on restricted text. | GA late June (labels) / Preview (agent support) | Review sensitivity taxonomy; test agents against “Secret” docs to verify redaction. |
| Azure AI Foundry evaluation → Purview Compliance Manager | One-click export of risk assessments (bias, transparency, cyber) into Compliance Manager to satisfy EU AI Act Article 17 & DPIAs. | Preview | Pilot if you sell into regulated EU markets; add DPIA template to SDLC gate. |

2. Threat protection & posture management

| Capability | What it does | Why you care | Status |
| --- | --- | --- | --- |
| Defender for Cloud integration in Azure AI Foundry | Brings CNAPP findings and 15+ AI-specific detections (jailbreaks, data leakage, wallet abuse) into the Foundry portal. | Gives devs and SecOps a single view of misconfig + live attacks on GenAI services. | Preview – rolls out by June 2025. |

3. Identity & access for agents

| New feature | Details | Impact | Status |
| --- | --- | --- | --- |
| Microsoft Entra Agent ID | Issues a unique, first-class identity to every AI agent built in Copilot Studio or Azure AI Foundry; admins can list agents and audit their permissions. | Solves “agent sprawl” and enables per-agent Conditional Access, PIM, logging. | Preview |
| MCP Identity & Authorization spec (open standard) | Adds Entra-based auth flows to the Model Context Protocol; plus a public registry for MCP servers. | Establishes cross-vendor SSO & RBAC for agent-to-agent interactions – critical for zero-trust in multi-agent apps. | GA (community-driven) |

4. Browser & endpoint security

| Announcement | Security angle | Who benefits | Status |
| --- | --- | --- | --- |
| On-device AI APIs in Microsoft Edge (Prompt, Writing, upcoming Translator) | Models (Phi-4-mini) run locally – no data leaves the device for common AI tasks. | Regulated industries and privacy-sensitive workloads. | Dev trials in Edge Canary/Dev. |
| Web Content Filtering in Edge for Business | Category-based block lists (auto-updated) at no extra cost for schools & SMBs; works off-network. | Lightweight SWG alternative; closes a big gap for small orgs. | Preview – Intune-managed Windows 10/11. |

5. Platform security call-outs
- Windows – MCP on Windows: Microsoft emphasised security-by-design for exposing Windows system capabilities (file system, WSL, etc.) as MCP servers for local agents. Security model details in accompanying blog.
- Edge PDF translation & Copilot summarisation are productivity, not security features, so not covered here.
6. Strategic take-aways
- Purview becomes the policy plane for GenAI – treat it like your “SIEM for data”.
- Identity now extends to non-human agents – start including Agent ID objects in joiner-mover-leaver processes.
- Shift-left threat management – Defender’s CNAPP hooks land inside the dev portal; security teams should embed into build pipelines.
- On-device + web filtering show Microsoft pushing security to the edge layer, reducing cloud egress and third-party spend.
Next steps for security architects
- Spin up an Azure AI Foundry sandbox, enable Defender + Purview previews, and run a red-team jailbreak to see new detections in action.
- Register pilot agents with Entra Agent ID and test Conditional Access + audit logs.
- Map EU AI Act controls to the new Foundry-to-Purview compliance workflow if you operate in Europe.
- Evaluate Edge roll-out (incl. filtering) for education or branch scenarios where a full secure-web-gateway is overkill.
- Update your Secure Development Lifecycle checklists to require Purview SDK integration for any new AI micro-service.