Week 23 · 7 min read
June 1 – June 8, 2026
Act by
- 6 Jul 2026 — Conditional Access enforcement for the Register security information action extends to Windows Hello for Business provisioning and macOS Platform SSO registration, closing a long-standing gap where those flows were unenforced. The same week, an SSPR registration campaign begins. Test any CA policies scoped to registration flows in report-only mode before the rollout so device setup does not start failing for users who cannot satisfy the policy. (Microsoft Entra Blog)
- 7 Sep 2026 — Self-service password reset stops accepting authentication methods that were never explicitly registered. Directory-sourced phone numbers and email addresses will no longer work for SSPR — only registered methods. Drive users through the July registration campaign so they are not locked out of reset when this flips. (Microsoft Entra Blog)
- 30 Sep 2026 — Entra Custom controls retire (end of life May 2027). Third-party MFA integrations wired through Custom controls must move to External MFA to stay supported. Existing configs keep working through the transition, but start migration planning now. (Microsoft Entra Blog)
What changed
Microsoft extended Defender to secure AI agents running locally on managed Windows and macOS devices (public preview). Defender now discovers 20+ agent types — coding CLIs (Claude Code, GitHub Copilot CLI, Codex, Gemini), agentic IDE extensions (Cursor, Windsurf, Cline), desktop assistants, local runtimes like Ollama, and MCP servers — surfacing each as a first-class asset with user identity, process relationships, trust indicators, and risky settings such as "auto-approve." It adds inline runtime protection to block malicious agent behavior — including prompt-injection attempts against a coding agent before the malicious action executes (starting with Claude Code and GitHub Copilot CLI) — an exposure view across reachable identities and resources, and an Advanced Hunting surface for the activity. For a SOC this is the first real visibility into agents that previously ran as opaque OS processes yet can reach source code, secrets, SharePoint, and email through the user's identity. (Microsoft Defender XDR Blog)
At Build 2026 (June 2–3), Microsoft put its multi-model agentic scanning harness (codename MDASH) into an expanded preview and brought the native integration between Microsoft Defender and GitHub Code Security (the former GitHub Advanced Security suite) to general availability. MDASH orchestrates 100+ specialized AI agents across an ensemble of models to find, validate, and prove exploitability in code — Microsoft cites 96.55% on the CyberGym benchmark — and the Defender tie-in enriches those findings with production signal (internet exposure, data sensitivity), routes AI-assisted fixes through GitHub Copilot Autofix, and surfaces exploitable code risk in the same queue as endpoint and identity alerts. Relevant if your org is folding code-security findings into SOC triage rather than leaving them in a separate developer tool. (Microsoft Security Blog)
Also at Build, Defender AI model scanning entered preview. It detects and blocks potentially vulnerable or compromised AI models across model registries, workspaces, and CI/CD pipelines, verifying model integrity before deployment. For a SOC standing up coverage for AI workloads, this pushes supply-chain checks left of runtime — a tampered or backdoored model is caught at the registry or pipeline stage rather than after it is serving in production, and the signal lands in Defender alongside the rest of the estate. (Microsoft Security Blog)
Microsoft Purview extended data-protection controls to coding agents at Build (preview). The controls prevent data exfiltration and add agentic risk detection for coding agents (Claude Code, GitHub Copilot, OpenAI Codex, and others), DSPM risk discovery for where agents reach sensitive data, and — with Agent 365 — runtime DLP for agent prompts that detects, blocks, and audits sensitive data before the agent processes it; Purview data-risk signals in the Foundry control plane went GA alongside. For a SOC that owns Purview, this is the data-layer complement to Defender's endpoint view of the same agents: visibility into what data a local agent touches and a runtime block on sensitive content entering a prompt. (Microsoft Security Blog)
Microsoft disclosed a critical remote code execution flaw in Microsoft 365 Copilot (CVE-2026-45497, CVSS 7.7) on 4 June as one of its "June 2026 Early Security Updates." The root cause was command injection that could let an attacker break out of the Copilot service boundary and reach into the surrounding Microsoft 365 environment; a related critical Exchange Online information-disclosure bug (CVE-2026-48579, CVSS 9.1) was disclosed in the same batch. Microsoft fixed both server-side before publishing the advisories, so there is nothing to patch — but the SOC actions are real: review Entra sign-in and audit logs for anomalous Copilot access, confirm audit logging captures Copilot activity, and rotate credentials that a service-boundary escape could have exposed. These cloud CVEs are separate from the on-prem Patch Tuesday rollup that lands 9 June. (Microsoft 365 Copilot RCE analysis)
Build also shipped an Agent 365 governance and isolation stack. The Agent 365 SDK went GA (observability, access controls, and compliance enforcement in the development workflow); the Agent 365 Agent Registry surfaces unmanaged local agents discovered by Defender, Entra, and Intune; Windows 365 for Agents reached GA to run agents in fully isolated, policy-governed Cloud PC environments; and the Microsoft Execution Container (MXC) SDK entered early preview for OS-level process and session isolation of agent execution. For a SOC, the registry closes the shadow-agent discovery gap and the isolation options give a containment answer for agents that would otherwise run with the user's full reach on a managed endpoint. (Microsoft Security Blog)
Microsoft Entra ID posted three near-term identity-hardening changes. Custom controls are being deprecated in favor of External MFA; Conditional Access will be enforced consistently during credential registration (including WHfB and macOS Platform SSO); and SSPR will require explicitly registered authentication methods rather than accepting directory-sourced phone/email. The dates land in Q3 (see Act by), but the analyst-facing point is that CA enforcement is getting more uniform and SSPR fallback paths attackers could abuse are closing — expect fewer silent gaps and more registration prompts. (Microsoft Entra Blog)
Microsoft published a Global Secure Access Operations Guide on Microsoft Learn — a prescriptive day-2 playbook for running GSA in production. It ships a RACI matrix, capability-specific playbooks for Private Access, Internet Access, Remote Networks, and Microsoft Traffic, and alert-first monitoring routines built to act on Microsoft Sentinel and Azure Monitor signals before dashboards show trouble, plus daily health-check templates and Sentinel/Graph/PowerShell automation. Useful if your SOC owns any GSA monitoring or alerting, since it maps each alert to a defined action. (Microsoft Entra Blog)
Worth knowing
Microsoft Threat Intelligence detailed how threat actors are riding the AI hype as social-engineering bait. Since early 2026 it has tracked malvertising using AI-themed lures ("Flux Pro AI" and similar) in popups, malware filenames, and GitHub repo names, attributed to initial-access broker Storm-3075, with campaigns moving from launch to mass impact within hours. It also observed brand-impersonation phishing: an Anthropic/Claude-themed campaign hitting 2,000+ organizations (Apr 20–22, mostly US/UK/India) and a ChatGPT-themed credential/credit-card phishing run of ~4,500 emails on May 5 (97% South Africa). Worth flagging AI-branded domains and lures in your phishing and malvertising detections. (Microsoft Security Blog)
Build week's through-line is that AI agents and Copilot are now a first-class SOC surface, defended and attacked on the same footing as endpoints and identities. On the defense side the pieces landed together — Defender discovers and blocks local agents, Purview governs the data they touch, and Agent 365 registers and isolates them — while the two server-side Copilot CVEs (the 4 June M365 Copilot RCE and the paired Exchange Online disclosure) are the reminder that the managed AI services themselves carry exploitable flaws. Because Microsoft remediates those in its own cloud, the analyst job shifts from patching to detection and governance: make sure Copilot and agent activity is captured in your audit and sign-in telemetry now, so that when the next agent or Copilot advisory drops you can actually hunt for whether it was abused rather than discovering you had no logs.
On patching cadence there was no Patch Tuesday in this window — the early Copilot and Exchange Online cloud fixes are separate cloud-service advisories, and the on-prem June rollup lands 9 June (next issue), where trackers expect a record-size batch with an exploited Exchange zero-day. If you own the estate's patch sequencing, treat this quiet week as prep: confirm Defender-delivered update channels are healthy in MDE and stage your internet-facing triage list before the 9th, rather than reacting to it cold. (Microsoft Security Blog)