Microsoft Build 2026 — Enterprise Agent Security with MDASH and Purview

AI relevance: Microsoft's Build 2026 announcements directly address enterprise-scale deployment and governance of AI coding agents (Claude Code, GitHub Copilot, OpenAI Codex, OpenClaw), introducing identity-based agent management, DLP controls, and a fleet of 100+ threat-hunting AI agents.

Key announcements

  • MDASH exits preview — Microsoft Defender Advanced Security Hunting (MDASH) now includes 100+ specialized threat-hunting AI agents, covering the full development lifecycle from exploitability assessment to production verification.
  • Agent identity via Entra ID — Agents now operate as managed service principals in Entra ID, not under developer credentials. This eliminates the "shadow IT" problem where agents run with untracked developer access.
  • Intune deployment policies — Agents can be deployed and governed via Intune, with policies dictating which agents run, what data they can access, and when they must pause for human approval.
  • Purview agentic risk detection — Data Loss Prevention controls now explicitly cover coding agents (Claude Code, GitHub Copilot, OpenAI Codex, OpenClaw), with Data Security Posture Management risk discovery for agent-accessed data.
  • Sentinel SIEM integration — All agent activities are logged to Microsoft Sentinel for security analysis and to Purview for compliance tracking.
  • Defender exposure graph — Provides visibility into how agents connect across the network, helping analysts investigate agent activity using advanced hunting.
  • Agent-Native Windows platform — A dedicated platform for governed AI developer agents, enabling Intune-based deployment and policy enforcement.

Why it matters

Enterprise adoption of AI coding agents is outpacing governance frameworks. Microsoft's announcements represent the first comprehensive enterprise-stack approach to agent security: identity (Entra), deployment (Intune), data protection (Purview), and detection (Defender/Sentinel) — all unified for AI agents. This signals a shift from treating agents as developer tools to treating them as managed workloads requiring the same security controls as services and applications.

What to do

  • Inventory all AI coding agents running in your environment (Claude Code, Copilot, Codex, etc.).
  • Map agent access to sensitive data repositories and CI/CD pipelines.
  • Evaluate Purview DLP policies for agent-accessed content — treat agent file reads/writes as potential exfiltration vectors.
  • Implement human-approval gates for agents accessing production systems or secrets.
  • Log all agent activity to your SIEM — agents should be visible in your existing security tooling, not operating as a blind spot.
