Creating a Microsoft Copilot Chat Agent for M365 Security (ASD Secure Cloud Blueprint)

Overview

ASD’s Blueprint for Secure Cloud is a comprehensive set of security guidelines published by the Australian Signals Directorate. It details how to configure cloud services (including Microsoft 365) to meet high security standards, incorporating strategies like the Essential Eight. For Microsoft 365, the Blueprint covers everything from enforcing multi-factor authentication and blocking legacy authentication, to hardening Office 365 services (Exchange, SharePoint, Teams) and securing Windows devices via Intune policies[1][2]. By creating a dedicated Copilot Chat agent based on this Blueprint, you give your organisation an easy way to access all that expertise. The agent will act as a virtual security advisor: available through Microsoft Teams (Copilot Chat) to answer questions, provide configuration guidance, and even supply automation scripts – all for free using your existing M365 subscription.

Below is a step-by-step guide to build the agent within the Copilot Chat interface, followed by examples of how it can improve your Microsoft 365 security management.

---

Step-by-Step: Creating the Copilot Agent in Teams Copilot Chat

You can create the agent entirely within the Microsoft 365 Copilot Chat interface (such as in Teams), using the built-in Agent Builder. There’s no need to use separate tools or write code. Here’s how to set it up quickly:

Note: The above assumes that the Copilot Agents feature is enabled in your tenant. Microsoft made Copilot Chat available to all users by 2025, but an admin might need to turn on custom agent creation if it’s in preview. Check your M365 admin settings for “Copilot” or “Agents” if you don’t see the option to create an agent. Once enabled, any user can build or use agents in Copilot Chat[3].

---

How the Agent Improves M365 Security

With your M365 Security Copilot agent up and running, your IT team (and potentially all employees) can leverage it in several ways to strengthen security. Here are some examples of what it can do:

1. Instant Q&A on Security Best Practices

The agent can answer questions about Microsoft 365 security configurations, drawing directly from the ASD Blueprint’s guidance and related Microsoft documentation. This is like having a security policy expert available 24/7.

• Example: “What does the ASD Blueprint say about email protection?” – The agent might respond: “It recommends enabling Microsoft Defender for Office 365 features like Safe Links and Safe Attachments for all users[2]. Safe Links will check URLs in emails and documents for malicious content and redirect users if the link is unsafe. Safe Attachments will open email attachments in a sandbox to detect malware before delivering them to the recipient[2].” It would likely go on to mention anti-phishing policies as well. This guidance helps you know which settings to configure (e.g. turn on Safe Links and Safe Attachments in your Exchange Online security policies).
• Example: “Do we allow legacy email protocols?” – Legacy protocols like IMAP/POP3 (which use Basic Auth) are a known security risk. The agent knows the Blueprint stance is to disable them in favour of Modern Authentication. It might answer: “No. According to ASD’s guidelines, legacy authentication protocols such as POP3 and IMAP should be disabled[4]. This prevents attackers from bypassing MFA. You should ensure only Modern Auth is allowed for Exchange Online.” The agent could even cite Microsoft’s policy that basic auth is deprecated. This reminds your team to verify those settings (or use the script the agent provides, which we’ll see below).
• Example: “What are the password requirements for Windows 10 devices?” – The agent can pull from the Intune compliance policy Blueprint. It could respond: “The Blueprint’s baseline for Windows 10 requires a complex password of at least 15 characters[1]. Simple passwords are blocked, and the device must be encrypted with BitLocker[1]. It also enforces screen lock after 15 minutes of inactivity.” This gives a clear answer that aligns with your organisation’s policy (assuming you adopt the Blueprint settings).
• Why this helps: It eliminates guesswork. Admins and helpdesk staff don’t have to search through lengthy documents or remember every detail. They can just ask the agent and get an authoritative answer with the reasoning included. This ensures consistent application of security best practices.

2. Guidance for Implementation and Automation

The agent doesn’t just cite policy – it can help you implement it. Through step-by-step guidance or actual code snippets, it translates the recommendations into action:

• Step-by-Step Instructions: For instance, if you ask “How do I enforce MFA for all users?”, the agent will explain the methods. It might say: “To enforce MFA, you have options: (1) Enable Security Defaults in Azure AD, which require MFA for all users by default; or (2) create a Conditional Access policy that requires MFA for all sign-ins[2]. In Azure AD portal, go to Conditional Access -> New policy, assign to all users, cloud apps All, then under Access Controls, require MFA.” It will outline these steps clearly. If the Blueprint or Microsoft docs have a sequence, it will present it in order. This is like having a tutor walk you through the Azure AD configuration.
• PowerShell Script Generation: Perhaps the biggest time-saver. The agent can generate scripts to configure settings across your tenant:
  • If you say, “Give me a PowerShell script to disable POP and IMAP for all mailboxes,” the agent can produce something like:
    
    Connect-ExchangeOnline -Credential (Get-Credential)
Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -PopEnabled $false -ImapEnabled $false
    
    It knows from context that disabling these protocols is recommended, and the commands to do so. In fact, this script (getting all mailboxes and piping to Set-CASMailbox to turn off POP/IMAP) is a common solution[4]. The agent might add, “This script connects to Exchange Online and then disables POP and IMAP on every user’s mailbox.” With this, an admin can copy-paste and execute it in PowerShell to enforce the policy in seconds.
  • Another example: “Generate a script to require MFA for all users.” The agent could output a script using Azure AD PowerShell to set MFA on each account. For instance, it might use the MSOnline module:
    
    Connect-MsolService
$users = Get-MsolUser -All foreach ($u in $users) { Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @( New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement -Property @{ RelyingParty = "*"; State = "Enabled" } ) }
    
    And it would explain that this iterates through all users and enforces MFA. This aligns with the Blueprint’s mandate for MFA everywhere. The agent is effectively writing the code so you don’t have to. (As always, you should test such scripts in a safe environment, but it provides a solid starting point.) Not here that the MSOL module has been deprecated by Microsoft and you really should use the latest option. Always check your results from AI!
  • The agent can assist with device policies too. If you ask, “How can I deploy the Windows 10 baseline settings?”, apart from describing the steps in Intune, it might mention scriptable options (like exporting the Blueprint’s Intune configuration as JSON and using Graph API or PowerShell to import it). It will guide you to the appropriate tooling.
• Why this helps: It automates tedious work and ensures it’s done right. Many IT admins know what they need to do conceptually, but writing a script or clicking through dozens of settings can be error-prone. The agent provides ready-made, Blueprint-aligned solutions. This speeds up implementation of secure configurations. Your team can focus on higher-level oversight rather than nitty-gritty syntax.

3. Organisation-Wide Security Awareness

By sharing the agent with the whole organisation, you extend its benefits beyond the IT/security team (if desired):

• Empowering Helpdesk and Junior Staff: Frontline IT support can use the agent to answer user questions or to verify they’re giving correct advice. For example, if a user asks “Why can’t I use my old Outlook 2010 with company email?”, a helpdesk tech could consult the agent, which might answer: “Outlook 2010 uses legacy authentication which is not allowed because it doesn’t support modern security features. We require newer Outlook versions or clients that support Modern Auth to protect your account.” This backs up the helpdesk with authoritative reasoning.
• Training New Team Members: New hires in the IT department can learn your security policies by interacting with the agent. They can ask it various “why do we do X” questions and get consistent answers. It’s like an interactive policy manual. Over time, this improves everyone’s understanding of security in the company.
• Consistent Messaging: The agent will always refer to the Blueprint’s guidance. This means the language and recommendations are consistent. If two different people ask about, say, OneDrive sharing settings, they’ll get the same answer from the agent. Consistency is key in security – you don’t want conflicting info. The agent ensures one voice (that of the ASD Blueprint) is answering.

4. Keeping the Agent (and Advice) Up-to-Date

As threats evolve and the ASD Blueprint (or Microsoft’s recommendations) update, you can refresh the agent easily:

• Periodically check the Blueprint site for updates. If new sections or changes appear (e.g., a new recommendation to use a particular security feature), you can update the agent’s knowledge. In Copilot’s agent settings, you can re-index the website or add new URLs if needed. For example, if a new “Design Decision” is added on the blueprint site about a feature, include it.
• You might also feed the agent additional sources. Suppose Microsoft releases a detailed blog on a new M365 security feature not covered by the current Blueprint. You can add that blog URL to the agent’s sources. Now the agent can incorporate that into its answers as well.
• Because you can edit the agent’s instructions at any time, you can also adjust its behavior. If your organisation decides on a custom policy that slightly deviates from the Blueprint, you can instruct the agent about that. For instance, “our company chooses to disable feature X due to internal reasons – reflect that in answers.”

All of this ensures the agent remains a living tool that adapts to the latest best practices and your organisation’s needs.

---

Example Questions & Agent Responses

To illustrate, here are some example questions you could ask your new security Copilot agent, and the kind of answers you can expect:

Question	Agent’s Response (Summary)
“How do I enforce MFA for all users?”	“Multi-Factor Authentication is mandatory for all users. The ASD Blueprint advises enabling it tenant-wide. You can do this by turning on Azure AD Security Defaults or creating a Conditional Access policy requiring MFA for all accounts. This ensures every login uses a second factor, which makes accounts 99.9% less likely to be compromised[5].” The agent would then guide through setting up the policy (as described in step-by-step above).
“Give me a script to disable legacy email auth.”	“To block legacy authentication (like basic auth for POP/IMAP) on Exchange Online, run the following PowerShell commands: Connect-ExchangeOnline -Credential (Get-Credential) Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -PopEnabled $false -ImapEnabled $false This disables POP and IMAP for all mailboxes[4], forcing the use of Modern Authentication (which supports MFA).”
“What are the device security requirements?”	“For Windows 10/11 devices, the Blueprint baseline requires: BitLocker disk encryption enabled, a password of at least 15 characters with complexity, screen lock after 15 minutes, and up-to-date antivirus/antispyware protection[1]. Jailbroken or rooted mobile devices are not compliant. These ensure devices meet a strong security standard.”
“How can we protect email from phishing?”	“Use Microsoft Defender for Office 365. The Blueprint recommends Safe Links and Safe Attachments for all users[2]. Safe Links will scan and rewrite URLs in incoming emails to shield users from malicious sites. Safe Attachments will open email attachments in a virtual machine to detect malware. Enable these in your Office 365 security center under Threat Management > Policy.” The agent might also mention anti-phishing policies and user training reminders.
“Why do we insist on MFA for login?”	“Because it dramatically improves security. As Microsoft reports, an account is over 99.9% less likely to be hacked if MFA is enabled[5]. The ASD Blueprint therefore mandates MFA for all users. Even if a password is stolen, the attacker cannot get in without the second factor.” This kind of answer provides the rationale you can pass on to users or execs who ask the same question.

These examples show how the agent can be used in practice. It provides precise, actionable answers with evidence (often even citing the official guidance). By interacting with the agent, your IT staff can save time and ensure they’re following the correct procedures, and your end-users get consistent answers on why security measures are in place.

---

In summary, a dedicated Copilot Chat agent based on the ASD Secure Cloud Blueprint can greatly streamline your Microsoft 365 security operations. It’s free to set up (since Copilot Chat agents are available to all M365 users[3]), quick to distribute via Teams, and immediately useful for both answering questions and executing security tasks. Your organisation gets the benefit of an always-available expert that reflects approved best practices, helping you raise the security baseline across the board.

References

[1] Windows 10/11 Compliance Policy | ASD’s Blueprint for Secure Cloud

[2] Microsoft Defender for Office 365 | ASD’s Blueprint for Secure Cloud

[3] Safe Attachments | ASD’s Blueprint for Secure Cloud

[4] BRK3083 – Secure Office 365 like a cybersecurity pro—assessing risk and implementing controls

[5] Microsoft: Using multi-factor authentication blocks 99.9% of … – ZDNET