Enable and configure the Defender for AI Services plan

  • 7 minutes

The Defender for AI Services plan is a Cloud Workload Protection plan in Microsoft Defender for Cloud. It works the same way as other Defender plans previously enabled—Defender for Servers, Defender for Storage, Defender for Containers—but its scope is Azure AI services workloads. When enabled on an Azure subscription, the plan integrates with Azure AI Content Safety Prompt Shields and Microsoft threat intelligence to scan text tokens flowing through your AI services at inference time.

The plan detects four categories of threats:

  • Jailbreak attempts - crafted prompts designed to bypass model safety instructions
  • Data leakage - sensitive data exposed through model responses
  • Credential theft - extraction of secrets, keys, or credentials through AI interactions
  • Data poisoning - attempts to corrupt model behavior through manipulated inputs

Alerts generated by the plan flow into Microsoft Defender XDR, where they correlate with signals from identity, endpoint, and cloud app protection. This integration means your existing SOC workflows and incident response processes apply to AI threats without requiring separate tooling.

Note

The Defender for AI Services plan scans text tokens only. Image and audio tokens aren't scanned in the current release.

The plan protects workloads running on Azure OpenAI supported models and Azure AI Model Inference service supported models. If your organization also uses Copilot Studio agents, those agents are protected separately through Microsoft Defender for Cloud Apps—covered earlier in this learning path.

Enable the Defender for AI Services plan

You enable the plan per Azure subscription in the Defender for Cloud Environment settings. You need Owner or Contributor permissions on the subscription.

  1. Sign in to the Azure portal.
  2. Search for and select Microsoft Defender for Cloud.
  3. In the Defender for Cloud menu, select Environment settings.
  4. Select the Azure subscription that hosts your AI services workloads.
  5. On the Defender plans page, locate the AI services row and toggle it to On.
  6. Select Save.

Screenshot of the Defender for Cloud Environment settings page with the AI services plan toggled to On for the selected Azure subscription.

After you enable the plan, Defender for Cloud begins scanning AI service inference traffic on that subscription. Alerts typically begin appearing within minutes if threat activity is occurring.

Important

Enable the plan on every subscription that hosts Azure AI services workloads. A subscription without the plan enabled has no AI threat detection, even if other Defender plans are active on that subscription.

Decide which plan components to enable

With the plan enabled, three optional components extend its capabilities. Use this table to decide which apply to your environment before configuring each one:

Component Enable if...
Suspicious prompt evidence Your SOC needs alert context for triage and your organization's data handling policy permits access to prompt content
Data security for AI interactions A Microsoft Purview license is available and your compliance team needs AI interaction audit, classification, or eDiscovery
AI model security Your organization maintains custom models in Azure Machine Learning registries alongside managed Azure OpenAI deployments

The following sections walk through enabling each component.

Configure suspicious prompt evidence

By default, the plan detects threats but masks the prompt content in alerts. Security engineers who need to triage alerts effectively should enable suspicious prompt evidence, which includes redacted snippets of the user prompt and model response in each alert.

  1. In the Azure portal, navigate to Microsoft Defender for Cloud > Environment settings.
  2. Select the relevant subscription.
  3. Locate AI services and select Settings.
  4. Toggle Enable user prompt evidence to On.
  5. Select Continue.

With prompt evidence enabled, each alert includes the suspicious portion of the prompt or response that triggered the detection. Sensitive data is automatically redacted. This evidence appears in the Defender portal as part of the alert's detail view. The evidence gives security engineers the context they need to determine whether the alert represents a genuine attack or a false positive.

If your organization's data handling policies restrict access to prompt content, leave this setting off. Defender for Cloud continues detecting threats—the only difference is that the alert detail view masks the prompt and response text.

Configure data security for AI interactions

The plan includes an optional integration with Microsoft Purview that enables data security and compliance capabilities for AI interactions. When you toggle Data security for AI interactions to On, Microsoft Purview can access and analyze prompts, responses, and associated metadata from your Microsoft Foundry workloads.

This integration supports:

  • Sensitive information type (SIT) classification
  • Analytics and reporting through Microsoft Purview Data Security Posture Management (DSPM) for AI
  • Insider risk management
  • Communication compliance
  • Microsoft Purview Audit
  • Data lifecycle management
  • eDiscovery

Note

Data security for AI interactions requires a separate Microsoft Purview license. It isn't included with the Defender for AI Services plan. Coordinate with your compliance team before enabling Purview integration.

Important

Purview integration covers Microsoft Foundry direct model API calls that use Microsoft Entra ID authentication with a user context token. Two scenarios fall outside its scope: API calls that don't include user context appear only in Purview Audit and DSPM for AI Activity Explorer, and Foundry agent interactions aren't captured at all—support for Foundry agent context in Purview isn't yet available.

To enable the integration, navigate to the AI services Settings page in Environment settings and toggle Data security for AI interactions to On.

Configure AI model security

AI model security scans models registered in Azure Machine Learning registries for security risks—serialization vulnerabilities, embedded malware, and exposed secrets. The scan runs automatically against registered models and surfaces findings as recommendations in Defender for Cloud.

To enable AI model security:

  1. Navigate to the AI services Settings page in Environment settings.
  2. Toggle AI model security to On.
  3. Select Continue.

This component is most relevant if your organization maintains custom models in Azure Machine Learning registries alongside Azure OpenAI deployments. If you use only managed Azure OpenAI models, the value of this component is lower—but enabling it adds no overhead and provides coverage if ML registry usage expands.

Apply enablement to Contoso's scenario

Contoso's security engineer identifies two Azure subscriptions that host Microsoft Foundry projects—one for the document analysis models and one for the regulatory research models. The engineer enables the Defender for AI Services plan on both subscriptions, then enables suspicious prompt evidence. This enables the SOC team to triage AI alerts effectively. The engineer defers the Purview integration to the compliance team, who manages the Purview license and data handling policies. AI model security is enabled on both subscriptions as a precautionary measure, since the data science team maintains a small set of custom models in an Azure Machine Learning registry.

With the plan enabled on both subscriptions, Contoso's AI workloads are now covered by threat detection at the inference layer.