# Configuration

AI Agent Security builds on Veza's existing cloud integrations. To discover AI resources, connect Veza to your cloud platform using the integration guide for that platform, then grant the additional permissions described below.

## Requirements

* **AI Agent Security feature flag** — Contact Veza support to activate AI Agent Security for your tenant.
* **Cloud integration** — At least one supported platform must be connected to Veza. See [Configuring Integrations](/4yItIzMvkpAvMVFAamTf/integrations/configuration.md) for platform setup guides.

## AWS Bedrock

Follow the [AWS Integration Setup Guide](/4yItIzMvkpAvMVFAamTf/integrations/integrations/aws.md) to connect Veza to your AWS environment, then add the following Bedrock-specific permissions to your Veza IAM role:

```json
{
  "Effect": "Allow",
  "Action": [
    "bedrock:GetAgent",
    "bedrock:GetGuardrail",
    "bedrock:ListAgentActionGroups",
    "bedrock:ListAgentAliases",
    "bedrock:ListAgentKnowledgeBases",
    "bedrock:ListAgents",
    "bedrock:ListAgentVersions",
    "bedrock:ListCustomModels",
    "bedrock:ListDataSources",
    "bedrock:ListFoundationModels",
    "bedrock:ListGuardrails",
    "bedrock:ListImportedModels",
    "bedrock:ListKnowledgeBases",
    "bedrock:ListPromptRouters",
    "bedrock:ListPrompts"
  ],
  "Resource": "*"
}
```

Bedrock discovery scans all enabled regions by default. To limit discovery to specific regions, edit the integration and enter region names in the **Regions** field (e.g., `us-east-1, us-west-2`). Bedrock services are regional. Ensure agents exist in the regions you configure.

## AWS Bedrock AgentCore

Bedrock AgentCore is a separate AWS service from Bedrock (classic), with its own IAM service prefix (`bedrock-agentcore`). It is configured as a sub-service of the existing AWS integration in Veza.

Follow the [AWS Integration Setup Guide](/4yItIzMvkpAvMVFAamTf/integrations/integrations/aws.md) to connect Veza to your AWS environment, then:

1. In the AWS integration settings, go to **Limit Services** and enable **Bedrock AgentCore**.
2. Add the following permissions to your Veza IAM role:

```json
{
  "Sid": "BedrockAgentCore",
  "Effect": "Allow",
  "Action": [
    "bedrock-agentcore:ListAgentRuntimes",
    "bedrock-agentcore:GetAgentRuntime",
    "bedrock-agentcore:ListAgentRuntimeEndpoints",
    "bedrock-agentcore:ListGateways",
    "bedrock-agentcore:GetGateway",
    "bedrock-agentcore:ListGatewayTargets",
    "bedrock-agentcore:GetGatewayTarget",
    "bedrock-agentcore:ListMemories",
    "bedrock-agentcore:GetMemory",
    "bedrock-agentcore:ListOnlineEvaluationConfigs",
    "bedrock-agentcore:GetOnlineEvaluationConfig",
    "bedrock-agentcore:ListCodeInterpreters",
    "bedrock-agentcore:GetCodeInterpreter",
    "bedrock-agentcore:ListBrowsers",
    "bedrock-agentcore:GetBrowser"
  ],
  "Resource": "*"
}
```

AgentCore discovery is regional. Ensure your AWS integration includes the regions where your AgentCore runtimes are deployed. IAM must also be enabled in the same AWS integration for Veza to resolve agent runtime permissions through assumed IAM roles.
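Before triggering an extraction, it is worth confirming that the role actually allows every action listed in the Bedrock and AgentCore sections above, because a wildcard such as `bedrock:List*` silently misses the `Get*` calls and an explicit Deny inherited from a permissions boundary removes an action without any error at policy-attach time. The following checker is an added example, not Veza code: it reads an IAM policy document and reports which required actions are not allowed on `Resource: "*"`. The sample policy, role layout and statement names are constructed to show those two mistakes; the IAM semantics are simplified (explicit Deny wins, statements carrying a `Condition` are not credited as an Allow, statements using `NotAction` are skipped for manual review).

```python
"""Offline coverage check for the Veza IAM role's Bedrock permissions.

Added example, not Veza code. Reads an IAM policy document (the JSON you
would attach to the Veza role) and reports which of the actions required
for Bedrock and Bedrock AgentCore discovery are not allowed on Resource "*".
Simplified IAM semantics: an explicit Deny on a matching action wins;
statements with a Condition are not credited as Allows, and statements
using NotAction are skipped entirely (review those by hand).
"""
import fnmatch
import json

# Read-only actions this page lists for Bedrock (classic) discovery.
REQUIRED_BEDROCK = [
    "bedrock:GetAgent", "bedrock:GetGuardrail",
    "bedrock:ListAgentActionGroups", "bedrock:ListAgentAliases",
    "bedrock:ListAgentKnowledgeBases", "bedrock:ListAgents",
    "bedrock:ListAgentVersions", "bedrock:ListCustomModels",
    "bedrock:ListDataSources", "bedrock:ListFoundationModels",
    "bedrock:ListGuardrails", "bedrock:ListImportedModels",
    "bedrock:ListKnowledgeBases", "bedrock:ListPromptRouters",
    "bedrock:ListPrompts",
]

# Read-only actions this page lists for Bedrock AgentCore discovery.
REQUIRED_AGENTCORE = [
    "bedrock-agentcore:ListAgentRuntimes", "bedrock-agentcore:GetAgentRuntime",
    "bedrock-agentcore:ListAgentRuntimeEndpoints",
    "bedrock-agentcore:ListGateways", "bedrock-agentcore:GetGateway",
    "bedrock-agentcore:ListGatewayTargets", "bedrock-agentcore:GetGatewayTarget",
    "bedrock-agentcore:ListMemories", "bedrock-agentcore:GetMemory",
    "bedrock-agentcore:ListOnlineEvaluationConfigs",
    "bedrock-agentcore:GetOnlineEvaluationConfig",
    "bedrock-agentcore:ListCodeInterpreters", "bedrock-agentcore:GetCodeInterpreter",
    "bedrock-agentcore:ListBrowsers", "bedrock-agentcore:GetBrowser",
]

# Constructed sample: a role policy with two typical mistakes. The List*
# wildcard skips bedrock:GetGuardrail, and a Deny (e.g. merged in from a
# permissions boundary) removes bedrock-agentcore:GetBrowser.
SAMPLE_ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["bedrock:List*", "bedrock:GetAgent"], "Resource": "*"},
    {"Sid": "BedrockAgentCore", "Effect": "Allow", "Action": "bedrock-agentcore:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "bedrock-agentcore:GetBrowser", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts either a string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    """IAM action matching: case-insensitive, with * and ? wildcards."""
    name = action.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def action_allowed(policy, action):
    """True if `action` is allowed on Resource "*" and not explicitly denied."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt or not _matches(action, _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # explicit Deny wins, whatever its resource scope
        if (stmt.get("Effect") == "Allow"
                and "*" in _as_list(stmt.get("Resource"))
                and "Condition" not in stmt):
            allowed = True
    return allowed


def missing_actions(policy, required):
    """Required actions the policy does not allow, in the page's order."""
    return [a for a in required if not action_allowed(policy, a)]


if __name__ == "__main__":
    for label, required in (("Bedrock", REQUIRED_BEDROCK), ("AgentCore", REQUIRED_AGENTCORE)):
        missing = missing_actions(SAMPLE_ROLE_POLICY, required)
        print(f"{label}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Run it against the policy document you plan to attach (`aws iam get-role-policy` or the inline JSON) by replacing `SAMPLE_ROLE_POLICY`; an empty list for both groups means the role covers the page's requirements, while anything reported for AgentCore after you also enabled **Bedrock AgentCore** under **Limit Services** is the first place to look when runtimes do not appear.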

## Azure AD (Entra ID)

No additional configuration is required, and no changes to your existing Azure AD integration are needed. During the regular integration sync, Veza classifies `AzureADEnterpriseApplication` entities as AI Agents when their application tags include `AgenticInstance`, `AgenticApp`, or any tag prefixed with `power-virtual-agents-`.
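To see ahead of a sync which applications that tag rule will pick up, the following added example (not Veza code) applies the same test to a Microsoft Graph service principal listing. `SAMPLE_GRAPH_PAGE` is a constructed excerpt in the shape of a `GET /servicePrincipals?$select=id,displayName,tags` response; the app names and ids are made up, and the tag comparison is assumed to be case-sensitive.

```python
"""Preview which Entra ID enterprise applications will be classified as AI Agents.

Added example, not Veza code. Applies the tag rule stated on this page to a
Microsoft Graph service principal listing. SAMPLE_GRAPH_PAGE is a constructed
excerpt in the shape of GET /servicePrincipals?$select=id,displayName,tags;
names and ids are made up. Tag comparison is assumed to be case-sensitive.
"""

AGENT_TAGS = {"AgenticInstance", "AgenticApp"}      # exact-match tags from the page
AGENT_TAG_PREFIXES = ("power-virtual-agents-",)     # prefix-match tags from the page

SAMPLE_GRAPH_PAGE = {
    "value": [
        {"id": "11111111-0000-0000-0000-000000000001", "displayName": "Contoso HR Copilot",
         "tags": ["WindowsAzureActiveDirectoryIntegratedApp", "power-virtual-agents-bot"]},
        {"id": "11111111-0000-0000-0000-000000000002", "displayName": "Finance Triage Agent",
         "tags": ["AgenticApp"]},
        {"id": "11111111-0000-0000-0000-000000000003", "displayName": "Legacy Intranet",
         "tags": ["WindowsAzureActiveDirectoryIntegratedApp"]},
        # Gallery apps often carry no tags at all; the key may be absent.
        {"id": "11111111-0000-0000-0000-000000000004", "displayName": "Gallery SaaS App"},
    ]
}


def agent_tag(tags):
    """Return the first tag that makes the app qualify as an AI Agent, or None."""
    for tag in tags or []:
        if tag in AGENT_TAGS or tag.startswith(AGENT_TAG_PREFIXES):
            return tag
    return None


def classify_ai_agents(graph_page):
    """(displayName, qualifying tag) for every service principal that qualifies."""
    results = []
    for sp in graph_page.get("value", []):
        tag = agent_tag(sp.get("tags"))
        if tag is not None:
            results.append((sp["displayName"], tag))
    return results


if __name__ == "__main__":
    for name, tag in classify_ai_agents(SAMPLE_GRAPH_PAGE):
        print(f"{name}: classified as AI Agent via tag {tag}")
```

Feed it a real Graph page (paging through `@odata.nextLink` as usual) and compare the output with **AI Agent Security > Agents** filtered to Azure AD after the sync; an app you expected to see but that is absent from both lists simply lacks one of the qualifying tags.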

## Azure AI Foundry

Follow the [Microsoft Azure Integration Setup Guide](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure.md) to connect Veza to your Azure environment, then follow the steps in [Enable Azure AI Foundry](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure.md#enable-azure-ai-foundry) to grant the required control plane and data plane roles and enable the service in **Limit Services**.

## Google Cloud Vertex AI

Follow the [Google Cloud Integration Setup Guide](/4yItIzMvkpAvMVFAamTf/integrations/integrations/google.md) to connect Veza to your Google Cloud project, then grant the following additional permissions to your Veza service account:

```
aiplatform.reasoningEngines.list
aiplatform.reasoningEngines.get
aiplatform.endpoints.list
aiplatform.endpoints.getIamPolicy
aiplatform.models.list
aiplatform.models.get
aiplatform.locations.list
aiplatform.locations.get
```

You can grant these by creating a custom IAM role or assigning the predefined `roles/aiplatform.viewer` role.

Vertex AI resources are location-specific. Edit the integration and use the **Location allow list** to specify the locations where your Vertex AI resources are deployed (e.g., `us-central1, us-east1`).

{% hint style="info" %}
Use the **Limit Google Cloud Services** option in the integration settings to explicitly enable Vertex AI discovery. Extractions that encounter Vertex AI resources without the required permissions can impact the extraction pipeline.
{% endhint %}

## Microsoft Copilot Studio

Follow the [Microsoft Azure Integration Setup Guide](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure.md) to connect Veza to your Azure environment, then complete the following steps:

1. **Grant Microsoft Graph permissions**: In the **Azure Portal**, go to **Microsoft Entra ID** (formerly **Azure Active Directory**) → **App registrations**, select the app registration for your Veza service principal, click **API permissions** → **Add a permission** → **Microsoft Graph** → **Application permissions**, and add:
   * `User.Read.All`
   * `Group.Read.All`
   * `Application.Read.All`
   * `ServicePrincipalEndpoint.Read.All`
2. **Grant Dataverse permission**: Click **Add a permission** → **Dynamics CRM**, select **Delegated permissions**, add `user_impersonation`, and click **Grant admin consent**.

   {% hint style="info" %}
   **"Dynamics CRM" is Microsoft's label for the Dataverse Web API** in the Entra permission picker. This name is set by Microsoft and was never updated after the Dataverse rebrand. You do not need a Dynamics 365 license or a CRM deployment to use this integration with Copilot Studio.
   {% endhint %}
3. **Register as Application User**: In each Power Platform Dataverse environment, register the Veza service principal as an Application User with read access to the `bot` and `botcomponent` tables.
4. **Add Dataverse environment URLs**: Go to **Integrations**, select your Microsoft Azure integration, click **Edit Settings**, and enter your Dataverse environment URL(s) in the **Dynamics 365 CRM Environments** field (e.g., `https://org.crm.dynamics.com`).

   {% hint style="info" %}
   The `*.crm.dynamics.com` domain is the standard Dataverse environment hostname. Microsoft retained this domain for all Dataverse environments, including those used exclusively for Copilot Studio with no CRM deployment.
   {% endhint %}
5. **Enable the services**: In the Azure integration settings, go to **Limit Services** and enable both **Microsoft Copilot Studio** and **Azure Dynamics 365 CRM**.

   {% hint style="info" %}
   Copilot Studio discovery uses the same Dataverse environment URLs configured under **Azure Dynamics 365 CRM** (step 4). Both services must be enabled for discovery to run. **Azure Dynamics 365 ERP** is a separate integration and is not required.
   {% endhint %}

## Salesforce (Agentforce)

Follow the [Salesforce Integration Setup Guide](/4yItIzMvkpAvMVFAamTf/integrations/integrations/salesforce.md) to connect Veza to your Salesforce org, then grant read access to the `BotDefinition` object:

1. In Salesforce **Setup**, go to **Profiles** or **Permission Sets**.
2. Select the profile or permission set assigned to your Veza integration user.
3. Under **Object Settings**, find **BotDefinition** and enable **Read**.
4. Click **Save**.

{% hint style="info" %}
The `BotDefinition` object is only visible if your org has an Agentforce license.
{% endhint %}

## ServiceNow

Follow the [ServiceNow Integration Setup Guide](/4yItIzMvkpAvMVFAamTf/integrations/integrations/servicenow.md) to connect Veza to your ServiceNow instance. AI Agent discovery requires the following ServiceNow plugins:

* **AI Agent Studio** (`sn_aia`) — Required for AI Agent and AI Agent Tool discovery
* **Now Assist Skill Kit** — Required for Gen AI Skill discovery
* **Generative AI Controller** — Required for AI Model and Gen AI Config discovery

Grant the Veza integration user the `sn_aia.admin` role for access to AI Agent Studio tables. If a required plugin is not installed, Veza skips the corresponding AI entity types and continues the extraction normally.

See the [ServiceNow integration guide](/4yItIzMvkpAvMVFAamTf/integrations/integrations/servicenow.md) for the full list of required table permissions.

## Verify Discovery

After the next scheduled integration sync, or after triggering a manual extraction:

1. Go to **AI Agent Security > Overview** and confirm the agent count is greater than 0.
2. Navigate to **AI Agent Security > Agents**, filter by platform, and verify agents appear with correct properties.
3. Select an agent, click the linked models count, and confirm the graph shows model relationships.

## Next Steps

* [Supported Entities](/4yItIzMvkpAvMVFAamTf/features/ai-agent-security/supported-entities.md) — Entity types discovered per platform
* [AI Agent Security Overview](/4yItIzMvkpAvMVFAamTf/features/ai-agent-security.md) — GUI walkthrough and key capabilities
* [Access Reviews](/4yItIzMvkpAvMVFAamTf/features/access-reviews.md) — Create recurring reviews for AI Agent permissions
* [Rules and Alerts](/4yItIzMvkpAvMVFAamTf/features/insights/rules-and-alerts.md) — Configure automated alerts for AI security events

