
Microsoft Entra Blog

What’s New in AI for Security from Microsoft Entra?

rahulpr
Aug 28, 2025

Discover the latest AI for Security innovations in Microsoft Entra—investigate faster, manage identities smarter, and automate protection with ease.

Your teams are moving fast—and so are we!

We’re committed to putting the most advanced identity security tools at your fingertips, so you can secure access with speed, precision, and confidence.
This is the first of a regularly updated series highlighting the newest AI-powered capabilities in Microsoft Entra—each designed to help you investigate threats faster, manage identities more effectively, and automate protection with less effort. From natural language-driven investigations to proactive optimization powered by AI agents, these updates are all about helping you stay ahead of attackers while unlocking new levels of efficiency.

Let’s dive into what’s new this month.

In this blog, we’ll cover:

  • Enhancements for the CA Optimization Agent. Support for phased rollout of policy suggestions, 300% capacity growth, more controls, and richer exports.
  • Expanded support for Microsoft Security Copilot in Entra across Privileged Identity Management (PIM), Conditional Access (CA), and Microsoft Entra ID Devices.
  • Contextual prompt suggestions in the Microsoft Entra Admin Center, offering one-click, high-value prompts that surface dynamically on the pages where you need them most.

Enhancements to the Conditional Access Optimization Agent

The CA Optimization Agent helps to strengthen your Zero Trust security posture by identifying and closing gaps in CA policy coverage. Based on customer feedback, we’ve added new capabilities to make the agent more flexible, transparent, and scalable.

Phased Rollout for New Policy Suggestions: Rolling out CA policies can be challenging: one wrong move can lock out users, flood support channels, and disrupt productivity. To make it safer and easier, we’ve added Phased Rollout to the CA Optimization Agent. Now in public preview, it lets you gradually deploy agent-suggested policies through a five-phase rollout plan that starts with small, low-risk groups and expands to broader populations. Built-in safeguards automatically pause the rollout if unexpected user impact occurs, giving you confidence every step of the way. You can customize the plan to fit your organization’s needs, including editing each phase and timeline before starting, and track progress and impact as policies expand. Phased Rollout is available to tenants with a Microsoft Entra ID P1 license and Security Copilot SCUs. Try it today and let us know what you think. To learn more about phased rollout, see: Conditional Access optimization agent phased rollout - Microsoft Entra ID | Microsoft Learn

Expanded scale for large environments: The agent can now analyze up to 150 applications and 300 users in a single run – up from 100 apps and 150 users previously. That’s a 300% capacity increase since our first announcement of the agent at RSA earlier this year, enabling the agent to protect even the largest, most dynamic Microsoft Entra environments. The agent flags missing baseline policies for all tenants, but this is especially important for customers exceeding that threshold, ensuring gaps are never left unaddressed as new users and applications are added. 

More control over report-only policy creation: The agent can automatically create report-only mode policies when it detects gaps, which is a fast way to delegate setup. For customers with stricter change management needs, you can now turn this off and require admin review before any policy is created. This gives you the ability to:

  • Review and customize proposed policies before they’re created.
  • Align policy deployment with internal change control or regulatory requirements.

Downloadable JSON of recommendation details: When the agent recommends adding specific users or apps to a policy, you can now export the full list in JSON format. This enables:

  • Easy sharing with teammates for review.
  • Integration into scripts, automation workflows, or governance tools for approval tracking.

Expanded support for Microsoft Security Copilot in Entra

Investigate and monitor privileged access: Microsoft Security Copilot in Entra now supports Privileged Identity Management (PIM) scenarios, making it faster and easier to investigate and monitor privileged access with the power of AI directly in the Microsoft Entra admin center. With PIM signals, Security Copilot in Entra cuts investigation time dramatically, delivering clear insights on role assignments and access eligibility in seconds. Whether you need to see all eligible and active roles assigned to a user, or all users assigned to a specific role, you can get the answer instantly. These insights help you:

  • Ensure least privileged access by identifying over-privileged accounts before they become a risk.
  • Monitor role activation and eligibility at scale, without manually sifting through logs.
  • Respond quickly to potential access risks, whether triggered by an urgent investigation, a compliance audit, or a suspicious sign-in. 

Using this feature requires at least one of the following roles: Security Administrator, Global Reader, or Security Reader. You’ll also need Microsoft Security Copilot (Security Compute Units [SCUs]), Microsoft Entra ID P2 license, and a tenant with PIM already configured.

Here are some great prompts you can use right away to speed up investigations and answer common privileged access questions in seconds, without navigating through multiple dashboards or writing complex queries:

  • How many admins are currently using an activated assignment using PIM?
  • Which PIM roles are currently assigned to user {username}?
  • Which PIM eligible roles are assigned to user {username}?
  • Who has PIM eligible assignment of a specific role {role name}?
  • Who has PIM active assignment of a specific role {role name}?

Evaluating and optimizing Conditional Access policies: You can now ask natural-language questions against Conditional Access—such as which policies apply to a specific user, or which policies require certain controls—and get clear, actionable insights in seconds. You can quickly view the policies that matter most, identify coverage gaps, and make informed adjustments that strengthen your security posture.

Using this feature requires at least one of the following roles: Security Administrator, Global Reader, or Security Reader. You’ll also need Microsoft Security Copilot (Security Compute Units [SCUs]), a Microsoft Entra ID P1 license and a tenant with Conditional Access policies already configured.

Example prompts:

  • List active MFA Conditional Access policies in my tenant.
  • Which MFA policies are enforced in my tenant?
  • Which Conditional Access policies are enabled in my tenant?
  • Which CA policies are not enabled in my tenant?
  • Which Conditional Access policies in my tenant exclude trusted locations?

Investigate and monitor devices with Security Copilot in Entra: Microsoft Security Copilot in Entra now lets you investigate devices using natural language queries, enabling quick access to device IDs, compliance status, operating systems, activity history, and registration details. With this AI-powered experience, it’s easier to keep your device inventory accurate, ensure compliance, and quickly identify devices that may pose a risk to your environment. This feature is available with a free Microsoft Entra ID license and can be used by any user in any tenant, as long as Microsoft Security Copilot SCUs are provisioned on the tenant.

Example prompts: 

  • Show me all compliant devices / Show me all non-compliant devices
  • List all devices that are Entra ID registered / Entra ID joined / Entra ID hybrid joined
  • Show me when device {ID} was last active
  • List the devices with a specific {operating system name}
  • Show me how many devices are running Windows (8, 10, 11)

Contextual prompt suggestions in the Microsoft Entra admin center

Contextual prompt suggestions for Security Copilot in Microsoft Entra put high-value, pre-defined prompts right where you need them—at the top of Microsoft Entra admin center blades that support Security Copilot. These curated prompts remove the guesswork from getting started and show you exactly where Copilot can have the greatest impact.

 

Figure: Contextual prompt suggestions in Microsoft Entra admin center.

If you have a Microsoft Security Copilot license, these prompts appear automatically in applicable blades. With one click, you can launch queries, saving time and avoiding trial-and-error. These prompts help you:

  • Lower the learning curve – Newer users can start strong without needing deep query knowledge.
  • Drive consistent investigations – Teams can run the same vetted prompts for repeatable, reliable results.
  • Accelerate decision-making – Get to relevant insights faster, with no detours.
  • Evolve with your needs – Prompts are updated over time to reflect the latest threat trends and admin priorities.

When you open an enabled blade, look for the suggestions at the top. Select a prompt to run it instantly and see actionable results in seconds—so you can move from question to answer without slowing down your work.
-Rahul Prakash


 

Additional resources

Learn more about Microsoft Entra

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.

Updated Aug 28, 2025
Version 1.0