Microsoft Security Copilot Blog

What’s new in Microsoft Security Copilot

Lizzie_Heinze
Aug 11, 2025

Security and IT teams move fast - and so does Security Copilot. This month, we’re delivering powerful new capabilities that help security and IT professionals investigate threats, manage identities, and automate protection with greater speed and precision. From AI-powered triage and policy optimization to smarter data exploration and expanded language support, these updates are designed to help you stay ahead of threats, reduce manual effort, and unlock new levels of efficiency.

Let’s dive into what’s new.

 

Improve IT efficiency with Copilot in Microsoft Intune – now generally available

IT admins can now use Security Copilot in Intune, which includes a dedicated data exploration experience that lets them ask questions, extract insights, and take action - all from within the Intune admin center. Whether it’s identifying non-compliant devices, managing updates, or automating remediation, Copilot simplifies complex workflows and brings data and actions together in one place.
Learn more: Copilot in Microsoft Intune announcement

 

Streamline identity security with Copilot in Microsoft Entra – now generally available

Security Copilot in Microsoft Entra now brings AI-assisted investigation and identity management directly into the Entra admin center. Admins can ask natural language questions to troubleshoot sign-ins, review access, monitor tenant health, and analyze role assignments - without writing queries or switching tools. With expanded coverage and improved performance, Copilot helps teams move faster, close gaps, and stay ahead of threats.
Learn more: Copilot in Microsoft Entra announcement

 

Close gaps quickly with the Conditional Access Optimization Agent – now generally available

The Conditional Access Optimization Agent in Microsoft Entra brings AI-powered automation to identity workflows. The agent runs autonomously to detect gaps, overlaps, and outdated policy assignments - then recommends precise, one-click remediations to close them fast.

Key benefits include:

  • Autonomous protection: Automatically identifies users and apps not covered by policies
  • Explainable decisions: Plain-language summaries and visual activity maps
  • Custom adaptability: Learns from natural-language feedback and supports business rules
  • Full auditability: All actions logged for compliance and transparency

As one security leader put it:

“The Conditional Access Optimization Agent is like having a security analyst on call 24/7. It proactively identifies gaps in our Conditional Access policies and ensures every user is protected from day one... It’s a secure path to innovation that every chief information security officer can trust.”
Julian Rasmussen, Senior Consultant and Partner, Point Taken, Microsoft MVP
Learn more: Conditional Access Optimization Agent in Microsoft Entra GA announcement

 

Investigate phishing alerts faster with the new Phishing Triage Agent in Microsoft Defender

The Phishing Triage Agent in Microsoft Defender is now in public preview, bringing autonomous, AI-powered threat detection to your SOC workflows. Powered by large language models, the agent performs deep semantic analysis of emails, URLs, and files to determine whether a submission is a phishing threat or a false alarm - without relying on static rules.

It learns from analyst feedback, adapts to your organization’s patterns, and provides clear, natural language explanations for every verdict. A visual decision map shows exactly how the agent reached its conclusion, making the process fully transparent and reviewable.

Learn more: Announcing public preview Phishing Triage Agent in Microsoft Defender

 

The Threat Intelligence Briefing Agent is now in Public Preview: Build organization-specific briefings in just minutes

The Threat Intelligence Briefing Agent has entered public preview in the Security Copilot standalone experience, transforming how security teams stay ahead of emerging threats. With this powerful agent, creating highly relevant, organization-specific threat intelligence briefings now takes minutes rather than hours or days, empowering teams to act with speed and confidence. Through real-time dynamic reasoning, the agent surfaces the most relevant threat intelligence based on attributes such as the organization's industry, geographic location, and unique attack surface to deliver critical context and invaluable situational awareness.

Learn more: aka.ms/ti-briefing-agent

 

Streamline operations with workspace-level management

Security Copilot now supports workspaces, giving organizations a flexible way to segment environments by team, region, or business unit. With workspaces now in public preview, admins can align access, data boundaries, and SCU capacity with operational and compliance needs. Each workspace supports role-based access control, localized prompt history, and independent capacity planning – making it easier to manage complex, distributed security and IT operations.

As part of this model, workspace-level plugin management is now generally available, allowing admins to configure plugin settings at the workspace or organization level. This eliminates the need for per-user setup and improves efficiency across large environments.

Learn more: New tools for Security Copilot management and capacity planning

 

Plan smarter with the new Security Copilot Capacity Calculator

The Security Copilot Capacity Calculator is now available in the standalone experience (Azure account required), helping teams estimate how many SCUs they may need.
Security Copilot supports:

  • Provisioned SCUs for predictable workloads
  • Overage SCUs to scale with variable workloads

Teams can estimate initial capacity using the capacity calculator, monitor usage in the in-product usage dashboard, and adjust their SCU allocation as needed. Learn more about Security Copilot pricing here.

Learn more: New tools for Security Copilot management and capacity planning

 

Automate Entra workflows with embedded NL2API skill

Security Copilot can now reason over Microsoft Graph APIs to answer complex, multi-stage questions across Entra resources. This embedded experience in Entra, powered by the NL2API skill, is now generally available - bringing advanced automation and intelligence directly into your Entra workflows.

 

Get faster suggestions with dynamic suggested prompts for Entra skills

Dynamic suggested prompts are now generally available for Entra skills, offering faster and more deterministic follow-up suggestions using direct skill invocation - bypassing the orchestrator for improved performance.

 

Meet compliance needs with FedRAMP High authorization for Security Copilot

Security Copilot is now included within the Federal Risk and Authorization Management Program (FedRAMP) High Authorization for Azure Commercial. This Provisional Authorization to Operate (P-ATO) within the existing FedRAMP High Azure Commercial environment was approved by the FedRAMP Joint Authorization Board (JAB). This milestone marks a significant step forward in our mission to bring Microsoft Security Copilot’s cutting-edge AI-powered security capabilities to our Government Community Cloud (GCC) customers. Stay tuned for updates on when Security Copilot will be fully available for GCC customers.

 

Expand global reach with Korean language and Swiss data residency

Security Copilot now supports Korean in both standalone and embedded experiences. For a full list of supported languages, visit Supported languages in Microsoft Security Copilot.

Additionally, customers in Switzerland can now benefit from Swiss region data residency, ensuring Security Copilot data is stored within Swiss boundaries to meet local compliance requirements.

Learn more: Availability and recovery of Security Copilot

 

Improve accuracy and scale with GPT-4.1 and large output support

We’ve upgraded Security Copilot to support GPT-4.1 across all experiences at the evaluation level, offering larger context windows, improved interactions, and up to 50% accuracy improvements in some scenarios.

Also now generally available is large output support, which removes the previous 2MB limit for data used in LLMs – giving teams more flexibility when working with large datasets.

 

Audit agent changes with Purview UAL integration

Agent administration auditing is now generally available in Microsoft Purview Unified Audit Log, allowing teams to trace agent creation, updates, and deletions with detailed metadata for improved visibility and compliance.

Learn more: Access the Security Copilot audit log

 

Stay tuned and explore more!

Security Copilot is transforming how security and IT teams operate – bringing AI-powered insights, automation, and decision support into everyday workflows. With new capabilities landing every month, the pace of innovation is accelerating.

We’ll be back in September with more updates. Until then, explore these resources to get hands-on, deepen your understanding, and see what’s possible:

 

Don’t miss the Microsoft Secure digital event on September 30th - we’ll be announcing exciting new capabilities for Security Copilot and sharing what’s next in AI-powered security. Register now to be the first to hear the announcements and see what’s coming.
