NEW Conditional Access Optimization Agent in Microsoft Entra + Security Copilot in Entra updates
Instead of switching between logs, PowerShell, and spreadsheets, Security Copilot centralizes insights for faster, more focused action. Resolve compromised accounts, uncover ownerless or high-risk apps, and tighten policy coverage with clear insights, actionable recommendations, and auto-generated policies. Strengthen security posture and reclaim time with a smarter, more efficient approach powered by Security Copilot. Diana Vicezar, Microsoft Entra Product Manager, shares how to streamline investigations and policy management using AI-driven insights and automation. Skip the scripting. Ask questions in plain language and get back policy and risk insights in seconds. Microsoft Entra now has built-in AI with Security Copilot. Stay ahead of threats. Use AI to track auth changes, elevated roles, and risky signals with Security Copilot in Entra. Start here. Improve your security posture. Receive personalized recommendations of policies and configurations to make using Microsoft Security Copilot in Microsoft Entra. Take a look. QUICK LINKS: 00:00 — Microsoft Entra with Security Copilot 01:26 — Conditional Access Optimization Agent 03:35 — Investigate risky users 05:49 — Investigate risky apps 07:34 — Personalized security posture recommendations 08:20 — Wrap up Link References Check out https://aka.ms/SecurityCopilotAgentsinMicrosoftEntra Unfamiliar with Microsoft Mechanics? As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft. Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries Talk with other IT Pros, join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog Watch or listen from anywhere, subscribe to our podcast: https://microsoftmechanics.libsyn.com/podcast Keep getting this insider knowledge, join us on social: Follow us on Twitter: https://twitter.com/MSFTMechanics Share knowledge on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/ Enjoy us on Instagram: https://www.instagram.com/msftmechanics/ Loosen up with us on TikTok: https://www.tiktok.com/@msftmechanics Video Transcript: -Microsoft Entra has built-in AI with Security Copilot. In fact, if you are new to the experience or haven’t looked at it in a while, you’ll find that it is continuously being fine-tuned with skills to accelerate your daily troubleshooting and risk assessments, which means whether you’re a seasoned admin or just getting started, you don’t need deep expertise in filtering, PowerShell, or Graph API. You can just use natural language and have Security Copilot surface the information for you. Additionally, new specialized agents like the one for Conditional Access Optimization work with you to continuously look for misaligned policies along with gaps in coverage that could be putting your organization at risk. -Today, I’ll walk through examples of just how powerful Security Copilot in Microsoft Entra can be, starting with a pretty common challenge, policy coverage and conflicts, where right now, you might try to work through these issues by using filters to identify new users in the Entra audit logs or by using PowerShell with the Microsoft Graph module, then perhaps, you might export log outputs into a spreadsheet for manual analysis, and repeat the same process to identify new Enterprise apps, all with the goal of identifying coverage or gaps in policies. It’s a manual effort that can take hours from your day. And that’s where the Conditional Access Optimization Agent comes in. It can be accessed and enabled from the agents page in the Microsoft Entra admin center. From there, the Conditional Access agent works alongside you, proactively surfacing issues and suggestions like gaps in protection, users, or apps that should be added to an existing policy and policy overlaps. And you can track the status of agent suggestions as you work through them. -Clicking into a suggestion gives you the details. For this one about adding users, the agent has listed userIDs for the new users. And I can review the user impact of the suggested policy before I apply the changes. You can also dive into the agent’s activity to explore its path of analysis and the reasoning behind each suggestion to validate its logic, making sure its behaving in the way you want it to. Then moving back to the policy details, before you apply any changes, you can review the summary of changes and even the detailed JSON view if you want a deeper look, down to the individual configuration options for the policy. And at the tenant level, if you need to fine-tune the agent’s behavior, you can do so in the agent Settings tab using Custom Instructions. -For example, you can instruct the agent to make exceptions like excluding break-glass admin accounts, which the agent will take into account on its next run. And beyond just giving you suggestions and recommendations, the agent can go a step further and create a fully configured policy if no existing equivalent policy is found. By default, these are report-only policies. And from here, you can even turn it on to enable the policy directly. And from Edit, you can review the policy details. The Conditional Access Optimization Agent is great for consistently tracking your policy coverage as users, apps, and access policies evolve over time. Additionally, the specialized Microsoft Entra skills in Security Copilot will also help save you time and even help you add to your existing expertise. -For example, let me show you how Security Copilot helps automate the manual steps when investigating and fixing a known compromised user account. Typically, you would need to use sign-in logs to isolate what they are trying to access or audit the actions that they have taken with visibility into their sign-in events as well as any group memberships giving them access to resources or examine any current or recently elevated role assignments, which could increase the severity of the compromise. Already I’m jumping between tabs, and it’s time-consuming to collect all of that information to see why they’re showing up as risky. Security Copilot on the other hand can pull everything together in a fraction of the time. In this case, I know that a user, Michael, has had an account compromise. -So, I’ll ask Copilot if his account was recently flagged as risky, which even if he is low risk now, could be a sign of a persistence attack, where his account is compromised and the attacker is waiting for the right timing. The response from Copilot shows me that he is high risk with an at-risk state that started on May 19th. So, I’ll ask for the risk details for his account. Copilot spots an attempted Primary Refresh Token or PRT access. Threat Intelligence has flagged his account. There are sign-in attempts from a known malicious IP address and an anonymized IP address. So, the account was definitely compromised. I’ll ask Copilot if Michael’s authentication methods have changed. And it looks like he added a new phone on May 15th, then updated details again on the 19th. Finally, I’ll ask about Michael’s account type and whether he has privileged roles assigned. And it looks like he has Cloud Device and Device Join admin permissions. This would let him easily register and modify other managed devices, for example, to have them send file contents or sign-in tokens to other cloud storage locations. So very quickly, I was able to get the visibility I needed to decide what to do next. - Now let’s move from risky user accounts to risky apps, which can present a vulnerability. Normally, you’d spend a long time digging through app lists just to isolate which apps are even worth worrying about, trying to understand the overall risk to determine what apps are created by my organization or maybe a 3rd party that might require more scrutiny. Who owns the app, or does it no longer have an owner? What protocols are the apps using? And are they risky? And which applications are stale or unused that you may want to purge from the list. Investigations like this can take hours. Let’s use Copilot for this instead. I’ll start by asking it to list some external apps that are not owned by my tenant with verified publisher details for each app. And it pulls together a list of seven apps with additional details like the app name, App ID, and Verified Publisher, so I’m not wasting time on low-risk noise. That said, sometimes it’s the apps owned by at-risk users that can be the real problem. -So, I want to ask Copilot, do the risky users in my tenant own any applications? And it finds an app that is owned by a high-risk user. Another potential problem that presents a hidden risk are apps and service principals in your environment that are currently ownerless. I’ll ask Copilot, what proportion of apps and service principals are ownerless? And Copilot tells me that more than half or 55% of my apps are ownerless and 92% of our service principals are also ownerless. And beyond finding and pointing out problems with my policies and settings, Copilot can even give me detailed recommendations to improve identity posture. -In this case, I’ll ask, give me recommendations to improve the security posture of at-risk apps in my tenant. Show this as a bulleted list with impacted resources as applications. And Copilot gives me seven actionable recommendations of policies and configurations to make, including the removal of the unused service principals that I presented earlier, as well as outdated authentication protocols and more. So, with just a few simple prompts, I have achieved something that otherwise might have taken hours in just a few minutes. -As you’ve seen, Security Copilot in Microsoft Entra simplifies troubleshooting and risk assessments, with specialized skills and agents. And while I showed you the Conditional Access Optimization agent today, there are more on the way. To learn more, check out aka.ms/SecurityCopilotAgentsinMicrosoftEntra. Keep checking back to Microsoft Mechanics for the latest updates and thanks for watching.Fix Identity Sprawl + Optimize Microsoft Entra
Enforce MFA, block legacy authentication, and apply risk-based Conditional Access policies to reduce exposure from stale accounts and weak authentication methods. Use built-in tools for user, group, and device administration to detect and clean up identity sprawl — like unused credentials, inactive accounts, and expired apps — before they become vulnerabilities. Jeremy Chapman, Microsoft 365 Director, shares steps to clean up your directory, strengthen authentication, and improve overall identity security. Prioritize top risks. Take action across MFA, risk policies, and stale objects with Microsoft Entra recommendations. Start here. Block over 99% of identity attacks. Enforce MFA for admins and users in Microsoft Entra. Detect and delete stale user accounts. See how to fix account sprawl, and get started with Microsoft Entra. QUICK LINKS: 00:00 — Microsoft Entra optimization 00:54 — New Recommendations tab 02:11 — Enforce multifactor authentication 03:21 — Block legacy authentication protocols 03:58 — Apply risk-based Conditional Access 04:44 — Identity sprawl 05:46 — Fix account sprawl 08:06 — Microsoft 365 group sprawl 09:36 — Devices 10:33 — Wrap up Link References Watch part one of our Microsoft Entra Beginner’s Tutorial series at https://aka.ms/EntraBeginnerMechanics Check out https://aka.ms/MicrosoftEntraRecommendations Unfamiliar with Microsoft Mechanics? As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft. Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries Talk with other IT Pros, join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog Watch or listen from anywhere, subscribe to our podcast: https://microsoftmechanics.libsyn.com/podcast Keep getting this insider knowledge, join us on social: Follow us on Twitter: https://twitter.com/MSFTMechanics Share knowledge on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/ Enjoy us on Instagram: https://www.instagram.com/msftmechanics/ Loosen up with us on TikTok: https://www.tiktok.com/@msftmechanics Video Transcript: -If you’re managing identities using Microsoft Entra, which includes any Microsoft Cloud service, today, I’ll show you how you can fix identity sprawl, where you probably have stale accounts, groups, and devices in your directory, and improve your identity posture with stronger authentication and more. Now, these are identity management challenges that left unaddressed will introduce security vulnerabilities, but there are ways to get them under control. -So, using recommendations tailored specifically to your company to help you better secure and optimize your running environment, along with techniques to locate identity sprawl with users, groups, and devices, then delete stale objects in your directory. This is part two in our Microsoft Entra Beginner’s Tutorial series, and I’ll link you here to part one if you missed that at aka.ms/EntraBeginnerMechanics. Now, I’ll start in the Microsoft Entra admin center under Identity and the main Overview page. The new Recommendations tab gives you a super set of security and best practice-based recommendations that go beyond what’s available from Secure Score to increase your identity posture. -In fact, if you look at the recommendations here, anything in the Secure Score column marked N/A are items based on best practices. And the list that you’re seeing here is based on what applies to this specific Microsoft Entra tenant, so your list, it might look a little different. For each recommendation, you can also see the licensing requirements to implement that recommendation. As I scroll down, you’ll see that the top recommendations with high priorities require multifactor authentication, or MFA, for administrative roles at 10 Secure Score points. -Then ensure all users can complete multifactor authentication at 9 Secure Score points. And for any of these recommendations, like this one here for administrators, you can just click in to get more details and even find the accounts that are not meeting that requirement, even if you’ve scoped an all users policy and have that in place. And by the way, even Break Glass admin accounts should use MFA with FIDO2 or certificate-based authentication as a second factor. Requiring multifactor authentication is the most important control that you can enforce as an identity admin. It can block over 99% of identity-based attacks and can also solve for many of the other common issues that I mentioned before, like stale accounts, because those are most often breached because they use basic passwords. Multifactor authentication policies are set using Conditional Access policies, where it’s recommended that you assign the policy to all users and also target all resources, formerly all cloud apps. -You can also access controls for grant and then specify specific access requirements. And if you ever wondered the difference between Require MFA and require authentication strength, well, Require MFA is more of a catch-all that works with two or more authentication methods at any strength level. Whereas require authentication strength lets you narrow down which combinations of authentication methods are allowed. For example, choosing phishing-resistant authentication as an authentication strength means that SMS text messages and passwords would not be allowed as factors, because both of those could be phished by a third party. -The next highest recommendations are related to this as well. Under high priority and at 8 Secure Score points, there is a recommendation to block legacy authentication protocols like IMAP, SMTP, and POP3. Now these are related to MFA, because all of these protocols, which are used by legacy apps, do not support MFA and Conditional Access controls. Now, here’s why this is important. If an attacker can access a legacy app using those protocols with basic password authentication, they may still be able to access protected resources, then move laterally once they’ve gained access. Then, rounding out the list of high priority recommendations are the enforcement of risk-based Conditional Access policies. -Now, these risk types might indicate that a user account has been compromised or that the user is either intentionally or unintentionally doing something that they shouldn’t be doing. And all of these recommendations are easy to implement with corresponding Conditional Access policies, where you’ll target each as a condition and pair that with a risk-based control to either block access outright or grant access with additional requirements that need to be met. Next, you’ll find a few recommendations to renew expiring application credentials. And finally, a few remove recommendations, like remove unused credentials from applications and also Remove unused applications themselves. -This leads us to identity sprawl, including unused or stale accounts, non-human accounts, and inactive registered devices. Enforcing MFA and disabling legacy authentication can mitigate much of the risk, though some of the accounts might still fall outside of MFA policies. Often, these users move on or their accounts are seasonal. They leave your company and their accounts then become stale. So, what’s the risk? The problem is that most people reuse their passwords or will just modify them slightly with known patterns like adding numbers or symbols at the end of it. And if the account in Microsoft Entra is password-only and another account of theirs is compromised by an attacker to steal their password, all the attacker needs to do then is look up the user’s profile on LinkedIn, for example, to see where they’ve last worked, guess their email address, sign into their previous employer domain using the stolen password with variations to access their stale user account, and they’re in. -Fortunately, there are ways to fix account sprawl. I’ll show you how you can do this in the admin center, but you can also automate this using PowerShell with the Microsoft Graph Module. From all users, you can see that I have 2007 users right now. Now, remember that number because we’ll come back to it. -Next, using the manage view control, I’ve added a column to my view with last interactive sign-in time so I can see how long it’s been since each account has signed in. From there, I can create a filter using that property with an operator here of less than or equal to, and I’ll go ahead and choose a time, I’ll go back about eight months ago, and then I’ll apply the filter. That narrowed my list down to 27 accounts, so now I’ll hit download users to export a CSV file with their details, which is an Excel file that starts out looking like this. Now, to save time, you’ll see that I’ve removed user principal names that I don’t want to delete. In my case, that was the meeting room accounts only. And for this to work, I needed to delete all other columns and to add a version number using this format here with the colon. In the second field, I use this exact string. User, space, name, space, userPrincipalName in square brackets. Then under that, I have my chosen UPNs listed that I want to delete. -Now, moving back to the admin center, once I have that final list of items that I want to delete, I’ll use Bulk operations and select Bulk delete. And then for the sale accounts, all I need to do is upload my CSV file that we just saw. There it is. Now I need to type yes here, and then confirm and submit. And that takes a moment to run. And you’ll see that it succeeded. Now, when I refresh the list, you’ll see that only my meeting rooms are still here. The blank lines are actually deleted. Because they matched my filter, they’re still there. And if I remove the filter, you’ll see that my user count is now 1985 or 22 fewer than before. And just in case you accidentally delete a user that you didn’t want to delete, from the deleted users, you can actually recover those accounts for up to 30 days. -So, next, let’s move on to Microsoft 365 group sprawl. These groups are typically created by users so they can quickly sprawl and pose a similar risk, especially when users with basic password auth might have persistent access to the resources from that group, or if those groups have standing access for external user accounts. Here, to help control sprawl, you can set up group lifetime policies for a number of days. By default, there are options for 180, 365, and custom. I’ll choose 180. In this case, the group owners are sent an email notification at 30 days, 15 days, and one day prior to group expiration, where they can choose to renew the impacted groups or just let them go. Now, if left unrenewed, those groups will be deleted along with associated content in Outlook, SharePoint, Teams and Power BI. In this field, you’ll add an email address for groups with no owners. -And finally, you’ll choose which Microsoft 365 groups to enable for these automatic expiration controls, either all groups or using the selected option, you’ll then be able to choose exactly each of the groups that you want to have added to this policy, or you can choose none, which will effectively disable the policy. So, in my case, I’ll keep all and then I’ll hit save. Like user accounts, groups have 30 days of grace prior to permanent deletion, and you or the group owner can restore them. -We’ve covered two main areas of identity sprawl, and the third common category we’ll cover today is devices. For this, before you just start deleting devices, you’ll need to prevent your users or yourself even from getting locked out. This is because Microsoft Entra-joined physical Windows devices are often the ones that you own and manage. Their associated BitLocker keys used to encrypt and unencrypt the local drives are stored in Microsoft Entra and accessible through their device properties, which acts as an insurance policy in case, for whatever reason, you get locked out. Likewise, local administrator passwords can be maintained here, too. So, for Windows devices, unless you’re sure, don’t delete them. Otherwise, deleting Windows devices or other registered device platforms follows roughly the same process that I showed for users and groups with one important exception. Deletion in this case is permanent. There’s not a recycle bin or 30 days grace to undelete those devices. -Implementing the tips that I’ve shown today will help improve your identity posture, and help contain identity sprawl. Now, the latter helps keep your users, groups, and devices more manageable and reduces risk associated with stale objects in your directory. To learn more, check out aka.ms/microsoftEntraRecommendations. And be sure to subscribe to Microsoft Mechanics for latest updates and thanks so much for watching.
