security copilot

Microsoft Security Copilot agents
Automate phishing triage, prioritize alerts, streamline access reviews, and close policy gaps while keeping full control through natural language feedback and recommendations. Reduce repetitive work, cut through alert noise, and focus on the most critical risks facing your organization. Stay ahead of vulnerabilities and evolving threats by proactively identifying at-risk devices, deploying patches, and optimizing access policies as your environment changes. Build custom agents tailored to your workflows, connecting tools and data to automate your most time-consuming security tasks.

Dilip Radhakrishnan, Microsoft Security Copilot Partner Director, shares how to keep your organization protected with Security Copilot agents.

Spend less time chasing false alarms. Spend more time stopping real threats. See how Microsoft Security Copilot’s Phishing Triage Agent works.

Simplify access reviews. Allow users to approve or revoke permissions in Microsoft Teams with natural language. See how with the Access Review Agent.

No gaps, no guesswork. Spot misaligned users & apps, fix with one click. See how the Conditional Access Optimization Agent keeps organizations secure.

QUICK LINKS:
00:00 — Security Copilot agents
01:02 — Phishing Triage Agent
02:17 — Alert Triage Agents
03:24 — Access governance
04:41 — Conditional Access Optimization Agent
05:57 — Vulnerability Remediation Agent
06:57 — Build your own specialized agents
07:54 — Wrap up

Link References
Get started at https://aka.ms/securitycopilotadoptionhub

Unfamiliar with Microsoft Mechanics? As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.
Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries
Talk with other IT Pros, join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog
Watch or listen from anywhere, subscribe to our podcast: https://microsoftmechanics.libsyn.com/podcast
Keep getting this insider knowledge, join us on social:
Follow us on Twitter: https://twitter.com/MSFTMechanics
Share knowledge on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/
Enjoy us on Instagram: https://www.instagram.com/msftmechanics/
Loosen up with us on TikTok: https://www.tiktok.com/@msftmechanics

Video Transcript:

-What if your security tools could think like your best analysts and could augment your team’s skills and capacity to triage alerts faster, respond more effectively, and manage more incidents? That’s what Microsoft Security Copilot enables you to do, where we have both pre-built autonomous agents embedded across Microsoft’s security stack, along with verified agents developed by our security partners, which you can access from a brand new security store. And of course, you now have the option to build your own agents too. Microsoft Security Copilot agents work alongside you to help reduce manual work and accelerate your response times.

-And you can secure these agents using a unique agent identity with its own permissions. Importantly, the agents learn from your instructions and feedback, keeping you and your team in control. And they offer proven productivity benefits with reporting available to visualize the impact of each agent, like time savings to reduce alert triage times and more. So let’s start by making this real with some of the prebuilt autonomous agents embedded across the Microsoft security stack.
-I’ll start with the Phishing Triage Agent in the Microsoft Defender portal, designed to tackle one of the most difficult and evolving challenges for security analysts, where phishing emails are reported by users every day, but many of those reports come from cautious employees flagging safe messages as threats. These false alarms drain time and distract from real attacks. To solve for this, the Phishing Triage Agent autonomously reviews each alert, applies advanced reasoning and built-in security expertise, and precisely distinguishes true threats from harmless bulk or spam. You can trust the results because of the built-in feedback loop that helps you to tune agent outputs. As an analyst, you can provide feedback in natural language like, “this email is harmless,” and the agent will then adapt, making future triage more tuned to your organization. The agent also provides a natural language explanation and visual workflow mapping the steps behind its assessment. With every interaction, the agent gets smarter, removing the alert noise so you can focus on real phishing threats and hardening your defenses.

-Next, let’s look at the Alert Triage Agents in Microsoft Purview, specifically for Data Loss Prevention and Insider Risk Management. Each day your team might receive dozens of alerts, and often you might only be able to address a fraction of them due to time constraints. Prioritizing which alerts to tackle first can also be a challenge, because the importance of an alert may not be clear on the surface.

-That’s where Alert Triage Agents work to analyze alerts based on the priorities you give them. This can range from user behavior, content sensitivity, activity context or other parameters in order to identify which alerts pose the greatest risk. And you can also fine-tune the agent’s triage criteria using natural language.
For example, you might specify, “Prioritize alerts involving finance documents accessed outside business hours.” Each alert is also accompanied by a detailed explanation of why it was prioritized to help you make data-driven decisions quickly. By mirroring how an analyst on your team would evaluate risk, these Alert Triage Agents help you focus on the alerts that matter most. So we’ve seen how agents help cut through noise, identifying real phishing threats and prioritizing risky alerts.

-That same intelligence also powers access governance in Microsoft Entra. Access reviews are critical to reducing risk, but they’re often delayed, too difficult to navigate, or approved in bulk with little scrutiny. This leads to over-permissioned users and missed compliance requirements. The Access Review Agent instead brings reviews directly into Microsoft Teams, giving business users clear guidance to complete them accurately and on time. In the background, the agent analyzes user data, summarizes context and provides informed recommendations based on signals like past decisions, role changes and sign-in activity. Reviewers can validate or override any recommendation with natural language input, ensuring accuracy and flexibility.

-Admins can also configure which reviews the agent supports, such as recurring reviews for critical apps, privileged groups or compliance-bound access packages. Each review concludes with a clear summary of actions and explanations. By streamlining decisions and prioritizing risk, the Access Review Agent helps you complete reviews faster with more accuracy and less overhead.

-Now let’s switch gears to discovering gaps in your security posture with the Conditional Access Optimization Agent in Microsoft Entra. We’ve all faced this. As your directory grows, new users, contractors and apps are added constantly. Stale or unused accounts with access to your resources could be leveraged by attackers.
Or maybe an entity wasn’t added to the right groups used for policy scoping, leaving a gap in protection.

-Keeping conditional access policies aligned with these changes isn’t easy. And that’s where the Conditional Access Optimization Agent helps, by continuously scanning for new users and applications or changing attributes, then checking their alignment with existing conditional access policies. As it uncovers risks, it flags them automatically, for example, users without MFA or apps with excessive permissions. It then provides actionable recommendations that you can often apply with a single click, streamlining policy updates and reducing manual work. And now you can chat with the agent and you can more gradually roll out its recommendations over time. The agent helps ensure that your access policies evolve with your environment to close gaps before they become liabilities.

-Next, you can bring together the worlds of trending threat intelligence with endpoint management using the Vulnerability Remediation Agent in Microsoft Intune to stay ahead of emerging threats. There might be trending OS or app-related vulnerabilities that could impact your managed devices, and it’s difficult to map which specific devices are at risk. That’s where the Vulnerability Remediation Agent comes in. This agent continuously monitors known vulnerabilities and reevaluates them as new threats emerge. It assesses the impact of each vulnerability to prioritize which endpoints are at risk and need attention. For each CVE, the agent provides clear reasoning for urgency and suggests appropriate fixes that you can deploy. Its recommendations are designed to be effective and minimize disruption. This agent transforms vulnerability management from a reactive process into a repeatable and proactive approach, helping you to deploy patches faster and smarter.

-Next, let me show you how easy it is to build your own specialized agents.
This is an early look at the Security Copilot agent builder experience. Here, you can use natural language with Security Copilot to author an agent. From there, you have an option to edit or customize the agent further, where, in addition to your instructions from chat, you can refine and add inputs with the context needed to execute your tasks.

-You can also add more tools to your agent for additional functionality, where you can connect to MCP servers and access the tools within them. And if you’re an advanced developer, you can use your preferred tools like Visual Studio Code or others. Once complete and published, your in-house developed agents will be available alongside other Security Copilot agents, and you can activate them to run autonomously based on triggers like events or schedules. So you have the complete flexibility to help automate your most time-consuming and important work.

-Microsoft Security Copilot agents help prioritize the most critical risks, help you mitigate them and even offload time-consuming repetitive tasks. To get started, visit aka.ms/securitycopilotadoptionhub and subscribe to Microsoft Mechanics for the latest updates on AI-powered security. Thanks for watching.

NEW Conditional Access Optimization Agent in Microsoft Entra + Security Copilot in Entra updates
Instead of switching between logs, PowerShell, and spreadsheets, Security Copilot centralizes insights for faster, more focused action. Resolve compromised accounts, uncover ownerless or high-risk apps, and tighten policy coverage with clear insights, actionable recommendations, and auto-generated policies. Strengthen security posture and reclaim time with a smarter, more efficient approach powered by Security Copilot.

Diana Vicezar, Microsoft Entra Product Manager, shares how to streamline investigations and policy management using AI-driven insights and automation.

Skip the scripting. Ask questions in plain language and get back policy and risk insights in seconds. Microsoft Entra now has built-in AI with Security Copilot.

Stay ahead of threats. Use AI to track auth changes, elevated roles, and risky signals with Security Copilot in Entra. Start here.

Improve your security posture. Receive personalized recommendations for policies and configurations using Microsoft Security Copilot in Microsoft Entra. Take a look.

QUICK LINKS:
00:00 — Microsoft Entra with Security Copilot
01:26 — Conditional Access Optimization Agent
03:35 — Investigate risky users
05:49 — Investigate risky apps
07:34 — Personalized security posture recommendations
08:20 — Wrap up

Link References
Check out https://aka.ms/SecurityCopilotAgentsinMicrosoftEntra
Video Transcript:

-Microsoft Entra has built-in AI with Security Copilot. In fact, if you are new to the experience or haven’t looked at it in a while, you’ll find that it is continuously being fine-tuned with skills to accelerate your daily troubleshooting and risk assessments, which means whether you’re a seasoned admin or just getting started, you don’t need deep expertise in filtering, PowerShell, or Graph API. You can just use natural language and have Security Copilot surface the information for you. Additionally, new specialized agents like the one for Conditional Access Optimization work with you to continuously look for misaligned policies along with gaps in coverage that could be putting your organization at risk.

-Today, I’ll walk through examples of just how powerful Security Copilot in Microsoft Entra can be, starting with a pretty common challenge, policy coverage and conflicts. Right now, you might try to work through these issues by using filters to identify new users in the Entra audit logs or by using PowerShell with the Microsoft Graph module, then perhaps you might export log outputs into a spreadsheet for manual analysis, and repeat the same process to identify new Enterprise apps, all with the goal of identifying coverage or gaps in policies.
It’s a manual effort that can take hours from your day. And that’s where the Conditional Access Optimization Agent comes in. It can be accessed and enabled from the agents page in the Microsoft Entra admin center. From there, the Conditional Access agent works alongside you, proactively surfacing issues and suggestions like gaps in protection, users or apps that should be added to an existing policy, and policy overlaps. And you can track the status of agent suggestions as you work through them.

-Clicking into a suggestion gives you the details. For this one about adding users, the agent has listed user IDs for the new users. And I can review the user impact of the suggested policy before I apply the changes. You can also dive into the agent’s activity to explore its path of analysis and the reasoning behind each suggestion to validate its logic, making sure it’s behaving in the way you want it to. Then moving back to the policy details, before you apply any changes, you can review the summary of changes and even the detailed JSON view if you want a deeper look, down to the individual configuration options for the policy. And at the tenant level, if you need to fine-tune the agent’s behavior, you can do so in the agent Settings tab using Custom Instructions.

-For example, you can instruct the agent to make exceptions like excluding break-glass admin accounts, which the agent will take into account on its next run. And beyond just giving you suggestions and recommendations, the agent can go a step further and create a fully configured policy if no existing equivalent policy is found. By default, these are report-only policies. And from here, you can even turn it on to enable the policy directly. And from Edit, you can review the policy details. The Conditional Access Optimization Agent is great for consistently tracking your policy coverage as users, apps, and access policies evolve over time.
Additionally, the specialized Microsoft Entra skills in Security Copilot will also help save you time and even help you add to your existing expertise.

-For example, let me show you how Security Copilot helps automate the manual steps when investigating and fixing a known compromised user account. Typically, you would need to use sign-in logs to isolate what they are trying to access, or audit the actions that they have taken with visibility into their sign-in events as well as any group memberships giving them access to resources, or examine any current or recently elevated role assignments, which could increase the severity of the compromise. Already I’m jumping between tabs, and it’s time-consuming to collect all of that information to see why they’re showing up as risky. Security Copilot, on the other hand, can pull everything together in a fraction of the time. In this case, I know that a user, Michael, has had an account compromise.

-So, I’ll ask Copilot if his account was recently flagged as risky, which, even if he is low risk now, could be a sign of a persistence attack, where his account is compromised and the attacker is waiting for the right timing. The response from Copilot shows me that he is high risk with an at-risk state that started on May 19th. So, I’ll ask for the risk details for his account. Copilot spots an attempted Primary Refresh Token or PRT access. Threat Intelligence has flagged his account. There are sign-in attempts from a known malicious IP address and an anonymized IP address. So, the account was definitely compromised. I’ll ask Copilot if Michael’s authentication methods have changed. And it looks like he added a new phone on May 15th, then updated details again on the 19th. Finally, I’ll ask about Michael’s account type and whether he has privileged roles assigned. And it looks like he has Cloud Device and Device Join admin permissions.
This would let him easily register and modify other managed devices, for example, to have them send file contents or sign-in tokens to other cloud storage locations. So very quickly, I was able to get the visibility I needed to decide what to do next.

-Now let’s move from risky user accounts to risky apps, which can present a vulnerability. Normally, you’d spend a long time digging through app lists just to isolate which apps are even worth worrying about, trying to understand the overall risk to determine what apps are created by my organization or maybe a 3rd party that might require more scrutiny. Who owns the app, or does it no longer have an owner? What protocols are the apps using? And are they risky? And which applications are stale or unused that you may want to purge from the list? Investigations like this can take hours. Let’s use Copilot for this instead. I’ll start by asking it to list some external apps that are not owned by my tenant with verified publisher details for each app. And it pulls together a list of seven apps with additional details like the app name, App ID, and Verified Publisher, so I’m not wasting time on low-risk noise. That said, sometimes it’s the apps owned by at-risk users that can be the real problem.

-So, I want to ask Copilot, do the risky users in my tenant own any applications? And it finds an app that is owned by a high-risk user. Another potential problem that presents a hidden risk are apps and service principals in your environment that are currently ownerless. I’ll ask Copilot, what proportion of apps and service principals are ownerless? And Copilot tells me that more than half, or 55%, of my apps are ownerless and 92% of our service principals are also ownerless. And beyond finding and pointing out problems with my policies and settings, Copilot can even give me detailed recommendations to improve identity posture.
-In this case, I’ll ask, give me recommendations to improve the security posture of at-risk apps in my tenant. Show this as a bulleted list with impacted resources as applications. And Copilot gives me seven actionable recommendations of policies and configurations to make, including the removal of the unused service principals that I presented earlier, as well as outdated authentication protocols and more. So, with just a few simple prompts, I have achieved in just a few minutes something that otherwise might have taken hours.

-As you’ve seen, Security Copilot in Microsoft Entra simplifies troubleshooting and risk assessments, with specialized skills and agents. And while I showed you the Conditional Access Optimization agent today, there are more on the way. To learn more, check out aka.ms/SecurityCopilotAgentsinMicrosoftEntra. Keep checking back to Microsoft Mechanics for the latest updates, and thanks for watching.
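The compromised-account walkthrough in the transcript above gathers four signals by hand (risk state, risk detections, authentication-method changes, privileged roles) and treats a newly registered method shortly before the risk start as a persistence indicator. The script below is an added example, not Microsoft's code, that collects the same signals with the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph module is installed, the caller can consent to the listed read-only scopes, and that the directoryAudits API accepts the targetResources filter used in step 3.

```powershell
# Added example (not Microsoft's code): collect the compromise signals from the
# transcript for one account via the Microsoft Graph PowerShell SDK.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [int] $LookbackDays = 30
)

Connect-MgGraph -NoWelcome -Scopes 'User.Read.All', 'IdentityRiskyUser.Read.All',
    'IdentityRiskEvent.Read.All', 'AuditLog.Read.All',
    'UserAuthenticationMethod.Read.All', 'RoleManagement.Read.Directory'

$user  = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName
$since = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString('o')

# 1. Current risk state. A user at low risk now may still have been compromised,
#    so the detections below matter more than the headline level.
$risky = Get-MgRiskyUser -RiskyUserId $user.Id -ErrorAction SilentlyContinue

# 2. Individual risk detections (anonymized/malicious IP, token anomalies, ...).
$detections = Get-MgRiskDetection -All -Filter "userId eq '$($user.Id)'" |
    Sort-Object DetectedDateTime
$riskStart = ($detections | Select-Object -First 1).DetectedDateTime

# 3. Security-info (authentication method) changes from the audit log.
#    Assumption: directoryAudits accepts a targetResources/any(...) filter.
$authChanges = Get-MgAuditLogDirectoryAudit -All -Filter (
        "category eq 'UserManagement' and activityDateTime ge $since and " +
        "targetResources/any(t:t/id eq '$($user.Id)')") |
    Where-Object { $_.ActivityDisplayName -match 'security info|authentication method' } |
    Sort-Object ActivityDateTime

# Heuristic: a method registered in the week before the first detection looks
# like an attacker establishing persistence rather than a routine device change.
$suspectChanges = @()
if ($riskStart) {
    $suspectChanges = @($authChanges | Where-Object {
        $_.ActivityDateTime -ge $riskStart.AddDays(-7) -and $_.ActivityDateTime -le $riskStart
    })
}

# 4. Directory roles currently assigned to the account.
$roles = Get-MgRoleManagementDirectoryRoleAssignment -All `
    -Filter "principalId eq '$($user.Id)'" -ExpandProperty RoleDefinition

# 5. Sign-ins in the window that Identity Protection rated risky.
$riskySignIns = Get-MgAuditLogSignIn -All -Filter (
        "userId eq '$($user.Id)' and createdDateTime ge $since") |
    Where-Object { $_.RiskLevelDuringSignIn -ne 'none' }

[pscustomobject]@{
    User               = $user.UserPrincipalName
    RiskLevel          = $risky.RiskLevel
    RiskState          = $risky.RiskState
    FirstDetection     = $riskStart
    DetectionTypes     = ($detections.RiskEventType | Sort-Object -Unique) -join ', '
    AuthMethodChanges  = $authChanges | Select-Object ActivityDateTime, ActivityDisplayName
    SuspectAuthChanges = $suspectChanges.Count
    PrivilegedRoles    = ($roles.RoleDefinition.DisplayName | Sort-Object -Unique) -join ', '
    RiskySignInIPs     = ($riskySignIns.IPAddress | Sort-Object -Unique) -join ', '
}
```

A non-zero SuspectAuthChanges count alongside a privileged role is the combination the transcript treats as urgent; the object is meant to be piped into your own reporting or ticketing step.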
