what's new
441 Topics
Hands-on webinar: Teach Module in M365 Copilot and Copilot Notebooks (available for all educators)
Join us on Wednesday, July 8th @ 8am Pacific Time for an in-depth professional development webinar on the new AI-powered "Teach" module in M365 Copilot that is fully rolled out and available to everyone. We will also be covering Copilot Notebooks and the Study Guide, which is now also available to all M365 Educators and Students. This will be a 60-minute hands-on webinar where the Product Management team will walk through the new updates in detail and you can follow along at home with your own M365 Education account. To reiterate, the Teach Module and Copilot Notebooks are available globally to all educators using Microsoft 365. And don’t worry – we’ll be recording these and posting on our Microsoft Education YouTube channel so you’ll always be able to watch later or share with others.
Register here: https://msit.events.teams.microsoft.com/event/msit.ed7f065d-57a5-437c-ba23-12b0ef06a259@72f988bf-86f1-41af-91ab-2d7cd011db47
Agenda: How to use the new AI-powered "Teach" module in M365.
✅ Lesson plans and the new Keep Going feature
✅ Learning Zone integration
✅ Modifying Existing content
✅ Learning Activities
✅ Copilot Notebooks plus Study Guide
We look forward to having you attend the event!
Mike Tholfsen
Group Product Manager
Microsoft Education team

Introducing a refreshed design, task chat, and more in Microsoft Planner
We’re excited to announce that a modernized user interface and new features are now rolling out to basic plans in both Planner in Teams and Planner for the web. The updated design offers enhanced navigation, responsive layouts, a new goals view for setting objectives and priorities, and task chat—one of your most requested features—to enable real-time collaboration and @ mentioning team members. This release aims to make planning easier for everyday users while preparing for future AI-powered capabilities. Our goal is to streamline planning by making it more intelligent and connected, so teams can concentrate on achieving results rather than managing tasks. What's new in Planner A refreshed design: With this rollout, users will be able to manage their plans in a cleaner, more modern interface that brings a more consistent planning experience across work. Planner’s new look was designed to feel simpler, allowing users to find what they need. It reduces visual clutter, improves layout and spacing, and creates a more focused workspace. Task chat with @ mentions: A new task chat is coming to basic plans, bringing real-time, threaded conversations directly into tasks, including @ mentions, rich formatting, emojis, and notifications to help keep decisions tied to the specific task at hand. Plan members who are @ mentioned in a task will receive a notification in their Teams Activity feed and via email and can select the notification which takes them directly to the task card for additional context. Note that previously, users received notifications for every task comment, but as a result of customer feedback, we now only send notifications to mentioned users. The ability to @ mention team members directly in a task has been a top request, and we’re excited to roll this out in a familiar, chat-based experience. Please note, premium plans will continue to utilize the existing task conversation experience. This will converge into the new experience at a later point in time. 
Goals view: Basic plans will now include a dedicated Goals view, allowing teams to set clear, well-defined objectives to help prioritize work. By connecting tasks to shared goals, teams achieve greater alignment, gain clarity on priorities, and track progress and outcomes—driving the plan forward together. Access to Goals view in basic plans requires either a Planner premium license or a Microsoft 365 Copilot license. Notes on availability Please note that not all users will see the new Planner interface at the same time. This refreshed interface, along with Task chat and Goals view, begins rolling out to basic plans today and will continue to roll out over the coming weeks. This is only the beginning This redesign lays the groundwork for many more improvements coming to Planner in the next few weeks and months, including: Project Manager agent in basic plans – to help with task execution and the creation of status reports. Custom templates. Planner in Outlook. Stay tuned for announcements regarding these updates and more aligned to our long-term vision for integrated work management. Feature availability, naming, and timelines are subject to change. Please refer to the Microsoft 365 Roadmap for the latest status. Addressing your feedback We heard your feedback about inconsistencies between basic and premium plans. This refresh starts closing those gaps, so features appear consistently across plans based on your license. For example, users with a Planner premium license will now see Goals in basic plans, and users with a Microsoft 365 Copilot license will soon have access to Project Manager Agent in basic plans as well. Tell us what you think about the new Planner interface, Task chat, and Goals view by selecting More (circled question mark icon) in the top right corner of the app, then selecting Feedback from the dropdown menu. We also encourage you to share any feature requests by adding your ideas to the Planner Feedback Portal. 
Your feedback helps inform our feature updates, and we look forward to hearing from you.
Learn more
Visit planner.cloud.microsoft to access Planner directly from your browser.
Sign up to receive future communication about Planner.
Learn more about Planner in our Frequently asked questions.
Check out the Planner adoption page and Planner help & learning page to learn more about Planner.
Visit the Microsoft 365 roadmap for feature descriptions and estimated release dates for Planner.
Walk through the interactive demos for Project Manager Agent in Planner and Project Manager Agent skills in Teams meetings.

What’s New in Microsoft Teams | June 2026 – InfoComm Edition
Where did the first half of the year go? This edition of What's New in Teams comes to you on the heels of InfoComm 2026 in Las Vegas, the largest professional AV show in North America, and the week where the people who design, build, and run the world's collaboration spaces all gather in one place. It's a fitting backdrop, because so much of what's new in Teams this month comes back to a single idea: bringing people and AI together to get work done. That was the high-level takeaway of our InfoComm keynote, where our Corporate Vice President for Teams Calling, Meetings, and Devices, Ilya Bukshteyn, showed how AI now shows up across Teams like a teammate, in your calls, in your meetings, and in the environments where work happens. A few highlights from each worth calling out: In your calls and conversations New calling agents: Teams Phone Agent is a new AI calling experience that answers incoming calls for a department or organization, understanding what each caller needs and routing or resolving common information requests and appointments scheduling conversationally. Custom voice agents your organization builds in Microsoft Copilot Studio integrate with Teams Phone for help with specialized processes, like enabling a customer to pay a bill in a call. Brand impersonation protection: Teams now detects and warns you when a caller may be posing as a trusted brand, like your IT help desk or bank, with a clear in-call signal so you can decline or leave before you engage. In your meetings Redesigned in-meeting controls: Customize your meeting controls around how you work, and share with more confidence through an improved experience for previewing and presenting content. Bot detection: A new Teams admin policy helps identify likely bots, route them to the lobby in a separate group, and requires organizer approval before they join. In your rooms Facilitator in Teams Rooms: with new skills, the Facilitator agent can help extend the meeting lifecycle in Teams Rooms. 
For the room itself, Facilitator agent can now notify of any issues with the room and find a suitable replacement, use voice to interact with users in the Teams Room, provide information about how to get the most out of using the space, and access external knowledge to answer general questions. These new skills make Teams Rooms smarter before, during, and after meetings. IntelliFrame people labels: IntelliFrame now identifies each person in the room and places their name right alongside them, so remote participants always know exactly who's speaking. A small thing that makes hybrid meetings feel more inclusive and equitable. These are just some of what's new to explore in Teams this month. For more information about all the features we highlighted at InfoComm 2026, watch Ilya’s full keynote presentation here. Read on to see everything we've released in June across Teams. Product areas covered in this update: (All features are generally available unless otherwise noted.) Chat and Collaboration Meetings Teams Phone Workplace - Places and Teams Rooms Fundamentals and Security Frontline workers Platform Certified for Teams Devices Chat and Collaboration Contextual search in Copilot in Teams Sometimes the fastest path to an answer in Teams is to ask rather than scroll through search results. Contextual search in Copilot is now built into Teams search—invoked from autosuggest or a new button on the search results page—so you can get answers without leaving the search experience. Advanced file discovery and filters in Teams Find in chat and channels Finding the right file in a busy channel often means scrolling or asking someone to resend it. Enhanced contextual search now indexes every file uploaded to a channel—even files added outside messages—and adds filters for file type, sender, and date, with instant typeahead to narrow results as you search. Press Ctrl+F (Windows), Cmd+F (Mac), or click Find in chat to start. 
Improved preview experience for Microsoft PowerPoint and Excel files in Teams on mobile Slow or unreliable previews on mobile can stall you between meetings. PowerPoint and Excel previews in Teams now load faster and more reliably, so you can review presentations and spreadsheets shared in chats and channels while on the go. The new preview experience also enables you to open Information Rights Management (IRM)-protected files, improving access to protected content. List view for "View more apps" A cluttered tile view in “View more apps” makes it hard to scan and find the app you need. A streamlined list view now reduces visual noise and helps you discover and open apps more quickly. Context preservation in Teams Teams automatically restores your workspace when you return to a conversation shortly after leaving it. Your selected tab, open side panel, and layout are preserved, allowing you to pick up where you left off without resetting your view. This helps reduce friction and keeps you focused as you move between conversations. Live meeting indicator for threaded channels in Teams (government clouds) Live meetings happening right now in a busy threaded channel can go unnoticed in the scroll. A new live meeting indicator in Teams for government clouds highlights active meetings in the channel so you can spot them and join in real time. Improved organization for muted and meeting chats in Teams A long, mixed chat list makes it hard to find the conversations that actually need your attention. Teams now automatically groups muted chats (on by default) and, optionally, meeting chats into dedicated sections you can turn on or off, so your most important conversations remain easy to find. Improved visibility and control for downloads in Teams Tracking the status of files you’ve downloaded shouldn’t get in the way of your chats. 
The download manager now opens from the title bar or with a keyboard shortcut and lets you monitor downloads without blocking chat and channel actions, so you can stay on top of files while keeping the conversation moving. Quick Share for images in Teams Quick Share in Teams now makes it easier to share images across chats and channels in just a few clicks. You can access sharing options from hover, right-click, overflow menus, and shared tabs to quickly copy links or share images. For images stored in OneDrive or SharePoint, Quick Share preserves existing permissions so the right people maintain access, while images pasted directly into chat are stored separately and do not support permission-based sharing. Meetings Smarter bot protection in Teams meetings AI note-taking bots have started showing up in meetings, creating privacy and security risks when sensitive topics are discussed. A new Teams admin policy, Manage external bots and their access to meetings, helps Teams identify likely bots, route them to the lobby in a separate "Suspected threats" group, and require organizer approval before they join. Confirmation prompts on admission and an upcoming registration path for trusted ISVs make admitting a bot a deliberate decision rather than an accidental one. Learn more. Branded reactions Visual identity shapes how your organization shows up. Whether it's a client presentation, an internal milestone, or a seasonal event, the right visuals set the tone and reinforce your brand. With new branded reactions, organizations can now extend their visual identity directly into meetings. IT admins simply upload custom reaction icons reflecting brand elements or event themes, and these instantly become available for meeting participants. Every clap, thumbs-up, or celebration now aligns with your organization's look and feel. A simple way to create more cohesive, on-brand meeting experiences. 
Teams Phone Teams Phone Agent and extensibility for Copilot Studio voice agents [Frontier public preview] Callers reaching a service line shouldn’t have to wait on hold just to ask a simple question or schedule an appointment. The new Teams Phone Agent answers incoming calls to your Teams Phone service line quickly, handles common questions, schedules appointments, and routes calls to the right person or department when human help is needed. It also integrates with custom AI voice agents built in Microsoft Copilot Studio for specialized workflows like paying a bill over the phone. This experience is available in preview through the Frontier Program. Learn more. Outlook, Teams: Enhanced voicemail transcription and support for new languages Inaccurate or limited-language voicemail transcripts can leave you guessing what callers actually said. Starting in June, voicemail transcription moves to Azure LLM Speech via the Fast Transcription API, bringing more accurate transcripts, faster processing, automatic language detection, and 14 new languages: Arabic, Czech, Danish, Finnish, Hebrew, Hindi, Hungarian, Korean, Norwegian Bokmål, Polish, Russian, Swedish, Thai, and Turkish. Simplified app management for Teams Phone devices via Teams admin center Empower IT admins to customize Teams Phone devices at scale with centralized app management in the Teams admin center. Administrators can now select and remove applications on Teams Phone devices directly from a single management console, eliminating the need for on-device configuration. This streamlined experience helps organizations tailor the app experience for different roles, reduce administrative effort, and maintain greater control across their device fleet. Learn more. 
Workplace: Teams Rooms Facilitator agent skills in Teams Rooms [Public preview] Facilitator agent now brings a persistent, voice-activated AI presence to your Teams Rooms before and after every meeting, understanding the space, your work data, and even the web to keep collaboration moving. With room readiness checks, it catches problems like camera obstructions, clutter, or too few seats before anyone walks in, and surfaces the issue. You can now invoke Facilitator by voice, just speak to the Teams Room to join a meeting or get help and it answers out loud. As a persistent Teams Room expert, Facilitator can answer questions about how the space is set up, from the room's name to how to share wirelessly. Facilitator agent in Teams Rooms can now also access external knowledge, it pulls trusted answers from the web to settle in-the-moment questions, so people stay in the flow instead of reaching for a laptop. The result is a room that's ready when you are, captures what matters, and gives everyone more out of every meeting. IntelliFrame people labels [Public preview] IntelliFrame people labels put names to faces for everyone joining from a Teams Room, so the whole meeting knows exactly who's who. Powered by intelligent cameras and enrollment-based recognition, the labels appear when you hover over an in-room participant. These labels are there when you need them, out of the way when you don't, and if someone hasn't enrolled, others in the meeting can identify them so their contributions still get attributed. Department of Defense (DoD) cloud support for Teams Rooms on Android While available for commercial customers, DoD customers couldn’t yet take advantage of Teams Rooms on Android. But now, Teams Rooms on Android app meeting and collaboration functionalities are fully supported for Department of Defense (DoD) customers. Available with Teams Rooms Pro. 
Front-of-room view control for Webinars & structured meetings in Teams Rooms on Android When a Teams Rooms on Android joins a webinar or structured meeting as a presenter, you don't want the front-of-room display flipping to presenter view in front of the audience. The front-of-room display now defaults to attendee view, and presenters keep full control from the console—including green room and off-stage management—and can switch the front-of-room display to presenter view without impacting attendees. Learn more. Proximity join support for presenters in Teams Events from Teams Rooms on Windows or Android Getting set up to present an event from a meeting room can be a bit cumbersome and confusing for users. Now, proximity join in Teams Rooms on Windows or Android lets presenters connect quickly and effortlessly to nearby room systems during Teams Events such as town halls, webinars, and structured meetings, enabling smooth live presentations. Learn more. Room availability signal in the Teams events app Booking a room for a Teams event without knowing whether it's free at that time can lead to conflicts and last-minute scrambles. In the Events app, event organizers can now see whether the chosen room or space is available at the designated time before confirming. Available for any Teams event organizer with a Teams Enterprise license. Learn more. Fundamentals and Security Admins can define Teams policies in TAC that are specific to Blueprints or Digital Workers Governing digital workers and their blueprints with the same Teams policies used for regular users creates risk and limits flexibility. IT admins can now associate a Policy Template, a reusable set of licensing, security, and compliance policies, with one or more blueprints in the Teams admin center, so every agent created from a blueprint automatically inherits the right policies, without disrupting existing blueprint management. 
Manage Teams core agents in the Teams admin center Managing Teams core agents alongside general Microsoft app settings makes it hard to control where they show up. IT admins can now manage Teams core agents like Facilitator from a dedicated experience in the Teams admin center, controlling availability for all users, specific users, or groups. These agents are native to Teams and no longer affected by org-wide Microsoft app settings. Security Detection Report in Teams Admin Center Investigating phishing, impersonation, and message safety incidents in Teams has meant piecing together signals from multiple places. The Security Detection Report in the Teams admin center gives IT admins a unified view that consolidates impersonation, malicious URL, and weaponizable file detection data across Teams messaging. Admins can export the report as a CSV with sender MRI and thread ID for deeper investigation, and access reporting directly in the Teams admin center alongside existing security workflows. Meeting impersonation detection and high‑risk alerts for Teams on iOS and Android Impersonation attempts in meetings are hard to spot in the moment, and in the past, mobile users have had fewer protections than desktop. Now, new security signals in Teams identify potential impersonation and surface contextual alerts when elevated risk is detected, so you can make more informed decisions during collaboration. This release brings high-risk detection capabilities to Teams on iOS and Android, extending protection across more endpoints without disrupting meeting experiences. Report a Security Concern in Calls Suspicious calls are often the first sign of vishing, impersonation, or fraud attempts—but until now, you’ve had no easy way to flag them. From Teams call history and post-call surfaces, you can now report suspicious or unexpected VoIP and PSTN calls, add context, and optionally block the caller. 
If a call was flagged in error, you can mark it “not a concern” to reduce false positives. Your reports feed Microsoft security and investigation systems, strengthening protections against emerging calling-based threats. Microsoft Teams VDI Optimization for Omnissa on Mac VDI users on Omnissa for Mac haven’t had the same modern Teams performance as native desktop users, especially for meetings, audio, video, and screen sharing. Teams now brings its modern VDI optimization architecture to Omnissa on Mac, delivering better performance, greater feature parity with the native desktop client, and a more reliable experience—while keeping the centralized management, security, and scalability of VDI. New Teams VDI optimization for macOS Users accessing Teams through existing virtual desktop systems on macOS often experience lower call quality and limited meeting features compared to local devices. Now in GA, the new Teams optimization for macOS improves performance and reliability for users connecting to Azure Virtual Desktop (AVD) and Windows 365. It replaces the previous solution with better video quality (up to 1080p), larger gallery views, and enhanced calling features like Quality of Service (QoS) and noise suppression. For IT admins, it adds Teams Admin Center integration, Call Quality Dashboard support, and simpler updates via a bundled plugin. For more info, check New VDI solution for Teams - Microsoft Teams | Microsoft Learn. Frontline Workers What's New in Shifts: Smarter Scheduling, Faster Workflows Frontline managers spend far too much of their day wrestling with schedules. This wave of Shifts updates is all about giving that time back — automating the tedious parts, making every interaction feel natural, and helping new teams get up and running in minutes. Here's everything shipping now and what's just around the corner. 
Build a Full Schedule in Seconds with Assign Open Shifts Assign Open Shifts intelligently matches your available workers to open shifts while honoring the rules that matter most — maximum weekly hours, minimum rest periods, and more — so you can build a ready-to-publish schedule in just a few clicks. Start by creating open shifts for when you need coverage, edit constraints as needed, then watch as a draft schedule is created. Changed your mind? One-click undo rolls the whole thing back instantly. Whether you're standing up a brand-new week or scrambling to cover a last-minute vacation, Assign Open Shifts turns hours of work into seconds. Move Shifts the Way You'd Expect with Drag and Drop One of our most-requested features of all time has arrived. Simply grab a shift and drop it wherever it needs to go. Reassign a shift from one worker to another, to a different day or schedule group, or move it into the open shifts pool. It's the intuitive, hands-on scheduling experience managers have been asking for, and it makes mid-week changes the easiest part of your day. Work at the Speed of a Spreadsheet with Improved Multi-Selection With improved multi-selection, the familiar shortcuts you already rely on — Ctrl+Select, Shift+Select, and Ctrl+A — let you grab dozens of shifts at once and bulk copy, paste, or delete them in a single motion. Cloning a productive week, clearing out a draft, or making sweeping updates across your team now takes a fraction of the effort. It's the speed and muscle memory of a spreadsheet, brought right into the Shifts app you use every day. See the Bigger Picture with Two-Week View Plan further ahead and stop flipping back and forth between weeks. The new two-week view lets you build and review a full fourteen days of shifts side by side — perfect for teams paid biweekly. Spot coverage gaps, balance workloads fairly, and finalize your next pay cycle all in one continuous view. 
It's a wider lens on your schedule that helps make long-range planning effortless. Platform Express voice enrollment in Microsoft Teams If you haven’t registered your voice in Teams, you’ll miss out on key features like intelligent speaker recognition, richer Microsoft 365 Copilot recaps, and smart audio and video experiences. Express voice enrollment makes registering your voice fast and easy. If you don’t yet have a voice profile, just go to the recognition tab in Teams settings and opt-in to enroll your voice simply by speaking during a meeting. Admins can enable or disable this feature for their organization. Learn more. App support for private and shared channels Users often need to leave private and shared channel conversations to access the apps they rely on. But now, app support for private and shared channels brings tabs, bots, and message extensions directly into these collaboration spaces (subject to admin policy). Channel owners can add apps at the channel level, helping teams stay in flow and move work forward without switching contexts. To implement these updates, follow Teams connects shared and private channels - Teams | Microsoft Learn. Certified for Teams Devices Biamp Ceiling Tile Mic w/ Configurable DSP for Medium, Large and Extra-Large Rooms The Biamp BMA 360D Ceiling Tile Mic, powered by the TesiraFORTÉ X — the industry's most trusted conference room DSP — brings gold-standard Tesira audio to medium, large and extra-large Microsoft Teams Rooms on drop-tile or hard ceilings. Learn More. New Logitech Express Install bundles Logitech, in partnership with Urben Express, Vision Express and Samsung, is simplifying room installations with Express Install solutions for Microsoft Teams Rooms on Windows and Android. Each bundle makes high-quality meeting spaces more accessible and easier to deploy. 
Logitech's Express Install kits for huddle rooms, medium rooms, and large rooms can be installed in under an hour, with minimal labor and no specialist help needed.
Logitech Rally Bar & Urben Express Range 65 for Teams Rooms on Windows
Logitech MeetUp 2 & Vision Express Desk Mount for Teams Rooms on Windows
Logitech Express Install: Logitech Rally Bar Mini & Vision Express Desk Mount for Teams Rooms on Android
Logitech Rally Bar Huddle & Vision Express Desk Mount for Teams Rooms on Android
Logitech Rally Bar & Urben U-Cart HD for Teams Rooms on Android

What’s new in Microsoft Sentinel: June 2026
Welcome back to What's new in Microsoft Sentinel. In June, Sentinel SIEM’s Advanced Security Information Model (ASIM) broadens its normalization, so one analytic rule can reach more sources with less per-source work and, additionally, two new ASIM schemas can now bring asset inventory and AI agent telemetry into common form. In Microsoft Sentinel data lake, the Agent Identities Asset Connector adds the identity context behind your AI agents, helping you see who owns an agent and what permissions it holds. In Sentinel MCP, graph tools help security teams investigate threats and optimize security coverage by visualizing relationships across identities, devices, alerts, and signals in a unified graph experience. Read on for the details, and explore the resources at the end to go deeper. Sentinel innovations: Sentinel SIEM Sentinel data lake Sentinel MCP Microsoft Security Store Sentinel SIEM Advanced Security Information Model (ASIM) parsers and schemas [Generally available] The Advanced Security Information Model (ASIM) in Sentinel normalizes logs into common schemas, so one analytic rule can cover many sources without managing each native schema. ASIM coverage has expanded across more Azure services, broader AWS CloudTrail activity, and a range of third-party firewall, identity, and proxy products, so your detections reach more of your environment with less per-source work. Two schemas also join ASIM: Asset Entities normalizes asset inventory so you can correlate files and assets across investigations, and AI Agent Events normalizes telemetry from AI-driven workflows and autonomous agents. Browse the ASIM parsers on GitHub to explore, file issues, or contribute. Learn more in our blog. Sentinel transition to Defender blog series By March 31, 2027, all Microsoft Sentinel customers transition to Defender. 
This six-part series guides you through moving your Sentinel experience from the Azure portal to Defender, where SIEM, XDR, threat intelligence, AI, and automation come together in one experience. Your analytics rules, playbooks, workbooks, log analytics workspace, and access assignments all carry forward while the operational layer becomes more connected and intelligent. Starting early matters because you realize the benefits sooner, including a unified incident queue, cross-product correlation, Security Copilot, Sentinel data lake, and SOC optimization. Across the six-part blog series you get 1) the strategic shift, 2) the anatomy of incident and data changes, 3) detection and automation, 4) the governance shift across roles and access, 5) a readiness playbook with the adoption helper and cost guidance, and 6) a look at the AI-first SOC. Each part stands alone, so you can read in order or jump to what matters most to you. Sentinel data lake Agent Identities Asset Connector [Public preview] The Agent Identities Asset Connector brings identity context for AI agents into Sentinel. Activity connectors like Agent 365 and Microsoft 365 Copilot already show you what AI agents do, but activity alone cannot tell you who owns an agent, what permissions it holds, or how it is governed. This connector fills that gap with four asset tables covering agent owners, agent identities, agent blueprints, and the service principals tied to those blueprints. Together they form a connected agent identity graph you can trace from owner to identity to blueprint to permissions to the resources an agent touches. Joining this asset data with activity data in Sentinel data lake lets you detect anomalous behavior relative to permissions, spot over-permissioned or misconfigured agents, and follow full execution chains for end-to-end traceability. To get started, install the Agent 365 and Microsoft 365 Copilot solutions in Content Hub and enable the asset and activity connectors. Learn more. 
Sentinel MCP Sentinel MCP graph tools [Public preview] Microsoft Security Graph MCP tools, recently introduced in the Microsoft Sentinel MCP Server data exploration collection, help security teams investigate threats by exploring relationships between identities and device assets, and threat and activity signals ingested by data connectors and surfaced by analytic rules. Starting from an alert, analysts can follow the exposure path across connected entities — tracing lateral movement, understanding blast radius, and identifying configuration gaps — all from a single, interactive workspace. The tool provides a clear graph view that highlights dependencies and makes it easier to understand how content interacts across your environment. This helps security teams assess coverage, optimize content deployment, and identify areas that may need tuning or additional data sources. Executing graph queries via the MCP tools will trigger the graph meter. Learn more. Microsoft Security Store Partner testimonials from Adaquest and Glueckkanja For partners like Adaquest and Glueckkanja, the Microsoft Security Store not only helps put their years of knowledge, understanding, and best practices into a scalable, packaged solution, it also gives them the ability to democratize that expertise and take it to market globally. Security Store operationalizes their expertise as always-on defenses — discoverable, deployable, and driving real outcomes inside the tools that security teams rely on every day. 
See how the Security Store is helping security teams act on threats faster with the right solutions and to be ready when it matters most:
Watch: Adaquest unlocks faster response times for customers (testimonial)
Watch: Glueckkanja builds agents with purpose (testimonial)

Additional resources

Blogs and documentation:
The Advanced Security Information Model (ASIM) Process Event normalization schema reference
How BlueVoyant's ASIM-First Strategy Simplifies Threat Detection in Microsoft Sentinel
Migrate Sentinel to Defender – Why It Is a Security Architecture Decision, Not Just a Portal Change
Connect Microsoft Sentinel to the Microsoft Defender portal
Agent 365 connector: Monitor, hunt, and investigate AI agent activity in Microsoft Sentinel
Get started with Microsoft Sentinel MCP server

Upcoming webinars and events:
July 15–16: Microsoft Virtual Training Day: Predict and Defend Against Cybersecurity Threats
July 22: Microsoft Security Immersion Event: Shadow Hunter
July 23-24: Microsoft Virtual Training Day: Introduction to Microsoft Security
July 28: Tech Brief: Modernize security operations with a unified platform
July 29: Security Immersion Event: Into the Breach

Stay connected
Check back each month for the latest innovations, updates, and events to ensure you’re getting the most out of Microsoft Sentinel. We’ll see you in the next edition!

What's New in Microsoft Teams | May 2026 - Build Edition
It's hard to believe May is over already! You may have noticed this edition of What's new in Teams is landing a few days later than usual — that's intentional. We're publishing alongside Microsoft Build, our annual developer conference where we showcase the latest in AI, agents, and the tools that help developers. It's one of the most energizing weeks of the year, full of announcements, hands-on sessions, and a first look at where the platform is headed.

A lot of what's in this release ties directly to what's being unveiled on the Build stage, and I wanted to highlight a few Teams Platform features worth calling out:
Linear, Cursor, and Atlassian Rovo agents in Teams — three powerful new partner agents that turn channel conversations into shipped code, filed issues, and updated project plans without ever leaving the chat.
New Teams CLI — one command to register, configure, and deploy a Teams agent, so developers can spend their time on agent logic instead of managing complex processes.
Collaborative features for agents – our new agent capabilities include quoted replies to keep conversations anchored, slash commands to quickly take action in the flow of work, and expressive emoji reactions that add nuance without adding noise, all helping teams stay aligned and move faster in collaboration with agents.

A few other highlights I'm especially excited about beyond Platform:
New AI-generated Video recap in Teams turns meeting recordings into short, narrated highlight reels—so you can quickly catch up on what matters most without watching the full session.
In Teams Phone, Brand Impersonation Protection alerts you in real time when a caller may be posing as a trusted brand like your bank or IT helpdesk, so you can decline or report the call with confidence.

These are just a taste of what's new. Read on to see everything we've released in May across chat, meetings, phone, rooms, frontline, and more. 
Product areas covered in this update: (All features are generally available unless otherwise noted.) Teams Platform Chat and Collaboration Meetings Teams Phone Workplace - Places and Teams Rooms Fundamentals and Security Frontline workers Certified for Teams Devices Teams Platform Slash commands for agents- Public Preview Triggering an agent shouldn't break your flow. With slash commands, users can invoke agent actions, retrieve information, or kick off tasks directly from the compose box using simple "/" prompts — keeping agents one keystroke away in any chat or channel. Quoted replies for agents- Public Preview Threaded conversations are easier to follow when agents stay anchored to the right message. With quoted replies, your agent can now reference the exact message a user is responding to so context isn't lost as threads grow longer or branch into side discussions. Agents can also send quoted replies of their own, keeping multi-turn exchanges clear and traceable for everyone in the chat. Message Reactions for Agents – Public Preview Ever wish your agent could just give a thumbs-up instead of cluttering a thread with another reply? Now it can. Agents in Teams can now respond with emoji reactions the same way people do, matching the rhythm of the conversation with a lightweight signal instead of an extra message. Threads stay clean, exchanges feel more natural, and you get a clear acknowledgment without the noise. New Teams CLI Building an agent today means juggling registration, credentials, manifest creation, and deployment across multiple tools, slowing developers down before they even get to the interesting work. The new Teams CLI collapses all of it into a single command, working alongside coding agents to take a Teams agent from idea to running instance in minutes. By handling setup and diagnostics behind the scenes, developers can focus on agent logic instead of managing configuration complexity. Learn more here. 
Linear agent in Teams Software teams lose momentum every time a channel decision has to be manually translated into a Linear issue or project update. The Linear agent in Teams closes that gap by turning conversations directly into actionable work — creating issues, capturing context, and updating project workflows from inside the thread where the decision was made. The Linear agent is available now in the Microsoft Marketplace. Cursor agent in Teams Engineering work stalls every time you have to leave a Teams discussion to fix a bug or ship a feature in a separate tool. The Cursor agent in Teams keeps you in the flow: @mention it in any channel or chat to invoke Cursor's Cloud Agents directly inside the conversation, where it returns results with full context of the discussion. The result is a faster path from idea to production, without ever leaving Teams. The Cursor agent is available now in the Microsoft Marketplace. Atlassian Rovo agent in Teams Jumping between Teams, Jira, and Confluence to turn a chat decision into actual project work slows everyone down. The Atlassian Rovo agent in Teams brings AI-powered context and action across Jira, Confluence, and Teamwork Graph organizational data into your conversations — so you can go from a question in chat to creating Jira issues, drafting Confluence pages, and updating workflows in a single interaction. Rovo evolves Atlassian's previous Jira and Confluence apps into an orchestrating "uber agent" for Atlassian AI, now available in the Microsoft Marketplace. MCP servers/connectors discovery and connection UI from agent settings- Public Preview Connecting an agent to the right external system used to mean piecing together configurations from multiple places. Now, you can discover, connect, and manage MCP servers and connectors all from one unified experience inside agent settings in Teams — so it's faster and more secure to plug external data and services into agent workflows. 
App centric management in Teams Admin Center to manage the Apps access for tenants, end-users, and groups in GCC In GCC environments, controlling who can install which Teams apps used to require broad permission policies that didn't scale well as app catalogs grew. With app-centric management, GCC admins can now set defaults for newly published apps and decide app-by-app whether everyone, specific users and groups, or no one, can install them. Existing app permission policies are migrated automatically, so current availability stays intact. Visual enhancements in adaptive cards Agent responses used to feel flat, with long walls of text and little room for users to drill into the details that matter. New visual TableSet, Accordion, and Loop components let agent builders structure responses into navigable tabs, expandable sections, and repeating content so users can scan and act on information the same way they would in a polished app. Expanded action capabilities such as Popover and richer content support through references and Citations round out the experience. Organization evaluation score for apps and agents- Public Preview IT admins used to manually review trust data for Teams agents and apps in the admin center to verify security, privacy, and compliance standards. This new feature enables admins to define their company's approval requirements once; the system then automatically assesses apps and agents, generating an evaluation score and detailed report per agent/app. This speeds up decision-making by clearly surfacing which ones meet all company standards and which need further review. M365 Agents Toolkit and Developer Portal Support for Agents in Gov Clouds Developers building for regulated customers used to face a choice: ship in commercial cloud, or rebuild from scratch for government environments. 
Now, the Microsoft 365 Agents Toolkit and Developer Portal are expanding support for building agents in Government Community Cloud (GCC), GCC High (GCCH), and DoD — so the same solution can reach highly regulated organizations without redesign or re-architecture. M365 certification bulk management IT admins today have to enable trusted third-party apps one at a time in the Teams admin center, a slow and repetitive process when working across hundreds of apps. This feature evolves the org-wide third-party app setting from a simple ON/OFF toggle into a granular dropdown with a new "Allow only Microsoft 365 certified apps" option, letting admins turn on every Microsoft-certified app across their tenant in a single click. As apps earn or lose certification, the platform keeps availability in sync automatically — no ongoing manual upkeep. Observability features for A365 Agents in Teams- Public Preview As more A365 agents act on behalf of users in Teams, IT needs more than just visibility and control—they need to understand how those agents are operating in real time. These new observability capabilities provide deep insights into agent activity, usage, performance, and interactions across Teams and the Microsoft 365 Copilot Agent Store. By surfacing real-time metrics and governance signals, admins can monitor behavior, identify issues, and ensure agents are operating securely, compliantly, and effectively at scale. A365 agents on Teams mobile- Public Preview Bring AI agents with you wherever work happens. A365 agents are now available on Teams mobile in public preview, so you can discover, chat with, and add approved agents to conversations and meetings from your phone, the same way you would from desktop. From the Teams mobile app store, browse the "Agents for your team" category, request an agent, and start delegating tasks on the go after admin approval. 
Enhanced Teams Store- Public Preview Finding the right agent in Teams just got easier, and knowing what it does is now instant. The enhanced Teams Agents & Apps Store solves both problems. Smarter search surfaces helpful suggestions that appear the moment you open the search box, and results update instantly as you type. Once you find what you're looking for, redesigned tiles, clickable sample prompts, and a personalized "Your Agents & Apps" view make it easy to evaluate an agent and put it to work right away. Chat and Collaboration Create workflows with slash commands Jumping out of a chat to update your status or schedule a message breaks your concentration just when you're trying to get something done. Now, you can stay in the compose box using slash commands. Type / on an empty line to interact with apps and agents, create and manage workflows, or run Teams actions like /busy, /goto, or /schedulemessage. Whether you're inserting a GIF or managing workflows, slash commands offer a consistent and efficient way to get things done without leaving your flow. Improved code readability with line numbers Pointing teammates to "the third line from the bottom" gets old fast when you're reviewing code in a chat. Teams now displays automatic line numbers in code blocks so you can reference specific lines naturally in reviews and discussions, and enhanced keyboard navigation lets you move through code without reaching for the mouse. Badging updates help find messages that count in the chat list That little badge on your Teams app icon tells you something needs attention, but tracking down exactly which message is driving it can take longer than you'd like. Now, unmuted chats show a purple indicator when they affect the badge. In addition, mentions, followed threads, and tag mentions display a purple number showing how many unread items are part of the count. Catch up on Teams conversations on mobile Catch up on everything that needs your attention in a single, unified view. 
Each conversation appears on its own swipeable card with full context and all the actions you need - reply, react, save, mark read/unread, follow/unfollow - to complete your triage. Simply tap the Catch up button at the top of your chat list to get started and get swiping! Learn more about Catch up. Quick access to read items from unread-only mode Unread-only mode keeps your chat list focused on what needs attention, but sometimes you still need to find a message you read earlier. Now, hovering over any section in unread-only view reveals an eye icon that opens a list of read chats and channels for that section, without leaving your unread view. Instant search results when typing in Teams Find in chat and channel Hitting Enter, scanning results, refining your query, and trying again is a slow way to find a message. Find in chat and Find in channel now show results instantly as you type, so you can refine on the fly and get to the right message faster. Advanced filters in Teams Find in chat and channel When the right message is buried under hundreds of others, scrolling isn't a search strategy. New filters in Find in chat and Find in channel let you narrow results by sender, date, attachments, or mentions directly from the right rail — accessible via Ctrl+F (Windows), Cmd+F (Mac), or the Find icon in any chat or channel header. Teams honors the Windows Do not disturb setting Setting Windows to Do not disturb but still getting pinged by Teams defeats the whole point of focus time. Teams integrates with the Do not disturb setting in Windows to help reduce interruptions during focused work. Teams notifications are paused when the Windows Do not disturb setting is turned on, and resume after it is turned off. Meetings Video recap Catching up on meetings just got a whole lot faster. 
Video recap turns your recorded Teams meetings into short, narrated highlight reels, pairing an AI-generated voiceover with real clips of the key moments, decisions, and shared visuals from the conversation. Whether you missed a meeting or just want to revisit the most important parts, video recap helps you quickly grasp the flow, tone, and outcomes without scrubbing through the full recording. Available to Microsoft 365 Copilot–licensed users on Teams for Windows, Mac, and the web, for recorded English-language meetings between 10 and 90 minutes. Ability to delete recap Cleaning up after a sensitive meeting used to mean deleting recording, transcript, AI summary, and notes from separate places, or asking an admin for help. Organizers can now delete all of it in one place from the recap page's More (…) menu. Shared files stay put in their original locations. It's a quick, confident way to support your retention practices — no admin setup required. Teams Phone Brand Impersonation Protection in Microsoft Teams Calling Stay one step ahead of scammers. Teams now detects and warns you when a caller may be impersonating a trusted brand—like your IT helpdesk, bank, or Microsoft Support—before you engage. When a potential threat is detected, you'll see an in-call alert with clear identity signals (such as "Scam suspected"), empowering you to decline, leave, or report the call instantly. No extra tools needed—protection is built right into your calling experience. It's proactive security that keeps your credentials, data, and organization safe without disrupting your workflow. Report a Suspicious Call in Teams Suspicious calls used to be easy to hang up on but hard to actually do anything about. Users can now report calls that appear unusual or suspicious directly in the Calls app history. After selecting “Report call” in the call’s additional options, users can add a reason to the report and have the option to block the caller. 
When a call is reported, the signal helps strengthen Microsoft’s detection systems to reduce future unwanted or malicious activity. By making it easy to report in the moment, users can contribute to ongoing threat protection while helping improve overall call security across the organization. Queues app for Teams Mobile Customer-facing employees can't always sit at a desk all day, but stepping away used to mean dropping out of the queue and missing calls. The Queues app — with advanced queue management and collaborative calling — is now supported on Teams mobile, so information workers like bank tellers or IT help desk representatives can stay opted in, review recent calls, and return missed customer calls from their phone. The result: faster response, fewer missed opportunities, and a more consistent customer experience away from the desk. Consult and merge a PSTN caller through DTMF Need to consult a subject matter expert in a private conversation before merging them into a meeting, but they're behind an auto attendant phone menu? Now you can. Meeting organizers can consult and merge PSTN callers into active Teams meetings, even when reaching them requires navigating Dual-Tone Multi-Frequency (DTMF) menus, so the right person joins the conversation without delays or call drops. Workplace - Places and Teams Rooms Enhanced media quality for Direct Guest Join in Teams Rooms on Windows You’ll notice media quality improvements including support for up to 16 participant videos (4×4 grid) available in May and simulcast streaming (June) when using Direct Guest Join. These updates make cross-platform meetings more immersive and reliable when joining Teams meetings from Zoom, Google Meet, or Cisco devices. Learn more. Miracast support for Teams Rooms on Windows devices including touch boards Cables and connectors slow down meetings, especially in flex spaces where guests and visitors need to share quickly. 
Teams Rooms on Windows all-in-one touch boards now support Miracast for cable-free wireless screen mirroring alongside Teams Cast and HDMI ingest. Walk in, mirror your screen, present. Available with Teams Rooms Pro. Learn more. Multi-camera view support for GCC-H and DoD in Teams Rooms on Windows Remote participants in large rooms often miss what's happening because they're stuck looking at a single, fixed camera angle. GCC-H and DoD cloud customers can now use multi-camera views in Microsoft Teams Rooms on Windows, allowing remote participants to switch between multiple in-room camera feeds for improved visibility and engagement in larger spaces. Find camera requirements here. Available with Teams Rooms Pro. Learn more. Multi-stream IntelliFrame support for GCC-H and DoD in Teams Rooms on Windows In hybrid meetings, remote attendees often see in-room participants in a single distant frame— making it hard to read faces and engage. Multi-stream IntelliFrame, now available for GCC-H and DoD customers in Teams Rooms on Windows, sends a separate video feed of each in-room participant for far more inclusive hybrid conversations. Requires a compatible intelligent camera. Available with Teams Rooms Pro. Learn more. Book future meetings directly from Teams panels You can now make an upcoming meeting reservation from a Teams panel by browsing the calendar on the device and choosing any open time slot through midnight the next day. Add a guest during booking, streamlining ad-hoc scheduling and coordination. Available with Teams Rooms Pro and Shared Device licenses. Learn more. Enhanced issue detection in Teams Rooms on Windows and auto-remediation with Teams Rooms Pro Management To minimize delays due to equipment issues, Teams Rooms on Windows proactively monitors room audio, video, and display signals to detect issues in meeting spaces. 
Teams Rooms Pro Management automatically remediates common issues that can be resolved through software, configuration changes, or device resets during nightly maintenance. This ensures users have reliable, ready-to-use meeting rooms, while IT admins benefit from reduced manual troubleshooting and increased uptime. Available for Teams Rooms Pro-licensed rooms. Learn more. Room health signals and notifications in Teams Rooms on Windows When critical issues impact room functionality, meetings can be delayed or derailed. Room health signals now trigger display of a banner notification on both the front-of-room display and console in Teams Rooms on Windows. Room health signals help get issues resolved quickly and ensure productive meetings. Available with Teams Rooms Pro. Learn more. Expanded access to the AI Assistant for all roles in the Teams Rooms Pro Management portal Admins now have broader access to the AI Assistant in the Teams Rooms Pro Management portal, no longer limited to global admin roles. Using role-based access controls (RBAC), admins see only rooms and devices they manage, improving visibility and support while adhering to security policies. Learn more. Fundamentals and Security Agent metadata visibility in Teams Admin Center Approving an AI agent for the organization used to mean piecing together what it could actually do from multiple places. IT admins can now view detailed agent metadata — capabilities, knowledge sources, and allowed actions — directly in the Teams Admin Center before approving or enabling agents. With this visibility centralized in one place, admins can understand what kind of agent they are approving and broaden rollout once they're certain agents meet their security and compliance standards. User-Reported Teams Message Security Signals in the Teams Admin Center Users flag suspicious messages every day, but those signals used to be hard for IT to act on at scale. 
Admins can now monitor user-reported security signals directly in the Teams Admin Center through the Security Message Violation report, surfacing flagged messages and false-positive reports in one centralized view, so security controls can be tuned to real-world threat exposure without leaving the admin center. Account switching for native Mac controls via dock and menu bar Juggling work, guest, and tenant accounts in Teams on Mac used to mean opening the full app every time you needed to switch. Now, account and tenant switching controls live directly in the macOS dock and menu bar — exactly where Mac users expect them — so toggling between organizations or accounts takes one click. Frontline workers Explore our learn docs for more information on all of our Teams for frontline solutions. Guided setup for Frontline Rolling Teams out to thousands of frontline workers used to mean stitching together onboarding, team structure, and pinned-app policies across multiple tools. Guided setup in the Teams Admin Center now walks admins through all of it in one place — making it easier to expand pilots, keep app layouts uniform, and track adoption with built-in insights. Learn more in the official documentation here or sign up here to explore additional deployment capabilities in private preview. Automatically fill open shifts with Smart Scheduling Smart scheduling in Shifts takes the manual effort out of building frontline schedules. Managers can automatically assign open shifts based on employee availability, scheduled time off, constraints such as maximum weekly or daily hours, and historical data about what shifts people usually work. Simply create open shifts for the required number of positions, select "Assign open shifts," and let Teams find the best match for each slot. Any shifts that can't be filled automatically are flagged for manual review, so managers stay in control while saving significant time. 
The result: faster, fairer schedules with less effort for managers and frontline workers alike. Deliver operational updates with the Communicator app Critical updates for frontline workers — safety alerts, training reminders, outage notifications — often get lost in long channel threads or scattered across other apps. The Communicator app in Microsoft Teams enables operations teams to deliver structured, actionable updates directly within the channels frontline workers already use. Whether sharing safety alerts, training reminders, or outage notifications, teams can publish consistent, easy-to-act-on messages, track delivery and engagement, and communicate seamlessly without requiring additional apps or workflow changes. Sign up for the limited public preview: aka.ms/CommunicatorApp Run hands-free site walkthroughs with voice in Frontline Agent Typing inspection notes on a phone while walking a site is slow, error-prone, and can be a safety risk. Frontline Agent enables voice-driven site walkthroughs, allowing workers to complete inspections, capture issues, and document compliance tasks using natural speech. Inputs are automatically transcribed into structured digital records, reducing manual data entry, speeding up reporting, and ensuring critical insights from the field are consistently captured. Sign up for the limited public preview: aka.ms/SiteWalkthrough Certified for Teams Devices Barco ClickShare Hub Core with Logitech Meetup 2 The ClickShare Hub Core and Logitech MeetUp 2 bundle is a solution certified for Microsoft Teams Rooms designed for small meeting rooms. ClickShare Hub Core enables one-click, wireless conferencing and 4K content sharing with one next-gen ClickShare Button (featuring Wi-Fi 6E and USB-C DisplayPort™). Built on the Microsoft Device Ecosystem Platform (MDEP), it’s designed to deliver a secure meeting experience. 
The widely recognized Logitech MeetUp 2 video bar delivers USB-connected high-quality audio and video with AI-enhanced performance. For meeting participants, this bundle ensures intuitive and engaging meetings. For IT managers, it pairs ease of installation and eco-friendliness with enterprise-grade security, compliance, and standardized integration. Learn more Jabra Scheduler Jabra Scheduler is a smart, professional room scheduling panel that makes finding and booking meeting rooms fast. With an integrated lightbar and intuitive touchscreen, it’s certified for Microsoft Teams. Easy to deploy, simple to scale, and built to unlock more productive meetings across your workplace. Learn more Neat Pad Pro Neat Pad Pro elevates how meetings come together. As a meeting room controller or scheduling display, it gives teams effortless command and IT a simple, scalable way to manage rooms. With a 10-inch touchscreen, built-in microphones, and intelligent processing, it enhances audio, sharpens control, and improves accessibility—so meetings run more smoothly and sound clearer. Learn more Jabra Speak2 40 Built for hybrid workers who take meetings from anywhere, the Jabra Speak2 40 delivers true full-duplex audio with a 50mm speaker, wideband sound, and four advanced beamforming microphones — connecting via either USB-C or USB-A on the same cable. Learn more. Owl Labs Meeting Owl 5 Pro The Meeting Owl 5 Pro is redefining the center-of-table experience by making hybrid meetings simpler and smarter than ever. Our next-gen camera, speaker, and microphone device powers enterprise-grade hybrid meetings with an easy-to-use BYOD solution. It combines 360-degree 4K video with award-winning automatic speaker-switching software to enable effective hybrid collaboration in any space. Features native HDMI and Ethernet ports for a seamless single-cable BYOD experience built with security and reliability in mind. 
Compatible with all video conferencing platforms, including Microsoft Teams, Zoom, and many others. Learn more.

What’s New in Microsoft 365 Copilot | May 2026
Welcome to the May 2026 edition of What's New in Microsoft 365 Copilot! Every month, we highlight new features and enhancements to keep Microsoft 365 admins up to date with Copilot features that help your users be more productive and efficient in the apps they use every day.

Microsoft Sentinel data lake FAQ
Microsoft Sentinel data lake (generally available) is a purpose‑built, cloud‑native security data lake. It centralizes all security data in an open format, serving as the foundation for agentic defense, enhanced security insights, and graph-based enrichment. It offers cost‑effective ingestion, long‑term retention, and advanced analytics. In this blog we offer answers to many of the questions we’ve heard from our customers and partners. General questions What is the Microsoft Sentinel data lake? Microsoft has expanded its industry-leading SIEM solution, Microsoft Sentinel, to include a unified, security data lake, designed to help optimize costs, simplify data management, and accelerate the adoption of AI in security operations. This modern data lake serves as the foundation for the Microsoft Sentinel platform. It has a cloud-native architecture and is purpose-built for security—bringing together all security data for greater visibility, deeper security analysis, contextual awareness and agentic defense. It provides affordable, long-term retention, allowing organizations to maintain robust security while effectively managing budgetary requirements. What are the benefits of Sentinel data lake? Microsoft Sentinel data lake is purpose-built for security, offering flexible analytics, cost management, and deeper security insights. Sentinel data lake: Centralizes security data in delta parquet and open format for easy access. This unified data foundation accelerates threat detection, investigation, and response across hybrid and multi-cloud environments. Enables data federation by allowing customers to access data in external sources like Microsoft Fabric, ADLS and Databricks from the data lake. Federated data appears alongside native Sentinel data, enabling correlated hunting, investigation, and custom graph analysis across a broader digital estate. 
Offers a disaggregated storage and compute pricing model, allowing customers to store massive volumes of security data at a fraction of the cost compared to traditional SIEM solutions. Allows multiple analytics engines like Kusto, Spark, and ML to run on a single data copy, simplifying management, reducing costs, and supporting deeper security analysis. Integrates with GitHub Copilot and VS Code empowering SOC teams to automate enrichment, anomaly detection, and forensic analysis. Supports AI agents via the MCP server, allowing tools like GitHub Copilot to query and automate security tasks. The MCP Server layer brings intelligence to the data, offering Semantic Search, Query Tools, and Custom Analysis capabilities that make it easier to extract insights and automate workflows. Provides streamlined onboarding, intuitive table management, and scalable multi-tenant support, making it ideal for MSSPs and large enterprises. The Sentinel data lake is designed for security workloads, ensuring that processes from ingestion to analytics meet evolving cybersecurity requirements. Is Microsoft Sentinel SIEM going away? No. Microsoft is expanding Sentinel into an AI powered end-to-end security platform that includes SIEM and new platform capabilities - Security data lake, graph-powered analytics and MCP Server. SIEM remains a core component and will be actively developed and supported. Getting started What are the prerequisites for Sentinel data lake? To get started: Connect your Sentinel workspace to Microsoft Defender prior to onboarding to Sentinel data lake. Once in the Defender experience see data lake onboarding documentation for next steps. Note: Sentinel is moving to the Microsoft Defender portal and the Sentinel Azure portal will be retired by March 31, 2027. I am a Sentinel-only customer, and not a Defender customer. Can I use the Sentinel data lake? Yes. You must connect Sentinel to the Defender experience before onboarding to the Sentinel data lake. 
Microsoft Sentinel is generally available in the Microsoft Defender portal, with or without Microsoft Defender XDR or an E5 license. If you have created a Log Analytics workspace, enabled it for Sentinel and have the right Microsoft Entra roles (e.g. Global Administrator + Subscription Owner, Security Administrator + Sentinel Contributor), you can enable Sentinel in the Defender portal. For more details on how to connect Sentinel to Defender, review these sources: Microsoft Sentinel in the Microsoft Defender portal

In what regions is Sentinel data lake available?

For supported regions see: Geographical availability and data residency in Microsoft Sentinel | Azure Docs.

Is there an expected release date for Microsoft Sentinel data lake in GCC, GCC-H, and DoD?

While the exact date is not yet finalized, we plan to expand Sentinel data lake to the US Government environments.

How will URBAC and Entra RBAC work together to manage the data lake given there is no centralized model?

Entra RBAC will provide broad access to the data lake (URBAC maps the right permissions to specific Entra role holders: GA/SA/SO/GR/SR). URBAC will become a centralized pane for configuring non-global delegated access to the data lake. For today, you will use this for the “default data lake” workspace. In the future, this will be enabled for non-default Sentinel workspaces as well, meaning all workspaces in the data lake can be managed here for data lake RBAC requirements. Azure RBAC on the Log Analytics (LA) workspace in the data lake is respected through URBAC as well today. If you already hold a built-in role like Log Analytics Reader, you will be able to run interactive queries over the tables in that workspace. Or, if you hold Log Analytics Contributor, you can read and manage table data. For more details see: Roles and permissions in the Microsoft Sentinel platform | Microsoft Learn

Data ingestion and storage

How do I ingest data into the Sentinel data lake?
To ingest data into the Sentinel data lake, you can use existing Sentinel data connectors or custom connectors to bring data from Microsoft and third-party sources. Data can be ingested into the analytics tier or the data lake tier. Data ingested into the analytics tier is automatically mirrored to the lake (at no additional cost). Alternatively, data that is not needed in the analytics tier can be ingested directly into the data lake. Data retention is configured directly in table management, for both analytics retention and data lake storage.

Note: Certain tables do not support data lake-only ingestion via either API or data connector UI. See here for more information: Custom log tables.

What is Microsoft’s guidance on when to use analytics tier vs. the data lake tier?

Sentinel data lake offers flexible, built-in data tiering (analytics and data lake tiers) to effectively meet diverse business use cases and achieve cost optimization goals.

Analytics tier:

- Is ideal for high-performance, real-time, end-to-end detections, enrichments, investigation and interactive dashboards.
- Typically, high-fidelity data from EDRs, email gateways, identity, SaaS and cloud logs, threat intelligence (TI) should be ingested into the analytics tier.
- Data in the analytics tier is best monitored proactively with scheduled alerts and scheduled analytics to enable security detections.
- Data in this tier is retained at no cost for up to 90 days by default, extendable to 2 years.
- A copy of the data in this tier is automatically available in the data lake tier at no extra cost, ensuring a unified copy of security data for both tiers.

Data lake tier:

- Is designed for cost-effective, long-term storage.
- High-volume logs like NetFlow logs, TLS/SSL certificate logs, firewall logs and proxy logs are best suited for data lake tier.
- Customers can use these logs for historical analysis, compliance and auditing, incident response (IR), forensics over historical data, build tenant baselines, TI matching and then promote resulting insights into the analytics tier.
- Customers can run full Kusto queries, Spark Notebooks and scheduled jobs over a single copy of their data in the data lake.
- Customers can also search, enrich and promote data from the data lake tier to the analytics tier for full analytics.

For more details see documentation.

What does it mean that a copy of all new analytics tier data will be available in the data lake?

When Sentinel data lake is enabled, a copy of all new data ingested into the analytics tier is automatically duplicated into the data lake tier. This means customers don’t need to manually configure or manage this process; every new log or telemetry added to the analytics tier becomes instantly available in the data lake. This allows security teams to run advanced analytics, historical investigations, and machine learning models on a single, unified copy of data in the lake, while still using the analytics tier for real-time SOC workflows. It’s a seamless way to support both operational and long-term use cases—without duplicating effort or cost.

What is the guidance for customers using data federation capability in Sentinel data lake?

Starting April 1, 2026, federate data from Microsoft Fabric, ADLS, and Azure Databricks into Sentinel data lake. Use data federation when data is exploratory, infrequently accessed, or must remain at source due to governance, compliance, sovereignty, or contractual requirements. Ingest data directly into Sentinel to unlock full SIEM capabilities, always-on detections, advanced automation, and AI‑driven defense at scale. This approach lets security teams start where their data already lives — preserving governance, then progressively ingest data into Sentinel for full security value.

Is there any cost for retention in the analytics tier?
Analytics ingestion includes 90 days of interactive retention, at no additional cost. Simply set analytics retention to 90 days or less. Analytics retention beyond 90 days will incur a retention cost. Data can be retained longer within the data lake by using the “total retention” setting. This allows you to extend retention within the data lake for up to 12 years. While data is retained within the analytics tier, there is no charge for the mirrored data within the lake. Retaining data in the lake beyond the analytics retention period incurs additional storage costs. See documentation for more details: Manage data tiers and retention in Microsoft Sentinel | Microsoft Learn

What is the guidance for Microsoft Sentinel Basic and Auxiliary Logs customers?

If you previously enabled the Basic or Auxiliary Logs plan in Sentinel:

- You can view Basic Logs in the Defender portal but manage them from the Log Analytics workspace. To manage a Basic Logs table in the Defender portal, you must change the plan from Basic to Analytics. Once the table is transitioned to the analytics tier, if desired, it can then be transitioned to the data lake.
- Existing Auxiliary Log tables will be available in the data lake tier for use once the Sentinel data lake is enabled. Billing for these tables will automatically switch to the Sentinel data lake meters.

Microsoft Sentinel customers are advised to start planning their data management strategy with the data lake. While Basic and Auxiliary Logs are still available, they are not being enhanced further. Sentinel data lake offers more capabilities at a lower price point. Please plan on onboarding your security data to the Sentinel data lake. Azure Monitor customers can continue to use Basic and Auxiliary Logs for observability scenarios.

What happens to customers that already have Archive logs enabled?
If a customer has already configured tables for Archive retention, existing retention settings will not change and will be automatically inherited by the Sentinel data lake. All data, including existing data in archive retention, will be billed using the data lake storage meter, benefiting from 6x data compression. However, the data itself will not move.

- Existing data in archive will continue to be accessible through Sentinel search and restore experiences:
  o Data will not be backfilled into the data lake.
  o Data will be billed using the data lake storage meter.
- New data ingested after enabling the data lake:
  o Will be automatically mirrored to the data lake and accessible through data lake explorer.
  o Data will be billed using the data lake storage meter.

Example: If a customer has 12 months of total retention enabled on a table, 2 months after enabling ingestion into the Sentinel data lake, the customer will still have access to 10 months of archived data (through Sentinel search and restore experiences), but access to only 2 months of data in the data lake (since the data lake was enabled).

Key considerations for customers that currently have Archive logs enabled:

- The existing archive will remain, with new data ingested into the data lake going forward; previously stored archive data will not be backfilled into the lake.
- Archive logs will continue to be accessible via the Search and Restore tab under Sentinel.
- If analytics and data lake mode are enabled on a table, which is the default setting for analytics tables when Sentinel data lake is enabled, all new data will be ingested into the Sentinel data lake. There will only be one storage meter (which is data lake storage) going forward. Archive will continue to be accessible via Search and Restore.
- If Sentinel data lake-only mode is enabled on a table, new data will be ingested only into the data lake; any data that’s not already in the Sentinel data lake won’t be migrated/backfilled.
Only data that was previously ingested under the archive plan will be accessible via Search and Restore.

What is the guidance for customers using Azure Data Explorer (ADX) alongside Microsoft Sentinel?

Some customers might have set up an ADX cluster for their DIY lake setup. Customers can choose to continue using that setup and gradually migrate to Sentinel data lake for new data that they want to manage. The lake explorer will support federation with ADX to enable customers to migrate gradually and simplify their deployment.

What happens to the Defender XDR data after enabling Sentinel data lake?

By default, Defender XDR tables are available for querying in advanced hunting, with 30 days of analytics tier retention included with the XDR license. To retain data beyond this period, an explicit change to the retention setting is required, either by extending the analytics tier retention or the total retention period. You can extend the retention period of supported Defender XDR tables beyond 30 days and ingest the data into the analytics tier. For more information see Manage XDR data in Microsoft Sentinel. You can also ingest XDR data directly into the data lake tier. See here for more information. The XDR advanced hunting tables supported by Sentinel are documented here: Connect Microsoft Defender XDR data to Microsoft Sentinel | Microsoft Learn.

KQL queries and jobs

Are KQL and Notebooks supported over the Sentinel data lake?

Yes, via the data lake KQL query experience along with a fully managed Notebook experience which enables Spark-based big data analytics over a single copy of all your security data. Customers can run queries across any time range of data in their Sentinel data lake. In the future, this will be extended to enable SQL queries over the lake as well.

Note: Triggering a KQL job directly via an API or Logic App is not yet supported but is on the roadmap.

Why are there two different places to run KQL queries in the Sentinel experience?
Advanced hunting queries both XDR and analytics tables, with compute cost included. Data lake explorer only queries data in the lake and incurs a separate compute cost. Consolidating advanced hunting and KQL explorer user interfaces is on the roadmap. This will provide security analysts a unified query experience across both analytics and data lake tiers.

Where is the output from KQL jobs stored?

Output from KQL jobs is written into existing or new custom tables in the analytics tier.

Is it possible to run KQL queries on multiple data lake tables?

Yes, you can run KQL interactive queries and jobs using operators like join or union.

Can KQL queries (either interactive or via KQL jobs) join data across multiple workspaces?

Security teams can run multi-workspace KQL queries for broader threat correlation.

Pricing and billing

How does a customer pay for Sentinel data lake?

Billing is automatically enabled at the time of onboarding based on Azure Subscription and Resource Group selections. Customers are then charged based on the volume of data ingested, retained, and analyzed (e.g. KQL Queries and Jobs). See Sentinel pricing page for more details.

What are the pricing components for Sentinel data lake?

Sentinel data lake offers a flexible pricing model designed to optimize security coverage and costs. At a high level, pricing is based on the volume of data ingested/processed, the volume of data retained, and the volume of data processed. For specific meter definitions, see documentation.

How does the business model for Sentinel SIEM change with the introduction of the data lake?

There is no change to the existing Sentinel analytics tier ingestion business model. Sentinel data lake has separate meters for ingestion, storage and analytics.

What happens to the existing Sentinel SIEM and related Azure Monitor billing meters when a customer onboards to Sentinel data lake?

When a customer onboards to the Sentinel data lake, nothing changes with analytics ingestion or retention.
Customers using data archive and Auxiliary Logs will automatically transition to the new data lake meters.

How does data lake storage affect cost efficiency for high volume data retention?

Sentinel data lake offers cost-effective, long-term storage with uniform data compression of 6:1 across all data sources, applicable only to data lake storage. Example: For 600GB of data stored, you are only billed for 100GB compressed data. This approach allows organizations to retain greater volumes of security data over extended periods cost-effectively, thereby reducing security risks without compromising their overall security posture.

How is “Data Processing” billed?

To support the ingestion and standardization of diverse data sources, the Data Processing feature applies a $0.10 per GB (US East) charge for all data ingested into the data lake. This feature enables a broad array of transformations like redaction, splitting, filtering and normalization. The data processing charge is applied per GB of uncompressed data.

Note: For regional pricing, please refer to the “Data processing” meter within the Microsoft Sentinel Pricing official documentation.

Does “Data processing” meter apply to analytics tier data mirrored in the data lake?

No. Data processing charge will not be applied to mirrored data. Data mirrored from the analytics tier is not subject to either data ingestion or processing charges.

How is retention billed for tables that use data lake-only ingestion & retention?

Sentinel data lake decouples ingestion, storage, and analytics meters. Customers have the flexibility to pay based on how data is retained and used. For tables that use data lake‑only ingestion, there is no included free retention—unlike the analytics tier, which includes 90 days of analytics retention. Retention charges begin immediately once data is stored in the data lake.
Data lake storage billing is based on compressed data size rather than raw ingested volume, which significantly reduces storage costs and delivers lower overall retention spend for customers.

Does data federation incur charges?

Data federation does not generate any ingestion or storage fees in Sentinel data lake. Customers are billed only when they run analytics or queries on federated data, with charges based on Sentinel data lake compute and analytics meters. This means customers pay solely for actual data usage, not mere connectivity.

How do I understand Sentinel data lake costs?

Sentinel data lake costs are driven by three primary factors: how much data is ingested, how long that data is retained, and how the data is used. Customers can flexibly choose to ingest data into the analytics tier or data lake tier, and these architectural choices directly impact cost. For example, data can be ingested into the analytics tier—where commitment tiers help optimize costs for high data volumes—or ingested directly into the Sentinel data lake for lower‑cost ingestion, storage, and on‑demand analysis. Customers are encouraged to work with their Microsoft account team to obtain an accurate cost estimate tailored to their environment. See Sentinel pricing page to understand Sentinel pricing.

How do I manage Sentinel data lake costs?

Built-in cost management experiences help customers with cost predictability, billing transparency, and operational efficiency.

- Reports provide customers with insights into usage trends over time, enabling them to identify cost drivers and optimize data retention and processing strategies.
- Set usage-based alerts on specific meters to monitor and control costs. For example, receive alerts when query or notebook usage passes set limits, helping avoid unexpected expenses and manage budgets.

See our Sentinel cost management documentation to learn more.

If I’m an Auxiliary Logs customer, how will onboarding to the Sentinel data lake affect my billing?
Once a workspace is onboarded to Sentinel data lake, all Auxiliary Logs meters will be replaced by new data lake meters.

Do we charge for data lake ingestion and storage for graph experiences?

Microsoft Sentinel graph-based experiences are included as part of the existing Defender and Purview licenses. However, Sentinel graph requires Sentinel data lake and specific data sources to build the underlying graph. Enabling these data sources will incur ingestion and data lake storage costs.

Note: For Sentinel SIEM customers, most required data sources are free for analytics ingestion. Non-entitled sources such as Microsoft Entra ID logs will incur ingestion and data lake storage costs.

How is Entra asset data and ARG data billed?

Data lake ingestion charges of $0.05 per GB (US East) will apply to Entra asset data and ARG data.

Note: This was previously not billed during public preview and has been billed since data lake GA. To learn more, see: https://learn.microsoft.com/azure/sentinel/datalake/enable-data-connectors

When a customer activates Sentinel data lake, what happens to tables with archive logs enabled?

To simplify billing, once the data lake is enabled, all archive data will be billed using the data lake storage meter. This provides consistent long-term retention billing and includes automatic 6x data compression. For most customers, this change results in lower long‑term retention costs. However, customers who previously had discounted archive retention pricing will not automatically receive the same discounts on the new data lake storage meters. In these cases, customers should engage their Microsoft account team to review pricing implications before enabling the Sentinel data lake.

Thank you

Thank you to our customers and partners for your continued trust and collaboration. Your feedback drives our innovation, and we’re excited to keep evolving Microsoft Sentinel to meet your security needs.
If you have any questions, please don’t hesitate to reach out—we’re here to support you every step of the way.

Learn more:

- Get started with Sentinel data lake today: https://aka.ms/Get_started/Sentinel_datalake
- Microsoft Sentinel AI-ready platform: https://aka.ms/Microsoft_Sentinel
- Sentinel data lake videos: https://aka.ms/Sentineldatalake_videos
- Latest innovations and updates on Sentinel: https://aka.ms/msftsentinelblog
- Sentinel pricing page: https://aka.ms/MicrosoftSentinel_Pricing

Sentinel Foundry - MCP Server (Preview) (GitHub Community Release)
I’ve been cooking something that a lot of people in SOC have been struggling with — especially on the engineering side of Microsoft Sentinel. Thanks to the Microsoft Security team for shaping the capabilities of Sentinel even better with Sentinel Data Lake & Modern SecOps. Today’s the day I can finally share it.

Note: This is not an official Microsoft product, but it is designed to make the Sentinel Build even better (complement) with much more intelligence.

🚀 Sentinel Foundry is now in public preview with 43 tools. (Sentinel Foundry - MCP Server)

It’s an MCP server built to act like the brain of a strong Sentinel engineer — helping make building, improving, and operating Sentinel far more practical, faster, and honestly more enjoyable.

For a lot of teams, the challenge is not understanding what Sentinel can do. The hard part is the engineering work around it:

-> Deciding what data should actually be ingested
-> Building a clean, scalable Sentinel foundation
-> Writing useful detections instead of noisy ones
-> Balancing security value with cost
-> Turning ideas into deployable engineering outputs

That is exactly why I built Sentinel Foundry to help communities grow stronger. It helps with the real engineering tasks behind Sentinel — from architecture thinking to detection design, deployment planning, ingestion strategy, automation ideas, and many of the workflows outlined in the GitHub project.

How does it work?

Here’s one of the flagship prompts I ran with it: “Give me a complete security posture report for our workspace. Score each pillar and tell me what to prioritise.” And within seconds, it produced a structured engineering blueprint that would normally take a lot longer to pull together manually.
You can see the example prompts here in what it can do: https://github.com/prabhukiranveesam/Sentinel-Foundry#what-can-it-do

I want building Sentinel to feel less like repetitive engineering overhead — and more like real security engineering that is fast, creative, and enjoyable. If you work with Sentinel as a SOC L2 analyst, engineer, detection engineer, consultant, or architect, I’d genuinely love for you to try it and tell me what you think.

🔗 Public Preview: https://github.com/prabhukiranveesam/Sentinel-Foundry

This is just the start of an AI era — and I’m excited to keep shaping it with more powerful features over the coming days. This is very easy to set up and will be available to all of you at no cost during this month as part of the public preview, and your feedback is extremely valuable to shape this as a powerful solution.