What's new in Viva Insights
As we move further into 2026, we’re excited to announce a variety of new powerful tools and reporting capabilities for Viva Insights that make it easier to understand how your organization's adoption and use of Microsoft 365 Copilot compares to other uses of it both within and outside your company. You can also now learn more about the adoption and impact of agents built in Microsoft Copilot Studio, and there are new functionalities to share and customize reports more broadly across your organization. Let's dive in. Agent Dashboard We’re thrilled to announce the initial rollout of the Agent Dashboard, a powerful new functionality for the Viva Insights web app that provides leaders and analysts with actionable insights into agent adoption. With this new dashboard, users can dive into Copilot Credit usage – which measures how agents are used – and identify opportunities to optimize and track agent adoption over time. To start, the dashboard covers adoption metrics aggregated at the user level for agents used within Microsoft 365 Copilot. Read more about the Agent Dashboard here on the Microsoft 365 Copilot blog. The Agent Dashboard is currently rolling out to public preview customers only. When you’re ready to start using it, learn how using our guide on MS Learn. Benchmarks in Copilot Dashboard The Copilot Dashboard has been focused on providing actionable insights into Copilot readiness, adoption, and impact trends for specific groups within the organization. Now, with benchmarks in the Copilot Dashboard, users can also see how their adoption compares to others, either within their organization, or with other companies. Benchmarks in the Copilot Dashboard provide context around Copilot adoption trends, so users can compare usage across internal cohorts, or see how their adoption of Copilot compares to similar organizations. Read more about benchmarks in the Copilot Dashboard here on the Microsoft 365 Copilot blog. 
Export Copilot metrics from the Copilot Dashboard We’re excited to introduce the initial public preview rollout of Copilot metrics export from the Copilot Dashboard. This new capability gives organizations greater flexibility to analyze the usage of both Microsoft 365 Copilot and Copilot Chat beyond the dashboard across the past six months at the de-identified user level, with user identifiers removed. With this export tool, leaders and analysts with access to the global scope dashboard can download the data directly to support Copilot initiatives, such as tracking adoption and usage trends over time, or combining it with other data sources for custom analysis and reporting. Learn more about how to use the export feature on MS Learn. Launch of Copilot Studio agents report In an exciting expansion of our reporting tools measuring the adoption and impact of Microsoft 365 Copilot, the Copilot Studio agents report is now broadly available. This powerful new Power BI template allows users to learn more about the impact of agents built in Microsoft Copilot Studio, and how they're deployed across channels in the organization. This report can help users answer questions like: What are the top agents being used? What are top agents' high-level KPIs, like sessions, satisfaction scores, and success rates? What is the impact of individual agents (conversational and autonomous), such as the split of engaged sessions and topics against actions and triggers distribution, as well as maker-led inputs? The report provides insights about agents built in Microsoft Copilot Studio that are deployed across a variety of channels, including Microsoft Teams and Microsoft 365 Copilot, Facebook, mobile apps, and custom and demo websites. To learn more about the report and how to run it, refer to our guide on MS Learn.
New ability to customize out-of-the-box Power BI reports Existing tools for Power BI template reports in the Viva Insights web app allow users to customize their reports for their organization's needs, through their selection of filters, metrics, and organizational attributes. Now, an expanded toolkit allows Viva Insights analysts to further customize out-of-the-box Power BI reports to make them even more relevant to their organization. With these new tools, analysts can, for example: add new visualizations, text boxes, and graphics; change the report's filters; add, rename, and rearrange report pages; and save and delete your customized reports. Users can now customize pre-built Power BI reports such as the Copilot Studio agents or Copilot for Sales adoption reports, but not custom queries such as Person queries or Meeting queries. Users can also customize any queries that they or other analysts in their organization have previously run. To learn how to customize out-of-the-box reports, please see our guide on MS Learn.

What’s New in Microsoft Teams | Microsoft Ignite 2025
Welcome to What’s new in Teams, Ignite 2025 edition! This year at Microsoft Ignite we’re excited to share all the ways that Teams + Copilot are amplifying collaboration, automating workflows, and enhancing productivity. With Copilot and agents in chats, meetings, and channels, Teams and Copilot together provide a powerful solution. One new feature I’m excited to share is Teams Mode for Microsoft 365 Copilot. This powerful new capability lets you bring coworkers into your Copilot conversations, essentially turning an individual AI chat into a shared, group AI collaboration. You can choose which messages you’d like to share with the group; any prompts or responses not selected are kept private. Then, your team can brainstorm and create with Copilot together, with everyone able to ask questions and see suggestions in a group chat. Copilot is also now seamlessly integrated into Teams channels and chats, so you can ask it to recap lengthy conversation threads, extract decisions and tasks, or answer questions based on the conversation context – a huge time saver for your busy schedule. We’re also proud to announce new enhancements to Channel Agent, Facilitator, and meeting recap notes that make them even more powerful and useful. Channel agents can generate status reports and workback plans – keeping your team on track. Facilitator can recognize when you share an agenda in the chat and use it to generate a meeting progress bar, ping meeting invitees who’ve been mentioned twice but not joined yet, and draft documents during your meeting. Meeting recaps are now more versatile too. You can choose from a variety of templates or customize your own to fit your team’s style. All of the new Teams + Copilot features debuting at Ignite 2025 underline a simple message: AI in Teams is driving tangible improvements that can help you and your team achieve more together. So read on for a look at all of the new features being released this month! 
Feature categories: (All features listed are generally available unless otherwise noted) Chat and Collaboration Platform Meetings, webinars, and townhalls Teams Phone Fundamentals and Security Frontline Worker Solutions Certified for Teams devices Chat and Collaboration Copilot experience in Teams The Copilot experience in Teams is being unified across chats, channels, and meetings for users with a Microsoft 365 Copilot license, matching the experience in the Microsoft 365 Copilot app. Beyond the updated interface, Copilot in Teams can analyze chat history, meeting transcripts, and calendar content to generate smart recaps, rewrite messages, and surface relevant insights. Whether reviewing a thread or following up after a call, Copilot delivers context-aware summaries and suggestions based on your activity and goals. This experience is now generally available for chat and channels, and is rolling out to public preview for meetings. Teams Mode for Copilot [Public preview] Teams Mode for Microsoft 365 Copilot is a simple, secure way to bring your co-workers into Copilot conversations, turning individual AI chats into group AI chats in Microsoft Teams. Now, the same Copilot you use for individual work supports group work as well. When you’d like to extend your 1:1 Copilot conversation into a group conversation, select “start a group chat” in the top-right corner of the Microsoft 365 Copilot app. This creates a group chat in Teams with your colleagues and Copilot, making it easy for others to build on your work. You choose which messages you’d like to bring forward to the group, ensuring any prompts or responses you don’t want to share are kept private. You can also add Copilot to any existing Teams group chat, just like adding a teammate, to help your team research, draft, coordinate, and complete tasks with AI. Then, within the chat, each member of the group can request help from Copilot by typing copilot in the group chat and making their request. 
Now in public preview. See Introducing Teams Mode for Microsoft 365 Copilot for more details. Enhancements to Channel Agent [Public preview] Each channel can have a Channel Agent that draws on its conversations, files, and meetings to act as a domain expert for the team. These agents adopt the channel’s name and help with common tasks – for example, flagging important deadlines that are buried in conversations, and summarizing progress with succinct status reports. Channel Agent is available with a Copilot license. New enhancements now available in public preview: Status report update: stay on top of projects by at-mentioning the agent with queries like “create a status report.” Status reports will now post directly in the channel for all users. Workback Plan: share your objective and deadline with the agent, and it will automatically create a sequenced list of tasks with due dates. You can review and adjust the plan before tasks are added to Planner, making project planning simple and collaborative. Enhancements to external collaboration [Public preview] We've reimagined external collaboration in Teams to make it easier and more secure to connect with partners, vendors, and customers. These new features are designed to reduce friction, increase security, and enhance how you work with people outside your organization, while helping admins manage external collaboration. These features are now in public preview. Chat with anyone: users in SMB organizations can start a conversation from Teams with anyone using just their email address, even if they’re not on Teams. Whether you're working with a vendor, client, or partner, simply type their email, send your message, and they’ll receive an invitation to join the chat as a guest. From there, they can both reply and start a call—just like they would if they were part of your organization. And because this experience is built on Teams’ existing guest access framework, IT admins retain control.
External access policies, multifactor authentication, and organizational compliance settings are respected. Sharing a file or a Loop: Now you can share a file or a Loop component in an external chat. Whether you drag and drop, attach from your device, or paste a link, Teams recognizes the file, unfurls it in the compose box and shares it with the chat participants when you send the message. You can also adjust permissions before sending. As a recipient, you can now view the content right from the chat - no account switching required. Sharing is controlled by an admin toggle, which is off by default, giving organizations flexibility to enable or disable external sharing as needed. Trust Indicators: External users are now labeled with clear trust indicators, helping users quickly assess who they’re working with. Group chats and Meeting chats that have external users are also marked as External to drive clarity and security. Labels include external-familiar, external-unfamiliar, guest, or unverified. Activity in other accounts and organizations: users can view and respond to activity across multiple tenants without switching accounts. You can triage notifications, reply to chats, and pin tenants to the left rail for quick access. This reduces context switching and makes cross-org collaboration feel native—especially useful for users working with multiple vendors or clients. Admin Presets: Admins have access to a new overview page in the Teams admin center under the external collaboration section. This page allows admins to review and modify their organization's external collaboration settings. To make changes, admins can use a guided flow and select either the open or controlled preset modes, or choose to customize the settings. Pop out your core Teams functions into a new window [Public preview] You can now organize your work environment to fit your needs by opening Teams chat, calls, calendar, activity, and more in separate windows. 
This gives you the flexibility to multitask and organize your workspace the way you want. Whether you're catching up on chats while reviewing call history or managing notifications alongside your calendar, this update helps you stay productive without switching tabs. Just right-click an app icon or use the app flyout to pop it out into its own window. Forwarded Messages Links When someone forwards a message in Teams, you'll now be able to click a link that takes you straight to the original chat or channel where it came from. Note: the link works only if the recipient has access to the original conversation. This enhancement improves message traceability and helps users quickly understand the context of forwarded messages. Search in Teams Settings Teams now has a new search bar at the top of its Settings menu to help you quickly find any setting by name. Just type a keyword (like “Notifications” or “Dark mode”) to jump straight to that option without digging through menus. This saves time and makes adjusting your settings faster and easier. Collaborative space in chat and channels A persistent collaborative space is now available directly from your Teams chat and channels, helping you organize key information, co-create content, and reduce message clutter. Pages in channels are flexible collaboration pages. You can add as many pages as you need to your channels. You can also add existing Loop components or pages as their own tabs, making it easy to centralize work and keep everyone aligned. Notes in chat is available in 1:1 and group chats and is accessible only to the chat members. Use this editable collaborative space effectively by adding images, formatting text, sharing Loop components, and @mentioning chat members when you require their attention. Emojis in section names You can now choose an emoji to accompany section names in your chats and channels list, helping you organize content with a splash of personality. 
Whether it’s a smiley for your “Fun Projects” section or a star for “Priority Tasks,” emojis make navigation easier and more engaging, so your sections stand out at a glance. Platform Channel agents in Teams connect to Asana, Atlassian, GitHub [Public preview] Channel Agent can now connect with Asana, Atlassian, and GitHub via MCP server to execute workflows on the behalf of users. By unlocking the power of agent to MCP server communication, agents can now handle more complex tasks that involve subjects outside of their domain so they can seamlessly coordinate tasks, bridge gaps between tools, and accelerate complex projects. Security and Compliance information for more Apps and Agents Today, IT admins in the Teams admin center can view security and compliance data for apps and agents that are Microsoft 365 certified or publisher attested. This enhancement expands that visibility to include apps and agents that are not certified or attested. Where available, this data is sourced from Microsoft Defender for Cloud Apps (MDA) and helps admins more easily and quickly evaluate whether an app or agent meets their organization’s trust requirements. Agent and bot support for Entra authentication in group chats Agents and bots in group chats can now use Entra for secure authentication. If an agent/bot needs your Entra token in a group chat and you haven’t installed the agent/bot or granted permission yet, you’ll receive a private message that only you can see. This message will guide you through installing the Teams app and granting Entra permission, making the process simple and secure. Once you’ve completed both steps, the agent/bot will be able to access the permissions it needs—such as Microsoft Graph—so you can get the full experience without any hassle. This update gives you more control over your permissions and makes it easier for agents/bots to work smoothly in group chats. 
Permission and privilege level of Apps and Agents IT admins can now see which permissions an app or agent requires in the Teams admin center, along with each permission risk rating and the app's overall privilege level. This helps admins protect organizational data and make quicker, more informed approval choices. Speed up app reviews with trust-based filters Trust-based filters enable IT Administrators using Teams admin center to view and easily filter apps and agents by specific industry standards, certifications and compliance attributes such as SOC 2, ISO 27001, HIPAA, GDPR, and more. This will help to streamline app evaluation workflows, enabling broader access to trusted apps across the organization. Performance Audit Tool on Teams Mobile Performance Report is a mobile-first, self-serve tool that gives developers instant visibility into critical performance metrics such as app load latency, app package size, content paint times and more, alongside actionable guidance on Teams best practices. By surfacing these performance indicators with recommended thresholds, this tool streamlines diagnostics, ensures consistent benchmarking, and helps deliver higher-quality Teams Mobile apps—all on the go. Agent Analytics and App Validation Enhancements in Developer Portal The Developer Portal is expanding analytics coverage for custom engine agents to help developers track adoption and engagement with real-time insights, providing key metrics to refine and optimize agent performance. You can also validate your agent and apps in Developer Portal with new AI insights helping resolve common bugs prior to publishing. Meetings, webinars, and town halls Enhancements to Facilitator Agent Earlier this year, we introduced Facilitator to help teams run meetings that stay focused, productive, and on track. Today, we’re taking that a step further with a new set of skills designed to help your team stay aligned without extra effort. 
These updates combine richer context awareness with proactive support, so your team can move faster without juggling extra tools or tasks. Here’s what’s new: Facilitator can now recognize an agenda shared directly in the meeting chat, in addition to the meeting invite and meeting notes. Once detected, it automatically builds a live progress tracker at the top of the meeting, giving everyone a shared sense of where they are and what’s next. Now generally available. If someone who’s invited hasn’t joined yet, and their name comes up twice in conversation, the agent politely pings them in chat and nudges them to hop in, helping you bring the right people into the discussion at the right time. Coming next quarter. And when it’s time to turn discussion into action, you can ask Facilitator to draft documents in Word or Loop based on what was said in the meeting. It can shape the conversation into whatever output you need, whether that’s a blog, a whitepaper, or a project brief, helping your team turn ideas into action faster. This capability is currently in public preview and will be generally available in early December. As tasks are mentioned, the agent captures and assigns them. You can also direct it through chat to add, update, or reassign tasks. This capability is currently in public preview and will be generally available in early December. These new skills build on our commitment to make meetings smarter, smoother, and more collaborative, with AI that works alongside you and your team every step of the way. Meeting recap templates Staying aligned after a meeting shouldn’t mean settling for a one-size-fits-all recap. With our new customizable recap templates, you can shape your AI-generated notes to match exactly how your team works. Choose from two ready-made templates, a Speaker Summary that organizes insights by participant, or an Executive Summary that highlights key takeaways at a glance. 
And for teams who prefer their own style, you can design custom templates using a simple free-text prompt: just describe the structure you want—even paste in a format you’ve used before—and your AI notes will instantly adapt. You can also save your custom templates for future reuse, giving every meeting the same level of clarity, consistency, and efficiency. Available in public preview on both desktop and mobile in December. Branded reactions [Private preview] Visual identity shapes how your organization shows up. Whether it's a client presentation, an internal milestone, or a seasonal event, the right visuals set the tone and reinforce your brand. With new branded reactions, organizations can now extend their visual identity directly into meetings. IT admins simply upload custom reaction icons reflecting brand elements or event themes, and these instantly become available for meeting participants. Every clap, thumbs-up, or celebration now aligns with your organization's look and feel. A simple way to create more cohesive, on-brand meeting experiences. Branded reactions will be available in private preview in December. Screen & Window Sharing on Mac via Mac OS Native Picker Mac users can now share their screen or specific windows using the standard native picker experience. By opting in through settings, users can enjoy a fully integrated sharing flow that leverages macOS’s default desktop interface—ensuring a familiar, secure, and streamlined experience. Enhancements to Teams Town hall Recent updates to Teams Town hall make it easier than ever for organizers to create professional and polished experiences that engage audiences. Enhanced presenter controls, integrated Q&A and polls, and robust moderation tools ensure smooth delivery, while advanced production capabilities, like custom branding and rich layouts, help elevate the look and feel of a town hall. 
New experiences for town hall in Microsoft Teams Rooms help foster collaboration whether participants join in-person or remotely. For more information on Teams town hall, click here to learn more. Front-of-room view control for Town Hall in Teams Rooms on Android When a Teams Rooms on Android is invited as a meeting presenter, the front-of-room display defaults to the attendee view. Presenters always have full control from the console, including green room and off-stage management, and can switch the front-of-room display to presenter view without impacting attendees. This feature was released for Teams Rooms on Windows in October 2025. Available in Teams Rooms Pro. Learn more here. Teams Town hall insights – Presenter analytics Presenter analytics for town hall provides organizers with visibility into the health of the presenter’s stream, providing insights covering video quality, audio clarity, and connection stability. Whether it’s a town hall, live training session, or an all-hands meeting, organizers can now proactively ensure presenters deliver their content without interruptions, boosting confidence and elevating the attendee experience. Presenter analytics is generally available today for all town hall organizers with a Teams Premium license. Immersive events in Teams Immersive events in Teams allow organizers to host customizable 3D events where people can connect, interact as avatars, and have natural conversations. This experience is now generally available and has additional new features to enhance user experience. Immersive event attendees and presenters can now join from Meta Quest VR headsets, enabling full 360-degree immersion. Immersive events are also easier to participate in and navigate thanks to text-to-speech and keyboard navigation in event instances. 
Teams Phone Microsoft 365 Copilot chat in Calls app post-calling experience [Public Preview] The post-call Copilot experience for Teams Phone on desktop and in mobile is now powered by Microsoft 365 Copilot Chat. After a call ends, users can open Microsoft 365 Copilot Chat as a side panel in the Teams ‘Calls’ app to generate summaries, surface key insights, and get suggested next steps. By using data from Microsoft Graph and the web—not just the call transcript—Microsoft 365 Copilot Chat delivers responses that are more personalized, relevant, and actionable, helping users quickly move from conversation to follow-up. Teams mobile: Shared call line pickup indicators Delegates can resume a Teams Phone call placed on hold from any shared line directly from Teams on their mobile phone. Clear line labels and “answered/resumed by” indicators show who is handling the call and from which line, so teammates can step in to resume a call on hold without confusion. For example, in a retail store, if a customer call is put on hold at the front desk, a floor associate can pick it up from their mobile device, ensuring the customer doesn’t wait long and the call isn’t abandoned. This helps teams keep calls moving and maintain service continuity across shifts. Set Teams Mobile as Your Default Calling App We’re making it easier for Teams Phone users to stay connected and productive on the go. With this update, you can now set Teams mobile as your iPhone’s default calling app. This means every call you initiate—from Contacts, Call History, or any app—will automatically route through Teams mobile instead of the native dialer. For organizations with regulatory requirements, this capability supports more calls occurring under the enterprise-grade security and compliance policies set up for Teams. 
Fundamentals and Security Copilot in Teams admin center Copilot in Teams admin center streamlines administrative tasks like setting up protected meetings or confirming who has a phone number assigned, provides insights into policy configurations and call quality, and recommends configurations to optimize Teams. It empowers IT admins to troubleshoot issues, save time, and enhance the overall Microsoft Teams experience. Teams Admin Agent in Teams admin center [Now in Technical Acceptance Program (Coming soon to TAP)] The Teams Admin Agent delivers AI-powered assistance to simplify admin tasks, automate workflows, and provide actionable insights—helping IT teams manage Teams environments efficiently and confidently. This feature is currently in the Technical Acceptance program. Meeting troubleshooting enhancements [Public Preview] Administrators can quickly diagnose and resolve meeting and call issues with a simplified troubleshooting flow in Teams admin center. This experience provides clear guidance, actionable insights, and detailed telemetry to pinpoint quality problems—helping IT teams restore performance faster and keep collaboration running smoothly. Meeting best practice configurations [Public Preview] Now in Teams admin center, administrators can monitor which locations and users are experiencing meeting quality issues caused by unoptimized Virtual Desktop Infrastructure (VDI) setups. By pinpointing these VDI-related problem areas, IT can take targeted action to optimize configurations—ensuring smoother, high-quality audio and video in meetings across the organization. Tenant-Owned Domain Impersonation Protection for Teams Messaging [Public Preview] Own domain Impersonation Detection in Teams helps protect users from spoofed domains by analyzing sender identity and domain authenticity in real time, alerting users to suspicious activity and reducing phishing risks across messaging. 
New VDI solution for Teams optimization in Amazon WorkSpaces [Public Preview] The New VDI solution for Teams introduces multimedia offloading and optimization solution for Microsoft Teams when running in Amazon WorkSpaces (Personal and Pooled). Users of the WorkSpaces Client for Windows can enjoy a high-definition experience in virtual desktops, where audio/video/screensharing are offloaded to the user's device and processed by the SlimCore media engine. This entry applies to WorkSpaces only. AppStream, a separate application streaming service, is not supported. Weaponizable File Type Protection for Teams chat and channels Security in Teams chat and channels just got stronger, with increased protection against malware and other file-based attacks. With weaponizable file type protection, Teams now automatically detects and blocks file types that could pose a security risk—such as executable or script-based files—before they reach your chat or channel. This proactive safeguard helps keep your organization’s data and conversations secure, without disrupting collaboration. Malicious URL Protection for Teams chat and channels Microsoft Teams is introducing enhanced protection against phishing attacks by detecting and warning users about malicious URLs shared in Teams chats and channels. This feature helps users make safer decisions before clicking potentially harmful links. It is on by default for users of Teams for Windows desktop, Teams for Mac desktop, Teams for the web, and Teams for iOS/Android. User reporting for incorrectly identified security concerns We’re giving users more control over security alerts in Teams. With user reporting for incorrectly identified security concerns, you can now flag false positives directly from your chat or channel. This feedback helps improve detection accuracy while ensuring your conversations stay secure without unnecessary interruptions. 
This feature is available in one-on-one chats, group and meeting chats, as well as public and private channels. Teams in the Windows Jump List experience On Windows, the Jump List in the taskbar provides quick access to key Teams actions. Now you can instantly view and join ongoing or upcoming meetings, schedule new meetings, or start a chat—all without opening the full app. Menu bar extension for meetings for Mac The Teams Mac menu bar extension lets users view and join imminent meetings directly from the menu bar, streamlining access to daily schedules and chats. With instant meeting visibility and join options, the menu bar extension boosts productivity and engagement, reflecting user feedback and supporting efficient workflows for busy professionals. Intelligent App shortcuts and workflows for Mac Teams now integrates with macOS Spotlight and Shortcuts, enabling users to quickly start chats and meetings. This unlocks advanced AI-powered workflows, streamlines daily tasks, and showcases Teams’ commitment to seamless, native Mac experiences for power users. Screen sharing improvement for Mac [Public Preview] Teams for Mac OS 15 (Sequoia) introduces Native Picker integration for screen sharing, streamlining permissions approvals. Users benefit from seamless sharing and Presenter Preview, while maintaining privacy and compliance with Apple’s new model—improving usability and satisfaction for Mac users in video meetings. Frontline Worker Solutions BYOD (Bring your own device) Simplify frontline onboarding on personal devices with the Teams BYOD Onboarding Wizard. Workers can use this self-serve, web-based onboarding wizard on shared PCs and kiosks for a guided experience that helps them easily set up the Teams mobile app on their personal device in compliance with organizational security policies. 
Reduce the need for manager assistance and IT support and deliver a low-friction experience that helps save time, cut IT overhead, and accelerate adoption, so frontline teams stay connected from day one. Pilots Kickstart frontline innovation with the Frontline Hub in Teams admin center. Create pilots in just a few clicks—choose the capabilities you want to test, select workers and managers, and monitor adoption through real-time usage insights. With built-in management controls, you can easily iterate as you learn: adjust features, update participants, and expand channels—all without slowing down your rollout. Teams Devices and Peripherals Yealink MP66W Wi-Fi based Teams device The MP66W Wi-Fi based wireless Teams device gives you the freedom to connect wherever work takes you. Designed for organizations with a mobile workforce, the Yealink MP66W wireless Teams device enhances wireless communication for the modern workplace. Currently undergoing certification as a Teams Device, this will be one of the industry’s first Wi-Fi-enabled wireless devices for Microsoft Teams, delivering greater mobility and reliability for frontline and hybrid workers. Built with a durable casing for demanding environments, such as construction job sites, it enables native Teams wireless calling—your desk is wherever there’s Wi-Fi. AI-powered noise cancellation ensures clear conversations even in noisy settings, and its long-lasting battery keeps you powered through extended shifts. Plus, an action button that can be configured to meet your organization's needs. MAXHUB XBar W70 The MAXHUB XBar W70 Kit with console is a flagship Windows-based Teams videobar engineered for small to medium rooms. It features the industry-first MAXHUB Quad Sight lens with up to 200MP clarity, 16 beamforming microphones, AI-enhanced audio and video, and FlexMount for effortless installation. Out of the box, W70 Kit pairs with a dedicated Teams console for intuitive room control and seamless Teams integration.
Built for enterprise scalability, W70 Kit supports extension to third-party AV devices and includes 3-year service coverage with remote management via MAXHUB Pivot — simplifying deployment and ongoing maintenance for IT teams. Owl Labs Lenovo & Owl Labs Microsoft Teams Rooms Bundles - ThinkSmart Core + IP or USB Controller Kit with Meeting Owl 4+, and ThinkSmart Tiny Kit Power seamless and immersive hybrid collaboration in any space with the Lenovo ThinkSmart Core and the Meeting Owl 4+. Available with IP or USB controller, The Owl Labs Meeting Owl 4+ and the Owl Labs 16' USB-C to USB-A cable. For productive and hassle-free collaboration in small Microsoft Teams Rooms, the Owl Labs ThinkSmart Tiny Kit bundle includes: the Lenovo i3 ThinkSmart Tiny Kit (Premium), the Lenovo ThinkSmart USB Controller, the Owl Labs Meeting Owl 4+, and the Owl Labs 16'/5 USB-C to USB-A cable. Logitech Express Install for Teams Rooms: Four Fast Solutions for Any Space Logitech’s new Express Install kits make setting up Teams Rooms easier than ever—no specialist required, and installation takes less than an hour. Choose from four variations: 1) Rally Bar Mini with Heckler Rolling Stand (Android), 2) Rally Bar Mini with Salamander Designs Acadia Tabletop Stand (Windows), 3) MeetUp 2 with Salamander Designs Acadia Tabletop Stand (Windows), and 4) Rally Bar Huddle with Heckler Rolling Stand (Android). All kits include a Logitech video bar, Teams Room controller, and LG display, delivering seamless Teams integration and flexible deployment for huddle and small rooms. Windows kits feature compute devices and Salamander stands, while Android kits offer mobile Heckler stands. Whether you need mobility or a sleek tabletop setup, there’s an Express Install kit for every collaboration need. 
Rally Bar Mini with Heckler Rolling Stand (Android) Rally Bar Mini with Salamander Designs Acadia Tabletop Stand (Windows) MeetUp 2 with Salamander Designs Acadia Tabletop Stand (Windows) Rally Bar Huddle with Heckler Rolling Stand (Android) Yealink LinkHub smart dock The Yealink LinkHub helps employees to find and reserve available desks with a clear LED indicator and intuitive touch display. Its screen syncs with Microsoft Teams to show real-time booking details, and it also works with Microsoft Places so employees can reserve a desk remotely before arriving onsite. Integrated with the Teams Pro Management Portal, LinkHub provides IT admins with centralized control and insights into workspace usage, helping organizations optimize space and enhance the hot-desking experience. This device is currently undergoing the process to be certified as a Certified for Teams device. Logitech Zone Wired 2 and Wireless 2ES for Business Zone Wired 2 for Business with adaptive hybrid ANC (active noise cancelation) helps employees stay focused and productive by dynamically adjusting sound to minimize background noise. 40 mm drivers and dual noise-canceling microphones are designed for open spaces and optimize ANC capabilities. Because it’s certified for Microsoft Teams and a variety of other calling solutions, you can be confident it will work with your calling platform. Intuitive controls, plug-and-play USB cable, and comfortable, gaming-inspired headband make the headset easy to use and wear all day. It’s also designed for sustainability and product longevity, including easily replaceable components for extended use and recycled plastics, fabric, and magnets. The Zone Wireless 2 ES for Business Native Bluetooth and with Receiver versions feature the same Adaptive hybrid ANC and proprietary 40 mm drivers as the Zone Wired 2, and also provide: Premium microphones, specifically designed for open office environments that deliver crystal-clear sound quality. 
Smart enumeration and multipoint Bluetooth to enable seamless audio switching.
Freedom of movement with a remarkable 50 m wireless range and long battery life.

Available colors for the Wireless 2 ES with receiver are: graphite, off-white, and rose. The Wireless 2 ES Native Bluetooth is available in graphite.

Logitech Zone Wired 2 for Business
Logitech Zone Wireless 2 ES for Business, With Receiver (Rose)

24K Views, 6 likes, 12 Comments

What’s new in Microsoft Sentinel: February 2026
February brings a set of new innovations to Sentinel that help you work with security content across your SOC. This month’s updates focus on how security teams ingest, manage, and operationalize content, with new connectors, multi-tenant content distribution capabilities, and an enhanced UEBA Essentials solution to surface high‑risk behavior faster across cloud and identity environments. We’re also introducing new partner-built agentic experiences available through Microsoft Security Store, enabling customers to extend Sentinel with specialized expertise directly inside their existing workflows. Together, these innovations help SOC teams move faster, scale smarter, and unlock deeper security insight without added complexity.

Expand your visibility and capabilities with Sentinel content

Seamlessly onboard security data with growing out-of-the-box connectors (general availability)

Sentinel continues to expand its connector ecosystem, making it easier for security teams to bring together data from across cloud, SaaS, and on-premises environments so nothing critical slips through the cracks. With broader coverage and faster onboarding, SOCs can unlock unified visibility, stronger analytics, and deeper context across their entire security stack. Customers can now use out-of-the-box connectors and solutions for:
o Mimecast Audit Logs
o CrowdStrike Falcon Endpoint Protection
o Vectra XDR
o Palo Alto Networks Cloud NGFW
o SocPrime
o Proofpoint on Demand (POD) Email Security
o Pathlock
o MongoDB
o Contrast ADR

For the full list of connectors, see our documentation. Share your input on what to prioritize next with our App Assure team.

Microsoft 365 Copilot data connector (public preview)

The Microsoft 365 Copilot connector brings Microsoft 365 Copilot audit logs and activity data into Sentinel, giving security teams visibility into how Microsoft 365 Copilot is being used across their organization.
Once ingested, this data can power analytics rules, custom detections, workbooks, automation, and investigations, helping SOC teams quickly spot anomalies, misuse, and policy violations. Customers can also send this data to the Sentinel data lake for advanced scenarios, such as custom graphs and MCP integrations, while benefiting from lower cost ingestion and flexible retention. Learn more here.

Transition your Sentinel connectors to the codeless connector framework (CCF)

Microsoft is modernizing data connectors by shifting from Azure Function based connectors to the codeless connector framework (CCF). CCF enables partners, customers, and developers to build custom connectors that ingest data into Sentinel with a fully SaaS managed experience, built-in health monitoring, centralized credential management, and enhanced performance. We recommend that customers review their deployed connectors and move to the latest CCF versions to ensure uninterrupted data collection and continued access to the latest Sentinel capabilities. As part of Azure’s modernization of custom data collection, the legacy custom data collection API will be retired in September 2026.

Centrally manage and distribute Sentinel content across multiple tenants (public preview)

For partners and SOCs managing multiple Sentinel tenants, you can centrally manage and distribute Sentinel content across multiple tenants from the Microsoft Defender portal. With multi-tenant content distribution, you can replicate analytics rules, automation rules, workbooks, and alert tuning rules across tenants instead of rebuilding the same detections, automation, and dashboards in one environment at a time. This helps you onboard new tenants faster, reduce configuration drift, and maintain a consistent security baseline while still keeping local execution in each target tenant under centralized control.
Learn more: New content types supported in multi-tenant content distribution

Find high-risk anomalous behavior faster with an enhanced UEBA essentials solution (public preview)

The UEBA Essentials solution now helps SOC teams uncover high‑risk anomalous behavior faster across Azure, AWS, GCP, and Okta. With expanded multi-cloud anomaly detection and new queries powered by the anomalies table, analysts can quickly surface the riskiest activity, establish reliable behavioral baselines, and understand anomalies in context without chasing noisy or disconnected signals. UEBA Essentials aligns activity to MITRE ATT&CK, highlights complex malicious IP patterns, and builds a comprehensive anomaly profile for users in seconds, reducing investigation time while improving signal quality across identity and cloud environments.

UEBA Essentials is available directly from the Sentinel content hub, with 30+ prebuilt UEBA queries ready to deploy. Behavior analytics can be enabled automatically from the connectors page as new data sources are added, making it easy to turn deeper insight into immediate action.

For more information, see: UEBA Solution Power Boost: Practical Tools for Anomaly Detection

Extend Sentinel with partner-built Security Copilot agents in Microsoft Security Store (general availability)

You can extend Sentinel with partner-built Security Copilot agents that are discoverable and deployable through Microsoft Security Store in the Defender experience. These AI-powered agents are created by trusted partners specifically to work with Sentinel to deliver packaged expertise for investigation, triage, and response without requiring you to build your own agentic workflows from scratch. These partner-built agents work with Sentinel analytics and incidents to help SOC teams triage faster, investigate deeper, and surface insights that would otherwise take hours of manual effort.
For example, these agents can review Sentinel and Defender environments, map attacker activity, or automate forensic analysis and SOC reporting. BlueVoyant’s Watchtower agent helps optimize Sentinel and Defender configurations, AdaQuest’s Data Leak agent accelerates response by surfacing risky data exposure and identity misuse, and Glueckkanja’s Attack Mapping agent automatically maps fragmented entities and attacker behavior into a coherent investigation story. Together, these agents show how the Security Store turns partner innovation into enterprise-ready, Security Copilot-powered capabilities that you can use in your existing SOC workflows. Browse these and more partner-built Security Copilot agents in the Security Store within the Defender portal.

At Ignite, we announced the native integration of Security Store within the Defender portal. Read more about the GA announcement here: Microsoft Security Store: Now Generally Available

Explore Sentinel experience

Enhanced reports in the Threat Intelligence Briefing Agent (general availability)

The Threat Intelligence Briefing Agent now applies a structured knowledge graph to Microsoft Defender for Threat Intelligence, enabling it to surface fresher, more relevant threats tailored to a customer’s specific industry and region. Building on this foundation, the agent also features embedded, high‑fidelity Microsoft Threat Intelligence citations, providing authoritative context directly within each insight. With these advancements, security teams gain clearer, more actionable guidance and mitigation steps through context‑rich insights aligned to their environment, helping them focus on what matters most and respond more confidently to emerging threats.
Learn more: Microsoft Security Copilot Threat Intelligence Briefing Agent in Microsoft Defender

Microsoft Purview Data Security Investigations (DSI) integrated with Sentinel graph (general availability)

Sentinel now brings together data‑centric and threat‑centric insights to help teams understand risk faster and respond with more confidence. By combining AI‑powered deep content analysis from Microsoft Purview with activity‑centric graph analytics in Sentinel, security teams can identify sensitive or risky data, see how it was accessed, moved, or exposed, and take action from a single experience. This gives SOC and data security teams a full, contextual view of the potential blast radius, connecting what happened to the data with who accessed it and how, so investigations are faster, clearer, and more actionable.

Start using the Microsoft Purview Data Security Investigations (DSI) integration with the Sentinel graph to give your analysts richer context and streamline end‑to‑end data risk investigations.

Deadline to migrate the Sentinel experience from Azure to Defender extended to March 2027

To reduce friction and support customers of all sizes, we are extending the sunset date for managing Sentinel in the Azure portal to March 31, 2027. This additional time ensures customers can transition confidently while taking advantage of new capabilities that are becoming available in the Defender portal. Learn more about this decision, why you should start planning your move today, and find helpful resources here: UPDATE: New timeline for transitioning Sentinel experience to Defender portal

Events and webinars

Stay connected with the latest security innovations and best practices through global conferences and expert‑led sessions that bring the community together to learn, connect, and explore how Microsoft is delivering AI‑driven, end‑to‑end security for the modern enterprise.
Join us at RSAC, March 23–26, 2026 at the Moscone Center in San Francisco

Register for RSAC and stop by the Microsoft booth to see our latest security innovations in action. Learn how Sentinel SIEM and platform help organizations stay ahead of threats, simplify operations, and protect what matters most. Register today!

Microsoft Security Webinars

Discover upcoming sessions on Sentinel SIEM & platform, Defender, and more. Sign up today and be part of the conversation that shapes security for everyone. Learn more about upcoming webinars.

Additional resources

Blogs: UPDATE: New timeline for transitioning Sentinel experience to Defender portal, Accelerate your move to Microsoft Sentinel with AI-powered SIEM migration tool, Automating Microsoft Sentinel: A blog series on enabling Smart Security, The Agentic SOC Era: How Sentinel MCP Enables Autonomous Security Reasoning
Documentation: What Is a Security Graph?, SIEM migration tool, Onboarding to Microsoft Sentinel data lake from the Defender portal

Stay connected

Check back each month for the latest innovations, updates, and events to ensure you’re getting the most out of Sentinel. We’ll see you in the next edition!

1.4K Views, 3 likes, 1 Comment

What's new in OneNote for EDU - Back to School 2025
It’s back-to-school time, and OneNote EDU is rolling out fresh updates to make life easier for educators and students alike! In this article, we’ll cover the latest OneNote features and updates for education, including: Built-in Class Notebook toolbar in OneNote on Windows and for Mac (no more need to download the add-in!) – How to enable it and why it’s great New Microsoft 365 LTI 1.3 integration – Streamlined LMS access to Class Notebook, Assignments, Reflect, and more Broader OneNote updates – Merge table cells (finally!) and a new option to “paste text only” Education Insiders Program (EIP) – How to join and help shape the future of Class Notebook Let’s dive in and get you ready for an amazing school year with OneNote! 1. Enable the Class Notebook Toolbar natively in OneNote on Windows and for Mac Class Notebook features are now built directly into OneNote on desktop – no separate add-in required! This means if you’re using OneNote on Windows or for Mac, you already have the Class Notebook tools; you just might need to turn them on. Enabling the native toolbar gives you all the goodies (page distribution, review student work, etc.) right on the ribbon while ensuring you always have the latest updates and better performance than the old add-in. Why this matters: A built-in toolbar means one less installation to worry about and more reliable updates. Schools no longer need to deploy the legacy add-in for Class Notebook on each device. It’s simpler for IT and ensures every teacher has the Class Notebook tools by default. How to enable the Class Notebook toolbar: In OneNote for Windows (Microsoft 365), click File > Options > General. Under Class Notebook, check the box for “Enable Class Notebook” and select OK. The Class Notebook tab will appear on your OneNote ribbon, loaded with all the Class Notebook features you know and love. (Tip: If you previously installed the add-in, you might see two Class Notebook tabs. You can remove the old add-in to avoid confusion.) 
For more details, check out the Enable the Class Notebook Toolbar in OneNote Desktop support article. 2. New Microsoft 365 LTI 1.3 Integration for LMS The new Microsoft 365 LTI app brings OneNote Class Notebook along with other Microsoft 365 Education experiences like Microsoft Assignments, OneDrive/Microsoft 365 files, Teams for collaboration, Teams Meetings and more to your learning management system (LMS). It is compatible with any LTI 1.3 Advantage Platform, and setup instructions can be found here: https://aka.ms/LMSAdminDocs. Key benefits of the new M365 LTI integration: All-in-one access: Once your LMS admin installs the Microsoft 365 LTI, educators and students get one-click access to OneNote Class Notebook, assignments, OneDrive, Teams meetings, Reflect check-ins and more – right from your LMS course. No more juggling separate LTI apps for each tool. Automatic roster sync: Class Notebook now supports auto-rostering with LTI 1.3. When you create a Class Notebook through the LMS, all learners and educators in that course are automatically added to the notebook as students and teachers/co-teachers respectively (and will be added automatically if they join later). This beloved feature, previously in older LTI integration, is back – saving you setup time. Assignments and grades in your LMS: Using the new LTI, you can create Microsoft Assignments (with Learning Accelerator tools like Reading Progress, etc.) directly in your LMS. Students submit without leaving the LMS, and grades sync back to the LMS gradebook. It brings the power of Teams Assignments into the LMS environment, no Teams class needed. Streamlined and up-to-date: The Microsoft 365 LTI replaces several legacy LTI tools (like the old “Teams Classes LTI” and separate OneNote LTI 1.1 app). This reduces confusion and upkeep. Getting started with the new LTI is simple for IT admins, with full documentation here. 
If you’re an educator, check with your IT about enabling the Microsoft 365 LTI for your courses. 3. Broader OneNote updates: merge table cells and paste text only The OneNote team has been hard at work on core improvements that benefit both educators and students. Here are two notable updates rolling out: Merge table cells in OneNote on Windows and for Mac: You asked, and it’s finally here – the ability to merge cells in a table. This means you can take any adjacent cells (horizontal or vertical) in a OneNote table and combine them into one cell (just like in Word or Excel). Paste text only in OneNote on Windows, for Mac, and for the web: Ever copy-paste some text into OneNote only to have it bring in crazy fonts or colors from a website or another document? We hear you – and now in OneNote you can use the familiar shortcut Ctrl + Shift + V (Windows) or Cmd + Shift + V (Mac) to paste plain text, stripping out all the source formatting. The pasted content will match your current notebook’s font style. This also works via the right-click menu: choose Paste > Keep Text Only. It’s a small quality-of-life change that can save a ton of cleanup time, especially when gathering materials from various sources into your lesson plans or content library. Read more about this here: Paste text only in OneNote on Windows, for Mac, and for the web All these updates are either available now or rolling out to OneNote users: Merge table cells is currently in preview for Office Insiders (as of late July 2025) and will reach all OneNote desktop clients in the coming updates. Paste Text Only is rolling out to OneNote for the web users and OneNote users running the most recent versions on Windows and on Mac. Features are released over some time to ensure things are working smoothly, so don’t worry if you can’t see it quite yet. 4. 
Join the Education Insiders Program (EIP) Lastly, a call to action for passionate educators: if you love getting early access to new features or want to provide direct feedback to the OneNote and Class Notebook team, consider joining the Education Insiders Program (EIP). This is a free community for K-12 and higher-ed tech leaders, teachers, and IT administrators who use Microsoft tools. As an Education Insider, you can: Preview and influence new features: Get invites to try out early builds or pilot programs (with your school’s Office 365 tenant) and share feedback before features launch worldwide. For example, insiders often get to test things like the latest Class Notebook updates and provide input. Participate in the Class Notebook insiders channel: There’s a dedicated Class Notebook discussion space where you can discuss ideas, ask questions, and interact with Microsoft product managers and other educators. It’s a direct line to share what you’d love to see in OneNote. Sound interesting? Sign up for EIP via this form. Once accepted, you’ll be plugged into the insider community, including the Class Notebook channel where you can weigh in on the future of OneNote. (By joining EIP, you’ll help shape products like OneNote – many of the features in this blog (such as merged table cells and the new LTI integration) were influenced by feedback from educators. We’d love to have your voice in the mix!) We hope these updates get you excited for back to school with OneNote. Whether you’re empowering students with more organized Class Notebooks, integrating OneNote more seamlessly into your LMS, or just enjoying a smoother note-taking experience, there’s a lot to look forward to this year. Try out these new features in your classroom workflow, and let us know what you think. You can drop your thoughts in the comments or join the conversation in the Education Insiders community. Here’s to a successful and innovative school year ahead with OneNote! 
💜 Which new OneNote EDU feature are you most excited about? Let us know in the comments, and have a fantastic start to the school year!

2K Views, 2 likes, 2 Comments

Data lake tier Ingestion for Microsoft Defender Advanced Hunting Tables is Now Generally Available
Today, we’re excited to announce the general availability (GA) of data lake tier ingestion for Microsoft XDR Advanced Hunting tables into Microsoft Sentinel data lake. Security teams continue to generate unprecedented volumes of high‑fidelity telemetry across endpoints, identities, cloud apps, and email. While this data is essential for detection, investigation, and threat hunting, it also creates new challenges around scale, cost, and long‑term retention.

With this release, users can now ingest Advanced Hunting data from:
o Microsoft Defender for Endpoint (MDE)
o Microsoft Defender for Office 365 (MDO)
o Microsoft Defender for Cloud Apps (MDA)
directly into Sentinel data lake, without requiring ingestion into the Microsoft Sentinel Analytics tier. Support for Microsoft Defender for Identity (MDI) Advanced Hunting tables will follow in the near future.

Supported Tables

This release enables data lake tier ingestion for Advanced Hunting data from:
o Defender for Endpoint (MDE) – DeviceInfo, DeviceNetworkInfo, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceEvents, DeviceFileCertificateInfo
o Defender for Office 365 (MDO) – EmailAttachmentInfo, EmailEvents, EmailPostDeliveryEvents, EmailUrlInfo, UrlClickEvents
o Defender for Cloud Apps (MDA) – CloudAppEvents

Each source is ingested natively into Sentinel data lake, aligning with Microsoft’s broader lake‑centric security data strategy. As mentioned above, Microsoft Defender for Identity will be available in the near future.

What’s New with data lake Tier Ingestion

Until now, Advanced Hunting data was primarily optimized for near‑real‑time security operations and analytics. As users extend their detection strategies to include longer retention, retrospective analysis, AI‑driven investigations, and cross‑domain correlation, the need for a lake‑first architecture becomes critical.
With data lake tier ingestion, Sentinel data lake becomes a must-have destination for XDR insights, enabling users to:
o Store high‑volume Defender Advanced Hunting data efficiently at scale while reducing operational overhead
o Extend security analytics and data beyond traditional analytics lifespans for investigation, compliance, and threat research with up to 12 years of retention
o Query data using KQL‑based experiences across unified datasets with the KQL explorer, KQL Jobs, and Notebook Jobs
o Integrate data with AI-driven tooling via MCP Server for quick and interactive insights into the environment
o Visualize threat landscapes and relational mappings while threat hunting with custom Sentinel graphs
o Decouple storage and retention decisions from real‑time SIEM operations while building a more flexible and futureproof Sentinel architecture

Enabling Sentinel data lake Tier Ingestion for Advanced Hunting Tables

The ingestion pipeline for sending Defender Advanced Hunting data to Sentinel data lake leverages existing infrastructure and UI experiences. To enable Advanced Hunting tables for Sentinel data lake ingestion:
1. Within the Defender Portal, expand the Microsoft Sentinel section in the left navigation.
2. Go to Configuration > Tables.
3. Find any of the listed tables from above and select one.
4. Within the side menu that opens, select Data Retention Settings.
5. Once the options open, select the button next to ‘Data lake tier’ to set the table to ingest directly into Sentinel data lake.
6. Set the desired total retention for the data.
7. Click save.

With this configuration, Defender data resides in each Advanced Hunting table for 30 days and remains accessible via custom detections and queries, while a copy of the logs is sent to Sentinel data lake for use with custom graphs and MCP server, with the option of retention up to 12 years.

Why data lake Tier Ingestion Matters

Built for Scale and Cost Efficiency

Advanced Hunting data is rich—and voluminous.
Sentinel data lake enables users to store this data using a lake‑optimized model, designed for high‑volume ingestion and long‑term analytical workloads while making it easy to manage table tiers and usage.

A Foundation for Advanced Analytics

With Defender data co‑located alongside other security and cloud signals, users can unlock:
o Cross‑domain investigations across endpoint, identity, cloud, and email
o Retrospective hunting without re‑ingestion
o AI‑assisted analytics and large‑scale pattern detection

Flexible Architecture for Modern Security Teams

Data lake tier ingestion supports a layered security architecture, where:
o Workspaces remain optimized for real‑time detection and SOC workflows
o The data lake serves as the cost-effective and durable system for security telemetry

Users can choose the right level of ingestion depending on operational needs, without duplicating data paths or cost.

Designed to Work with Existing Sentinel and XDR Experiences

This GA release builds on Microsoft Sentinel’s ongoing investment in unified data configuration and management:
o Native integration with Microsoft Defender XDR Advanced Hunting schemas
o Alignment with existing Sentinel data lake query and exploration experiences
o Consistent management alongside other first‑party and third‑party data sources
o Consistent experiences within the Defender Portal

No changes are required to existing Defender deployments to begin using data lake tier ingestion.

Get started

To learn more about Microsoft Sentinel Data Lake and managing Defender XDR data within Sentinel, visit the Microsoft Sentinel documentation and explore how lake‑based analytics can complement your existing security operations. We look forward to seeing how users use this capability to explore new detection strategies, perform deeper investigations, and build long‑term security habits.

2.9K Views, 2 likes, 0 Comments

The Microsoft Copilot Data Connector for Microsoft Sentinel is Now in Public Preview
We are happy to announce a new data connector that is available to the public: the Microsoft Copilot data connector for Microsoft Sentinel. The new Microsoft Copilot data connector will allow for audit logs and activities generated by different offerings of Copilot to be ingested into Microsoft Sentinel and Microsoft Sentinel data lake. This allows for Copilot activities to be leveraged within Microsoft Sentinel features such as analytic rules/custom detections, Workbooks, automation, and more. This also allows for Copilot data to be sent to Sentinel data lake, which opens the possibilities for integrations with custom graphs, MCP server, and more while offering lower cost ingestion and longer retention as needed.

Eligibility for the Connector

The connector is available for all customers within Microsoft Sentinel, but will only ingest data for environments that have access to Copilot licenses and SCUs as the activities rely on Copilot being used. These logs are available via the Purview Unified Audit Log (UAL) feed, which is available and enabled for all users by default. A big value of this new connector is that it eliminates the need for users to go to the Purview Portal in order to see these activities, as they are proactively brought into the workspace, enabling SOCs to generate detections and proactively threat hunt on this information.

Note: This data connector is a single-tenant connector, meaning that it will ingest the data for the entire tenant that it resides in. This connector is not designed to handle multi-tenant configurations.
What’s Included in the Connector

The following are record types from Office 365 Management API that will be supported as part of this connector:
261 CopilotInteraction
310 CreateCopilotPlugin
311 UpdateCopilotPlugin
312 DeleteCopilotPlugin
313 EnableCopilotPlugin
314 DisableCopilotPlugin
315 CreateCopilotWorkspace
316 UpdateCopilotWorkspace
317 DeleteCopilotWorkspace
318 EnableCopilotWorkspace
319 DisableCopilotWorkspace
320 CreateCopilotPromptBook
321 UpdateCopilotPromptBook
322 DeleteCopilotPromptBook
323 EnableCopilotPromptBook
324 DisableCopilotPromptBook
325 UpdateCopilotSettings
334 TeamCopilotInteraction
363 Microsoft365CopilotScheduledPrompt
371 OutlookCopilotAutomation
389 CopilotForSecurityTrigger
390 CopilotAgentManagement

These are great options for monitoring users who have permission to make changes to Copilot across the environment. This data can assist with identifying if there are anomalous interactions taking place between users and Copilot, unauthorized attempts of access, or malicious prompt usage.

How to Deploy the Connector

The connector is available via the Microsoft Sentinel Content Hub and can be installed today. To find the connector:
1. Within the Defender Portal, expand the Microsoft Sentinel navigation in the left menu.
2. Expand Configuration and select Content Hub.
3. Within the search bar, search for “Copilot”.
4. Click on the solution that appears and click Install.
5. Once the solution is installed, the connector can be configured by clicking on the connector within the solution and selecting Open Connector Page.

To enable the connector, the user will need either Global Administrator or Security Administrator on the tenant. Once the connector is enabled, the data will be sent to the table named CopilotActivity.

Note: Data ingestion costs apply when using this data connector. Pricing will be based on the settings for the Microsoft Sentinel workspace or at the Microsoft Sentinel data lake tier pricing.
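The record types listed above can drive a first-pass triage of Copilot audit data. The Python below is an added example, not part of the original post or the connector's own code: it keeps only those record types, then flags users who make several Delete/Disable changes in a short window or who change Copilot settings. It assumes records shaped like the Office 365 Management Activity API common schema (RecordType, CreationTime, UserId), which may differ from the columns of the CopilotActivity table; the threshold, window and sample records are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Record types named on this page (Office 365 Management API AuditLogRecordType).
COPILOT_RECORD_TYPES = {
    261: "CopilotInteraction", 310: "CreateCopilotPlugin", 311: "UpdateCopilotPlugin",
    312: "DeleteCopilotPlugin", 313: "EnableCopilotPlugin", 314: "DisableCopilotPlugin",
    315: "CreateCopilotWorkspace", 316: "UpdateCopilotWorkspace",
    317: "DeleteCopilotWorkspace", 318: "EnableCopilotWorkspace",
    319: "DisableCopilotWorkspace", 320: "CreateCopilotPromptBook",
    321: "UpdateCopilotPromptBook", 322: "DeleteCopilotPromptBook",
    323: "EnableCopilotPromptBook", 324: "DisableCopilotPromptBook",
    325: "UpdateCopilotSettings", 334: "TeamCopilotInteraction",
    363: "Microsoft365CopilotScheduledPrompt", 371: "OutlookCopilotAutomation",
    389: "CopilotForSecurityTrigger", 390: "CopilotAgentManagement",
}
CHANGE_VERBS = ("Create", "Update", "Delete", "Enable", "Disable")


def change_verb(name):
    """Return the leading change verb of a record type name, or None."""
    return next((v for v in CHANGE_VERBS if name.startswith(v)), None)


def parse_records(lines):
    """Parse JSON lines; keep Copilot record types, count everything else as skipped."""
    events, skipped = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
            name = COPILOT_RECORD_TYPES[int(rec["RecordType"])]
            when = datetime.fromisoformat(rec["CreationTime"].rstrip("Z"))
            user = rec["UserId"].lower()
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # malformed JSON, missing field, or non-Copilot record type
            continue
        events.append({"time": when, "user": user, "name": name,
                       "verb": change_verb(name)})
    return events, skipped


def find_change_bursts(events, verbs=("Delete", "Disable"), threshold=3,
                       window=timedelta(minutes=10)):
    """Return (user, first_time, count) for each run of >= threshold matching
    changes by one user inside the window (hypothetical tuning values)."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["verb"] in verbs:
            per_user[ev["user"]].append(ev["time"])
    bursts = []
    for user, times in sorted(per_user.items()):
        times.sort()
        start = 0
        while start < len(times):
            end = start
            while end + 1 < len(times) and times[end + 1] - times[start] <= window:
                end += 1
            count = end - start + 1
            if count >= threshold:
                bursts.append((user, times[start], count))
                start = end + 1  # do not alert twice on the same run
            else:
                start += 1
    return bursts


def settings_changes(events):
    """Users who produced an UpdateCopilotSettings (325) record."""
    return sorted({e["user"] for e in events if e["name"] == "UpdateCopilotSettings"})


def _rec(when, user, rtype):
    return json.dumps({"CreationTime": when, "UserId": user, "RecordType": rtype})


# Constructed sample input, not real audit data.
SAMPLE_LINES = [
    _rec("2026-02-03T09:00:00", "carol@contoso.example", 312),
    _rec("2026-02-03T09:30:00", "alice@contoso.example", 261),
    _rec("2026-02-03T09:31:00", "alice@contoso.example", 334),
    _rec("2026-02-03T10:00:00", "bob@contoso.example", 314),
    _rec("2026-02-03T10:02:00", "bob@contoso.example", 312),
    _rec("2026-02-03T10:05:00Z", "Bob@contoso.example", 319),
    _rec("2026-02-03T11:00:00", "carol@contoso.example", 314),
    _rec("2026-02-03T11:15:00", "dave@contoso.example", 325),
    _rec("2026-02-03T11:20:00", "erin@contoso.example", 15),  # not a Copilot type
    "not json",
]

if __name__ == "__main__":
    evts, bad = parse_records(SAMPLE_LINES)
    print(f"{len(evts)} Copilot events, {bad} skipped")
    for user, first, count in find_change_bursts(evts):
        print(f"burst: {user} made {count} Delete/Disable changes from {first}")
    print("settings changed by:", settings_changes(evts))
```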
As this data connector is in Public Preview, users can start deploying this connector right now! As always, let us know what you think in the comments so that we may continue to build what is most valuable to you. We hope that this new data connector continues to assist your SOC with highly valuable insights that best empower your security.

Resources:

Office Management API Event Number List: https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype
Purview Unified Audit Log Library: Audit log activities | Microsoft Learn
Copilot Inclusion in the Microsoft E5 Subscription: Learn about Security Copilot inclusion in Microsoft 365 E5 subscription | Microsoft Learn
Microsoft Sentinel: What is Microsoft Sentinel SIEM? | Microsoft Learn
Microsoft Sentinel Platform: Microsoft Sentinel data lake overview - Microsoft Security | Microsoft Learn

Microsoft Sentinel for SAP Agentless connector GA
Dear Community,

Today is the day: Our new agentless connector for Microsoft Sentinel Solution for SAP applications is Generally Available now! Fully onboarded to SAP’s official Business Accelerator Hub and ready for prime time wherever your SAP systems are waiting – on-premises, hyperscalers, RISE, or GROW – to be protected.

Let’s hear from an agentless customer:

“With the Microsoft Sentinel Solution for SAP and its new agentless connector, we accelerated deployment across our SAP landscape without the complexity of containerized agents. This streamlined approach elevated our SOC’s visibility into SAP security events, strengthened our compliance posture, and enabled faster, more informed incident response”
SOC Specialist, North American aviation company

Use the video below to kick off your own agentless deployment today. #Kudos to the amazing mvigilante for showing us around the new connector!

But we didn’t stop there! Security is being reengineered for the AI era - moving from static, rule-based controls to platform-driven, machine-speed defence that anticipates threats before they strike. Attackers think in graphs - Microsoft does too. We’re bringing relationship-aware context to Microsoft Security - so defenders and AI can see connections, understand the impact of a potential compromise (blast radius), and act faster across pre-breach and post-breach scenarios including SAP systems - your crown jewels.

See it in action in the phishing compromise below, which led to an SAP login bypassing MFA, followed by operating-system activities on the SAP host downloading trojan software. Enjoy this clickable experience for more details on the scenario.

Shows how a phishing compromise escalated to an SAP MFA bypass, highlighting cross-domain correlation.

The Sentinel Solution for SAP has AI-first in mind and directly integrates with our security platform on the Defender portal for enterprise-wide signal correlation, Security Copilot reasoning, and Sentinel Data Lake usage.
Your real-time SAP detections operate on the Analytics tier for instant results and threat hunting, while the same SAP logs get mirrored to the lake for cost-efficient long-term storage (up to 12 years). Access that data for compliance reporting or historic analysis through KQL jobs on the lake. No more "yeah, I have the data stored somewhere to tick the audit report check box": you can query and use your SAP telemetry in long-term storage at scale. Learn more here.

Findings from the Agentless Connector preview

During our preview we learned that the majority of customers immediately profit from the far smoother onboarding experience compared to the Docker-based approach. Deployment efforts and time to first SAP log arrival in Sentinel went from days and weeks to hours.

⚠️ Deprecation notice for containerized data connector agent ⚠️

The containerized SAP data connector will be deprecated on September 14th, 2026. This change aligns with the discontinuation of the SAP RFC SDK, SAP's strategic integration roadmap, and customer demand for simpler integration. Migrate to the new agentless connector for simplified onboarding and compliance with SAP’s roadmap. All new deployments starting October 31, 2025, will only have the new agentless connector option, and existing customers should plan their migration using the guidance on Microsoft Learn. The agentless connector will be billed at the same price as the containerized agent, ensuring no cost impact for customers.

Note📌: To support the transition for those of you on the Docker-based data connector, we have enhanced our built-in KQL functions for SAP to work across data sources for hybrid and parallel execution.

Spotlight on new Features

Inspired by the feedback of early adopters, we are shipping two of the most requested new capabilities with GA right away.

Customizable polling frequency: Balance threat detection value (1-minute intervals give the best value) with utilization of SAP Integration Suite resources based on your needs. ⚠️Warning! Increasing the intervals may result in message processing truncation to avoid SAP CPI saturation. See this blog for more insights. Refer to the max-rows parameter and SAP documentation to make informed decisions.

Customizable API endpoint path suffix: Flexible endpoints allow running all your SAP security integration flows from the agentless connector and adherence to your naming strategies. Furthermore, you can add the community extensions like SAP S/4HANA Cloud public edition (GROW), the SAP Table Reader, and more.

Displays the simplified onboarding flow for the agentless SAP connector

You want more? Here is your chance to share additional feature requests to influence our backlog. We would like to hear from you!

Getting Started with Agentless

The new agentless connector automatically appears in your environment – make sure to upgrade to the latest version 3.4.05 or higher.

Sentinel Content Hub View: Highlights the agentless SAP connector tile in Microsoft Defender portal, ready for one-click deployment and integration with your security platform

The deployment experience on Sentinel is fully automatic with a single button click: It creates the Azure Data Collection Endpoint (DCE), Data Collection Rule (DCR), and Microsoft Entra ID app registration assigned with RBAC role "Monitoring Metrics Publisher" on the DCR to allow SAP log ingest.

Explore partner add-ons that build on top of agentless

The ISV partner ecosystem for the Microsoft Sentinel Solution for SAP is growing to tailor the agentless offering even further. The current cohort has flagship providers like our co-engineering partner SAP SE themselves with their security products SAP LogServ & SAP Enterprise Threat Detection (ETD), and our mutual partners Onapsis and SecurityBridge.

Ready to go agentless?

➤ Get started from here
➤ Explore partner add-ons here.
➤ Share feature requests here.
Next Steps

Once deployed, I recommend checking AryaG’s insightful blog series for details on how to move to production with the built-in SAP content of agentless. Looking to expand protection to SAP Business Technology Platform? Here you go.

#Kudos to the amazing Sentinel for SAP team and our incredible community contributors!

That's a wrap 🎬. Remember: bringing SAP under the protection of your central SIEM isn't just a checkbox - it's essential for comprehensive security and compliance across your entire IT estate.

Cheers,
Martin