What's new in Microsoft Security Copilot
A major wave of updates has landed: integration with the new Sentinel data lake and graph, new ready-made and custom agents, and the debut of the Microsoft Security Store. Let’s take a look at what’s new. Microsoft Sentinel and Security Copilot integration delivers deeper context and smarter AI Sentinel data lake is now generally available, and new capabilities like Sentinel graph and the Model Context Protocol (MCP) server are in public preview, bringing in a new level of integration with Security Copilot. Agents can now access richer, more connected data from across Sentinel, combining graph, structured, and semantic context to reason and act with greater precision. This enhanced foundation transforms AI-driven detection and response, helping teams resolve incidents faster and uncover deeper insights across their environments. Read more in the Sentinel announcement blog: Introducing Microsoft Sentinel graph Build your own Security Copilot agents, no coding required Now anyone on your team can create custom Security Copilot agents. Use a no-code portal or developer tools to design, test, and deploy agents that automate the workflows you need most. Your team controls how they work and what they do. Learn more: Build your own Security Copilot agent New Microsoft and partner ready-made agents for real challenges These new agents help teams address common security and IT challenges faster and smarter: Access Review Agent in Microsoft Entra: Streamline access reviews, flag unusual patterns, and reduce fatigue for security and compliance teams. It helps maintain governance and compliance by automatically analyzing ongoing access reviews and highlighting potential risks. o Learn more: The Microsoft Entra agent for smarter access governance: Access Review Agent Phishing Triage Agent in Microsoft Defender saves nearly 200 hours a month: In this new customer spotlight, St. Luke’s is seeing the impact of integrating Security Copilot agents into their daily workflows. ACISO Krista Arndt says, “The Phishing Triage Agent is a game changer. It’s saving us nearly 200 hours monthly by autonomously handling and closing thousands of false positive alerts.” With routine triage automated, security teams can shift from reactive response to proactive threat hunting, freeing up time for higher-value work and faster threat mitigation. The launch of 30 new partner-built agents that can be found on the Microsoft Security Store with solutions like: Forensic Agent by glueckkanja AG: Delivers deep-dive analysis of Defender XDR incidents to accelerate investigations and uncover root causes faster. Privileged Admin Watchdog Agent by glueckkanja AG: Helps enforce zero standing privilege principles by removing persistent admin identities, reducing risk, and strengthening administrative security. Ransomware Kill Chain Investigator Agent by adaQuest: Automates ransomware triage to quickly detect and respond to threats, enabling security teams to focus on high-priority incidents. Entity Guard Investigator Agent by adaQuest: Investigates Defender incidents and provides actionable insights to accelerate incident resolution and strengthen security posture. Admin Guard Insight Agent by adaQuest: Analyzes administrative activity, detects anomalies, evaluates risk exposure and compliance, and delivers actionable guidance to improve administrative security. Identity Workload ID Agent by Invoke: Empowers identity administrators and security teams to manage and secure Workload Identities in Microsoft Entra, reducing risk, strengthening compliance, and controlling identity sprawl. o Find these agents and more in the Microsoft Security Store Microsoft Security Store – one, centralized place to find agents and SaaS solutions The Microsoft Security Store makes it simple to discover, deploy, and buy Security Copilot agents and partner solutions. Start using any of the 30 new agents or 50 SaaS solutions to power your SOC, IT, privacy, and compliance workflows. Read more in the announcement blog: Introducing Microsoft Security Store Stay tuned and explore more! Security Copilot is transforming how security and IT teams operate – bringing AI-powered insights, automation, and decision support into everyday workflows. With new capabilities landing every month, the pace of innovation is accelerating. We’ll be back in November with more updates. Until then, explore these resources to get hands-on, deepen your understanding, and see what’s possible: Security Copilot Video Hub – Watch demos and walkthroughs to see Security Copilot in action Microsoft Security Copilot Website – Learn about capabilities, use cases, and product details Security Copilot Adoption Hub – Access rollout guides, templates, and best practices Don’t miss Microsoft Ignite - we’ll be announcing exciting new capabilities for Security Copilot and sharing what’s next in AI-powered security.Microsoft Sentinel data lake FAQ
On September 30, 2025, Microsoft announced the general availability of the Microsoft Sentinel data lake, designed to centralize and retain massive volumes of security data in open formats like delta parquet. By decoupling storage from compute, the data lake supports flexible querying, while offering unified data management and cost-effective retention. The Sentinel data lake is a game changer for security teams, serving as the foundational layer for agentic defense, deeper security insights and graph-based enrichment. In this blog we offer answers to many of the questions we’ve heard from our customers and partners. General questions 1. What is the Microsoft Sentinel data lake? Microsoft has expanded its industry-leading SIEM solution, Microsoft Sentinel, to include a unified, security data lake, designed to help optimize costs, simplify data management, and accelerate the adoption of AI in security operations. This modern data lake serves as the foundation for the Microsoft Sentinel platform. It has a cloud-native architecture and is purpose-built for security—bringing together all security data for greater visibility, deeper security analysis and contextual awareness. It provides affordable, long-term retention, allowing organizations to maintain robust security while effectively managing budgetary requirements. 2. What are the benefits of Sentinel data lake? Microsoft Sentinel data lake is designed for flexible analytics, cost management, and deeper security insights. It centralizes security data in an open format like delta parquet for easy access. This unified view enhances threat detection, investigation, and response across hybrid and multi-cloud environments. It introduces a disaggregated storage and compute pricing model, allowing customers to store massive volumes of security data at a fraction of the cost compared to traditional SIEM solutions. It allows multiple analytics engines like Kusto, Spark, and ML to run on a single data copy, simplifying management, reducing costs, and supporting deeper security analysis. It integrates with GitHub Copilot and VS Code empowering SOC teams to automate enrichment, anomaly detection, and forensic analysis. It supports AI agents via the MCP server, allowing tools like GitHub Copilot to query and automate security tasks. The MCP Server layer brings intelligence to the data, offering Semantic Search, Query Tools, and Custom Analysis capabilities that make it easier to extract insights and automate workflows. Customers also benefit from streamlined onboarding, intuitive table management, and scalable multi-tenant support, making it ideal for MSSPs and large enterprises. The Sentinel data lake is purpose built for security workloads, ensuring that processes from ingestion to analytics meet cybersecurity requirements. 3. Is the Sentinel data lake generally available? Yes. The Sentinel data lake is generally available (GA) starting September 30, 2025. To learn more, see GA announcement blog. 4. What happens to Microsoft Sentinel SIEM? Microsoft is expanding Sentinel into an AI powered end-to-end security platform that includes SIEM and new platform capabilities - Security data lake, graph-powered analytics and MCP Server. SIEM remains a core component and will be actively developed and supported. Getting started 1. What are the prerequisites for Sentinel data lake? To get started: Connect your Sentinel workspace to Microsoft Defender prior to onboarding to Sentinel data lake. Once in the Defender experience see data lake onboarding documentation for next steps. Note: Sentinel is moving to the Microsoft Defender portal and the Sentinel Azure portal will be retired by July 2026. 2. I am a Sentinel-only customer, and not a Defender customer, can I use the Sentinel data lake? Yes. You must connect Sentinel to the Defender experience before onboarding to the Sentinel data lake. Microsoft Sentinel is generally available in the Microsoft Defender portal, with or without Microsoft Defender XDR or an E5 license. If you have created a log analytics workspace, enabled it for Sentinel and have the right Microsoft Entra roles (e.g. Global Administrator + Subscription Owner, Security Administrator + Sentinel Contributor), you can enable Sentinel in the Defender portal. For more details on how to connect Sentinel to Defender review these sources: Microsoft Sentinel in the Microsoft Defender portal 3. In what regions is Sentinel data lake available? For supported regions see: Geographical availability and data residency in Microsoft Sentinel | Microsoft Learn 4. Is there an expected release date for Microsoft Sentinel data lake in Government clouds? While the exact date is not yet finalized, we anticipate support for these clouds soon. 5. How will URBAC and Entra RBAC work together to manage the data lake given there is no centralized model? Entra RBAC will provide broad access to the data lake (URBAC maps the right permissions to specific Entra role holders: GA/SA/SO/GR/SR). URBAC will become a centralized pane for configuring non-global delegated access to the data lake. For today, you will use this for the “default data lake” workspace. In the future, this will be enabled for non-default Sentinel workspaces as well – meaning all workspaces in the data lake can be managed here for data lake RBAC requirements. Azure RBAC on the Log Analytics (LA) workspace in the data lake is respected through URBAC as well today. If you already hold a built-in role like log analytics reader, you will be able to run interactive queries over the tables in that workspace. Or, if you hold log analytics contributor, you can read and manage table data. For more details see: Roles and permissions in the Microsoft Sentinel platform | Microsoft Learn Data ingestion and storage 1. How do I ingest data into the Sentinel data lake? To ingest data into the Sentinel data lake, you can use existing Sentinel data connectors or custom connectors to bring data from Microsoft and third-party sources. Data can be ingested into the analytic tier and/or data lake tier. Data ingested into the analytics tier is automatically mirrored to the lake, while lake-only ingestion is available for select tables. Data retention is configured in table management. Note: Certain tables do not support data lake-only ingestion via either API or data connector UI. See here for more information: Custom log tables. 2. What is Microsoft’s guidance on when to use analytics tier vs. the data lake tier? Sentinel data lake offers flexible, built-in data tiering (analytics and data lake tiers) to effectively meet diverse business use cases and achieve cost optimization goals. Analytics tier: Is ideal for high-performance, real-time, end-to-end detections, enrichments, investigation and interactive dashboards. Typically, high-fidelity data from EDRs, email gateways, identity, SaaS and cloud logs, threat intelligence (TI) should be ingested into the analytics tier. Data in the analytics tier is best monitored proactively with scheduled alerts and scheduled analytics to enable security detections Data in this tier is retained at no cost for up to 90 days by default, extendable to 2 years. A copy of the data in this tier is automatically available in the data lake tier at no extra cost, ensuring a unified copy of security data for both tiers. Data lake tier: Is designed for cost-effective, long-term storage. High-volume logs like NetFlow logs, TLS/SSL certificate logs, firewall logs and proxy logs are best suited for data lake tier. Customers can use these logs for historical analysis, compliance and auditing, incident response (IR), forensics over historical data, build tenant baselines, TI matching and then promote resulting insights into the analytics tier. Customers can run full Kusto queries, Spark Notebooks and scheduled jobs over a single copy of their data in the data lake. Customers can also search, enrich and restore data from the data lake tier to the analytics tier for full analytics. For more details see documentation. 3. What does it mean that a copy of all new analytics tier data will be available in the data lake? When Sentinel data lake is enabled, a copy of all new data ingested into the analytics tier is automatically duplicated into the data lake tier. This means customers don’t need to manually configure or manage this process—every new log or telemetry added to the analytics tier becomes instantly available in the data lake. This allows security teams to run advanced analytics, historical investigations, and machine learning models on a single, unified copy of data in the lake, while still using the analytics tier for real-time SOC workflows. It’s a seamless way to support both operational and long-term use cases—without duplicating effort or cost. 4. Is there any cost for retention in the analytics tier? You will get 90 days of analytics retention free. Simply set analytics retention to 90 days or less. Total retention setting – only the mirrored portion that overlaps with the free analytics retention is free in the data lake. Retaining data in the lake beyond the analytics retention period incurs additional storage costs. See documentation for more details: Manage data tiers and retention in Microsoft Sentinel | Microsoft Learn 5. What is the guidance for Microsoft Sentinel Basic and Auxiliary Logs customers? If you previously enabled Basic or Auxiliary Logs plan in Sentinel: You can view Basic Logs in the Defender portal but manage it from the Log Analytics workspace. To manage it in the Defender portal, you must change the plan from Basic to Analytics. Existing Auxiliary Log tables will be available in the data lake tier for use once the Sentinel data lake is enabled. Prior to the availability of Sentinel data lake, Auxiliary Logs provided a long-term retention solution for Sentinel SIEM. Now once the data lake is enabled, Auxiliary Log tables will be available in the Sentinel data lake for use with the data lake experiences. Billing for Auxiliary Logs will switch to Sentinel data lake meters. Microsoft Sentinel customers are recommended to start planning their data management strategy with the data lake. While Basic and auxiliary Logs are still available, they are not being enhanced further. Please plan on onboarding your security data to the Sentinel data lake. Azure Monitor customers can continue to use Basic and Auxiliary Logs for observability scenarios. 6. What happens to customers that already have Archive logs enabled? If a customer has already configured tables for Archive retention, those settings will be inherited by the Sentinel data lake and will not change. Data in the Archive logs will continue to be accessible through Sentinel search and restore experiences. Mirrored data (in the data lake) will be accessible via lake explorer and notebook jobs. Example: If a customer has 12 months of total retention enabled on a table, 2 months after enabling ingestion into the Sentinel data lake, the customer will still have access to 12 months of archived data (through Sentinel search and restore experiences), but access to only 2 months of data in the data lake (since the data lake was enabled). Key considerations for customers that currently have Archive logs enabled: The existing archive will remain, with new data ingested into the data lake going forward; previously stored archive data will not be backfilled into the lake. Archive logs will continue to be accessible via the Search and Restore tab under Sentinel. If analytics and data lake mode are enabled on table, which is the default setting for analytics tables when Sentinel data lake is enabled, data will continue to be ingested into the Sentinel data lake and archive going forward. There will only be one retention billing meter going forward. Archive will continue to be accessible via Search and Restore. If Sentinel data lake-only mode is enabled on table, new data will be ingested only into the data lake; any data that’s not already in the Sentinel data lake won’t be migrated/backfilled. Data that was previously ingested under the archive plan will be accessible via Search and Restore. 7. What is the guidance for customers using Azure Data Explorer (ADX) alongside Microsoft Sentinel? Some customers might have set up ADX cluster to augment their Sentinel deployment. Customers can choose to continue using that setup and gradually migrate to Sentinel data lake for new data to receive the benefits of a fully managed data lake. For all new implementations it is recommended to use the Sentinel data lake. 8. What happens to the Defender XDR data after enabling Sentinel data lake? By default, Defender XDR retains threat hunting data in the XDR default tier, which includes 30 days of analytics retention, which is included in the XDR license. You can extend the table retention period for supported Defender XDR tables beyond 30 days. For more information see Manage XDR data in Microsoft Sentinel. Note: Today you can't ingest XDR tables directly to the data lake tier without ingesting into the analytics tier first. 9. Are there any special considerations for XDR tables? Yes, XDR tables are unique in that they are available for querying in advanced hunting by default for 30 days. To retain data beyond this period, an explicit change to the retention setting is required, either by extending the analytics tier retention or the total retention period. A list of XDR advanced hunting tables supported by Sentinel are documented here: Connect Microsoft Defender XDR data to Microsoft Sentinel | Microsoft Learn. KQL queries and jobs 1. Is KQL and Notebook supported over the Sentinel data lake? Yes, via the data lake KQL query experience along with a fully managed Notebook experience which enables spark-based big data analytics over a single copy of all your security data. Customers can run queries across any time range of data in their Sentinel data lake. In the future, this will be extended to enable SQL query over lake as well. 2. Why are there two different places to run KQL queries in Sentinel experience? Consolidating advanced hunting and KQL Explorer user interfaces is on the roadmap. Security analysts will benefit from unified query experience across both analytics and data lake tiers. 3. Where is the output from KQL jobs stored? KQL jobs are written into existing or new analytics tier table. 4. Is it possible to run KQL queries on multiple data lake tables? Yes, you can run KQL interactive queries and jobs using operators like join or union. 5. Can KQL queries (either interactive or via KQL jobs) join data across multiple workspaces? Yes, security teams can run multi-workspace KQL queries for broader threat correlation. Pricing and billing 1. How does a customer pay for Sentinel data lake? Sentinel data lake is a consumption-based service with disaggregated storage and compute business model. Customers continue to pay for ingestion. Customers set up billing as a part of their onboarding for storage and analytics over data in the data lake (e.g. Queries, KQL or Notebook Jobs). See Sentinel pricing page for more details. 2. What are the pricing components for Sentinel data lake? Sentinel data lake offers a flexible pricing model designed to optimize security coverage and costs. For specific meter definitions, see documentation. 3. What are the billing updates at GA? We are enabling data compression billed with a simple and uniform data compression rate of 6:1 across all data sources, applicable only to data lake storage. Starting October 1, 2025, the data storage billing begins on the first day data is stored. To support ingestion and standardization of diverse data sources, we are introducing a new Data Processing feature that applies a $0.10 per GB charge for all uncompressed data ingested into the data lake for tables configured for data lake only retention. (does not apply to tables configured for both analytic and data lake tier retention). 4. How is retention billed for tables that use data lake-only ingestion & retention? During the public preview, data lake-only tables included the first 30 days of retention at no cost. At GA, storage costs will be billed. In addition, when retention billing switches to using compressed data size (instead of ingested size), this will change, and charges will apply for the entire retention period. Because billing will be based on compressed data size, customers can expect significant savings on storage costs. 5. Does “Data processing” meter apply to analytics tier data duplicated in the data lake? No. 6. What happens to billing for customers that activate Sentinel data lake on a table with archive logs enabled? Customers will automatically be billed using the data lake storage meter. Note: This means that customers will be charged using the 6X compression rate for data lake retention. 7. How do I control my Sentinel data lake costs? Sentinel is billed based on consumption and prices vary based on usage. An important tool in managing the majority of the cost is usage of analytics “Commitment Tiers”. The data lake complements this strategy for higher-volume data like network and firewall data to reduce analytics tier costs. Use the Azure pricing calculator and the Sentinel pricing page to estimate costs and understand pricing. 8. How do I manage Sentinel data lake costs? We are introducing a new cost management experience (public preview) to help customers with cost predictability, billing transparency, and operational efficiency. These in-product reports provide customers with insights into usage trends over time, enabling them to identify cost drivers and optimize data retention and processing strategies. Customers will also be able to set usage-based alerts on specific meters to monitor and control costs. For example, you can receive alerts when query or notebook usage passes set limits, helping avoid unexpected expenses and manage budgets. See documentation to learn more. 9. If I’m an Auxiliary Logs customer, how will onboarding to the Sentinel data lake affect my billing? Once a workspace is onboarded to Sentinel data lake, all Auxiliary Logs meters will be replaced by new data lake meters. Thank you Thank you to our customers and partners for your continued trust and collaboration. Your feedback drives our innovation, and we’re excited to keep evolving Microsoft Sentinel to meet your security needs. If you have any questions, please don’t hesitate to reach out—we’re here to support you every step of the way.
Benchmarks to compare Copilot adoption coming to Copilot Dashboard
We’re excited to announce the initial rollout of Benchmarks in the Microsoft Copilot Dashboard in Viva Insights. This new feature lets organizations compare Copilot usage internally across different company groups, as well as externally against similar companies. These insights help identify adoption trends and provide broader context and new opportunities to improve Copilot engagement. With these changes, the Microsoft Copilot Dashboard will include: Internal benchmarks to compare cohorts within your company based on manager types, regions, and job functions: Percentage of active Copilot users Adoption by app Returning user percentage External benchmarks to compare your percentage of active Copilot users with: Top 10% and Top 25% of companies like yours Top 10% and Top 25% overall benchmarks FAQs What are cohort benchmarks? The cohort benchmark is based on a comparison cohort of employees within your company who share similar job functions, regions, or manager roles. The calculation uses Job function, Region, and Manager attributes to determine expected values by role. The cohort result looks at the role composition of the selected group, and constructs a weighted average expected result based on matching roles across the tenant. What are external benchmarks? External benchmarks represent results for other companies that use Copilot or a group of companies like yours. Benchmarks based on “companies like yours” can include companies that share the same industry, size tier, and/or headquarters region as your own company. Industry and headquarters region are descriptive values that your company provides to Microsoft when using Microsoft services and can be updated through your sales representative. Any external benchmark represents at least 20 companies. How does Microsoft ensure privacy when calculating external benchmarks? External benchmarks are calculated using randomized mathematical models to ensure privacy. Each benchmark group includes at least 20 companies and is derived from approximations to prevent the use of any single company’s actual data. Are you planning to add more benchmarked metrics? We’re carefully assessing the quality of external benchmarks and plan to incorporate user feedback as we evaluate adding additional benchmarks. Benchmarks in the Copilot Dashboard are currently only available to private preview customers. We’ll begin to roll out this new functionality to all customers later this month. Learn more about how to use the Copilot Dashboard.What's New in Microsoft EDU - October 2025
Join us on Wednesday, October 22nd, 2025 for our latest "What's New in Microsoft EDU" webinar! These 30-minute webinars are put on by the Microsoft Education Product Management group and happen once per month, this month both 8:00am Pacific Time and 4:00pm Pacific time to cover as many global time zones as possible around the world. And don’t worry – we’ll be recording these and posting on our Microsoft Education YouTube channel in the new “What’s New in Microsoft EDU” playlist, so you’ll always to able to watch later or share with others! Here is our October 2025 webinar agenda: M365 Copilot and AI updates for Educators and Students Learning Zone public preview and the Copilot+ PC Microsoft 365 LTI for Learning Management Systems AMA - Ask Microsoft EDU Anything (Q&A) We look forward to having you attend the event! How to sign up OPTION 1: October 22nd, Wednesday @ 8:00am Pacific Time Register here OPTION 2: October 22nd, Wednesday @ 4:00pm Pacific Time Register here This is what the webinar portal will look like when you register: We look forward to seeing you there! Mike Tholfsen Group Product Manager Microsoft Education
Revolutionizing log collection with Azure Monitor Agent
The much awaited deprecation of the MMA agent is finally here. While still sunsetting, this blog post reviews the advantages of AMA, different deployment options and important updates to your favorite Windows, Syslog and CEF events via AMA data connectors.What’s New in Microsoft Teams | September 2025
Hey Microsoft Tech Community, we’re back with the latest updates to Microsoft Teams! This month we’re excited to spotlight many new features, like Threads in Channels which lets you reply directly to specific messages, keeping related conversations grouped together and preserving context without disrupting the main flow; updates to Teams AI Library that enables developers to build more powerful collaborative agents for Teams; and Teams Phone Extensibility for CCaaS and Dynamics 365 Contact Center that helps customers benefit from and extend their existing telephony investment with Teams Phone into the contact center. In addition to these exciting features, earlier this month, we announced the latest wave of Copilot innovation in Teams: we are now giving every channel, meeting, and community an agent that can collaborate with you and your team, acting as a virtual teammate. We share more about these agents below. Teams Rooms users have reason to celebrate as well, because the Facilitator agent is available in Microsoft Teams rooms with a Pro license. And Windows touch boards now support private browsing with Microsoft Edge, enabling secure access to websites and business web apps during and outside of meetings. Using touch boards in Teams Rooms is easier too, with Universal Touch Console support. Users can control Teams Rooms from either the table console or directly on the touch board, including devices like Surface Hub 3. All these updates are designed to help you work smarter, automate the routine, and get more from every minute you spend in Teams. Our goal is to give you the tools to maximize your productivity and improve collaboration and communication across your team. Let’s take a closer look at what’s new! New features released this month: Chat and collaboration Platform Meetings, webinars, and town halls Teams Phone Workplace: Places and Teams Rooms Fundamentals and Security Frontline Worker Solutions Certified for Teams Devices Chat and Collaboration Agents in channels [Public Preview] Teams channels provide an organized space for teams to manage workstreams and communicate with stakeholders. Now, each channel can have a Channel Agent that draws on its conversations and meetings to act as a domain expert for the team. These agents adopt the channel’s name and help with common tasks – for example, flagging important deadlines that are buried in conversations, summarizing progress with succinct status reports, assigning tasks and due dates, and answering questions asked in natural language like “What’s the latest on our budget?” You can even invite these agents into meetings when you need expert insights in the discussion. Channel Agent is now in Public Preview* for users with a Microsoft 365 Copilot license. Learn more. Threads in channels Threads in channels let you reply directly to specific messages, keeping related conversations grouped together and preserving context without disrupting the main flow. This makes it easier to stay up to date, while allowing for in-depth discussions. You can follow the threads that matter most to you, and when an important update or decision is made, you can send it back to the main conversation, so everyone stays aligned without requiring them to sift through every reply. The Followed Threads view brings all your followed conversations into one interactive list. You can quickly access all your threads, triage and respond—without jumping between channels. And when you're done with a thread, unfollow it to stop receiving future updates. Learn more here. Enhanced AI thread summary in channels Stay on top of your conversations with enhanced AI-generated thread summaries, available in post/reply and threaded channels. When a conversation becomes lengthy, Copilot helps you catch up without reading every message by offering a “summarize thread” entry point, making it easy to stay informed within your workflow. Based on customer feedback, we structured these summaries to a clear, scannable format, which includes a brief overview highlighting the key takeaways, followed by a bulleted list organized by topic. Thread summaries provide a fast, focused way for users to get caught up on content that matters most to them. AI thread summary is available with Microsoft 365 Copilot license. New Workflows app experience in Teams [Public Preview] The newly redesigned Workflows experience in Teams makes automation easier and more accessible than ever. With a simple interface, it helps you automate day-to-day tasks, like getting updates from your teammates, automatically routing documents for approvals as they get modified, or adding tasks to Planner from messages without ever having to leave Teams. Additionally, you can now use new AI-powered workflow templates to automate tasks with Copilot or your channel’s agent — no coding required. This experience is currently in Public Preview. To access the AI workflows, users need a M365 Copilot license. Teams platform Sharing Apps and Agents in Teams To streamline interactions with apps and agents in Teams, we have introduced context aware buttons to link previews. These buttons will show the main action you can take with the link, depending on the app and where the link is shared. For example, if you share a SharePoint agent in a Teams Channel, the button CTA will say “Add to this Channel”, making the next step for the end user intuitive and efficient. Teams AI Library The updated Teams AI Library enables developers to build more powerful collaborative agents for Teams. With the enhanced version in GA for JavaScript and C#, and in Public Preview for Python, the library simplifies the creation of custom agents and provides access to the latest capabilities including Agent-to-Agent collaboration (A2A), Model Context Protocol (MCP), agentic memory, and more. It is generally available in C# and JavaScript, and in Public Preview for Python. GitHub app for Teams [Public Preview] Developers can @mention GitHub in a Teams channel to generate code directly from team discussions, turning conversations into working code without leaving Teams. The GitHub app for Teams understands your conversation in the Teams channel and helps turn that conversation into code, tests, documentation and pull requests. Github app for Teams is currently in Public Preview. Learn more in our recent GitHub blog post. Meetings, webinars, and town halls Facilitator agent Facilitator, the AI agent for every meeting, is now generally available. It joins your Microsoft Teams meetings to keep conversations focused, organized, and action‑oriented—adding productivity, not work. With a natural, conversational interface, participants can collaborate with each other and the agent in real time while Facilitator manages the end‑to‑end flow: it sets an agenda from the invite or infers goals from the discussion; keeps conversations on track with a visible timeline, smart time allocations, and gentle reminders; captures editable, real‑time notes; answers questions with meeting context and relevant web information; and records, assigns, and updates tasks, syncing with Planner for seamless follow‑through. When a new document is needed, it offers one‑click creation and generates a first draft in Word or Loop. Facilitator is also available in Teams Rooms and on mobile—extending chat, notes, and timers, and even capturing ad‑hoc hallway syncs—so every decision and action is captured. Enhanced Meeting Protection – Prevent Screen Capture [Premium] To address the issue of unauthorized screen captures during meetings, the Prevent Screen Capture feature ensures that if a user attempts to take a screen capture, the meeting window will turn black, thereby protecting sensitive information. This feature will be available on Teams desktop applications (both Windows and Mac) and Teams mobile applications (both iOS and Android). For users joining from unsupported platforms, they will be placed in audio-only mode to maintain the integrity of the meeting's content. This feature is available with a Teams Premium license. Countdown timer for Teams Meetings Manage time and streamline meeting discussions with the new countdown timer for Teams meetings, a tool designed to keep meetings efficient and on schedule. Any user can easily add a timer of any duration to the meeting (up to 100 minutes), which will appear in the meeting window for all participants with controls to start, stop, pause, and add more time. Colors automatically change as the timer gets closer to zero to help keep the speaker on track. Decorate your background in GCC (Premium) Decorate your background is now available to customers in GCC and GCC High environments. It is a generative background effect in Teams that makes meetings more fun and personal by using AI to spruce up your meeting background. With it, you can blend your physical and digital spaces and revamp what can be seen of your physical meeting space for each call. This technology allows for effortless room clean-up and adds virtual plants or festive decorations for special events. Decorate your background requires a Teams Premium license. Real-Time Mic Volume Indicator for Teams Meetings Introducing the Mic Volume Indicator for Teams meetings, a feature designed to provide real-time visual feedback on your audio levels. Positioned on the user bar, this indicator ensures your voice is captured correctly, eliminating the need to ask, “Can you hear me?” By offering continuous visual confirmation, it enhances user confidence and reduces communication breakdowns. It streamlines meeting efficiency by minimizing interruptions and ensuring communication that works. Organizer controls now available in meeting toolbar Take control of your meetings—right from the toolbar! Managing your Teams meetings is now faster and easier. Organizers and co-organizers will see a new ‘Controls’ button directly on the meeting toolbar—giving instant access to key settings for secure and seamless meetings. If an organizer has Teams Premium license, they'll unlock even more functionality with the Advanced Protection section inside the Controls flyout. Need deeper customization? Just click ‘View more’ at the bottom of the flyout to open the full Meeting Options panel. Enhanced privacy and stability for live captions To improve privacy, when transcription is off, captions will now show only the past five minutes of dialogue instead of the full meeting. If transcription is on, captions display the entire conversation, just like with live transcription. We’ve also fixed an issue where changing the caption position could cause data loss—now, moving captions will not affect the text shown. These updates also apply to Real-time Text (RTT), ensuring a consistent and reliable experience. Chat for organizers and presenters in webinars Organizers, co-organizers, and presenters can now take advantage of a dedicated private chat in webinars, separate from attendee conversations. This feature is available before, during, and after the event, allowing presenters and event staff to coordinate easily and ensure smooth webinar delivery. Teams Phone Teams Phone extensibility for CCaaS and Microsoft D365 Contact Center Teams Phone extensibility is generally available for contact center as a service (CCaaS) ISV solutions and Dynamics 365 Contact Center to help customers benefit from and extend their existing telephony investment with Teams Phone into the contact center. Customers of Teams Phone can now leverage Teams Phone as a single, integrated solution to power calling across their unified communications as a service (UCaaS) and CCaaS solutions. According to a commissioned Total Economic Impact™ study conducted by Forrester Consulting 1 , organizations using Teams Phone extensibility with Dynamics 365 Contact Center could see projected ROI and benefits PV as high as 345% and $3.5M respectively by year 3. Download the full report to learn more. ISV solutions that have completed certification for Teams Phone extensibility include AudioCodes, CentrePal, ComputerTalk, Heedify, and Landis 2 . We look forward to adding additional certified contact solutions to this growing ecosystem in the months ahead. 1 Projected benefits for a composite customer. New Technology: The Projected Total Economic Impact™ Of Microsoft Dynamics 365 Contact Center with Teams Phone extensibility, Forrester Consulting, Casey Sirotnak, Jonathan Lipsitz, August 2025 2 While certification is not required to access the Azure Communication Services API that enables Teams Phone extensibility, we recommend selecting a contact center solution that has completed the certification process for the best experience. If you are a contact center developer, learn more about enabling Teams Phone calling for your CCaaS solution. Support for Voice Applications Settings for Authorized Users in GCC High and DoD cloud environments [Premium] Teams Premium admins in GCC High and DoD cloud environments can now assign voice application policies to authorized users, granting them permission to configure auto attendants and call queues directly in Teams settings. Authorized users can opt team members in or out, streamlining team communications and response to business needs while maintaining security and oversight. Learn more. Workplace: Places and Teams Rooms Facilitator agent generally available for scheduled meetings in Teams Rooms You can take advantage of the Facilitator agent in Teams Rooms on Windows or Android for real-time AI-generated notes, follow up items, and keeping everyone on time during scheduled meetings. Facilitator appears in the meeting chat and participants can toggle between notes, chat, and the agent. Facilitator for ad-hoc meetings, invoked by QR code scan, is available in public preview. Available with Teams Rooms Pro. Learn more here. Browser support on Teams Rooms on Windows touch boards Now you can access websites and line-of-business web applications using private browsing mode with Microsoft Edge on Teams Rooms on Windows touch boards, including Surface Hub 3. You can use the browser during meetings or outside of them, and admins can manage browsing policies, via the Pro Management portal, to ensure a secure and safe browsing experience. Available with Teams Rooms Pro. Learn more. Universal Touch Console support for Teams Rooms on Windows touch boards Using touch boards in a room is easier than ever with Universal Touch Console support. Once set up by an admin, you can control Teams Rooms on Windows touch boards, including Surface Hub 3, using the console on the table or by touching the board device. Preview of multiple camera view in Teams Rooms on Windows When multiple camera views are enabled in Teams Rooms on Windows, the preview video on the front-of-room display and the camera settings dialog will show multiple camera views. This feature allows in-room users to be aware of all camera feeds that are simultaneously streaming to remote users. Available with the Teams Rooms Pro license. Learn more here. DoD support in Teams Rooms Pro Management Department of Defense (DoD) customer tenants now have access to the Teams Rooms Pro Management service and portal, enabling them to use the remote device management and analytics features of the solution while meeting high security and privacy standards. Learn more here. Fundamentals and Security Migration Tool for Teams IT admins can now seamlessly migrate content from public and private channels in a third-party solution to Teams standard channels. Using a new first-party Migration tool in Microsoft Admin Center (MAC), admins can connect the third-party workspace, plan the migration, and execute the content transfer to Teams with ease. Unified building and endpoint metadata for reporting Teams Administrators can now use a single, unified process to upload and maintain the building and endpoint metadata that enriches calling and meeting reports. This new process replaces Reporting Labels and ensures that the building and endpoint information you upload is used in both Tenant Admin Center and Call Quality Dashboard. The data is stored in the Call Quality Dashboard (CQD) system and is used for call reporting, with no connection to Places or e911. Silent test call Silent test call provides the ability for IT admins to proactively run a synthetic simulation of a Teams call to the subnet, and to examine network readiness before any issue occurs. It provides tenant admins comprehensive visibility of their Teams environment, including infrastructure aspects such as network and devices, even during periods of no activity or minimal user interactions. Frontline Worker Solutions Link your existing frontline teams with flexible membership Save valuable time while transforming how you manage your frontline teams with flexible membership. By connecting your existing teams to the frontline workforce management tool in the Teams Admin Center, memberships automatically sync with Microsoft Entra attributes—keeping everything up to date with zero extra effort. And when you need added control, frontline managers can easily add or remove team members with just a few clicks. Learn more here. Certified for Teams Devices Yealink MeetingBoard Pro MTRW Series-65 and-75 The MeetingBoard Pro combines video conferencing, display, and smart whiteboard into an all-in-one solution with plug-and-play convenience and a clutter-free design. Delivering Pro View, Pro Sound, Pro Interact and powered by Pro Core, it features a triple 50MP camera system with advanced AI for precise tracking and a 16 MEMS mic array with AI-enhanced audio for crystal-clear conversations up to 12m/129 Sq Ft. MAXHUB XBar U50 and V50 Kit The MAXHUB XBar U50 is a USB-mode dual-camera videobar designed for small rooms and BYOD scenarios. With 100MP dual-lens camera, 12 beamforming microphones, AI-enhanced audio, and FlexMount for easy installation, it offers plug-and-play conferencing without fixed systems for ultimate flexibility. The solution includes 3-year service coverage and remote device management via MAXHUB Pivot — simplifying deployment and maintenance for IT admins. AudioCodes RXV200 + RXVCam70 + Shure Large Room Kit Elevate your large meeting spaces with a state-of-the-art collaboration solution, seamlessly integrating the AudioCodes RXV200 Android Intelligent A/V Hub, the AudioCodes RXVCam70 PTZ Camera and a Shure Large Room Audio System. Also included is the RX-PAD meeting room controller that simplifies meeting setup and device control. This bundle is engineered to deliver an exceptional Microsoft Teams Rooms experience for exceptional hybrid productivity, ensuring every participant, regardless of location, feels fully engaged and clearly heard. Owl Labs Meeting Owl 4+ The Meeting Owl 4+ is the first AI-powered 360° camera, speaker and microphone device that powers millions of global meetings. It combines 360° video and audio coverage with award-winning speaker-switching software to power effective hybrid collaboration in any space. The Meeting Owl’s proprietary Owl Intelligence System™ uses visual and audio cues to automatically focus on and capture the best view of in-room speakers in 4K video so remote participants can engage and participate in hybrid discussions effectively and productively. Yealink MP45 Teams MP45 USB desktop phone brings new meaning to the USB desktop phone with a 4-inch touch screen, telephone keypad and HD audio. You can connect and power the MP45 USB desktop phone via the USB cable with a USB-A/C adapter for easy installation and use without carrying additional cables or installing drivers. Connect the phone to any PC running Microsoft Teams and it will instantly be ready to start placing or receiving phone calls. The MP45 USB desktop phone provides convenient buttons for call control, such as a full dial pad, keys for controlling volume, mute, speakerphone, hold, redial, external headset mode and a dedicated Teams button to move Microsoft Teams instantly to the foreground. Logitech Zone Vibe Wireless (Native Bluetooth) Now you can ditch the dongle with Zone Vibe Wireless, an over-the-ear headset with modern design and comfort. Certified for Microsoft Teams over native Bluetooth, this product is ideal for video conferencing. Multipoint Bluetooth® enables users to easily switch between devices and delivers business-grade audio quality. The Zone Vibe’s lightweight design and battery longevity make it great for both office and home use. New Yealink Headsets: Yealink WH68 Teams USB-C/A This headset is designed for efficient communication, integrating DECT and Bluetooth dual-mode technology for seamless multi-device switching and ANC (Active Noise Cancellation) technology. Yealink WH64 Mono Teams & WH64 Dual Teams Ideal for clear conversations and smooth office experiences, these wireless headsets for business communication integrate DECT and Bluetooth modes, offering efficiency and flexibility. Advanced acoustic shield technology 2.0 filters out background noise, the busy light signals your call status, and the ergonomic design provides all-day comfort. Yealink WH64 Hybrid Mono Teams & WH64 Hybrid Dual Teams Wireless headsets with a DECT dongle for Hybrid working. Integrated DECT and Bluetooth modes offer a flexible and efficient solution for multi-connection mobile working in various scenarios. Advanced acoustic shield technology 2.0 filters out background noise, and the DECT wireless connectivity technology offers an exceptional call range of up to 150 m. Yealink WH63 E2 Teams A convertible DECT wireless headset supporting multi-device connection and control, designed for flexible and efficient calls in diverse office environments. Yealink UH48 Dual Teams USB-C/A A wired headset featuring hybrid ANC with two levels of ANC depth, 4-mic noise cancellation with acoustic shield 3.0 technology and extensively researched ergonomic design to ensure optimal stability and long-term comfort. Yealink UH46 Mono Teams USB-C/A & UH46 Dual Teams USB-C/A Wired headsets featuring 3-mic AI noise cancellation, ergonomic comfort, durable materials, flexible and fast plug-and-play, inline controls, and dual busy lights for all-angle visibility and fewer interruptions. Yealink UH35 Mono Teams USB-A & UH35 Dual Teams USB-A Professional USB wired headset with 35mm stereo speakers, dual mics with advanced noise cancellation, noise-isolating oval foam ear cushions. They are lightweight and comfortable for extended wear and can work seamlessly with UC platforms and Yealink IP phones. Yealink BH74 Teams USB-C/A A versatile headset for office, home, or travel, equipped with advanced microphone noise cancellation and ANC to ensure clear and immersive phone conferences and music enjoyment. The BH74 boasts long battery life, effortless usability and exceptional comfort for extended wear throughout the day. With impeccable stereo playback sound quality, you can always indulge in an unparalleled audio experience.From idea to Security Copilot agent: Create, customize, and deploy
This week at Microsoft Secure, we announced the next big step forward in agentic security. In addition to Microsoft and partner-built agents, you can now create your own Security Copilot agents, extending the growing ecosystem of agents that help teams automate workflows, close gaps, and drive stronger security and IT outcomes. Why it matters: no two environments are the same. Out-of-the-box agents give you powerful starting points, but your workflows are unique. With custom agents, you get the flexibility to design and deploy solutions that fit your organization. Two ways to build: Your choice, your workflow Security Copilot gives you options. Analysts can easily build with a no-code interface. Developers can stay in their preferred coding environment. Either way, you end up with a fully functional, testable, and deployable agent. For full documentation and detailed guidance on building agents, check out the Microsoft Security Copilot documentation. But now, let’s walk through the key steps so you can get started building your own agent today. Option 1: Build in Security Copilot, no coding required Step 1: Create in natural language Click ‘Build’ in the left nav, describe what you want your agent to do in plain language, and submit. Security Copilot will engage in a back-and-forth conversation to clarify and capture your intent so you start with precision. Step 2: Auto-generate the configuration Security Copilot instantly creates a starter setup, giving you: An agent name and description Clear instructions and input parameters Recommended tools pulled from the catalog, including Microsoft, partner, and Sentinel MCP tools This saves time and generates a strong foundation you can build on Step 3: Customize to fit your needs Tailor the configuration to your needs, you can edit any part. Update instructions, swap tools, or add new ones from the tool catalog. If the right tool isn’t available, you can create one in natural language or a form-based experience. You’re in full control of how your agent works. Step 4: Keep YAML and no-code views aligned Every change you make is automatically reflected in the underlying YAML code. This ensures consistency between the no-code visual and code views, so both analysts and developers can work with confidence. Toggle on ‘view code’ to see it live. Step 5: Test and elevate with autotune instruction optimization Run full end-to-end tests or test individual components to see how your agent performs. Security Copilot shows detailed outputs and a step-by-step activity map of the agent’s dynamic plan, including the tools, inputs, and outputs. While you can test without it, turning on autotune instruction optimization delivers major advantages: Refined instruction recommendations you can copy directly into your config AI quality scoring on clarity, grounding, and detail to ensure your agent is effective before publishing Faster iteration with confidence your agent is tuned for real-world use Explore the activity graph tab to view a visual node map of the run, and click any node to see details of what happened at each step. Step 6: Publish and share When you’re ready, publish the agent into your Security Copilot instance at either a user or workspace scope (depending on admin permissions). If you’re a partner, you can also download the agent code, publish to the Microsoft Partner Center and contribute it to the Microsoft Security Store for broader visibility and adoption by customers. Benefit: Build production-ready agents in minutes without writing a single line of code. It’s that easy to build an agent tailored to your unique workflows, and you are not limited to the Security Copilot portal. If you prefer a developer-friendly environment, you can build entirely in VS Code using GitHub Copilot and Microsoft Sentinel MCP tools. You still get AI-powered guidance, YAML scaffolding, and testing support, along with rich context from Sentinel data and the full platform toolset, all while staying in the environment that works best for you. Option 2: Build in VS Code using GitHub Copilot + Microsoft Sentinel MCP Tools Step 1: Set up your development environment Enable the Microsoft Sentinel MCP server in VS Code. This gives you direct access to the collection of Security Copilot agent creation MCP tools and integrates with GitHub Copilot for code generation – all while staying in your preferred workspace. Step 2: Define agent behavior from natural language with platform context Describe the agent you want to build in natural language. GitHub Copilot interprets your intent, selects the relevant MCP tools, find relevant skills and tools in Security Copilot for your agent, and crafts the agent instructions. The agent YAML gets generated and outputted back to you. Because your agent is built on Microsoft Security Copilot and Sentinel, it automatically leverages rich data and tooling across the platform for context-aware, more effective results. Step 3: Iterate, customize and extend your agent Modify instructions, add tools, or create new tools as needed. Use prompts to vibe code your edits or copy the YAML into the code editor and directly modify the agent YAML there. GitHub Copilot keeps the chat and code in sync. Step 4: Deploy to Security Copilot for testing Once you’re ready to test your agent YAML, prompt GitHub Copilot to deploy the agent to your user scope. Then head to the Security Copilot portal to test and optimize your agent with autotune instruction optimization. Take advantage of detailed outputs, activity maps, and AI scoring to refine instructions and ensure your agent performs effectively in real-world scenarios. Step 5: Publish and share your agent Once validated, publish the agent into your Security Copilot instance at either user or workspace scope (depending on admin permissions). Partners can also download the agent code, publish to the Microsoft Partner Center, and contribute it to the Microsoft Security Store for broader discoverability and adoption. What you get: Full code-level control and the same AI-powered agent development experience while staying in your preferred workspace. Whichever approach you choose, you can build, test, and deploy agents that fit your workflows and environment. Microsoft Security Copilot and Microsoft Sentinel give you the tools and advanced AI guidance to create agents that work for your organization. Explore the Microsoft Security Store Automate your workflows with pre-built solutions. The Microsoft Security Store gives you a central place to discover and deploy agents and SaaS solutions created by Microsoft and partners. Browse ready-to-use solutions, learn from proven approaches, and adapt them with your own customizations. It’s the quickest way to expand your ecosystem of agents and accelerate impact. More resources about the Security Store: What is Security Store? Microsoft Learn Build, deploy, defend Security Copilot puts the power of agentic AI directly in your hands. Start with ready-to-use agents from Microsoft and partners, or create custom agents designed specifically for your environment and workflows. These agents streamline decision-making, surface critical insights, and free your team to focus on strategic security initiatives - making operations faster, smarter, and more responsive. Join us at Microsoft Ignite, online or in-person, for hands-on demos and insights on how Security Copilot agents empower teams to act faster and protect better. More resources on building Security Copilot agents: Watch the Mechanics video to see agents in action: Security Copilot agents Mechanics video For more detailed guidance on building agents, check out the Microsoft Security Copilot documentation Special thanks to my co-authors, Namrata Puri (Principal PM, Security Copilot) and Sherie Pan (PM, Security Copilot), for their insights and contributions
