what's new
412 Topics

What's new in OneNote for EDU - Back to School 2025
It’s back-to-school time, and OneNote EDU is rolling out fresh updates to make life easier for educators and students alike! In this article, we’ll cover the latest OneNote features and updates for education, including:

- Built-in Class Notebook toolbar in OneNote on Windows and for Mac (no more need to download the add-in!) – How to enable it and why it’s great
- New Microsoft 365 LTI 1.3 integration – Streamlined LMS access to Class Notebook, Assignments, Reflect, and more
- Broader OneNote updates – Merge table cells (finally!) and a new option to “paste text only”
- Education Insiders Program (EIP) – How to join and help shape the future of Class Notebook

Let’s dive in and get you ready for an amazing school year with OneNote!

1. Enable the Class Notebook Toolbar natively in OneNote on Windows and for Mac

Class Notebook features are now built directly into OneNote on desktop – no separate add-in required! This means if you’re using OneNote on Windows or for Mac, you already have the Class Notebook tools; you just might need to turn them on. Enabling the native toolbar gives you all the goodies (page distribution, review student work, etc.) right on the ribbon while ensuring you always have the latest updates and better performance than the old add-in.

Why this matters: A built-in toolbar means one less installation to worry about and more reliable updates. Schools no longer need to deploy the legacy add-in for Class Notebook on each device. It’s simpler for IT and ensures every teacher has the Class Notebook tools by default.

How to enable the Class Notebook toolbar:

- In OneNote for Windows (Microsoft 365), click File > Options > General.
- Under Class Notebook, check the box for “Enable Class Notebook” and select OK.
- The Class Notebook tab will appear on your OneNote ribbon, loaded with all the Class Notebook features you know and love.

(Tip: If you previously installed the add-in, you might see two Class Notebook tabs. You can remove the old add-in to avoid confusion.)
For more details, check out the Enable the Class Notebook Toolbar in OneNote Desktop support article.

2. New Microsoft 365 LTI 1.3 Integration for LMS

The new Microsoft 365 LTI app brings OneNote Class Notebook along with other Microsoft 365 Education experiences like Microsoft Assignments, OneDrive/Microsoft 365 files, Teams for collaboration, Teams Meetings and more to your learning management system (LMS). It is compatible with any LTI 1.3 Advantage Platform, and setup instructions can be found here: https://aka.ms/LMSAdminDocs.

Key benefits of the new M365 LTI integration:

- All-in-one access: Once your LMS admin installs the Microsoft 365 LTI, educators and students get one-click access to OneNote Class Notebook, assignments, OneDrive, Teams meetings, Reflect check-ins and more – right from your LMS course. No more juggling separate LTI apps for each tool.
- Automatic roster sync: Class Notebook now supports auto-rostering with LTI 1.3. When you create a Class Notebook through the LMS, all learners and educators in that course are automatically added to the notebook as students and teachers/co-teachers respectively (and will be added automatically if they join later). This beloved feature, previously in older LTI integration, is back – saving you setup time.
- Assignments and grades in your LMS: Using the new LTI, you can create Microsoft Assignments (with Learning Accelerator tools like Reading Progress, etc.) directly in your LMS. Students submit without leaving the LMS, and grades sync back to the LMS gradebook. It brings the power of Teams Assignments into the LMS environment, no Teams class needed.
- Streamlined and up-to-date: The Microsoft 365 LTI replaces several legacy LTI tools (like the old “Teams Classes LTI” and separate OneNote LTI 1.1 app). This reduces confusion and upkeep.

Getting started with the new LTI is simple for IT admins, with full documentation here.
If you’re an educator, check with your IT about enabling the Microsoft 365 LTI for your courses.

3. Broader OneNote updates: merge table cells and paste text only

The OneNote team has been hard at work on core improvements that benefit both educators and students. Here are two notable updates rolling out:

- Merge table cells in OneNote on Windows and for Mac: You asked, and it’s finally here – the ability to merge cells in a table. This means you can take any adjacent cells (horizontal or vertical) in a OneNote table and combine them into one cell (just like in Word or Excel).
- Paste text only in OneNote on Windows, for Mac, and for the web: Ever copy-paste some text into OneNote only to have it bring in crazy fonts or colors from a website or another document? We hear you – and now in OneNote you can use the familiar shortcut Ctrl + Shift + V (Windows) or Cmd + Shift + V (Mac) to paste plain text, stripping out all the source formatting. The pasted content will match your current notebook’s font style. This also works via the right-click menu: choose Paste > Keep Text Only. It’s a small quality-of-life change that can save a ton of cleanup time, especially when gathering materials from various sources into your lesson plans or content library. Read more about this here: Paste text only in OneNote on Windows, for Mac, and for the web

All these updates are either available now or rolling out to OneNote users:

- Merge table cells is currently in preview for Office Insiders (as of late July 2025) and will reach all OneNote desktop clients in the coming updates.
- Paste Text Only is rolling out to OneNote for the web users and OneNote users running the most recent versions on Windows and on Mac.

Features are released over some time to ensure things are working smoothly, so don’t worry if you can’t see it quite yet.

4. Join the Education Insiders Program (EIP)

Lastly, a call to action for passionate educators: if you love getting early access to new features or want to provide direct feedback to the OneNote and Class Notebook team, consider joining the Education Insiders Program (EIP). This is a free community for K-12 and higher-ed tech leaders, teachers, and IT administrators who use Microsoft tools. As an Education Insider, you can:

- Preview and influence new features: Get invites to try out early builds or pilot programs (with your school’s Office 365 tenant) and share feedback before features launch worldwide. For example, insiders often get to test things like the latest Class Notebook updates and provide input.
- Participate in the Class Notebook insiders channel: There’s a dedicated Class Notebook discussion space where you can discuss ideas, ask questions, and interact with Microsoft product managers and other educators. It’s a direct line to share what you’d love to see in OneNote.

Sound interesting? Sign up for EIP via this form. Once accepted, you’ll be plugged into the insider community, including the Class Notebook channel where you can weigh in on the future of OneNote.

(By joining EIP, you’ll help shape products like OneNote – many of the features in this blog (such as merged table cells and the new LTI integration) were influenced by feedback from educators. We’d love to have your voice in the mix!)

We hope these updates get you excited for back to school with OneNote. Whether you’re empowering students with more organized Class Notebooks, integrating OneNote more seamlessly into your LMS, or just enjoying a smoother note-taking experience, there’s a lot to look forward to this year. Try out these new features in your classroom workflow, and let us know what you think. You can drop your thoughts in the comments or join the conversation in the Education Insiders community. Here’s to a successful and innovative school year ahead with OneNote!
💜 Which new OneNote EDU feature are you most excited about? Let us know in the comments, and have a fantastic start to the school year!

What’s new in Microsoft Sentinel: February 2026
February brings a set of new innovations to Sentinel that help you work with security content across your SOC. This month’s updates focus on how security teams ingest, manage, and operationalize content, with new connectors, multi-tenant content distribution capabilities, and an enhanced UEBA Essentials solution to surface high‑risk behavior faster across cloud and identity environments. We’re also introducing new partner-built agentic experiences available through Microsoft Security Store, enabling customers to extend Sentinel with specialized expertise directly inside their existing workflows. Together, these innovations help SOC teams move faster, scale smarter, and unlock deeper security insight without added complexity.

Expand your visibility and capabilities with Sentinel content

Seamlessly onboard security data with growing out-of-the-box connectors (general availability)

Sentinel continues to expand its connector ecosystem, making it easier for security teams to bring together data from across cloud, SaaS, and on-premises environments so nothing critical slips through the cracks. With broader coverage and faster onboarding, SOCs can unlock unified visibility, stronger analytics, and deeper context across their entire security stack. Customers can now use out-of-the-box connectors and solutions for:

- Mimecast Audit Logs
- CrowdStrike Falcon Endpoint Protection
- Vectra XDR
- Palo Alto Networks Cloud NGFW
- SocPrime
- Proofpoint on Demand (POD) Email Security
- Pathlock
- MongoDB
- Contrast ADR

For the full list of connectors, see our documentation. Share your input on what to prioritize next with our App Assure team.

Microsoft 365 Copilot data connector (public preview)

The Microsoft 365 Copilot connector brings Microsoft 365 Copilot audit logs and activity data into Sentinel, giving security teams visibility into how Microsoft 365 Copilot is being used across their organization.
Once ingested, this data can power analytics rules, custom detections, workbooks, automation, and investigations, helping SOC teams quickly spot anomalies, misuse, and policy violations. Customers can also send this data to the Sentinel data lake for advanced scenarios, such as custom graphs and MCP integrations, while benefiting from lower cost ingestion and flexible retention. Learn more here.

Transition your Sentinel connectors to the codeless connector framework (CCF)

Microsoft is modernizing data connectors by shifting from Azure Function based connectors to the codeless connector framework (CCF). CCF enables partners, customers, and developers to build custom connectors that ingest data into Sentinel with a fully SaaS managed experience, built-in health monitoring, centralized credential management, and enhanced performance. We recommend that customers review their deployed connectors and move to the latest CCF versions to ensure uninterrupted data collection and continued access to the latest Sentinel capabilities. As part of Azure’s modernization of custom data collection, the legacy custom data collection API will be retired in September 2026.

Centrally manage and distribute Sentinel content across multiple tenants (public preview)

For partners and SOCs managing multiple Sentinel tenants, you can centrally manage and distribute Sentinel content across multiple tenants from the Microsoft Defender portal. With multi-tenant content distribution, you can replicate analytics rules, automation rules, workbooks, and alert tuning rules across tenants instead of rebuilding the same detections, automation, and dashboards in one environment at a time. This helps you onboard new tenants faster, reduce configuration drift, and maintain a consistent security baseline while still keeping local execution in each target tenant under centralized control.
Learn more: New content types supported in multi-tenant content distribution

Find high-risk anomalous behavior faster with an enhanced UEBA essentials solution (public preview)

UEBA Essentials solution now helps SOC teams uncover high‑risk anomalous behavior faster across Azure, AWS, GCP, and Okta. With expanded multi-cloud anomaly detection and new queries powered by the anomalies table, analysts can quickly surface the riskiest activity, establish reliable behavioral baselines, and understand anomalies in context without chasing noisy or disconnected signals. UEBA Essentials aligns activity to MITRE ATT&CK, highlights complex malicious IP patterns, and builds a comprehensive anomaly profile for users in seconds, reducing investigation time while improving signal quality across identity and cloud environments.

UEBA Essentials is available directly from the Sentinel content hub, with 30+ prebuilt UEBA queries ready to deploy. Behavior analytics can be enabled automatically from the connectors page as new data sources are added, making it easy to turn deeper insight into immediate action.

For more information, see: UEBA Solution Power Boost: Practical Tools for Anomaly Detection

Extend Sentinel with partner-built Security Copilot agents in Microsoft Security Store (general availability)

You can extend Sentinel with partner-built Security Copilot agents that are discoverable and deployable through Microsoft Security Store in the Defender experience. These AI-powered agents are created by trusted partners specifically to work with Sentinel to deliver packaged expertise for investigation, triage, and response without requiring you to build your own agentic workflows from scratch. These partner-built agents work with Sentinel analytics and incidents to help SOC teams triage faster, investigate deeper, and surface insights that would otherwise take hours of manual effort.
For example, these agents can review Sentinel and Defender environments, map attacker activity, or automate forensic analysis and SOC reporting. BlueVoyant’s Watchtower agent helps optimize Sentinel and Defender configurations, AdaQuest’s Data Leak agent accelerates response by surfacing risky data exposure and identity misuse, and Glueckkanja’s Attack Mapping agent automatically maps fragmented entities and attacker behavior into a coherent investigation story. Together, these agents show how the Security Store turns partner innovation into enterprise-ready, Security Copilot-powered capabilities that you can use in your existing SOC workflows.

Browse these and more partner-built Security Copilot agents in the Security Store within the Defender portal. At Ignite, we announced the native integration of Security Store within the Defender portal. Read more about the GA announcement here: Microsoft Security Store: Now Generally Available

Explore Sentinel experience

Enhanced reports in the Threat Intelligence Briefing Agent (general availability)

The Threat Intelligence Briefing Agent now applies a structured knowledge graph to Microsoft Defender for Threat Intelligence, enabling it to surface fresher, more relevant threats tailored to a customer’s specific industry and region. Building on this foundation, the agent also features embedded, high‑fidelity Microsoft Threat Intelligence citations, providing authoritative context directly within each insight. With these advancements, security teams gain clearer, more actionable guidance and mitigation steps through context‑rich insights aligned to their environment, helping them focus on what matters most and respond more confidently to emerging threats.
Learn more: Microsoft Security Copilot Threat Intelligence Briefing Agent in Microsoft Defender

Microsoft Purview Data Security Investigations (DSI) integrated with Sentinel graph (general availability)

Sentinel now brings together data‑centric and threat‑centric insights to help teams understand risk faster and respond with more confidence. By combining AI‑powered deep content analysis from Microsoft Purview with activity‑centric graph analytics in Sentinel, security teams can identify sensitive or risky data, see how it was accessed, moved, or exposed, and take action from a single experience. This gives SOC and data security teams a full, contextual view of the potential blast radius, connecting what happened to the data with who accessed it and how, so investigations are faster, clearer, and more actionable.

Start using the Microsoft Purview Data Security Investigations (DSI) integration with the Sentinel graph to give your analysts richer context and streamline end‑to‑end data risk investigations.

Deadline to migrate the Sentinel experience from Azure to Defender extended to March 2027

To reduce friction and support customers of all sizes, we are extending the sunset date for managing Sentinel in the Azure portal to March 31, 2027. This additional time ensures customers can transition confidently while taking advantage of new capabilities that are becoming available in the Defender portal. Learn more about this decision, why you should start planning your move today, and find helpful resources here: UPDATE: New timeline for transitioning Sentinel experience to Defender portal

Events and webinars

Stay connected with the latest security innovations and best practices through global conferences and expert‑led sessions that bring the community together to learn, connect, and explore how Microsoft is delivering AI‑driven, end‑to‑end security for the modern enterprise.
Join us at RSAC, March 23–26, 2026 at the Moscone Center in San Francisco

Register for RSAC and stop by the Microsoft booth to see our latest security innovations in action. Learn how Sentinel SIEM and platform help organizations stay ahead of threats, simplify operations, and protect what matters most. Register today!

Microsoft Security Webinars

Discover upcoming sessions on Sentinel SIEM & platform, Defender, and more. Sign up today and be part of the conversation that shapes security for everyone. Learn more about upcoming webinars.

Additional resources

Blogs: UPDATE: New timeline for transitioning Sentinel experience to Defender portal, Accelerate your move to Microsoft Sentinel with AI-powered SIEM migration tool, Automating Microsoft Sentinel: A blog series on enabling Smart Security, The Agentic SOC Era: How Sentinel MCP Enables Autonomous Security Reasoning

Documentation: What Is a Security Graph?, SIEM migration tool, Onboarding to Microsoft Sentinel data lake from the Defender portal

Stay connected

Check back each month for the latest innovations, updates, and events to ensure you’re getting the most out of Sentinel. We’ll see you in the next edition!

Data lake tier Ingestion for Microsoft Defender Advanced Hunting Tables is Now Generally Available
Today, we’re excited to announce the general availability (GA) of data lake tier ingestion for Microsoft XDR Advanced Hunting tables into Microsoft Sentinel data lake. Security teams continue to generate unprecedented volumes of high‑fidelity telemetry across endpoints, identities, cloud apps, and email. While this data is essential for detection, investigation, and threat hunting, it also creates new challenges around scale, cost, and long‑term retention.

With this release, users can now ingest Advanced Hunting data from:

- Microsoft Defender for Endpoint (MDE)
- Microsoft Defender for Office 365 (MDO)
- Microsoft Defender for Cloud Apps (MDA)

directly into Sentinel data lake, without requiring ingestion into the Microsoft Sentinel Analytics tier. Support for Microsoft Defender for Identity (MDI) Advanced Hunting tables will follow in the near future.

Supported Tables

This release enables data lake tier ingestion for Advanced Hunting data from:

- Defender for Endpoint (MDE) – DeviceInfo, DeviceNetworkInfo, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceEvents, DeviceFileCertificateInfo
- Defender for Office 365 (MDO) – EmailAttachmentInfo, EmailEvents, EmailPostDeliveryEvents, EmailUrlInfo, UrlClickEvents
- Defender for Cloud Apps (MDA) – CloudAppEvents

Each source is ingested natively into Sentinel data lake, aligning with Microsoft’s broader lake‑centric security data strategy. As mentioned above, Microsoft Defender for Identity will be available in the near future.

What’s New with data lake Tier Ingestion

Until now, Advanced Hunting data was primarily optimized for near‑real‑time security operations and analytics. As users extend their detection strategies to include longer retention, retrospective analysis, AI‑driven investigations, and cross‑domain correlation, the need for a lake‑first architecture becomes critical.
With data lake tier ingestion, Sentinel data lake becomes a must-have destination for XDR insights, enabling users to:

- Store high‑volume Defender Advanced Hunting data efficiently at scale while reducing operation overhead
- Extend security analytics and data beyond traditional analytics lifespans for investigation, compliance, and threat research with up to 12 years of retention
- Query data using KQL‑based experiences across unified datasets with the KQL explorer, KQL Jobs, and Notebook Jobs
- Integrate data with AI-driven tooling via MCP Server for quick and interactive insights into the environment
- Visualize threat landscapes and relational mappings while threat hunting with custom Sentinel graphs
- Decouple storage and retention decisions from real‑time SIEM operations while building a more flexible and futureproof Sentinel architecture

Enabling Sentinel data lake Tier Ingestion for Advanced Hunting Tables

The ingestion pipeline for sending Defender Advanced Hunting data to Sentinel data lake leverages existing infrastructure and UI experiences. To enable Advanced Hunting tables for Sentinel data lake ingestion:

1. Within the Defender Portal, expand the Microsoft Sentinel section in the left navigation.
2. Go to Configuration > Tables.
3. Find any of the listed tables from above and select one.
4. Within the side menu that opens, select Data Retention Settings.
5. Once the options open, select the button next to ‘Data lake tier’ to set the table to ingest directly into Sentinel data lake.
6. Set the desired total retention for the data.
7. Click save.

This configuration will allow Defender data to reside within each Advanced Hunting table for 30 days while remaining accessible via custom detections and queries, while a copy of the logs is sent to Sentinel data lake for usage with custom graphs, MCP server, and benefit from the option of retention up to 12 years.

Why data lake Tier Ingestion Matters

Built for Scale and Cost Efficiency

Advanced Hunting data is rich—and voluminous.
Sentinel data lake enables users to store this data using a lake‑optimized model, designed for high‑volume ingestion and long‑term analytical workloads while making it easy to manage table tiers and usage.

A Foundation for Advanced Analytics

With Defender data co‑located alongside other security and cloud signals, users can unlock:

- Cross‑domain investigations across endpoint, identity, cloud, and email
- Retrospective hunting without re‑ingestion
- AI‑assisted analytics and large‑scale pattern detection

Flexible Architecture for Modern Security Teams

Data lake tier ingestion supports a layered security architecture, where:

- Workspaces remain optimized for real‑time detection and SOC workflows
- The data lake serves as the cost-effective and durable system for security telemetry

Users can choose the right level of ingestion depending on operational needs, without duplicating data paths or cost.

Designed to Work with Existing Sentinel and XDR Experiences

This GA release builds on Microsoft Sentinel’s ongoing investment in unified data configuration and management:

- Native integration with Microsoft Defender XDR Advanced Hunting schemas
- Alignment with existing Sentinel data lake query and exploration experiences
- Consistent management alongside other first‑party and third‑party data sources
- Consistent experiences within the Defender Portal

No changes are required to existing Defender deployments to begin using data lake tier ingestion.

Get started

To learn more about Microsoft Sentinel Data Lake and managing Defender XDR data within Sentinel, visit the Microsoft Sentinel documentation and explore how lake‑based analytics can complement your existing security operations. We look forward to seeing how users use this capability to explore new detection strategies, perform deeper investigations, and build long‑term security habits.

The Microsoft Copilot Data Connector for Microsoft Sentinel is Now in Public Preview
We are happy to announce a new data connector that is available to the public: the Microsoft Copilot data connector for Microsoft Sentinel. The new Microsoft Copilot data connector will allow for audit logs and activities generated by different offerings of Copilot to be ingested into Microsoft Sentinel and Microsoft Sentinel data lake. This allows for Copilot activities to be leveraged within Microsoft Sentinel features such as analytic rules/custom detections, Workbooks, automation, and more. This also allows for Copilot data to be sent to Sentinel data lake, which opens the possibilities for integrations with custom graphs, MCP server, and more while offering lower cost ingestion and longer retention as needed.

Eligibility for the Connector

The connector is available for all customers within Microsoft Sentinel, but will only ingest data for environments that have access to Copilot licenses and SCUs as the activities rely on Copilot being used. These logs are available via the Purview Unified Audit Log (UAL) feed, which is available and enabled for all users by default. A big value of this new connector is that it eliminates the need for users to go to the Purview Portal in order to see these activities, as they are proactively brought into the workspace, enabling SOCs to generate detections and proactively threat hunt on this information.

Note: This data connector is a single-tenant connector, meaning that it will ingest the data for the entire tenant that it resides in. This connector is not designed to handle multi-tenant configurations.
What’s Included in the Connector

The following are record types from Office 365 Management API that will be supported as part of this connector:

261  CopilotInteraction
310  CreateCopilotPlugin
311  UpdateCopilotPlugin
312  DeleteCopilotPlugin
313  EnableCopilotPlugin
314  DisableCopilotPlugin
315  CreateCopilotWorkspace
316  UpdateCopilotWorkspace
317  DeleteCopilotWorkspace
318  EnableCopilotWorkspace
319  DisableCopilotWorkspace
320  CreateCopilotPromptBook
321  UpdateCopilotPromptBook
322  DeleteCopilotPromptBook
323  EnableCopilotPromptBook
324  DisableCopilotPromptBook
325  UpdateCopilotSettings
334  TeamCopilotInteraction
363  Microsoft365CopilotScheduledPrompt
371  OutlookCopilotAutomation
389  CopilotForSecurityTrigger
390  CopilotAgentManagement

These are great options for monitoring users who have permission to make changes to Copilot across the environment. This data can assist with identifying if there are anomalous interactions taking place between users and Copilot, unauthorized attempts of access, or malicious prompt usage.

How to Deploy the Connector

The connector is available via the Microsoft Sentinel Content Hub and can be installed today. To find the connector:

1. Within the Defender Portal, expand the Microsoft Sentinel navigation in the left menu.
2. Expand Configuration and select Content Hub.
3. Within the search bar, search for “Copilot”.
4. Click on the solution that appears and click Install.
5. Once the solution is installed, the connector can be configured by clicking on the connector within the solution and selecting Open Connector Page.

To enable the connector, the user will need either Global Administrator or Security Administrator on the tenant. Once the connector is enabled, the data will be sent to the table named CopilotActivity.

Note: Data ingestion costs apply when using this data connector. Pricing will be based on the settings for the Microsoft Sentinel workspace or at the Microsoft Sentinel data lake tier pricing.
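The record types listed above can drive a first-pass triage once the data is flowing. The following is an added example, not code from the original post or from Microsoft: it assumes each record carries the Office 365 Management Activity API common fields RecordType, UserId and CreationTime (the CopilotActivity table's own column names may differ), and the grouping of types, the approved-admin list and the burst threshold are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Record type numbers and names exactly as listed in this post.
RECORD_TYPES = {
    261: "CopilotInteraction", 310: "CreateCopilotPlugin",
    311: "UpdateCopilotPlugin", 312: "DeleteCopilotPlugin",
    313: "EnableCopilotPlugin", 314: "DisableCopilotPlugin",
    315: "CreateCopilotWorkspace", 316: "UpdateCopilotWorkspace",
    317: "DeleteCopilotWorkspace", 318: "EnableCopilotWorkspace",
    319: "DisableCopilotWorkspace", 320: "CreateCopilotPromptBook",
    321: "UpdateCopilotPromptBook", 322: "DeleteCopilotPromptBook",
    323: "EnableCopilotPromptBook", 324: "DisableCopilotPromptBook",
    325: "UpdateCopilotSettings", 334: "TeamCopilotInteraction",
    363: "Microsoft365CopilotScheduledPrompt", 371: "OutlookCopilotAutomation",
    389: "CopilotForSecurityTrigger", 390: "CopilotAgentManagement",
}

# Assumption of this example: 310-325 and 390 change Copilot configuration,
# 261 and 334 are interactive use. The connector itself defines no such groups.
CHANGE_TYPES = set(range(310, 326)) | {390}
INTERACTION_TYPES = {261, 334}


def triage(records, approved_admins, burst_limit=3, window=timedelta(minutes=5)):
    """Return sorted (kind, user, detail) findings for a batch of audit records.

    unapproved_change: a configuration change by an account outside the
                       approved-admin list.
    interaction_burst: more than burst_limit interactions by one account
                       inside a sliding time window.
    """
    approved = {a.lower() for a in approved_admins}
    findings = []
    interactions = defaultdict(list)

    for rec in records:
        rtype = rec.get("RecordType")
        if rtype not in RECORD_TYPES:
            continue  # not one of the Copilot record types listed above
        user = (rec.get("UserId") or "unknown").lower()
        if rtype in CHANGE_TYPES:
            if user not in approved:
                findings.append(("unapproved_change", user, RECORD_TYPES[rtype]))
        elif rtype in INTERACTION_TYPES and rec.get("CreationTime"):
            interactions[user].append(datetime.fromisoformat(rec["CreationTime"]))

    minutes = int(window.total_seconds() // 60)
    for user, times in interactions.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > burst_limit:
                detail = f"{count} interactions within {minutes} min"
                findings.append(("interaction_burst", user, detail))
                break  # one finding per account is enough for triage

    return sorted(findings)


# Constructed sample records (not real audit data).
SAMPLE_RECORDS = [
    {"RecordType": 313, "UserId": "admin@contoso.example", "CreationTime": "2026-02-10T08:00:00"},
    {"RecordType": 310, "UserId": "j.doe@contoso.example", "CreationTime": "2026-02-10T08:05:00"},
    {"RecordType": 325, "UserId": "J.Doe@contoso.example", "CreationTime": "2026-02-10T08:06:00"},
    {"RecordType": 261, "UserId": "m.lee@contoso.example", "CreationTime": "2026-02-10T09:00:00"},
    {"RecordType": 261, "UserId": "m.lee@contoso.example", "CreationTime": "2026-02-10T09:00:40"},
    {"RecordType": 261, "UserId": "m.lee@contoso.example", "CreationTime": "2026-02-10T09:01:10"},
    {"RecordType": 261, "UserId": "m.lee@contoso.example", "CreationTime": "2026-02-10T09:02:30"},
    {"RecordType": 261, "UserId": "admin@contoso.example", "CreationTime": "2026-02-10T09:30:00"},
    {"RecordType": 25, "UserId": "m.lee@contoso.example", "CreationTime": "2026-02-10T09:31:00"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS, {"admin@contoso.example"}):
        print(finding)
```
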
As this data connector is in Public Preview, users can start deploying this connector right now! As always, let us know what you think in the comments so that we may continue to build what is most valuable to you. We hope that this new data connector continues to assist your SOC with highly valuable insights that best empower your security.

Resources:

- Office Management API Event Number List: https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype
- Purview Unified Audit Log Library: Audit log activities | Microsoft Learn
- Copilot Inclusion in the Microsoft E5 Subscription: Learn about Security Copilot inclusion in Microsoft 365 E5 subscription | Microsoft Learn
- Microsoft Sentinel: What is Microsoft Sentinel SIEM? | Microsoft Learn
- Microsoft Sentinel Platform: Microsoft Sentinel data lake overview - Microsoft Security | Microsoft Learn

Microsoft Sentinel for SAP Agentless connector GA
Dear Community,

Today is the day: Our new agentless connector for Microsoft Sentinel Solution for SAP applications is Generally Available now! Fully onboarded to SAP’s official Business Accelerator Hub and ready for prime time wherever your SAP systems are waiting – on-premises, hyperscalers, RISE, or GROW – to be protected.

Let’s hear from an agentless customer:

“With the Microsoft Sentinel Solution for SAP and its new agentless connector, we accelerated deployment across our SAP landscape without the complexity of containerized agents. This streamlined approach elevated our SOC’s visibility into SAP security events, strengthened our compliance posture, and enabled faster, more informed incident response” SOC Specialist, North American aviation company

Use the video below to kick off your own agentless deployment today. #Kudos to the amazing mvigilante for showing us around the new connector!

But we didn’t stop there! Security is being reengineered for the AI era - moving from static, rule-based controls to platform-driven, machine-speed defence that anticipates threats before they strike. Attackers think in graphs - Microsoft does too. We’re bringing relationship-aware context to Microsoft Security - so defenders and AI can see connections, understand the impact of a potential compromise (blast radius), and act faster across pre-breach and post-breach scenarios including SAP systems - your crown jewels.

See it in action in the phishing compromise below, which led to an SAP login bypassing MFA, followed by operating-system activities on the SAP host downloading trojan software. Enjoy this clickable experience for more details on the scenario.

[Image: Shows how a phishing compromise escalated to an SAP MFA bypass, highlighting cross-domain correlation.]

The Sentinel Solution for SAP has AI-first in mind and directly integrates with our security platform on the Defender portal for enterprise-wide signal correlation, Security Copilot reasoning, and Sentinel Data Lake usage.
Your real-time SAP detections operate on the Analytics tier for instant results and threat hunting, while the same SAP logs get mirrored to the lake for cost-efficient long-term storage (up to 12 years). Access that data for compliance reporting or historic analysis through KQL jobs on the lake. No more – yeah, I have the data stored somewhere to tick the audit report check box – but be able to query and use your SAP telemetry in long term storage at scale. Learn more here.

Findings from the Agentless Connector preview

During our preview we learned that the majority of customers immediately profit from the far smoother onboarding experience compared to the Docker-based approach. Deployment efforts and time to first SAP log arrival in Sentinel went from days and weeks to hours.

⚠️ Deprecation notice for containerized data connector agent ⚠️

The containerised SAP data connector will be deprecated on September 14th, 2026. This change aligns with the discontinuation of the SAP RFC SDK, SAP's strategic integration roadmap, and customer demand for simpler integration. Migrate to the new agentless connector for simplified onboarding and compliance with SAP’s roadmap. All new deployments starting October 31, 2025, will only have the new agentless connector option, and existing customers should plan their migration using the guidance on Microsoft Learn. It will be billed at the same price as the containerized agent, ensuring no cost impact for customers.

Note📌: To support transition for those of you on the Docker-based data connector, we have enhanced our built-in KQL functions for SAP to work across data sources for hybrid and parallel execution.

Spotlight on new Features

Inspired by the feedback of early adopters we are shipping two of the most requested new capabilities with GA right away.

- Customizable polling frequency: Balance threat detection value (1min intervals best value) with utilization of SAP Integration Suite resources based on your needs. ⚠️Warning! Increasing the intervals may result in message processing truncation to avoid SAP CPI saturation. See this blog for more insights. Refer to the max-rows parameter and SAP documentation to make informed decisions.
- Customizable API endpoint path suffix: Flexible endpoints allow running all your SAP security integration flows from the agentless connector and adherence to your naming strategies. Furthermore, you can add the community extensions like SAP S/4HANA Cloud public edition (GROW), the SAP Table Reader, and more.

[Image: Displays the simplified onboarding flow for the agentless SAP connector]

You want more? Here is your chance to share additional feature requests to influence our backlog. We would like to hear from you!

Getting Started with Agentless

The new agentless connector automatically appears in your environment – make sure to upgrade to the latest version 3.4.05 or higher.

[Image: Sentinel Content Hub View: Highlights the agentless SAP connector tile in Microsoft Defender portal, ready for one-click deployment and integration with your security platform]

The deployment experience on Sentinel is fully automatic with a single button click: It creates the Azure Data Collection Endpoint (DCE), Data Collection Rule (DCR), and Microsoft Entra ID app registration assigned with RBAC role "Monitoring Metrics Publisher" on the DCR to allow SAP log ingest.

Explore partner add-ons that build on top of agentless

The ISV partner ecosystem for the Microsoft Sentinel Solution for SAP is growing to tailor the agentless offering even further. The current cohort has flagship providers like our co-engineering partner SAP SE themselves with their security products SAP LogServ & SAP Enterprise Threat Detection (ETD), and our mutual partners Onapsis and SecurityBridge.

Ready to go agentless?

➤ Get started from here
➤ Explore partner add-ons here.
➤ Share feature requests here.
Next Steps

Once deployed, I recommend checking AryaG’s insightful blog series for details on how to move to production with the built-in SAP content of agentless. Looking to expand protection to SAP Business Technology Platform? Here you go.

#Kudos to the amazing Sentinel for SAP team and our incredible community contributors!

That's a wrap 🎬. Remember: bringing SAP under the protection of your central SIEM isn't just a checkbox - it's essential for comprehensive security and compliance across your entire IT estate.

Cheers,
Martin

What's new in Microsoft Planner – June 2025
Discover the latest enhancements in Planner, designed to help you manage your work more efficiently. This month, we’re excited to highlight new features and updates that make planning, organizing, and tracking tasks simpler than ever.

Get real-time task notifications for Project Manager agent via email

In May, we introduced real-time task notifications for Project Manager agent in Planner in Teams, alerting you when a task is completed and ready for review or when your input is needed to move it forward. We’re now expanding these capabilities to send you notifications via email. This enhancement gives you more flexibility in how you stay informed, helping you maintain momentum on critical tasks—even when you’re away from Teams. Whether you prefer to manage your day from your inbox or your Activity feed, these notifications ensure you never miss a beat on the tasks assigned to Project Manager agent.

Boost efficiency with Planner's bulk editing feature

Planner’s new bulk editing feature is here to simplify task management. In the Grid view of any basic plan, you can now update multiple tasks simultaneously—assign tasks, adjust priorities, update progress, and modify start and due dates—all in one go. To get started, navigate to a basic plan and select the Grid view. Then, select a set of tasks you want to update by either selecting and dragging the tasks or by using Ctrl + the up arrow or down arrow.

Use Project Manager agent to generate status reports - now in public preview

The new Status Reports feature in Planner in Teams enables you to auto-synthesize your plan's progress, milestones, risks, and next steps, ensuring everyone on your team has shared visibility. All report features, including the ability to share the status report as a newsletter, are now available in public preview for all English users. Support for additional languages is being rolled out in the coming days.
Learn more about how to generate status reports in minutes with Project Manager agent in Planner.

Project Manager agent now supported in 40+ languages

We’re excited to share that Project Manager agent is now multi-lingual! With this update, you can now use the Project Manager agent to generate and execute on tasks in any language that is also available for Microsoft 365 Copilot, excluding Arabic and Hebrew for now. Note that Arabic and Hebrew support, as well as the ability to generate status reports in these languages, will be available later this week. See the full list of supported languages for Microsoft 365 Copilot.

ICYMI: A look back at what we shipped earlier this year

Now that we’re halfway through the year, our team would love to recap some of our favorite Planner features that have shipped recently:

Project Manager agent in public preview: The Project Manager agent is an AI-powered virtual project manager designed to enhance your planning experience by streamlining workflows and handling tasks on your behalf. The Project Manager agent integrates AI directly into your plans, empowering you to focus on strategy, while enabling smarter team collaboration. See our announcement blog post to learn more.

Custom backgrounds: Personalize your workspace with images or themes, enhancing visual appeal and organization. To add a background, open the Plan details of any basic plan by either selecting the plan name or the dropdown menu next to it in the plan header.

Board view in My Day and My Tasks: With Board view now available in My Day and My Tasks, you can manage and prioritize your tasks in a more visual way.

Reorder columns across all plans: Previously, reordering columns was only available in premium plans. With this update, reordering columns is available across all Grid views. To try it out, simply select and drag the column headers to rearrange them, or use the CTRL + Shift + < and CTRL + Shift + > keyboard shortcuts.
Generate status reports using Project Manager agent: The new Status Reports feature in Planner in Teams enables you to auto-synthesize your plan's progress, milestones, risks, and next steps, ensuring everyone on your team has shared visibility. Learn more about how to generate status reports in minutes with Project Manager agent in Planner.

Retirement of Microsoft Project for the web: We also wanted to take this opportunity to remind everyone that starting August 1st, 2025, we will be transitioning all users to Microsoft Planner. As an effort to provide a unified work management experience, we are retiring Project for the web, as well as the Project and Roadmap apps in Microsoft Teams. No actions are necessary in preparation for this change as all licensing should carry over seamlessly. Learn more about this change in our announcement blog post.

Do you have a Planner feature you’ve been enjoying recently? Let us know in the comments!

Share your feedback

Tell us what you think about the new Planner using the Feedback button in the top right corner of the app. We also encourage you to share any feature requests by adding your ideas to the Planner Feedback Portal. Your feedback helps inform our feature updates, and we look forward to hearing from you as you try Planner’s new and existing capabilities!

Resources

Check out the Planner adoption page.
Sign up to receive future communication about Planner.
Check out the Microsoft 365 roadmap for feature descriptions and estimated release dates for Planner.
Watch Planner demos for inspiration on how to get the most out of Planner in Teams.
Visit the Planner help page to learn more about the new Planner.

What’s New in Microsoft Teams | October 2025
Before we get to this month’s new Teams features, I’m thrilled to share that Microsoft has been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Unified Communications as a Service for the 7th year in a row. We are honored to again be positioned highest for ability to execute and furthest for completeness of vision in the evaluation’s axes. We believe this recognition underscores the product innovations we delivered over this past year, such as the launch of agents in meetings and a redesigned chat and channels experience, to make Microsoft Teams the AI-powered platform for work—one that is simple, smart, and secure.

In our opinion, the support and trust of our customers and partners helped make this recognition possible. We’re deeply grateful to the hundreds of millions of users who turn to Teams to get their work done and our partners whose expertise and commitment amplify the impact of Teams worldwide.

If you’ve been a member of the Microsoft tech community for a while, you might be aware that next month, we’ll highlight many exciting new Teams features at Microsoft Ignite and in our special What’s new in Teams Ignite edition blog. That’s going to be something to look forward to, but this month, we’ve got plenty of new productivity-boosting updates to celebrate too.

The power of Copilot continues to grow. We first introduced meeting recaps to help you quickly catch up on what you missed, now we’re taking them further. With audio recap, your written recaps are transformed into dynamic audio experiences you can listen to anytime, anywhere. Teams Rooms just leveled up too, with smarter voice and face recognition and real-time caption translations. And if you’re a Teams Rooms on Android user, Facilitator is now available to help keep your meetings productive and on track. Explore all the latest additions and updates below!

*GARTNER is a registered trademark and service mark of Gartner and Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

New features released this month:

Chat and collaboration
Meetings, webinars, and town halls
Teams Phone
Workplace: Places and Teams Rooms
Certified for Teams Devices

Chat and collaboration

Summarize files shared in Teams chat with Copilot

When a file is shared in a chat, you don’t always have the time to open it, read through, and grasp the key ideas. With file summaries in 1:1 and group chats in Teams, Microsoft 365 Copilot can quickly summarize content from Microsoft Word documents so you can understand the main points without opening the file. This feature is also available on mobile, making it easier to grasp key ideas without reading an entire document on a small screen while on the move. It respects the file's security policies, ensuring that only users with access to the file receive a summary, which will carry the same sensitivity label as the original file.

Add emoji updated keyboard shortcut

Use colons to quickly insert the emoji you want without slowing down to use the mouse. Type : followed by the name of the emoji you want, then type : again. Once done, the emoji is selected and added to your text.
The new shortcut aligns with industry standards and helps make emoji insertion intuitive and consistent. You can now type keywords to find both standard and custom emojis using the improved search.

Meetings, webinars, and town halls

Audio recap now generally available

Staying informed shouldn’t mean being glued to your screen. That’s why we’re introducing audio recap, a new way to catch up on your meetings. With audio recap, your meeting recap is transformed into an audio experience you can listen to on the go. Whether you’re commuting, walking between meetings, or simply prefer listening, it’s a hands-free way to stay connected and informed. You can generate an audio recap for up to eight meetings at a time, and choose the delivery style that best fits how you want to listen:

Newscast—one AI speaker delivering a fast, concise summary.
Executive—two AI speakers offering an efficient summary with minimal commentary.
Casual—two AI speakers providing a summary with extra color and commentary.

All your audio recaps are easily accessible from the meeting recap page, ready to replay anytime. And with availability on both desktop and mobile, you can catch up wherever work takes you.

Support for multiple camera views and IntelliFrame from Teams Rooms on Windows in Teams webinar and structured meetings

Multiple camera views and IntelliFrame (Multi-stream and cloud) from Teams Rooms on Windows are now available in Teams webinar and structured meetings with "Manage what attendees see" enabled. Organizers and presenters of these meetings can access intelligent camera views and bring them on the live stage for attendees. Available with Teams Rooms Pro.

Event Chat now available in Town halls for GCC, GCCH and DoD [Premium]

Teams is bringing richer engagement to your Town halls on more cloud environments. With Event Chat, organizers and attendees in GCC, GCCH, and DoD environments can now interact in real time during Town hall sessions.
This feature enables secure, threaded conversations, allowing participants to share insights, ask questions, and stay connected throughout the event. After the session ends, the chat remains accessible for follow-up discussions, ensuring continuity and collaboration beyond the live broadcast.

Teams Phone

Intelligent recap popout window in Calls app

Users can now access Intelligent recap pop-out pages through the Calls app. Intelligent recap uses AI to automatically provide a comprehensive overview of your recorded or transcribed calls, helping users save time catching up and coordinating next steps. Go to the Calls app, look up the transcribed or recorded call in the call history, and select "View recap". This will launch the call’s Intelligent recap as a new pop-out page containing AI-generated discussion summary notes and recommended tasks to help users quickly find the most important information from the call.

Teams Phone Mobile is now generally available with AT&T

Teams Phone Mobile enables end-users to make and receive calls using a single number across their mobile phone and all their Teams endpoints. AT&T customers can now enjoy seamless mobile and Teams integration with this unified calling experience. Learn more about how IT admins can configure Teams Phone Mobile in Teams admin center and view the expanding set of mobile operators providing Teams Phone Mobile.

Phone Devices: Improved Feedback Sharing for Teams Certified Phone Devices

Giving feedback on Teams-certified Phone devices just got easier. Previously, users rated their experience with a 1–5 star score, and then had the option to type additional comments—a process that could feel cumbersome on a phone’s touch screen keyboard. Now, after you select your rating, Teams will suggest text prompts tailored to your score, making it simple to share what’s working well or what could be improved. You can still add your own notes for extra detail, but the new prompts help streamline feedback and save time.
Phone devices: Enhanced Call Transfer experiences

Teams Phone certified devices now have an improved interface that simplifies transfer actions. Users can select “Consult first” to place the original caller on hold and privately speak with the recipient before completing the transfer. The “Transfer” option is only enabled after the consult recipient answers the call to reduce the risk of adding the original caller back into the call prematurely. Direct transfers without a consultation step provide real-time status updates such as “Transferring [User A] to [User B]” while the transfer is in progress and “Successfully completed” at the conclusion. This visibility into the call transfer progress helps the transferrer know when it is safe to disconnect.

Workplace: Places and Teams Rooms

Facilitator agent for scheduled meetings in Teams Rooms on Android

You can now take advantage of the Facilitator agent in Teams Rooms on Android for real-time AI-generated notes, follow up items, and keeping everyone updated on time during scheduled meetings. Facilitator appears in the meeting chat, and participants can toggle between notes, chat, and the agent. Available in rooms licensed for Teams Rooms Pro. Learn more here.

Cloud IntelliFrame support on Teams Rooms on Android

Now Cloud IntelliFrame, the AI-based cloud technology that optimizes views of in-room participants for hybrid meetings, is available for Teams Rooms on Android using group framing. Group framing delivers a more natural hybrid meeting experience by focusing on individuals, allowing remote attendees to see visual expressions and gestures better. It is set as the default in Teams Rooms on Android rooms, while remaining disabled by default in others. Admins can enable or disable IntelliFrame through console settings. Learn more here.

Dynamic video tile resizing based on occupancy count from Teams Rooms on Android

The room video tile dynamically adjusts size based on the number of people in the room.
When one person is in the room, the tile matches the remote participant's size. With two or more people, the room tile expands to be four times larger. Admins can manage this behavior through console settings.

Live caption translation in Teams Rooms on Android

You can now choose the translation language you prefer from 40 supported spoken languages without affecting what other meeting participants see in Teams Rooms on Android. Previously, live captions were displayed in the spoken language by default, but this change allows individuals to select their own experience. This feature is available on Teams Rooms Pro. Learn more here.

Join Town Halls and Webinars as an attendee from Teams Rooms on Android

Microsoft Teams Rooms on Android can now join Town Halls and webinars in Teams as attendees. You can attend directly from the invited Teams Room, with the same features that attendees have on the Teams desktop app. Available in Teams Rooms Pro. Learn more.

Front-of-room view control for Town Hall and Webinar in Teams Rooms on Windows or Android

When a Teams Rooms on Windows (available now) or Android (available in November) is invited as a meeting presenter, the front-of-room display defaults to the attendee view. Presenters always have full control from the console, including green room and off-stage management, and can switch the front-of-room display to presenter view without impacting attendees. Available in Teams Rooms Pro. Learn more here.

Enhanced production experience for Town hall in Teams Rooms on Windows

The enhanced ‘Manage what attendees see’ feature gives Town hall hosts greater control over what attendees experience. Organizers, co-organizers, and presenters joining from a Teams Room on Windows with a Pro license can manage which presenters can be seen and heard at any time during a large-scale event, creating an organized, polished experience for viewers.
Organizers licensed for Teams Premium can adjust layout, background, and name tag changes through the Teams Desktop. Learn more here.

Simplified device settings for voice and face recognition on Teams Rooms on Windows or Android

It's now easier for admins to enable the benefits of Copilot and intelligent audio and video features for users in Teams Rooms through a new user interface and admin settings. These new settings, on the device and in the Pro Management portal, simplify configuration and remove the requirement to use PowerShell, offering improved visibility across rooms. Learn more here.

People count captured by Cloud IntelliFrame in the Pro Management portal reports

Admins get enhanced visibility into room usage from Pro Management portal reports with detailed occupancy data captured by Cloud IntelliFrame during meetings. This insight helps IT more effectively plan and optimize meeting spaces, and is currently available for Teams Rooms on Windows licensed with Teams Rooms Pro. Learn more here.

Recommended actions page in the Teams Rooms Pro Management portal

This new page in the Pro Management portal provides proactive recommendations based on your organization’s environment and upcoming events that can impact devices, such as support or certification expirations. Admins are prompted to update device and account data, enabling rich insights from the portal. Additional guidance based on space and device usage data is coming soon. This feature helps admins maintain smooth operations and plan and budget efficiently. At least one Teams Rooms Pro or Teams Shared Devices license is required for access. Learn more here.

Certified for Teams Devices

MAXHUB Express Install A–F: Simplifying Teams Rooms for Every Space

The MAXHUB Express Install series makes setting up Microsoft Teams Rooms easier than ever. All six versions feature the integrated MAXHUB Smart Stand, streamlined cable management, and reliable audio/video for seamless collaboration.
Every bundle supports BYOD, single-cable deployment, and comes with a 3-year warranty and local support.

Display size: Versions A–D include a 43" display; E and F upgrade to 55".
Videobar & kit: Choose between USB or Android-based videobars, with Pro kits offering enhanced performance.
Room fit: A–D are ideal for huddle and focus rooms, while E and F are designed for small rooms.

No matter your space or tech preference, there’s a MAXHUB Express Install to fit your Teams Rooms needs.

Version | Display Size | Videobar Type | Kit Type | Room Size Target | Key Features/Extras
A | 43" | UC S07 USB Videobar | XCore Kit | Huddle/Focus | XT10-VB Kit, streamlined setup
B | 43" | XBar U50 USB Videobar | XCore Kit | Huddle/Focus | USB videobar, BYOD flexibility
C | 43" | XBar U50 USB Videobar | XCore Kit Pro | Huddle/Focus | Pro kit for enhanced performance
D | 43" | V50 Android Videobar | MDEP V50 Kit | Huddle/Focus | Android-based, console included
E | 55" | XBar U50 USB Videobar | XCore Kit Pro | Small Room | Larger display, Pro kit
F | 55" | V50 Android Videobar | MDEP V50 Kit | Small Room | Larger display, Android-based kit

Lenovo ThinkVision T24D-4v and T27QD-4v

ThinkVision T24D-4v and T27QD-4v are 24 and 27-inch QHD VoIP monitors with Microsoft Teams certification, designed to enhance your online collaboration experience. Dedicated Teams and VoIP buttons get you to your meeting with a click. Two noise-cancellation microphones, coupled with two 5W speakers and a 5MP QHD webcam, ensure your video conferences and meetings run without any hiccups. Superior connectivity with a one-cable docking solution provides up to 100W of power delivery, data and internet. Enjoy content that looks completely stutter-free and color accurate with 99% sRGB & BT.709 color space and 48-120Hz variable refresh rate. Eye Comfort 5-star and Eyesafe 2.0 certified display technology significantly reduces harmful blue light emissions to benefit eye health.

Where Partners Build and Scale: Partner-Built Security Copilot Agents in Security Store
At Microsoft, we believe that security is a team sport. That’s why we are committed to meeting customers where they are, integrating with the solutions they already use to ensure that everyone can take advantage of the agentic capabilities of Security Copilot. And it’s not just an idea—it’s a reality. We’re excited to share why partners such as BlueVoyant, OneTrust, and Tanium chose to build agents with Security Copilot—and the value this brings to their customers.

By watching the videos featuring BlueVoyant, OneTrust, and Tanium, you’ll see firsthand how collaboration drives innovation and empowers security teams to tackle today’s threats with agility and confidence. Together, these partner-built agents show how organizations and partners can transform Security Copilot into an integrated force multiplier—proving that security is a team sport.

Partner-built agents power smarter protection

BlueVoyant – Specializing in comprehensive cyber risk management, BlueVoyant provides a suite of services to protect organizations from cyberattacks. In this video, we learn about BlueVoyant Watchtower and how their agents help customers get the most out of their Sentinel and Defender products by using an agent to always review the environment and recommend updated rules, configurations, and policies that catch bad actors.

“Security Copilot gives us the advantage of moving more quickly.” – Micah Heaton, Executive Director, Microsoft Product & Innovation Strategy at BlueVoyant

OneTrust – OneTrust, a privacy and consent management platform, specializes in helping customers responsibly use data and AI. By partnering with Microsoft—specifically Microsoft’s Sentinel platform—OneTrust is able to provide their customers with a full view of their data estate.
The Privacy Breach Response Agent by OneTrust combines the deep privacy and regulatory expertise of OneTrust with the robust generative AI capabilities of Microsoft Security Copilot, automating privacy risk assessments and improving their accuracy.

Tanium – Specializing in endpoint management and security, Tanium gives IT teams visibility and control over every device in their environment. Tanium’s partnership with Microsoft provides Tanium with seamless integration into Microsoft’s Security products via Copilot, which, combined with Tanium’s real-time environment insights, powers powerful end-to-end workflows across Defender, Entra, Tanium, and Intune. The Security Triage Agent by Tanium accelerates alert triage, providing security teams with the context they need to make informed decisions on Tanium Threat Response alerts swiftly.

The work of partners like BlueVoyant, OneTrust, and Tanium is shaping a new security ecosystem—one where the Microsoft Security Store is a launchpad for partner innovation to drive real-world customer impact. The Store turns partner-built agents into enterprise-ready solutions by providing Microsoft-validated certification, high‑quality metadata, consistent deployment flows, secure authentication and transactions, and in‑product visibility inside Defender, Entra, and Security Copilot. These deployed agents run securely in your Security Copilot zero-trust environment.

The power of the Security Store is that it doesn’t just distribute agents—it amplifies them. It gives partners a unified, trusted surface where their solutions are discoverable directly within Microsoft Security products; where customers can compare capabilities through standardized metadata; where installation is guided and repeatable; and where Microsoft’s AI foundation elevates the value of every partner-built capability. For customers, this means direct access to the best of partner-driven security innovation.
Partner-built agents deliver value at every stage of the security journey: proactively monitoring sensor health, surfacing actionable insights, accelerating investigations, and automating incident response. These capabilities help organizations strengthen their security posture, respond faster to threats, and stay ahead of attackers.

For partners, success begins with identifying the unique value their agent brings to customers and designing real security outcomes—such as improved detection, automated investigations, and measurable risk reduction. As more partners publish agents, the ecosystem expands, unlocking advanced scenarios like phishing and identity alert triage, incident enrichment, policy optimization, and automated remediation.

By combining Microsoft’s AI foundation with specialized partner expertise, Security Copilot agents deliver differentiated solutions that address a wide range of security challenges—from privacy and compliance workflows to vulnerability management and forensics—helping customers strengthen their security posture and respond faster to threats.

Explore resources and documentation

Explore all the partner-built agents in Security Copilot and partner SaaS offerings at the Microsoft Security Store and at the Security Store Learn page (Security Store documentation - Security Store | Microsoft Learn). Or read more documentation on Security Copilot agents to learn:

What agents are and how they work in Security Copilot
How partners build and integrate agents
Links to related resources for development and deployment