Microsoft Entra adds identity skills to Copilot for Security

Today we announced that Microsoft Copilot for Security will be generally available worldwide on April 1. The following new Microsoft Entra skills will be available in the standalone Copilot for Security experience: User Details, Group Details, Sign-in Logs, Audit Logs, and Diagnostic Logs. User Risk Investigation, a skill embedded in Microsoft Entra, will also be available in public preview.  

  

These skills help identity admins protect against identity compromise through providing identity context and insights for security incidents and helping to resolve identity-related risks and sign-in issues. We’re excited to bring new identity capabilities to Copilot for Security and help identity and security operators protect at machine speed.  

 

Identity skills in Copilot for Security 

 

Let's take a closer look at what each of these new Entra Skills in Copilot for Security do to help identity professionals secure access, while easily integrating into any admin's daily workflow via natural language prompts: 

 

User details can quickly surface context on any user managed in Entra, such as username, location, job title, contact information, authentication methods, the account creation date, and account status. Admins can prompt Copilot with phrases like "tell me more about this user”, “list the active users created in the last 5 days”, “what authentication methods does this user have”, and “is this user’s account enabled” to pull up this kind of information in a matter of seconds. 

 

Group details can summarize details on any group managed in Entra.  Admins can ask Copilot questions like “who is the owner of group X?”, “tell me about the group that starts with XYZ”, and “how many members are in this group?” for immediate context. 

 

Sign-in logs can highlight information about sign-in logs and conditional access policies applied to your tenant to assist with identity investigations and troubleshooting. Admins must simply instruct their Copilot to “show me recent sign-ins for this user”, “show me the sign-ins from this IP address”, or “show me the failed sign-ins for this user.” 

   

Audit logs can help isolate anomalies associated with audit logs, including changes to roles and access privileges. Admins just have to ask Copilot to “show me audit logs for actions initiated by this user” or “show me the audit logs for this kind of event”. 

 

An identity admin, who has identified a risky user under the username ‘rashok’, asks Copilot for the March 5th audit logs for ‘rashok’ to discover what actions that user took while at a heightened risk of compromise.

 

Diagnostic logs can help assess the health and completeness of your tenant's policy configurations. This helps ensure sign-in and audit logs are correctly set up, and that there are no gaps in the log collection process. Admins can ask “what logs are being collected in my tenant” or “are audit logs enabled” to quickly remediate any gaps. 

 

Learn more in our documentation about these new Entra Skills in Copilot for Security. 

 

Using Copilot in Entra for risk investigation 

 

To get a better picture of how Copilot for Security can increase the speed at which you respond to identity risks, let’s imagine a scenario in which a user is flagged for having a high-risk level due to several abnormal sign-in attempts. With the User Risk Investigation skill in Microsoft Entra, now in public preview, admins can get an analysis of the user risk level coupled with recommendations on how to mitigate an incident and resolve the situation: 

 

An identity admin notices that a user has been flagged as high risk due to a series of abnormal sign-ins. With Copilot for Security, the admin can quickly investigate and resolve the risk by clicking on the user in question to receive an immediate summary of risk and instructions for remediation.

 

Copilot summarizes in natural language why the user risk level was elevated. Then, Copilot provides an actionable list of steps to help nullify the risk and close the alert. Finally, Copilot provides a series of recommendations an identity admin can take to automate the response to identity threats, minimizing exposure to a compromised identity. 

 

Learn more in our documentation about the User Risk Investigation skill in Microsoft Entra. 

 

How to use Copilot for Security 

 

We are introducing a provisioned pay-as-you-go licensing model that makes Copilot for Security accessible to a wider range of organizations than any other solution on the market. With this flexible, consumption-based pricing model, you can get started quickly, then scale your usage and costs according to your needs and budget. Copilot for Security will be available for purchase April 1, 2024. Connect with your account representative now so your organization can be among the first to realize the incredible benefits. 

 

Copilot for Security helps security and IT teams transition into the age of AI and strengthen their skillsets. This is a huge milestone towards empowering organizations with generative AI tools, and we are so proud to work alongside our customers and partners to bring you a better way to secure identities and access for everyone, to everything. 

 

Sarah Scott, 

Principal Manager, Product Management 

 

 

Learn more about Microsoft Entra: 

• See recent Microsoft Entra blogs 
• Dive into Microsoft Entra technical documentation 
• Learn more at Azure Active Directory (Azure AD) rename to Microsoft Entra ID 
• Join the conversation on the Microsoft Entra discussion space 
• Learn more about Microsoft Security