When Microsoft introduced Microsoft Security Copilot last year, our vision was to empower organizations with generative AI that helps security and IT teams simplify operations and respond faster. Since then, we’ve continuously innovated and learned alongside our customers. They consistently tell us that practitioners love it when Copilot is built directly into the tools they use every day.
That’s why we’re focused on delivering deeply integrated, scenario-based experiences that align with Zero Trust principles, making it easier for IT and security professionals to ask questions, take action, and gain insights directly within their existing workflows. These experiences not only reduce friction but also help IT teams stay in flow, making smarter decisions faster and with greater confidence. And the impact is real: organizations using Security Copilot have seen a 54% reduction in time to resolve device policy conflicts, and a 22.8% drop in alerts per incident within three months of adoption, freeing up teams to focus on more strategic work.
We’re excited to announce that the Security Copilot capabilities in Microsoft Intune and Microsoft Entra have moved from preview to general availability. This milestone reflects the critical role Intune and Entra play in modern security strategies, serving as the foundation for implementing a Zero Trust model. Intune enforces device compliance, app protection, and endpoint privilege management, while Entra governs identity access with Conditional Access policies and granular authentication controls. Together, they create a unified security posture that aligns with Zero Trust principles across devices, users, applications, and even agents. Security Copilot amplifies this foundation by providing AI-assisted guidance, autonomous agents, and insights accessible through natural language, helping IT teams scale operations, accelerate skilling, and proactively remediate threats at machine speed.
IT administrators often face a daily flood of data, alerts, and configuration details, making it difficult to quickly find the right information and act with confidence. AI is changing how people work, and Copilot in Intune is evolving how IT admins interact with and act on their endpoint management data. The Security Copilot in Intune general availability release introduces a brand new, Copilot-assisted data exploration capability. IT admins now have a dedicated page in the Intune admin center to ask Copilot for the data they need, take action, and complete endpoint management tasks, all without leaving their workflow. This capability allows admins to extract insights across Intune domains—devices, apps, security policies, users, compliance data, app configurations, and more—and act on them through its deep integration with the Intune functionality they are familiar with. It represents the first step in a foundational shift from traditional reporting and queries to Copilot-powered investigation and IT-empowered action.
This new Security Copilot capability is designed to simplify the most time-consuming IT workflows, like assessing security posture, managing updates, troubleshooting issues, and generating custom reports. Whether it’s identifying non-compliant devices, tracking patch failures, previewing policy impact, or automating remediation, Copilot brings together the data and actions IT needs in one place.
Admins can ask natural language questions like, “Show me devices that are not on the latest version of Windows and Office,” or “Which of my Endpoint Privilege Management rules are in conflict and what are the source profiles?” and take action instantly, without switching context.
Figure 1. New experience to explore your Intune data with Copilot assistance across workloads.
The new Explorer experience also includes support for Windows 365 Cloud PCs, giving IT administrators a consistent way to view and act on device details across both cloud and physical endpoints. We are excited to share that in the coming weeks, we’ll introduce additional AI capabilities in Intune with Copilot assistance for Windows 365, offering insights into Cloud PC connectivity and connection quality, licensing optimization, and performance issues tied to compute resources. These capabilities build on the momentum of virtual computing and the ability to stream Windows from the Cloud, enhancing the IT experience and delivering even more endpoint management value—especially for Windows-based environments.
The general availability release of Security Copilot in Intune also provides chat-based contextual assistance and includes integration with core and Microsoft Intune Suite solutions. With Intune Advanced Analytics multiple device query (MDQ), Copilot helps admins write detailed Kusto Query Language (KQL) queries, and Endpoint Privilege Management with Copilot assesses app risks so that admins can make informed decisions before approving Windows users’ elevation requests. And with the Surface Management Portal in Intune, Copilot provides unified visibility and controls for IT across Surface devices, further strengthening security posture and streamlining operations.
Just as Security Copilot is transforming endpoint management in Intune, it’s also reshaping how identity is managed in Microsoft Entra.
Identity environments evolve daily—new users, apps, and permissions are constantly introduced, making it difficult for IT and identity admins to keep policies up to date and user access properly governed. Manual investigations done the traditional way can be very time-consuming and reactive, giving cyberattackers more time to exploit gaps. With more than 600 million identity-based attacks happening daily, organizations can’t afford slow, manual investigations or infrequent policy reviews.¹
Security Copilot in Microsoft Entra, now generally available, brings AI-assisted reasoning, natural language prompts, and real-time insights across your identity and access estate, all within the Microsoft Entra admin center. We’ve made major enhancements to improve performance, scalability, and accuracy, enabling Security Copilot to better understand user intent, handle more complex questions, and deliver clearer answers.
We’ve also expanded coverage to support a broader set of real-world identity scenarios. Copilot in Entra now helps admins investigate users, troubleshoot sign-ins, manage access reviews and entitlements, monitor tenant health and service-level agreements (SLAs), optimize license usage, and analyze role assignments and recommendations—all grounded in Microsoft Graph data.
Admins can now ask natural language questions like, “Which enterprise applications have credentials about to expire?” and “What role does the user have?” to quickly surface insights and take action. Whether it’s reviewing access packages, identifying risky apps, or checking license availability, Security Copilot in Entra helps teams move faster, stay ahead of cyberthreats, and focus on what matters most.
At Microsoft Secure 2025, as part of our vision to deliver an AI-first, end-to-end security platform, Microsoft announced 11 AI-powered Security Copilot agents that are seamlessly integrated with Microsoft Security and partner solutions. These agents autonomously handle high-volume, high-value tasks, learn from feedback, adapt to workflows, and operate securely, reflecting our commitment to helping organizations achieve what was previously impossible—at machine speed.
Today marks a meaningful milestone in our journey toward an AI-first, end-to-end security platform: we’re announcing the general availability of the Conditional Access Optimization Agent in Microsoft Entra. This launch brings AI-powered automation to IT and security operations, helping teams bring proactive protection directly into identity workflows.
The Conditional Access Optimization Agent runs autonomously, scanning your environment for gaps, overlaps, and outdated policy assignments. It then recommends precise, one-click remediations to help close the gaps fast, turning reactive cleanup into proactive defense.
The Conditional Access Optimization Agent provides:
With the Conditional Access Optimization Agent, policy coverage becomes continuous. You gain daily protection, policy clarity, and built-in expertise without the manual lift. As one security leader put it:
“The Conditional Access Optimization Agent is like having a security analyst on call 24/7. It proactively identifies gaps in our Conditional Access policies and ensures every user is protected from day one, and with report-only mode and AI-driven recommendations, we can test and refine access policies without disruption. It’s a secure path to innovation that every chief information security officer can trust.”
—Julian Rasmussen, Senior consultant and Partner, Point Taken, Microsoft MVP
We’re in a new era of AI that has implications for IT operations and security. Now, with Microsoft Security Copilot in Intune and Entra, you can make your organization future-ready with AI solutions that help transform IT and security at machine speed.
As part of our ongoing commitment to enhancing the embedded experience of Security Copilot across Microsoft Security products, we’re excited to introduce a new in-portal capacity calculator available in the Security Copilot standalone experience (Azure account required). This tool allows organizations to estimate the number of Security Compute Units (SCUs) they may need based on the number of Security Copilot users in each Microsoft Security product. Users can generate a quick estimate, providing a practical starting point for capacity planning. SCU allocations can be adjusted at any time as real-world usage patterns emerge.
Explore more use cases for IT and identity admins in the Security Copilot adoption hub. Explore Copilot in Intune and Entra and take these steps to learn more:
¹ Microsoft Digital Defense Report 2024.
The data, insights, and events in this report represent July 2023 through June 2024 (Microsoft fiscal year 2024), unless otherwise noted.
The post Improving IT efficiency with Microsoft Security Copilot in Microsoft Intune and Microsoft Entra appeared first on Microsoft Security Blog.
Source: Microsoft Security