Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Microsoft Security Copilot is a powerful tool that can help you manage and secure your Microsoft Entra ID environment. This article describes how to use Microsoft Security Copilot with Microsoft Entra ID core features to enhance your identity protection efforts. Using this feature requires a tenant with Microsoft Security Copilot enabled.
Microsoft Entra ID scenarios supported by Microsoft Security Copilot
Security Copilot is integrated into the Microsoft Entra admin center and works seamlessly with Microsoft Entra ID features. The following table provides an overview of the scenarios supported by Security Copilot:
Enterprise user management scenarios
With Microsoft Security Copilot, administrators can now manage and investigate their Microsoft Entra tenants, users, groups, domains and licenses using natural language.
Tenants
Using Security Copilot, admins can ask questions about their tenant, such as the tenant ID, display name, and active licenses assigned to their tenant. It also provides insights into the technical and security compliance contacts for the tenant, and whether users can create new tenants.
This feature requires a minimum of the Global Reader role in Microsoft Entra ID, and can be used with any tenant and Microsoft Entra ID license.
Refer to the prompts and examples in Enterprise user management with Microsoft Security Copilot to learn how to use Microsoft Security Copilot for tenant information scenarios.
Users
Using Security Copilot, IT administrators can quickly view user details, manage roles, and troubleshoot access issues. This helps keep user identities secure and up to date, reducing time spent navigating portals and improving response times for user-related requests.
Refer to the prompts and examples in Enterprise user management with Microsoft Security Copilot to learn how to use Microsoft Security Copilot with user management for the following use-cases;
Groups
Using Security Copilot, IT administrators can quickly view group configurations, manage memberships, and identify group hygiene issues such as ownerless groups. By providing relevant group information in context, Copilot helps minimize time spent navigating portals and improves response times for group-related tasks.
Users with the following can use this feature:
Refer to the prompts and examples in Enterprise user management with Microsoft Security Copilot to learn how to use Microsoft Security Copilot with group management for the following use-cases;
Domains
Security Copilot can help IT admins simplify domain management in the Microsoft Entra admin center. This feature allows administrators to quickly access domain information, verify DNS records, and manage domain settings using natural language queries.
Refer to the prompts and examples in Enterprise user management with Microsoft Security Copilot to learn how to use Microsoft Security Copilot with domain management for the following use-case;
Licenses
Managing license purchases and usage across your Microsoft Entra tenant can be challenging. Using Security Copilot, you can ask questions about license usage, helping your organization optimize license utilization and get the most value from your Microsoft Entra investment.
Refer to the prompts and examples in Enterprise user management with Microsoft Security Copilot to learn how to use Microsoft Security Copilot with license usage for the following use-case;
For more information, see:
Monitoring and Health scenarios
Microsoft Entra uses the capabilities of Microsoft Security Copilot to help administrators monitor and maintain the health of their Microsoft Entra ID environment. By using natural language queries, admins can quickly access and analyze sign-in logs, audit logs, recommendations, health monitoring alerts, and SLA performance data. This enables them to identify potential issues, investigate anomalies, and take proactive measures to ensure the security and reliability of their identity infrastructure.
Sign-in logs
With Security Copilot, IT admins can streamline the process of reviewing and troubleshooting sign-in activities in Microsoft Entra. Instead of manually sorting through complex log data, IT administrators and Helpdesk teams can quickly analyze sign-in logs, identify issues, and receive clear, actionable answers. Security Copilot also suggests helpful follow-up questions to support your troubleshooting process and guide your next steps.
Refer to the prompts and examples in Understand monitoring and operations with Microsoft Security Copilot to learn how to use Microsoft Security Copilot with sign-in logs for the following use-cases;
- Application and authentication analysis
- Device and location analysis
- User activity and security monitoring
Audit logs
With Security Copilot, IT admins can streamline the process of investigating and troubleshooting audit logs in Microsoft Entra. Instead of manually searching through extensive log data, IT administrators and Helpdesk teams can quickly analyze audit activities, identify issues, and receive clear, actionable answers. Security Copilot also suggests helpful follow-up questions to support your investigation and guide your next steps.
Refer to the prompts and examples in Understand monitoring and operations with Microsoft Security Copilot to learn how to use Microsoft Security Copilot with audit logs for the following use-cases;
Provisioning logs
With Security Copilot, IT admins can provide valuable insights into provisioning activities within Microsoft Entra. By analyzing provisioning logs, administrators can quickly identify issues, track changes, and ensure that user accounts are being created, updated, and deleted as intended. These insights help maintain the integrity of your identity infrastructure and streamline user management processes.
Refer to the prompts and examples in Understand monitoring and operations with Microsoft Security Copilot to learn how to use Microsoft Security Copilot with provisioning logs for the following use-cases;
- User provisioning monitoring
- Provisioning failure analysis
- Provisioning success tracking
- Provisioning job status monitoring
Recommendations
With recommendations, Security Copilot can help you quickly investigate how to evolve your tenant to a secure and healthy state, by providing actionable insights and guidance. These recommendations cover features, best practices, and settings of Microsoft Entra, such as using least privileged administrator roles, configuring Self-Service Password Reset, and protecting your tenant with Conditional Access policies. Some recommendations factor into your Identity Secure Score, which can help you monitor and improve the security of your tenant. Using the capabilities of Microsoft Security Copilot, you can now interact with these recommendations using natural language, enabling your security team to quickly investigate how to evolve your tenant to a secure and healthy state.
Refer to the prompts and examples in Governance and optimization with Microsoft Security Copilot to learn how to use Microsoft Security Copilot with recommendations for the following use-cases;
- General recommendations and secure score
- Targeted recommendations by category
- Application credential management
For more information, see;
Health monitoring alerts
Using Security Copilot, administrators can now investigate health monitoring alerts in External Health Monitoring to analyze scenario-specific metrics for each tenant, detect anomalies, and raise alerts. Metrics include sign-in success rates, failure rates, and counts for multifactor authentication (MFA).
Refer to the prompts and examples in Understand monitoring and operations with Microsoft Security Copilot to learn how to use Microsoft Security Copilot with health monitoring for the following use-cases;
For more information, see:
- What is Microsoft Entra Health monitoring?
- How to investigate Microsoft Entra Health monitoring alerts
Service Level Agreement
With Microsoft Security Copilot, IT administrators can easily access and analyze Service Level Agreement (SLA) reports for authentication availability in their Microsoft Entra tenant. Security Copilot uses the Microsoft Graph API to provide monthly look-back insights on core authentication availability, helping admins quickly identify periods where SLA attainment may have fallen below 99.99%. This enables proactive review of SLA data alongside service outages, and helps determine eligibility for service credits according to the Microsoft Entra SLA. Security Copilot streamlines the process, allowing admins to use natural language queries to investigate SLA performance and ensure their organization’s authentication reliability.
Refer to the prompts and examples in Understand monitoring and operations with Microsoft Security Copilot to learn how to use Microsoft Security Copilot with SLA information for the following use-cases;
For more information, see:
Roles and administrators
Microsoft Entra role-based access control (RBAC) helps you manage who has access to Microsoft Entra resources by assigning roles to users, groups, or applications. You can use built-in roles or create custom roles with specific permissions to meet your organization's needs. You can now use Microsoft Security Copilot to investigate roles within a directory. For example, you can ask which roles a user or group has, who has a specific role, or get details about a particular role. This makes it easier for administrators and analysts to understand and manage role assignments across your environment.
Refer to the prompts and examples in Security and access control with Microsoft Security Copilot to learn how to use Microsoft Security Copilot with role management for the following use-cases;
For more information, see:
Devices
Microsoft Entra uses the capabilities of Security Copilot to help administrators investigate their Microsoft Entra ID devices using natural language queries. This feature allows admins to quickly access device information, such as device IDs, compliance status, activity and whether devices are Entra ID registered, joined, or hybrid joined.
Refer to the prompts and examples in Enterprise user management with Microsoft Security CopilotManage identities with Microsoft Security Copilot to learn how to use Microsoft Security Copilot with device management for the following use-cases;
- Device identification and status
- Device join types and configuration
- Device activity and operating systems
Conditional Access
Microsoft Entra Conditional Access applies the capabilities of Microsoft Security Copilot to help admins easily understand and evaluate their Conditional Access policies. By combining Conditional Access APIs with the power of generative AI, Security Copilot enables analysts to ask natural language questions, such as identifying what policies apply to users or what policies use certain controls, and receive clear insights in seconds.
Refer to the prompts and examples in Security and access control with Microsoft Security Copilot to learn how to use Microsoft Security Copilot with Conditional Access for the following use-cases;
Authentication
Microsoft Security Copilot empowers administrators to quickly assess and manage authentication methods across their Microsoft Entra tenant. By using natural language queries, you can easily discover which authentication methods are enabled, understand user registration status, and identify potential gaps in your organization's authentication strategy. This capability streamlines security management, helping you ensure that strong authentication practices are in place to protect your users and resources.
Refer to the prompts and examples in Security and access control with Microsoft Security Copilot to learn how to use Microsoft Security Copilot with authentication methods for the following use-cases;