Microsoft Security Copilot Experiences Demystified for CISOs (part 3)

As organizations evaluate Microsoft Security Copilot, CISOs are increasingly focused on quantifying marketing claims related to cost reductions or greater efficiency of SecOps workflows. These discussions present an opportunity to spotlight how the integration between Microsoft Security Copilot and SecOps tools helps enhance overall effectiveness. Through this blog series I intend to help you better facilitate those conversations by going beyond buzzwords to demystify Microsoft Security Copilot Experiences.

In my first post in this series, I clarified the difference between standalone vs. embedded Security Copilot experiences, and detailed the embedded experiences within Microsoft Defender. In my second post I described the main benefits of the embedded experiences in Microsoft Purview, which is a product your teams are probably using quite frequently. This post is dedicated to exploring the main benefits of the embedded experiences in Microsoft Entra.

The integration between Microsoft Security Copilot and Microsoft Entra can be quite helpful for large and increasingly complex organizations that are straining CISO resources. Here is a list of these “embedded” Security Copilot experiences, and the main benefits of each.

Product: Microsoft Entra.

Embedded experience: Main benefits

Investigate app risk: The ability to identify and understand application or workload identity risks simply using natural language. By using natural language prompts like “List risky app details for my tenant”, the analyst gets a better picture of the risk from application identities and can discover other application details in Microsoft Entra. Details can include permissions granted (especially high privileged permissions), unused apps in their tenant, and apps from outside their tenant.
Security Copilot then uses prompt context to respond, such as with a list of apps or permissions, and then surfaces links to the Microsoft Entra admin center so that admins can see a full list and take the appropriate remediation actions for the risky apps.
If your organization has even a mid level of M365 adoption maturity, you likely have a ton of apps you’ll need your analysts to keep tabs on. Natural language prompting reduces the time it takes to complete the original intent.

Investigate incidents: Given the seamless integration within M365, Security Copilot gets insights from your Microsoft Entra data through many different ‘skills’ to help SecOps analysts contextually investigate and remediate identity-based incidents using natural language prompts, rather than relying on a query-based approach. Query-based approaches are highly dependent on operator skill.

Investigate risky users: Natural language prompts in Security Copilot help SecOps analysts quickly determine the risk level, state, and risk details for a specific user or users. The investigations can be further enhanced by prompting for risk history, recent risky sign-ins, and risk details using natural language prompts rather than relying on a query-based approach. When all pertinent info has been gathered, Security Copilot attack mitigation recommendations and response playbooks can be used to shorten the time it would otherwise take to properly remediate.

Manage lifecycle workflows: The embedded Security Copilot experience in Microsoft Entra ID Governance saves identity administrators time and effort when configuring custom workflows to manage the lifecycle of users across Joiner-Mover-Leaver scenarios. This also includes the ability to customize workflows more efficiently using natural language to configure workflow information including custom tasks, execute workflows, and get workflow insights.
The time savings can compound for organizations that have a lot of employee (or even contractor) turnover.

If your organization is currently using Microsoft Security Copilot, and is a heavy user of Microsoft Entra, I’d be eager to know which of these embedded experiences your SecOps teams (or IT Admin teams) are using most frequently. Look out for the next (and final) post in this series which will be dedicated to the Security Copilot embedded experiences in Microsoft Intune and Azure Firewall. Be sure to come back and check that out too!

Thanks for reading, and please reach out if you have a question or just want to chat more!

Deep