Microsoft Security Copilot Experiences Demystified for CISOs (part 4)

As organizations evaluate Microsoft Security Copilot, CISOs are increasingly focused on quantifying marketing claims related to cost reductions or greater efficiency of SecOps workflows. These discussions present an opportunity to spotlight how the integration between Microsoft Security Copilot and SecOps tools helps enhance overall effectiveness. Through this blog series I intend to help you better facilitate those conversations by going beyond buzzwords to demystify Microsoft Security Copilot Experiences.

In my first post in this series, I clarified the difference between standalone vs. embedded Security Copilot experiences, and detailed the embedded experiences within Microsoft Defender. In my second post I described the main benefits of the embedded experiences in Microsoft Purview, which is a product your teams are probably using quite frequently. The third post was dedicated to exploring the main benefits of the embedded experiences in Microsoft Entra. Finally, this series wrap-up will focus on the main benefits of the embedded experiences in two products: Microsoft Intune and Azure Firewall.

The integration between Microsoft Security Copilot and Microsoft Intune or Azure Firewall can be quite helpful for large and increasingly complex organizations that are straining CISO resources. Here is a list of these “embedded” Security Copilot experiences in Microsoft Intune and Azure Firewall, and the main benefits of each.

Product: Microsoft Intune.

| Embedded experience | Main benefits |
| --- | --- |
| Device query | IT admins benefit from the Security Copilot embedded experience in Intune with just one click on “Summarize with Copilot”, followed by selecting a specific prompt from the prompt guide. From here, the IT admin can quickly retrieve device-specific information such as installed apps, group membership, the primary user assigned to the device, and policies assigned to the device, or compare a specific device to another device, etc. |
| Troubleshoot devices | The same prompt guide includes the ability for an IT admin to analyze an error code, including error codes from a device configuration profile, compliance policy, app installation, etc. The error doesn’t have to be scoped to the selected device. |
| Policy and setting management | Security Copilot is embedded right within policy and setting management on both existing and new policies. In cases where an IT admin is unsure whether a particular configuration is appropriate, a helpful tooltip can provide a rationale for each configuration and its purpose, so a more appropriate value can be set. The prompt guide for this embedded experience can also help the IT admin verify whether this setting has been configured in any other policies, whether there will be any potential policy conflicts, what Microsoft may recommend as specific values for a setting, or how a setting may affect users or security. At the time of this writing, Security Copilot tooltips in Intune are available for compliance policies, device configuration policies, and most endpoint security policies. |
| Manage lifecycle workflows | The embedded Security Copilot experience in Microsoft Entra ID Governance saves identity administrators time and effort when configuring custom workflows to manage the lifecycle of users across Joiner-Mover-Leaver scenarios. This also includes the ability to customize workflows more efficiently using natural language to configure workflow information including custom tasks, execute workflows, and get workflow insights. |

The time savings can compound for organizations that have a lot of employee (or even contractor) turnover.

Product: Azure Firewall.

| Embedded experience | Main benefits |
| --- | --- |
| Enrich the threat profile of an IDPS signature beyond log information | Azure Firewall’s network Intrusion Detection Prevention System (IDPS) uses a constantly updated database of signatures to identify specific patterns (like known malicious byte sequences or instruction sequences often used by malware) on all ports and protocols for non-encrypted network traffic. The main benefit of the Security Copilot experience in Azure Firewall (once integration has been enabled) is the ability to use natural language to further enrich the threat profile without compiling it manually. For example, “What can you tell me about this attack? What are the other attacks this attacker is known for?”, and more. |
| Generate recommendations to secure your environment using Azure Firewall’s IDPS feature | After the threat profile of an IDPS signature has been enriched, information from published documentation can be compiled quickly instead of having to look it up manually. A prompt like “How do I protect myself from these kinds of attacks across my entire infrastructure?” can save considerable time it would otherwise take to protect your infrastructure from malicious traffic. |
| Look for a given IDPS signature across your tenant, subscription, or resource group | The embedded experience of Security Copilot in Azure Firewall can also perform a fleet-wide search (over any scope) for a threat across all your Firewalls instead of the time-intensive efforts of manual threat hunting. |
| Retrieve the top IDPS signature hits for an Azure Firewall | Getting log information using KQL queries can often be painful and arduous for all but the most seasoned IT admins. This embedded experience helps to retrieve log information about the traffic intercepted by the IDPS feature directly, without manual KQL queries – the ultimate success of which is always going to be limited by the quality/thoroughness of the person attempting to perform the query. The benefit of this embedded experience is that it lifts the floor of skill level across your team to improve the outputs and task completion time. |

If your organization is currently using Microsoft Security Copilot, and is relying on Microsoft Purview or Defender, Entra, Intune, or Azure Firewall, I’d be eager to know which of the embedded experiences covered in this blog series your SecOps teams (or IT Admin teams) are using most frequently or finding the most value in.

I hope you have found this series on Security Copilot embedded experiences to be helpful. I’m looking forward to the list of experiences growing over time, and to some additional feature enhancements to the current list too. I will return to extend this series when there’s a meaningful set of additions made.

Thanks for reading, and please reach out if you have a question or just want to chat more!

Deep