From alert overload to decisive action: How Security Copilot agents are transforming security and IT

This post was originally published on this site.

Security and IT teams operate in a constant stream of alerts, incidents, and investigations. As environments expand across identities, endpoints, cloud, and data, the challenge becomes clear: identifying real risk quickly enough to act.

Security Copilot agents bring AI directly into the flow of work, helping teams understand risk with greater context, investigate threats more efficiently, and take action sooner. Security Copilot is now included with Microsoft 365 E5 and E7 licenses at no additional cost, so teams can start using agents right away.

Over the past year, organizations have used Security Copilot to triage alerts, surface real threats earlier, and move faster from investigation to action. At this RSA 2026 conference, we are announcing new capabilities that reflect a continuous wave of innovation, evolving from built-in AI assistance and automated summaries to new agents that can analyze signals, investigate incidents, and execute security workflows.

Real-world impact: measurable results

Security Copilot agents help security and IT teams identify and respond to risk more effectively. Customers are seeing that impact in their day-to-day operations.

At St. Luke’s University Health Network, the Phishing Triage Agent in Microsoft Defender saves security analysts more than 200 hours every month, automatically triaging phishing alerts and surfacing those that actually matter.

Independent randomized controlled studies reinforce the results. Security professionals using the Phishing Triage Agent triaged alerts up to 78% faster, delivered 77% more accurate verdicts, and identified 6.5 times more malicious emails.

That same impact extends beyond the SOC into other critical areas of security and IT.

A data security team at a large telecommunications organization used the Data Security Triage Agent in Microsoft Purview to triage more than 40,000 Data Loss Prevention (DLP) alerts in 90 days, surfacing the 10% most critical alerts that required investigation.

Identity teams are also seeing huge improvements with the Conditional Access Optimization Agent in Microsoft Entra, which continuously analyzes access policies against Zero Trust baselines and recommends actions. In controlled productivity studies, identity admins completed policy-related tasks 43% faster and 48% more accurately when identifying configuration weaknesses.

IT teams are also seeing impact using the Vulnerability Remediation Agent in Microsoft Intune, which continuously detects new vulnerabilities as threats emerge. As one CTO at a renewable energy and technology company shared, the agent is “dramatically changing the way we approach working with vulnerabilities in our environment. A two‑week process is now a two‑minute process, really huge number for us.”

Across these scenarios, teams begin investigations with clearer context and a better understanding of what actually matters. Instead of piecing together signals across dozens of tools, they can focus on the highest-risk issues and move from investigation to action with confidence.

As environments continue expanding across identities, endpoints, applications, and data, quickly connecting signals and understanding risk becomes essential.

New Security Copilot agents and capabilities announced at RSA Conference

Our innovation continues. Microsoft is introducing new Security Copilot agents and expanded capabilities designed to help organizations analyze complex security data, triage alerts more effectively, and strengthen security posture across identity, endpoint, cloud, and data environments.

New and updated Security Copilot agents built by Microsoft
  • Security Analyst Agent in Microsoft Defender

Security teams are often sitting on enormous volumes of security data, but turning that data into answers takes time. The Security Analyst Agent helps teams move from raw telemetry to real understanding much faster. By performing deep, multi-step investigations across Microsoft Defender and Sentinel telemetry, the agent can analyze up to ~100MB of security data to uncover anomalies, hidden risks, and high-impact threats that might otherwise stay buried. Analysts can chat directly with the agent to ask questions, explore hypotheses, and dig deeper into findings. The results include transparent reasoning and supporting evidence, helping teams quickly understand what matters and move forward with confidence.

  • Security Alert Triage Agent in Microsoft Defender

One of the biggest challenges for SOC teams is deciding which alerts actually deserve attention. The Security Alert Triage Agent helps cut through that noise so analysts can focus on the threats that truly matter. Building on its existing phishing triage capabilities, the agent now extends autonomous triage to identity and cloud alerts. Each verdict includes clear, transparent reasoning so analysts can quickly understand the outcome and prioritize the alerts that matter most.

  • New capabilities for Conditional Access Optimization Agent in Microsoft Entra

Identity environments are constantly evolving as organizations add new apps, users, and authentication methods. New capabilities in the Conditional Access Optimization Agent help identity teams identify and close critical policy gaps faster, with recommendations tailored to their organization’s needs. The agent now delivers business-context-aware recommendations, supports phased rollout of new policies, enables automated least-privilege enforcement for supported third-party agent identities, and helps drive passkey adoption. Together, these capabilities help organizations continuously strengthen identity security while maintaining productivity.

  • New capabilities for Data Security Posture Agent in Microsoft Purview

Sensitive data often moves through documents, emails, chats, and collaboration tools, which makes it easy for credentials or secrets to end up where they shouldn’t be. A new credential scanning capability in the Data Security Posture Agent helps data security teams proactively identify exposed credentials within their data environment. By analyzing data signals and access patterns, the agent surfaces potential credential exposure risks and helps teams quickly investigate and remediate them. This gives organizations better visibility into hidden data risks and strengthens overall protection of critical systems.

  • New capabilities for Data Security Triage Agent in Microsoft Purview Insider Risk Management

Investigating insider risk alerts often requires piecing together signals from many different sources to understand what is really happening. The Data Security Triage Agent now introduces an advanced AI reasoning layer that helps security teams evaluate those signals more holistically. By performing deeper, multi-step analysis across behavioral signals from users, devices, and data activity, the agent can surface the incidents that truly require investigation while filtering out noise. The result is faster, more accurate investigations and better confidence when responding to potential insider risks.

  • New capabilities for Data Security Triage Agent in Microsoft Purview Data Loss Prevention

Custom Sensitive Information Types (SITs) are often difficult for analysts to interpret quickly because the underlying definitions and patterns lack clear context at triage time. This latest enhancement makes custom Sensitive Information Types (SITs) easier for both the agent and analysts to understand in Data Loss Prevention alerts. Purview interprets custom SIT definitions, generates semantic descriptions of the data, and surfaces that context directly within the agent. This allows the agent to classify and prioritize alerts involving custom data more accurately, helping analysts quickly recognize real risk and respond appropriately.

New Security Copilot agents built by partners

To meet customers where they are across their existing security stack, the Security Copilot ecosystem continues to grow with more than 70 partner-built agents available today in the Security Store, bringing additional signals and investigation capabilities into the platform. Some of these agents include the following:  

Together, these partner agents extend Security Copilot’s ability to connect signals across Microsoft and third-party security platforms, giving organizations broader visibility and stronger investigation capabilities across their security environment. To explore all new Security Copilot agents, visit the Microsoft Security Store.

New Security Copilot innovations that turn insight into action

Security Copilot continues to integrate more deeply into the tools security and IT teams already use every day. These capabilities bring AI directly into the environments where investigations happen, helping teams explore threats, understand context, and take action without switching between tools.

  • Security Copilot interactive chat experience in Microsoft Defender

Analysts can ask questions, explore investigative hypotheses, and follow threat activity across incidents, alerts, identities, devices, and IPs without leaving their investigation. Copilot understands the context of the page analysts are working on and grounds responses in the relevant signals already available in Defender. As analysts ask questions, Copilot can run investigative steps, gather additional evidence, and surface new insights. This allows teams to iterate quickly, validate assumptions, and dig deeper into threats while staying in the same workflow.

  • Secret finder skill in Security Copilot is now generally available

Available in the Security Copilot standalone portal, the Secret Finder skill can be invoked to analyze unstructured content such as emails, chats, documents, and investigation notes to identify exposed credentials hidden in real-world workflows. Using agentic capabilities such as multi-step reasoning rather than simple pattern matching, it detects real, usable secrets and the systems they unlock, helping security teams quickly understand potential exposure and respond with confidence. Additional integrations and use cases are planned to expand how this capability can be used across security workflows.

  • Security Copilot trigger in Logic Apps

Building on how many organizations already use Logic Apps to automate security workflows, a new connector action for Security Copilot in Logic Apps flows allows teams to easily invoke partner-built agents and custom agents they create as part of repeatable workflows. This brings deeper AI-driven investigation, context, and decision support into tasks such as incident triage, threat intelligence analysis, and policy validation.

See Security Copilot in action at RSA Conference

Join us at RSA Conference to see the latest Security Copilot agents and capabilities in action. Stop by the Microsoft booth to connect with the team, explore new innovations, and experience how agents are helping security and IT teams investigate threats, understand risk, and strengthen security posture.

Hear from Microsoft Security product leaders in these booth sessions

  • March 23 | 5:15 PM
    Empowering the SOC with assistive and autonomous AI, Yuval Derman
  • March 24 | 3:00 PM
    Security Copilot agents: Insight. Action. Impact., Lizzie Heinze and Donna Lee
  • March 25 | 10:30 AM
    Turning Data Risk into Action with Security Copilot Agents, Paige Johnson and Tanay Baldua
  • March 26 | 12:00 PM
    Defend identity autonomously with agentic AI in Microsoft Entra, Mitch Muro, Rahul Prakash, Nikhil Reddy

Join our deep dive session

Stop by the Microsoft booth for a hands-on experience

  • Test out the latest Security Copilot agents at the demo station and connect with our experts.
  • Agentic AI Arena: Try a fun, gamified experience that shows how Security Copilot agents investigate threats, surface risk, and help security teams respond faster.

Start using Security Copilot in your daily workflows

If you have received access to Security Copilot as part of your Microsoft 365 E5 plan, we recommend the following steps to get started quickly:

What’s new in Power Platform: March 2026 feature update

Summary
Welcome to the Power Platform monthly feature update! We will use this blog to share news in Power Platform from the last month, so you can find a summary of product, community, and learning updates from Power Platform in one easy place. Now, let’s dive into what’s new in Power Platform:

Get started with the latest updates today!

Jump into Power Apps, Power Automate, and Power Pages to try the latest updates. You can use an existing environment or get started for free using the Developer plan.

Managed platform

Licensing capacity reporting

Licensing capacity reporting is now fully available in the Power Platform admin center (Licensing → Power Automate → Usage), giving admins a single place to see which users are over capacity and which flows are driving that usage. Export options, a consolidated licensing page, and additional improvements are on the way.

Power Platform inventory

Power Platform inventory is now generally available, giving tenant administrators a unified view of cloud flows, Copilot Studio agent flows, and Workflows agent workflows across every environment. Expansion with connectors, actions, and key usage data is on the way — making it even easier to spot your most active automations, enforce compliance, and prevent orphaned resources.

The new usage page

The new usage page is now in public preview with modern dashboards showing adoption trends and resource-level analytics for Power Apps, Power Automate, and Copilot Studio. For Power Automate, the page already shows flow run data so you can track execution patterns across your tenant.

Agentic apps

Bringing Microsoft 365 Copilot into model-driven apps

In this demo from the Microsoft 365 & Power Platform Community call, you see how Microsoft 365 Copilot integrates with model-driven Power Apps to answer questions about your app data, generate visualizations using code interpreter, and take action across Microsoft 365. You’ll see how Copilot uses app and data context to generate documents, create presentations, and even schedule meetings—all directly from your app.

Turn app data into action with Microsoft 365 Copilot

Previously, we walked through how to enable Microsoft 365 Copilot in model-driven apps. Now it’s time to put it to work where your business processes actually run. In the Copilot side pane, you can ask Copilot to summarize table data, visualize what’s active, see what’s pending, recap the history of a specific record, and reference related content surfaced through Work IQ. The result is a more natural transition from “what’s going on?” to “what should I do next?” without ever leaving the app.

Because this experience is powered by Microsoft 365 Copilot, you can also bring in the right agent at the right moment. You can @mention first‑party agents like Researcher and Analyst, or involve a custom agent your organization has made available. That agent collaboration helps turn insights into action, whether that means drafting a document, creating a PowerPoint, or taking next steps like scheduling a meeting. All of this stays grounded in your app context and chat history. Ready to get started? Begin with the admin and maker setup guidance, then explore how end users work in the pane, and finally learn how to tailor the experience with agents.

Building modern apps

New quality updates for modern controls in canvas apps

We’ve shipped quality updates across all nine modern controls in Power Apps canvas apps—Text, Number Input, Date Picker, Text Input, Tab List, Combo Box, Radio, Link, and Info Button. This is one of the most comprehensive control refreshes to date, addressing top maker feedback around consistency, reliability, and flexibility. Whether you’re building new apps or maintaining existing ones, these updates make modern controls noticeably better to work with.

The biggest improvements are in consistency, performance, and developer experience. Controls now share a unified property model with standardized names and typed enum values (predefined value sets), which means better IntelliSense, fewer formula errors, and less guesswork. The OnChange behavior has been refined across controls to fire at the right moments—reducing unnecessary recalculations and making apps feel faster and more responsive. Mobile-optimized defaults are also now applied automatically when you add controls to a mobile layout.

Migration is guided every step of the way. When you open an app using a previous version of a modern control, you’ll see an in-product notification with a “learn more” link and an “update” button coming soon on all controls. Dedicated per-control migration guides walk you through every property rename and formula change needed—so you stay in control of when and how you upgrade.

AI powered development

vibe.PowerApps.com Walkthrough

This video explores the new vibe.powerapps.com preview, which enables developers to build full code Power Apps from a prompt using AI-driven plan, data, and app generation. You’ll see how the unified experience simplifies app creation, editing, and publishing without requiring VS Code or manual code authoring.

Power Automate

Object-centric process mining analyzes processes by following real interacting business objects

Object-Centric Process Mining (OCPM) is a new approach to process analysis in Power Automate Process Mining that models processes as they occur in real business environments. Unlike traditional case-centric process mining, which groups events under a single case notion (e.g., Order ID), OCPM allows a single event to belong to multiple objects and object types — such as orders, invoices, deliveries, and payments — preserving the full web of interactions and dependencies end-to-end. 

This capability solves a fundamental limitation of case-centric mining: when events routinely touch several objects of different types simultaneously, forcing them into a single case can hide cross-object relationships, duplicate events, or distort metrics. OCPM keeps these relationships explicit, rendering object-centric process maps that show object lifecycles, activity nodes spanning multiple object types, and color-coded object-flow edges. This makes it straightforward to identify multi-object bottlenecks, verify compliance policies that span entities (e.g., “ship only after payment”), and analyze how different process flows converge and interact. 

OCPM is ideal for scenarios where dependencies across object types drive outcomes — such as order-to-cash, procure-to-pay, or supply chain processes — while case-centric mining remains the right choice for tightly scoped, single-instance workflows. 

Process intelligence experience: a customizable interface for process analysis

The process intelligence experience is the next-generation interface for process analysis in Power Automate Process Mining. It replaces the previous fixed process overview with a flexible, card-based dashboard system that adapts to your analysis needs. Users can create multiple tabs to organize different analytical perspectives, apply dynamic filters across all visualizations, and arrange, resize, and configure cards to build personalized analytical workspaces. 

Key enhancements include the ability to group related metrics and visualizations together logically, switch between preconfigured analytical perspectives instantly, and share dashboard configurations with team members. Continuous data refresh ensures you’re always working with current information, while the customizable layouts give you complete control over what you see and how you see it — enabling tailored views for different stakeholders and use cases.   

Power Pages

Infuse intelligent experiences into Power Pages sites with the new Agent API

Agent API for Power Pages enables site creators to build custom chat and other user experiences and integrate these seamlessly with their custom-built Microsoft Copilot Studio agents. This enhancement gives organizations more flexibility for integrating intelligence into their web experiences.

Public preview: Build Power Pages sites with AI using agentic coding tools

We’re announcing the public preview of the Power Pages plugin for GitHub Copilot CLI and Claude Code. Describe the site you want in natural language and the plugin handles the rest — from project scaffolding and setup to Web API integrations, permissions, and site deployment.

The plugin is purpose-built for Power Pages. It understands table permissions, web roles, site settings, authentication configuration, and Web API patterns. Because it generates platform-aware code, you spend less time on manual configuration and more time building your site.

The post What’s new in Power Platform: March 2026 feature update appeared first on Microsoft Power Platform Blog.

Introducing Secret Finder: Finding Real Credentials Where Traditional Tools Fail

Secret Finder is an AI-powered capability in Microsoft Security Copilot that detects leaked credentials in unstructured content, such as emails, chat logs, documents, and screenshots, where traditional pattern-matching tools struggle. It relies on a multi‑step, multi‑agent reasoning workflow rather than a single pass detector. Detection, verification, and contextual analysis are handled by distinct reasoning stages, allowing Secret Finder to find real credentials without flooding users with false positives. Unlike regex-based scanners, Secret Finder uses reasoning to identify not just credentials, but the systems they unlock, helping security teams understand exposure and respond faster. In benchmark testing on synthetic datasets, Secret Finder achieved 98.33% true credential detection with zero false alarms on realistic emails, chats, notes, and documents—while traditional regex scanners detected only about 40% of the same credentials. Secret Finder is now generally available in Security Copilot, supporting 20+ credential types with high precision and actionable context.

The Problem: Credentials Hide Where Traditional Tools Can’t See

When security incidents happen, leaked credentials don’t always appear in clean, predictable formats. They show up buried in email threads, pasted into Teams messages, embedded in Word documents, or captured in screenshots of logs and terminals. These are exactly the places where security teams spend the most time and where traditional secret scanning tools fail.

Most existing tools rely on regular expressions or simple pattern matching. This works reasonably well for structured environments like source code repositories, where credentials follow predictable formats. But in real-world incidents, secrets look different. A storage key might be split across multiple messages in an email thread. A credential could be reformatted, partially redacted, or embedded alongside explanatory text.

In these situations, pattern matching produces two painful outcomes: it misses real credentials because the format doesn’t match a known rule, or it floods analysts with false positives that waste time. Security teams are left manually reviewing content, guessing which findings are real, and piecing together what systems might actually be at risk. In practice, this failure mode has a real human cost: security analysts end up reviewing thousands of alerts, manually inspecting email threads and chat logs, and trying to determine whether a suspicious string actually unlocks a storage account, API, or production service. Teams can spend days reconstructing context across messages and documents just to understand what a credential grants access to, slowing containment and increasing risk during active incidents.

This is the gap Secret Finder was built to close.

The Solution: Secret Finder Brings Reasoning to Secret Detection

Secret Finder approaches secret detection as a reasoning problem, not a string-matching exercise. Instead of asking “does this text match a pattern?”, it asks human-like questions: Is this text describing a credential or access mechanism? Does the value look real and usable? What system or resource could this access?

This shift is subtle but powerful. Secret Finder doesn’t just detect credentials, it connects them to doors: the specific targets those credentials unlock, such as API endpoints, storage accounts, applications, or services. This is critical for triage. Instead of stopping at “this looks like a credential,” Secret Finder tells analysts what that credential actually opens. Without context, a credential triggers manual follow‑up. When it’s linked to a specific target, analysts can immediately assess impact and act.

By understanding messy, real-world content the way a human investigator would, Secret Finder delivers findings that security teams can trust and act on immediately. It’s designed specifically for the unstructured, noisy environments where incidents actually unfold.

Why Secret Finder Outperforms Traditional Pattern Matching

Traditional secret scanners are built for clean data. Secret Finder is built for reality.

Traditional tools struggle when:

  • Credentials appear in natural language descriptions rather than code
  • Context determines whether a string is sensitive or benign
  • Credentials are incomplete, malformed, or partially redacted

Secret Finder excels because it:

  • Reasons through context, understanding surrounding text to identify what’s truly sensitive
  • Detects credentials and their associated resources together, providing the “what” and the “where” in a single pass
  • Handles noisy, unstructured inputs like emails, chat logs, and documents
  • Assigns confidence scores to help teams prioritize findings and reduce alert fatigue
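
The pattern-matching failure modes listed above can be reproduced with a small harness. This is an added example, not Microsoft's code and not a description of how Secret Finder works; the scanner names, the `unwrap` helper and every sample (including the key, which is a fixed byte pattern) are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed, non-functional values. 64 bytes encode to 88 base64 characters
# ending in "==", the shape of an Azure Storage account key.
FAKE_KEY = base64.b64encode(bytes(range(64))).decode()
# Benign look-alike: a base64 SHA-512 digest (e.g. an SRI hash) has the same shape.
SRI_HASH = base64.b64encode(hashlib.sha512(b"constructed asset").digest()).decode()

CONN = "AccountName=contosologs;AccountKey=" + FAKE_KEY
# The same string as a mail client would hard-wrap and quote it.
WRAPPED = "\n".join("> " + CONN[i:i + 40] for i in range(0, len(CONN), 40))

# (description, text, contains_a_real_looking_key) -- all constructed samples.
SAMPLES = [
    ("config line", CONN + ";EndpointSuffix=core.windows.net", True),
    ("quoted email, hard-wrapped",
     "> Connection string for the logs account:\n" + WRAPPED, True),
    ("split across two chat messages",
     "[10:02] storage key for contosologs, first half: " + FAKE_KEY[:44]
     + "\n[10:03] rest of it: " + FAKE_KEY[44:], True),
    ("SRI hash in HTML",
     '<script src="app.js" integrity="sha512-' + SRI_HASH + '"></script>', False),
    ("documentation placeholder",
     "Set AccountKey=<your-key-here> in appsettings.json", False),
]

B64 = "A-Za-z0-9+/"
# Keyword-anchored rule: precise, but needs the exact "AccountKey=" layout.
STRICT = re.compile(rf"AccountKey=[{B64}]{{86}}==")
# Format-only rule: any 88-character base64 run ending in "==".
LOOSE = re.compile(rf"(?<![{B64}])[{B64}]{{86}}==")


def unwrap(text):
    """Crude normalisation: drop '>' quote markers and rejoin lines that
    look like the continuation of a hard-wrapped base64 value."""
    out = []
    for line in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", line).rstrip()
        continues = (
            out
            and line
            and re.fullmatch(rf"[{B64}]*={{0,2}}", line)
            and re.search(rf"[{B64}]$", out[-1])
        )
        if continues:
            out[-1] += line
        else:
            out.append(line)
    return "\n".join(out)


def strict_scan(text):
    return bool(STRICT.search(text))


def loose_scan(text):
    return bool(LOOSE.search(text))


def strict_scan_unwrapped(text):
    return bool(STRICT.search(unwrap(text)))


def confusion(detect):
    """Return (true positives, false positives, false negatives) over SAMPLES."""
    tp = sum(1 for _, text, real in SAMPLES if real and detect(text))
    fp = sum(1 for _, text, real in SAMPLES if not real and detect(text))
    fn = sum(1 for _, text, real in SAMPLES if real and not detect(text))
    return tp, fp, fn


def precision_recall(detect):
    tp, fp, fn = confusion(detect)
    precision = tp / (tp + fp) if tp + fp else 1.0
    return precision, tp / (tp + fn)


if __name__ == "__main__":
    for name, fn in [("strict regex", strict_scan),
                     ("format-only regex", loose_scan),
                     ("strict regex + unwrap", strict_scan_unwrapped)]:
        p, r = precision_recall(fn)
        print(f"{name:24s} precision={p:.2f} recall={r:.2f}")
```

Normalising the input recovers the hard-wrapped key, but the key split across two chat messages is still missed by every rule here, and the format-only rule flags the SRI hash.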

What Secret Finder Can Do Today

Secret Finder is now generally available in Microsoft Security Copilot, with capabilities shaped directly by real security workflows across incident response, red teaming, and SOC operations.

It detects over 20 major credential categories, spanning cloud provider credentials like Azure Storage Keys and AWS Access Keys, authentication credentials including Microsoft Entra passwords and OAuth tokens, database connection strings, SSH private keys, API keys, and generic secrets that don’t fit predefined patterns. This broad coverage means analysts can scan investigation artifacts without worrying whether the secret type is supported.

What makes Secret Finder particularly effective is where it works. Email threads where credentials are discussed across multiple messages. Teams chats where credentials are pasted quickly during troubleshooting. Word documents and internal wikis where credentials are documented for operational handoffs. Incident reports and post-mortem notes written under pressure. These are the environments where traditional pattern-matching tools fail, and where Secret Finder delivers the most value.

In benchmark evaluations, Secret Finder achieved 100% recall with 0% false positives on synthetic datasets containing embedded Azure Storage credentials, compared to 40% recall from traditional regex‑based tools such as CredScan. In more complex scenarios involving multiple credential types and noisy email content, Secret Finder maintained 98.33% recall with 0% false positives. These results were observed on synthetically generated evaluation datasets spanning emails, chats, notes, and documents, designed to reflect how engineers communicate and how credentials may be inadvertently shared in real‑world workflows.

| Scenario | Precision | Recall |
| --- | --- | --- |
| Single credential type | 100% | 100% |
| Complex, multiple credential types | 100% | 98.33% |

Secret Finder is currently integrated into Security Copilot, actively supporting incident response workflows, and working toward deeper integrations with developer platforms such as GitHub to bring contextual secret detection to source code analysis at scale.

Using Secret Finder in Security Copilot

Secret Finder is available as a skill in Microsoft Security Copilot, making credential detection a seamless part of analyst workflows.

How to use Secret Finder:

  1. Enable the Secret Finder skill in Security Copilot via “Manage Sources” → “Manage Plugins” (Figure 1)
  2. Select “FindSecretInText” from Promptbook (Figure 2)
  3. Submit unstructured content directly in the Copilot prompt: paste the text blob that might contain credentials
  4. Secret Finder analyzes the content using its multi-agent workflow, detecting credentials and associated doors
  5. Review actionable findings with contextual details

Figure 1. Enabling the Secret Finder skill in Microsoft Security Copilot (Due to recent naming changes, users might see “Agentic secret finder” in Security Copilot. The naming changes will be reflected in a few weeks.)

Figure 2. Selecting the FindSecretInText prompt, which invokes Secret Finder’s multi‑step credential detection and verification workflow

Figure 3. Submitting a text blob containing embedded credentials for analysis (example is synthetic)

Figure 4. Secret Finder output with detected credentials and associated doors (example credentials and associated doors are synthetic)

What’s Next for Secret Finder

Secret Finder is a living capability. Over the next six months, we are working towards coverage and deepening integrations:

  • Exploring integrations with GitHub to reduce false positives in secret scanning for code repositories
  • Optimizing for large-scale analysis to handle enterprise-wide scans efficiently with reduced latency
  • Exploring graph-based risk modeling to map relationships between credentials, services, and attack paths

Our long-term vision goes beyond detection: we want to help security teams understand how credentials are used, what risks exist if they’re exposed, and what the impact of rotation or revocation would be. By moving from “what’s leaked” to “what does it mean,” Secret Finder will enable smarter prioritization, faster response, and more confident decision-making.

Acknowledgments

Secret Finder has been a cross-team effort over the past year, evolving from early research and prototyping through private preview, public preview, and now general availability.

This milestone reflects contributions across many phases, from initial system design and technical direction to evaluation, product integration, and deployment at scale.

Contributors include Mariko Wakabayashi, leading the early research through production, and the team, including Zixiao Chen and Avy Challa, for GA improvements and bringing Secret Finder to production readiness.

We also appreciate Tony Twum-Barimah, Malachi Jones, and the Security Copilot team, including Austin Trapp and Vinod Jagannathan for their technical and product support throughout the process, as well as Christian Rudnick and Helen Chang for guiding us through the responsible AI reviews before launch.

Finally, a huge thanks to the incident responders and security researchers who shared valuable insights along the way. Secret Finder wouldn’t have been possible without their work and feedback.

2026 release wave 1 plans for Microsoft Dynamics 365, Microsoft Power Platform, and Copilot Studio offerings

2026 release wave 1 plans for Microsoft Dynamics 365, Microsoft Power Platform, and Copilot Studio offerings

We’re entering a new era of AI-powered business applications, and today we’re excited to publish the 2026 release wave 1 plans for Microsoft Dynamics 365, Microsoft Power Platform, and role-based agents in Microsoft 365 Copilot, outlining a broad set of capabilities slated for release between April 2026 and September 2026. These updates reflect our ongoing commitment to making AI an essential partner in how organizations operate, innovate, and grow.

Dynamics 365 leads this wave with AI-powered, agentic innovations across sales, service, finance, supply chain, human resources (HR), and commerce—helping organizations unify data, automate processes, and elevate customer and employee experiences. Microsoft Power Platform continues to expand modern app development, intelligent automation, and enterprise-grade governance to empower makers and developers to innovate with confidence. Role-based agents in Microsoft 365 Copilot further evolve into intelligent daily command centers, helping to deliver richer, data-grounded insights and extensibility that help teams work smarter across every role.

To help you stay current on the most important and innovative capabilities, we’re moving beyond bi-annual launch events to lighter, more frequent business applications updates, featuring expert insights and demonstrations from Microsoft product leaders and engineers.

  • Watch the Dynamics 365 Business Applications Update March 18 at 9 AM PDT
  • Register for the Power Platform and Copilot Studio update April 15 at 9 AM PDT

Be sure to stay updated on the latest features and create your personalized release plan using the release planner.

Highlights from Dynamics 365

2026 release wave 1 updates for Dynamics 365 deliver AI-powered, agentic experiences across sales, service, finance, supply chain, commerce, HR, projects, sustainability, and enterprise resource planning (ERP)—bringing deeper Copilot integration, intelligent automation, unified customer and operational data, and enhanced cross-app capabilities to help organizations drive efficiency, elevate customer and employee experiences, and operate with greater agility and confidence.

Dynamics 365 Sales

Dynamics 365 Sales brings the power of AI to help sellers build their pipeline, enrich opportunities, and accelerate deal closure, while helping sellers easily access accurate, up-to-date information and recommending high-impact actions that sellers can take. Copilot experiences in Dynamics 365 Sales can draw on data spanning customer relationship management (CRM) and Microsoft 365 signals, like email and meeting recaps, to deliver actionable insights across Dynamics 365 and Microsoft 365 experiences.

Dynamics 365 Customer Service

Dynamics 365 Customer Service will continue to enhance agentic capabilities across case management, email, customer intent, quality evaluation, and knowledge management. AI-infused admin and supervisor experiences help provide more transparency and quicker time-to-value. These investments strengthen end-to-end service orchestration, from helping identify customer intent to driving autonomous workflows that elevate service quality and responsiveness.

Dynamics 365 Contact Center

Dynamics 365 Contact Center advances the agentic contact center in 2026 release wave 1 with new AI-powered capabilities that improve self-service, accelerate assisted service, and help organizations run contact center operations more intelligently. It expands to include emerging channels, supervisor insights, and extensibility, giving organizations a unified, AI-powered system to elevate the customer experience.

Dynamics 365 Field Service

Dynamics 365 Field Service strengthens service execution across technician productivity, resource scheduling, and work order management. Investments focus on mobile usability and reliability, intelligent scheduling through the Scheduling Operations Agent, and end‑to‑end execution across assets, projects, and financial operations in this release wave. Together, these updates help organizations manage service complexity and deliver consistent service outcomes.

Dynamics 365 Sustainability

Dynamics 365 Sustainability introduces more intuitive reporting navigation, advanced calculation versioning, and granular data‑locking to reinforce governance and regulatory confidence in this wave. Expanded finance integration, streamlined workflows, and updated templates and factor libraries will further empower organizations to make informed decisions and support progress toward their sustainability goals.

Dynamics 365 Finance

Dynamics 365 Finance delivers continued global scale enhancements that drive greater financial automation, strengthen global regulatory compliance posture, and enhance financial planning and analytics—helping organizations operate more efficiently and achieve their financial and operational goals with confidence.

Dynamics 365 Supply Chain Management

Dynamics 365 Supply Chain Management’s 2026 wave 1 enhances supply and demand planning with price-demand correlation and capacity-to-promise (CTP) date protection. Supplier communication and engagement are streamlined, while warehousing gains AI-powered picking, inventory rebalancing, and hands-free scanning—driving supply chain efficiency.

Dynamics 365 Project Operations

Dynamics 365 Project Operations brings rich capabilities in 2026 release wave 1—from change order support and smarter project planning to smoother quoting, budgeting, and contract workflows. New enhancements streamline item consumption, mobile expense management, subscription billing, and modern-architecture migration—delivering a connected project experience.

Dynamics 365 Commerce

Dynamics 365 Commerce strengthens business-to-business (B2B) with multi-outlet ordering, unified sign-in, outlet-specific catalogs, and built-in credit management to help reduce friction and protect cash flow. It modernizes order management and assisted-selling workflows in retail stores, helping to improve associate productivity and customer experiences across channels. It also enables cross-legal-entity inventory lookup and flexible, attribute-based pricing to help accelerate mass updates and help drive higher sales.

Dynamics 365 Human Resources

Dynamics 365 Human Resources continues to advance in areas such as recruitment, onboarding, reporting, and integrated workforce management. By merging enhanced user experiences with broader ecosystem integration and expanding regional payroll collaborations, the platform enables organizations to optimize employee engagement, support operational accuracy, and confidently achieve their workforce objectives.

Finance and operations cross-app capabilities

Finance and operations cross-app capabilities will introduce new enhancements that strengthen the foundation for AI experiences across Dynamics 365. These updates include improvements to Model Context Protocol (MCP) servers, as well as the general availability of immersive home, which is an AI-powered workspace designed to help users stay focused and prioritize what matters most.

Dynamics 365 Customer Insights – Data

Dynamics 365 Customer Insights – Data acts as the grounding layer for CRM copilots and AI agents, delivering real‑time, unified customer profiles that help power accurate decisions. With enriched data, teams can act on insights directly in their workflow to deliver timely, personalized experiences that deepen engagement and drive better outcomes. The result is an AI-ready data core that elevates agents and helps deliver more connected, intelligent CRM experiences.

Dynamics 365 Customer Insights – Journeys

Dynamics 365 Customer Insights – Journeys empowers end-to-end, agentic customer engagements across sales, marketing, and service, allowing businesses to proactively react to customer behavior using Copilot and AI agents. With smarter orchestration tools, teams can deliver impactful campaigns at scale to drive stronger relationships, higher efficiency, and revenue growth. Part of Dynamics 365, every interaction within your organization benefits from shared data and consistent intelligence across Microsoft CRM applications.

Dynamics 365 Business Central

Dynamics 365 Business Central accelerates the move to agentic ERP with enhancements to our AI‑powered agents that automate sales and purchase scenarios in 2026 release wave 1. Alongside new business capabilities, we invest heavily in developer productivity to support extensibility—improving advanced language (AL) testing, debugging, Copilot extensibility, and agent design.

Highlights from Microsoft Power Platform and Microsoft Copilot Studio

2026 release wave 1 updates for Microsoft Power Platform deliver modernized app experiences across Power Apps and Power Pages, AI-powered automation and agent innovation in Power Automate and Copilot Studio, enhanced Dataverse intelligence and programmability, and strengthened governance, security, and cost management capabilities to help organizations build, scale, and manage intelligent solutions with confidence.

Power Apps

Power Apps continues to modernize app experiences with a refreshed model-driven user interface (UI), improved mobile and offline capabilities, streamlined search, and expanded AI features. This release brings standardized modern theming to everyone, real-time Dataverse access for offline-first canvas apps, enhanced search in grids and lookups, and broader availability and extensibility of generative pages to help teams build and scale intelligent apps faster.

Power Pages

Power Pages will further empower pro-developers and low-code makers to build intelligent business portals for your employees, customers, citizens, and partners through better integration with market leading AI tools. Additionally, enhanced security agent features will further support low-code makers, pro-developers, and admins with actionable insights and abilities for securing their websites.

Power Automate

Power Automate is Microsoft’s comprehensive automation platform for cloud flows, desktop flows, and process mining. This release introduces AI agent authoring, optimization, and self-healing capabilities for desktop flows, Copilot Studio-powered actions in cloud flows, enhanced maker and collaboration tools across both, general availability of object-centric process mining, and consolidated governance reporting.

Microsoft Copilot Studio

Microsoft Copilot Studio continues its journey to make agent and agentic workflows even easier to build and more powerful. Now you can further customize agents built with Agent Builder in Microsoft 365 Copilot, and power your automation with high value AI actions. Deeper governance, multi-agent orchestration, and evaluations enable further scaling. With connections to Microsoft Foundry and Work IQ, your agents can use the latest AI technology in coordination with your organizational data.

Microsoft Dataverse

Microsoft Dataverse continues to invest in enterprise-ready agentic and low-code data platform capabilities. The spotlight is on Work IQ and Copilot integration, delivering organization-specific decisions with adaptive learning and full auditability. We’re also enhancing agent programmability with Dataverse APIs, MCP servers, and Python SDK, plus new storage management tools for enterprise-grade compliance at scale.

Microsoft Power Platform governance and administration

Microsoft Power Platform governance and administration introduces admin controls for agent security, real-time risk assessment in Copilot Studio, and AI-powered governance agents that automate tenant monitoring and remediation in this release. Enhanced visibility into usage patterns, granular Copilot credit consumption with pay-as-you-go (PAYG) caps, and connector dependencies help you optimize costs, demonstrate return on investment (ROI), and enforce compliance with organizational policies using features within the Power Platform Admin Center. GitHub integration and deploy from Git mature your application lifecycle management (ALM) practices with full audit trails.

Updates to role-based agents in Microsoft 365 Copilot

2026 release wave 1 updates for Microsoft role-based agents transform Sales Agent and Finance Agent in Microsoft 365 Copilot into intelligent daily command centers, helping to deliver richer, data-grounded insights, enhanced chat and mobile experiences, contextual support across Outlook and Teams, and strengthened governance and extensibility to help organizations drive productivity and scale AI responsibly.

Sales Agent

Sales Agent becomes the seller’s daily command center with richer Sales Chat and Sales Home experiences across desktop and mobile in 2026 release wave 1. Sellers will gain streamlined access to deal and account insights through configurable record summaries, contextual support in Outlook and Teams, and improved email and meeting intelligence. New governance and extensibility controls will also help organizations scale AI responsibly.

Finance Agent

Finance Agent helps finance professionals and their stakeholders interact with financial information from their ERP within the flow of work. In 2026 release wave 1, we continue expanding how this financial assistant supports common finance tasks such as reconciliation, variance analysis, and data preparation in Excel, as well as customer communications in Outlook. By bringing financial insights and assistance directly into familiar productivity tools, the Finance Agent helps teams investigate issues faster, respond to stakeholders more efficiently, and spend less time manually preparing or reconciling data so they can focus more on financial analysis and decision support.

For a complete list of new capabilities, please refer to the Dynamics 365 2026 release wave 1 plan, the Microsoft Power Platform 2026 release wave 1 plan, and role-based agents 2026 release wave 1. We also encourage you to share your feedback in the community forums for Dynamics 365 and Microsoft Power Platform.

Business Applications Update

The Business Applications Update offers an early preview of new capabilities coming in the months ahead. This refreshed structure is designed to reflect the reality of our time: innovation does not happen twice a year; it is constant. Whether you are a strategic leader or a hands-on practitioner, this new cadence is built to get you quickly up to speed.

  • Watch the Dynamics 365 Business Applications Update March 18 at 9 AM PDT
  • Register for the Power Platform and Copilot Studio update April 15 at 9 AM PDT

The post 2026 release wave 1 plans for Microsoft Dynamics 365, Microsoft Power Platform, and Copilot Studio offerings appeared first on Microsoft Power Platform Blog.

Introducing Agentic Secret Finder: Finding Real Credentials Where Traditional Tools Fail

This post was originally published on this site.

Agentic Secret Finder (ASF) is an AI-powered capability in Microsoft Security Copilot that detects leaked credentials in unstructured content, such as emails, chat logs, documents, and screenshots, where traditional pattern-matching tools struggle. Agentic Secret Finder (ASF) is “agentic” because it relies on a multi‑step, multi‑agent reasoning workflow rather than a single pass detector. Detection, verification, and contextual analysis are handled by distinct reasoning stages, allowing ASF to find real credentials without flooding users with false positives. Unlike regex-based scanners, ASF uses reasoning to identify not just credentials, but the systems they unlock, helping security teams understand exposure and respond faster. In benchmark testing on synthetic datasets, ASF achieved 98.33% true credential detection with zero false alarms on realistic emails, chats, notes, and documents—while traditional regex scanners detected only about 40% of the same credentials. ASF is now generally available in Security Copilot, supporting 20+ credential types with high precision and actionable context.

The Problem: Credentials Hide Where Traditional Tools Can’t See

When security incidents happen, leaked credentials don’t always appear in clean, predictable formats. They show up buried in email threads, pasted into Teams messages, embedded in Word documents, or captured in screenshots of logs and terminals. These are exactly the places where security teams spend the most time and where traditional credential scanning tools fail.

Most existing tools rely on regular expressions or simple pattern matching. This works reasonably well for structured environments like source code repositories, where credentials follow predictable formats. But in real-world incidents, credentials look different. A storage key might be split across multiple messages in an email thread. A credential could be reformatted, partially redacted, or embedded alongside explanatory text.

In these situations, pattern matching produces two painful outcomes: it misses real credentials because the format doesn’t match a known rule, or it floods analysts with false positives that waste time. Security teams are left manually reviewing content, guessing which findings are real, and piecing together what systems might actually be at risk. In practice, this failure mode has a real human cost: security analysts end up reviewing thousands of alerts, manually inspecting email threads and chat logs, and trying to determine whether a suspicious string actually unlocks a storage account, API, or production service. Teams can spend days reconstructing context across messages and documents just to understand what a credential grants access to, slowing containment and increasing risk during active incidents.

This is the gap Agentic Secret Finder was built to close.

The Solution: ASF Brings Reasoning to Credential Detection

Agentic Secret Finder approaches credential detection as a reasoning problem, not a string-matching exercise. Instead of asking “does this text match a pattern?” ASF asks human-like questions: Is this text describing a credential or access mechanism? Does the value look real and usable? What system or resource could this access?

This shift is subtle but powerful. ASF doesn’t just detect credentials, it connects them to doors: the specific targets those credentials unlock, such as API endpoints, storage accounts, applications, or services. This is critical for triage. Instead of stopping at “this looks like a credential,” ASF tells analysts what that credential actually opens. Without context, a credential triggers manual follow‑up. When it’s linked to a specific target, analysts can immediately assess impact and act.

By understanding messy, real-world content the way a human investigator would, ASF delivers findings that security teams can trust and act on immediately. It’s designed specifically for the unstructured, noisy environments where incidents actually unfold.

Why ASF Outperforms Traditional Pattern Matching

Traditional credential scanners are built for clean data. ASF is built for reality.

Traditional tools struggle when:

  • Credentials appear in natural language descriptions rather than code
  • Context determines whether a string is sensitive or benign
  • Credentials are incomplete, malformed, or partially redacted

ASF excels because it:

  • Reasons through context, understanding surrounding text to identify what’s truly sensitive
  • Detects credentials and their associated resources together, providing the “what” and the “where” in a single pass
  • Handles noisy, unstructured inputs like emails, chat logs, and documents
  • Assigns confidence scores to help teams prioritize findings and reduce alert fatigue
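The failure modes listed above for pattern matching can be measured on your own investigation artifacts. The following is an added example, not code from the original post and not the rules of ASF or CredScan: a small regex scanner scored for precision and recall against labelled messages. The rule set, the sample texts, and every credential value in it are assumptions constructed for illustration.

```python
import base64
import re

# Constructed, non-functional values used only as sample data.
FAKE_STORAGE_KEY = base64.b64encode(b"constructed-example-key-not-real" * 2).decode()
FAKE_AWS_KEY_ID = "AKIA" + "CONSTRUCTEDVALUE"
FAKE_PASSWORD = "Winter-Example-42"

# Format-anchored rules of the kind a pattern-matching scanner relies on
# (illustrative assumptions, not any product's actual rule set).
RULES = {
    "azure_storage_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "keyword_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|token)\s*[:=]\s*(\S+)"
    ),
}

# (label, text, real secrets present in the text) -- all constructed.
SAMPLES = [
    ("chat: clean connection string",
     "DefaultEndpointsProtocol=https;AccountName=examplestore;"
     f"AccountKey={FAKE_STORAGE_KEY};",
     {FAKE_STORAGE_KEY}),
    ("email thread: key split across two messages",
     f"First part of the storage key is {FAKE_STORAGE_KEY[:44]}\n"
     "> thanks, and the rest?\n"
     f"Second part: {FAKE_STORAGE_KEY[44:]}",
     {FAKE_STORAGE_KEY}),
    ("handoff note: password described in a sentence",
     f"The temporary password for the staging database is {FAKE_PASSWORD} "
     "(user svc_report).",
     {FAKE_PASSWORD}),
    ("call notes: key ID reformatted into groups",
     "Access key ID read out on the call: AKIA CONS TRUC TEDV ALUE",
     {FAKE_AWS_KEY_ID}),
    ("policy reminder: benign text",
     "Policy reminder: password: must be rotated every 90 days.",
     set()),
    ("status update: benign text",
     "The CI token: expired last week, no action needed.",
     set()),
]


def scan(text):
    """Return the set of values captured by any rule in RULES."""
    return {m.group(1) for rx in RULES.values() for m in rx.finditer(text)}


def evaluate(samples):
    """Score the scanner against labelled samples.

    A captured value counts as a true positive only if it equals a labelled
    secret; anything else captured is a false positive, and every labelled
    secret that was not captured is a false negative.
    """
    tp = fp = fn = 0
    missed = []
    for label, text, truth in samples:
        found = scan(text)
        tp += len(found & truth)
        fp += len(found - truth)
        fn += len(truth - found)
        if truth - found:
            missed.append(label)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": precision, "recall": recall, "missed": missed}


if __name__ == "__main__":
    result = evaluate(SAMPLES)
    print(f"TP={result['tp']} FP={result['fp']} FN={result['fn']}")
    print(f"precision={result['precision']:.2f} recall={result['recall']:.2f}")
    for label in result["missed"]:
        print("missed:", label)
```

The scores describe only these six constructed messages; swapping in your own rules and labelled artifacts gives a baseline to compare any other detector against.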

What ASF Can Do Today

ASF is now generally available in Microsoft Security Copilot, with capabilities shaped directly by real security workflows across incident response, red teaming, and SOC operations.

ASF detects over 20 major credential categories, spanning cloud provider credentials like Azure Storage Keys and AWS Access Keys, authentication credentials including Microsoft Entra passwords and OAuth tokens, database connection strings, SSH private keys, API keys, and generic credentials that don’t fit predefined patterns. This broad coverage means analysts can scan investigation artifacts without worrying whether the credential type is supported.

What makes ASF particularly effective is where it works. Email threads where credentials are discussed across multiple messages. Teams chats where credentials are pasted quickly during troubleshooting. Word documents and internal wikis where credentials are documented for operational handoffs. Incident reports and post-mortem notes written under pressure. These are the environments where traditional pattern-matching tools fail, and where ASF delivers the most value.

In benchmark evaluations, ASF achieved 100% recall with 0% false positives on synthetic datasets containing embedded Azure Storage credentials, compared to 40% recall from traditional regex‑based tools such as CredScan. In more complex scenarios involving multiple credential types and noisy email content, ASF maintained 98.33% recall with 0% false positives. These results were observed on synthetically generated evaluation datasets spanning emails, chats, notes, and documents, designed to reflect how engineers communicate and how credentials may be inadvertently shared in real‑world workflows.

Scenario                            | Precision | Recall
Single credential type              | 100%      | 100%
Complex, multiple credential types  | 100%      | 98.33%

ASF is currently integrated into Security Copilot, actively supporting incident response workflows, and working toward deeper integrations with developer platforms such as GitHub to bring contextual credential detection to source code analysis at scale.

Using ASF in Security Copilot

ASF is available as a skill in Microsoft Security Copilot, making credential detection a seamless part of analyst workflows.

How to use ASF:

  1. Enable the ASF skill in Security Copilot via “Manage Sources” → “Manage Plugins” (Figure 1)
  2. Select “FindSecretInText” from Promptbook (Figure 2)
  3. Submit unstructured content directly in the Copilot prompt: paste the text blob that might contain credentials (Figure 3)
  4. ASF analyzes the content using its multi-agent workflow, detecting credentials and associated doors (Figure 4)
  5. Review actionable findings with contextual details

Figure 1. Enabling the Agentic Secret Finder (ASF) skill in Microsoft Security Copilot

Figure 2. Selecting the FindSecretInText prompt, which invokes ASF’s multi‑step credential detection and verification workflow

Figure 3. Submitting a text blob containing embedded credentials for analysis (example is synthetic)

Figure 4. ASF output with detected credentials and associated doors (example credentials and associated doors are synthetic)

What’s Next for ASF

ASF is a living capability. Over the next six months, we are working towards broader coverage and deeper integrations:

  • Exploring integrations with GitHub to reduce false positives in credential scanning for code repositories
  • Optimizing for large-scale analysis to handle enterprise-wide scans efficiently with reduced latency
  • Exploring graph-based risk modeling to map relationships between credentials, services, and attack paths

Our long-term vision goes beyond detection: we want to help security teams understand how credentials are used, what risks exist if they’re exposed, and what the impact of rotation or revocation would be. By moving from “what’s leaked” to “what does it mean,” ASF will enable smarter prioritization, faster response, and more confident decision-making.

New enhancements to work queues that will transform how your teams manage and monitor automated workflows.

A Unified Control Center for Queue Monitoring and SLA Tracking

Work queues in Power Automate are structured lists that let you assign, track, and manage work items across users or automations in an organized, scalable way.

We’re excited to announce powerful new enhancements to work queues in the automation center that will transform how your teams manage and monitor automated workflows. With the introduction of work queue alerts and the new aggregated operator view, we’re giving businesses unprecedented visibility and control over their automation operations.


What’s New

Work Queue Alerts for Admin in Monitoring Hub

With monitoring in the Power Platform Admin Center (PPAC), you can track the health and the performance of your automation queues. View real-time metrics on items pending action, exceptions requiring resolution, and queue status to maintain visibility across your automation operations.

Now, you can also configure proactive alerts to notify you when SLA violation counts exceed thresholds defined by your organization’s administrator. Receive timely notifications when queues require attention, ensuring you can respond before service level agreements are compromised.

With SLA violation alerts, you can stay informed and responsive with notifications about your automation queues. No more manual monitoring; the system comes to you.

Aggregated View for Operators in Automation Center

Operators now have a unified, comprehensive dashboard in the automation center that aggregates work queue data across your entire automation estate.

This consolidated view enables operators to monitor multiple queues simultaneously, prioritize work effectively, and respond to issues faster than ever before.


Top 5 benefits of using Work Queues in Power Automate

  1. Increased efficiency & scalability – Work queues allow you to decouple complex processes, enabling different parts of an automation to run asynchronously and independently.
  2. Better resource utilization – Because work items are stored centrally, you can optimize robot usage, balance load, and reduce the number of machines required.
  3. Consistent prioritization of work – Work queues natively support priority-based execution, making sure the most important items are processed first.
  4. Centralized monitoring & exception handling – Work queues provide a human‑in‑the‑loop monitoring experience, helping fusion teams track the status of items, manage exceptions, and take corrective actions.
  5. Improved resiliency & fault tolerance – By decoupling work and allowing multiple robots to process items in parallel, work queues offer better fault isolation.

Transform Your Automation Operations Today

These enhancements represent our commitment to making automation not just powerful, but manageable at enterprise scale. Work queues with alerts and aggregated operator views give your teams the tools they need to run automation operations with confidence, efficiency, and complete control.

Ready to experience these capabilities? Navigate to the automation center in Power Automate and discover how work queues can elevate your automation program from task execution to strategic business operations.

The post New enhancements to work queues that will transform how your teams manage and monitor automated workflows. appeared first on Microsoft Power Platform Blog.

Breaking down the facts about secure development with Power Platform

Today, organizations are being measured by how quickly they can innovate. Whether it’s launching new digital experiences, streamlining operations, or responding to customer needs in real time, the ability to move fast has always been a competitive differentiator. And it has only grown in importance in the agentic era. But speed alone isn’t enough. Innovation must be scalable, secure, and sustainable.

Microsoft Power Platform is designed to meet that challenge. It empowers teams to build solutions faster, automate more processes, and scale across the business within a framework that puts security and governance first. With tools that are AI-ready and built for enterprise-grade environments, from Copilot-assisted development to intelligent threat detection and posture management, the platform helps organizations move with both agility and control.

Let’s break down the facts about building secure, modern applications.

Fact: Low code does not mean low security

Despite the ever-growing usage and strong ROI, there are still people who think that low-code tools are not built for enterprise-grade applications. Power Platform proves otherwise by delivering a comprehensive, layered security model designed to meet the demands of large organizations. As part of a managed security approach, the platform integrates governance and security controls directly into the development lifecycle, ensuring that policies are consistently applied across environments.

From identity and access management to data protection and network security, Power Platform provides native capabilities that reduce risk without slowing innovation. Features like role-based access control, conditional access for individual apps, and data loss prevention policies are all included. Azure Virtual Network (VNet) helps keep apps and data private by creating a secure connection that blocks public internet access and limits traffic to only trusted sources.

Visibility and access control are central to this approach. Power Platform includes tenant-level analytics and inventory tracking that allow IT teams to monitor what’s being built, which connectors are in use, and whether apps are operating within approved environments. Advanced connector policies complement these tools by helping enforce data boundaries and prevent unauthorized connections, rather than providing direct visibility or access control. With tools like IP filtering, cookie binding, and role-based permissions, IT can ensure that only the right users have access to sensitive data. This helps prevent shadow IT before it starts, giving teams a secure space to innovate while ensuring IT retains oversight.

The platform’s approach to security also extends to AI and agents. Security is enforced across all components of the platform, including apps and AI agents. As organizations adopt tools like M365 Copilot and Copilot Studio, Power Platform provides a secure foundation for building and deploying AI agents. These agents follow existing data loss prevention policies, access controls, and network protections, ensuring AI adoption does not create new exposure.

Power Platform also provides the flexibility to extend Copilot Studio agent protection beyond default safeguards with additional runtime protection. Organizations can choose to integrate additional monitoring systems such as Microsoft Defender, custom tools, or other security platforms for a defense-in-depth approach to agent runtime security.

Centrica, the UK’s largest retailer of zero-carbon electricity, is a good example of secure low-code innovation. With over 800 Power Platform solutions and 15,000 users, Centrica maintains enterprise-grade governance by embedding security, oversight, and controls into every stage of development.

Accenture also demonstrates how Power Platform helps reduce risk at scale. By giving more than 50,000 employees the ability to build within defined guardrails, the company reduced demand for short-term IT projects by 30%. Their approach to low-code governance helped them gain visibility into platform activity while supporting global collaboration. As one Accenture executive put it, “For us, we define shadow IT as things we cannot see or control when we need to. By standing up the platform and inviting our people to create and build—at its very core we have gained visibility into what people are doing and how they are connecting, which starts governance at the platform level.”

Fact: You do not have to outsource to be compliant

There is a perception that distributed development models increase compliance risk. Power Platform addresses this with centralized administration and clear visibility into who is building, what they are building, and how data is being used.

From the Power Platform admin center, IT teams can configure environments, enforce policies, and monitor usage across the entire organization. Tools like Dataverse audit logging, Microsoft Purview integration, and Lockbox support provide deep visibility into sensitive operations and data access.

Purview enhances compliance by enabling data classification, sensitivity labeling, and activity tracking across Power Platform environments. It also helps organizations enforce retention policies and ensure data governance requirements are met, supporting alignment with global regulations like GDPR and HIPAA.

AI capabilities introduce new governance needs, which Power Platform meets with built-in support for risk assessment and proactive recommendations. Copilot capabilities also assist admins in identifying misconfigurations and streamlining compliance reporting.

Power Platform also integrates with Microsoft Sentinel and solution checkers to detect anomalies, surface vulnerabilities, and alert administrators to unusual behavior. Security posture management tools help teams assess and adjust configurations over time, helping organizations scale AI responsibly while maintaining strong governance.

PG&E is a case in point. With more than 4,300 developers and 300 Power Platform solutions, the company has embedded governance and risk management into its development lifecycle. This approach has helped PG&E achieve more than $75 million in annual savings, while ensuring that compliance and oversight remain strong.

Fact: You are not alone in your administering. You have guidance and support.

Another misconception is that managing low-code platforms at scale requires external tools or consultants. Power Platform includes everything needed to govern, secure, and scale app development from within your organization.

IT admins can use Power Platform admin center and advisor to receive AI-driven, real-time recommendations tailored to their environment. These insights help assess environment health, refine governance policies, and proactively manage security posture. Advisor also provides a security score, giving teams a clear view of how well they are securing their environments and a concrete way to demonstrate progress and accountability to leadership.

The platform is designed to adapt to each organization’s structure and needs. Recommendations can be dismissed when covered by other controls, and environment groups allow governance to be tailored to specific business units or departments. This flexibility ensures that security doesn’t get in the way of progress but works alongside it.

Advanced features like test automation, environment isolation, and integrated observability help maintain consistent performance. VNet integration allows organizations to connect securely to on-premises systems without exposing resources to the public internet.

An example from one of the leading automotive manufacturers highlights these capabilities. The company used VNet support in Power Platform to securely connect AI agents to internal systems without relying on an on-premises data gateway. The result was faster deployment, better compliance with internal security policies, and more than 3,000 hours saved through improved data access.

Start building secure, scalable solutions

Foster innovation while still maintaining security and governance principles. Microsoft Power Platform gives IT leaders and developers the ability to move quickly while maintaining the control their organizations require. With built-in governance, privacy protections, and AI-powered insights, teams can confidently scale low-code development without introducing risk. You no longer have to choose between innovation and security. With Power Platform, you can deliver both.

Explore real-world success stories and best practices. Visit the Power Platform site and follow this blog for the next article in the series breaking down the facts of modern development.

The post Breaking down the facts about secure development with Power Platform appeared first on Microsoft Power Platform Blog.


Where Partners Build and Scale: Partner-Built Security Copilot Agents in Security Store



At Microsoft, we believe that security is a team sport. That’s why we are committed to meeting customers where they are, integrating with the solutions they already use to ensure that everyone can take advantage of the agentic capabilities of Security Copilot.

And it’s not just an idea—it’s a reality. We’re excited to share why partners such as BlueVoyant, OneTrust, and Tanium chose to build agents with Security Copilot—and the value this brings to their customers.

By watching the videos featuring BlueVoyant, OneTrust, and Tanium, you’ll see firsthand how collaboration drives innovation and empowers security teams to tackle today’s threats with agility and confidence. Together, these partner-built agents show how organizations and partners can transform Security Copilot into an integrated force multiplier—proving that security is a team sport.

Partner-built agents power smarter protection

BlueVoyant – Specializing in comprehensive cyber risk management, BlueVoyant provides a suite of services to protect organizations from cyberattacks. In this video, we learn about BlueVoyant Watchtower and how their agents help customers get the most out of their Sentinel and Defender products by using an agent to always review the environment and recommend updated rules, configurations, and policies that catch bad actors. “Security Copilot gives us the advantage of moving more quickly.” – Micah Heaton, Executive Director, Microsoft Product & Innovation Strategy at BlueVoyant

OneTrust – OneTrust, a privacy and consent management platform, specializes in helping customers responsibly use data and AI. By partnering with Microsoft—specifically Microsoft’s Sentinel platform—OneTrust is able to provide their customers with a full view of their data estate. The Privacy Breach Response Agent by OneTrust combines the deep privacy and regulatory expertise of OneTrust with the robust generative AI capabilities of Microsoft Security Copilot, automating privacy risk assessments and improving their accuracy.

Tanium – Specializing in endpoint management and security, Tanium gives IT teams visibility and control over every device in their environment. Tanium’s partnership with Microsoft provides Tanium with seamless integration into Microsoft’s Security products via Copilot, which, combined with Tanium’s real-time environment insights, powers end-to-end workflows across Defender, Entra, Tanium, and Intune. The Security Triage Agent by Tanium accelerates alert triage, providing security teams with the context they need to make informed decisions on Tanium Threat Response alerts swiftly.

The work of partners like BlueVoyant, OneTrust, and Tanium is shaping a new security ecosystem—one where the Microsoft Security Store is a launchpad for partner innovation to drive real-world customer impact. The Store turns partner-built agents into enterprise-ready solutions by providing Microsoft-validated certification, high‑quality metadata, consistent deployment flows, secure authentication and transactions, and in‑product visibility inside Defender, Entra, and Security Copilot. These deployed agents run securely in your Security Copilot zero-trust environment.

The power of the Security Store is that it doesn’t just distribute agents—it amplifies them. It gives partners a unified, trusted surface where their solutions are discoverable directly within Microsoft Security products; where customers can compare capabilities through standardized metadata; where installation is guided and repeatable; and where Microsoft’s AI foundation elevates the value of every partner-built capability. For customers, this means direct access to the best of partner-driven security innovation. Partner-built agents deliver value at every stage of the security journey: proactively monitoring sensor health, surfacing actionable insights, accelerating investigations, and automating incident response. These capabilities help organizations strengthen their security posture, respond faster to threats, and stay ahead of attackers.

For partners, success begins with identifying the unique value their agent brings to customers and designing real security outcomes—such as improved detection, automated investigations, and measurable risk reduction. As more partners publish agents, the ecosystem expands, unlocking advanced scenarios like phishing and identity alert triage, incident enrichment, policy optimization, and automated remediation. By combining Microsoft’s AI foundation with specialized partner expertise, Security Copilot agents deliver differentiated solutions that address a wide range of security challenges—from privacy and compliance workflows to vulnerability management and forensics—helping customers strengthen their security posture and respond faster to threats.

Explore resources and documentation

Explore all the partner-built agents in Security Copilot and partner SaaS offerings at the Microsoft Security Store, and see the Security Store documentation on Microsoft Learn. Or read more documentation on Security Copilot agents to learn:

  • What agents are and how they work in Security Copilot
  • How partners build and integrate agents
  • Links to related resources for development and deployment

Why “Like” and “Comment” Features Should Be Disabled in SharePoint Sites

In our wonderful age of digital collaboration, SharePoint continues its march to be what it is – a great platform for content publishing, knowledge sharing and governance (my go to!). But not every feature should be enabled in every site. Two of the most deceptively harmless features, and sometimes misunderstood in terms of impact, are the ‘Like’ and ‘Comment’ options on SharePoint modern pages.

While Like and Comment, classed as social features, may invite a Utopian ‘Oh yes! Let’s enable them throughout because doing that will increase engagement’ reaction, enabling them can undermine governance, compliance, and clarity. This is especially true in structured, regulated or formal SharePoint sites.

Why? Brainstorm time:

  1. Governance and Compliance Risks
  • Unmoderated Feedback: Comments are not subject to approval workflows using any automation engine. Anyone with access to the site from a contributor perspective can post; and guess what, those posts are immediately visible to others;
  • Audit Gaps: Comments and Likes are not version controlled. They are not visible in any audit trails, so that makes them invisible to compliance reviews. Forget using, say, Microsoft Purview to try to track Likes or Comments – these interactions are not captured in Purview logs;
  • Policy Confusion: When users comment on pages, those comments create the illusion of a ‘feedback loop’, yet there is no mechanism to act on them.
  2. Content Integrity and User Experience (UX) Clarity
  • Noise Over Signal: Comments can dilute the authority and authenticity of ‘official’ content. Users can post anything – questions, complaints, or off-topic remarks.
  • Visual Clutter: The social bar (Like, Comment, View Count, Save for Later, etc.) adds UI elements that may distract from the page’s purpose. So, it is not at all useful for pages whose key objectives are Dashboards, Standard Operating Procedures (SOPs), or compliance repositories.
  • Misleading Metrics: A “Like” on a ‘policy page’ does not mean the content of that page is understood. ‘Like’ is classed as simply a ‘vanity metric’ that can mislead stakeholders.
  3. Operational and Technical Limitations
  • No Central Moderation: SharePoint does not have an Out-Of-The-Box (OOTB) ‘centralised comment moderation’ dashboard. Site ‘owners’ must manually monitor each page on the SharePoint site.
  • Default Enablement: If comments are enabled by default on modern pages and there is no proactive governance, they proliferate unnoticed.
  • No Alerts: Page owners will never receive notifications when comments are posted. This leads to stale and/or unaddressed feedback.

 

Example: Healthcare Intranet Misstep

Time to give you an example as to how a mid-sized healthcare provider learned the hard way. They launched a SharePoint Online communication site to publish internal policies, including those related to patient data handling and emergency standards. Unknown to the governance team, Like and Comments were enabled by default on every page on the SharePoint tenant. So, every page being created going forward on their SharePoint site had Like and Comments enabled.

Within weeks:

  • Staff began posting unmoderated feedback on sensitive policy pages;
  • Some comments included anecdotal patient references, violating internal privacy standards;
  • Others expressed disagreement with procedures, creating confusion about which policies were enforceable;
  • No one was alerted—the comments sat visible for weeks before being discovered during a routine audit.

The fallout?

  • A formal compliance review;
  • Emergency PowerShell scripts to disable comments across the tenant;
  • A new provisioning routine to enforce social feature settings;
  • Mandatory training for site owners on page settings and governance.

Best Practices for Disabling Social Features

  • Disable Comments Per Page: Use the page settings UI or PowerShell (Set-PnPClientSidePage -Identity <page name> -CommentsEnabled:$false);
  • Hide the Social Bar: Use custom page templates or SPFx extensions to remove Likes, Views, and Save for Later. Check out the SharePoint Framework (SPFx) examples;
  • Automate at Scale: Include social feature settings in your site provisioning scripts or site designs;
  • Educate Site Owners: Make social feature governance part of your SharePoint training and onboarding;
  • Define the Environments: In a mixed SharePoint / Teams environment, split your governance based on the kind of collaboration needed. Things like Like and Comments are ‘post’ oriented and more related to the Teams Client than a SharePoint page.
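The "Automate at Scale" item above, as an added example that is not the author's own script: a report-first sweep that switches comments off at site level everywhere except on sites listed on purpose. It uses the SharePoint Online Management Shell rather than the PnP cmdlet named above; the parameter names `$AdminUrl`, `$AllowList` and `$Apply` and the report file name are assumptions made for this example.

```powershell
#Requires -Modules Microsoft.Online.SharePoint.PowerShell
# Added example: enforce "comments off by default" per site, with an explicit allow-list.
# Set-SPOTenant -CommentsOnSitePagesDisabled $true is the tenant-wide switch; this script
# works per site so that intentional exceptions remain possible.
param(
    [Parameter(Mandatory)]
    [string]   $AdminUrl,        # SharePoint admin center URL, e.g. https://<tenant>-admin.sharepoint.com
    [string[]] $AllowList = @(), # hypothetical: site URLs where comments are enabled on purpose
    [switch]   $Apply            # without -Apply the script only reports what it would change
)

Connect-SPOService -Url $AdminUrl

# Normalise URLs so that trailing slashes and case do not defeat the allow-list.
$allowed = @($AllowList | ForEach-Object { $_.TrimEnd('/').ToLowerInvariant() })

$report = foreach ($site in Get-SPOSite -Limit All) {
    $url = $site.Url.TrimEnd('/').ToLowerInvariant()
    $row = [pscustomobject]@{
        Url              = $site.Url
        Template         = $site.Template
        CommentsDisabled = $null
        Action           = 'none'
        Error            = $null
    }
    try {
        # Re-read the single site so the setting comes from the site itself
        # (assumption: the bulk listing may not populate it).
        $detail = Get-SPOSite -Identity $site.Url -ErrorAction Stop
        $row.CommentsDisabled = [bool]$detail.CommentsOnSitePagesDisabled

        if ($allowed -contains $url) {
            $row.Action = 'allow-listed'
        }
        elseif (-not $row.CommentsDisabled) {
            if ($Apply) {
                Set-SPOSite -Identity $site.Url -CommentsOnSitePagesDisabled $true -ErrorAction Stop
                $row.CommentsDisabled = $true
                $row.Action = 'disabled'
            }
            else {
                $row.Action = 'would-disable'
            }
        }
    }
    catch {
        # Locked or inaccessible sites must appear in the report rather than stop the run.
        $row.Action = 'failed'
        $row.Error  = $_.Exception.Message
    }
    $row
}

# Keep the result as evidence for the governance team.
$report | Sort-Object Action, Url | Format-Table Url, Template, CommentsDisabled, Action -AutoSize
$report | Export-Csv -Path (Join-Path $PWD 'comments-governance-report.csv') -NoTypeInformation
```

Run it once without `-Apply` and review the `would-disable` rows with site owners before enforcing; scheduling the same script afterwards catches newly provisioned sites that drift from the default.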

My final thoughts to project to you 😊

In SharePoint, not every feature is a fit for every site, and ‘yes, plonk in every feature’ is not the answer. ‘Likes’ and ‘Comments’ are a part of Community / Project environments such as Microsoft Teams (Posts in Channels) or, say, Yammer-integrated pages. For policy repository based sites, policy pages, compliance dashboards, and formal communications, they are a governance liability.

Disable them by default. Enable them only with intent.


What’s new in Microsoft Security Copilot



A major wave of updates has landed: integration with the new Sentinel data lake and graph, new ready-made and custom agents, and the debut of the Microsoft Security Store.

Let’s take a look at what’s new.

 

Microsoft Sentinel and Security Copilot integration delivers deeper context and smarter AI

Sentinel data lake is now generally available, and new capabilities like Sentinel graph and the Model Context Protocol (MCP) server are in public preview, bringing in a new level of integration with Security Copilot. Agents can now access richer, more connected data from across Sentinel, combining graph, structured, and semantic context to reason and act with greater precision. This enhanced foundation transforms AI-driven detection and response, helping teams resolve incidents faster and uncover deeper insights across their environments.

Read more in the Sentinel announcement blog: Introducing Microsoft Sentinel graph

 

Build your own Security Copilot agents, no coding required

Now anyone on your team can create custom Security Copilot agents. Use a no-code portal or developer tools to design, test, and deploy agents that automate the workflows you need most. Your team controls how they work and what they do.

Learn more: Build your own Security Copilot agent

 

New Microsoft and partner ready-made agents for real challenges

These new agents help teams address common security and IT challenges faster and smarter:

  • Access Review Agent in Microsoft Entra: Streamline access reviews, flag unusual patterns, and reduce fatigue for security and compliance teams. It helps maintain governance and compliance by automatically analyzing ongoing access reviews and highlighting potential risks.

    • Learn more: The Microsoft Entra agent for smarter access governance: Access Review Agent

  • Phishing Triage Agent in Microsoft Defender saves nearly 200 hours a month: In this new customer spotlight, St. Luke’s is seeing the impact of integrating Security Copilot agents into their daily workflows. ACISO Krista Arndt says, “The Phishing Triage Agent is a game changer. It’s saving us nearly 200 hours monthly by autonomously handling and closing thousands of false positive alerts.” With routine triage automated, security teams can shift from reactive response to proactive threat hunting, freeing up time for higher-value work and faster threat mitigation.

30 new partner-built agents have also launched on the Microsoft Security Store, with solutions like:

  • Forensic Agent by glueckkanja AG: Delivers deep-dive analysis of Defender XDR incidents to accelerate investigations and uncover root causes faster.
  • Privileged Admin Watchdog Agent by glueckkanja AG: Helps enforce zero standing privilege principles by removing persistent admin identities, reducing risk, and strengthening administrative security.
  • Ransomware Kill Chain Investigator Agent by adaQuest: Automates ransomware triage to quickly detect and respond to threats, enabling security teams to focus on high-priority incidents.
  • Entity Guard Investigator Agent by adaQuest: Investigates Defender incidents and provides actionable insights to accelerate incident resolution and strengthen security posture.
  • Admin Guard Insight Agent by adaQuest: Analyzes administrative activity, detects anomalies, evaluates risk exposure and compliance, and delivers actionable guidance to improve administrative security.
  • Identity Workload ID Agent by Invoke: Empowers identity administrators and security teams to manage and secure Workload Identities in Microsoft Entra, reducing risk, strengthening compliance, and controlling identity sprawl.

    • Find these agents and more in the Microsoft Security Store

 

Microsoft Security Store – one, centralized place to find agents and SaaS solutions

The Microsoft Security Store makes it simple to discover, deploy, and buy Security Copilot agents and partner solutions. Start using any of the 30 new agents or 50 SaaS solutions to power your SOC, IT, privacy, and compliance workflows.

Read more in the announcement blog: Introducing Microsoft Security Store

 

Stay tuned and explore more!

Security Copilot is transforming how security and IT teams operate – bringing AI-powered insights, automation, and decision support into everyday workflows. With new capabilities landing every month, the pace of innovation is accelerating.

We’ll be back in November with more updates. Until then, explore these resources to get hands-on, deepen your understanding, and see what’s possible:

Don’t miss Microsoft Ignite – we’ll be announcing exciting new capabilities for Security Copilot and sharing what’s next in AI-powered security.