In this blog, I will walk through how you can build functions based on a Microsoft Sentinel Log Analytics workspace for use in custom KQL-based plugins for Security Copilot. The same approach can be used for Azure Data Explorer and Defender XDR, so long as you follow the specific guidance for either platform. A link to those steps is provided in the Additional Resources section at the end of this blog.
But first, it’s helpful to clarify what parameterized functions are and why they are important in the context of Security Copilot KQL-based plugins. Parameterized functions accept input details (variables) such as lookback periods or entities, allowing you to dynamically alter parts of a query without rewriting the entire logic
Parameterized functions are important in the context of Security Copilot plugins because of:
Dynamic prompt completion: Security Copilot plugins often accept user input (e.g., usernames, time ranges, IPs). Parameterized functions allow these inputs to be consistently injected into KQL queries without rebuilding query logic.
Plugin reusability: By using parameters, a single function can serve multiple investigation scenarios (e.g., checking sign-ins, data access, or alerts for any user or timeframe) instead of hardcoding different versions.
Maintainability and modularity: Parameterized functions centralize query logic, making it easier to update or enhance without modifying every instance across the plugin spec. To modify the logic, just edit the function in Log Analytics, test it then save it- without needing to change the plugin at all or re-upload it into Security Copilot. It also significantly reduces the need to ensure that the query part of the YAML is perfectly indented and tabbed as is required by the Open API specification, you only need to worry about formatting a single line vs several-potentially hundreds.
Validation: Separating query logic from input parameters improves query reliability by avoiding the possibility of malformed queries. No matter what the input is, it’s treated as a value, not as part of the query logic.
Plugin Spec mapping: OpenAPI-based Security Copilot plugins can map user-provided inputs directly to function parameters, making the interaction between user intent and query execution seamless.
Practical example
In this case, we have a 139-line KQL query that we will reduce to exactly one line that goes into the KQL plugin. In other cases, this number could be even higher. Without using functions, this entire query would have to form part of the plugin
Note: The rest of this blog assumes you are familiar with KQL custom plugins-how they work and how to upload them into Security Copilot.
With parameterized functions, follow these steps to simplify the plugin that will be built based on the query above
Define the variable/parameters upfront in the query (BEFORE creating the parameters in the UI). This will put the query in a “temporary” unusable state because the parameters will cause syntax problems in this state. However, since the plan is to run the query as a function this is ok
Fig. 1: Image showing partial query with the parameters to defined highlighted in red i.e. lookback and User_Dept
Create the parameters in the Log Analytics UI
Fig 2. Screenshot showing how the function menu in the Log Analytics UI
Give the function a name and define the parameters exactly as they show up in the query in step 1 above. In this example, we are defining two parameters: lookback – to store the lookback period to be passed to the time filter and User_Dept to the user’s department.
Fig. 3. Function menu showing the two parameters defined in the function creation menu of Log Analytics
3. Test the query. Note the order of parameter definition in the UI. i.e. first the User_Dept THEN the lookback period. You can interchange them if you like but this will determine how you submit the query using the function. If the User_Dept parameter was defined first then it needs to come first when executing the function. See the below screenshot. Switching them will result in the wrong parameter being passed to the query and consequently 0 results will be returned.
Fig. 4: Sample run of the function with the parameters specified in the correct order
Effect of switched parameters:
Fig. 5: Sample function run with the functions switched to show effect of this situation
To edit the function, follow the steps below:
Navigate to the Logs menu for your Log Analytics workspace then select the function icon
Fig. 6: Partial view of the function being edited within the Log Analytics UI
Fig. 7: Image showing how to select the code button in the function menu to edit the function code
Once satisfied with the query and function, build your spec file for the Security Copilot plugin. Note the parameter definition and usage in the sections highlighted in red below
Fig. 8: Partial view of the YAML plugin showing the encapsulation of the 139 lines of KWL into a single one
And that’s it, from 139 unwieldy KQL lines to one very manageable one! You are welcome 😊
Let’s now put it through its paces once uploaded into Security Copilot. We start by executing the plugin using its default settings via the direct skill invocation method. We see indeed that the prompt returns results based on the default values passed as parameters to the function:
Fig. 9: View of Secuity Copilot landing page showing an example of direct skill execution of the created pluginFig. 10: Sample output showing records of users from the Sales department
Next, we still use direct skill invocation, but this time specify our own parameters:
Fig. 11: Direct skill invocation example but with specified parameters-Department, and lookback periodFig 12: Prompt run showing the output corresponding to the selections of the previous direct skill invocation prompt
Lastly, we test it out with a natural language prompt:
Fig 13: Security Copilot prompt bar showing example of natural language prompt seeking events related to users in the Human Resources departmentFig 14: Output from previous natural language prompt focused on users from the HR department
Tip: The function does not execute successfully if the default summarize function is used without creating a variable i.e. If the summarize count() command is used in your query, it results in a system-defined output variable named count_. To bypass this issue, ensure to use a user-defined variable such as Event_Count as shown in line 77 below:
Fig. 15: Highlighting the creation of a variable to store results from the summarize count() command
Conclusion
In conclusion, leveraging parameterized functions within KQL-based custom plugins in Microsoft Security Copilot can significantly streamline your data querying and analysis capabilities. By encapsulating reusable logic, improving query efficiency, and ensuring maintainability, these functions provide an efficient approach for tapping into data stored across Microsoft Sentinel, Defender XDR and Azure Data Explorer clusters. Start integrating parameterized functions into your KQL-based Security Copilot plugins today and let us have your feedback.
We’re excited to announce that Power Pages AI usage analytics and governance controls are now available in public preview through the Copilot Hub in the Power Platform admin center
With AI capabilities becoming core to digital experiences, organizations need visibility and control over how these features are used. The Copilot Hub in the Power Platform admin center answers this need by offering a centralized dashboard for AI usage analytics and governance across Power Platform products. Power Pages now integrates with the Copilot Hub to help admins:
Track adoption of AI-powered features
Gain actionable insights
Control exposure based on org needs and compliance
Deep Dive into Usage Insights
Admins can switch between Maker Copilot and End User Copilot views to understand how AI features are used by site builders and site visitors.
Maker Copilot Analytics include:
Monthly active makers using Studio Copilot or Pro Dev Copilot
Sites with Copilot enabled
Most-used AI features
Usage trends over time
End User Copilot Analytics provide insights on:
Chat agent (Site Copilot) usage
Search summaries and query volume
Summarization API usage
AI-powered form fill assistance
Generative summaries for list views
AI Governance – In Your Control
The Copilot Hub empowers admins to control AI feature availability at both environment and site levels, with settings to:
Enable/disable features for makers or end users
Allow granular control per feature (e.g., chatbot, summaries etc)
AI features can be enabled across all sites, specific sites, or excluded sites
Visibility into configurations across environments
Warnings and fallbacks when features are blocked due to org policies
Transition to the Copilot Hub
Important: Governance settings for Power Pages AI features are now managed exclusively in the Copilot Hub. Existing settings are retained, but we recommend reviewing and aligning them in the new experience to ensure consistency.
Maker & End User Experience
Makers see clear messages in Design Studio when AI features are disabled by admins. End users experience fallback behaviors (e.g., standard search results instead of AI summary) without disruption or confusion
The Next Generation of Power Platform Adoption Guidance is here
Successfully adopting Microsoft Power Platform is about more than just deploying tools. It’s about building a strategy that empowers people, ensures governance, and delivers lasting business value. And to support you on your successful adoption journey, we’re excited to announce the launch of the newly refreshed Power Platform Adoption Guidance.
This update is the most significant evolution of our adoption content to date. It reflects insights from real-world customer experiences, partner feedback, MVP expertise, and Power CAT programs, all to deliver practical, actionable guidance at every stage of your journey. Whether you’re just getting started or looking to mature your platform strategy, this guidance is designed to help you activate business-led innovation with confidence.
What’s new?
Eight Pillars of Adoption: The guidance is now structured across eight strategic pillars, making it easier to plan, scale, and sustain your adoption journey.
Redesigned Experience: We’ve overhauled the information architecture and user experience so you can find what you need faster and more intuitively.
Expanded Content: The update includes over 200 pages of fresh content, covering everything from defining vision and metrics to managing mission-critical workloads and building thriving maker communities.
Actionable Tools: The updated Adoption Workbook now includes exercises and templates that you can work through with your stakeholders to guide the development of a strategy and action plan, based on real-world customer experiences.
Why it matters
To be sure, this guidance is more than a documentation refresh. It’s a strategic resource for Power Platform product owners, adoption leads, change managers, and Center of Excellence (CoE) teams. The guidance helps you:
The newly refreshed Adoption Guidance site includes other resources as well. Real-world case studies, toolkits documentation, and white papers aim to help you be successful with Power Platform.
Get started
Explore the new guidance at https://aka.ms/PowerPlatformGuidance. Share it with your teams. Use it to shape your strategy. And most importantly, let it guide you as you build what’s next with Power Platform.
Get ready for an incredible experience at Microsoft Build 2025. We’re pumped to showcase the latest advancements in Microsoft Power Pages, a platform that empowers enterprises to rapidly build secure, scalable business portals powered by agentic AI.
This week at Microsoft Build 2025, explore how Power Pages enables global scalability and availability with its robust security, administration, and governance. The native integration with Microsoft Copilot and Microsoft Copilot Studio transforms Power Pages portal design by combining conversational AI, intelligent suggestions, and contextual guidance. With generative user experience (UX) and role-based personalization, portals dynamically adapt to user behavior and context—delivering the right information at the right time to streamline workflows and elevate user engagement.
Now is the moment to see how enterprises can plan, build, and run business portals with dynamically tailored experiences.
Introducing cutting-edge security in Power Pages
Security isn’t just a feature—it’s a foundation. That’s why we’re thrilled to unveil the new security agent in Power Pages, now available in public preview. This is a game-changer for business users and admins who need to stay ahead of evolving threats without compromising agility.
Powered by Microsoft Sentinel, the security agent continuously monitors for anomalous traffic patterns and proactively detects potential Distributed Denial of Service (DDoS) attacks. But it doesn’t stop at detection—it empowers action. Business users and admins receive real-time alerts and actionable recommendations with Microsoft Outlook and Microsoft Teams, helping them respond swiftly and confidently.
This is more than just protection—it’s intelligent, integrated defense that brings enterprise-grade security directly into your Power Pages experience.
Image represents current UI for a public preview feature. UI is subject to change.
Improving developer productivity and enabling next-generation user experiences
Next, we have exciting new updates for all Power Pages creators. We’re introducing the ability to integrate Copilot Studio agents in Power Pages—enabling creators to embed multiple agents into their site. This capability greatly enhances the conversational chat experience and enables end users to perform, create, and update operations on their business data. Developers also get the ability to use these agents as an API, enabling them to build complex business logic with ease and power next-generation user experiences.
Now in public preview, users can bring their own code to Power Pages using third-party, next-generation code generation tools. This unlocks a new era of “vibe coding”—where natural language becomes the interface, and the user becomes the orchestrator. Instead of writing every line, developers guide, test, and refine AI-generated code, making the process more intuitive, creative, and aligned with enterprise-grade standards.
Power Pages is also expanding its multilingual support, allowing customers to create portals in any number of custom languages. This functionality allows all out-of-the-box components like forms, lists, multistep forms, and card galleries to use content snippets for specifying content translation, allowing customers to build websites in a language of their choice. This feature will be generally available and is set to uplevel the creation process for multilingual portals.
Additionally, the inline portal preview in Visual Studio Code is now in public preview. This feature lets you preview your Power Pages portals without ever leaving your development environment. With built-in user interface (UI) actions to run command-line interface (CLI) commands and switch environments, it streamlines development and testing.
Power Pages now supports Dataverse Git integration in public preview. This integration ensures that your Power Pages content is stored in a easy to read format. The file structure and naming conventions align closely with the experience provided by the Power Pages Visual Studio Code web and desktop. This integration significantly simplifies the process of reviewing, understanding, and managing your Power Pages content, enabling easier collaboration and version control.
Our event management template is also now in public preview. This template, along with custom components, is designed to streamline your development process and enhance portal capabilities, making event management more efficient and effective.
We’re also introducing the new intelligent list search and customization feature in Power Pages. This feature uses natural language to query large datasets and get filtered information. It also allows for customization of the AI insights to make data interaction more intuitive and efficient. This feature is currently in public preview.
Finally, multistep forms with Copilot in Power Pages is now generally available. This AI-assisted experience lets you design and build forms with natural language prompts, making it easier to create more dynamic and interactive forms.
Elevating admin capabilities with advanced governance and compliance tools
Now, let’s dive into some powerful tools designed to transform the administrative experience.
The Copilot hub is a game-changer for admins. It provides visibility into AI usage at the feature level, empowering data-driven decisions and policy enforcement. Admins can control individual AI features, such as turning specific Copilot capabilities on or off at the environment or portal level. Currently in public preview, the Copilot hub is poised to significantly enhance administrative capabilities, fostering trust and compliance.
Image represents current UI for a public preview feature. UI is subject to change.
Next, the action center in the Power Pages homepage is another exciting addition to our suite of tools. This centralized hub is designed specifically for users and system admins, surfacing recommendations and actions that are applied within the Power Pages platform environment where applications, data, and resources are managed. Whether it’s enabling Web Application Firewall (WAF), renewing secure sockets layer (SSL) certificates, converting trials to production, or shutting down portals, this feature provides the insights you need to take action. It’s in public preview and ready to streamline your administrative tasks.
Image represents current UI for a public preview feature. UI is subject to change.
We’re also excited to introduce the self-service identity (SFI)—web authentication key renewal experience in the Power Pages Admin Center (PPAC), transitioning from certificate-based authentication to federated credentials. A one-time activity will be required to update the authentication key in PPAC. This update will be generally available and is designed to simplify and streamline your authentication processes.
Additionally, we can now surface insights and recommendations related to security scans in the PPAC security hub. This feature, currently inpublic preview, is designed to help keep your business portal secure and compliant.
Power Pages is helping organizations around the world build and enhance their online presence with remarkable efficiency
Check out how our customers have been using Power Pages across industries to create transformative business portal experiences:
Fortune Brand Innovations:Discover how Fortune Brands Innovations streamlined their customer experience across multiple brands using Power Pages and Microsoft Dynamics 365 Customer Service, creating a unified digital portal that integrates payment and enterprise resource planning system.
Belgotex:Learn how Belgotex Carpets transformed their operations and enhanced customer engagement by implementing Power Pages, Dynamics 365 Finance, Microsoft Power BI, and Microsoft Fabric, unifying their sales and manufacturing processes.
US Small Business Administration:Explore how the US Small Business Administration saved millions annually and improved disaster using recovery services by Power Pages, Dynamics 365 Customer Service, Power Automate, and Power BI to automate processes and enhance service delivery.
Okuma: Okuma has enhanced their customer and field service operations with Power Pages, unlocking new levels of efficiency and expertise utilization.
All Pro Electrical: All Pro Electrical harnesses Power Pages to streamline operations, driving efficiency and safety, with Power Automate adding seamless end-to-end automation.
Veterans’ Wellbeing Network:Discover how the Veterans’ Wellbeing Network significantly improved support for Australian service members by implementing Power Pages, Power Apps, and Power Automate to create a custom client management system that reduces case processing time by up to 40% and enhances collaboration among advocates.
How to get started with Power Pages
Power Pages offers a comprehensive set of tools designed with security at the forefront for both developers and users. Join us as we reshape the portal-building experience, empowering organizations to create secure, AI-powered business portals that scale.
As we gear up for Microsoft Build 2025, excitement is building around the latest advancements in agent governance, security, and management. This year, we’re bringing you groundbreaking insights and tools to enhance your experience with Microsoft Copilot and ensure robust governance and security for your AI agents. Join us at the booth and discover how our new offerings align with our comprehensive governance strategy for Copilot.
Come Find Us at the Copilot Control System Booth
At Microsoft Build 2025, our booth will be the hub of innovation and learning. Come and find us to explore our latest tools and strategies for agent governance, security, and management. Our experts will be on hand to discuss how these new features integrate in your agent adoption strategy.
Learn from Industry Leaders
Don’t miss the opportunity to attend sessions led by industry leaders like Zohar Raz, Shawn Nandi, Ryan Jones, Jocelyn Panchal, Casey Burke, Asaf Tzuk, Rashmi Mansur, and Marcel Ferreira. These sessions will provide invaluable insights into building, managing, and governing secure agents. You’ll learn best practices for managing agent lifecycle, implementing security measures, and ensuring compliance with organizational policies. Whether you’re a seasoned developer or new to AI, these sessions will equip you with the knowledge to excel in agent governance.
Discover how to secure Microsoft Copilot Studio agents using Power Platform security and governance capabilities, Microsoft Purview, and Microsoft Admin Center. This session explores best practices for managing data access, compliance, and risk mitigation while ensuring responsible AI use. Learn how to enforce policies, monitor agent activity, and safeguard enterprise data. Gain insights into securing Copilot agents at scale while maintaining agility and innovation.
Join us as we delve into agent management controls. We’ll focus on enterprise-grade security, maintaining healthy and seamless operations, and governing at scale. Attendees will gain insights into best practices, tools, and strategies to ensure their organization is AI-ready. Discover how to leverage a robust management suite to enhance your development processes and secure your enterprise environment.
Learn how your development team can build AI enabled applications faster with Power Platform and DevOps. We’ll show you how the new developer capabilities combined with DevOps best practices can empower your team to build, test, and deploy enterprise-grade apps faster.
With the fully managed suite of capabilities for Power Platform, admins and makers alike are equipped with the necessary tools to ensure that Copilot Studio agents are protected and healthy. Tune in to learn more about the latest enhancements and upcoming plans for a fully managed platform designed for the Era of AI.
Key Topics Covered
Agent Governance Strategy: Learn about the comprehensive governance frameworks and strategies for managing AI agents across Microsoft 365, Power Platform, and Copilot Studio. Discover how existing governance models are being integrated to provide a unified experience for administrators.
Security Measures: Explore robust security measures in place to protect sensitive data and ensure compliance. From encryption and isolation to persistent label inheritance and connector management policies, you’ll see how Microsoft Copilot safeguards your information.
Management Tools: Get hands-on with the latest management tools available in the Microsoft 365 Admin Center and Power Platform Admin Center. These tools streamline the administration of permissions, policies, and compliance settings, making it easier to manage agents at scale.
Upcoming Features: Stay informed about the upcoming features and enhancements for agent governance and security. Learn about the new capabilities for monitoring, reporting, and data security, and how these will impact your agent governance strategies.
Get Ready to Learn and Build
Microsoft Build 2025 is the event of the year for developers, IT professionals, and AI enthusiasts. With a focus on agent governance, security, and management, this year’s conference will provide you with the tools and knowledge to take your AI projects to the next level. Don’t miss out on the opportunity to learn from thought leaders, explore new technologies, and connect with peers. We look forward to seeing you.
We’re thrilled to announce the public preview of Process Map in Power Automate, a significant advancement for process-centric observability at scale. This feature is seamlessly integrated into the Automation Center, your hub for end-to-end automation monitoring and management in Power Automate.
What is the Process Map?
The Process Map is designed to enhance process-centric troubleshooting and monitoring in Power Automate by providing increased visibility and efficiency. It offers a detailed, end-to-end view of a process that’s managed by a parent orchestrating flow, showing all of the associated child and desktop flows. The map also recognizes structural flow elements, such as conditions, and displays flows that didn’t execute due to specific conditional logic or upstream errors. This is critical for understanding how a problem in one part of the process can affect other parts and assists in taking appropriate countermeasures to address issues.
Key benefits:
Accelerated troubleshooting: Quickly identify and resolve issues with an end-to-end, process-centric view that includes contextual information on runs, connections, and design-time aspects.
Comprehensive visibility: Gain full transparency into your automation processes, including flows that were skipped or missed due to conditional logic or upstream issues.
Enhanced impact analysis: Understand and analyze how issues affect the entire process, facilitating faster recovery and implement effective countermeasures.
Stronger collaboration: End-to-end process visibility enables faster, context-rich communication with impacted teams, accelerating recovery and driving continuous improvement.
Key features
Runsview: Displays the main flow run that orchestrates the process and its child runs, enabling users to track execution, identify issues, and optimize processes.
Overviewview: Provides a design-time process hierarchy view with connected subprocesses, offering quick insights and serving as the future home for aggregated process data and configurations.
Runs tab integration: We’ve enhanced the flow runs page with new run row hover options. New icons let you create or view process maps for the selected process run and its child runs.
How to get started
This feature is being rolled-out now and you can test it today in the US preview region. Further details are available in the Process Map documentation.
