Howdy folks!
I hope you’re as excited as I am about what feels like day-by-day advancements in AI and how it’s changing the game for how we work – and just as importantly, how we secure our organizations. AI is accelerating decision-making, automating protections, and strengthening defenses. But AI itself needs protection. As your org adopts AI, you’re being challenged to ensure identities, data, and access remain secure against emerging threats.
And the challenges are only growing. As you’ll see in the graphic below, eighty-four percent of identity and network security leaders say employee use of GenAI apps will increase in 2025. And more than half are already reporting a rise in security incidents due to this surge in adoption.
You can go deeper into this data—and how identity security leaders are responding—in our latest survey of 300 identity and network access decision makers. Irina just shared a blog breaking down key insights from the report – you can check that out here.
Now let’s dive into the new AI-driven capabilities in Microsoft Entra and Microsoft Security Copilot that can help ease any concerns you may have about securing access in the era of AI. I’ve broken it down into two key areas:
- Security for AI: Securing AI applications, identities, and access points to protect against evolving threats.
- AI for Security: Using AI to enhance identity security while simplifying operations, including AI-driven app risk investigation, lifecycle workflow management, and conditional access policy optimization.
Security for AI: Protecting AI applications and workloads
Granular access controls for generative AI apps
As you all embrace AI-driven innovation, securing access to generative AI applications is more critical than ever. With Microsoft Entra Internet Access, which is a part of Microsoft's Secure Access Service Edge (SASE) solution, you can enforce identity-centric real-time access controls for all AI apps and resources—protecting employees from internet threats, compliance risks, and shadow AI.
Granular, identity-based access controls let you tailor policies for different AI apps based on user roles, context, risk level, and other conditions. Enhanced filtering capabilities, including a dedicated AI web category and URL filtering (now in preview), provide even greater control over AI-related traffic. For example, you could create a policy that allows only developers to access GitHub Copilot, and only after they have completed training and signed an AI Terms of Use agreement drafted by your organization.
Learn about how to use Microsoft Entra Conditional Access to set adaptive policies for internet or private access.
AI for security: Strengthening identity protection with AI
You spend countless hours reviewing policies, managing access requests, and addressing security gaps – because securing identity is your first line of defense. It’s demanding work, and you have to stay vigilant – one oversight can result in a major incident!
We’ve introduced a few new capabilities in Security Copilot that not only simplify identity lifecycle management and secure your apps against evolving threats, but also improve your workflows and efficiency. We’ve got you covered! I’m also pumped to introduce our first Security Copilot agent in Microsoft Entra to help optimize your Conditional Access policies. Finally, for those leveraging AI-driven experiences, we’re also making it easier to secure customer authentication for external users interacting with AI agents.
Microsoft Security Copilot in Entra just got even better
Microsoft is dedicated to making sure you get the most value from Microsoft Security Copilot, right inside the Microsoft Entra admin center:
- Conditional Access Optimization Agent: Tracking consistent policy coverage is challenging as users, apps, and access needs evolve over time. This agent monitors for new users or apps that aren’t covered by your existing CA policies, detects potential security gaps, and suggests updates which can be deployed in preview mode with one click.
- Assisted Lifecycle Workflow Management using Security Copilot: For your joiners, movers, and leavers, Security Copilot can help you streamline identity lifecycle tasks, reducing manual work while ensuring security and compliance.
- Assisted Application Risk Management using Security Copilot: Investigate and remediate risky apps faster. Get real-time insights into app behaviors, flag misconfigurations, and tighten controls—before threats escalate.
Let’s dig into each of these a little more.
Conditional Access Optimization Agent: Smarter policy management
Microsoft Security Copilot is now your proactive problem solver. The Conditional Access Optimization Agent in Microsoft Entra (in Private Preview) continuously assesses your environment, monitoring for changes like new users and applications. It even identifies gaps in existing policies and provides one-click remediation suggestions, ensuring access controls stay aligned with your evolving security needs.
Skip the manual work – so no more self-built Excel sheets or PowerShell scripts. The agent suggests optimizations, letting you make policy updates faster, reducing misconfigurations, and strengthening your security posture. Have specific edge cases or business rules? You can even add custom instructions to guide the agent, tailoring it to better fit your needs.
Above, you can see the agent’s first-run experience, streaming the agent’s workflow before generating suggested Conditional Access policy updates.
This view shows an example scenario of the agent’s impact after a month has passed. In this case, the agent has automatically created a new group that includes the 16 users it recommends be added to an existing CA policy. The performance highlights the impact the agent has had over that 30-day timeframe - over 900 unprotected users discovered and over 700K sign-ins protected.
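As an added example (not Microsoft's agent code, and not from this post), the following offline model shows the kind of coverage check the Conditional Access Optimization Agent automates: which users no enforced policy applies to, including the report-only and exclusion-group cases that silently leave people unprotected. The sample policies follow the Microsoft Graph conditionalAccessPolicy field names and include one shaped like the GitHub Copilot Terms of Use scenario described earlier; every user, group, app and agreement id is a constructed placeholder.

```python
# Added example (not Microsoft's agent code): an offline model of the coverage
# check the Conditional Access Optimization Agent automates. Dicts follow the
# Microsoft Graph conditionalAccessPolicy shape; all ids below are constructed.
# Constructed directory: user id -> set of group ids the user belongs to.
USERS = {
    "u-alice": {"g-developers"},
    "u-bob": {"g-finance"},
    "u-dave": {"g-developers", "g-break-glass"},
    "u-erin": set(),
}

def policy(name, state, include_users=(), include_groups=(), exclude_users=(),
           exclude_groups=(), apps=("All",), grant=None):
    # Build a trimmed conditionalAccessPolicy dict using Graph field names.
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": list(include_users),
                                     "includeGroups": list(include_groups),
                                     "excludeUsers": list(exclude_users),
                                     "excludeGroups": list(exclude_groups)},
                           "applications": {"includeApplications": list(apps)}},
            "grantControls": grant or {"builtInControls": ["mfa"]}}

POLICIES = [
    # Baseline MFA for everyone, minus the break-glass group and one excluded account.
    policy("Require MFA for all users", "enabled", include_users=["All"],
           exclude_users=["u-erin"], exclude_groups=["g-break-glass"]),
    # The page's scenario: developers reach GitHub Copilot only after accepting an
    # AI Terms of Use agreement (termsOfUse grant control); scoped to one app.
    policy("GitHub Copilot for developers", "enabled", include_groups=["g-developers"],
           apps=["<github-copilot-app-id>"],
           grant={"termsOfUse": ["<ai-terms-of-use-agreement-id>"]}),
    # Report-only policies enforce nothing, so they must not count as coverage.
    policy("Block legacy auth (report-only)", "enabledForReportingButNotEnforced",
           include_users=["All"]),
]

def policy_applies(pol, user_id, groups):
    """True if the policy's user scope includes the user and does not exclude them."""
    u = pol["conditions"]["users"]
    if user_id in u["excludeUsers"] or groups & set(u["excludeGroups"]):
        return False
    return ("All" in u["includeUsers"] or user_id in u["includeUsers"]
            or bool(groups & set(u["includeGroups"])))

def uncovered_users(users, policies):
    """Users no enabled, all-apps policy applies to: the agent's 'unprotected users'."""
    enforced = [p for p in policies if p["state"] == "enabled"
                and "All" in p["conditions"]["applications"]["includeApplications"]]
    return sorted(uid for uid, groups in users.items()
                  if not any(policy_applies(p, uid, groups) for p in enforced))
```

Here the break-glass member and the individually excluded account are the two users the check would flag for a new group to be added to the baseline policy, the same remediation shape the agent's 30-day view describes.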
If you want to learn more about Conditional Access, you can access these resources:
Lifecycle workflow management: Automating identity governance
Microsoft Entra ID Governance capabilities for Security Copilot in Entra are now in public preview, helping you navigate lifecycle workflows with AI-powered guidance. Whether managing joiners, movers, or leavers, Security Copilot simplifies the process by providing insights and step-by-step support.
Right in the Microsoft Entra admin center, you can launch Security Copilot by clicking the ‘Copilot’ button in the menu bar. While there, you can engage with Security Copilot through natural language using starter prompts or suggested prompts to:
- Get step-by-step guidance for setting up a lifecycle workflow
- Explore available workflow configurations
- Analyze the active workflow list
- Troubleshoot the processing results of workflows
This view shows an identity admin prompting Security Copilot to list the lifecycle workflows enabled in their tenant.
Learn more about managing employee lifecycle using Microsoft Security Copilot in Entra.
Application risk management: AI-driven app security
Last November at Ignite, we introduced the App Risk scenario in public preview for Microsoft Security Copilot. This scenario enables you to easily identify and understand the risks related to your apps in Microsoft Entra using natural language prompts. Use prompts like 'show me risky app details for my tenant' to get instant insights into high-privilege permissions, unused apps, and external applications. Security Copilot processes your prompt and responds with relevant details—like a list of risky apps and their permissions—while linking directly to the Microsoft Entra admin center so you can further investigate and take action.
Since then, we’ve added even more capabilities based on the feedback you’ve shared with us:
- Identify app or service principal owners – critical for remediating unused apps
- Detect whether an app has a verified publisher – critical for assessing external app risk
- Dive straight into admin center reports with links in the Security Copilot chat, like the Identity Protection risk detections report
We embedded AI-driven risk assessments directly into your workflows, so you can quickly spot and secure your risky apps – proactively or in response to an app threat – before they cause harm.
Learn more about investigating and remediating application risk using Microsoft Security Copilot in Entra.
We’re seeing more organizations deploy AI agents to engage with customers and external users. But securing these interactions while keeping the experience smooth is critical.
With Microsoft Entra External ID, you can now enable secure customer authentication for Copilot Studio agents. This means:
- Secure identity-aware interactions – Your customers and external users can log in safely, protecting access to AI-driven experiences.
- Personalized experiences – Users can securely access relevant services and account details, improving engagement with personalized AI experiences.
- Enterprise-grade identity security – Identity protections that reduce fraud risks while ensuring seamless, authenticated interactions with AI-driven systems.
With this integration, you get identity-secured AI experiences, so every interaction stays trusted, personalized, and protected.
Bringing it all together
AI is transforming how we work, how we stay secure, and how we protect AI itself. With Microsoft Entra and Microsoft Security Copilot, we’re bringing you AI-driven security that is both reactive and proactive – helping you stay ahead of threats, simplify identity operations, and optimize access at scale.
Whether your goal is securing your AI apps or making identity security more intelligent and efficient, these innovations make your job easier while strengthening your defenses. And we’re just getting started – we’re extremely optimistic for the future.
We can’t wait to see how you put these capabilities to work in your environment. Stay tuned for more updates, and as always, we’d love to hear your feedback!
Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9.
Get started today and explore how Microsoft is redefining secure access for the AI era:
- Discover how Microsoft Entra can help you secure access for your employees, plus unify Conditional Access across identity and networks with the Microsoft Entra Suite.
- Learn more about Security for AI from Microsoft Security
- Read the report: Secure employee access in the age of AI
- See all of today’s announcements from Microsoft Secure from Microsoft Security
Updated Apr 02, 2025
Version 3.0
Alex_Simons
Microsoft