
Security Copilot in Entra ID: Best Practices for Administrators

Jun 10, 2025 (last update) | Entra ID, News |


What if your security department could think ahead 24/7?

Microsoft Security Copilot brings exactly that to Entra ID—with AI-powered analysis and risk evaluation. Intelligent security solutions are transforming the role of identity and security administrators. Unlike other Copilot experiences in Microsoft 365 or Azure, Security Copilot is designed to accelerate security decisions and back them with contextual intelligence.

Instead of generating text or simplifying administrative workflows, Security Copilot focuses on incident response, risk analysis, threat intelligence, and real-time protection—powered by generative AI based on GPT-4 and Microsoft’s own security model. This article gives you a comprehensive overview of how to use Microsoft Security Copilot in Entra ID to strengthen your security operations and make fast, informed decisions.

Index

  • Efficient Risk Detection and Damage Control with Security Copilot
  • Understanding Capacity Model and SCU Logic
  • Securing Entra ID in Azure with Copilot Features
  • Prompts in the Entra Admin Center
  • Two-Step Security Copilot Onboarding
  • Best practices for working with Copilot in Microsoft Entra ID
    • ✅ Top 5 best practices for Copilot in Entra ID
  • Insight into sign-in behavior and audit logs
  • Group Analysis and Access Rights Management
  • Analysis of Application Risks and Service Principals
  • More about the my-IAM platform

Efficient Risk Detection and Damage Control with Security Copilot

In Microsoft Entra ID, Security Copilot shows its strength particularly in:

  • Analyzing sign-in events,

  • Identifying compromised accounts, and

  • Evaluating risks associated with user identities and applications.

Admins can use natural language queries to request information—for example, about risky users, major policy changes, or permission modifications. Copilot then provides actionable recommendations, highlights unusual activity, and offers contextual guidance for damage control.

The Entra integration also enables access to audit logs, sign-in logs, and role-based access data, which are automatically scanned for suspicious patterns. This turns Copilot in Entra ID into a tactical tool that not only speeds up identity-related security operations, but also improves them strategically.

[Image: Copilot for Security]

Understanding Capacity Model and SCU Logic

Using Security Copilot requires strategic resource planning.

Microsoft charges usage based on Security Compute Units (SCUs). These are billed hourly and can be scheduled or consumed flexibly through so-called overage units.

Billing is done in blocks: any started hour counts as a full unit—whether you use it for 5 or 55 minutes. Overage usage, however, is billed by the minute. For example, if you activate an SCU at 9:05 AM, end it at 9:35 AM, and start a new one at 9:45 AM, you’ll be billed for two full SCUs for the 9:00–10:00 AM window.

Accessing Security Copilot requires at least one provisioned SCU.

👉 For a smooth start, Microsoft recommends a configuration with three SCUs and unlimited overage capacity.

This setup ensures stable response times even during traffic spikes. Important: SCUs for Security Copilot are not compatible with those used for Microsoft Purview—each must be licensed separately.
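To make the billing rules above concrete, here is an added example (not code from the article or from Microsoft) that models them: a provisioned SCU is charged per started clock hour, overage per started minute. The session times are constructed test data that reproduce the 9:05/9:35/9:45 scenario; the article gives no end time for the second session, so 10:10 is assumed.

```python
# Added example, not from the article or from Microsoft: a small model of the
# SCU billing rules described above. A provisioned SCU is billed per started
# clock hour (any part of an hour counts as a full unit); overage is billed
# per minute. Session times below are constructed test data.
from datetime import datetime, timedelta
from math import ceil


def billed_scu_hours(sessions):
    """Return {hour_start: units} for provisioned-SCU sessions.

    sessions: list of (start, end) datetimes during which one SCU was
    provisioned. Every clock hour a session touches is charged as one full
    unit, so two short sessions in the same hour cost two units.
    """
    billed = {}
    for start, end in sessions:
        if end <= start:
            raise ValueError("session end must be after its start")
        hour = start.replace(minute=0, second=0, microsecond=0)
        while hour < end:
            billed[hour] = billed.get(hour, 0) + 1
            hour += timedelta(hours=1)
    return billed


def overage_minutes(sessions):
    """Overage is metered per minute; a started minute counts in full."""
    return sum(ceil((end - start).total_seconds() / 60) for start, end in sessions)


def example_sessions():
    """The article's scenario: an SCU active 9:05-9:35, a second one started
    at 9:45 (assumed here to run until 10:10; the article gives no end time)."""
    day = datetime(2025, 6, 10)
    return [
        (day.replace(hour=9, minute=5), day.replace(hour=9, minute=35)),
        (day.replace(hour=9, minute=45), day.replace(hour=10, minute=10)),
    ]


if __name__ == "__main__":
    for hour, units in sorted(billed_scu_hours(example_sessions()).items()):
        print(f"{hour:%H:%M}-{hour + timedelta(hours=1):%H:%M}: {units} SCU(s)")
    print("minutes if the same usage were overage:", overage_minutes(example_sessions()))
```

Running it shows the 9:00-10:00 window charged twice (one unit per session, regardless of the gap between them) and the 10:00-11:00 window once, which is why stopping and restarting capacity within an hour does not save anything.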

Securing Entra ID in Azure with Copilot Features

In Microsoft Azure, Entra ID can also be secured using AI features provided by the general Azure Copilot. This version differs significantly from the specialized Security Copilot—it primarily supports the configuration and management of Azure resources through explanations, automated suggestions, and code generation.

[Image: Azure Copilot]

In the Entra ID context, Azure Copilot can help with setting up Conditional Access Policies, role concepts, or building hybrid identity models.

While Security Copilot focuses on threat analysis, incident response, and risk-based decision-making, Azure Copilot assists with structural tasks and helps optimize security policies during the design phase.

👉 The two tools complement each other: one works strategically in security operations, the other supports secure configuration and implementation.

Even without full Security Copilot access, Azure Copilot can still provide contextual, real-time analysis of security-related data. Particularly in identity and access management, it can uncover potential vulnerabilities, evaluate policies, and analyze user activity efficiently. It draws on the same Entra identity data as Security Copilot, but remains within the Entra portal interface and targets administrators focused on identity governance.

The key advantage is its low barrier to entry: it can be launched directly from the ribbon and does not require separate SCU provisioning.

Prompts in the Entra Admin Center

Security Copilot uses simple natural language prompts that are instantly processed and visualized.

  • Prompt: “Which users did not use multi-factor authentication in the past 24 hours?” → Identifies potentially vulnerable accounts.

  • Prompt: “What changes were made to the ‘User Administrator’ role?” → Lists all role assignments and removals with timestamps and the initiating account.

  • Prompt: “Show me all groups with more than 50 members and external access.” → Filters potentially over-privileged groups.

Copilot responds with structured answers, clear tables, and direct links to relevant admin areas. This helps even less experienced admins make informed security decisions.

Two-Step Security Copilot Onboarding

Unlike Azure Copilot, Security Copilot must be set up first. Onboarding happens in two steps.

First, you provision capacity via the Security Copilot portal or the Azure portal. Then, you assign this capacity to the default Entra ID environment. Roles with minimal necessary rights (e.g., Intune Admin or Entra Compliance Admin) should be used whenever possible. Global admin privileges should be reserved for emergencies.

[Image: Security Copilot Onboarding]

During capacity setup, you can choose a geographic location. If the selected region is overloaded, prompts may be processed in a globally available fallback region. Once everything is configured, the dashboard allows you to monitor usage minute-by-minute—including SCUs in use and overage capacity. Data access always stays within the tenant’s geographic region.

Best practices for working with Copilot in Microsoft Entra ID

With the integration of Security Copilot into Microsoft Entra, new opportunities arise in identity and access management. Copilot supports admins and security teams by intelligently linking data from Entra, Microsoft Sentinel, Defender, and other sources—and generating actionable recommendations from it.

Security Copilot analyzes login events, group memberships, and access policies in real time—embedded in the context of current or past security incidents. The AI detects suspicious patterns, summarizes threat situations, and suggests concrete actions, such as quarantining compromised accounts or initiating an escalation.

✅ Top 5 best practices for Copilot in Entra ID

  1. Use precise prompts
     The more targeted the query, the better the results. Avoid general questions and use context-specific prompts instead.
  2. Trust, but validate
     Copilot provides well-founded insights; however, they should always be validated manually or with complementary tools like Sentinel.
  3. Integrate into daily workflows
     The more Copilot is embedded into daily routines, the more effectively it supports tasks, especially in early risk detection.
  4. Enforce role-based access control
     Only authorized users should be able to query security-critical information, achieved through finely tuned Entra role assignments.
  5. Combine Copilot with other security solutions
     Copilot delivers the most value when used alongside tools like Microsoft Sentinel, Defender for Identity, and Defender for Endpoint.

By entering “Summarize the risk details of the user Max.Mustermann@contoso.com”, Security Copilot generates a compact overview of detected anomalies and risk detections, such as unusual login attempts, the use of insecure authentication methods or violations of access policies.

The second prompt, “Which devices has Max.Mustermann@contoso.com registered?”, provides a list of the end devices connected to this account. It also includes details such as the operating system, device status, and compliance status. As a result, it creates a comprehensive overview of the user’s environment. Taken together, this information forms a solid basis for decision-making, allowing administrators to initiate actions such as enforcing MFA, cleaning up devices, or temporarily blocking the account if necessary.

Copilot not only identifies patterns such as logins from unusual IP addresses, but also detects the use of new devices and repeated failed authentication attempts, which may indicate suspicious activity. This information serves as the basis for automated recommendations for action.

Insight into sign-in behavior and audit logs

Security Copilot also demonstrates its strengths when analyzing user activities. Administrators can specifically search for activities of certain users, for example, related to role assignments, policy changes, or group modifications. For this purpose, Copilot accesses the audit logs of Entra ID and presents the results structured in natural language.

With targeted prompts, deep insights into user activities can be gained that are indispensable for forensic analyses or validating security-critical processes. The command “Show me all activities of Max.Mustermann@contoso.com in the audit logs of the last 72 hours” retrieves all logged changes and actions of this user within the specified period. These include, among others, role assignments, policy changes, app accesses, or administrative interventions, which can be traced precisely over time.

Additionally, the prompt “List the last 20 sign-in attempts of Max.Mustermann@contoso.com with status and device” provides a chronological overview of successful and failed logins, including metadata such as IP address, browser used, and device. This combination of audit and sign-in information enables precise investigation of suspicious activities and supports quick risk assessment on the user level.

[Image: Investigation of suspicious activities with Copilot for Security]

If needed, the results can be formatted as tables and exported. Copilot provides information about the devices used, browsers employed, success or failure of the sign-in, and checks whether the devices are compliant and managed.
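The "trust, but validate" practice above means checking a Copilot answer against the raw sign-in data. The following added example (not code from the article or from Microsoft) does that for three of the prompts discussed: users without MFA in the past 24 hours, the last sign-in attempts of a user with status and device, and the unusual-IP / repeated-failure patterns. The records are constructed; their field names follow the Microsoft Graph signIn resource, the values, IP addresses and the analysis time are invented.

```python
# Added example, not from the article or from Microsoft: plain checks over
# exported sign-in records that reproduce what the prompts above ask Security
# Copilot for, so a Copilot answer can be validated against the raw logs
# ("trust, but validate"). The records are constructed; their field names
# follow the Microsoft Graph signIn resource, the values are invented.
from datetime import datetime, timedelta, timezone


def _rec(ts, upn, ip, error_code, auth_req, os_name, browser, compliant, managed):
    return {
        "createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
        "status": {"errorCode": error_code},           # 0 = success
        "authenticationRequirement": auth_req,         # single/multiFactorAuthentication
        "deviceDetail": {"operatingSystem": os_name, "browser": browser,
                         "isCompliant": compliant, "isManaged": managed},
    }


MAX = "Max.Mustermann@contoso.com"
SIGNINS = [  # constructed sample data (RFC 5737 documentation IP ranges)
    _rec("2025-06-09T08:00:00Z", MAX, "203.0.113.10", 0, "multiFactorAuthentication", "Windows", "Edge", True, True),
    _rec("2025-06-10T06:00:00Z", "Anna.Schmidt@contoso.com", "203.0.113.11", 0, "multiFactorAuthentication", "Windows", "Edge", True, True),
    _rec("2025-06-10T07:10:00Z", MAX, "198.51.100.7", 50126, "singleFactorAuthentication", "Linux", "Firefox", False, False),
    _rec("2025-06-10T07:11:00Z", MAX, "198.51.100.7", 50126, "singleFactorAuthentication", "Linux", "Firefox", False, False),
    _rec("2025-06-10T07:12:00Z", MAX, "198.51.100.7", 50126, "singleFactorAuthentication", "Linux", "Firefox", False, False),
    _rec("2025-06-10T07:13:00Z", MAX, "198.51.100.7", 0, "singleFactorAuthentication", "Linux", "Firefox", False, False),
]
NOW = datetime(2025, 6, 10, 9, 0, tzinfo=timezone.utc)  # assumed analysis time


def _ts(s):
    return datetime.fromisoformat(s["createdDateTime"].replace("Z", "+00:00"))


def _of_user(signins, upn):
    return sorted((s for s in signins if s["userPrincipalName"].lower() == upn.lower()), key=_ts)


def users_without_mfa(signins, now=NOW, hours=24):
    """Prompt 'Which users did not use MFA in the past 24 hours?': users with a
    successful single-factor sign-in inside the window (failed attempts are
    ignored, their requirement field is not meaningful)."""
    cutoff = now - timedelta(hours=hours)
    return sorted({s["userPrincipalName"].lower() for s in signins
                   if _ts(s) >= cutoff and s["status"]["errorCode"] == 0
                   and s["authenticationRequirement"] == "singleFactorAuthentication"})


def recent_signins(signins, upn, n=20):
    """Prompt 'List the last N sign-in attempts ... with status and device':
    newest first, including the compliance/management state of the device."""
    rows = _of_user(signins, upn)[::-1][:n]
    return [{"time": s["createdDateTime"], "ok": s["status"]["errorCode"] == 0,
             "ip": s["ipAddress"],
             "device": f'{s["deviceDetail"]["operatingSystem"]}/{s["deviceDetail"]["browser"]}',
             "compliant": s["deviceDetail"]["isCompliant"],
             "managed": s["deviceDetail"]["isManaged"]} for s in rows]


def suspicious_indicators(signins, upn, known_ips, fail_threshold=3):
    """The patterns the article names: sign-ins from IPs outside the user's
    baseline, and runs of failed authentications (a run that ends in a success
    from the same source is the classic password-guessing signature)."""
    flags = []
    rows = _of_user(signins, upn)
    new_ips = {s["ipAddress"] for s in rows} - set(known_ips)
    if new_ips:
        flags.append("new ip: " + ", ".join(sorted(new_ips)))
    run = 0
    for s in rows:
        if s["status"]["errorCode"] != 0:
            run += 1
            continue
        if run >= fail_threshold:
            flags.append(f"{run} failed attempts followed by success from {s['ipAddress']}")
        run = 0
    if run >= fail_threshold:
        flags.append(f"{run} failed attempts, no success yet")
    return flags


def run_checks(now=NOW):
    """Run all three checks on the constructed data; the return value is what
    you compare with Copilot's answer."""
    return (users_without_mfa(SIGNINS, now),
            recent_signins(SIGNINS, MAX),
            suspicious_indicators(SIGNINS, MAX, known_ips=["203.0.113.10"]))


if __name__ == "__main__":
    for part in run_checks():
        print(part)
```

On the constructed data the checks flag Max.Mustermann: a successful single-factor sign-in inside the window, three failures followed by a success from an IP not in the baseline, and a device that is neither compliant nor managed, the same facts the prompts above would surface, now reproducible from the exported logs.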

Group Analysis and Access Rights Management

In addition to analyzing individual user data, Copilot also allows administrators to examine the group structure. This is especially useful when reviewing permission inheritance or investigating potentially compromised groups.

Group-based analyses can also be efficiently performed with Security Copilot. The prompt “How many members does the group ‘Finance-External’ have?” delivers an exact number of active user accounts within the specified group, allowing for a quick assessment of its size and potential attack surface.

More detailed is the command “Show me the email address, job title, and phone number of all members of the ‘IT Project Management’ group.” This query provides a complete overview of all assigned users, including their organizational roles and contact information. With this data, you can specifically evaluate which groups have which accesses and permissions, e.g., during audits or security checks. These functions are available both in the standalone Copilot portal and directly embedded in the Entra interface. The embedded version allows working without context switching and performing security analyses directly from the user interface.

Analysis of Application Risks and Service Principals

Another focus lies on the management and assessment of applications and service principals. Administrators have access to features that identify risky applications, detect excessive permissions, and uncover unused registrations.

Particularly critical are applications with high privileges that are registered outside the tenant itself, a common attack vector for lateral movement.

[Image: Managing plugins with Copilot for Security]

The assessment of these risks is based on signals stored in Microsoft Entra ID Protection. Administrators can use Copilot to automatically receive recommended actions, such as restricting rights or disabling unnecessary applications.

The prompt “Show me all risky applications in my tenant” delivers a curated list of applications. Copilot evaluates them based on identity protection signals, including risky permissions, suspicious usage patterns, or expired certificates.

The query “Which applications were registered outside my tenant and are active?” reveals external apps that have active service principals in your tenant, a possible risk factor for uncontrolled third-party access.

The prompt “What delegated permissions does the app ‘HR-SelfService’ have?” breaks down the app’s delegated permissions. It shows which rights the app receives on behalf of the signed-in user and whether it accesses sensitive data excessively.

The input “Show me all service principals with admin roles” provides a comprehensive overview of technical identities that hold privileged access rights. These identities often pose an increased risk of attack due to their elevated permissions. Additionally, the analysis triggered by the prompt “Which applications have not been used for 90 days?” helps identify outdated or orphaned applications. Such applications are frequently overlooked but can represent significant security vulnerabilities. Regularly reviewing these can reduce the attack surface and improve overall tenant security.
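The three application prompts above (external apps with active service principals, service principals holding admin roles, apps unused for 90 days) reduce to simple rules over an exported service-principal list. The following added example (not code from the article or from Microsoft) implements them and ranks the findings for review. The records are constructed; appOwnerOrganizationId, accountEnabled, appId and displayName are Microsoft Graph servicePrincipal property names, while the last-sign-in timestamps, the role-membership map, the tenant IDs and the analysis time are assumed inputs.

```python
# Added example, not from the article or from Microsoft: triage rules over an
# exported list of service principals that correspond to the prompts above
# (external apps with active service principals, service principals holding
# admin roles, apps unused for 90 days). The records are constructed;
# appOwnerOrganizationId, accountEnabled, appId and displayName are Graph
# servicePrincipal property names, while the last-sign-in timestamps and the
# role-membership map are assumed to come from a separate export.
from datetime import datetime, timedelta, timezone

TENANT_ID = "11111111-1111-1111-1111-111111111111"     # placeholder for your tenant
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"  # placeholder, some other org
NOW = datetime(2025, 6, 10, tzinfo=timezone.utc)       # assumed analysis time

SERVICE_PRINCIPALS = [  # constructed sample data
    {"id": "sp-1", "appId": "app-1", "displayName": "HR-SelfService",
     "appOwnerOrganizationId": TENANT_ID, "accountEnabled": True, "lastSignIn": "2025-06-08T10:00:00Z"},
    {"id": "sp-2", "appId": "app-2", "displayName": "ExternalBackupTool",
     "appOwnerOrganizationId": OTHER_TENANT, "accountEnabled": True, "lastSignIn": "2025-06-09T22:00:00Z"},
    {"id": "sp-3", "appId": "app-3", "displayName": "LegacyReportingApp",
     "appOwnerOrganizationId": TENANT_ID, "accountEnabled": True, "lastSignIn": "2025-01-15T09:00:00Z"},
    {"id": "sp-4", "appId": "app-4", "displayName": "DataSync-Retired",
     "appOwnerOrganizationId": TENANT_ID, "accountEnabled": False, "lastSignIn": None},
]
# Assumed export of directory-role members (object ids), e.g. taken from the
# roles and administrators view in the Entra admin center.
ROLE_MEMBERS = {
    "Global Administrator": {"sp-2", "user-0042"},
    "User Administrator": {"sp-3"},
}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00")) if s else None


def external_active(sps, tenant_id=TENANT_ID):
    """'Which applications were registered outside my tenant and are active?'"""
    return sorted(sp["displayName"] for sp in sps
                  if sp["appOwnerOrganizationId"] != tenant_id and sp["accountEnabled"])


def with_admin_roles(sps, role_members=ROLE_MEMBERS):
    """'Show me all service principals with admin roles' -> [(name, role), ...]"""
    return sorted((sp["displayName"], role) for sp in sps
                  for role, members in role_members.items() if sp["id"] in members)


def unused_for(sps, now=NOW, days=90):
    """'Which applications have not been used for 90 days?' Entries that have
    never signed in count as unused as well."""
    cutoff = now - timedelta(days=days)
    return sorted(sp["displayName"] for sp in sps
                  if _ts(sp["lastSignIn"]) is None or _ts(sp["lastSignIn"]) < cutoff)


def triage(sps=SERVICE_PRINCIPALS, now=NOW):
    """Combine the three findings into a ranked review list: an admin role
    weighs most, an external owner next, dormancy least."""
    ext = set(external_active(sps))
    adm = {name for name, _ in with_admin_roles(sps)}
    old = set(unused_for(sps, now))
    scored = []
    for sp in sps:
        name = sp["displayName"]
        checks = ((name in adm, "admin role"), (name in ext, "external owner"), (name in old, "unused >= 90 days"))
        reasons = [label for hit, label in checks if hit]
        score = 3 * (name in adm) + 2 * (name in ext) + (name in old)
        if score:
            scored.append((score, name, reasons))
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    for score, name, reasons in triage():
        print(f"{score}  {name}: {', '.join(reasons)}")
```

The externally owned service principal that also holds Global Administrator lands at the top of the list, which is exactly the "high privileges, registered outside the tenant" case the article singles out; the dormant disabled app is still listed so that it gets cleaned up rather than forgotten.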

👉 We are happy to show you how Security Copilot and my-IAM together provide more overview, security, and automation.

More about the my-IAM platform

The my-IAM platform unifies all identities from various source systems and makes them available for applications and apps of all kinds. Besides the Teams-integrated app my-IAM PeopleConnect, it includes the business services my-IAM RealIdentity and my-IAM RealGroup.

You can also reach our team by phone at +49 8196 998 4330.

Article created on: 10.06.2025
Tags: Azure Copilot, AI, Security Copilot
Contact Info

  • FirstAttribute AG
  • Am Büchele 18, 86928 Hofstetten, Germany
  • +49 8196 998 4330
  • https://my-iam.com
© 2025 · FirstAttribute AG.
