Identity and access management Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/topic/identity-and-access-management/
Expert coverage of cybersecurity topics
Fri, 22 May 2026 16:10:12 +0000

Microsoft recognized as a Leader in The Forrester Wave™ for Workforce Identity Security Platforms
http://approjects.co.za/?big=en-us/security/blog/2026/05/22/microsoft-recognized-as-a-leader-in-the-forrester-wave-for-workforce-identity-security-platforms/
Fri, 22 May 2026 17:00:00 +0000

Microsoft has been recognized as a Leader in The Forrester Wave™: Workforce Identity Security Platforms, Q2 2026, receiving the highest scores in both the current offering and strategy categories.

The post Microsoft recognized as a Leader in The Forrester Wave™ for Workforce Identity Security Platforms appeared first on Microsoft Security Blog.

Identity is the backbone of modern cybersecurity. Every access decision carries risk, across employees, partners, devices, workloads, and an expanding set of AI-powered agents.

But most organizations are still operating across disparate systems. Identity signals are captured in one place, access policies enforced in another, and response workflows managed separately. That fragmentation slows decision-making, increases operational complexity, and creates gaps cyberattackers can exploit.

Customers are looking for an identity platform that meets their evolving needs. We’re pleased to share that Microsoft has been recognized as a Leader in The Forrester Wave™: Workforce Identity Security Platforms, Q2 2026, receiving the highest scores in both the current offering and strategy categories. We believe this recognition demonstrates the value that the Microsoft Entra product portfolio brings to our customers, which we are always striving to improve. This report also reflects a broader shift in the market. Identity is no longer just a checkpoint in the access flow. It has become the primary way organizations manage risk across environments.

Graphic showing Microsoft as a Leader in the Forrester Wave for Workforce Identity Security Platforms.
Figure 1. The Forrester Wave™: Workforce Identity Security Platforms, Q2 2026.

Forrester’s research highlights the need for strong identity foundations, actionable intelligence, and support for emerging AI-powered scenarios. As identity surfaces expand and cyberthreats grow more dynamic, organizations need a model that connects signals, enforces policy consistently, and drives response in real time. Without that continuity, security remains reactive and incomplete.

This is especially important as identity continues to be one of the most targeted attack surfaces, with credential-based attacks still dominating. Securing access requires more than stronger authentication. It requires bringing identity, access, and response into a unified system.

Why this recognition matters now

As AI expands the number of identities and accelerates the pace of change, organizations need approaches that simplify how identity is managed while strengthening how risk is controlled. That means moving beyond disconnected tools toward systems that are integrated by design.

The priorities highlighted by Forrester in their report reflect this reality. They also align with Microsoft’s focus on delivering a comprehensive strategy based on Zero Trust principles, using AI in the flow of work, and extending identity and access controls to AI agents. Forrester noted Microsoft strengths in identity threat detection and response (ITDR), access control, phishing-resistant authentication, and identity verification. These capabilities are essential for organizations to stay ahead of evolving cyberthreats and improve their identity security posture continuously. Microsoft is focused on helping customers reap the benefits of a unified system that extends governance, visibility, and control across all identities.

AI is accelerating identity complexity

AI is reshaping the identity landscape. It is increasing both the number of identities and the speed at which they operate.

In addition to human users, organizations now need to manage AI agents and other non-human identities. These identities require authentication, authorization, lifecycle management, and governance. They operate at machine speed and interact with systems in ways traditional identity models were not designed to handle. At this scale, static policies and disconnected systems fall short. Organizations need continuous enforcement driven by real-time signals.

Treating AI-powered identities as core participants in an identity strategy enables organizations to extend governance, visibility, and control as their environments evolve. This is not an incremental change. It is a structural shift in how identity must be managed.

Evolving your identity and access approach

For both human and non-human identities, identity and access should be an integrated system rather than a collection of tools. An Access Fabric brings together identity signals, access policies, and security workflows into a continuous loop. Signals inform decisions. Decisions trigger enforcement. Enforcement drives response.

This model enables organizations to move beyond static, point-in-time checks to continuous, context-aware access decisions across environments.

With Microsoft Entra, organizations can apply consistent access policies to any identity across Microsoft cloud, on-premises, and third-party applications, helping reduce fragmentation while improving visibility and control.

By bringing signals, policy enforcement, and response together, Microsoft Entra helps organizations move from reactive identity management to continuous risk evaluation and control.

Learn more

Learn more about Microsoft Entra solutions. Bookmark the Microsoft Entra blog to keep up with our expert coverage on workforce identity matters.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. This report is part of a broader collection of Forrester resources, including interactive models, frameworks, tools, data, and access to analyst guidance. For more information, read about Forrester’s objectivity here.

What’s new in Microsoft Security: May 2026
http://approjects.co.za/?big=en-us/security/blog/2026/05/21/whats-new-in-microsoft-security-may-2026/
Thu, 21 May 2026 16:00:00 +0000

Microsoft Security’s latest updates extend visibility, control, and protection across expanding ecosystems as organizations accelerate AI adoption.

The post What’s new in Microsoft Security: May 2026 appeared first on Microsoft Security Blog.

At Microsoft, security innovations are purpose-built to help every organization protect end-to-end with the speed and scale of AI. Our vision is simple: security should be ambient and autonomous, just like the AI it protects. As organizations accelerate AI adoption, security teams are navigating new blind spots created by the broad distribution of agents, data, and identities across different tools and platforms. Microsoft Security’s latest updates extend visibility, control, and protection across your expanding ecosystem, from third-party apps like Claude to your cloud environments and multi-cloud infrastructure. Together, these updates help your team secure what matters most—agents, data, and identities—without slowing your own innovation. Here’s what’s new:

Microsoft Purview visibility now extends to Anthropic’s Claude

Security and compliance teams can now detect and investigate Claude usage alongside other cloud applications in their broader AI ecosystem. The new Claude Compliance API for Microsoft Purview delivers centralized visibility and oversight for Claude Enterprise activity, enabling Microsoft Purview to provide insights on Claude interactions and audit log signals. This integration will provide visibility across Claude Enterprise, extending the Microsoft Purview experience and helping your teams protect sensitive data across your AI estate.

New data security posture management experience in Microsoft Purview

The new Microsoft Purview Data Security Posture Management (DSPM) experience is now generally available. This solution unifies and streamlines DSPM across scenarios, from discovery to protection, all the way to remediation, allowing teams to investigate risks and take actions on the same workflow. The new experience delivers goal-oriented flows, deeper remediation, expanded reporting, and third-party visibility. Your teams can efficiently discover sensitive data, assess risk, and take action at scale.

Microsoft Purview Data Security Investigations extends investigative depth with custom examinations

Microsoft Purview Data Security Investigations now includes optical character recognition (OCR) and custom examination capabilities to extend investigative depth. OCR extracts text from images, bringing previously inaccessible visual content into scope for AI-powered deep content analysis. In addition to existing examination types that identify credentials, risk, and personally identifiable data, and help inform mitigation, investigators can define their own analysis with custom examination, enabling more tailored and flexible investigations based on their unique needs. 

Microsoft Entra ID Account recovery securely restores account access

Microsoft Entra ID Account recovery is an advanced authentication recovery mechanism that enables users to regain access to their organizational accounts when they’ve lost access to all registered authentication methods. Unlike traditional password reset capabilities, Account recovery focuses on identity verification and trust re-establishment prior to replacement of authentication methods rather than simple credential recovery.

Windows 365 for Agents delivers a secure AI agent execution environment

Windows 365 for Agents, now expanding in public preview, and Microsoft Agent 365 work together to provide a consistent, secure environment to run and govern agents. Agent 365 determines the work an agent is authorized to do, using shared organizational policies and identity to govern agent behavior and access. Windows 365 for Agents defines where an agent executes the work, providing Cloud PCs that enable agents to operate their own desktops and applications within a fully managed and auditable environment. Read our blog for more details.

Stay In the Loop

Microsoft Security continually ships meaningful innovations across our portfolio and research-driven insights and reports for the security community. In the Loop posts are your reliable source of what’s new across Microsoft Security and what it means for your security strategy. Check back for the next drop and connect with us at Microsoft Build, June 2-3, 2026, in San Francisco, to hear directly from Microsoft Security experts and learn more about today’s releases.


World Passkey Day: Advancing passwordless authentication
http://approjects.co.za/?big=en-us/security/blog/2026/05/07/world-passkey-day-advancing-passwordless-authentication/
Thu, 07 May 2026 16:00:00 +0000

This World Passkey Day, read how Microsoft is advancing passkey adoption to replace passwords, cut phishing risk, and deliver simpler, more secure sign-ins.

The post World Passkey Day: Advancing passwordless authentication appeared first on Microsoft Security Blog.

World Passkey Day is a chance to reflect on progress toward a shared goal: reducing our reliance on passwords and other phishable authentication methods by accelerating passkey adoption. As cyberattacks become more automated and AI-powered, each account is only as secure as its weakest credential. Real progress requires more than adding stronger sign-in options—it requires removing phishable credentials and strengthening common attack paths like recovery flows. In partnership with the FIDO Alliance, Microsoft is committed to advancing passkey adoption through ongoing standards work, active participation in working groups, and other contributions to a passwordless future.

Passwords remain a major source of risk; they’re difficult to manage and easy to steal. Along with weaker forms of multifactor authentication, they’re also highly vulnerable to phishing: AI-powered campaigns drive click-through rates as high as 54%.[1] In response, Microsoft is expanding passkey adoption across our ecosystem. We’re reducing reliance on legacy authentication and strengthening account recovery so it won’t become a backdoor for cyberattackers.

“Instead of vulnerable secrets or potentially identifiable personal information, a passkey uses a private key stored safely on the user’s device. It only works on the website or app for which the user created it, and only if that same user unlocks it with their biometrics or PIN. This means passkey users can’t be tricked into signing in to a malicious lookalike website, and a passkey is unusable unless the user is present and consenting. These are some qualities that make passkeys a ‘phishing-resistant’ form of authentication.”

From Microsoft Digital Defense Report.

Passkey adoption continues to grow industry wide

Passkey adoption is accelerating: FIDO Alliance estimates 5 billion passkeys already in use worldwide.[2] Across Microsoft’s consumer services, including OneDrive, Xbox, and Copilot, hundreds of millions of users sign in with passkeys every day.

There are many reasons to choose passkeys as the standard authentication method over passwords. Sign-in success rates are significantly higher than with passwords, and exposure to credential-based attacks is significantly lower.[3] Organizations and individual users alike prefer the simpler, more secure sign-in experience passkeys offer.[4]

Inside Microsoft, we’ve eliminated weaker authentication methods and rolled out phishing-resistant authentication, covering 99.6% of users and devices in our environment.[5] It’s made signing in a lot simpler: no codes to enter, no extra prompts to manage, just a straightforward experience for everyone.

Product updates across sign-in and recovery

Across Microsoft, we’ve been steadily building passkey support into every layer of the identity experience from consumer accounts to enterprise access with Microsoft Entra, and from device-based authentication like Windows Hello to Microsoft’s password manager. This work ensures people can create and use passkeys wherever they sign in, with a consistent, phishing-resistant experience across devices, apps, and environments.

To make passkeys more accessible, we’re expanding where and how people can use them:

  • Synced passkeys and passkey profiles in Microsoft Entra ID make it easier to scale passwordless sign-in across diverse environments. We’re expanding flexibility in cloud passkey management, including support for larger and more complex policies, and transitioning tenants to a unified passkey profile model.
  • Entra passkeys on Windows make it simple for users to create and use device-bound passkeys directly on personal or unmanaged Windows devices using Windows Hello, and will be generally available in late May 2026.
  • Passkeys for Microsoft Entra External ID will be generally available late May 2026, so your customer-facing applications can offer a more seamless, consumer-grade sign-in experience.
  • Passkey-preferred authentication in Microsoft Entra ID (preview) detects registered methods and prompts the strongest one first. If a passkey is registered, that’s what the user sees—immediately. 
  • On the consumer side, with Microsoft Password Manager, users can now save and sync passkeys across devices signed in with their Microsoft account, with support for iOS and Android rolling out soon through Microsoft Edge. 

Account recovery also plays a critical role in maintaining the integrity of identity systems. Historically, it’s been vulnerable to cyberattackers who try to hijack the recovery process, for example by impersonating legitimate users and requesting new credentials.

Microsoft Entra ID account recovery, generally available today, strengthens security for recovery flows by enabling users to regain access to their accounts through a robust identity verification process. Users can regain access after losing all authentication methods by using government-issued ID and biometric face checks. At general availability, we are expanding our identity verification ecosystem with two new partners—1Kosmos and CLEAR1—joining our existing partners Au10tix, IDEMIA, and TrueCredential. 

Removing phishable credentials from user accounts

Strengthening authentication is important, but reducing risk means eliminating phishable credentials entirely. Microsoft is continuing to phase out legacy methods and move users toward phishing-resistant authentication. Starting in January 2027, security questions will be removed as a password reset option in Microsoft Entra ID due to their susceptibility to guessing and social engineering.

The rationale is straightforward: improving strong methods while removing weak ones shrinks the attack surface. This is increasingly urgent as AI agents act on behalf of users. If an identity is compromised, cyberattackers can leverage those agents to access systems, execute workflows, and operate within existing permissions. Organizations need to address this risk quickly.

A more secure and usable future

Last year, Microsoft joined dozens of organizations in taking the Passkey Pledge, a commitment to accelerating the adoption of phishing-resistant authentication and to moving beyond passwords. Since then, we’ve seen meaningful progress, from hundreds of millions of better-protected consumer accounts to large-scale deployments across organizations like our own.

What once felt like a long-term shift is finally gaining real momentum: authentication is becoming simpler, safer, and passwordless.

For a more in-depth perspective on how cyberattackers try to bypass authentication through fallback methods and recovery flows—and how to address those gaps—read our companion post.

Getting started

Organizations that want to strengthen their identity security posture can enable passkeys for their users and extend policy protections across both sign-in and recovery scenarios.

Get started with a phishing-resistant passwordless authentication deployment in Microsoft Entra ID.

Individuals can create and use passkeys for their personal accounts for better security and convenience.



[1] Microsoft Digital Defense Report 2025.

[2] FIDO Alliance reports mainstream global usage on World Passkey Day. FIDO Alliance, 2026.

[3] Synced passkeys and high assurance account recovery, Microsoft Entra blog. December 16, 2025.

[4] FIDO Alliance Champions Widespread Passkey Adoption and a Passwordless Future on World Passkey Day 2025, FIDO News Center. May 1, 2025.

[5] Microsoft Security and Future Initiative (SFI) Progress Report—November 2025.

Identity security is the new pressure point for modern cyberattacks
http://approjects.co.za/?big=en-us/security/blog/2026/03/25/identity-security-is-the-new-pressure-point-for-modern-cyberattacks/
Wed, 25 Mar 2026 16:00:00 +0000

Read the latest Microsoft Secure Access report for insights into why a unified identity and access strategy offers strong modern protection.

The post Identity security is the new pressure point for modern cyberattacks appeared first on Microsoft Security Blog.

Identity attacks no longer hinge on who a cyberattacker compromises, but on what that identity can access. As organizations manage growing numbers of human, non-human, and agentic identities, their access fabric multiplies across apps, resources, and environments, which increases both operational complexity for identity teams and risk exposure for security teams.


The challenge isn’t just scale; it’s fragmentation. Research from our latest Secure Access report shows that 32% of organizations say their access management solutions are duplicative, and 40% say they have too many different vendors. That fragmentation across security vendors makes it harder to maintain consistent access controls and correlate risk across identities. When risk is distributed across dozens of disconnected accounts and permissions, visibility fragments and blind spots emerge—creating ideal conditions for cyberattackers to move laterally without detection. Securing identity in this reality requires more than incremental improvements. It calls for a shift from fragmented controls to an integrated, end-to-end approach that treats identity as a shared control plane that is informed by a continuous, foundational security signal.

Why fragmentation fails—and what must replace it

With the traditional model of identity security—built on siloed directories, disconnected access policies, and bolt-on threat detection—cyberattackers don’t have to break defenses, they just move between them. Permissions go uncorrelated, access policies drift as environments evolve, and lateral movement hides in the gaps.


For defenders, this creates a dangerous imbalance. Identity signals flood the security operations center (SOC) without the context to act, while identity teams enforce access without visibility into active cyberthreats. Risk accumulates across systems, but responsibility—and insight—remains fragmented.

Fixing this doesn’t require more alerts or point solutions. It requires an integrated fabric that brings together all of the identities, access, and signals.

A modern identity security solution must unify three critical layers:

  • The identity infrastructure: The systems and services that underpin every access decision. This includes the identity provider, authentication services, single sign-on (SSO), user and group management, and the systems that establish and maintain trust across the enterprise. Without this foundation, there is no authoritative source of truth for who an identity is, what it can access, or how it should be governed. It’s the layer many security vendors lack—and the one Microsoft delivers at global scale.
  • The identity control plane: Where privileged identity management and access decisions are enforced in real time, based on dynamic risk signals, behavioral context, and policy intent. This is where identity and security converge to adapt access as conditions change, powering real-time response to identity threats.
  • End-to-end identity threat protection: Before a cyberattack, it proactively reduces posture risk by eliminating excessive access and closing identity exposure gaps. When threats emerge, it detects identity misuse in real time, surfaces lateral movement, and drives rapid containment—connecting integrated signals and response across the full attack lifecycle.

When these layers operate in isolation, risk is missed. When they operate as one, identity becomes a powerful security signal—enabling earlier detection, smarter decisions, and faster response.

Redefining identity security for real-time defense

Microsoft is delivering a new standard for identity security solutions—one that unifies identity infrastructure, access control, and threat response into a single, real-time platform built for speed, precision, and autonomy.

We start with the identity infrastructure: the foundational identity layer powered by Microsoft Entra. As one of the most widely adopted identity platforms in the world with billions of authentications managed daily, it provides resilient SSO, user and group management, and trust establishment at global scale—a layer many security vendors simply don’t have access to.

We collapse identity sprawl, correlating related accounts across cloud and on-premises into a single identity view, so risk assessment is no longer scattered across disconnected systems. This gives security teams a real-time understanding of what an identity and its correlated accounts can access, not just who it is—allowing them to spot dangerous access paths early, limit impact, and disrupt lateral movement before attackers turn access into impact. Likewise, it gives identity teams visibility into whether a user flagged as high risk was just a one-off or is associated with other accounts, informing what access decisions to make.

On top of that foundation is a real-time identity control plane designed for how attacks actually unfold. Microsoft Entra Conditional Access continuously evaluates risk as access is used, not just when it’s granted—tracking signals from identity, device, network, and broader threat intelligence throughout the session. As conditions change, access adapts in real time, helping identity teams limit exposure and prevent risky access while giving security teams the ability to interrupt attack paths while activity is still in motion. This is adaptive access driven by connected intelligence—not static policy.

And when risk turns into a threat, we act—automatically and inline, which results in a faster response. Microsoft’s threat protection is differentiated by automatic attack disruption: a capability that intervenes mid-attack to isolate compromised assets by terminating user sessions, revoking access, and applying just-in-time hardening to stop lateral movement and privilege escalation. It’s not just detection—it’s defense in motion.

To accelerate response, we’ve extended Microsoft Security Copilot’s triage agent to identity. It uses AI to filter noise, surface high-confidence alerts, and guide analysts with clear, explainable insights—reducing time to action and analyst fatigue.

This end-to-end approach shifts identity from an expanding source of exposure into a strategic advantage. Instead of reacting after access has already been abused, it helps ensure that risk is evaluated continuously, access decisions are made in real-time, and organizations can defend more effectively as attack paths emerge to stop identity‑based attacks before they escalate into business impact.

Innovation that moves the industry forward

At RSAC 2026, we announced a set of innovations in identity security that are designed to help organizations move from fragmented awareness to confident, identity-centric protection:

  • The new identity security dashboard in Microsoft Defender doesn’t just summarize alerts, it reveals where identity risk actually concentrates across human and nonhuman identities, account types, and providers. Instead of hopping between consoles, teams can immediately see which access paths matter most, where blast radius is largest, and where action will have the greatest impact.
  • A new unified identity risk score correlates more than 100 trillion signals across Microsoft Security, including identity behavior, access risk, and threat signals, into a single, actionable view of risk. This allows teams to move directly from understanding exposure to enforcing protection—applying controls at the point of access, natively through risk-based Conditional Access policies.
  • Adaptive risk remediation helps identity and security teams contain modern cyberattacks more efficiently while maintaining strong protection. When risk is detected, users easily regain access and Microsoft Entra ID Protection adapts risk remediation based on the type of cyberthreat and the credentials used. This reduces reliance on help desk processes and lowers manual response effort.
  • Automatic attack disruption fundamentally changes the outcome of identity-based attacks. Instead of detecting suspicious behavior and waiting for the security teams to respond, it intervenes while cyberattacks are in progress—terminating sessions, revoking access, and applying just-in-time hardening to shut down cyberattacker movement before lateral spread or privilege escalation can occur.
  • Security Copilot’s triage agent now extends to identity. Using AI to collapse signal overload into clear, recommended action, the agent surfaces high-confidence threats, explains why they matter, and guides analysts to the right response while attacks are still unfolding. The result is faster containment with far less analyst fatigue.
  • Expanded coverage across the modern identity fabric, including deeper visibility into non-human identities and new integrations with third-party platforms like SailPoint and CyberArk—providing protection that spans the full ecosystem, not just first-party assets.
  • A new coverage and maturity view helps organizations assess their current identity security posture, identify gaps, and prioritize next steps—transforming identity protection from a static checklist into a dynamic, guided journey.

These innovations are deeply integrated, continuously reinforced, and designed to work together—enabling security and identity teams to operate from a shared source of truth, with shared context, and shared urgency. Read more about redefining identity security for the modern enterprise.

They are designed to help organizations shift from reactive identity management to proactive identity defense—and from fragmented tools to a unified platform built for real-time security across human, non-human, and agentic identities.

Secure agentic AI end-to-end
http://approjects.co.za/?big=en-us/security/blog/2026/03/20/secure-agentic-ai-end-to-end/
Fri, 20 Mar 2026 16:00:00 +0000

In this agentic era, security must be woven into, and around, every layer of the AI estate. At RSAC 2026, we are delivering on that vision with new purpose-built capabilities designed to help organizations secure agents, secure their foundations, and defend using agents and experts.

The post Secure agentic AI end-to-end appeared first on Microsoft Security Blog.

Next week, RSAC™ Conference celebrates its 35-year anniversary as a forum that brings the security community together to address new challenges and embrace opportunities in our quest to make the world a safer place for all. As we look towards that milestone, agentic AI is reshaping industries rapidly as customers transform to become Frontier Firms—those anchored in intelligence and trust and using agents to elevate human ambition, holistically reimagining their business to achieve their highest aspirations. Our recent research shows that 80% of Fortune 500 companies are already using agents.[1]

At the same time, this innovation is happening against a sea change in AI-powered attacks where agents can become “double agents.” And chief information officers (CIOs), chief information security officers (CISOs), and security decision makers are grappling with the resulting security implications: How do they observe, govern, and secure agents? How do they secure their foundations in this new era? How can they use agentic AI to protect their organization and detect and respond to traditional and emerging threats?

The answer starts with trust, and security has always been the root of trust. In this agentic era, security must be woven into, and around, every layer of the AI estate. It must be ambient and autonomous, just like the AI it protects. This is our vision for security as the core primitive of the AI stack.

At RSAC 2026, we are delivering on that vision with new purpose-built capabilities designed to help organizations secure agents, secure their foundations, and defend using agents and experts. Fueled by more than 100 trillion daily signals, Microsoft Security helps protect 1.6 million customers, one billion identities, and 24 billion Copilot interactions.² Read on to learn how we can help you secure agentic AI.

Secure agents

Earlier this month, we announced that Agent 365 will be generally available on May 1. Agent 365—the control plane for agents—gives IT, security, and business teams the visibility and tools they need to observe, secure, and govern agents at scale using the infrastructure you already have and trust. It includes new Microsoft Defender, Entra, and Purview capabilities to help you secure agent access, prevent data oversharing, and defend against emerging threats.

Agent 365 is included in Microsoft 365 E7: The Frontier Suite along with Microsoft 365 Copilot, Microsoft Entra Suite, and Microsoft 365 E5, which includes many of the advanced Microsoft Security capabilities below to deliver comprehensive protection for your organization.

Secure your foundations

Along with securing agents, we also need to think of securing AI comprehensively. To truly secure agentic AI, we must secure foundations—the systems that agentic AI is built and runs on and the people who are developing and using AI. At RSAC 2026, we are introducing new capabilities to help you gain visibility into risks across your enterprise, secure identities with continuous adaptive access, safeguard sensitive data across AI workflows, and defend against threats at the speed and scale of AI.

Gain visibility into risks across your enterprise

As AI adoption accelerates, so does the need for comprehensive and continuous visibility into AI risks across your environment—from agents to AI apps and services. We are addressing this challenge with new capabilities that give you insight into risks across your enterprise so you know where AI is showing up, how it is being used, and where your exposure to risk may be growing. New capabilities include:

  • Security Dashboard for AI provides CISOs and security teams with unified visibility into AI-related risk across the organization. Now generally available.
  • Entra Internet Access Shadow AI Detection uses the network layer to identify previously unknown AI applications and surface unmanaged AI usage that might otherwise go undetected. Generally available March 31.
  • Enhanced Intune app inventory provides rich visibility into your app estate installed on devices, including AI-enabled apps, to support targeted remediation of high-risk software. Generally available in May.

Secure identities with continuous, adaptive access

Identity is the foundation of modern security, the most targeted layer in any environment, and the first line of defense. With Microsoft Entra, you can secure access and deliver comprehensive identity security using new capabilities that help you harden your identity infrastructure, improve tenant governance, modernize authentication, and make intelligent access decisions.

  • Entra Backup and Recovery strengthens resilience with an automated backup of Entra directory objects to enable rapid recovery in case of accidental data deletion or unauthorized changes. Now available in preview.
  • Entra Tenant Governance helps organizations discover unmanaged (shadow) Entra tenants and establish consistent tenant policies and governance in multi-tenant environments. Now available in preview.
  • Entra passkey capabilities now include synced passkeys and passkey profiles to enable maximum flexibility for end-users, making it easy to move between devices, while organizations looking for maximum control still have the option of device-bound passkeys. Plus, Entra passkeys are now natively integrated into the Windows Hello experience, making phishing-resistant passkey authentication more seamless on Windows devices. Synced passkeys and passkey profiles are generally available; passkey integration into Windows Hello is in preview.
  • Entra external Multi-Factor Authentication (MFA) allows organizations to connect external MFA providers directly with Microsoft Entra so they can leverage pre-existing MFA investments or use highly specialized MFA methods. Now generally available.
  • Entra adaptive risk remediation helps users securely regain access without help-desk friction through automatic self-remediation across authentication methods, adapting to where they are in their modern authentication journey. Generally available in April.
  • Unified identity security provides end-to-end coverage across identity infrastructure, the identity control plane, and identity threat detection and response (ITDR)—built for rapid response and real-time decisions. The new identity security dashboard in Microsoft Defender highlights the most impactful insights across human and non-human identities to help accelerate response, and the new identity risk score unifies account-level risk signals to deliver a comprehensive view of user risk to inform real-time access decisions and SecOps investigations. Now available in preview.

Safeguard sensitive data across AI workflows

With AI embedded in everyday work, sensitive data increasingly moves through prompts, responses, and grounding flows—often faster than policies can keep up. Security teams need visibility into how AI interacts with data as well as the ability to stop data oversharing and data leakage. Microsoft brings data security directly into the AI control plane, giving organizations clear insight into risk, real-time enforcement at the point of use, and the confidence to enable AI responsibly across the enterprise. New Microsoft Purview capabilities include:

  • Expanded Purview data loss prevention for Microsoft 365 Copilot helps block sensitive information such as PII, credit card numbers, and custom data types in prompts from being processed or used for web grounding. Generally available March 31.
  • Purview embedded in Copilot Control System provides a unified view of AI‑related data risk directly in the Microsoft 365 Admin Center. Generally available in April.
  • Purview customizable data security reports enable tailored reporting and drilldowns to prioritized data security risks. Available in preview March 31.

Defend against threats across endpoints, cloud, and AI services

Security teams need proactive 24/7 threat protection that disrupts threats early and contains them automatically. Microsoft is extending predictive shielding to proactively limit impact and reduce exposure, expanding our container security capabilities, and introducing network-layer protection against malicious AI prompts.

  • Entra Internet Access prompt injection protection helps block malicious AI prompts across apps and agents by enforcing universal network-level policies. Generally available March 31.
  • Enhanced Defender for Cloud container security includes binary drift and antimalware prevention to close gaps attackers exploit in containerized environments. Now available in preview.
  • Defender for Cloud posture management adds broader coverage and supports Amazon Web Services and Google Cloud Platform, delivering security recommendations and compliance insights for newly discovered resources. Available in preview in April.
  • Defender predictive shielding dynamically adjusts identity and access policies during active attacks, reducing exposure and limiting impact. Now available in preview.

Defend with agents and experts

To defend in the agentic age, we need agentic defense. This means having an agentic defense platform and security agents embedded directly into the flow of work, augmented by deep human expertise and comprehensive security services when you need them.

Agents built into the flow of security work

Security teams move fastest with targeted help where and when work is happening. As alerts surface and investigations unfold across identities, data, endpoints, and cloud workloads, AI-powered assistance needs to operate alongside defenders. With Security Copilot now included in Microsoft 365 E5 and E7, we are empowering defenders with agents embedded directly into daily security and IT operations that help accelerate response and reduce manual effort so they can focus on what matters most.

New agents available now include:

  • Security Analyst Agent in Microsoft Defender helps accelerate threat investigations by providing contextual analysis and guided workflows. Available in preview March 26.
  • Security Alert Triage Agent in Microsoft Defender has the capabilities of the phishing triage agent and then extends to cloud and identity to autonomously analyze, classify, prioritize, and resolve repetitive low-value alerts at scale. Available in preview in April.
  • Conditional Access Optimization Agent in Microsoft Entra enhancements add context-aware recommendations, deeper analysis, and phased rollout to strengthen identity security. Agent generally available, enhancements now available in preview.
  • Data Security Posture Agent in Microsoft Purview enhancements include a credential scanning capability that can be used to proactively detect credential exposure in your data. Now available in preview.
  • Data Security Triage Agent in Microsoft Purview enhancements include an advanced AI reasoning layer and improved interpretation of custom Sensitive Information Types (SITs), to improve agent outputs during alert triage. Agent generally available, enhancements available in preview March 31.
  • Over 15 new partner-built agents extend Security Copilot with additional capabilities, all available in the Security Store.

Scale with an agentic defense platform

To help defenders and agents work together in a more coordinated, intelligence-driven way, Microsoft is expanding Sentinel, the agentic defense platform, to unify context, automate end-to-end workflows, and standardize access, governance, and deployment across security solutions.

  • Sentinel data federation powered by Microsoft Fabric investigates external security data in place in Databricks, Microsoft Fabric, and Azure Data Lake Storage while preserving governance. Now available in preview.
  • Sentinel playbook generator with natural language orchestration helps accelerate investigations and automate complex workflows. Now available in preview.
  • Sentinel granular delegated administrator privileges and unified role-based access control enable secure and scalable management for partners and enterprise customers with cross-tenant collaboration. Now available in preview.
  • Security Store embedded in Purview and Entra makes it easier to discover and deploy agents directly within existing security experiences. Generally available March 31.
  • Sentinel custom graphs powered by Microsoft Fabric enable views unique to your organization of relationships across your environment. Now available in preview.
  • Sentinel model context protocol (MCP) entity analyzer helps automate faster with natural language and harnesses the flexibility of code to accelerate responses. Generally available in April.

Strengthen with experts

Even the most mature security organizations face moments that call for deeper partnership—a sophisticated attack, a complex investigation, a situation where seasoned expertise alongside your team makes all the difference. The Microsoft Defender Experts Suite brings together expert-led services—technical advisory, managed extended detection and response (MXDR), and end-to-end proactive and reactive incident response—to help you defend against advanced cyber threats, build long-term resilience, and modernize security operations with confidence.

Apply Zero Trust for AI

Zero Trust has always been built on three principles: verify explicitly, use least privilege, and assume breach. As AI becomes embedded across your entire environment—from the models you build on, to the data they consume, to the agents that act on your behalf—applying those principles has never been more critical. At RSAC 2026, we’re extending our Zero Trust architecture to the full AI lifecycle—from data ingestion and model training to deployment and agent behavior. And we’re making it actionable with an updated Zero Trust for AI reference architecture, workshop, assessment tool, and new patterns and practices articles to help you improve your security posture.

See you at RSAC

If you’re joining the global security community in San Francisco for RSAC 2026 Conference, we invite you to connect with us. Join us at our Microsoft Pre-Day event and stop by our booth at the RSAC Conference North Expo (N-5744) to explore our latest innovations across Microsoft Agent 365, Microsoft Defender, Microsoft Entra, Microsoft Purview, Microsoft Sentinel, and Microsoft Security Copilot and see firsthand how we can help your organization secure agents, secure your foundation, and help you defend with agents and experts. The future of security is ambient, autonomous, and built for the era of AI. Let’s build it together.



¹ Based on Microsoft first-party telemetry measuring agents built with Microsoft Copilot Studio or Microsoft Agent Builder that were in use during the last 28 days of November 2025.

² Microsoft Fiscal Year 2026 First Quarter Earnings Conference Call and Microsoft Fiscal Year 2026 Second Quarter Earnings Conference Call

Four priorities for AI-powered identity and network access security in 2026 http://approjects.co.za/?big=en-us/security/blog/2026/01/20/four-priorities-for-ai-powered-identity-and-network-access-security-in-2026/ Tue, 20 Jan 2026 17:00:00 +0000 Discover four key identity and access priorities for the new year to strengthen your organization's identity security baseline.

No doubt, your organization has been hard at work over the past several years implementing industry best practices, including a Zero Trust architecture. But even so, the cybersecurity race only continues to intensify.

AI has quickly become a powerful tool misused by threat actors, who use it to slip into the tiniest crack in your defenses. They use AI to automate and launch password attacks and phishing attempts at scale, craft emails that seem to come from people you know, manufacture voicemails and videos that impersonate people, join calls, request IT support, and reset passwords. They even use AI to rewrite AI agents on the fly as they compromise and traverse your network.

To stay ahead in the coming year, we recommend four priorities for identity security leaders:

  1. Implement fast, adaptive, and relentless AI-powered protection.
  2. Manage, govern, and protect AI and agents.
  3. Extend Zero Trust principles everywhere with an integrated Access Fabric security solution.
  4. Strengthen your identity and access foundation to start secure and stay secure.


1. Implement fast, adaptive, and relentless AI-powered protection

2026 is the year to integrate AI agents into your workflows to reduce risk, accelerate decisions, and strengthen your defenses.

While security systems generate plenty of signals, the work of turning that data into clear next steps is still too manual and error-prone. Investigations, policy tuning, and response actions require stitching together an overwhelming volume of context from multiple tools, often under pressure. When cyberattackers are operating at the speed and scale of AI, human-only workflows constrain defenders.

That’s where generative AI and agentic AI come in. Instead of reacting to incidents after the fact, AI agents help your identity teams proactively design, refine, and govern access. Which policies should you create? How do you keep them current? Agents work alongside you to identify policy gaps, recommend smarter and more consistent controls, and continuously improve coverage without adding friction for your users. You can interact with these agents the same way you’d talk to a colleague. They can help you analyze sign-in patterns, existing policies, and identity posture to understand what policies you need, why they matter, and how to improve them.

In a recent study, identity admins using the Conditional Access Optimization Agent in Microsoft Entra completed Conditional Access tasks 43% faster and 48% more accurately across tested scenarios. These gains directly translate into a stronger identity security posture with fewer gaps for cyberattackers to exploit. Microsoft Entra also includes built-in AI agents for reasoning over users, apps, sign-ins, risks, and configurations in context. They can help you investigate anomalies, summarize risky behavior, review sign-in changes, remediate and investigate risks, and refine access policies.

The real advantage of AI-powered protection is speed, scale, and adaptability. Static, human-only workflows just can’t keep up with constantly evolving cyberattacks. Working side-by-side with AI agents, your teams can continuously assess posture, strengthen access controls, and respond to emerging risks before they turn into compromise.

Where to learn more: Get started with Microsoft Security Copilot agents in Microsoft Entra to help your team with everyday tasks and the complex scenarios that matter most.

2. Manage, govern, and protect AI and agents 

Another critical shift is to make every AI agent a first-class identity and govern it with the same rigor as human identities. This means inventorying agents, assigning clear ownership, governing what they can access, and applying consistent security standards across all identities.

Just as unsanctioned software as a service (SaaS) apps once created shadow IT and data leakage risks, organizations now face agent sprawl—an exploding number of AI systems that can access data, call external services, and act autonomously. While you want your employees to get the most out of these powerful and convenient productivity tools, you also want to protect them from new risks.

Fortunately, the same Zero Trust principles that apply to human employees apply to AI agents, and now you can use the same tools to manage both. You can also add more advanced controls: monitoring agent interaction with external services, enforcing guardrails around internet access, and preventing sensitive data from flowing into unauthorized AI or SaaS applications.

With Microsoft Entra Agent ID, you can register and manage agents using familiar Entra experiences. Each agent receives its own identity, which improves visibility and auditability across your security stack. Requiring a human sponsor to govern an agent’s identity and lifecycle helps prevent orphaned agents and preserves accountability as agents and teams evolve. You can even automate lifecycle actions to onboard and retire agents. With Conditional Access policies, you can block risky agents and set guardrails for least privilege and just in time access to resources.

To govern how employees use agents and to prevent misuse, you can turn to Microsoft Entra Internet Access, included in Microsoft Entra Suite. It’s now a secure web and AI gateway that works with Microsoft Defender to help you discover use of unsanctioned private apps, shadow IT, generative AI, and SaaS apps. It also protects against prompt injection attacks and prevents data exfiltration by integrating network filtering with Microsoft Purview classification policies.

When you have observability into everything that traverses your network, you can embrace AI confidently while ensuring that agents operate safely, responsibly, and in line with organizational policy.

Where to learn more: Get started with Microsoft Entra Agent ID and Microsoft Entra Suite.

3. Extend Zero Trust principles everywhere with an integrated Access Fabric security solution

There’s often a gap between what your identity system can see and what’s happening on the network. That’s why our next recommendation is to unify the identity and network access layers of your Zero Trust architecture, so they can share signals and reinforce each other’s strengths through a unified policy engine. This gives you deeper visibility into and finer control over every user session.

Today, enterprise organizations juggle an average of five different identity solutions and four different network access solutions, usually from multiple vendors.¹ Each solution enforces access differently with disconnected policies that limit visibility across identity and network layers. Cyberattackers are weaponizing AI to scale phishing campaigns and automate intrusions to exploit the seams between these siloed solutions, resulting in more breaches.²

An access security platform that integrates context from identity, network, and endpoints creates a dynamic safety net—an Access Fabric—that surrounds every digital interaction and helps keep organizational resources secure. An Access Fabric solution wraps every connection, session, and resource in consistent, intelligent access security, wherever work happens—in the cloud, on-premises, or at the edge. Because it reasons over context from identity, network, devices, agents, and other security tools, it determines access risk more accurately than an identity-only system. It continuously re‑evaluates trust across authentication and network layers, so it can enforce real‑time, risk‑based access decisions beyond first sign‑in.

Microsoft Entra delivers integrated access security across AI and SaaS apps, internet traffic, and private resources by bringing identity and network access controls together under a unified Zero Trust policy engine, Microsoft Entra Conditional Access. It continuously monitors user and network risk levels. If any of those risk levels change, it enforces policies that adapt in real time, so you can block access for users, apps, and even AI agents before they cause damage.

Your security teams can set policies in one central place and trust Entra to enforce them everywhere. The same adaptive controls protect human users, devices, and AI agents wherever they move, closing access security gaps while reducing the burden of managing multiple policies across multiple tools.

Where to learn more: Read our Access Fabric blog and learn more in our new four-part webinar series.

4. Strengthen your identity and access foundation to start secure and stay secure

To address modern cyberthreats, you need to start from a secure baseline—anchored in phishing‑resistant credentials and strong identity proofing—so only the right person can access your environment at every step of authentication and recovery.

A baseline security model sets minimum guardrails for identity, access, hardening, and monitoring. These guardrails include must-have controls, like those in security defaults, Microsoft-managed Conditional Access policies, or Baseline Security Mode in Microsoft 365. This approach includes moving away from easily compromised credentials like passwords and adopting passkeys to balance security with a fast, familiar sign-in experience. Equally important is high‑assurance account recovery and onboarding that combines a government‑issued ID with a biometric match to ensure that no bad actors or AI impersonators gain access.

Microsoft Entra makes it easy to implement these best practices. You can require phishing‑resistant credentials for any account accessing your environment and tailor passkey policies based on risk and regulatory needs. For example, admins or users in highly regulated industries can be required to use device‑bound passkeys such as physical security keys or Microsoft Authenticator, while other worker groups can use synced passkeys for a simpler experience and easier recovery. At a minimum, protect all admin accounts with phishing‑resistant credentials included in Microsoft Entra ID. You can even require new employees to set up a passkey before they can access anything. With Microsoft Entra Verified ID, you can add a live‑person check and validate government‑issued ID for both onboarding and account recovery.

Combining access control policies with device compliance, threat detection, and identity protection will further fortify your foundation. 

Where to learn more: Read our latest blog on passkeys and account recovery with Verified ID and learn how you can enable passkeys for your organization.

Support your identity and network access priorities with Microsoft

The plan for 2026 is straightforward: use AI to automate protection at speed and scale, protect the AI and agents your teams use to boost productivity, extend Zero Trust principles with an Access Fabric solution, and strengthen your identity security baseline. These measures will give your organization the resilience it needs to move fast without compromise. The threats will keep evolving—but you can tip the scales in your favor against increasingly sophisticated cyberattackers.



¹ Secure employee access in the age of AI report, Microsoft.

² Microsoft Digital Defense Report 2025.

Access Fabric: A modern approach to identity and network access http://approjects.co.za/?big=en-us/security/blog/2025/12/17/access-fabric-a-modern-approach-to-identity-and-network-access/ Wed, 17 Dec 2025 17:00:00 +0000 An Access Fabric is a unified access security solution that continuously decides who can access what, from where, and under what conditions—in real time.

Today, most organizations use multiple identity systems and multiple network access solutions from multiple vendors. This happens, either intentionally or organically, when different areas of a company choose different tools, creating a fragmented environment that leaves weaknesses that cyberattackers are quick to weaponize.

Simply adding more tools isn’t enough. No matter how many you have, when identity systems and network security systems don’t work together, visibility drops, gaps form, and risks skyrocket. A unified, adaptive approach to access security, in contrast, can better ensure that only the right users are accessing your data and resources from the right places.

When identity and network access work in concert, sharing signals and amplifying each other’s strengths through a unified policy engine, they create a dynamic safety net—an Access Fabric—that continuously evaluates trust at the authentication and network levels throughout every session and enforces risk-based access decisions in real-time, not just at first sign-in.

AI is amplifying the risk of defensive seams and gaps

Access isn’t a single wall between your organizational resources and cyberthreats. It’s a lattice of decisions about people, devices, applications, agents, and networks. With multiple tools, management becomes patchwork: identity controls in this console, network controls over there, endpoint rules somewhere else, and software as a service (SaaS) configurations scattered across dozens of admin planes. Although each solution strives to do the right thing, the overall experience is disjointed, the signals are incomplete, and the policies are rarely consistent.

In the age of AI, this fragmentation is dangerous. In fact, 79% of organizations that use six or more identity and network solutions reported an increase in significant breaches.¹ Threat actors are using AI to get better at finding and exploiting weaknesses in defenses. For example, our data shows that threat actors are using AI to make phishing campaigns four and a half times more effective and to automate intrusion vectors at scale.²

The best strategy moving forward is to remove seams and close gaps that cyberattackers target. This is what an Access Fabric does. It isn’t a product or platform but a unified approach to access security across AI and SaaS apps, internet traffic, and private resources to protect every identity, access point, session, and resource with the same adaptive controls.

An Access Fabric solution continuously decides who can access what, from where, and under what conditions—in real time. It reduces complexity and closes the gaps that cyberattackers look for, because the same adaptive controls protect human users, devices, and even AI agents as they move between locations and networks.

Why a unified approach to access security is better than a fragmented one

Let’s use an everyday example to illustrate the difference between an access security approach that uses fragmented tools versus one that uses an Access Fabric solution.

It’s a typical day at the office. After signing into your laptop and opening your confidential sales report, it hits you: You need coffee. There’s a great little cafe right in your building, so you pop downstairs with your laptop and connect to its public wireless network.

Unfortunately, disconnected identity and security systems won’t catch that you just switched from a secure network to a public one. This means that the token issued while you were connected to your secure network will stay valid until it expires. In other words, until the token times out, you can still connect to sensitive resources, like your sales report. What’s more, anything you access is now exposed over the cafe’s public wireless network to anyone nearby—even to AI-empowered cyberattackers stalking the public network, just waiting to pounce.

The system that issued your token worked exactly as designed. It simply had no mechanism to receive a signal from your laptop that you had switched to an insecure network mid-session.

Now let’s revise this scenario. This time you, your device, your applications, and your data are wrapped in the protection of an Access Fabric solution that connects identity, device, and network signals. You still need coffee and you still go down to the cafe. This time, however, your laptop sends a signal the moment you connect to the cafe’s public wireless network, triggering a policy that immediately revokes access to your confidential sales report.

The Access Fabric solution doesn’t simply trust a “one-and-done” sign-in but applies the Zero Trust principles of “never trust, always verify” and “assume breach” to keep checking: Is this still really you? Is your device still healthy? Is this network trustworthy? How sensitive is the app or data you’re trying to access?

Anything that looks off, like a change in network conditions, triggers a policy that automatically tightens or even pauses your access to sensitive resources. You don’t have to think about it. The safety net is always there, weaving identity and network signals together, updating risk scores, and continuously re-evaluating access to keep your data safe, wherever you are.

By weaving protection into every connection and every node at the authentication and network levels—an approach that integrates identity, networking, device, application, and data access solutions—and continuously responding to risk signals in real time, an Access Fabric solution transforms access security from disconnected tools into a living system of trust that adapts as threats, user scenarios, and digital environments evolve.

What makes an Access Fabric solution effective

For an Access Fabric solution to secure access in hybrid work environments effectively, it must be contextual, connected, and continuous.

  • Contextual: Instead of granting a human user, device, or autonomous agent access based on a password or one-time authentication token, a rich set of signals across identity, device posture, network telemetry, and business context inform every access decision. If context changes, the policy engine re-evaluates conditions and reassesses risk in real-time.
  • Connected: Instead of operating independently, identity and network controls share signals and apply consistent policies across applications, endpoints, and network edges. When identity and network telemetry reinforce one another, access decisions become comprehensive and dynamic instead of disjointed and episodic. This unified approach simplifies governance for security teams, who can set policies in one place.
  • Continuous: Verification at the authentication and network levels is ongoing throughout every session—not just at sign-in—as users, devices, and agents interact with resources. The policy engine at the heart of the solution is always learning and adapting. If risk levels change in response to a shift in device health, network activity, or suspicious behavior, the system responds instantly to mitigate cyberthreats before they escalate.

With an Access Fabric solution, life gets more secure for everyone. Identity and network access teams can configure comprehensive policies, review granular logs, and take coordinated action in one place. They can deliver better security while employees get a more consistent and intuitive experience, which improves security even more. Organizations can experiment with AI more safely because their Access Fabric solution will ensure that machine identities and AI agents play by the same smart rules as people.

By moving beyond static identity checks to real-time, context-aware access decisions, an Access Fabric solution delivers stronger access security and a smoother user experience wherever and however work happens.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1Secure employee access in the age of AI.

2Microsoft Digital Defense Report 2025.

The post Access Fabric: A modern approach to identity and network access appeared first on Microsoft Security Blog.

Microsoft named a Leader in the Gartner® Magic Quadrant™ for Access Management for the ninth consecutive year http://approjects.co.za/?big=en-us/security/blog/2025/11/21/microsoft-named-a-leader-in-the-gartner-magic-quadrant-for-access-management-for-the-ninth-consecutive-year/ Fri, 21 Nov 2025 17:00:00 +0000 We’re happy to share that Microsoft has been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Access Management for the ninth consecutive year.

The post Microsoft named a Leader in the Gartner® Magic Quadrant™ for Access Management for the ninth consecutive year appeared first on Microsoft Security Blog.

I’m deeply grateful to our customers and partners for their continued trust and collaboration. We’re happy to share that Microsoft has been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Access Management for the ninth consecutive year. We feel this recognition underscores the impact and value of our innovative solutions, like Microsoft Entra.

The Gartner Magic Quadrant showing Microsoft as a Leader.
Figure 1. Magic Quadrant for Access Management.

Staying ahead of the evolving cyberthreat landscape

Every day, Microsoft processes more than 100 trillion signals from our services. Together with insights from researchers, law enforcement, and cybersecurity teams, these signals reveal how quickly the threat landscape continues to evolve.

We’ve observed nation-state actors and organized cybercrime groups joining forces to deploy generative AI that automates cyberattacks at unprecedented scale. With password spray or brute force attacks still accounting for more than 97% of identity-related alerts we see, more customers are turning on multifactor authentication to defend themselves.1 Multifactor authentication also reduces the risk of identity compromise by more than 99%, making it the single most important security measure an organization can implement.1 This is forcing bad actors to evolve their tactics.

Using sophisticated phishing attacks, they trick users into authenticating on fake sites so they can intercept multifactor authentication codes and session tokens. And now they’re even using generative AI to impersonate colleagues and help desk personnel in fraudulent emails and Microsoft Teams chats, luring users into authenticating on their behalf or into granting broad permissions to malicious applications. They’re also targeting workloads, such as AI agents, which use non-human identities that may not have the same level of protection as human users.

This growing cyberthreat landscape is why a comprehensive, integrated identity and access management (IAM) strategy with strong identity governance and agentic AI controls is vital to every organization’s security posture.

A unified solution to simplify and strengthen security

Microsoft Entra is our unified secure access solution that simplifies IAM and consumer IAM (CIAM) for organizations and applications of all sizes across all industries. Instead of having to assemble multiple tools or rely on fragmented processes, security teams get a streamlined experience with centralized visibility and control.

And since we have fully integrated generative AI into the Microsoft Entra admin center, strengthening security posture is as simple as chatting with Microsoft Security Copilot, for example, to create and troubleshoot lifecycle workflows that automate joiner, mover, and leaver scenarios. Security teams can also use natural language prompting to investigate and respond to cyberthreats to any kind of identity.

We’ve also made it easier for developers to integrate authentication into their apps with Microsoft Entra External ID. These include AI-based tools for creating highly customized sign-up/sign-in flows and automated tools for migrating apps from Azure AD B2C or a third-party platform to External ID.

Check out more Microsoft Ignite 2025 product announcements here, including new Microsoft Entra Agent ID capabilities, an expanded lineup of Security Copilot agents in Entra, synced passkeys, and more.

Investing to secure identities for the AI era

A comprehensive IAM solution for non-human identities requires visibility to your organization’s AI agents. We introduced Microsoft Entra Agent ID, which creates enterprise identities for AI agents. Now identity admins can manage and govern agents using the same granular access controls and lifecycle workflows they already use to manage and govern users and applications.

We’ve also expanded Security Copilot to include agents. For example, the Conditional Access Optimization Agent detects policy gaps and provides actionable recommendations to strengthen Zero Trust enforcement and eliminate blind spots.

The Access Review agent, currently in preview, surfaces intelligent recommendations directly in Microsoft Teams. It uses AI to analyze sign-in activity, peer group changes, and unusual access patterns, making access reviews faster and more secure.

Innovations such as these represent the continued commitment to securing all identities and access points. Stay tuned for more exciting advancements coming your way at Microsoft Ignite.

Explore more

Are you a regular user of Microsoft Entra ID? Share your insights on Microsoft Entra ID and get rewarded with a $25 gift card on Gartner Peer Insights™.


1Microsoft Digital Defense Report 2025

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft. 

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. 

Gartner, Magic Quadrant for Access Management, 11 November 2025, By Brian Guthrie, Nathan Harris, Yemi Davies, Steve Wessels

Harden your identity defense with improved protection, deeper correlation, and richer context http://approjects.co.za/?big=en-us/security/blog/2025/10/23/harden-your-identity-defense-with-improved-protection-deeper-correlation-and-richer-context/ Thu, 23 Oct 2025 16:00:00 +0000 Expanded ITDR features—including the new Microsoft Defender for Identity sensor, now generally available—bring improved protection, correlation, and context to help customers modernize their identity defense.

The post Harden your identity defense with improved protection, deeper correlation, and richer context appeared first on Microsoft Security Blog.

In today’s digital-first enterprise, identities have become the new corporate security perimeter. Hybrid work and cloud-first strategies have dissolved traditional network boundaries and dramatically increased the complexity of identity fabrics. Security teams are left managing a constellation of users, infrastructure, and tools scattered across hybrid environments or even multivendor ecosystems. To put the threat into perspective, we saw more than 7,000 password attacks every second in 2024, and on average 66% of attack paths involve some type of identity compromise.1 AI is further amplifying this challenge by introducing a surge of non-human identities that require even more unique protection and capabilities.

This evolution demands a fundamental shift in Identity Threat Detection and Response (ITDR). It’s no longer simply about protecting users; it requires consistent, comprehensive protection for every piece of the identity fabric, whether human or non-human, on-premises or in the cloud, from Microsoft or another vendor.

ITDR for the modern enterprise

Successful identity security practices understand that seams in protection are the real enemy of identity security. A unified approach between identity and security teams is a necessity, and our unique perspective as both a leading identity and security provider allows us to further streamline the flow of contextual insights, actions, and workflows across these groups, minimizing the potential for gaps or oversight.

While both identity and security teams play critical roles in ITDR, it is just one piece of their overall charter and goal. For security operations center (SOC) professionals, the core mission remains to prevent, detect, and respond to cyberthreats that could impact their organization’s security and business continuity. On a day-to-day basis, identity and security teams proactively harden their security posture, triage and investigate incoming alerts, and, when a true cyberthreat is confirmed, coordinate a rapid and effective response. Within this broader mission, ITDR represents a critical but focused subset. For instance, identity security posture recommendations are essential but only one piece of broader security hardening.

Similarly, identity alerts offer invaluable insights needed to detect anomalous identity activity, but they must be understood in the context of the overall cyberattack. And while identity response actions such as revoking sessions or enforcing multifactor authentication are critical to stop attacks, they must be coordinated with other response actions across endpoints and other domains to block lateral movement.

True defense requires enriching identity signals and delivering them in context as part of a unified threat picture, enabling coordinated response across domains, and continuously improving posture to stay ahead of evolving cyberthreats.

This blog explores how Microsoft is reimagining identity security to meet these challenges head-on—empowering defenders with the clarity, context, and control they need to stay ahead of identity-based threats.

Enriched and insightful: Building the foundation for identity security

Identity security starts with ensuring your environment is protected as a foundation. Visibility across your organization’s unique fabric of interconnected identities, infrastructure, and applications is what enables SOC teams to detect cyberthreats earlier, respond faster, and reduce risk across the board. Because in today’s identity-driven cyberthreat landscape, partial visibility is no longer an option. To meet this challenge, organizations need sensors for on-premises infrastructure and integrations with cloud-based identity solutions to pull in insights from the entirety of their identity fabric.

Understanding this, Microsoft is proud to offer one of the widest sets of dedicated sensors for on-premises identity infrastructure. Domain controllers, Active Directory Federation Services (AD FS), Active Directory Certificate Services (AD CS), and Microsoft Entra ID Connect each serve a distinct purpose within the on-premises identity footprint, and our dedicated sensors are purpose-built to monitor and detect anomalies within their specific activity or configurations.

Additionally, I am excited to announce the general availability of the unified identity and endpoint sensors we unveiled at Microsoft Ignite in 2024. This amazing milestone makes it even easier for new Microsoft Defender for Identity customers to activate identity protections on qualifying domain controllers and start benefiting from identity-specific visibility, posture recommendations, alerts, and automatic attack disruption capabilities within the Defender experience.

Our protections don’t end on-premises, however. Defender’s native integration with Microsoft Entra ID empowers the SOC with real-time visibility into Entra identity activity, risk level, and seamless integration into Zero Trust policies through Conditional Access and user containment. And because identity fabrics are rarely homogenous, Microsoft also supports other cloud identities like Okta, offering unified visibility, posture insights, and ITDR capabilities across platforms.

Raw data on cloud and on-premises accounts is important, but to be truly insightful it needs to be enriched. To do this, we are shifting the paradigm from account-centric to identity-centric. This means correlating information across accounts, platforms, and environments to reveal an identity’s true footprint. With an understanding of how multiple accounts map back to a single identity, the SOC can more accurately investigate and respond to cyberthreats.

This enriched view is especially critical when dealing with privileged identities. Integrations with Privileged Access Management (PAM) solutions further empower security organizations to monitor and protect high-value identities.   

All of this is in addition to the native extended detection and response (XDR) correlation done by Microsoft Defender that automatically links identity signals with insights from other security domains, giving security teams a unified threat picture, breaking down silos, and improving response efficiency. From the Identity page in the Defender portal, SOC analysts can see related devices, applications, and alerts—creating a connected view of the threat landscape. These relationships are also exposed in Advanced Hunting, allowing defenders to query across domains and uncover patterns that would otherwise remain hidden. And because Microsoft extends protections to AI agents, service accounts, third-party identities and more, it can use behavioral signals to detect drift and enforce policy—an area where many competitors simply can’t match.

Context is everything

Microsoft Defender delivers deep, enriched visibility into your unique identity fabric. But the true magic lies in how this intelligence is operationalized within the SOC experience. Defender and Microsoft Entra work together to generate identity alerts, which get correlated into broader security incidents within Microsoft Defender XDR, giving analysts a unified view of threat activity across endpoints, identities, and cloud resources. Similarly, identity-posture recommendations are part of Microsoft’s Exposure Management strategy, where they are surfaced alongside other risk signals to help teams proactively reduce their attack surface. And when a threat is confirmed, automatic attack disruption can dynamically contain not only the compromised user but also the devices and sessions associated with the attack. This contextualization turns the powerful insights into decisive action. And in today’s threat landscape it’s not just about seeing more—it’s about responding smarter, faster.

Getting started

New Defender for Identity customers interested in activating the unified sensor can learn more, including how to deploy, within our documentation here. Existing customers that have already deployed the Defender for Identity sensors do not need to do anything at this time; stay tuned for migration guidance in the coming months.

Learn more about Microsoft ITDR solutions.


1State of Multicloud Security Risk, Microsoft, 2024.

Microsoft Entra Suite delivers 131% ROI by unifying identity and network access http://approjects.co.za/?big=en-us/security/blog/2025/08/04/microsoft-entra-suite-delivers-131-roi-by-unifying-identity-and-network-access/ Mon, 04 Aug 2025 15:00:00 +0000 According to a new Forrester Total Economic Impact™ study, organizations using the Microsoft Entra Suite achieved a 131% ROI, $14.4 million in benefits, and payback in less than six months.

The post Microsoft Entra Suite delivers 131% ROI by unifying identity and network access appeared first on Microsoft Security Blog.

In today’s AI-first world, identity and network access are the first touchpoints for enforcing least privilege and protecting against sophisticated, identity-based attacks—but for many organizations, that defense is fragmented. Siloed teams and disconnected tools create security gaps, operational inefficiencies, and a poor user experience. The Microsoft Entra Suite was built to solve these challenges. As a complete Zero Trust access solution, the Microsoft Entra Suite unifies identity governance, protection, verification, and network access security to deliver consistent, granular access controls across your environment.

The Total Economic Impact™ study of the Microsoft Entra Suite

To quantify the Suite’s impact, Microsoft commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study of Microsoft Entra Suite. Forrester interviewed four decision-makers and surveyed 119 respondents to form a composite reflecting a global enterprise with 85,000 users and USD28,000,000,000 in annual revenue. Forrester found that with the Microsoft Entra Suite, this composite organization experienced USD14,400,000 in benefits over three years, with a net present value of USD8,200,000 and a 131% return on investment (ROI)—driven by faster onboarding, reduced IT overhead, and stronger security.

A green background with a white hexagon and black text that says Microsoft Entra Suite provides 131% ROI and less than 6 months of payback.

This demonstrated value is what drives our continued focus across Microsoft Entra—ensuring organizations can keep pace with evolving security needs and maximize their operational efficiency. The momentum behind these results is fueling the next wave of Microsoft Entra innovation, as mentioned later in this blog and which will be highlighted this week at the Microsoft Entra Suite Summer Camp!

Let’s take a closer look at the findings from The Total Economic Impact™ of the Microsoft Entra Suite, and how organizations are realizing these benefits across four key pillars.

Unify identity and network access with a single policy engine

Organizations today often face inconsistent access policies and security gaps, as different teams configure and enforce policies using disconnected tools, leading to conflicting rules, gaps in protection, and poor coordination. Microsoft Entra Suite empowers organizations to converge access policies, using Conditional Access as a unified policy engine across identities, endpoints, apps, and networks.

With the Microsoft Entra Suite, Forrester found that the composite organization was able to reduce identity-related risk exposure by 30% by enforcing consistent Conditional Access policies and leveraging built-in identity protection, resulting in a three-year, risk-adjusted present value of USD535,000 in security savings.

We went from five engineers managing identity and access management tools to just one. Microsoft Entra Suite unified our stack and freed up resources for higher-value work.

—Chief Financial Officer and Vice President of Strategy in the technology industry

Automate governance and enforce least privilege at scale

As organizations manage more identities and resources, manual and disconnected processes often result in permission creep and increased risk, with threat actors exploiting abandoned or overprivileged accounts to access sensitive resources. It’s critical that organizations ensure only the right identities have access to the right apps and resources at the right time.

A green and white rectangle with black text that says Microsoft Entra Suite reduced ongoing user management time by 80%.

Forrester estimates that with the Microsoft Entra Suite, the composite organization reduced ongoing user management time by 80% through automated governance and lifecycle workflows, yielding a three-year, risk-adjusted present value of USD4,600,000 in IT time savings.

Onboarding used to take hours. Now it’s under 30 minutes. That’s a massive time savings across thousands of users.

—Head of Software and IT in the technology industry

Improve user experiences

Delivering a seamless and secure experience to all employees—regardless of where they work or what resources they need—remains a challenge, especially when outdated and poorly integrated security tools create friction and inefficiency. By implementing risk-based conditional access and extending self-service password reset and passwordless authentication to all apps and resources, organizations not only freed up IT resources and improved productivity, but also delivered a more streamlined and satisfying user experience for their workforce. Forrester estimates that the composite organization decreased the number of password reset help desk tickets by 90%, reducing annual tickets from 80,000 to just 8,000 per year. This dramatic reduction yielded a three-year, risk-adjusted present value of USD2,600,000 in avoided costs, making it easier for employees to get work done securely and efficiently.

With [Microsoft] Entra Suite, we cut onboarding time by 80%, reduced help desk tickets by 90%, and strengthened security—all while improving user experience.

—Director of identity and access management in the IT services industry

Modernize your security by retiring legacy tools

Legacy security solutions often fail to scale for cloud-first, AI-first environments and can be expensive to maintain, weakening both security posture and operational efficiency. The Microsoft Entra Suite enables organizations to reduce their attack surface and protect against identity- and network-based attacks by retiring legacy tools such as traditional firewalls and VPNs. Forrester estimates that customers modernizing their identity and network access security reduced VPN license usage by 60 percent, resulting in estimated savings of USD680,000 over three years.

We eliminated most of our VPN licenses after rolling out Microsoft Entra Private Access. It’s more secure and far more cost-effective.

—Chief Information Security Officer in the security services industry

Read the full Forrester Total Economic Impact™ study to see how Microsoft Entra Suite helped organizations reduce risk, streamline operations, and modernize access.

Alongside these results, we’re excited to announce several new innovations now in public preview across Microsoft Entra including:

  • Group source of authority transfer: Manage on-premises Active Directory groups in the cloud with dynamic, policy-driven governance.
  • Shadow AI and IT visibility: Gain visibility into all software as a service and AI applications accessed by users, derived from real-time network activity monitoring.
  • Threat intelligence filtering: Safeguard users from accessing malicious online destinations by leveraging real-time threat data sourced from Microsoft first-party feeds and more than 40 third-party feeds.
  • Netskope One Advanced Security Service Edge integration*: Get advanced threat protection and unified management against malware, zero-day threats, and data leaks.

Microsoft Entra Suite Summer Camp is happening August 4-7.

Want to learn more about these new features? Join us at the Microsoft Entra Suite Summer Camp this week to see new demos in action and get your questions answered by our product experts!

Learn more

Learn more about the Microsoft Entra Suite and Microsoft Identity and Network Access.


*Licensed separately from the Microsoft Entra Suite
