Identity and access management Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/topic/identity-and-access-management/
Expert coverage of cybersecurity topics. Feed generated Wed, 25 Mar 2026 16:22:59 +0000 (en-US, updated hourly).

Identity security is the new pressure point for modern cyberattacks
http://approjects.co.za/?big=en-us/security/blog/2026/03/25/identity-security-is-the-new-pressure-point-for-modern-cyberattacks/
Wed, 25 Mar 2026 16:00:00 +0000

Read the latest Microsoft Secure Access report for insights into why a unified identity and access strategy offers strong modern protection.

The post Identity security is the new pressure point for modern cyberattacks appeared first on Microsoft Security Blog.

Identity attacks no longer hinge on who a cyberattacker compromises, but on what that identity can access. As organizations manage growing numbers of human, non-human, and agentic identities, their access fabric multiplies across apps, resources, and environments, which increases both operational complexity for identity teams and risk exposure for security teams.


The challenge isn’t just scale, it’s fragmentation. Research in our latest Secure Access report shows that 32% of organizations say their access management solutions are duplicative, and 40% say they have too many different vendors. That vendor fragmentation makes it harder to maintain consistent access controls and to correlate risk across identities. When risk is distributed across dozens of disconnected accounts and permissions, visibility fragments and blind spots emerge—creating ideal conditions for cyberattackers to move laterally without detection. Securing identity in this reality requires more than incremental improvements. It calls for a shift from fragmented controls to an integrated, end-to-end approach that treats identity as a shared control plane, informed by a continuous, foundational security signal.

Why fragmentation fails—and what must replace it

With the traditional model of identity security—built on siloed directories, disconnected access policies, and bolt-on threat detection—cyberattackers don’t have to break defenses, they just move between them. Permissions go uncorrelated, access policies drift as environments evolve, and lateral movement hides in the gaps.


For defenders, this creates a dangerous imbalance. Identity signals flood the security operations center (SOC) without the context to act, while identity teams enforce access without visibility into active cyberthreats. Risk accumulates across systems, but responsibility—and insight—remains fragmented.

Fixing this doesn’t require more alerts or point solutions. It requires an integrated fabric that brings together all of the identities, access, and signals.

A modern identity security solution must unify three critical layers:

  • The identity infrastructure: The systems and services that underpin every access decision. This includes the identity provider, authentication services, single sign-on (SSO), user and group management, and the systems that establish and maintain trust across the enterprise. Without this foundation, there is no authoritative source of truth for who an identity is, what it can access, or how it should be governed. It’s the layer many security vendors lack—and the one Microsoft delivers at global scale.
  • The identity control plane: Where privileged identity management and access decisions are enforced in real time, based on dynamic risk signals, behavioral context, and policy intent. This is where identity and security converge to adapt access as conditions change, powering real-time response to identity threats.
  • End-to-end identity threat protection: Before a cyberattack, it proactively reduces posture risk by eliminating excessive access and closing identity exposure gaps. When threats emerge, it detects identity misuse in real time, surfaces lateral movement, and drives rapid containment—connecting integrated signals and response across the full attack lifecycle.

When these layers operate in isolation, risk is missed. When they operate as one, identity becomes a powerful security signal—enabling earlier detection, smarter decisions, and faster response.

Redefining identity security for real-time defense

Microsoft is delivering a new standard for identity security—one that unifies identity infrastructure, access control, and threat response into a single, real-time platform built for speed, precision, and autonomy.

We start with the identity infrastructure: the foundational identity layer powered by Microsoft Entra. As one of the most widely adopted identity platforms in the world with billions of authentications managed daily, it provides resilient SSO, user and group management, and trust establishment at global scale—a layer many security vendors simply don’t have access to.

We collapse identity sprawl by correlating related accounts across cloud and on-premises into a single identity view, so risk assessment is no longer scattered across disconnected systems. This gives security teams a real-time understanding of what an identity and its correlated accounts can access, not just who it is—allowing them to spot dangerous access paths early, limit impact, and disrupt lateral movement before attackers turn access into impact. Likewise, it gives identity teams visibility into whether a user flagged as high risk was a one-off or is associated with other risky accounts, informing which access decisions to make.

On top of that foundation is a real-time identity control plane designed for how attacks actually unfold. Microsoft Entra Conditional Access continuously evaluates risk as access is used, not just when it’s granted—tracking signals from identity, device, network, and broader threat intelligence throughout the session. As conditions change, access adapts in real time, helping identity teams limit exposure and prevent risky access while giving security teams the ability to interrupt attack paths while activity is still in motion. This is adaptive access driven by connected intelligence—not static policy.

And when risk turns into a threat, we act—automatically and inline, which results in a faster response. Microsoft’s threat protection is differentiated by automatic attack disruption: a capability that intervenes mid-attack to isolate compromised assets by terminating user sessions, revoking access, and applying just-in-time hardening to stop lateral movement and privilege escalation. It’s not just detection—it’s defense in motion.

To accelerate response, we’ve extended Microsoft Security Copilot’s triage agent to identity. It uses AI to filter noise, surface high-confidence alerts, and guide analysts with clear, explainable insights—reducing time to action and analyst fatigue.

This end-to-end approach shifts identity from an expanding source of exposure into a strategic advantage. Instead of reacting after access has already been abused, it helps ensure that risk is evaluated continuously, access decisions are made in real time, and organizations can defend more effectively as attack paths emerge, stopping identity-based attacks before they escalate into business impact.

Innovation that moves the industry forward

At RSAC 2026, we announced a set of innovations in identity security that are designed to help organizations move from fragmented awareness to confident, identity-centric protection:

  • The new identity security dashboard in Microsoft Defender doesn’t just summarize alerts, it reveals where identity risk actually concentrates across human and non-human identities, account types, and providers. Instead of hopping between consoles, teams can immediately see which access paths matter most, where blast radius is largest, and where action will have the greatest impact.
  • A new unified identity risk score correlates more than 100 trillion signals across Microsoft Security, including identity behavior, access risk, and threat signals, into a single, actionable view of risk. This allows teams to move directly from understanding exposure to enforcing protection—applying controls at the point of access, natively through risk-based Conditional Access policies.
  • Adaptive risk remediation helps identity and security teams contain modern cyberattacks more efficiently while maintaining strong protection. When risk is detected, users easily regain access and Microsoft Entra ID Protection adapts risk remediation based on the type of cyberthreat and the credentials used. This reduces reliance on help desk processes and lowers manual response effort.
  • Automatic attack disruption fundamentally changes the outcome of identity-based attacks. Instead of detecting suspicious behavior and waiting for the security teams to respond, it intervenes while cyberattacks are in progress—terminating sessions, revoking access, and applying just-in-time hardening to shut down cyberattacker movement before lateral spread or privilege escalation can occur.
  • Security Copilot’s triage agent now extends to identity. Using AI to collapse signal overload into clear, recommended action, the agent surfaces high-confidence threats, explains why they matter, and guides analysts to the right response while attacks are still unfolding. The result is faster containment with far less analyst fatigue.
  • Expanded coverage across the modern identity fabric, including deeper visibility into non-human identities and new integrations with third-party platforms like SailPoint and CyberArk—providing protection that spans the full ecosystem, not just first-party assets.
  • A new coverage and maturity view helps organizations assess their current identity security posture, identify gaps, and prioritize next steps—transforming identity protection from a static checklist into a dynamic, guided journey.

These innovations are deeply integrated, continuously reinforced, and designed to work together—enabling security and identity teams to operate from a shared source of truth, with shared context, and shared urgency. Read more about redefining identity security for the modern enterprise.

They are designed to help organizations shift from reactive identity management to proactive identity defense—and from fragmented tools to a unified platform built for real-time security across human, non-human, and agentic identities.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Secure agentic AI end-to-end
http://approjects.co.za/?big=en-us/security/blog/2026/03/20/secure-agentic-ai-end-to-end/
Fri, 20 Mar 2026 16:00:00 +0000

In this agentic era, security must be woven into, and around, every layer of the AI estate. At RSAC 2026, we are delivering on that vision with new purpose-built capabilities designed to help organizations secure agents, secure their foundations, and defend using agents and experts.

The post Secure agentic AI end-to-end appeared first on Microsoft Security Blog.

Next week, RSAC™ Conference celebrates its 35-year anniversary as a forum that brings the security community together to address new challenges and embrace opportunities in our quest to make the world a safer place for all. As we look towards that milestone, agentic AI is reshaping industries rapidly as customers transform to become Frontier Firms—those anchored in intelligence and trust and using agents to elevate human ambition, holistically reimagining their business to achieve their highest aspirations. Our recent research shows that 80% of Fortune 500 companies are already using agents.1

At the same time, this innovation is happening against a sea change in AI-powered attacks where agents can become “double agents.” And chief information officers (CIOs), chief information security officers (CISOs), and security decision makers are grappling with the resulting security implications: How do they observe, govern, and secure agents? How do they secure their foundations in this new era? How can they use agentic AI to protect their organization and detect and respond to traditional and emerging threats?

The answer starts with trust, and security has always been the root of trust. In this agentic era, security must be woven into, and around, every layer of the AI estate. It must be ambient and autonomous, just like the AI it protects. This is our vision for security as the core primitive of the AI stack.

At RSAC 2026, we are delivering on that vision with new purpose-built capabilities designed to help organizations secure agents, secure their foundations, and defend using agents and experts. Fueled by more than 100 trillion daily signals, Microsoft Security helps protect 1.6 million customers, one billion identities, and 24 billion Copilot interactions.2 Read on to learn how we can help you secure agentic AI.

Secure agents

Earlier this month, we announced that Agent 365 will be generally available on May 1. Agent 365—the control plane for agents—gives IT, security, and business teams the visibility and tools they need to observe, secure, and govern agents at scale using the infrastructure you already have and trust. It includes new Microsoft Defender, Entra, and Purview capabilities to help you secure agent access, prevent data oversharing, and defend against emerging threats.

Agent 365 is included in Microsoft 365 E7: The Frontier Suite along with Microsoft 365 Copilot, Microsoft Entra Suite, and Microsoft 365 E5, which includes many of the advanced Microsoft Security capabilities below to deliver comprehensive protection for your organization.

Secure your foundations

Along with securing agents, we also need to think of securing AI comprehensively. To truly secure agentic AI, we must secure foundations—the systems that agentic AI is built and runs on and the people who are developing and using AI. At RSAC 2026, we are introducing new capabilities to help you gain visibility into risks across your enterprise, secure identities with continuous adaptive access, safeguard sensitive data across AI workflows, and defend against threats at the speed and scale of AI.

Gain visibility into risks across your enterprise

As AI adoption accelerates, so does the need for comprehensive and continuous visibility into AI risks across your environment—from agents to AI apps and services. We are addressing this challenge with new capabilities that give you insight into risks across your enterprise so you know where AI is showing up, how it is being used, and where your exposure to risk may be growing. New capabilities include:

  • Security Dashboard for AI provides CISOs and security teams with unified visibility into AI-related risk across the organization. Now generally available.
  • Entra Internet Access Shadow AI Detection uses the network layer to identify previously unknown AI applications and surface unmanaged AI usage that might otherwise go undetected. Generally available March 31.
  • Enhanced Intune app inventory provides rich visibility into your app estate installed on devices, including AI-enabled apps, to support targeted remediation of high-risk software. Generally available in May.

Secure identities with continuous, adaptive access

Identity is the foundation of modern security, the most targeted layer in any environment, and the first line of defense. With Microsoft Entra, you can secure access and deliver comprehensive identity security using new capabilities that help you harden your identity infrastructure, improve tenant governance, modernize authentication, and make intelligent access decisions.

  • Entra Backup and Recovery strengthens resilience with an automated backup of Entra directory objects to enable rapid recovery in case of accidental data deletion or unauthorized changes. Now available in preview.
  • Entra Tenant Governance helps organizations discover unmanaged (shadow) Entra tenants and establish consistent tenant policies and governance in multi-tenant environments. Now available in preview.
  • Entra passkey capabilities now include synced passkeys and passkey profiles to enable maximum flexibility for end users, making it easy to move between devices, while organizations looking for maximum control still have the option of device-bound passkeys. Plus, Entra passkeys are now natively integrated into the Windows Hello experience, making phishing-resistant passkey authentication more seamless on Windows devices. Synced passkeys and passkey profiles are generally available; passkey integration into Windows Hello is in preview.
  • Entra external Multi-Factor Authentication (MFA) allows organizations to connect external MFA providers directly with Microsoft Entra so they can leverage pre-existing MFA investments or use highly specialized MFA methods. Now generally available.
  • Entra adaptive risk remediation helps users securely regain access without help-desk friction through automatic self-remediation across authentication methods, adapting to where they are in their modern authentication journey. Generally available in April.
  • Unified identity security provides end-to-end coverage across identity infrastructure, the identity control plane, and identity threat detection and response (ITDR)—built for rapid response and real-time decisions. The new identity security dashboard in Microsoft Defender highlights the most impactful insights across human and non-human identities to help accelerate response, and the new identity risk score unifies account-level risk signals to deliver a comprehensive view of user risk to inform real-time access decisions and SecOps investigations. Now available in preview.

Safeguard sensitive data across AI workflows

With AI embedded in everyday work, sensitive data increasingly moves through prompts, responses, and grounding flows—often faster than policies can keep up. Security teams need visibility into how AI interacts with data as well as the ability to stop data oversharing and data leakage. Microsoft brings data security directly into the AI control plane, giving organizations clear insight into risk, real-time enforcement at the point of use, and the confidence to enable AI responsibly across the enterprise. New Microsoft Purview capabilities include:

  • Expanded Purview data loss prevention for Microsoft 365 Copilot helps block sensitive information such as PII, credit card numbers, and custom data types in prompts from being processed or used for web grounding. Generally available March 31.
  • Purview embedded in Copilot Control System provides a unified view of AI‑related data risk directly in the Microsoft 365 Admin Center. Generally available in April.
  • Purview customizable data security reports enable tailored reporting and drilldowns to prioritized data security risks. Available in preview March 31.

Defend against threats across endpoints, cloud, and AI services

Security teams need proactive 24/7 threat protection that disrupts threats early and contains them automatically. Microsoft is extending predictive shielding to proactively limit impact and reduce exposure, expanding our container security capabilities, and introducing network-layer protection against malicious AI prompts.

  • Entra Internet Access prompt injection protection helps block malicious AI prompts across apps and agents by enforcing universal network-level policies. Generally available March 31.
  • Enhanced Defender for Cloud container security includes binary drift and antimalware prevention to close gaps attackers exploit in containerized environments. Now available in preview.
  • Defender for Cloud posture management adds broader coverage and supports Amazon Web Services and Google Cloud Platform, delivering security recommendations and compliance insights for newly discovered resources. Available in preview in April.
  • Defender predictive shielding dynamically adjusts identity and access policies during active attacks, reducing exposure and limiting impact. Now available in preview.

Defend with agents and experts

To defend in the agentic age, we need agentic defense. This means having an agentic defense platform and security agents embedded directly into the flow of work, augmented by deep human expertise and comprehensive security services when you need them.

Agents built into the flow of security work

Security teams move fastest with targeted help where and when work is happening. As alerts surface and investigations unfold across identities, data, endpoints, and cloud workloads, AI-powered assistance needs to operate alongside defenders. With Security Copilot now included in Microsoft 365 E5 and E7, we are empowering defenders with agents embedded directly into daily security and IT operations that help accelerate response and reduce manual effort so they can focus on what matters most.

New agents available now include:

  • Security Analyst Agent in Microsoft Defender helps accelerate threat investigations by providing contextual analysis and guided workflows. Available in preview March 26.
  • Security Alert Triage Agent in Microsoft Defender builds on the capabilities of the phishing triage agent and extends them to cloud and identity to autonomously analyze, classify, prioritize, and resolve repetitive low-value alerts at scale. Available in preview in April.
  • Enhancements to the Conditional Access Optimization Agent in Microsoft Entra add context-aware recommendations, deeper analysis, and phased rollout to strengthen identity security. Agent generally available; enhancements now available in preview.
  • Enhancements to the Data Security Posture Agent in Microsoft Purview include a credential scanning capability that can be used to proactively detect credential exposure in your data. Now available in preview.
  • Enhancements to the Data Security Triage Agent in Microsoft Purview include an advanced AI reasoning layer and improved interpretation of custom Sensitive Information Types (SITs) to improve agent outputs during alert triage. Agent generally available; enhancements available in preview March 31.
  • Over 15 new partner-built agents extend Security Copilot with additional capabilities, all available in the Security Store.

Scale with an agentic defense platform

To help defenders and agents work together in a more coordinated, intelligence-driven way, Microsoft is expanding Sentinel, the agentic defense platform, to unify context, automate end-to-end workflows, and standardize access, governance, and deployment across security solutions.

  • Sentinel data federation powered by Microsoft Fabric lets you investigate external security data in place in Databricks, Microsoft Fabric, and Azure Data Lake Storage while preserving governance. Now available in preview.
  • Sentinel playbook generator with natural language orchestration helps accelerate investigations and automate complex workflows. Now available in preview.
  • Sentinel granular delegated administrator privileges and unified role-based access control enable secure, scalable management for partners and enterprise customers with cross-tenant collaboration. Now available in preview.
  • Security Store embedded in Purview and Entra makes it easier to discover and deploy agents directly within existing security experiences. Generally available March 31.
  • Sentinel custom graphs powered by Microsoft Fabric enable organization-specific views of the relationships across your environment. Now available in preview.
  • Sentinel model context protocol (MCP) entity analyzer helps automate faster with natural language and harnesses the flexibility of code to accelerate responses. Generally available in April.

Strengthen with experts

Even the most mature security organizations face moments that call for deeper partnership—a sophisticated attack, a complex investigation, a situation where seasoned expertise alongside your team makes all the difference. The Microsoft Defender Experts Suite brings together expert-led services—technical advisory, managed extended detection and response (MXDR), and end-to-end proactive and reactive incident response—to help you defend against advanced cyber threats, build long-term resilience, and modernize security operations with confidence.

Apply Zero Trust for AI

Zero Trust has always been built on three principles: verify explicitly, use least privilege, and assume breach. As AI becomes embedded across your entire environment—from the models you build on, to the data they consume, to the agents that act on your behalf—applying those principles has never been more critical. At RSAC 2026, we’re extending our Zero Trust architecture across the full AI lifecycle—from data ingestion and model training to deployment and agent behavior. And we’re making it actionable with an updated Zero Trust for AI reference architecture, workshop, assessment tool, and new patterns and practices articles to help you improve your security posture.

See you at RSAC

If you’re joining the global security community in San Francisco for RSAC 2026 Conference, we invite you to connect with us. Join us at our Microsoft Pre-Day event and stop by our booth at the RSAC Conference North Expo (N-5744) to explore our latest innovations across Microsoft Agent 365, Microsoft Defender, Microsoft Entra, Microsoft Purview, Microsoft Sentinel, and Microsoft Security Copilot and see firsthand how we can help your organization secure agents, secure your foundation, and help you defend with agents and experts. The future of security is ambient, autonomous, and built for the era of AI. Let’s build it together.

1. Based on Microsoft first-party telemetry measuring agents built with Microsoft Copilot Studio or Microsoft Agent Builder that were in use during the last 28 days of November 2025.

2. Microsoft Fiscal Year 2026 First Quarter Earnings Conference Call and Microsoft Fiscal Year 2026 Second Quarter Earnings Conference Call.

Four priorities for AI-powered identity and network access security in 2026
http://approjects.co.za/?big=en-us/security/blog/2026/01/20/four-priorities-for-ai-powered-identity-and-network-access-security-in-2026/
Tue, 20 Jan 2026 17:00:00 +0000

Discover four key identity and access priorities for the new year to strengthen your organization's identity security baseline.

The post Four priorities for AI-powered identity and network access security in 2026 appeared first on Microsoft Security Blog.

No doubt, your organization has been hard at work over the past several years implementing industry best practices, including a Zero Trust architecture. But even so, the cybersecurity race only continues to intensify.

AI has quickly become a powerful tool misused by threat actors, who use it to slip into the tiniest crack in your defenses. They use AI to automate and launch password attacks and phishing attempts at scale, craft emails that seem to come from people you know, manufacture voicemails and videos that impersonate people, join calls, request IT support, and reset passwords. They even use AI to rewrite AI agents on the fly as they compromise and traverse your network.

To stay ahead in the coming year, we recommend four priorities for identity security leaders:

  1. Implement fast, adaptive, and relentless AI-powered protection.
  2. Manage, govern, and protect AI and agents.
  3. Extend Zero Trust principles everywhere with an integrated Access Fabric security solution.
  4. Strengthen your identity and access foundation to start secure and stay secure.


1. Implement fast, adaptive, and relentless AI-powered protection

2026 is the year to integrate AI agents into your workflows to reduce risk, accelerate decisions, and strengthen your defenses.

While security systems generate plenty of signals, the work of turning that data into clear next steps is still too manual and error-prone. Investigations, policy tuning, and response actions require stitching together an overwhelming volume of context from multiple tools, often under pressure. When cyberattackers are operating at the speed and scale of AI, human-only workflows constrain defenders.

That’s where generative AI and agentic AI come in. Instead of reacting to incidents after the fact, AI agents help your identity teams proactively design, refine, and govern access. Which policies should you create? How do you keep them current? Agents work alongside you to identify policy gaps, recommend smarter and more consistent controls, and continuously improve coverage without adding friction for your users. You can interact with these agents the same way you’d talk to a colleague. They can help you analyze sign-in patterns, existing policies, and identity posture to understand what policies you need, why they matter, and how to improve them.

In a recent study, identity admins using the Conditional Access Optimization Agent in Microsoft Entra completed Conditional Access tasks 43% faster and 48% more accurately across tested scenarios. These gains directly translate into a stronger identity security posture with fewer gaps for cyberattackers to exploit. Microsoft Entra also includes built-in AI agents for reasoning over users, apps, sign-ins, risks, and configurations in context. They can help you investigate anomalies, summarize risky behavior, review sign-in changes, remediate and investigate risks, and refine access policies.

The real advantage of AI-powered protection is speed, scale, and adaptability. Static, human-only workflows just can’t keep up with constantly evolving cyberattacks. Working side-by-side with AI agents, your teams can continuously assess posture, strengthen access controls, and respond to emerging risks before they turn into compromise.

Where to learn more: Get started with Microsoft Security Copilot agents in Microsoft Entra to help your team with everyday tasks and the complex scenarios that matter most.

2. Manage, govern, and protect AI and agents

Another critical shift is to make every AI agent a first-class identity and govern it with the same rigor as human identities. This means inventorying agents, assigning clear ownership, governing what they can access, and applying consistent security standards across all identities.

Just as unsanctioned software as a service (SaaS) apps once created shadow IT and data leakage risks, organizations now face agent sprawl—an exploding number of AI systems that can access data, call external services, and act autonomously. While you want your employees to get the most out of these powerful and convenient productivity tools, you also want to protect them from new risks.

Fortunately, the same Zero Trust principles that apply to human employees apply to AI agents, and now you can use the same tools to manage both. You can also add more advanced controls: monitoring agent interaction with external services, enforcing guardrails around internet access, and preventing sensitive data from flowing into unauthorized AI or SaaS applications.

With Microsoft Entra Agent ID, you can register and manage agents using familiar Entra experiences. Each agent receives its own identity, which improves visibility and auditability across your security stack. Requiring a human sponsor to govern an agent’s identity and lifecycle helps prevent orphaned agents and preserves accountability as agents and teams evolve. You can even automate lifecycle actions to onboard and retire agents. With Conditional Access policies, you can block risky agents and set guardrails for least privilege and just-in-time access to resources.

To govern how employees use agents and to prevent misuse, you can turn to Microsoft Entra Internet Access, included in Microsoft Entra Suite. It’s now a secure web and AI gateway that works with Microsoft Defender to help you discover use of unsanctioned private apps, shadow IT, generative AI, and SaaS apps. It also protects against prompt injection attacks and prevents data exfiltration by integrating network filtering with Microsoft Purview classification policies.

When you have observability into everything that traverses your network, you can embrace AI confidently while ensuring that agents operate safely, responsibly, and in line with organizational policy.

Where to learn more: Get started with Microsoft Entra Agent ID and Microsoft Entra Suite.

3. Extend Zero Trust principles everywhere with an integrated Access Fabric security solution

There’s often a gap between what your identity system can see and what’s happening on the network. That’s why our next recommendation is to unify the identity and network access layers of your Zero Trust architecture, so they can share signals and reinforce each other’s strengths through a unified policy engine. This gives you deeper visibility into and finer control over every user session.

Today, enterprise organizations juggle an average of five different identity solutions and four different network access solutions, usually from multiple vendors.1 Each solution enforces access differently with disconnected policies that limit visibility across identity and network layers. Cyberattackers are weaponizing AI to scale phishing campaigns and automate intrusions to exploit the seams between these siloed solutions, resulting in more breaches.2

An access security platform that integrates context from identity, network, and endpoints creates a dynamic safety net—an Access Fabric—that surrounds every digital interaction and helps keep organizational resources secure. An Access Fabric solution wraps every connection, session, and resource in consistent, intelligent access security, wherever work happens—in the cloud, on-premises, or at the edge. Because it reasons over context from identity, network, devices, agents, and other security tools, it determines access risk more accurately than an identity-only system. It continuously re‑evaluates trust across authentication and network layers, so it can enforce real‑time, risk‑based access decisions beyond first sign‑in.

Microsoft Entra delivers integrated access security across AI and SaaS apps, internet traffic, and private resources by bringing identity and network access controls together under a unified Zero Trust policy engine, Microsoft Entra Conditional Access. It continuously monitors user and network risk levels. If any of those risk levels change, it enforces policies that adapt in real time, so you can block access for users, apps, and even AI agents before they cause damage.

Your security teams can set policies in one central place and trust Entra to enforce them everywhere. The same adaptive controls protect human users, devices, and AI agents wherever they move, closing access security gaps while reducing the burden of managing multiple policies across multiple tools.

Where to learn more: Read our Access Fabric blog and learn more in our new four-part webinar series.

4. Strengthen your identity and access foundation to start secure and stay secure

To address modern cyberthreats, you need to start from a secure baseline—anchored in phishing‑resistant credentials and strong identity proofing—so only the right person can access your environment at every step of authentication and recovery.

A baseline security model sets minimum guardrails for identity, access, hardening, and monitoring. These guardrails include must-have controls, like those in security defaults, Microsoft-managed Conditional Access policies, or Baseline Security Mode in Microsoft 365. This approach includes moving away from easily compromised credentials like passwords and adopting passkeys to balance security with a fast, familiar sign-in experience. Equally important is high‑assurance account recovery and onboarding that combines a government‑issued ID with a biometric match to ensure that no bad actors or AI impersonators gain access.

Microsoft Entra makes it easy to implement these best practices. You can require phishing‑resistant credentials for any account accessing your environment and tailor passkey policies based on risk and regulatory needs. For example, admins or users in highly regulated industries can be required to use device‑bound passkeys such as physical security keys or Microsoft Authenticator, while other worker groups can use synced passkeys for a simpler experience and easier recovery. At a minimum, protect all admin accounts with phishing‑resistant credentials included in Microsoft Entra ID. You can even require new employees to set up a passkey before they can access anything. With Microsoft Entra Verified ID, you can add a live‑person check and validate government‑issued ID for both onboarding and account recovery.

Combining access control policies with device compliance, threat detection, and identity protection will further fortify your foundation. 

Where to learn more: Read our latest blog on passkeys and account recovery with Verified ID and learn how you can enable passkeys for your organization.

Support your identity and network access priorities with Microsoft

The plan for 2026 is straightforward: use AI to automate protection at speed and scale, protect the AI and agents your teams use to boost productivity, extend Zero Trust principles with an Access Fabric solution, and strengthen your identity security baseline. These measures will give your organization the resilience it needs to move fast without compromise. The threats will keep evolving—but you can tip the scales in your favor against increasingly sophisticated cyberattackers.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1Secure employee access in the age of AI report, Microsoft.

2Microsoft Digital Defense Report 2025.

Access Fabric: A modern approach to identity and network access
http://approjects.co.za/?big=en-us/security/blog/2025/12/17/access-fabric-a-modern-approach-to-identity-and-network-access/
Wed, 17 Dec 2025 17:00:00 +0000

An Access Fabric is a unified access security solution that continuously decides who can access what, from where, and under what conditions—in real time.

Today, most organizations use multiple identity systems and multiple network access solutions from multiple vendors. This happens, either intentionally or organically, when different areas of a company choose different tools, creating a fragmented environment that leaves weaknesses that cyberattackers are quick to weaponize.

Simply adding more tools isn’t enough. No matter how many you have, when identity systems and network security systems don’t work together, visibility drops, gaps form, and risks skyrocket. A unified, adaptive approach to access security, in contrast, can better ensure that only the right users are accessing your data and resources from the right places.

When identity and network access work in concert, sharing signals and amplifying each other’s strengths through a unified policy engine, they create a dynamic safety net—an Access Fabric—that continuously evaluates trust at the authentication and network levels throughout every session and enforces risk-based access decisions in real time, not just at first sign-in.

AI is amplifying the risk of defensive seams and gaps

Access isn’t a single wall between your organizational resources and cyberthreats. It’s a lattice of decisions about people, devices, applications, agents, and networks. With multiple tools, management becomes patchwork: identity controls in this console, network controls over there, endpoint rules somewhere else, and software as a service (SaaS) configurations scattered across dozens of admin planes. Although each solution strives to do the right thing, the overall experience is disjointed, the signals are incomplete, and the policies are rarely consistent.

In the age of AI, this fragmentation is dangerous. In fact, 79% of organizations that use six or more identity and network solutions reported an increase in significant breaches.1 Threat actors are using AI to get better at finding and exploiting weaknesses in defenses. For example, our data shows that threat actors are using AI to make phishing campaigns four and a half times more effective and to automate intrusion vectors at scale.2

The best strategy moving forward is to remove seams and close gaps that cyberattackers target. This is what an Access Fabric does. It isn’t a product or platform but a unified approach to access security across AI and SaaS apps, internet traffic, and private resources to protect every identity, access point, session, and resource with the same adaptive controls.

An Access Fabric solution continuously decides who can access what, from where, and under what conditions—in real time. It reduces complexity and closes the gaps that cyberattackers look for, because the same adaptive controls protect human users, devices, and even AI agents as they move between locations and networks.

Why a unified approach to access security is better than a fragmented one

Let’s use an everyday example to illustrate the difference between an access security approach that uses fragmented tools versus one that uses an Access Fabric solution.

It’s a typical day at the office. After signing into your laptop and opening your confidential sales report, it hits you: You need coffee. There’s a great little cafe just in your building, so you pop downstairs with your laptop and connect to its public wireless network.

Unfortunately, disconnected identity and security systems won’t catch that you just switched from a secure network to a public one. This means that the token issued while you were connected to your secure network will stay valid until it expires. In other words, until the token times out, you can still connect to sensitive resources, like your sales report. What’s more, anything you access is now exposed over the cafe’s public wireless network to anyone nearby—even to AI-empowered cyberattackers stalking the public network, just waiting to pounce.

The system that issued your token worked exactly as designed. It simply had no mechanism to receive a signal from your laptop that you had switched to an insecure network mid-session.

Now let’s revise this scenario. This time you, your device, your applications, and your data are wrapped in the protection of an Access Fabric solution that connects identity, device, and network signals. You still need coffee and you still go down to the cafe. This time, however, your laptop sends a signal the moment you connect to the cafe’s public wireless network, triggering a policy that immediately revokes access to your confidential sales report.

The Access Fabric solution doesn’t simply trust a “one-and-done” sign-in but applies the Zero Trust principles of “never trust, always verify” and “assume breach” to keep checking: Is this still really you? Is your device still healthy? Is this network trustworthy? How sensitive is the app or data you’re trying to access?

Anything that looks off, like a change in network conditions, triggers a policy that automatically tightens or even pauses your access to sensitive resources. You don’t have to think about it. The safety net is always there, weaving identity and network signals together, updating risk scores, and continuously re-evaluating access to keep your data safe, wherever you are.

By weaving protection into every connection and every node at the authentication and network levels—an approach that integrates identity, networking, device, application, and data access solutions—and continuously responding to risk signals in real time, an Access Fabric solution transforms access security from disconnected tools into a living system of trust that adapts as threats, user scenarios, and digital environments evolve.

What makes an Access Fabric solution effective

For an Access Fabric solution to secure access in hybrid work environments effectively, it must be contextual, connected, and continuous.

  • Contextual: Instead of granting a human user, device, or autonomous agent access based on a password or one-time authentication token, a rich set of signals across identity, device posture, network telemetry, and business context informs every access decision. If context changes, the policy engine re-evaluates conditions and reassesses risk in real time.
  • Connected: Instead of operating independently, identity and network controls share signals and apply consistent policies across applications, endpoints, and network edges. When identity and network telemetry reinforce one another, access decisions become comprehensive and dynamic instead of disjointed and episodic. This unified approach simplifies governance for security teams, who can set policies in one place.
  • Continuous: Verification at the authentication and network levels is ongoing throughout every session—not just at sign-in—as users, devices, and agents interact with resources. The policy engine at the heart of the solution is always learning and adapting. If risk levels change in response to a shift in device health, network activity, or suspicious behavior, the system responds instantly to mitigate cyberthreats before they escalate.
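The cafe scenario above and the contextual, connected and continuous properties, as an added Python simulation (not code from the post or from any Microsoft product): a static token check that stays valid until expiry beside a policy engine that re-evaluates every active grant the moment a network-change signal arrives. The signal names, rules and values are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Token:
    """All a fragmented identity system keeps checking: the token issued at sign-in."""
    subject: str
    issued_at: int  # seconds since an arbitrary epoch (constructed values)
    lifetime: int   # seconds

    def is_valid(self, now: int) -> bool:
        return now < self.issued_at + self.lifetime


@dataclass
class SessionContext:
    """Signals an Access Fabric reasons over on every request (constructed fields)."""
    token: Token
    network_trusted: bool   # corporate network vs. the cafe's public Wi-Fi
    device_compliant: bool  # device health as reported by the endpoint
    user_risk: str = "low"  # low | medium | high


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str        # low | high


def static_decision(ctx: SessionContext, resource: Resource, now: int) -> Decision:
    """Fragmented model: a token issued at sign-in grants access until it expires."""
    return Decision.ALLOW if ctx.token.is_valid(now) else Decision.DENY


def fabric_decision(ctx: SessionContext, resource: Resource, now: int) -> Decision:
    """Contextual model: the token is necessary but not sufficient for sensitive data."""
    if not ctx.token.is_valid(now) or ctx.user_risk == "high":
        return Decision.DENY
    if resource.sensitivity == "high" and not (ctx.network_trusted and ctx.device_compliant):
        return Decision.DENY
    return Decision.ALLOW


class AccessFabric:
    """Connected and continuous: shared signals drive one engine that re-checks active grants."""

    def __init__(self, engine: Callable[..., Decision] = fabric_decision) -> None:
        self.engine = engine
        self.active: dict[tuple[str, str], tuple[SessionContext, Resource]] = {}

    def request(self, ctx: SessionContext, resource: Resource, now: int) -> Decision:
        decision = self.engine(ctx, resource, now)
        if decision is Decision.ALLOW:
            self.active[(ctx.token.subject, resource.name)] = (ctx, resource)
        return decision

    def on_signal(self, subject: str, now: int, **changes) -> list[str]:
        """Apply a context change for one subject; return the resources whose grants were revoked."""
        revoked = []
        for key, (ctx, resource) in list(self.active.items()):
            if key[0] != subject:
                continue
            for field_name, value in changes.items():
                setattr(ctx, field_name, value)
            if self.engine(ctx, resource, now) is Decision.DENY:
                revoked.append(resource.name)
                del self.active[key]
        return revoked


def walk_through_cafe(engine: Callable[..., Decision]) -> list[tuple[str, str]]:
    """Replay the scenario request by request: office, cafe Wi-Fi, then token expiry."""
    token = Token(subject="sales-user", issued_at=0, lifetime=3600)
    report = Resource(name="confidential sales report", sensitivity="high")
    ctx = SessionContext(token=token, network_trusted=True, device_compliant=True)
    trail = [("office", engine(ctx, report, 60).value)]
    ctx.network_trusted = False  # laptop joins the cafe's public wireless network
    trail.append(("cafe", engine(ctx, report, 600).value))
    trail.append(("cafe, token expired", engine(ctx, report, 3700).value))
    return trail


def cafe_with_signals() -> list[str]:
    """Revised scenario: the network-change signal itself revokes only the sensitive grant."""
    fabric = AccessFabric()
    token = Token(subject="sales-user", issued_at=0, lifetime=3600)
    report = Resource(name="confidential sales report", sensitivity="high")
    menu = Resource(name="cafeteria menu", sensitivity="low")
    ctx = SessionContext(token=token, network_trusted=True, device_compliant=True)
    fabric.request(ctx, report, 60)
    fabric.request(ctx, menu, 61)
    return fabric.on_signal("sales-user", now=600, network_trusted=False)
```

Running `walk_through_cafe` with each engine shows the difference the post describes: the static check keeps allowing the report from the cafe until the token times out, while the fabric denies it at the first request after the network change, and `cafe_with_signals` shows the revocation happening on the signal itself rather than waiting for the next request.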

With an Access Fabric solution, life gets more secure for everyone. Identity and network access teams can configure comprehensive policies, review granular logs, and take coordinated action in one place. They can deliver better security while employees get a more consistent and intuitive experience, which improves security even more. Organizations can experiment with AI more safely because their Access Fabric solution will ensure that machine identities and AI agents play by the same smart rules as people.

By moving beyond static identity checks to real-time, context-aware access decisions, an Access Fabric solution delivers stronger access security and a smoother user experience wherever and however work happens.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1Secure employee access in the age of AI.

2Microsoft Digital Defense Report 2025.

Microsoft named a Leader in the Gartner® Magic Quadrant™ for Access Management for the ninth consecutive year
http://approjects.co.za/?big=en-us/security/blog/2025/11/21/microsoft-named-a-leader-in-the-gartner-magic-quadrant-for-access-management-for-the-ninth-consecutive-year/
Fri, 21 Nov 2025 17:00:00 +0000

We’re happy to share that Microsoft has been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Access Management for the ninth consecutive year.

I’m deeply grateful to our customers and partners for their continued trust and collaboration. We’re happy to share that Microsoft has been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Access Management for the ninth consecutive year. We feel this recognition underscores the impact and value of our innovative solutions, like Microsoft Entra.

The Gartner Magic Quadrant showing Microsoft as a Leader.
Figure 1. Magic Quadrant for Access Management.

Staying ahead of the evolving cyberthreat landscape

Every day, Microsoft processes more than 100 trillion signals from our services. Together with insights from researchers, law enforcement, and cybersecurity teams, these signals reveal how quickly the threat landscape continues to evolve.

We’ve observed nation-state actors and organized cybercrime groups joining forces to deploy generative AI that automates cyberattacks at unprecedented scale. With password spray or brute force attacks still accounting for more than 97% of identity-related alerts we see, more customers are turning on multifactor authentication to defend themselves.1 Multifactor authentication also reduces the risk of identity compromise by more than 99%, making it the single most important security measure an organization can implement.1 This is forcing bad actors to evolve their tactics.

Using sophisticated phishing attacks, they trick users into authenticating on fake sites so they can intercept multifactor authentication codes and session tokens. And now they’re even using generative AI to impersonate colleagues and help desk personnel in fraudulent emails and Microsoft Teams chats, luring users into authenticating on their behalf or into granting broad permissions to malicious applications. They’re also targeting workloads, such as AI agents, which use non-human identities that may not have the same level of protection as human users.

This growing cyberthreat landscape is why a comprehensive, integrated identity and access management (IAM) strategy with strong identity governance and agentic AI controls is vital to every organization’s security posture.

A unified solution to simplify and strengthen security

Microsoft Entra is our unified secure access solution that simplifies IAM and consumer IAM (CIAM) for organizations and applications of all sizes across all industries. Instead of having to assemble multiple tools or rely on fragmented processes, security teams get a streamlined experience with centralized visibility and control.

And since we have fully integrated generative AI into the Microsoft Entra admin center, strengthening security posture is as simple as chatting with Microsoft Security Copilot, for example, to create and troubleshoot lifecycle workflows that automate joiner, mover, and leaver scenarios. Security teams can also use natural language prompting to investigate and respond to cyberthreats to any kind of identity.

We’ve also made it easier for developers to integrate authentication into their apps with Microsoft Entra External ID. New capabilities include AI-based tools for creating highly customized sign-up/sign-in flows and automated tools for migrating apps from Azure AD B2C or a third-party platform to External ID.

Check out more Microsoft Ignite 2025 product announcements here, including new Microsoft Entra Agent ID capabilities, an expanded lineup of Security Copilot agents in Entra, synced passkeys, and more.

Investing to secure identities for the AI era

A comprehensive IAM solution for non-human identities requires visibility into your organization’s AI agents. We introduced Microsoft Entra Agent ID, which creates enterprise identities for AI agents. Now identity admins can manage and govern agents using the same granular access controls and lifecycle workflows they already use to manage and govern users and applications.

We’ve also expanded Security Copilot to include agents. For example, the Conditional Access Optimization Agent detects policy gaps and provides actionable recommendations to strengthen Zero Trust enforcement and eliminate blind spots.

The Access Review agent, currently in preview, surfaces intelligent recommendations directly in Microsoft Teams. It uses AI to analyze sign-in activity, peer group changes, and unusual access patterns, making access reviews faster and more secure.

Innovations such as these represent our continued commitment to securing all identities and access points. Stay tuned for more exciting advancements coming your way at Microsoft Ignite.

Explore more

Are you a regular user of Microsoft Entra ID? Share your insights on Microsoft Entra ID and get rewarded with a $25 gift card on Gartner Peer Insights™.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 


1Microsoft Digital Defense Report 2025

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft. 

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. 

Gartner, Magic Quadrant for Access Management, 11 November 2025, by Brian Guthrie, Nathan Harris, Yemi Davies, Steve Wessels.

Harden your identity defense with improved protection, deeper correlation, and richer context
http://approjects.co.za/?big=en-us/security/blog/2025/10/23/harden-your-identity-defense-with-improved-protection-deeper-correlation-and-richer-context/
Thu, 23 Oct 2025 16:00:00 +0000

Expanded ITDR features—including the new Microsoft Defender for Identity sensor, now generally available—bring improved protection, correlation, and context to help customers modernize their identity defense.

In today’s digital-first enterprise, identities have become the new corporate security perimeter. Hybrid work and cloud-first strategies have dissolved traditional network boundaries and dramatically increased the complexity of identity fabrics. Security teams are left managing a constellation of users, infrastructure, and tools scattered across hybrid environments or even multivendor ecosystems. To put the threat into perspective, we saw more than 7,000 password attacks every second in 2024, and on average 66% of attack paths involve some type of identity compromise.1 AI is further amplifying this challenge by introducing a surge of non-human identities that require distinct protection and capabilities.

This evolution demands a fundamental shift in Identity Threat Detection and Response (ITDR). It’s no longer simply about protecting users; it requires consistent, comprehensive protection for every piece of the identity fabric, whether human or non-human, on-premises or in the cloud, from Microsoft or another vendor.

ITDR for the modern enterprise

Successful identity security practices understand that seams in protection are the real enemy of identity security. A unified approach between identity and security teams is a necessity, and our unique perspective as both a leading identity and security provider allows us to further streamline the flow of contextual insights, actions, and workflows across these groups, minimizing the potential for gaps or oversight.


While both identity and security teams play critical roles in ITDR, it is just one piece of their overall charter and goal. For security operations center (SOC) professionals, the core mission remains to prevent, detect, and respond to cyberthreats that could impact their organization’s security and business continuity. On a day-to-day basis, identity and security teams proactively harden their security posture, triage and investigate incoming alerts, and, when a true cyberthreat is confirmed, coordinate a rapid and effective response. Within this broader mission, ITDR represents a critical but focused subset. For instance, identity security posture recommendations are essential but only one piece of broader security hardening.

Similarly, identity alerts offer invaluable insights needed to detect anomalous identity activity, but they must be understood in the context of the overall cyberattack. And while identity response actions such as revoking sessions or enforcing multifactor authentication are critical to stop attacks, they must be coordinated with other response actions across endpoints and other domains to block lateral movement.

True defense requires enriching identity signals and delivering them in context as part of a unified threat picture, enabling coordinated response across domains, and continuously improving posture to stay ahead of evolving cyberthreats.

This blog explores how Microsoft is reimagining identity security to meet these challenges head-on—empowering defenders with the clarity, context, and control they need to stay ahead of identity-based threats.

Enriched and insightful: Building the foundation for identity security

Identity security starts with ensuring your environment is protected as a foundation. Visibility across your organization’s unique fabric of interconnected identities, infrastructure, and applications is what enables SOC teams to detect cyberthreats earlier, respond faster, and reduce risk across the board. Because in today’s identity-driven cyberthreat landscape, partial visibility is no longer an option. To meet this challenge, organizations need sensors for on-premises infrastructure and integrations with cloud-based identity solutions to pull in insights from the entirety of their identity fabric.

Understanding this, Microsoft is proud to offer one of the widest sets of dedicated sensors for on-premises identity infrastructure. Domain controllers, Active Directory Federation Services (AD FS), Active Directory Certificate Services (AD CS), and Microsoft Entra ID Connect each serve a distinct purpose within the on-premises identity footprint, and our dedicated sensors are purpose-built to monitor and detect anomalies within their specific activity or configurations.

Additionally, I am excited to announce the general availability of the unified identity and endpoint sensors we unveiled at Microsoft Ignite in 2024. This amazing milestone makes it even easier for new Microsoft Defender for Identity customers to activate identity protections on qualifying domain controllers and start benefiting from identity-specific visibility, posture recommendations, alerts, and automatic attack disruption capabilities within the Defender experience.

Our protections don’t end on-premises, however. Defender’s native integration with Microsoft Entra ID empowers the SOC with real-time visibility into Entra identity activity and risk level, and seamless integration into Zero Trust policies through Conditional Access and user containment. And because identity fabrics are rarely homogeneous, Microsoft also supports other cloud identities like Okta, offering unified visibility, posture insights, and ITDR capabilities across platforms.

Raw data on cloud and on-premises accounts is important, but to be truly insightful it needs to be enriched. To do this, we are shifting the paradigm from account-centric to identity-centric. This means correlating information across accounts, platforms, and environments to reveal an identity’s true footprint. With an understanding of how multiple accounts map back to a single identity, the SOC can more accurately investigate and respond to cyberthreats.


This enriched view is especially critical when dealing with privileged identities. Integrations with Privileged Access Management (PAM) solutions further empower security organizations to monitor and protect high-value identities.   

All of this is in addition to the native extended detection and response (XDR) correlation done by Microsoft Defender that automatically links identity signals with insights from other security domains, giving security teams a unified threat picture, breaking down silos, and improving response efficiency. From the Identity page in the Defender portal, SOC analysts can see related devices, applications, and alerts—creating a connected view of the threat landscape. These relationships are also exposed in Advanced Hunting, allowing defenders to query across domains and uncover patterns that would otherwise remain hidden. And because Microsoft extends protections to AI agents, service accounts, third-party identities and more, it can use behavioral signals to detect drift and enforce policy—an area many competitors simply can’t match.

Context is everything

Microsoft Defender delivers deep, enriched visibility into your unique identity fabric. But the true magic lies in how this intelligence is operationalized within the SOC experience. Defender and Microsoft Entra work together to generate identity alerts, which get correlated into broader security incidents within Microsoft Defender XDR, giving analysts a unified view of threat activity across endpoints, identities, and cloud resources. Similarly, identity-posture recommendations are part of Microsoft’s Exposure Management strategy, where they are surfaced alongside other risk signals to help teams proactively reduce their attack surface. And when a threat is confirmed, automatic attack disruption can dynamically contain not only the compromised user but also the devices and sessions associated with the attack. This contextualization turns powerful insights into decisive action. And in today’s threat landscape it’s not just about seeing more—it’s about responding smarter, faster.


Getting started

New Defender for Identity customers interested in activating the unified sensor can learn more, including how to deploy, in our documentation here. Existing customers that have already deployed the Defender for Identity sensors do not need to do anything at this time; stay tuned for migration guidance in the coming months.

Learn more about Microsoft ITDR solutions.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1State of Multicloud Security Risk, Microsoft, 2024.

The post Harden your identity defense with improved protection, deeper correlation, and richer context appeared first on Microsoft Security Blog.

]]>
Microsoft Entra Suite delivers 131% ROI by unifying identity and network access http://approjects.co.za/?big=en-us/security/blog/2025/08/04/microsoft-entra-suite-delivers-131-roi-by-unifying-identity-and-network-access/ Mon, 04 Aug 2025 15:00:00 +0000 http://approjects.co.za/?big=en-us/security/blog/?p=141402 According to a new Forrester Total Economic Impact™ study, organizations using the Microsoft Entra Suite achieved a 131% ROI, $14.4 million in benefits, and payback in less than six months.

The post Microsoft Entra Suite delivers 131% ROI by unifying identity and network access appeared first on Microsoft Security Blog.

]]>
In today’s AI-first world, identity and network access are the first touchpoints for enforcing least privilege and protecting against sophisticated, identity-based attacks—but for many organizations, that defense is fragmented. Siloed teams and disconnected tools create security gaps, operational inefficiencies, and a poor user experience. The Microsoft Entra Suite was built to solve these challenges. As a complete Zero Trust access solution, the Microsoft Entra Suite unifies identity governance, protection, verification, and network access security to deliver consistent, granular access controls across your environment.

The Total Economic Impact™ study of the Microsoft Entra Suite

To quantify the Suite’s impact, Microsoft commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study of Microsoft Entra Suite. Forrester interviewed four decision-makers and surveyed 119 respondents to form a composite reflecting a global enterprise with 85,000 users and USD28,000,000,000 in annual revenue. Forrester found that with the Microsoft Entra Suite, this composite organization experienced USD14,400,000 in benefits over three years, with a net present value of USD8,200,000 and a 131% return on investment (ROI)—driven by faster onboarding, reduced IT overhead, and stronger security.

Figure: Microsoft Entra Suite provides 131% ROI and less than 6 months of payback.

This demonstrated value is what drives our continued focus across Microsoft Entra—ensuring organizations can keep pace with evolving security needs and maximize their operational efficiency. The momentum behind these results is fueling the next wave of Microsoft Entra innovation, which is mentioned later in this blog and will be highlighted this week at the Microsoft Entra Suite Summer Camp!

Let’s take a closer look at the findings from The Total Economic Impact™ of the Microsoft Entra Suite, and how organizations are realizing these benefits across four key pillars.

Unify identity and network access with a single policy engine

Organizations today often face inconsistent access policies and security gaps because different teams configure and enforce policies using disconnected tools, leading to conflicting rules, gaps in protection, and poor coordination. Microsoft Entra Suite empowers organizations to converge access policies, using Conditional Access as a unified policy engine across identities, endpoints, apps, and networks.

With the Microsoft Entra Suite, Forrester found that the composite organization was able to reduce identity-related risk exposure by 30% by enforcing consistent Conditional Access policies and leveraging built-in identity protection, resulting in a three-year, risk-adjusted present value of USD535,000 in security savings.

We went from five engineers managing identity and access management tools to just one. Microsoft Entra Suite unified our stack and freed up resources for higher-value work.

—Chief Financial Officer and Vice President of Strategy in the technology industry

Automate governance and enforce least privilege at scale

As organizations manage more identities and resources, manual and disconnected processes often result in permission creep and increased risk, with threat actors exploiting abandoned or overprivileged accounts to access sensitive resources. It’s critical that organizations ensure only the right identities have access to the right apps and resources at the right time.

Figure: Microsoft Entra Suite reduced ongoing user management time by 80%.

Forrester estimates that with the Microsoft Entra Suite, the composite organization reduced ongoing user management time by 80% through automated governance and lifecycle workflows, yielding a three-year, risk-adjusted present value of USD4,600,000 in IT time savings.

Onboarding used to take hours. Now it’s under 30 minutes. That’s a massive time savings across thousands of users.

—Head of Software and IT in the technology industry

Improve user experiences

Delivering a seamless and secure experience to all employees—regardless of where they work or what resources they need—remains a challenge, especially when outdated and poorly integrated security tools create friction and inefficiency. By implementing risk-based Conditional Access and extending self-service password reset and passwordless authentication to all apps and resources, organizations not only freed up IT resources and improved productivity, but also delivered a more streamlined and satisfying user experience for their workforce. Forrester estimates that the composite organization decreased the number of password reset help desk tickets by 90%, reducing annual tickets from 80,000 to just 8,000. This dramatic reduction yielded a three-year, risk-adjusted present value of USD2,600,000 in avoided costs, making it easier for employees to get work done securely and efficiently.

With [Microsoft] Entra Suite, we cut onboarding time by 80%, reduced help desk tickets by 90%, and strengthened security—all while improving user experience.

—Director of identity and access management in the IT services industry

Modernize your security by retiring legacy tools

Legacy security solutions often fail to scale for cloud-first, AI-first environments and can be expensive to maintain, weakening both security posture and operational efficiency. The Microsoft Entra Suite enables organizations to reduce their attack surface and protect against identity- and network-based attacks by retiring legacy tools such as traditional firewalls and VPNs. Forrester estimates that customers modernizing their identity and network access security reduced VPN license usage by 60%, resulting in estimated savings of USD680,000 over three years.

We eliminated most of our VPN licenses after rolling out Microsoft Entra Private Access. It’s more secure and far more cost-effective.

—Chief Information Security Officer in the security services industry

Read the full Forrester Total Economic Impact™ study to see how Microsoft Entra Suite helped organizations reduce risk, streamline operations, and modernize access.

Alongside these results, we’re excited to announce several new innovations now in public preview across Microsoft Entra including:

  • Group source of authority transfer: Manage on-premises Active Directory groups in the cloud with dynamic, policy-driven governance.
  • Shadow AI and IT visibility: Gain visibility into all software as a service and AI applications accessed by users, derived from real-time network activity monitoring.
  • Threat intelligence filtering: Safeguard users from accessing malicious online destinations by leveraging real-time threat data sourced from Microsoft first-party feeds and more than 40 third-party feeds.
  • Netskope One Advanced Security Service Edge integration*: Get advanced threat protection and unified management against malware, zero-day threats, and data leaks.

Microsoft Entra Suite Summer Camp is happening August 4-7.

Want to learn more about these new features? Join us at the Microsoft Entra Suite Summer Camp this week to see new demos in action and get your questions answered by our product experts!

Learn more

Learn more about the Microsoft Entra Suite and Microsoft Identity and Network Access.



*Licensed separately from the Microsoft Entra Suite


]]>
Modernize your identity defense with Microsoft Identity Threat Detection and Response http://approjects.co.za/?big=en-us/security/blog/2025/07/31/modernize-your-identity-defense-with-microsoft-identity-threat-detection-and-response/ Thu, 31 Jul 2025 17:00:00 +0000 Microsoft's Identity Threat Detection and Response solution integrates identity and security operations to provide proactive, real-time protection against sophisticated identity-based cyberthreats.

The post Modernize your identity defense with Microsoft Identity Threat Detection and Response appeared first on Microsoft Security Blog.

]]>
In today’s fast-evolving landscape, where businesses balance on-premises systems and cloud resources, identity-based cyberthreats are growing more frequent and sophisticated. The question isn’t whether an identity attack will occur—but when. The numbers are staggering: In 2024 Microsoft saw an average of more than 7,000 password attacks happen per second and a 146% increase in adversary-in-the-middle (AiTM) phishing attacks alone.1

A unified approach to identity threat detection and response (ITDR) is no longer a luxury; it’s a necessity. Whether you are an identity admin or a security operations center (SOC) analyst, minimizing your risk starts with eliminating gaps in protection.

From chaos to control: Uniting identity and security solutions

As the corporate IT landscape has evolved, organizations have been left managing complex webs of identities across multiple environments, tools, and vendors, giving cybercriminals many potential gaps to sneak through. The recent Secure Access Report illustrates the direct correlation between complex, multisolution identity vendor estates and the probability of a significant breach.

According to the report’s research, companies relying on a patchwork of six or more identity and network solutions not only face operational inefficiencies but also a 79% higher probability of a significant breach.2

At Microsoft, we understand that ITDR is an integrated partnership between identity and access management (IAM) and extended detection and response (XDR), and our vision has been to eliminate the organizational silos and unite these teams, their tools, and their processes.

One of the key advantages of our integrated solution is its ability to provide end-to-end visibility and protection. Microsoft Entra natively feeds critical signals to Microsoft Defender and vice versa, enabling comprehensive identity protection across on-premises environments, cloud environments, and third parties. Customers like ElringKlinger have recognized that fragmented, siloed security solutions were no longer sufficient to address the sophisticated nature of cyberthreats.

The combination of the individual Microsoft identity solutions is great. It helps us find issues that we might not uncover if we had siloed identity solutions and makes life easier for our team.

—Alexander Maute, Director of IT at ElringKlinger

Proactive protection: Hardening your Identity security posture

ITDR starts long before a cyberattack ever begins, specifically by minimizing your attack surface. From an identity perspective this means eliminating the vulnerable configurations, stale accounts, and instances of over-privilege that cyberattackers often look to exploit. Microsoft’s approach to ITDR emphasizes this proactive stance: posture management isn’t just a best practice—it’s the foundation that makes real-time ITDR possible. We also understand that successful security practices require coordination across different teams and processes.

Microsoft Entra and Microsoft Defender surface actionable recommendations directly into Microsoft Secure Score and Extended Security Exposure Management (XSPM), enabling security teams to visualize attack paths, prioritize remediation, and proactively harden their defenses before threats materialize. The Identity Security initiative offers an identity-specific view of recommended actions from across on-premises and cloud identities, identity infrastructure, and third-party identity providers. These and other recommendations across endpoints, applications, data, networks, and identities help provide security leaders with unmatched visibility into potential attack paths and vulnerabilities, allowing them to identify and mitigate risks before they escalate.

Milliseconds matter: The power of real-time detection and response

Prevention alone is no longer sufficient in today’s evolving threat landscape—true cyber resilience relies on the ability to detect and respond at speed. In an environment where every second counts, Microsoft’s ITDR approach stands apart by delivering strategically layered defenses that help actively disrupt cyberthreats in real time by unifying the data, tools, and workflows across IAM and SOC teams.

The first layer comes in the form of dynamic, risk-based access controls leveraging the unparalleled insights from the identity landscape. As the identity provider, Microsoft Entra directly manages cloud authentication and enforces protection in real time at the point of authentication. This allows us to dynamically enforce access controls and step-up authentication faster and more consistently than anyone else. This is made possible through the native bi-directional integration between Entra and Defender, which enables continuous, real-time sharing of identity signals across identity and security operations.

What differentiates this approach is the built-in feedback loop: identity signals inform security detections instantly, and threat intelligence from Defender directly influences access decisions in Entra—without manual handoffs or latency. In addition to adding more potential points of failure, multivendor solutions typically rely on older logs from prior log-on attempts and may not have the full context or see the changes that have happened since then.

Where the integration truly shines, however, is in our identity threat response capabilities. During an active cyberattack, speed of response is critical. That’s why Microsoft has automatic attack disruption, a built-in self-defense capability that uses the correlated native signal in XDR, AI, and the latest threat intelligence to identify and contain in-progress attacks like AiTM, ransomware, and more to prevent further lateral movement. Attack disruption maps out the attack path using insights from the unified platform to accurately predict where the attacker will go next. Once a threat is confirmed, Defender initiates automatic containment—isolating compromised assets or shutting down user sessions to prevent further spread.

This near real-time response not only stops the attack but also minimizes its impact, giving security teams critical time to investigate and remediate without disruption to the broader environment. This closed-loop integration strengthens risk engines over time, and responses become smarter and faster, saving time and balancing productivity and security for your identity and SOC teams.

Extending Zero Trust beyond ITDR

ITDR is a critical component of a modern cybersecurity strategy, but it’s only one part of a larger, evolving vision. At Microsoft, Zero Trust is not a checkpoint—it’s a guiding security philosophy that continues to scale and adapt with the evolving threat landscape. Securing the modern organization means adopting a Zero Trust strategy that protects users, data, applications, and infrastructure—regardless of where they reside. This includes enforcing least privileged access, verifying explicitly, and assuming breach as a constant. These principles must extend across the digital estate, not just within identity, but across endpoints, applications, and networks.

Microsoft delivers on this vision through an end-to-end portfolio that supports the full spectrum of Zero Trust capabilities. Microsoft Entra provides robust identity and access management. Microsoft Intune ensures device compliance and health. Microsoft Purview enforces data security and governance. Microsoft Defender offers threat protection across endpoints, identities, software as a service apps, email and collaboration tools, multicloud workloads, and data security insights. And Microsoft’s network access capabilities—delivered through the Entra Suite—secure connections and reduce lateral movement risks. And when you use them together, you can secure any identities, any apps, anywhere.

As organizations navigate increasingly complex environments—from hybrid work to multicloud infrastructures—Microsoft is committed to being a trusted partner on the Zero Trust journey. With Microsoft, organizations are not only prepared for today’s identity threats—they’re equipped for the future of secure digital transformation.


The future of ITDR

As threat actors grow more sophisticated, security strategies must evolve beyond fragmented tools and isolated signals. Looking ahead, ITDR will continue to serve as a cornerstone of Zero Trust—one that is natively integrated across identity, apps, endpoints, cloud, network, and beyond. With Microsoft as a trusted partner, business leaders are equipped to go beyond ITDR to protect their identities, secure their operations, and build resilience for the future.

Watch our video to learn more.

Learn more about Microsoft Identity Threat Detection and Response.



1. Microsoft Digital Defense Report 2024

2. Secure employee access in the age of AI


]]>
Protecting customers from Octo Tempest attacks across multiple industries http://approjects.co.za/?big=en-us/security/blog/2025/07/16/protecting-customers-from-octo-tempest-attacks-across-multiple-industries/ Wed, 16 Jul 2025 16:00:00 +0000 To help protect and inform customers, Microsoft highlights protection coverage across the Microsoft Defender security ecosystem to protect against threat actors like Octo Tempest.

The post Protecting customers from Octo Tempest attacks across multiple industries appeared first on Microsoft Security Blog.

]]>
In recent weeks, Microsoft has observed Octo Tempest, also known as Scattered Spider, impacting the airline sector, following previous activity impacting retail, food services, hospitality organizations, and insurance between April and July 2025. This aligns with Octo Tempest’s typical pattern of concentrating on one industry for several weeks or months before moving on to new targets. Microsoft Security products continue to update protection coverage as these shifts occur.

To help protect and inform customers, this blog highlights the protection coverage across the Microsoft Defender and Microsoft Sentinel security ecosystem and provides security posture hardening recommendations to protect against threat actors like Octo Tempest.

Overview of Octo Tempest 

Octo Tempest, also known in the industry as Scattered Spider, Muddled Libra, UNC3944, or 0ktapus, is a financially motivated cybercriminal group that has been observed impacting organizations using varying methods in their end-to-end attacks. Their approach includes: 

  • Gaining initial access through social engineering: impersonating a user and contacting service desk support through phone calls, emails, and messages.
  • Short Message Service (SMS)-based phishing using adversary-in-the-middle (AiTM) domains that mimic legitimate organizations.
  • Using tools such as ngrok, Chisel, and AADInternals.
  • Impacting hybrid identity infrastructures and exfiltrating data to support extortion or ransomware operations.

Recent activity shows Octo Tempest has deployed DragonForce ransomware with a particular focus on VMware ESX hypervisor environments. In contrast to previous patterns, where Octo Tempest used cloud identity privileges to gain on-premises access, recent activity has involved impacting both on-premises accounts and infrastructure at the initial stage of an intrusion before transitioning to cloud access.

Octo Tempest detection coverage 

Microsoft Defender has a wide range of detections covering Octo Tempest-related activity and more. These detections span all areas of the security portfolio, including endpoints, identities, software as a service (SaaS) apps, email and collaboration tools, cloud workloads, and more, to provide comprehensive protection coverage. Shown below is a list of known Octo Tempest tactics, techniques, and procedures (TTPs) observed in recent attack chains, mapped to detection coverage.

Octo Tempest tactics and techniques mapped to Microsoft protection coverage (non-exhaustive). Detection sources: MDC = Microsoft Defender for Cloud, MDE = Microsoft Defender for Endpoint, MDI = Microsoft Defender for Identity, MDA = Microsoft Defender for Cloud Apps.

Initial Access
Technique: Initiating password reset on target’s credentials
  • Unusual user password reset in your virtual machine (MDC)

Discovery
Technique: Continuing environmental reconnaissance
  • Suspicious credential dump from NTDS.dit (MDE)
  • Account enumeration reconnaissance (MDI)
  • Network-mapping reconnaissance (DNS) (MDI)
  • User and IP address reconnaissance (SMB) (MDI)
  • User and Group membership reconnaissance (SAMR) (MDI)
  • Active Directory attributes reconnaissance (LDAP) (MDI)

Credential Access, Lateral Movement
Technique: Identifying Tier-0 assets
  • Mimikatz credential theft tool (MDE)
  • ADExplorer collecting Active Directory information (MDE)
  • Security principal reconnaissance (LDAP) (MDI)
  • Suspicious Azure role assignment detected (MDC)
  • Suspicious elevate access operation (MDC)
  • Suspicious domain added to Microsoft Entra ID (MDA)
  • Suspicious domain trust modification following risky sign-in (MDA)
Technique: Collecting additional credentials
  • Suspected DCSync attack (replication of directory services) (MDI)
  • Suspected AD FS DKM key read (MDI)
Technique: Accessing enterprise environments with VPN and deploying VMs with tools to maintain access in compromised environments
  • ‘Ngrok’ hacktool was prevented (MDE)
  • ‘Chisel’ hacktool was prevented (MDE)
  • Possibly malicious use of proxy or tunneling tool (MDE)
  • Possible Octo Tempest-related device registered (MDA)

Defense Evasion, Persistence
Technique: Leveraging EDR and management tooling
  • Tampering activity typical to ransomware attacks (MDE)

Persistence, Execution
Technique: Installing a trusted backdoor
  • ADFS persistent backdoor (MDE)

Actions on Objectives
Technique: Staging and exfiltrating stolen data
  • Possible exfiltration of archived data (MDE)
  • Data exfiltration over SMB (MDI)
Technique: Deploying ransomware
  • ‘DragonForce’ ransomware was prevented (MDE)
  • Possible hands-on-keyboard pre-ransom activity (MDE)

Note: The list is not exhaustive. A full list of available detections can be found in the Microsoft Defender portal.

Disrupting Octo Tempest attacks  

Disrupt in-progress attacks with automatic attack disruption:
Attack disruption is Microsoft Defender’s unique, built-in self-defense capability that consumes multi-domain signals, the latest threat intelligence, and AI-powered machine learning models to automatically predict and disrupt an attacker’s next move by containing the compromised asset (user, device). This technology uses multiple potential indicators and behaviors, including all the detections listed above, possible Microsoft Entra ID sign-in attempts, and possible Octo Tempest-related sign-in activities, and correlates them across the Microsoft Defender workloads into a high-fidelity incident.

Based on previous learnings from popular Octo Tempest techniques, attack disruption will automatically disable the user account used by Octo Tempest and revoke all existing active sessions of the compromised user.

While attack disruption can contain the attack by cutting off the attacker, it is critical for security operations center (SOC) teams to conduct incident response activities and post-incident analysis to help ensure the threat is fully contained and remediated.  

Investigate and hunt for Octo Tempest related activity:
Octo Tempest is infamously known for aggressive social engineering tactics, often impacting individuals with specific permissions to gain legitimate access and move laterally through networks. To help organizations identify these activities, customers can use Microsoft Defender’s advanced hunting capability to proactively investigate and respond to threats across their environment. Analysts can query across both first- and third-party data sources powered by Microsoft Defender XDR and Microsoft Sentinel. In addition to the advanced hunting tables, analysts can also use exposure insights from Microsoft Security Exposure Management.

Using advanced hunting and the Exposure Graph, defenders can proactively assess and hunt for the threat actor’s related activity and identify which users are most likely to be targeted and what will be the effect of a compromise, strengthening defenses before an attack occurs.  
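As an added hunting example (not from the Microsoft post and not a Microsoft-published query), the query below looks in Defender XDR advanced hunting for the tunneling tools this post names, ngrok and Chisel, being launched on managed endpoints, and pairs each launch with the most recent successful logon of the launching account on that device so an analyst can see how that session arrived. DeviceProcessEvents, DeviceLogonEvents and the columns used are the advanced hunting schema; the seven-day window and the tool-name list are assumptions to tune per environment.

```kql
// Added example, not part of the Microsoft post: hunt for ngrok / Chisel launches and
// attach the latest preceding successful logon of the same account on the same device.
// Assumptions: a 7-day look-back and a two-entry tool list; both are meant to be tuned.
let lookback = 7d;
let tunnel_tools = dynamic(["ngrok", "chisel"]);
// Process creations whose image name or command line mentions either tool (term match).
let tool_launches =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName has_any (tunnel_tools) or ProcessCommandLine has_any (tunnel_tools)
    | project LaunchTime = Timestamp, DeviceId, DeviceName, AccountDomain, AccountName,
              FileName, ProcessCommandLine, SHA256, InitiatingProcessFileName;
// Successful logons in the same window; RemoteIP is populated for network and RDP logons.
let recent_logons =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess"
    | project LogonTime = Timestamp, DeviceId, AccountDomain, AccountName, LogonType, RemoteIP;
tool_launches
| join kind=leftouter recent_logons on DeviceId, AccountDomain, AccountName
| where isnull(LogonTime) or LogonTime <= LaunchTime      // only logons that precede the launch
| summarize arg_max(LogonTime, LogonType, RemoteIP)        // keep the latest preceding logon
    by LaunchTime, DeviceName, AccountDomain, AccountName,
       FileName, ProcessCommandLine, SHA256, InitiatingProcessFileName
| project-rename LastLogon = LogonTime
| order by LaunchTime desc
```

Matching on FileName or ProcessCommandLine only catches copies of the tools that keep their names; a renamed binary would have to surface through the behavioural alert listed above, “Possibly malicious use of proxy or tunneling tool”, so treat this query as a complement to those detections rather than a replacement. has_any is a whole-term match, so a path such as C:\tools\chisel.exe matches while a word like “chiseled” does not; still, review ProcessCommandLine and the parent process before acting on a row, and pivot on SHA256 to find further copies.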

Proactive defense against Octo Tempest 

Microsoft Security Exposure Management, available in the Microsoft Defender portal, equips security teams with capabilities such as critical asset protection, threat actor initiatives, and attack path analysis that enable security teams to proactively reduce exposure and mitigate the impact of Octo Tempest’s hybrid attack tactics.

Ensure critical assets stay protected 

Customers should ensure critical assets are classified as critical in the Microsoft Defender portal to generate relevant attack paths and recommendations in initiatives. Microsoft Defender automatically identifies critical devices in your environment, but teams should also create custom rules and expand critical asset identifiers to enhance protection.  

Take action to minimize impact with initiatives 

Exposure Management’s initiatives feature provides goal-driven programs that unify key insights to help teams harden defenses and act fast on real threats. To address the most pressing risks related to Octo Tempest, we recommend organizations begin with the initiatives below: 

  • Octo Tempest Threat Initiative: Octo Tempest is known for tactics like extracting credentials from Local Security Authority Subsystem Service (LSASS) using tools like Mimikatz and signing in from attacker-controlled IPs—both of which can be mitigated through controls like attack surface reduction (ASR) rules and sign-in policies. This initiative brings these mitigations together into a focused program, mapping real-world attacker behaviors to actionable controls that help reduce exposure and disrupt attack paths before they escalate.
  • Ransomware Initiative: A broader initiative focused on reducing exposure to extortion-driven attacks through hardening identity, endpoint, and infrastructure layers. This will provide recommendations tailored for your organization.  

Investigate on-premises and hybrid attack paths

Security teams can use attack path analysis to trace cross-domain threats like Octo Tempest, who have exploited the critical Entra Connect server to pivot into cloud workloads, escalate privileges, and expand their reach. Teams can use the ‘Chokepoint’ view in the attack path dashboard to highlight entities appearing in multiple paths, making it easy to filter for helpdesk-linked accounts, a known Octo Tempest target, and prioritize their remediation.

Given Octo Tempest’s hybrid attack strategy, a representative attack path may look like this: 

Recommendations 

In today’s threat landscape, proactive security is essential. By following security best practices, you reduce the attack surface and limit the potential impact of adversaries like Octo Tempest. Microsoft recommends implementing the following to help strengthen your overall posture and stay ahead of threats: 

Identity security recommendations 

Endpoint security recommendations 

  • Enable Microsoft Defender Antivirus cloud-delivered protection for Linux.
  • Turn on Microsoft Defender Antivirus real-time protection for Linux.
  • Enable Microsoft Defender for Endpoint EDR in block mode to block post-breach malicious behavior on the device through behavior blocking and containment capabilities.
  • Turn on tamper protection, which prevents Microsoft Defender for Endpoint security settings from being modified.
  • Block credential stealing from the Windows Local Security Authority Subsystem Service (LSASS): attack surface reduction (ASR) rules are the most effective method for blocking the most common attack techniques used in cyberattacks and malicious software.
  • Turn on Microsoft Defender Credential Guard to isolate secrets so that only privileged system software can access them.

Cloud security recommendations 

  • Key Vaults should have purge protection enabled to prevent immediate, irreversible deletion of vaults and secrets.
  • To reduce risks of overly permissive inbound rules on virtual machines’ management ports, enable just-in-time (JIT) network access control. 
  • Microsoft Defender for Cloud recommends encrypting data with customer-managed keys (CMK) to support strict compliance or regulatory requirements. To reduce risk and increase control, enable CMK to manage your own encryption keys through Microsoft Azure Key Vault.
  • Enable logs in Azure Key Vault and retain them for up to a year. This enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
  • Microsoft Azure Backup should be enabled for virtual machines to protect the data on your Microsoft Azure virtual machines, and to create recovery points that are stored in geo-redundant recovery vaults.



]]>
Improving IT efficiency with Microsoft Security Copilot in Microsoft Intune and Microsoft Entra http://approjects.co.za/?big=en-us/security/blog/2025/07/14/improving-it-efficiency-with-microsoft-security-copilot-in-microsoft-intune-and-microsoft-entra/ Mon, 14 Jul 2025 16:00:00 +0000 Announcing the general availability of Microsoft Security Copilot capabilities for IT with Microsoft Intune and Microsoft Entra, offering AI-powered efficiency and enhanced security for your operations.

The post Improving IT efficiency with Microsoft Security Copilot in Microsoft Intune and Microsoft Entra appeared first on Microsoft Security Blog.

]]>
When Microsoft introduced Microsoft Security Copilot last year, our vision was to empower organizations with generative AI that helps security and IT teams simplify operations and respond faster. Since then, we’ve continuously innovated and learned alongside our customers. They consistently tell us that practitioners love it when Copilot is built directly into the tools they use every day.

That’s why we’re focused on delivering deeply integrated, scenario-based experiences that align with Zero Trust principles, making it easier for IT and security professionals to ask questions, take action, and gain insights directly within their existing workflows. These experiences not only reduce friction but also help IT teams stay in flow, making smarter decisions faster and with greater confidence. And the impact is real: organizations using Security Copilot have seen a 54% reduction in time to resolve device policy conflicts, and a 22.8% drop in alerts per incident within three months of adoption, freeing up teams to focus on more strategic work.

We’re excited to announce the Security Copilot capabilities in Microsoft Intune and Microsoft Entra have moved from preview to general availability. This milestone reflects the critical role Intune and Entra play in modern security strategies, serving as the foundation for implementing a Zero Trust model. Intune enforces device compliance, app protection, and endpoint privilege management, while Entra governs identity access with Conditional Access policies and granular authentication controls. Together, they create a unified security posture that aligns with Zero Trust principles across devices, users, applications, and even agents. Security Copilot amplifies this foundation by providing AI-assisted guidance, autonomous agents, and insights accessible through natural language, helping IT teams scale operations, accelerate skilling, and proactively remediate threats at machine speed.

Reimagining IT workflows with Security Copilot in Intune

IT administrators often face a daily flood of data, alerts, and configuration details, making it difficult to quickly find the right information and act with confidence. AI is changing how people work, and Copilot in Intune is evolving how IT admins interact with and act on their endpoint management data. The Security Copilot in Intune general availability release introduces a brand new, Copilot-assisted data exploration capability. IT admins now have a dedicated page in the Intune admin center to ask Copilot for the data they need, take action, and complete endpoint management tasks, all without leaving their workflow. This capability allows admins to extract insights across Intune domains—devices, apps, security policies, users, compliance data, app configurations, and more—and act on it using its deep integration into the Intune functionality they are familiar with. It represents the first step in a foundational shift from traditional reporting and queries to Copilot-powered investigation and IT-empowered action.

This new Security Copilot capability is designed to simplify the most time-consuming IT workflows, like assessing security posture, managing updates, troubleshooting issues, and generating custom reports. Whether it’s identifying non-compliant devices, tracking patch failures, previewing policy impact, or automating remediation, Copilot brings together the data and actions IT needs in one place.

Admins can ask natural language questions like, “Show me devices that are not on the latest version of Windows and Office,” or “Which of my Endpoint Privilege Management rules are in conflict and what are the source profiles?” and take action instantly, without switching context.

Figure 1. New experience to explore your Intune data with Copilot assistance across workloads.

The new Explorer experience also includes support for Windows 365 Cloud PCs, giving IT administrators a consistent way to view and act on device details across both cloud and physical endpoints. We are excited to share that in the coming weeks, we’ll introduce additional AI capabilities in Intune with Copilot assistance for Windows 365, offering insights into Cloud PC connectivity and connection quality, licensing optimization, and performance issues tied to compute resources. These capabilities build on the momentum of virtual computing and the ability to stream Windows from the Cloud, enhancing the IT experience and delivering even more endpoint management value—especially for Windows-based environments.

The general availability release of Security Copilot in Intune also provides chat-based contextual assistance and includes integration with core and Microsoft Intune Suite solutions. In Intune Advanced Analytics, Copilot helps admins write detailed Kusto Query Language (KQL) queries for multiple device query (MDQ), and in Endpoint Privilege Management, Copilot assesses app risks so admins can make informed decisions before approving Windows users' elevation requests. And with the Surface Management Portal in Intune, Copilot provides unified visibility and controls for IT across Surface devices, further strengthening security posture and streamlining operations.

Just as Security Copilot is transforming endpoint management in Intune, it’s also reshaping how identity is managed in Microsoft Entra.

Security Copilot in Entra brings clarity and speed to identity security

Identity environments evolve daily—new users, apps, and permissions are constantly introduced, making it difficult for IT and identity admins to keep policies up to date and user access properly governed. Manual investigations done the traditional way can be very time-consuming and reactive, giving cyberattackers more time to exploit gaps. With more than 600 million identity-based attacks happening daily, organizations can't afford slow, manual investigations or infrequent policy reviews.1

Security Copilot in Microsoft Entra, now generally available, brings AI-assisted reasoning, natural language prompts, and real-time insights across your identity and access estate, all within the Microsoft Entra admin center. We’ve made major enhancements to improve performance, scalability, and accuracy, enabling Security Copilot to better understand user intent, handle more complex questions, and deliver clearer answers.

We've also expanded coverage to support a broader set of real-world identity scenarios. Copilot in Entra now helps admins investigate users, troubleshoot sign-ins, manage access reviews and entitlements, monitor tenant health and service-level agreements (SLAs), optimize license usage, and analyze role assignments and recommendations—all grounded in Microsoft Graph data.

Admins can now ask natural language questions like, “Which enterprise applications have credentials about to expire?” and “What role does the user have?” to quickly surface insights and take action. Whether it’s reviewing access packages, identifying risky apps, or checking license availability, Security Copilot in Entra helps teams move faster, stay ahead of cyberthreats, and focus on what matters most.

Purpose-built agents for real-world IT challenges

At Microsoft Secure 2025, as part of our vision to deliver an AI-first, end-to-end security platform, Microsoft announced 11 AI-powered Security Copilot agents that are seamlessly integrated with Microsoft Security and partner solutions. These agents autonomously handle high-volume, high-value tasks, learn from feedback, adapt to workflows, and operate securely, reflecting our commitment to helping organizations achieve what was previously impossible—at machine speed.

Today marks a meaningful milestone in our journey toward an AI-first, end-to-end security platform: we’re announcing the general availability of the Conditional Access Optimization Agent in Microsoft Entra. This launch brings AI-powered automation to IT and security operations, helping teams bring proactive protection directly into identity workflows.

The Conditional Access Optimization Agent runs autonomously, scanning your environment for gaps, overlaps, and outdated policy assignments. It then recommends precise, one-click remediations to help close the gaps fast, turning reactive cleanup into proactive defense.

The Conditional Access Optimization Agent provides:

  • Autonomous protection, every day—Automatically detects newly created users or apps not covered by Conditional Access policies, reducing risk between manual audits.
  • Real-time, explainable decisions—Every recommendation includes a plain-language summary and visual activity map showing how the agent reached its conclusion.
  • Continuous adaptability to your organization's needs—Supports custom business rules, and the agent can learn from your natural-language feedback (for example, excluding break-glass accounts).
  • Full auditability—Agent actions (install, enable, and disable) and its recommendations are recorded in the audit log for compliance and operational transparency.
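
A worked illustration of the coverage gap the agent looks for, added here as an example and not Microsoft's agent code: it assumes a Microsoft Graph-style conditionalAccessPolicy shape (conditions.users and state), uses constructed sample users and policies, and lists users whom no enforced policy requiring MFA covers, with an explicit exception set standing in for the break-glass exclusion the text mentions.

```python
"""Conditional Access coverage check (added example, hypothetical code).
Policy dicts follow the Microsoft Graph conditionalAccessPolicy layout:
conditions.users.{includeUsers,excludeUsers,includeGroups,excludeGroups},
state in {"enabled", "enabledForReportingButNotEnforced", "disabled"},
grantControls.builtInControls such as ["mfa"]."""
from __future__ import annotations

# Constructed sample directory: user id -> group memberships.
USERS: dict[str, set[str]] = {
    "u-alice": {"g-staff"},
    "u-bob": {"g-staff", "g-admins"},
    "u-carol": set(),                 # newly created user, no groups yet
    "u-breakglass": {"g-emergency"},  # emergency-access account
}

# Constructed sample policies.
POLICIES = [
    {   # Enforced MFA for the staff group; break-glass account excluded on purpose
        "displayName": "Require MFA for staff", "state": "enabled",
        "conditions": {"users": {"includeUsers": [], "excludeUsers": ["u-breakglass"],
                                 "includeGroups": ["g-staff"], "excludeGroups": []}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {   # Report-only policy: evaluated and logged, but enforces nothing
        "displayName": "Require MFA for all (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                                 "includeGroups": [], "excludeGroups": []}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
]

def policy_applies(policy: dict, user_id: str, groups: set[str]) -> bool:
    """True when an *enforced* policy's user scope includes this user."""
    if policy["state"] != "enabled":          # disabled or report-only: no coverage
        return False
    u = policy["conditions"]["users"]
    if user_id in u.get("excludeUsers", []) or groups & set(u.get("excludeGroups", [])):
        return False                          # explicit exclusions win over inclusions
    inc = u.get("includeUsers", [])
    return "All" in inc or user_id in inc or bool(groups & set(u.get("includeGroups", [])))

def uncovered_users(users: dict[str, set[str]], policies: list[dict],
                    control: str = "mfa", exceptions: set[str] = frozenset()) -> list[str]:
    """Users (minus approved exceptions) that no enforced policy granting `control` reaches."""
    enforcing = [p for p in policies
                 if control in p.get("grantControls", {}).get("builtInControls", [])]
    return sorted(uid for uid, groups in users.items() if uid not in exceptions
                  and not any(policy_applies(p, uid, groups) for p in enforcing))
```

Run on the sample data, the check flags u-carol (a new user outside every enforced scope) and, unless it is listed as an approved exception, the break-glass account; the report-only policy contributes no coverage until it is switched to enabled.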

With the Conditional Access Optimization Agent, policy coverage becomes continuous. You gain daily protection, policy clarity, and built-in expertise without the manual lift. As one security leader put it:

“The Conditional Access Optimization Agent is like having a security analyst on call 24/7. It proactively identifies gaps in our Conditional Access policies and ensures every user is protected from day one, and with report-only mode and AI-driven recommendations, we can test and refine access policies without disruption. It’s a secure path to innovation that every chief information security officer can trust.”

—Julian Rasmussen, Senior consultant and Partner, Point Taken, Microsoft MVP

Step into the future of IT with Security Copilot

We’re in a new era of AI that has implications for IT operations and security. Now with Microsoft Security Copilot in Intune and Entra, you can make your organization future-ready with AI solutions that help organizations transform IT and security at machine speed.

As part of our ongoing commitment to enhancing the embedded experience of Security Copilot across Microsoft Security products, we’re excited to introduce a new in-portal capacity calculator available in the Security Copilot standalone experience (Azure account required). This tool allows organizations to estimate the number of Security Compute Units (SCUs) they may need based on the number of Security Copilot users in each Microsoft Security product. Users can generate a quick estimate, providing a practical starting point for capacity planning. SCU allocations can be adjusted at any time as real-world usage patterns emerge. Learn more.

Explore more use cases for IT and identity admins in the Security Copilot adoption hub. Explore Copilot in Intune and Entra and take these steps to learn more:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1 Microsoft Digital Defense Report 2024.

The data, insights, and events in this report represent July 2023 through June 2024 (Microsoft fiscal year 2024), unless otherwise noted.
