Explore the capabilities of Copilot in Microsoft Entra

In this exercise, you explore multiple real-world scenarios that highlight the benefits and value of Copilot in Microsoft Entra.

Note

The environment for this exercise is a simulation generated from the product. As a limited simulation, links on a page may not be enabled and text-based inputs that fall outside of the specified script may not be supported. A pop-up message displays stating, "This feature is not available within the simulation." When this occurs, select OK and continue the exercise steps.

Exercise

This exercise consists of four independent tasks that explore the capabilities of Security Copilot in Microsoft Entra.

This exercise should take approximately 30 minutes to complete.

Note

When a lab instruction calls for opening a link to the simulated environment, it's recommended that you open the link in a new browser window so that you can simultaneously view the instructions and the exercise environment. To do so, right-click the link and select the option to open it in a new window.

Task: Research and remediation of risky users with Copilot in Microsoft Entra

You're an identity admin with Woodgrove. You believe some users at the company might be compromised by phishing attacks. You want to use Copilot in Microsoft Entra to review any risky users. If you find any, you can use Copilot to help you remediate the issue and prevent future occurrences. The primary user you suspect of being compromised is Serena Markunaite.

  1. Open the simulated environment by selecting this link: Microsoft Entra admin center.

  2. From the menu on the left, scroll down and open the Protection menu.

  3. Select Identity Protection from the submenu.

    • We want to use the Dashboard to look at the Number of high risk users chart. Notice there are more than 100 risky user activities detected.
    • We'll come back to this report in a couple of minutes.
  4. Let’s do some research on potential Risky Users.

  5. Select the Copilot button from the top right of the screen.

  6. Take a moment to review the sample prompts that are provided in Copilot.

  7. Enter the prompt Show me my most risky users and select the arrow.

    • Note, the user we were concerned about (Serena) is in the list.
  8. Look at the bottom of the Copilot response for a link to the Risky Users report.

  9. Select the link Risky Users report in Entra ID Protection.

  10. Select Serena Markunaite from the list of Risky Users.

    • This opens a Copilot autogenerated user risk summary. You now see a specific reason why Serena is at elevated risk.
    • Also note the What to do recommendations.
  11. We need to dig a little deeper and see if we can track this risky user behavior. Have they performed activities outside of their normal usage?

  12. In the Copilot dialog, enter the prompt Show me the sign-ins for the Serena one day before and after the alert.

    • Note the failed user sign-in attempt followed immediately by some successful attempts from an alternate IP address. This looks like suspicious behavior.
    • Just resetting a password or MFA may not be enough if an attacker has logged in to the system. Let’s check to see if any changes have been made to the MFA settings recently.
  13. Enter the Copilot prompt What MFA methods are available for this user?.

    • Note the company MFA standard of Password plus Authenticator is still set.
  14. We have researched the issue and gathered the needed information. Now it's time to plan for remediation of attacker-in-the-middle style attacks.

  15. Ask Copilot for recommendations with the prompt What should I do to remediate this attacker-in-the-middle threat?.

  16. Scroll up in the Copilot window to review the entire response.

    • The Copilot response includes ways to remediate the current issues. All of these items are great to stop the current potential breach, but won't stop future attempts. What can we do?
    • Reminder: the Risky User Details provided What to do recommendations to secure against future attacks.
  17. There's a suggestion to use Conditional Access policies to protect this user. Use Copilot to find out more.

  18. Enter the prompt Can I use risk based conditional access policy to automate response to these detections?

    • Note that you can use Conditional Access policies, the same as the previous recommendation we got.
  19. Ask Copilot to give you step-by-step instructions to set this up with the prompt How would I create a sign in risk based conditional access policy for this user?.

    • Review the steps provided.

    Note

    The instructions generated are for a single-user policy. Microsoft recommends that you don't make a policy for each user, but instead create policies using security groups to help with maintenance.

  20. Close the simulated environment by exiting the browser.

Review: You have completed this lab simulation. Remember how you were able to quickly use Copilot to get a list of risky users, research their identity-based activities, check to see if the account appeared compromised, and find a remediation path. Copilot embedded in Microsoft Entra is a powerful tool to support your identity and access administrative tasks.
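The pattern spotted in step 12 (a failed sign-in followed right away by successful sign-ins from a different IP address) can also be checked over exported sign-in data. The following is an added example, not part of the original lab or any Microsoft code; the function name, UPNs, IP addresses and timestamps are constructed, and the record fields follow the Microsoft Graph signIn shape (status.errorCode 0 means success).

```python
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T09:00:10Z", "userPrincipalName": "serena@example.test",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T10:00:00Z", "userPrincipalName": "alex@example.test",
     "ipAddress": "192.0.2.5", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-05-01T10:00:30Z", "userPrincipalName": "alex@example.test",
     "ipAddress": "192.0.2.5", "status": {"errorCode": 0}},   # retry from same IP: benign
    {"createdDateTime": "2024-05-01T14:02:05Z", "userPrincipalName": "serena@example.test",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-05-01T14:02:40Z", "userPrincipalName": "serena@example.test",
     "ipAddress": "198.51.100.77", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T14:03:10Z", "userPrincipalName": "serena@example.test",
     "ipAddress": "198.51.100.77", "status": {"errorCode": 0}},
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def failed_then_success_new_ip(signins, window_minutes=10):
    """Return (failure, success) pairs where a user's successful sign-in comes
    from a different IP than their most recent failure, within the window."""
    window = timedelta(minutes=window_minutes)
    events = sorted(signins, key=lambda e: parse_ts(e["createdDateTime"]))
    last_failure = {}   # user -> most recent failed sign-in
    findings = []
    for ev in events:
        user = ev["userPrincipalName"].lower()
        if ev["status"]["errorCode"] != 0:
            last_failure[user] = ev
            continue
        prev = last_failure.get(user)
        if prev is None:
            continue
        gap = parse_ts(ev["createdDateTime"]) - parse_ts(prev["createdDateTime"])
        if gap <= window and ev["ipAddress"] != prev["ipAddress"]:
            findings.append((prev, ev))
    return findings

if __name__ == "__main__":
    for failure, success in failed_then_success_new_ip(SAMPLE_SIGNINS):
        print(success["userPrincipalName"], failure["ipAddress"], "->", success["ipAddress"])
```

A hit is a lead rather than proof: a user moving between networks produces the same pattern, so review it alongside the risk summary and MFA method checks from the steps above.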

Task: Using Security Copilot in Microsoft Entra to troubleshoot access

You're an identity admin with Woodgrove. You're a member of the helpdesk and have been asked to look into a trouble ticket that was submitted by a remote employee who often works at secure customer locations. The employee reports that they are unable to authenticate when working from a customer’s secure location that doesn’t allow users to bring any external devices, including mobile devices and laptops. As an identity admin, you know that the authentication process is set up to always use phone-based MFA, but you want to investigate the user's sign-in attempts. Copilot can help investigate and research how to quickly resolve the user sign-in challenge. The user is Khamala Ervello.

  1. Open the simulated environment by selecting this link: Microsoft Entra admin center.

  2. Select the Security Copilot button in the upper right of the screen.

  3. Enter the prompt Tell me more about kher40@woodgrove.ms to get details on Khamala.

    • Note the details that Khamala is a valid user and should have access.
  4. We need to research the failed sign-in attempt. Use the prompt Show me kher40@woodgrove.ms most recent failed sign in to get a view into the sign-in failure.

    • Notice that the exact failure the user described did happen: MFA timeout.
    • Can we check to see if there's any other suspicious activity?
  5. Enter the prompt in Security Copilot Was there any unusual or risky behaviors for kher40@woodgrove.ms sign in attempt?.

    • We don't see any risky or unusual behavior for this user.
    • Can we help them get logged in, so they can work?
  6. Check to see what MFA methods are available at Woodgrove with the prompt Which authentication methods are considered MFA?.

    • Note the list of available MFA methods and the provided links to research their value and strength.
  7. FIDO2 passkey is the most secure option, without the need for phone verification. Can we check to see if Khamala is registered for FIDO2?

  8. Check with Copilot using the prompt Is kher40@woodgrove.ms registered for FIDO2 authentication?.

    • The user is not set up for FIDO2. Can we get them set up for passwordless?
  9. Ask Copilot how to set this up with the prompt How would I go about getting kher40@woodgrove.ms set up for passwordless authentication?.

  10. Review the steps provided by Security Copilot to help Khamala set up passwordless sign-in, so this issue is resolved.

  11. After you review the steps with Khamala, you can send an email with a copy of the instructions.

  12. Close the simulated environment by exiting the browser.

Review: Security Copilot in Microsoft Entra is your companion at the helpdesk. With a few simple prompts you can confirm a user’s role in the company, verify that their account is not showing risky activities, and help them resolve sign-in issues.

Task: Remediating app security issues with Security Copilot in Microsoft Entra

You're an identity admin with Woodgrove. Your company has used many enterprise applications over the years, and some are no longer used. Your job is to track down unused applications in your Microsoft Entra tenant and remove them. As part of the work, you should research whether there's any suspicious activity associated with the apps or their data. Security Copilot in Microsoft Entra can help.

  1. Open the simulated environment by selecting this link: Microsoft Entra admin center.

  2. Review the data provided on the Microsoft Entra dashboard.

  3. Find the section on your Identity Secure Score.

    • Note there are recommendations on how you can make your tenant even more secure.
    • Notice one of the items is "Removed unused application."
  4. Select the Security Copilot button on the upper right of the screen.

  5. Use the prompt Show me unused applications to find any unused applications.

    • Review the list of apps.
  6. It would be great to know who owns those apps.

  7. Enter the prompt Who are the owners of the service principals associated with these apps? to find the owners.

    • Note that many of them don’t have owners.
  8. Let’s ask Copilot how to remove the apps with the prompt How do I remove these?.

  9. Review the steps provided to remove the application manually using the Microsoft Entra admin center or view PowerShell scripts.

    Note

    While this simulation doesn't actively use these steps to remove applications, you can see how Security Copilot can quickly help you remove unused applications.

  10. Scroll up in the Copilot window to see the list of apps originally provided.

  11. Find the application called Woodgrove Intranet, and take note of the owner’s name: Braden Goudy (Corp).

  12. Close the Security Copilot window for now.

  13. Select the Favorites menu from the menu on the left side of the screen.

    • Favorites is a great place to store your most commonly used tools.
  14. Select Risky activities from the list of favorites.

    • Alternatively, you can open the Protection menu, and then select Risky Activities from the menu.
  15. Find Braden’s name on the list and notice that he is At Risk.

  16. Select his name to open a Security Copilot summary of the risky behavior.

    • There are several unfamiliar sign-in attempts in their history.
  17. Review the suggestions on how to mitigate any risks posed by the user.

  18. Close the simulated environment by exiting the browser.

Review: In this simulation, you used Security Copilot to help you quickly identify unused applications and their owners. You were able to find the step-by-step instructions to remove them from your system. Additionally, you noticed that of the three applications with an owner, the one whose owner is listed as Braden Goudy (Corp) did not have an associated user ID. With this information, you were able to review the application owner’s usage and find some potential risky behavior.

Task: Exploring Security Copilot in Microsoft Entra

You're an identity admin with Woodgrove. You have been advised that the user Rovshan Hasanli might have some strange behavior when connecting to the Woodgrove site. You want to use the Audit Logs to research the activities.

  1. Open the simulated environment by selecting this link: Microsoft Entra admin center.

  2. In the upper right side of the screen, select the Security Copilot button.

  3. Let’s start with a simple prompt like Tell me about user Rovshan Hasanli?. Note that the prompt response shows the Account Enabled field is set to false, so the account is disabled.

  4. We need to find out information about the user from the Audit Logs. Use the prompt Show me Microsoft Entra audit log events initiated by that user in the last week to find more information.

    • Review the information about User Administrator role being assigned in PIM.
    • Notice that Security Copilot remembered that we asked about Rovshan already, and kept that context. You could have specified the name in the prompt also.
    • Without Security Copilot, you would have to open the logs and manually search for entries.
  5. Let’s check the user’s sign-in with the prompt Show me sign-ins from that user?.

    • It's unusual that a user whose account is disabled has been able to sign in and use PIM.
  6. Scroll up in the Security Copilot window to find the link Rovshan Hasanli's Profile from the first query we did in Security Copilot.

  7. Select the link Rovshan Hasanli's Profile.

    • Alternatively, you can navigate to the All Users page by going to the left side menu and picking Identity, then Users, and then All Users.
    • Select the Search for users box and enter Rovshan.
    • Select the Rovshan Hasanli account.
  8. Interesting, we can see the account is Disabled in the Account status.

  9. Return to the Security Copilot window and scroll to the link Audit Logs page.

  10. Select the link Audit Logs page.

    • Alternatively, you can navigate to the page from the left side menu by going to Identity, then Monitoring & health, and then Sign-in logs.
  11. When the page opens, select the Add filters button.

  12. Choose Initiated by (actor) from the list of filters and enter Rovshan, then select Apply.

    • There are several PIM activities performed by Rovshan.
  13. Return to the Security Copilot window again and find the link Sign-in events page.

  14. Select the link Sign-in events page.

    • Alternatively, you can navigate to the page from the left side menu by going to Identity, then Monitoring & health, and then Sign-in logs.
  15. When the page opens, select the Add filters button.

  16. Choose User from the list, then select Apply.

  17. Enter Rovshan into the dialog box.

    • Review the list of sign-in attempts.
  18. Close the simulated environment by exiting the browser.

Review: In this short simulation, you can see how Security Copilot in Microsoft Entra is able to quickly share information about a specific user’s activity. Security Copilot then includes links to where more details can be found. This feature lets you ask questions about Microsoft Entra data without having to guess where to go next.
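The finding in this task, a disabled account that still shows sign-ins and PIM activity, can be turned into a repeatable check over exported user, sign-in and audit records. This is an added example, not part of the original lab or any Microsoft code; all UPNs, timestamps and the disabled_at map are constructed, and the field names follow the Microsoft Graph user, signIn and directoryAudit shapes.

```python
from datetime import datetime

def ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

# Constructed sample data (not real tenant data).
USERS = [
    {"userPrincipalName": "rovshan@example.test", "accountEnabled": False},
    {"userPrincipalName": "alex@example.test", "accountEnabled": True},
]
# Assumption: the time each account was disabled is known from another source.
DISABLED_AT = {"rovshan@example.test": "2024-05-01T08:00:00Z"}
SIGNINS = [
    {"createdDateTime": "2024-04-30T17:00:00Z", "userPrincipalName": "rovshan@example.test", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T03:15:00Z", "userPrincipalName": "rovshan@example.test", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T09:00:00Z", "userPrincipalName": "alex@example.test", "status": {"errorCode": 0}},
]
AUDITS = [
    {"activityDateTime": "2024-05-02T03:20:00Z", "activityDisplayName": "Add member to role completed (PIM activation)",
     "initiatedBy": {"user": {"userPrincipalName": "rovshan@example.test"}}},
    {"activityDateTime": "2024-05-02T04:00:00Z", "activityDisplayName": "Update policy",
     "initiatedBy": {"app": {"displayName": "Sample app"}}},   # app actor, no user
]

def activity_by_disabled_accounts(users, signins, audits, disabled_at=None):
    """List successful sign-ins and audit events tied to disabled accounts.
    Events before a known disable time are skipped; if the time is unknown,
    every event for that account is reported for manual review."""
    cutoffs = {k.lower(): ts(v) for k, v in (disabled_at or {}).items()}
    disabled = {u["userPrincipalName"].lower() for u in users if not u["accountEnabled"]}
    findings = []

    def consider(upn, when, kind, detail):
        upn = (upn or "").lower()
        cutoff = cutoffs.get(upn)
        if upn in disabled and (cutoff is None or ts(when) >= cutoff):
            findings.append((upn, when, kind, detail))

    for s in signins:
        if s["status"]["errorCode"] == 0:
            consider(s["userPrincipalName"], s["createdDateTime"], "sign-in", "success")
    for a in audits:
        actor = (a["initiatedBy"].get("user") or {}).get("userPrincipalName")
        consider(actor, a["activityDateTime"], "audit", a["activityDisplayName"])
    return sorted(findings, key=lambda f: ts(f[1]))

if __name__ == "__main__":
    for row in activity_by_disabled_accounts(USERS, SIGNINS, AUDITS, DISABLED_AT):
        print(row)
```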