Skip to main content
6 min read
Share

Another Ignite in the books. I’m typing this from my hotel room on the last evening, still running on adrenaline after a mental few days in Chicago. My feet are wrecked, my voice is barely there, and I’ve had more coffee than any reasonable person should in three days. Wouldn’t change it though.

For anyone who couldn’t be there, here’s my best shot at a security highlights reel. There was a ridiculous amount to absorb, so I’ve focused on what I think will actually matter for those of us doing this stuff day to day.

Security Copilot - The Next Step

Microsoft went big on Security Copilot again this year. The improvements since the initial launch have been real, I’ll give them that. What stood out most for me was the expansion of Security Copilot agents — autonomous AI agents that handle specific security tasks like phishing triage, alert investigation, and conditional access optimisation.

Session BRK301 covered this in depth and was absolutely rammed. They demoed a phishing triage agent processing an entire queue of reported emails, classifying them, and kicking off initial response actions with zero analyst involvement. I chatted to a few people after and the vibe was cautious optimism. The potential? Obvious. But nobody’s getting carried away until they’ve seen it hold up at scale in production.

The embedded experiences across the Defender portal have come on a lot too. Copilot’s got noticeably better at picking up context during incident investigations. And the natural language to KQL translation? It’s gone from party trick to something I actually rely on.

Entra Suite Expansion

The Entra team had no shortage of news. Here’s what grabbed me:

  • Entra ID FIDO2 enhancements — Cross-device authentication flows have been expanded, which makes passkeys way more practical if you’ve got shared device scenarios in your organisation. Session BRK245 covered this and I’ve honestly been waiting ages for it.
  • Entra Private Access and Internet Access updates — The SSE capabilities are maturing nicely. Traffic forwarding profiles now offer finer-grained controls, there’s improved integration with third-party firewalls, and the Global Secure Access client is significantly more stable. That last bit was frankly overdue.
  • Entra Permissions Management — They’ve added capabilities for detecting and remediating overprivileged workload identities. Considering how many breaches come back to overprivileged service principals, it’s about time.

I ended up in a great hallway chat with one of the Entra product managers about where workload identity security is heading. Can’t share the specifics, but let’s just say I think 2026 is going to be interesting on that front.

Defender XDR Innovations

The Defender XDR news was steady rather than splashy. Honestly, that’s exactly what I want from a security product. Just make the tool better at its job:

  • Unified incident correlation got another upgrade. The engine’s noticeably better at stitching alerts from different sources into coherent incidents. If you’ve ever spent an afternoon manually correlating Defender for Endpoint alerts with Defender for Identity signals, you’ll appreciate this one.
  • Custom detection improvements — More data tables in advanced hunting, plus the custom detection wizard supports additional trigger conditions now. Session BRK189 walked through some advanced hunting scenarios that I found properly useful.
  • Automatic attack disruption expansion — Coverage now extends to more attack types, including business email compromise patterns that used to slip through. The session on this (BRK212) had case studies from organisations where attacks got automatically disrupted in production. Impressive stuff.

Purview and AI Security

No surprises that this was one of the biggest themes. Organisations are rolling out Copilot for Microsoft 365 and other AI tools at pace, and the security and compliance questions are piling up.

  • Microsoft Purview AI Hub — A centralised experience for managing AI security and compliance, pulling data security, compliance, and governance controls for AI applications into one place. Session BRK156 was standing room only.
  • Data Loss Prevention for AI interactions — DLP policies can now inspect and control data moving to and from AI applications, including Copilot for Microsoft 365 and third-party AI tools. I’ve lost count of how many customers have asked for this.
  • Insider Risk Management — New indicators and policy templates built specifically around AI usage patterns. So if someone’s chucking sensitive documents into AI tools, you’ve got much better sight of it now.

The Hallway Track

I’ll be honest, half the value of Ignite is what happens between sessions. I caught up with a bunch of fellow MVPs and the conversations were brilliant. Token theft and adversary-in-the-middle attacks kept coming up — basically everyone I spoke to has been dealing with these in one form or another. There’s a collective frustration that traditional MFA just isn’t cutting it anymore, and real enthusiasm for phishing-resistant authentication as the way forward.

Tuesday evening’s community meetup was ace as always. It’s probably my favourite part of these events — putting faces to the people I interact with online all year but almost never see in person. Massive thanks to everyone who pulled it together.

New Products and Previews

A couple of announcements that caught my eye:

  • Microsoft Security Exposure Management is expanding its integrations with third-party security tools. That was one of my biggest pieces of feedback during the preview, so good to see it addressed.
  • Unified Security Operations Platform keeps pulling Sentinel and Defender XDR closer together. The portal experience is getting increasingly seamless, and I reckon within a year the line between the two will be pretty much invisible to analysts.

My Overall Take

Good Ignite for security, this one. I appreciated the focus on practical improvements over flashy demos. The AI security story is growing up, the identity capabilities are still out front, and the XDR platform keeps getting better with each release.

If I had to name one theme, it’d be convergence. Identity, endpoint, cloud, network, data — it’s all coming together into something more unified. That’s been the pitch for a while now, but this year it actually felt like it was happening rather than just being talked about on slides.

I’ll be doing deeper dives on several of these announcements over the next few weeks. If there’s anything specific you want me to dig into, drop me a message. For now though — sleep.

You can find all the Ignite sessions on demand at Microsoft Ignite and the security-specific Book of News at Microsoft Security Blog.

Share
Previous & Next
Entra ID Governance Lifecycle Workflows - Automating Joiners, Movers, and Leavers Microsoft Exposure Management - Understanding Your Attack Surface

Related Posts

Microsoft Secure 2025 - Security Announcements
5 min read

Microsoft Secure 2025 - Security Announcements

Microsoft Events
Microsoft Ignite 2024 - Chicago -Preview
5 min read

Microsoft Ignite 2024 - Chicago -Preview

Microsoft Events
Microsoft Ignite - November 2021 - Book of News
5 min read

Microsoft Ignite - November 2021 - Book of News

The link to the Book of News is here- Microsoft Ignite 2021 Book of News

Microsoft Events