Microsoft Defender adds AI-driven identity protection and unified threat visibility.
As cyberattacks grow faster and more identity‑driven, Microsoft is enhancing how organizations defend their digital environments. At RSA 2026, the company announced major Microsoft Defender and Security Copilot updates to help organizations defend against the latest threats.
Microsoft emphasizes that modern attacks increasingly start with identity compromise, especially as organizations manage dozens of human, non‑human, and AI-driven identities per user. Microsoft Defender is evolving from reactive detection to a continuous, end‑to‑end identity security approach that improves posture, detects threats earlier, and responds automatically.
Microsoft Defender has introduced broader identity coverage across cloud services, SaaS apps, and on‑prem environments. A new identity security dashboard provides a unified hub to monitor the most important posture gaps, active exposures, and identity risk. There is also a unified risk score that helps security teams assess risk across all accounts and identity types.
Microsoft Defender now strengthens identity protection by using agentic AI in two ways. First, it uses the new Security Alert Triage Agent to automatically triage large volumes of identity-related alerts, distinguish real threats from false positives, and provide clear, explainable decisions for analysts. Second, predictive shielding anticipates attacker behavior and automatically applies just‑in‑time protections to block lateral movement within enterprise networks.
Additionally, Microsoft Defender now addresses voice‑based attacks in Microsoft Teams, such as impersonation and social engineering calls. Users receive real‑time warnings during suspicious calls, and security teams gain investigation and hunting capabilities for call-based threats.
The new Protection & Posture Insights report provides tenant‑specific data on phishing, spam, and malware activity. It helps organizations demonstrate security effectiveness, receive tailored policy recommendations, and communicate results to business leaders without manual reporting effort.
Lastly, Microsoft is expanding Security Copilot with a Security Alert Triage Agent that covers identity, phishing, and cloud alerts. Moreover, a new Security Analyst Agent performs deep, multi‑step investigations and surfaces high‑risk threats with supporting evidence. A built‑in chat experience for Security Copilot within Microsoft Defender reduces tool switching and speeds investigations.