Access your Microsoft Intune data in Copilot for Security

Copilot for Security is a cloud-based AI platform that provides a natural language Copilot experience. It can help support security professionals in different scenarios, like incident response, threat hunting, and intelligence gathering. For more information about what it can do, go to What is Microsoft Copilot for Security?.

Copilot for Security integrates with your Microsoft Intune data.

If you use Microsoft Intune in the same tenant as Copilot for Security, then you can use Copilot for Security to get insights about your Intune data.

There are Intune capabilities built into Copilot for Security, and you can use prompts to get more information, including:

  • Information about your devices, apps, compliance & configuration policies, and policy assignments managed in Intune
  • Managed device attributes and hardware details
  • Issue with specific devices and compare a working & non-working device

This article shows you how to access your Microsoft Intune data in Copilot for Security and includes sample prompts.

Security admin focus

Copilot for Security has a Security Operations Center (SOC) or security admin focus. So, if you're a SOC analyst or security admin, then you can use Copilot for Security to get the security posture of devices that Intune manages.

For example, there's a user or device that is showing signs of malicious intent. Also, you notice some events are happening after the malicious intent, like an unknown device enrolling in Intune. Maybe someone is trying to use stolen credentials to enroll and get access. You need to get more information.

In Copilot for Security, you can use the Intune capabilities to get more information, like:

  • Ask about a specific device, get all the properties about that device, including the device name, device ID, and device manufacturer.
  • Determine when the device is enrolled in Intune.
  • Find the primary user of a device
  • Determine the type of device, like a laptop or mobile phone.
  • Check the compliance status, especially if a device is noncompliant, and why it's noncompliant.

In Microsoft Defender, you can use this information, including the device type, to determine your next steps. For example, you might take different actions based on the type of device (laptop vs. mobile phone vs. tablet). Copilot for Security can also give you a link to the device in Microsoft Defender, so you can run any Defender actions.

What you need to know

Open Copilot for Security and enable Intune

To use the Intune capabilities in Copilot for Security, enable the Intune plugin.

  1. Go to Microsoft Copilot for Security and sign in with your credentials.

  2. In the prompt bar, select Sources (right corner).

    Screenshot that shows the plugin sources that are available, enabled, and disabled in Microsoft Copilot for Security.

  3. In Manage sources, turn on Microsoft Intune:

    Screenshot that shows the Microsoft Intune plug-in source is enabled in Microsoft Copilot for Security.

    Note

    Some roles can enable or disable plugins. For more information, go to Manage plugins in Microsoft Copilot for Security.

Use the built-in features

In Copilot for Security, there are built in system features that are helpful for Intune admins. For a walkthrough of Copilot for Security, go to Navigating Microsoft Copilot for Security.

This section describes some of the features that are helpful for Intune admins.

System capabilities

Capabilities are built-in features that can get data from the different plugins that you enable, including Microsoft Intune. When you use a prompt to ask something about your Intune data, like apps assigned to a user or device details, your prompts use these Intune capabilities.

To view the list of Intune built-in system capabilities for Intune, use the following steps:

  1. In the Copilot for Security portal prompt bar, select the Copilot prompts icon > See all system capabilities.

    Screenshot that shows how to select the prompts icon and system capabilities in Microsoft Copilot for Security.

  2. In the Microsoft Intune section, there's a list of all the built-in capabilities for Intune. You can select any of the capabilities and get more information about that capability.

Sessions

When you use prompts in the Microsoft Intune admin center or in the Copilot for Security portal, the sessions are saved. To see the saved sessions, use the following steps:

  1. In the Copilot for Security portal, go to the menu > My sessions.

    Screenshot that shows the Microsoft Copilot for Security menu and My sessions with previous sessions in Copilot for Security portal.

  2. When you select a session, your previous prompts and results are shown. Every session also has a session ID in the URL. You can share this session ID with others to review the same prompt session.

    For example, your session ID is something like https://securitycopilot.microsoft.com/sessions/023d1c61-f3c7-4702-8924-075a1058900d.

Sample prompts for Intune

You can create your own prompts in Copilot for Security to get information about your Intune data. This section lists some ideas and examples.

Before you begin

  • Be clear and specific with your prompts. You might get better results if you include specific device IDs or names, app names, or policy names in your prompts.

    It might also help to add Intune to your prompt, like:

    • According to Intune, how many devices were enrolled this week?
    • Tell me about Intune devices for (user name).
  • Experiment with different prompts and variations to see what works best for your use case. Chat AI models vary, so iterate and refine your prompts based on the results you receive.

    You can also save your prompts in a promptbook for future use. For more information, go to:

General information about your Intune data

Get general information about your Intune data, like the number of devices, apps deployed, platform versions of your devices, and more.

Sample prompts:

  • What apps are added to Intune?
  • What Intune apps are assigned the most?
  • How many devices were enrolled in Intune in the last 24 hours?
  • Tell me about Intune devices for Jon Smith.

Policy targets

Get details on policy targets, like the groups that have a specific app assigned or how many users have a specific app assigned.

Sample prompts:

  • How many users is ContosoApp assigned to?
  • Which groups are ContosoApp assigned to?
  • How many apps are assigned to the device ID Enter the device ID in Intune?
  • Why is the "Allow Microsoft Store App to auto update" policy applying to DeviceA?
  • Tell me about Intune devices for user UserA.
  • Why is PolicyA applying on DeviceB?

Specific devices

Get information about a specific device, like its group memberships and the apps assigned to it.

Sample prompts:

  • What devices are used by [email protected]?
  • What groups is DeviceA in?
  • Tell me about DeviceA.
  • Who is the primary user for DeviceA?
  • Is ContosoApp installed on DeviceA?
  • Show me discovered apps on DeviceA.

Similarities and differences

Get the similarities and differences between two devices, like the compliance policies, hardware, and device configurations assigned to both devices.

Sample prompts:

  • What is the hardware configuration difference between the DeviceA and DeviceB devices?
  • What are the similarities in compliance policies between the DeviceA and DeviceB devices?
  • What is the difference in device configuration profile between the DeviceA and DeviceB devices?
  • Compare installed applications on DeviceA and DeviceB.

Provide feedback

Your feedback on the Intune integration with Copilot for Security helps with development. To provide feedback, in Copilot for Security, use the feedback buttons at the bottom of each completed prompt.

Screenshot that shows how to submit feedback on the prompt results in Microsoft Copilot for Security.

Whenever possible, and when the result isn't what you expect, write a few words explaining what can be done to improve the outcome. If you entered Intune-specific prompts and the results aren't Intune related, then include that information.

Data processing and privacy

For more information about data privacy in Copilot for Security, go to Privacy and data security in Microsoft Copilot for Security.

When you interact with the Security Copilot to get Intune data, the Security Copilot pulls that data from Intune. The prompts, the Intune data that's retrieved, and the output shown in the prompt results is processed and stored within the Security Copilot service.

When you use Copilot for Security to get Intune data, Copilot for Security also has access to the data and permissions defined by the RBAC roles and Intune scope tags assigned to you.