
Troubleshooting Microsoft Security Copilot: 6 Common Errors and How to Fix Them

Security Copilot fails for predictable reasons. SCU exhaustion, missing RBAC roles, broken plugin configurations, and vague prompts account for the majority of support tickets. Each of these has a documented fix. This guide walks through the six most common failure modes, explains why each occurs at the infrastructure level, and provides step-by-step resolution paths. If you are already running Microsoft Security Copilot or planning to configure Security Copilot in your tenant, this is the reference to bookmark for when something breaks.

All troubleshooting procedures verified against Microsoft Learn documentation, May 2026.


Quick Diagnostic Checklist

Before digging into specific errors, run through this checklist. Most Security Copilot failures trace back to one of these four areas.

  • SCU capacity is not exhausted: Check the Azure portal usage dashboard. Confirm provisioned SCUs are not at 100% and that overage limits are configured if applicable.
  • User has required RBAC roles: The Copilot Contributor role alone is not enough. Verify product-specific roles (Sentinel Reader, Intune Endpoint Security Manager, Defender for Endpoint Security Reader).
  • Plugins are enabled and configured: Open the Sources menu. Confirm target plugins are toggled on. Click the gear icon on each plugin to verify per-user configuration (workspace ID, subscription, etc.).
  • Network connectivity is stable: Verify no proxy, firewall, or conditional access policy is blocking access to securitycopilot.microsoft.com and related Azure endpoints.

If all four items pass and the issue persists, continue to the relevant section below based on the specific error message or behavior.


SCU Exhaustion and Capacity Errors

Error message: Copilot can't respond to requests due to high usage

This error appears when 100% of provisioned Security Compute Unit (SCU) capacity has been consumed and no overage allowance is configured. It also triggers when an E5 Security licensed tenant has exhausted its monthly SCU pool.

Key figures:

  • $4 per SCU per hour
  • $6 per SCU per hour at the overage rate
  • 400 SCUs per month per 1,000 E5 users
  • ~$2,920 monthly cost for 1 continuously provisioned SCU

Root cause

SCU capacity operates on fixed clock-hour blocks (e.g., 9:00-10:00, 10:00-11:00). If your team burns through all provisioned capacity within a block, Copilot stops responding until the next hour starts. For E5 tenants, the allocation of 400 SCUs per 1,000 users (capped at 10,000 users) is a hard monthly ceiling with no overage billing option.

Resolution steps

  • Standalone deployments: The Azure capacity owner can increase provisioned SCUs in the Azure portal. You can also configure an overage limit to allow burst usage at the $6/SCU/hour rate instead of hard-stopping.
  • E5 deployments: Wait for the hourly capacity refresh, or provision additional standalone SCUs alongside the E5 allocation to handle peak investigation periods.
  • Monitoring: Use the Security Copilot usage dashboard to track consumption patterns. Identify which analysts or promptbooks consume the most SCUs and schedule high-consumption tasks outside peak hours.

Cost context: One continuously provisioned SCU costs approximately $2,920 per month ($4 x 730 hours). Overage at $6/hour adds up fast during incident response surges. Track usage before scaling up.


Authentication and Data Access Failures

Symptoms: User logs in successfully but sees blank results, incomplete summaries, or errors when querying specific products like Sentinel, Intune, or Defender.

Security Copilot uses On-Behalf-Of (OBO) authentication. This means every query Copilot runs against a security product inherits the permissions of the user who typed the prompt. Copilot does not have its own elevated access. If your account cannot read Sentinel data directly, Copilot cannot read it on your behalf either.

The RBAC gap most teams miss

The Copilot Contributor role grants access to the Security Copilot portal itself. It does NOT grant access to underlying security data in any Microsoft product. This is the most common misconception. A user with only the Copilot Contributor role will see the interface, can type prompts, and will receive blank or error responses for any query that requires product-level data.

OBO: On-Behalf-Of authentication means Copilot inherits the user's exact access scope. No extra permissions, no elevated access. What you can see, Copilot can see. What you cannot see, Copilot cannot access.

Required RBAC roles by product

  • Microsoft Sentinel: Sentinel Reader (minimum for read queries), Sentinel Contributor (for write operations like updating incidents)
  • Microsoft Intune: Intune Endpoint Security Manager
  • Microsoft Defender for Endpoint: Security Reader
  • Microsoft Defender XDR: Security Reader at the Microsoft Defender portal level

Resolution workflow

  • Confirm the user has the Copilot Contributor or Copilot Owner role in Security Copilot settings.
  • Identify which product the user is querying (Sentinel, Intune, Defender, etc.).
  • Assign the corresponding product-level RBAC role listed above.
  • Wait 5-10 minutes for role propagation, then retry the query.
  • If blank results persist, verify the user can access the same data directly in the product's own portal (e.g., go to Sentinel and run the query manually).

Security best practice: Remove the "Everyone" group from Contributors in Security Copilot. Use Microsoft's recommended security roles instead, and assign product-level RBAC only to analysts who need specific data access. This follows least-privilege principles and reduces the blast radius of compromised accounts.
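The OBO model means the "will this query return anything?" question can be answered before the user types a prompt, from the role assignments alone. The following is an added example, not Microsoft's code: a preflight check that encodes the role table above and predicts the symptom the article describes (portal access but blank results). The role assignments are constructed sample data for hypothetical users, and the product keys (sentinel, intune, defender_endpoint, defender_xdr) are this example's own naming. Passing several products at once is the same check the agent-permissions section later in this guide asks for, since an agent queries every product in its workflow under the triggering user's identity.

```python
"""Preflight check for On-Behalf-Of (OBO) queries: does this user actually hold the
product-level roles that the products they are about to query require?

Added example, not Microsoft's code. The role table mirrors the article's list;
the assignments below are constructed sample data (hypothetical users).
"""
from dataclasses import dataclass

# Roles that grant access to the Security Copilot portal itself (no data access).
PORTAL_ROLES = {"Copilot Contributor", "Copilot Owner"}

# Product-level roles, any one of which satisfies a read query for that product.
# Sentinel Contributor is needed for write operations and also covers read;
# this check only models read access.
READ_ROLES = {
    "sentinel": {"Sentinel Reader", "Sentinel Contributor"},
    "intune": {"Intune Endpoint Security Manager"},
    "defender_endpoint": {"Security Reader"},
    "defender_xdr": {"Security Reader"},
}


@dataclass(frozen=True)
class Assignment:
    principal: str  # user principal name
    role: str       # role definition name


def roles_held(principal, assignments):
    """All role names assigned to the principal (case-insensitive UPN match)."""
    return {a.role for a in assignments if a.principal.lower() == principal.lower()}


def preflight(principal, products, assignments):
    """Predict what an OBO query will do for this user against the given products.

    Returns a dict with:
      portal_ok  - user can open Security Copilot at all
      missing    - product -> roles that would satisfy it (empty when all good)
      verdict    - short diagnosis matching the article's symptoms
    """
    unknown = [p for p in products if p not in READ_ROLES]
    if unknown:
        raise ValueError(f"no role mapping for product(s): {unknown}")
    held = roles_held(principal, assignments)
    portal_ok = bool(held & PORTAL_ROLES)
    missing = {p: sorted(READ_ROLES[p]) for p in products if not held & READ_ROLES[p]}
    if not portal_ok:
        verdict = "cannot sign in to Security Copilot: no Copilot Contributor/Owner role"
    elif missing:
        verdict = "portal access only: expect blank results for " + ", ".join(sorted(missing))
    else:
        verdict = "ok"
    return {"portal_ok": portal_ok, "missing": missing, "verdict": verdict}


# Constructed sample assignments for a hypothetical tenant.
SAMPLE_ASSIGNMENTS = [
    Assignment("analyst@example.com", "Copilot Contributor"),
    Assignment("lead@example.com", "Copilot Contributor"),
    Assignment("lead@example.com", "Sentinel Reader"),
    Assignment("lead@example.com", "Security Reader"),
]

if __name__ == "__main__":
    for user in ("analyst@example.com", "lead@example.com", "contractor@example.com"):
        result = preflight(user, ["sentinel", "defender_endpoint"], SAMPLE_ASSIGNMENTS)
        print(f"{user}: {result['verdict']}")
```

Run against a real export of role assignments, the "portal access only" verdict is the one to look for first when a ticket says "Copilot shows nothing": it is resolved by assigning the listed product role, not by touching the Copilot roles.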



Plugin Connectivity Issues

Symptom: Copilot fails to retrieve information from a specific tool (Sentinel, Shodan, VirusTotal, or a custom plugin) while other plugins work normally.

Security Copilot plugins fall into three categories, and each has its own failure mode:

Preinstalled Microsoft plugins

These are built into Security Copilot (Sentinel, Defender, Intune, Entra). They are enabled by default but require per-user configuration. The most common failure: the plugin is toggled on, but the workspace ID or subscription is not set for the specific user.

Fix: Open the Sources menu in Security Copilot. Click the gear icon next to the plugin. Enter the required Sentinel workspace ID, Azure subscription ID, or tenant-specific parameters. Each user must configure this separately.

Third-party plugins

Plugins like Shodan, VirusTotal, and CIRCL require API keys or accounts configured per user. If the API key is expired, rate-limited, or misconfigured, that specific plugin will fail silently while others continue working.

Fix: Verify the API key is valid and not rate-limited. Re-enter credentials through the plugin's gear icon. Test with a simple query to confirm connectivity before complex workflows.

Custom plugins

Organizations can build custom plugins that connect to internal APIs or services. These have the most failure modes: authentication mismatches, URL changes, certificate expiration, and network policy blocks.

Fix: Verify the endpoint URL is reachable from Azure (not just your local network). Check that the authentication method matches what the API expects. Review the plugin manifest for schema changes.

Plugin availability restrictions

Plugin Owners can restrict a plugin's availability to "Owners only." When this setting is active, Contributors cannot use the plugin even if it appears in their Sources menu. If a user reports that a plugin is visible but returns no results, check the availability setting before troubleshooting RBAC or connectivity.


Prompt Efficiency and Cost Optimization

SCU consumption is directly tied to prompt quality. Vague prompts force Copilot through multiple reasoning cycles, and each cycle burns compute capacity.

3x: Vague prompts consume approximately 3x the SCUs of specific, well-scoped prompts. The pattern: broad reasoning, refine, reason again, refine again.

The vague prompt anti-pattern

Here is the consumption pattern that costs organizations the most:

  • Analyst types a vague prompt ("Tell me about threats in my environment")
  • Copilot triggers broad reasoning across multiple data sources
  • Result is too general; analyst refines with a follow-up prompt
  • Copilot reasons again with slightly narrower scope
  • Analyst refines again
  • Three reasoning cycles consumed where one specific prompt would have worked

Specific prompt examples

Instead of: "What threats are in my environment?"

Use: "Show me high-severity incidents from Microsoft Sentinel created in the last 24 hours that involve lateral movement techniques."

Instead of: "Analyze this IP address"

Use: "Check IP 203.0.113.42 against Defender Threat Intelligence. Return reputation score, associated campaigns, and WHOIS data."

Promptbooks for repeatable workflows

Promptbooks are pre-built prompt sequences that run a defined set of queries in order. They eliminate the vague-prompt cycle by encoding specific, tested prompt chains. Use promptbooks for:

  • Incident triage workflows that always need the same data points
  • Vulnerability assessment sequences run on a regular schedule
  • Threat intelligence lookups with consistent output formatting
  • Compliance checks against a standard query set

SCU consumption tracking

The Security Copilot usage dashboard shows consumption by user, by session, and by time period. Review this data weekly to identify analysts who consistently burn disproportionate SCUs. This is not a performance management tool; it is a training signal. Analysts burning 3x average are likely using vague prompts and need prompt engineering guidance.
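The dashboard review described here, and the clock-hour capacity model from the SCU exhaustion section, are both simple enough to reproduce from an export of usage records. The block below is an added example, not the dashboard's own logic: it rolls constructed sample records into clock-hour blocks, applies the provisioned capacity and overage allowance to show which hours would have hit the "high usage" error, prices the result at the article's $4 and $6 per SCU-hour rates, and flags analysts whose total consumption exceeds 3x the per-user average. The record format (timestamp, user, SCUs) and the usernames are assumptions for the example.

```python
"""SCU usage analysis over exported usage records, added as an example (not the
Security Copilot dashboard's own logic). It models the two behaviours the article
describes: clock-hour capacity blocks with an optional overage allowance, and
per-analyst consumption compared with the team average. Records are constructed
sample data; the prices come from the article.
"""
from collections import defaultdict
from datetime import datetime

PROVISIONED_RATE = 4.0   # USD per SCU per hour, provisioned capacity
OVERAGE_RATE = 6.0       # USD per SCU per hour beyond provisioned capacity

# Constructed records: (timestamp, user, SCUs consumed by that prompt or session).
SAMPLE_RECORDS = [
    ("2026-05-28T09:05:00", "alice", 1.0), ("2026-05-28T09:20:00", "bob", 0.3),
    ("2026-05-28T09:31:00", "carol", 0.2), ("2026-05-28T09:40:00", "dan", 0.2),
    ("2026-05-28T09:55:00", "erin", 0.1),
    ("2026-05-28T10:02:00", "alice", 2.0), ("2026-05-28T10:15:00", "bob", 0.4),
    ("2026-05-28T10:30:00", "carol", 0.2), ("2026-05-28T10:44:00", "dan", 0.2),
    ("2026-05-28T10:58:00", "erin", 0.1),
    ("2026-05-28T11:03:00", "alice", 2.8), ("2026-05-28T11:10:00", "bob", 0.3),
    ("2026-05-28T11:25:00", "carol", 0.2), ("2026-05-28T11:41:00", "dan", 0.1),
    ("2026-05-28T11:50:00", "erin", 0.1),
]


def monthly_cost(provisioned_scus, hours=730):
    """Flat cost of keeping N SCUs provisioned for a month of 730 hours."""
    return provisioned_scus * PROVISIONED_RATE * hours


def hour_block(ts):
    """Map a timestamp to the clock-hour block it falls in (09:12 -> 09:00)."""
    start = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
    return start.strftime("%Y-%m-%dT%H:00")


def capacity_report(records, provisioned, overage_limit=0.0):
    """Per-block consumption against provisioned capacity plus an overage allowance.

    A block is 'throttled' when requests exceed provisioned + overage_limit: that is
    the point at which users see the 'high usage' error until the next hour starts.
    """
    totals = defaultdict(float)
    for ts, _user, scus in records:
        totals[hour_block(ts)] += scus
    blocks, overage_scus = {}, 0.0
    for block in sorted(totals):
        total = totals[block]
        overage = min(max(total - provisioned, 0.0), overage_limit)
        unserved = max(total - provisioned - overage_limit, 0.0)
        overage_scus += overage
        blocks[block] = {"requested": round(total, 3), "overage": round(overage, 3),
                         "unserved": round(unserved, 3), "throttled": unserved > 0}
    return {"blocks": blocks,
            "provisioned_cost": round(provisioned * PROVISIONED_RATE * len(blocks), 2),
            "overage_cost": round(overage_scus * OVERAGE_RATE, 2),
            "throttled_blocks": [b for b, v in blocks.items() if v["throttled"]]}


def heavy_consumers(records, factor=3.0):
    """Users whose total consumption exceeds `factor` times the per-user average.

    Returns (user, total_scus, ratio_to_average), heaviest first. The average is
    over all users, so one heavy user raises the bar for everyone else.
    """
    per_user = defaultdict(float)
    for _ts, user, scus in records:
        per_user[user] += scus
    average = sum(per_user.values()) / len(per_user)
    return [(user, round(total, 3), round(total / average, 2))
            for user, total in sorted(per_user.items(), key=lambda kv: -kv[1])
            if total > factor * average]


if __name__ == "__main__":
    report = capacity_report(SAMPLE_RECORDS, provisioned=2, overage_limit=1.0)
    for block, info in report["blocks"].items():
        print(block, info)
    print("overage cost:", report["overage_cost"], "throttled:", report["throttled_blocks"])
    print("heavy consumers:", heavy_consumers(SAMPLE_RECORDS))
    print("one continuous SCU per month:", monthly_cost(1))
```

With 2 provisioned SCUs and a 1 SCU overage allowance, the sample data spends into overage at 10:00 and is throttled at 11:00, and one analyst accounts for well over 3x the average. Those are the two signals the article says to act on: raise capacity or the overage limit for the throttled hours, and give the heavy consumer prompt guidance rather than more SCUs.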


Agent Troubleshooting

Security Copilot agents (both built-in and custom) introduce their own failure modes beyond standard prompt-and-response issues.

Agent SCU consumption

Agents run multi-step workflows that consume SCUs at each step. A single agent invocation can trigger 5-10 individual operations (data retrieval, reasoning, action execution), each consuming capacity. During incident response, multiple agents running simultaneously can exhaust SCU capacity faster than individual analyst sessions.

Fix: Monitor agent-specific SCU consumption in the usage dashboard. Set agent concurrency limits if available. Prioritize critical agents during capacity-constrained periods and pause non-essential automation.

Agent permissions

Agents inherit the permissions of the user or service principal that deployed them. If an agent was deployed by an admin with broad access but a regular analyst triggers it, the agent runs with the analyst's permissions (OBO model), not the admin's. This is a security feature, not a bug, but it causes confusion when agents work for admins and fail for analysts.

Fix: Verify that all intended users of an agent have the required RBAC roles for every product the agent queries. Document the minimum role set required for each agent in your runbook.

Partner agent licensing

Third-party agents from security vendors may require separate licensing or API entitlements beyond the Security Copilot subscription. If a partner agent fails with authentication errors, check whether the partner's service requires its own license or API key configured at the tenant level.


KQL and Code Generation Accuracy

Security Copilot generates KQL (Kusto Query Language) queries, PowerShell scripts, and MITRE ATT&CK technique mappings. All of these are probabilistic outputs, not deterministic lookups. The AI generates what it predicts is correct based on your prompt and the data schema it has indexed.

When generated code fails

Symptom: Generated KQL queries return unexpected results or throw syntax errors when pasted into Sentinel.

Root cause: The AI may reference table names, column names, or functions that do not exist in your specific workspace. It may also generate syntactically valid KQL that logically queries the wrong data set.

Validation workflow

  • Step 1: Read the generated query before executing it. Verify that table names match your actual Sentinel workspace schema.
  • Step 2: Run the query in Sentinel's Log Analytics with a narrow time window first (e.g., last 1 hour) to validate output format.
  • Step 3: Compare results against known-good manual queries for the same data set.
  • Step 4: Only after validation, use the query in production or in automated workflows.
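Steps 1 and 2 of this workflow can be enforced mechanically before a query is ever pasted into Log Analytics. The block below is an added example (not Sentinel's or Copilot's own validation): it parses a single-pipeline KQL query, checks the source table and every column reference against a workspace schema, suggests the closest real name for anything unknown, reports whether the query is already time-scoped, and can insert a narrow `ago(1h)` window right after the table. The schema is a constructed subset (real Sentinel table names, but only a handful of each table's columns), the sample queries are constructed to resemble typical generated output, and the parser deliberately handles only `Table | op | op ...` queries, not `let` statements or multi-statement scripts.

```python
"""Pre-execution checks for Copilot-generated KQL, added as an example (not Sentinel's
or Copilot's own validation). Implements steps 1 and 2 of the validation workflow:
verify table and column names against a workspace schema before running the query,
and force a narrow time window. The schema is a constructed subset and the sample
queries are constructed; only single tabular expressions are handled.
"""
import difflib
import re

# Constructed schema subset: real table names, a few columns each.
WORKSPACE_SCHEMA = {
    "SecurityEvent": {"TimeGenerated", "Computer", "Account", "EventID", "Activity"},
    "SigninLogs": {"TimeGenerated", "UserPrincipalName", "IPAddress", "ResultType", "AppDisplayName"},
    "SecurityIncident": {"TimeGenerated", "Title", "Severity", "Status", "IncidentNumber"},
}

# Operators and keywords that must not be mistaken for column references.
KQL_KEYWORDS = {
    "where", "project", "project-away", "project-rename", "extend", "summarize", "by",
    "and", "or", "not", "in", "has", "has_any", "contains", "startswith", "endswith",
    "matches", "regex", "between", "order", "sort", "asc", "desc", "take", "limit",
    "distinct", "top", "true", "false", "union", "join", "on", "kind", "nulls", "first", "last",
}
STRING_LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")
# An identifier, plus whether '(' follows it (then it is a function call, not a column).
IDENT = re.compile(r"(?<![A-Za-z0-9_])([A-Za-z_][A-Za-z0-9_]*(?:-[a-z]+)?)(\s*\()?")
DEFINES = re.compile(r"\b([A-Za-z_]\w*)\s*=(?![=~])")  # 'Name = expr' in extend/summarize


def split_pipeline(query):
    """Split on top-level '|' while leaving string literals intact."""
    segments, buf, quote = [], [], None
    for ch in query:
        if quote:
            buf.append(ch)
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch == "|":
            segments.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    segments.append("".join(buf).strip())
    return [s for s in segments if s]


def validate_kql(query, schema=WORKSPACE_SCHEMA):
    """Report unknown table/columns (with closest real names) and time scoping."""
    segments = split_pipeline(query)
    table = segments[0].split()[0] if segments else ""
    report = {"table": table, "table_known": table in schema,
              "table_suggestion": None, "unknown_columns": {}, "time_scoped": False}
    if table not in schema:
        close = difflib.get_close_matches(table, list(schema), n=1)
        report["table_suggestion"] = close[0] if close else None
        return report  # column checks are meaningless without a known table
    known = set(schema[table])
    for seg in segments[1:]:
        stripped = STRING_LITERAL.sub("''", seg)
        op = stripped.split()[0].lower()
        if op in ("extend", "summarize"):
            known.update(DEFINES.findall(stripped))  # columns this operator introduces
        for name, paren in IDENT.findall(stripped):
            if paren or name.lower() in KQL_KEYWORDS:
                continue
            if name == "TimeGenerated" and op == "where" and "ago(" in stripped:
                report["time_scoped"] = True
            if name in known or name in report["unknown_columns"]:
                continue
            close = difflib.get_close_matches(name, sorted(known), n=1)
            report["unknown_columns"][name] = close[0] if close else None
    return report


def scope_to_window(query, window="1h"):
    """Step 2: insert a narrow time filter immediately after the source table."""
    segments = split_pipeline(query)
    return "\n| ".join([segments[0], f"where TimeGenerated > ago({window})"] + segments[1:])


# Constructed queries shaped like typical generated output.
GENERATED_OK = ('SecurityIncident\n| where TimeGenerated > ago(24h)\n'
                '| where Severity == "High"\n| project IncidentNumber, Title, Status')
GENERATED_BAD_TABLE = "SecurityEvents\n| where EventID == 4624"
GENERATED_BAD_COLUMN = ('SecurityEvent\n| where EventId == 4624 and Account !has "$"\n'
                        '| summarize Logons = count() by Computer')

if __name__ == "__main__":
    for q in (GENERATED_OK, GENERATED_BAD_TABLE, GENERATED_BAD_COLUMN):
        print(validate_kql(q))
    print(scope_to_window(GENERATED_BAD_COLUMN))
```

The two failure cases are the ones the root-cause paragraph names: a plausible but non-existent table (`SecurityEvents` for `SecurityEvent`) and a mis-cased column (`EventId` for `EventID`), both of which would either error out or silently query nothing. Feed the checker the real table and column list exported from your own workspace, since a schema that is missing custom tables will flag legitimate queries.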

MITRE ATT&CK mapping caveats

Copilot maps detected behaviors to MITRE ATT&CK techniques, but these mappings are probabilistic. A behavior flagged as T1059 (Command and Scripting Interpreter) may be a legitimate admin task. The mapping indicates a pattern match, not a confirmed attack. Always cross-reference technique mappings with your incident context before taking defensive action.

Do not automate unvalidated code. Never pipe Copilot-generated KQL directly into automated response workflows without human review. A syntactically valid query that targets the wrong data set can trigger false positive responses or miss actual threats.


Environment and Compatibility Constraints

Some Security Copilot failures are not bugs. They are hard constraints of the platform that cannot be worked around.

  • No Government Cloud Support: Security Copilot is not available in GCC, GCC High, DoD, or Azure Government environments. There is no workaround and no announced timeline for government cloud availability.
  • OBO Authentication Boundary: On-Behalf-Of auth cannot be elevated or bypassed. Copilot will always have exactly the permissions of the logged-in user. Service accounts with broad access are a security risk and should not be used to work around RBAC limitations.
  • Tenant Lock: Security Copilot is bound to a single Microsoft Entra ID tenant. Cross-tenant queries are not supported. Multi-tenant organizations must provision and manage separate instances per tenant.
  • Permanent Capacity Deletion: Deleting a Security Copilot capacity in Azure is permanent. All session data, custom promptbooks, and plugin configurations are destroyed. There is no recovery option. Always document your configuration before making capacity changes.
  • IoT/OT Not Supported: Security Copilot does not support IoT or OT (Operational Technology) environments. If your security operations include industrial control systems, SCADA, or IoT device monitoring, those data sources cannot be queried through Copilot.
  • English-Optimized: Security Copilot is optimized for English. Other languages may produce reduced accuracy, especially for technical security terminology, KQL generation, and MITRE ATT&CK technique mapping.

Escalation and Support Paths

When self-service troubleshooting does not resolve the issue, here are the escalation options.

  • Step 1, run the diagnostic checklist: Verify SCU capacity, RBAC roles, plugin configuration, and network connectivity using the checklist above.
  • Step 2, document the error: Capture the exact error message, the prompt used, the user's role assignments, and the timestamp. Include screenshots of the usage dashboard.
  • Step 3, check Microsoft service health: Verify there is no active service incident for Security Copilot in the Microsoft 365 Service Health Dashboard before opening a support case.
  • Step 4, open a Microsoft support case: File a support request through the Azure portal or Microsoft 365 admin center. Include all documentation from Step 2. Severity should match business impact.
  • Step 5, engage community resources: Microsoft Tech Community (Security Copilot forum), GitHub discussions, and your Microsoft account team for escalation beyond standard support.

Capacity deletion warning: If you are considering deleting and re-provisioning a Security Copilot capacity as a troubleshooting step, be aware that deletion is permanent. All session history, promptbooks, and plugin configurations are destroyed with no recovery option. Document everything first.


Frequently Asked Questions

Your provisioned SCU capacity is 100% consumed with no overage allowance, or your E5 monthly pool is exhausted. The capacity owner needs to increase provisioned SCUs or raise the overage limit in Azure. SCU capacity refreshes on fixed clock-hour blocks.

Blank results almost always indicate missing RBAC roles. The Copilot Contributor role only grants portal access, not data access. You need product-specific roles like Sentinel Reader or Intune Endpoint Security Manager assigned to your account. Also verify that per-user plugin configuration (workspace ID, subscription) is complete.

Check three things in order: (1) Is the plugin toggled on in the Sources menu? (2) Is per-user configuration complete (click the gear icon)? (3) Has the Owner restricted the plugin to "Owners only"? For third-party plugins, also verify that the API key is valid and not rate-limited.

No. Security Copilot is not available in GCC, GCC High, DoD, or Azure Government environments. There is no workaround and no announced availability date for government cloud support.

Write specific, well-scoped prompts instead of vague questions. Use promptbooks for repetitive workflows to eliminate multi-cycle reasoning. Monitor the usage dashboard to identify analysts with disproportionate consumption and provide prompt engineering training.

Not without validation. Generated queries are probabilistic outputs that may reference incorrect table names, column names, or functions. Always test in a narrow time window, compare results against known-good queries, and validate before using in production workflows or automation.

Capacity deletion is permanent. All session data, custom promptbooks, and plugin configurations are destroyed with no recovery option. Always export your promptbooks and document plugin configurations before making any capacity changes.

Fact-checked against vendor documentation and official sources, May 2026
Data verified: 2026-05-28. Microsoft Security Copilot, Microsoft Sentinel, Microsoft Intune, Microsoft Defender, Microsoft Entra ID, Azure, Microsoft 365, and Microsoft Copilot are trademarks of Microsoft Corporation. MITRE ATT&CK is a registered trademark of The MITRE Corporation. All product names used for identification purposes only.