How to Configure Microsoft Security Copilot: 5-Step Setup Guide
Microsoft Security Copilot turns natural language prompts into security operations workflows, pulling data from Defender XDR, Sentinel, Entra, Intune, and Purview in a single interface. Setting it up requires provisioning Azure capacity, assigning the right roles, and connecting the right plugins before anyone on your security team can run a single prompt. This guide walks through all five steps from zero to a working Security Copilot environment, covering both standalone purchases and the E5/E7 auto-provisioning path.
All facts verified against Microsoft Learn Security Copilot documentation, May 2026.
Prerequisites Checklist
Before you open securitycopilot.microsoft.com, confirm you have the following. Missing any one of these will block setup at different stages.
Step 1: Verify Your Azure Subscription
If you are a Microsoft 365 E5 or E7 customer, Microsoft auto-provisions Security Copilot for your tenant. You do not need an Azure subscription, and you can skip this step entirely. You will receive a 7-day advance notification before auto-provisioning begins.
For standalone purchases, sign in to portal.azure.com and navigate to Subscriptions. Confirm you have an active subscription. If you do not have one, select Add to create a free Azure account. You will need the subscription ID later when provisioning SCU capacity.
While in the Azure portal, verify your role on the target subscription. Go to the subscription, select Access control (IAM), then View my access. You need Contributor or Owner at the subscription or resource group level. If you do not see either role, your Azure administrator must grant it before you can provision Security Copilot capacity.
Step 2: Confirm Your Microsoft Entra ID Roles
Microsoft Entra role membership is managed exclusively from the Microsoft Entra admin center. Sign in, navigate to Users, select your account, and check Assigned roles. You need one of these Entra roles to complete onboarding:
- Global Administrator
- Security Administrator
- Billing Administrator
- Intune Administrator
- Entra Compliance Administrator
These five Entra roles automatically inherit Copilot Owner access inside Security Copilot. If you hold one of them, you do not need a separate Copilot role assignment. Three Purview roles also inherit Copilot Owner: Purview Compliance Administrator, Purview Data Governance Administrator, and Purview Organization Management.
Do not assign Security Administrator to users solely for Copilot access. That role carries broad permissions across the Microsoft security stack. Instead, create a dedicated Entra security group and add it to the Copilot Contributor role after setup is complete.
Step 3: Choose Your Licensing Path
This decision determines your entire provisioning workflow. There are two paths, and they are mutually exclusive:
- Standalone SCU purchase: You provision Security Compute Units at $4/SCU/hour through the Security Copilot portal or Azure portal. Minimum 1 SCU required. Microsoft recommends 3 SCUs with unlimited overage for an introductory exploration. You control capacity and cost directly.
- E5/E7 auto-provisioning: Microsoft provisions 400 SCUs per 1,000 users (capped at 10,000 SCUs) automatically. No Azure subscription or manual capacity setup required. If you exceed the included SCUs, overage units bill at $6/SCU/hour.
If you are unsure which license your organization holds, check the Microsoft 365 admin center under Billing > Your products. Look for Microsoft 365 E5 Security or Microsoft 365 E7 in your active subscriptions.
Check your license BEFORE you open securitycopilot.microsoft.com. The onboarding wizard does not ask which licensing path you want. It launches directly into standalone SCU provisioning — Azure subscription, resource group, capacity name, SCU count — with no prompt to verify whether your tenant qualifies for E5/E7 auto-provisioning. If you are an E5 or E7 customer, you do not need to provision anything manually. Microsoft auto-provisions your capacity after a 30-day notification period. Completing the standalone wizard when you have E5 creates a separate, billed capacity ($4/SCU/hour) that runs alongside your included allocation. Deleting it is permanent and requires the Security Administrator role. Verify your license at admin.microsoft.com → Billing → Your products before touching the Security Copilot portal.
Step 4: Verify Security Product Deployment
Security Copilot does not require any specific Microsoft security product to function. However, its value is directly tied to what telemetry it can reach. At minimum, verify one of these is operational:
- Microsoft Defender XDR: Sign in to security.microsoft.com. If the portal loads with incident data, Defender is operational. After Copilot is provisioned, the Copilot button appears in the top navigation bar.
- Microsoft Sentinel: In the Azure portal, search for Microsoft Sentinel and confirm you have at least one active workspace. Note the workspace name and subscription ID. You will need both when configuring the Sentinel plugin inside Security Copilot.
Additional products that expand Copilot's capabilities include Entra (identity and access), Intune (endpoint management), Purview (data security), Defender for Cloud (cloud posture), and Azure Firewall (network security). Each product adds plugin capabilities, but none are required for initial setup.
Step 5: Verify Your Tenant
Security Copilot does not support tenant or subscription transfers. If you provision capacity in the wrong tenant, there is no way to move it. Deleting capacity is permanent and irreversible. A wrong-tenant deployment is a write-off. Verify your tenant before provisioning.
In the Azure portal, navigate to Microsoft Entra ID > Overview. Confirm the Tenant ID and Primary domain match your production environment. If your organization has multiple tenants (dev, staging, production), confirm with your Azure administrator which tenant will host Security Copilot. Security Copilot is bound to a single Microsoft Entra ID tenant, and cross-tenant queries are not supported.
Understanding Security Copilot Licensing
Security Copilot is billed through Security Compute Units (SCUs). An SCU is a unit of computing capacity that powers prompt processing, plugin calls, and data retrieval. There are two ways to acquire SCUs.
Standalone SCU Purchase
You provision SCU capacity through the Azure portal or during Security Copilot first-run setup. The minimum is 1 SCU. Each provisioned SCU costs $4 per hour, billed continuously whether or not the capacity is being used. If demand exceeds provisioned capacity, overage SCUs engage at $6 per hour. You set an overage limit during provisioning to control costs.
Running 1 SCU around the clock costs approximately $2,920 per month. Most security operations centers start with 1-3 SCUs and adjust based on actual usage patterns over the first billing cycle.
E5/E7 Auto-Provisioning
Organizations with Microsoft 365 E5 Security or E7 licenses receive 400 SCUs per month for every 1,000 licensed users, up to a maximum of 10,000 SCUs. No Azure subscription is required. The capacity is auto-provisioned to your tenant, and the setup flow skips the Azure provisioning step entirely.
Sources: Microsoft Security Copilot pricing page, Microsoft Learn: capacity management.
What Does an SCU Actually Buy?
The raw numbers ($4/hr, $2,920/month) mean nothing without context. Here is what common security operations actually consume, based on Microsoft's published billing scenarios and community benchmarks.
| Activity | SCU Cost | Dollar Cost (Provisioned Rate) |
|---|---|---|
| Focused prompt — goal, data source, scope, and output format specified | ~1 SCU | ~$4 |
| Incident summary in Defender XDR (embedded feature) | ~0.5 SCU | ~$2 |
| Complex investigation prompt — multi-step reasoning across data sources | ~3 SCU | ~$12 |
| Promptbook execution — saved sequence of queries run together | ~3.7 SCU | ~$15 |
| Vague exploratory prompt — no scope, no format, requires multiple refinements | 5–8 SCU | $20–$32 |
The 5–8x multiplier is real. A vague prompt like "tell me about threats in my environment" forces Copilot to reason broadly, then you refine, then it reasons again. Three interactions doing what one specific prompt would have done. Your prompting discipline directly determines your bill.
Monthly Cost Scenarios for a Security Team
SCU billing is per-hour capacity. If your team's combined activity exceeds provisioned SCUs in any given hour, overage kicks in at $6/SCU. The question is: how many SCUs does your busiest hour consume?
| Team Profile | Typical Activity | Recommended Start | Monthly Cost |
|---|---|---|---|
| Pilot evaluation (1–2 analysts testing Copilot) | 5–10 focused prompts/day, scattered across hours | 1 SCU provisioned, overage unlimited | ~$2,920 + overage spikes |
| Small SOC (3–5 analysts, daily investigations) | 20–40 prompts/day, 2–3 promptbooks, peak hours overlap | 3 SCUs provisioned (Microsoft's recommendation) | ~$8,760/month |
| Enterprise SOC (10+ analysts, autonomous agents active) | 100+ prompts/day, continuous agent processing, promptbooks | 5–10 SCUs provisioned + overage buffer | $14,600–$29,200/month |
| E5/E7 included (1,000 licensed users) | 400 SCU monthly pool — consumption deducted only when used | No provisioning needed | $0 additional (included in E5/E7 license) |
The E5 math changes everything. At $57/user/month for E5 Security, a 1,000-user org pays $57,000/month total and gets 400 SCUs included. A standalone 3-SCU purchase costs $8,760/month with no E5 features. If you are already on E5 or evaluating E7 ($99/user/month), the Security Copilot SCU allocation is a significant bundled benefit — not a separate line item.
Per-task SCU consumption figures from Microsoft Learn: capacity management. Monthly scenarios based on Microsoft's recommended starting configurations. Actual consumption varies by prompt complexity, data volume, and plugin usage.
Managing, Adjusting, and Canceling Capacity
Security Copilot does not offer a pause or suspend option. The minimum is 1 provisioned SCU, billed 24/7. The only way to stop billing entirely is to delete your capacity. This section covers cost estimation, scaling, cancellation, and transitioning to E5 included capacity.
Estimate Your Monthly SCU Cost
Estimates use Microsoft's published rates: $4/SCU/hour for provisioned capacity and $6/SCU/hour for overage.
Need a more detailed estimate? Microsoft's Azure Pricing Calculator includes a Security Copilot estimator that models SCU usage based on your user count and automation plans. It requires a free Azure account to access.
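The hourly billing rules above (provisioned SCUs billed every hour, overage billed only above provisioned capacity, demand beyond the overage limit throttled) can be modelled directly. This is an added example, not Microsoft's calculator or code from the original guide; the per-hour overage limit in SCUs, the exact-amount overage billing and the demand profile are assumptions.

```python
"""Added example: hourly SCU billing model (not Microsoft's calculator)."""
from dataclasses import dataclass

PROVISIONED_RATE = 4.0   # $/SCU/hour, billed every hour whether used or not
OVERAGE_RATE = 6.0       # $/SCU/hour, billed only for demand above provisioned
HOURS_PER_MONTH = 730    # matches the guide's ~$2,920/month for 1 SCU


@dataclass
class Bill:
    provisioned_cost: float
    overage_cost: float
    throttled_scu: float    # demand that could not be served
    throttled_hours: int    # hours in which analysts hit the cap

    @property
    def total(self):
        return self.provisioned_cost + self.overage_cost


def simulate(hourly_demand, provisioned, overage_limit=None):
    """Bill a sequence of per-hour SCU demand.

    overage_limit is the most overage SCUs allowed in one hour (assumption:
    a per-hour SCU cap); None means unlimited, 0 means no overage at all.
    """
    if provisioned < 1:
        raise ValueError("minimum provisioned capacity is 1 SCU")
    overage = throttled = 0.0
    throttled_hours = 0
    for demand in hourly_demand:
        excess = max(0.0, demand - provisioned)
        allowed = excess if overage_limit is None else min(excess, overage_limit)
        overage += allowed
        if excess > allowed:
            throttled += excess - allowed
            throttled_hours += 1
    return Bill(
        provisioned_cost=len(hourly_demand) * provisioned * PROVISIONED_RATE,
        overage_cost=overage * OVERAGE_RATE,
        throttled_scu=throttled,
        throttled_hours=throttled_hours,
    )


def cheapest_provisioning(hourly_demand, max_scus=10):
    """Provisioned SCU count (1..max_scus) with the lowest total cost when
    overage is unlimited, so nothing is throttled."""
    return min(range(1, max_scus + 1),
               key=lambda n: simulate(hourly_demand, n).total)


def monthly_baseline(provisioned):
    """Fixed monthly cost of provisioned capacity before any overage."""
    return provisioned * PROVISIONED_RATE * HOURS_PER_MONTH


# Constructed demand profile for one day (SCUs consumed per hour).
DAY_PROFILE = [0.0] * 8 + [2.0] * 4 + [5.0] * 2 + [2.0] * 4 + [0.5] * 6

if __name__ == "__main__":
    for n, limit in [(1, None), (1, 2), (1, 0), (3, None)]:
        b = simulate(DAY_PROFILE, n, limit)
        print(f"{n} SCU, overage limit {limit}: ${b.total:.0f}/day, "
              f"{b.throttled_scu:g} SCU throttled in {b.throttled_hours} h")
    print("cheapest:", cheapest_provisioning(DAY_PROFILE), "SCU provisioned")
```

Under these rates an extra provisioned SCU is cheaper than overage only if it is busy in more than two-thirds of hours ($4 every hour against $6 in the hours used), which is why the bursty profile is cheapest at 1 SCU while a steady 3-SCU load is cheapest at 3.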
Adjusting or Canceling Your Capacity
Changes to provisioned SCU count take effect within 30 minutes. Make adjustments at the beginning of an hour to avoid paying for a partial hour at both the old and new rate. Billing is calculated in full hourly blocks — if you delete at 9:15, you are billed through 10:00.
To scale down:
- Open Security Copilot > Owner settings
- Select Change under capacity management
- Reduce provisioned SCU count (minimum: 1)
- Optionally reduce overage limit to $0 for hard budget cap

To delete capacity:
- Open Owner settings > Change
- Click the overflow menu (...) next to your capacity
- Select Delete capacity
- Confirm deletion in the dialog

To move to E5/E7 included capacity:
- Purchase Microsoft 365 E5 Security ($57/user/mo) or E7 ($99/user/mo)
- Wait for auto-provisioning (30-day advance notification)
- Receive 400 SCUs/month per 1,000 users (included)
- Keep standalone SCUs running until E5 is fully active
- Contact MS Support to export data, then delete standalone capacity
Transitioning from Standalone SCUs to E5 Included Capacity
If your organization purchases Microsoft 365 E5 Security or E7 while running standalone SCU capacity, the two billing models do not merge automatically. They are independent pools that can run simultaneously. The transition requires deliberate steps in a specific order.
Do not delete your standalone capacity early. Microsoft explicitly warns existing Security Copilot customers not to delete their previously provisioned standalone SCUs before the E5 inclusion is fully activated. There is a gap between being eligible and having access. Deleting too early means losing Security Copilot entirely until auto-provisioning completes.
- Receive the 30-day notification. Microsoft sends advance notice to Global Administrators, Security Admins, Message Center Readers, Purview Compliance Admins, and Intune Admins that E5 inclusion is eligible for your tenant.
- E5 capacity auto-provisions. After the notification period, a separate "Default Security Copilot Capacity" appears in your tenant. This is a monthly pool — 400 SCUs per 1,000 licensed users, capped at 10,000. Only actual consumption is deducted, unlike standalone which bills by the hour whether used or not.
- Run both pools in parallel. Keep your standalone SCUs active during the overlap. Verify the E5 capacity is working by checking the Usage monitoring dashboard for the new default capacity entry. Test prompts against it before decommissioning standalone.
- Contact Microsoft Support for data export. There is no self-service export. If you need to retain investigation data, session history, or custom promptbooks from your standalone deployment, you must open a support ticket before deletion.
- Delete standalone capacity. Once E5 is confirmed active and your data is exported: Owner settings → Change → overflow menu (…) → Delete capacity. This is permanent and irreversible.
Already deleted standalone and wondering about E5? Deleting standalone SCU capacity has no effect on your E5/E7 auto-provisioning eligibility. The two capacity types are completely independent Azure resources. Your E5 license entitlement, tenant configuration, and auto-provisioning timeline are unchanged. If you provisioned standalone capacity by mistake (the onboarding wizard does not check your license type), deleting it simply stops the $4/SCU/hour billing. Your E5 "Default Security Copilot Capacity" will still auto-provision on schedule after the 30-day notification period.
E5 inclusion is a hard cap, not a soft cap. If your team exhausts the monthly SCU allocation, analysts see an error message and cannot submit more prompts until the next hour. There is no automatic overflow into paid overage. Microsoft has stated that pay-as-you-go overage at $6/SCU will become available "at a future date" with 30 days' notice. Until then, exceeding the allocation means throttling, not a bill. If your team regularly hits the cap, keep standalone SCUs provisioned alongside the E5 pool.
What E5 Auto-Provisioning Handles (and What It Does Not)
If your organization holds E5 Security or E7 licenses, the provisioning path is significantly simpler — but not entirely automatic.
| Automatic (no action needed) | Still manual (you configure these) |
|---|---|
| SCU capacity allocation (400/month per 1,000 users, capped at 10,000) | Copilot Owner and Contributor role assignments (Step 2) |
| Azure subscription — not required | Per-user plugin setup — Sentinel workspace, Azure AI Search (Step 3) |
| Provisioning wizard — skips Azure setup steps | Agent configuration and review policies (Step 4) |
| Billing — consumption deducted from monthly pool | Replacing the default "Everyone" group with scoped security groups |
Rollout timing: E5/E7 auto-provisioning is rolling out in phases. Not all tenants have access simultaneously. There is no minimum E5 user count required — all customers with E5 licenses qualify. Microsoft Sentinel customers without E5 do not qualify, even though Sentinel is one of the most prominent Security Copilot integration points. Check the Microsoft Learn Security Copilot documentation for current rollout status.
Transition process and data continuity details from Microsoft Learn: capacity management and Microsoft Learn: Security Copilot onboarding.
Configuration Checklist
Step 1: Provision Capacity
Navigate to securitycopilot.microsoft.com and select Get Started. The provisioning wizard walks you through four decisions.
Workspace Name
This is a tenant-bound environment name. It identifies your Security Copilot instance and cannot be changed after creation. Choose something descriptive for your organization.
Azure Subscription and Resource Group
Select the Azure subscription and resource group where SCU capacity will be provisioned. This determines which Azure billing account is charged. Your account needs Contributor or Owner role on the selected subscription or resource group.
Geo-Location for Prompt Evaluation
Choose the geographic region where your prompts will be processed. This affects data residency. Prompts and responses are processed in the selected region. Choose a region that aligns with your organization's compliance requirements.
SCU Configuration
Set the number of provisioned SCUs (minimum 1) and the overage limit. Provisioned SCUs run at $4/hour whether you are using them or not. The overage limit caps how many additional SCUs can engage at $6/hour during demand spikes. Setting the overage limit to 0 means no overage is permitted, and prompts that exceed provisioned capacity will be queued or throttled.
Cost awareness: 1 provisioned SCU running continuously costs approximately $2,920/month. Start with the minimum and increase after observing your team's actual usage patterns over the first 2-4 weeks.
Step 2: Configure Role Assignments
From the Security Copilot home menu, navigate to Role assignment and select Add members. Security Copilot has its own RBAC system, separate from Microsoft Entra ID roles.
Copilot Owner vs. Copilot Contributor
| Capability | Copilot Owner | Copilot Contributor |
|---|---|---|
| Create sessions | Yes | Yes |
| Run promptbooks | Yes | Yes |
| Upload files | Yes | If allowed by Owner |
| Manage capacity | Yes | No |
| Change settings | Yes | No |
| Custom plugins | Yes | No |
| Usage dashboard | Yes | No |
Best Practice: Replace the Default Group
By default, Security Copilot grants access to Everyone in your tenant. For a security tool, that is too broad. Remove the Everyone group and replace it with Recommended Microsoft Security roles, which scopes access to users who already hold security-relevant Entra ID roles.
Auto-Inheriting Roles
Several Entra ID roles automatically receive Copilot Owner permissions when the user accesses Security Copilot for the first time:
- Global Administrator
- Security Administrator
- Billing Administrator
- Intune Administrator
- Entra Compliance Administrator
For Purview integration, additional roles apply: Purview Compliance Administrator, Data Governance Administrator, and Organization Management.
Key distinction: Copilot RBAC is separate from Entra RBAC. A user with Security Reader in Entra still needs a Copilot role (Owner or Contributor) to access the Security Copilot interface. Both layers must be configured for full access.
Source: Microsoft Learn: Security Copilot roles and authentication.
Step 3: Set Up Plugins
Plugins are how Security Copilot connects to data sources. Click the Sources (plugin) icon in the prompt bar to access the plugin management interface.
Preinstalled Microsoft Plugins
These plugins activate automatically if the corresponding security product is deployed in your tenant. No manual configuration needed for most of them.
| Plugin | Capabilities | Setup |
|---|---|---|
| Defender XDR | Incident investigation, alert triage, threat hunting | Automatic |
| Sentinel | Log analysis, KQL generation, incident correlation | Per-user (workspace + subscription) |
| Entra | Identity risk assessment, Conditional Access analysis | Automatic |
| Intune | Device compliance, policy analysis, troubleshooting | Automatic |
| Purview | Data classification, compliance posture | Automatic |
| Defender for Cloud | Cloud security posture, vulnerability management | Automatic |
| Defender TI | Threat actor profiles, indicator analysis, DNS/WHOIS datasets | Automatic |
| Azure Firewall | Traffic analysis, firewall rule recommendations | Automatic |
| NL to KQL | Natural language to Kusto Query Language translation | Automatic |
| Azure AI Search | Search index queries across your data | Per-user (search index config) |
Third-Party Plugins
Non-Microsoft plugins extend Security Copilot beyond the Microsoft stack. Each has its own authentication — typically an API key configured per user.
| Plugin | What It Does |
|---|---|
| ServiceNow | Synchronizes security incidents with ITSM ticketing |
| Shodan | Internet-facing asset data, open ports, vulnerabilities (free InternetDB or full API key) |
| CrowdSec | Malicious IP activity from global attacker network |
| Splunk | Cross-SIEM searches and alert retrieval |
| CyberArk | Privileged access management context |
| Jamf | Apple endpoint security and device management |
| Censys | External threat intelligence enrichment |
| CheckPhish | URL analysis for phishing, tech support scams, cryptojacking |
| Darktrace | Network anomaly detection and insights |
Custom Plugins
You can upload custom plugin definitions using YAML or JSON files. Custom plugins can be scoped to the uploading user only, or shared across the entire organization. Copilot Owners can restrict custom plugin uploads to Owners only or open them to all users.
Plugin availability control: Copilot Owners can restrict which plugins are available to all users. Navigate to Settings to configure whether plugins are available to Owners only or to all Copilot users. Review this setting before onboarding your team. Restricted plugins also affect embedded experiences — if Defender XDR is restricted, analysts lose Copilot in the Defender portal.
Source: Microsoft Learn: Manage plugins in Security Copilot.
Step 4: Configure Agents
Security Copilot supports autonomous agents that can run security workflows without manual prompting. These agents operate on a trigger-action model: a security event occurs, the agent processes it, takes defined actions, and escalates when conditions fall outside predefined parameters.
Available Microsoft-Built Agents
Microsoft introduced 12 autonomous agents at Ignite 2025, embedded across the security product suite. Over 30 partner-built agents are also available in the Microsoft Security Store.
| Product | Agent | What It Does |
|---|---|---|
| Defender | Phishing Triage | Semantic analysis of emails, URLs, and files to separate true threats from false alarms |
| Defender | Threat Intelligence Briefing | Tailored briefings based on your industry, geo, and attack surface |
| Defender | Dynamic Threat Detection | Surfaces evolving threats by adapting to changing attacker behaviors |
| Defender | Security Analyst | Multi-step investigations across Defender and Sentinel telemetry |
| Defender | Threat-Hunting | Natural language threat hunting with KQL generation and visualizations |
| Entra | Conditional Access Optimization | Detects gaps in zero-trust policies, recommends one-click remediations |
| Entra | Identity Risk Management | Investigates and remediates risky users |
| Entra | App Lifecycle Management | Discovery, onboarding, monitoring of enterprise applications |
| Entra | Access Review | Streamlines permission reviews, flags unusual access patterns |
| Intune | Policy Configuration | Translates natural language requirements into device policies |
| Intune | Change Review | Analyzes change requests for risks and compliance before deployment |
| Intune | Device Offboarding | Identifies inactive devices and provides secure offboarding workflow |
| Purview | Data Security Triage | Triages DLP and insider risk alerts, initiates remediation with data owners |
| Purview | Data Security Posture | Discovers exposed sensitive data, recommends label updates |
Enabling and Configuring Agents
Copilot Owners enable or disable agent capabilities through the Security Copilot interface. For each agent workflow, set whether the agent acts autonomously or requires human review before execution. High-risk actions (isolating endpoints, blocking network traffic) should require explicit approval. Lower-risk actions (gathering context on an alert, enriching threat data) can run without intervention.
Agent SCU Consumption
All agent usage consumes SCUs dynamically based on computational effort. The Usage Monitoring dashboard includes a dedicated Agent category to distinguish autonomous agent activity from manual prompts and promptbooks. On E5, agent SCU consumption counts against your included allocation. Partner-built agents may require separate licensing from the partner, but the SCU costs are included in your capacity.
Start conservative: Enable agents for read-only operations first (data gathering, alert enrichment). Expand to write operations (isolation, blocking) only after validating agent accuracy against your team's existing runbooks. Monitor the Agent category in the usage dashboard to understand consumption patterns before scaling up.
Step 5: Verify and Test
Before onboarding your security team, validate that the configuration is working correctly across three dimensions.
Run Your First Prompt
Open the Security Copilot prompt bar and submit a test query against a product you have configured. Examples:
- "Show me the 5 most recent high-severity incidents from Defender XDR"
- "Summarize the sign-in risk events for the past 24 hours from Entra"
- "List active Sentinel analytics rules with high severity"
If the prompt returns data, the plugin connection is working. If it returns an error or empty results, check the plugin configuration (correct workspace name, subscription, and that the signed-in user has the required product-specific RBAC role).
Validate Plugin Connectivity
Test each configured plugin individually. A successful first prompt against one plugin does not confirm that all plugins are correctly wired. Sentinel, Entra, Defender XDR, Intune, and any third-party plugins each have independent authentication and configuration requirements.
Check SCU Consumption
Navigate to the Usage dashboard (available to Copilot Owners). Confirm that your test prompts registered SCU consumption. This validates that capacity is provisioned and billing is active. Review the consumption rate to estimate how your team's actual usage will compare to provisioned capacity.
Pre-Onboarding Verification Checklist
Run through this before inviting your team. Every item should pass before you assign Copilot Contributor roles to analysts.
| Check | How to Verify | What Breaks If Skipped |
|---|---|---|
| Test prompt returns data | Submit a Defender/Sentinel/Entra query in the prompt bar | Analysts get empty results and lose confidence in the tool |
| Each plugin works independently | Test one prompt per enabled plugin | Silent failures — one plugin works, others don't |
| SCU consumption registers | Usage dashboard shows entries for test prompts | Capacity may not be provisioned; billing may not be active |
| "Everyone" group replaced | Role assignments show a scoped security group, not Everyone | Every user in the tenant can access Security Copilot |
| Overage limit configured | Owner settings shows a defined overage cap (or $0 for hard limit) | Unexpected overage charges at $6/SCU/hour during peak usage |
| Agent policies set | High-risk agent actions require human review; read-only agents enabled | Agents take autonomous actions without oversight |
Prompt discipline matters from day one. A well-structured prompt (goal, data source, scope, output format) costs ~1 SCU. A vague prompt can cost 5–8 SCU for the same result. Share the 4-element prompt format with your team before they start: goal, data source, scope, and output format. Your bill depends on it.
Security and Compliance Considerations
On-Behalf-Of Authentication
Security Copilot uses On-Behalf-Of (OBO) authentication. This means the system inherits the signed-in user's access scope across all connected Microsoft security products. If a user has Sentinel Reader access, Copilot queries Sentinel with Sentinel Reader permissions. If they have no Sentinel role, Copilot cannot query Sentinel data on their behalf.
The implication: a Copilot Contributor role alone does not grant access to underlying security data. Users need product-specific RBAC in addition to their Copilot role. Assign the minimum necessary product roles based on each analyst's operational scope.
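The two access layers described here, together with the inherited Copilot Owner roles and the default Everyone group from the role assignment step, can be audited in one pass. This is an added example, not Microsoft tooling or code from the original guide; the `User` record shape, the sample tenant, the group name and the finding codes are hypothetical.

```python
"""Added example: audit who ends up with Security Copilot access."""
from dataclasses import dataclass, field

# Entra and Purview roles the guide lists as inheriting Copilot Owner.
OWNER_INHERITING_ROLES = frozenset({
    "Global Administrator", "Security Administrator", "Billing Administrator",
    "Intune Administrator", "Entra Compliance Administrator",
    "Purview Compliance Administrator",
    "Purview Data Governance Administrator", "Purview Organization Management",
})


@dataclass
class User:  # hypothetical record shape, not a Microsoft export format
    upn: str
    entra_roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    product_roles: dict = field(default_factory=dict)  # product -> role name


def copilot_role(user, assignments):
    """Return (role, via): the strongest Copilot role and where it comes from.

    assignments is a list of (principal, role) pairs, where principal is a
    UPN, a group name, or the built-in "Everyone".
    """
    contributor_via = None
    for principal, role in assignments:
        if principal in ({user.upn, "Everyone"} | user.groups):
            if role == "Owner":
                return "Owner", f"assigned to {principal}"
            contributor_via = f"assigned to {principal}"
    inherited = sorted(user.entra_roles & OWNER_INHERITING_ROLES)
    if inherited:
        return "Owner", f"inherited from {inherited[0]}"
    return ("Contributor", contributor_via) if contributor_via else (None, None)


def can_query(user, product, assignments):
    """Both layers must hold: a Copilot role, and (because of OBO) the
    user's own role in the product being queried."""
    has_copilot_role = copilot_role(user, assignments)[0] is not None
    return has_copilot_role and product in user.product_roles


def audit(users, assignments):
    """Return (code, subject, detail) findings for review."""
    findings = []
    if any(principal == "Everyone" for principal, _ in assignments):
        findings.append(("EVERYONE_GROUP", "Everyone",
                         "every user in the tenant can open Security Copilot"))
    for user in users:
        role, via = copilot_role(user, assignments)
        if role == "Owner" and via.startswith("inherited"):
            findings.append(("INHERITED_OWNER", user.upn, via))
        elif role == "Contributor" and not user.product_roles:
            findings.append(("NO_PRODUCT_RBAC", user.upn,
                             "Copilot role but no product role to query with"))
    return findings


# Constructed sample tenant.
USERS = [
    User("alice@contoso.example", entra_roles={"Security Administrator"},
         product_roles={"Sentinel": "Contributor"}),
    User("bob@contoso.example", groups={"SOC-Analysts"},
         product_roles={"Sentinel": "Reader"}),
    User("carol@contoso.example"),
    User("dave@contoso.example", entra_roles={"Security Reader"},
         product_roles={"Defender XDR": "Security Reader"}),
]
DEFAULT = [("Everyone", "Contributor"), ("SOC-Analysts", "Contributor")]
SCOPED = [("SOC-Analysts", "Contributor")]

if __name__ == "__main__":
    for name, assignments in [("default", DEFAULT), ("scoped", SCOPED)]:
        print(name)
        for finding in audit(USERS, assignments):
            print("  ", *finding, sep=" | ")
```

With the Everyone assignment removed, the Security Reader in the sample loses Copilot access even though the product role is still in place, while the Security Administrator remains an Owner by inheritance.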
Audit Logging
Security Copilot logs session activity and prompt history. Copilot Owners can access the usage dashboard for consumption metrics. For deeper audit requirements, connect Security Copilot telemetry to Microsoft Sentinel or a third-party SIEM to correlate Copilot activity with your broader security monitoring.
Source: Microsoft Learn: Security Copilot roles and authentication.
Frequently Asked Questions
Provisioned SCUs cost $4 per SCU per hour. Overage SCUs cost $6 per SCU per hour. Running 1 SCU continuously costs approximately $2,920 per month. E5/E7 Security customers receive 400 SCUs per month per 1,000 licensed users at no additional charge and do not need an Azure subscription.
For standalone Security Copilot, yes. An Azure subscription is required to provision SCU capacity. For organizations with E5 or E7 Security licenses, no Azure subscription is needed because capacity is auto-provisioned to the tenant.
Copilot Owner has full control: capacity management, settings, custom plugins, and usage dashboard access. Copilot Contributor can create sessions, run promptbooks, and upload files if permitted by an Owner. Both roles are separate from Entra RBAC; users need both a Copilot role and product-specific RBAC for full data access.
Security Copilot uses On-Behalf-Of authentication, meaning it inherits the signed-in user's access permissions. Users need product-specific RBAC (like Sentinel Reader or Intune Endpoint Security Manager) in addition to their Copilot role. A Copilot Contributor role alone does not grant access to underlying security data.
Yes. Non-Microsoft plugins include ServiceNow, Jamf, CyberArk, Shodan, CrowdSec, Splunk, Censys, CheckPhish, and Darktrace. Over 30 partner-built agents are also available in the Microsoft Security Store. Custom plugins can be uploaded using YAML or JSON definitions, scoped to individual users or the entire organization.
There is no pause or suspend option. To stop billing, delete your capacity: Owner settings → Change → overflow menu (…) → Delete capacity. This is permanent — all data is destroyed. Contact Microsoft Support to export data first. Billing stops at the end of the current hourly block. You need at minimum the Security Administrator role.
The two capacity models are independent — they do not merge. After purchasing E5, wait for the 30-day auto-provisioning notification. Do not delete standalone capacity before E5 is fully active. Once confirmed, contact Microsoft Support to export data, then delete standalone. Deleting standalone has no effect on E5 eligibility.