
👋 Introduction ​
Now that Security Copilot has been activated for M365 E5 licenses, more and more organizations are getting access to the great functions hiding behind this AI tool.

In this article I will explain what Microsoft's Security Copilot actually is and how you can get started with it.
What is Microsoft Security Copilot? ​
Security Copilot is an AI-powered assistant that uses natural language to help IT with threat hunting, incident response, security posture or even managing their environment. It works as a standalone tool or integrates with Microsoft and third-party solutions. By combining OpenAI architecture with specialized plugins, global intelligence and organization-specific data, it delivers fast, highly contextual visibility into threats.
Integrated with Security Copilot:
- Microsoft Sentinel
- Microsoft Defender
- Microsoft Intune
- Microsoft Entra
- Microsoft Purview
- Microsoft Defender for Cloud
Use Cases ​
The platform is designed to simplify several critical IT and security tasks:
- Incident Response: Summarizes complex alerts and provides step-by-step guidance to fix threats quickly.
- Technical Support: Converts natural language into database queries (KQL) and explains suspicious scripts, reducing the need for manual coding.
- Posture & Risk Management: Identifies environmental risks to improve overall security and simplifies the creation and management of security policies.
- IT Troubleshooting & Workflows: Speeds up tech issue resolution and provides step-by-step guidance for setting up secure user workflows.
- Reporting & Customization: Generates clear, executive-ready reports for stakeholders and allows developers to build custom agents for the platform.
How Security Copilot Works ​
Security Copilot operates through a specialized workflow that combines language models with secure, real-time data:
- User Input: A user submits a prompt (question or command) or triggers an agent.
- Grounding (Preprocessing): The system refines the prompt using internal plugins to ensure the context is highly specific to the organization before sending it to the AI language model.
- Post-processing: The system reviews the language model's response and enriches it with additional threat intelligence and event logs.
- Final Output: The user receives an actionable, context-aware response based directly on their organization's data. When an agent is used, it leverages the available data to fulfill its purpose, either by executing a specific command or by combining that data with additional information and then providing feedback or results to the user.

Pricing:
Security Copilot uses an SCU (Security Compute Unit) per-hour model. You can provision SCUs at a lower price (provisioned) or use pay-as-you-go SCUs (overage) at a higher price.
That means that everything you do with Security Copilot consumes credits. The more compute power your chat request or agent needs, the more credits it costs. Once your provisioned SCUs are consumed, you pay a bit more for every additional credit with pay-as-you-go.
| SKU | Meter type | Price |
|---|---|---|
| Provisioned | 1 SCU/Hour | 4 $ |
| Overage | 1 SCU/Hour | 6 $ |
INFO
Microsoft 365 E5 included capacity provides 400 SCUs per month per 1,000 E5 licenses.
Unused SCUs don't roll over to the next month!
Experience ​
Set up a capacity ​
To get started with Security Copilot, open the Security Copilot portal.
If you don't have an E5 license you first need to provision a Security Copilot capacity.
Example Capacities
| Scenario | Provisioned SCUs | Overage SCUs | Rationale |
|---|---|---|---|
| SOC operations (24/7) | 10 | 5 | High baseline for continuous threat hunting; overage handles incident surges |
| Compliance audits (periodic) | 5 | 3 | Moderate baseline for ongoing monitoring; overage for quarterly audit peaks |
| Sandbox testing (intermittent) | 2 | 1 | Low baseline for experimentation; minimal overage for POC demonstrations |

- Select your Subscription, Resource Group, Name, Prompt locations and Capacity region.

- Select how many SCUs you want to provision.

- Select if you want Microsoft to collect a bit of data.

- Confirm the information that the Enterprise Copilot uses your company data to get context (the data stays in your estate). Then decide if you want Microsoft Purview to be able to check data from your Security Copilot (for Information protection, for example).


- Lastly, you can choose to add more roles that can access Security Copilot (Global Administrator and Security Administrator are automatically owners for Security Copilot Workspaces).

- After that you are done with the provisioning.

First Start ​
- In the portal you get a welcome screen where you can select to start assigning access, view usage data or discover pre-built agents.

- When selecting Assign access and roles (the actual blade is called Role assignments), you can add users, groups or roles as Owner or Contributor.
  To be an Owner, you also need at least the Azure Contributor role in Entra ID.
- When selecting View usage and capacity (the actual blade is called Usage monitoring), you get an overview of all Security Copilot activity happening in your tenant and how many units were actually used for each agent run or admin query. Additionally, you can add new capacities here by clicking ➕ New capacity. This works the same way as described above (see Set up a capacity).
- Selecting the third option, Discover and set up agents, brings you directly to the Security Store, where you can find and provision third-party and Microsoft-owned agents for Security Copilot.
Agents ​
- A better way to find and provision Microsoft's own agents comes up as soon as you close the welcome screen.
After that, you start directly in the Agents blade, where you can see all your current in-use Agents and underneath that, all available Microsoft Agents.
INFO
Security Copilot Agents are AI-powered systems designed to act on behalf of someone or something else to execute and orchestrate security related tasks.
- These can be set up with just a few clicks by clicking Set up.

Promptbooks ​
- Additional Security Copilot blades are Promptbooks, Build, History, Owner and the previously mentioned Security Store.

- Promptbooks are prebuilt sequences of prompts to handle specific security tasks. These workflows are curated by Microsoft to help with incident response or investigations.

- To get started with a promptbook, click Get started on the corresponding tile and enter the prerequisite information.
- Before you click Submit, you can also add additional custom prompts to the promptbook.
- After starting the workflow, Copilot will do its thing and you can follow the different steps it takes and explore the reasoning behind them. In addition, you can interject additional prompts into Copilot, even when it's already running.
- In the end you will get a summary, in this case a threat actor profile about Midnight Blizzard.
Build ​
In the Build blade (still in preview as of June 2026), you can create your own security agents and see the ones you already created.

To create your own agent, you have different possibilities:
- Describe the agent you want in natural language to the AI and let the agent be built for you.
- Start from scratch and create everything yourself.
- Import a YAML file with the necessary information for an agent.



History ​
In the History section you can simply see and view past prompt sessions and their results.
Owner settings ​
Owner settings
In the Owner settings blade, you can configure the following options:
- Workspaces for Microsoft Security Copilot agents: Here you can set up which workspace, and with that which capacity, should be used for Security Copilot usage in specific portals.
- Help improve Copilot: You can allow Microsoft to capture data to improve Security Copilot.
- Logging audit data in Microsoft Purview: Decide if you want Microsoft Purview to be able to check data from your Security Copilot.
- Files: Choose who can upload files. (Everyone or no one)

Plugin settings
In the Plugin settings blade, you can configure the following options:
- Control whether contributors can add custom plugins for their sessions
- Control whether contributors can publish custom plugins for everyone in the organization


Role assignments
Security Copilot acts on your behalf when accessing security data. Security Copilot roles grant access to the Security Copilot platform, while Entra and Azure RBAC determine available plugin access. Your Copilot role defines what actions you can perform on the platform itself.
Security Copilot RBAC roles are separate from Entra or Azure roles. They are defined and managed within Copilot and only grant access to Security Copilot features.
| Role Type | Example Role | Scope | Required For |
|---|---|---|---|
| Security Copilot | Owner | Per workspace | Configure workspace settings, assign roles |
| Security Copilot | Contributor | Per workspace | Use Security Copilot features |
| Microsoft Entra | Security Administrator | Tenant | Create workspaces, enable audit logging |
| Azure RBAC | Owner or Contributor | Subscription/Resource Group | Configure capacity resources |

Manage workspaces
Organizations create Security Copilot workspaces to separate teams, compliance or operations. Each workspace is a tenant-scoped environment with its own history, capacity, roles, and settings. Using multiple workspaces gives each team dedicated resources and independent configuration, unlike a single shared workspace.

In the Manage workspaces blade, you can see your configured workspaces, their capacity and their users.
You can add additional workspaces by selecting Workspaces in the top right corner of your window and clicking ➕ New workspace.

After that you can select the capacity (or create a new one), the data storage region for the new workspace and if you want to allow Microsoft to capture data for this workspace.

Usage monitoring
The Usage monitoring dashboard shows you how many SCUs you have used and for what. This will help you keep track of the overall usage in your different workspaces and help you plan your capacity better. The data goes back 90 days.

Approaching and exceeding the SCU limit
When usage nears the provisioned capacity limit, you will see a notification after submitting a prompt or in the Security Copilot portal.
When SCU limits are exceeded, Copilot will stop responding until the capacity refreshes or an owner increases SCUs.
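
The pricing model and the limit behaviour described above can be checked against your own usage before you settle on a capacity. The following Python code is an added example, not code from Microsoft or from this article's tooling. It assumes hourly SCU demand figures taken by hand from Usage monitoring, that provisioned SCUs are billed every hour whether used or not, and that demand above provisioned plus the overage cap is not served; the function names and the sample day are constructed for illustration.

```python
from dataclasses import dataclass

# Prices per SCU-hour from the pricing table on this page.
PROVISIONED_RATE = 4.0
OVERAGE_RATE = 6.0


@dataclass
class Plan:
    provisioned: int      # SCUs billed every hour (assumed: used or not)
    overage_cap: int      # extra SCUs allowed per hour, billed when consumed
    cost: float           # total $ over the sampled hours
    throttled_hours: int  # hours where demand exceeded provisioned + cap


def evaluate(usage, provisioned, overage_cap):
    """Cost and throttled hours for one capacity setting."""
    cost, throttled = 0.0, 0
    for demand in usage:
        cost += provisioned * PROVISIONED_RATE
        extra = max(0, demand - provisioned)
        cost += min(extra, overage_cap) * OVERAGE_RATE
        if extra > overage_cap:  # limit exceeded: Copilot stops responding
            throttled += 1
    return Plan(provisioned, overage_cap, round(cost, 2), throttled)


def cheapest_plan(usage, overage_cap, max_provisioned=20):
    """Cheapest provisioned count (starting at 1) with no throttled hour, else None."""
    plans = [evaluate(usage, p, overage_cap) for p in range(1, max_provisioned + 1)]
    ok = [p for p in plans if p.throttled_hours == 0]
    return min(ok, key=lambda p: (p.cost, p.provisioned)) if ok else None


# Constructed sample: hourly SCU demand for one day with an incident surge.
SAMPLE_DAY = [2] * 8 + [4] * 6 + [12, 14, 9] + [3] * 7

if __name__ == "__main__":
    print(evaluate(SAMPLE_DAY, 10, 5))  # "SOC operations (24/7)" row
    print(evaluate(SAMPLE_DAY, 2, 1))   # "Sandbox testing" row
    print(cheapest_plan(SAMPLE_DAY, overage_cap=5))
```

At $4 against $6, an extra provisioned SCU only pays for itself when it is used in more than two thirds of the hours, which is why the cheapest setting without throttling on this sample day sits below the surge peak and lets overage absorb the rest.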
💡 Conclusion ​
Security Copilot is a practical way to make security and IT administration faster, more guided, and easier to scale across Microsoft 365. With its built-in agents, promptbooks, and deep integration with Microsoft Defender, Sentinel, Entra, Intune, and Purview, it can help teams investigate threats, streamline workflows and act on insights more quickly.
So if you get the included capacity in your M365 E5 license, I would recommend giving it a try to see how it can make your daily work easier.