Understand authentication in Security Copilot

Security Copilot uses on-behalf-of authentication to access security-related data through active Microsoft plugins. Specific Microsoft Entra roles must be assigned before a group or individual can access the Security Copilot platform. Once you're logged into the portal, your access determines which plugins are available to use.

Important

The information in this article only applies to the Microsoft Security Copilot Early Access Program, an invite-only paid preview program for commercial customers. Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Access Security Copilot portal

Review the roles that provide access to the Security Copilot portal and its features. For more information, see Assign roles.

Role and access

Global administrator (also referred to as global admins)

As a best practice, limit the number of global administrators. Global admins can perform all kinds of tasks. The person who signed up your organization for Microsoft Security Copilot is a global administrator by default.

Global admins have access to the following administrative and session-creation functionalities:

- Run prompts
- Run promptbooks
- Manage plugins
- Configure settings
- Opt in to or opt out of product improvements and model improvements

Global reader

The Global reader role is the read-only version of the Global administrator role. Users in this role can read settings and administrative information but can't take management actions.

This role has access to the following functionalities:

- Run prompts
- Run promptbooks

Security administrator

Security administrators have access to the following administrative and session-creation functionalities:

- Run prompts
- Run promptbooks
- Manage plugins
- Configure settings
- Opt in to or opt out of product improvements and model improvements

Security operator or Security reader

Security operators and security readers have access to session-creation functionality, such as asking questions and invoking prompts.

These roles have access to the following functionalities:

- Run prompts
- Run promptbooks

Access the capabilities of Microsoft plugins

Security Copilot doesn't go beyond the access you have. Each Microsoft plugin has its own role requirements for accessing the service and data it represents. Verify you have the proper roles assigned in order to use the capabilities of the Microsoft plugins activated.

Consider these examples:

  1. Security Reader

    As an analyst, I've been assigned the Security Reader role, which gives me access to the Security Copilot portal and follows the least-privilege model. However, to use the Microsoft Sentinel plugin, I still need an appropriate service role such as Microsoft Sentinel Reader to access incidents in the workspace. I need another service-specific role, such as Intune Endpoint Security Manager, to access the devices, privileges, policies, and postures available through the Intune plugin. The cross-service Security Reader role already provides access to the capabilities of the Microsoft Entra ID and Microsoft Defender XDR plugins.

  2. Global reader

    Assigning the Global Reader role is a quick way to give a user access to Security Copilot and all the capabilities of the Microsoft plugins. However, this role includes more permissions and roles than Security Copilot alone requires.

    For more information on best practices, see Privileged roles and permissions.
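The check the examples above call for, as an added script that is not part of the article: it lists who holds the Entra directory roles that grant portal access (surfacing the global administrator count the best practice above asks you to limit) and reports the portal-granting roles a single account holds, which also covers step 2 of the cross-tenant scenario later on the page. It assumes the Microsoft Graph PowerShell SDK and reads only active directory-role assignments; `Get-CopilotPortalRoleHolders`, `Test-CopilotPortalAccess` and the `$portalRoles` list are names introduced here.

```powershell
# Added example, not from the article: audit which Entra directory roles that grant
# Security Copilot portal access are held in the tenant, and check one user's roles.
# Assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account can
# consent to the scopes below. Only active directory-role assignments are read: PIM-eligible
# assignments and the service-specific roles that individual plugins also require
# (for example Microsoft Sentinel Reader for the Sentinel plugin) are out of scope.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Directory roles the article lists as granting access to the Security Copilot portal.
$portalRoles = @('Global Administrator', 'Global Reader', 'Security Administrator',
                 'Security Operator', 'Security Reader')

function Get-CopilotPortalRoleHolders {
    foreach ($roleName in $portalRoles) {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
        if (-not $def) { continue }
        $assignments = Get-MgRoleManagementDirectoryRoleAssignment -All -Filter "roleDefinitionId eq '$($def.Id)'"
        foreach ($a in $assignments) {
            $p = Get-MgDirectoryObjectById -Ids $a.PrincipalId   # user, group or application
            [pscustomobject]@{
                Role      = $roleName
                Principal = $p.AdditionalProperties['displayName']
                Type      = $p.AdditionalProperties['@odata.type']
                Scope     = $a.DirectoryScopeId   # '/' means tenant-wide
            }
        }
    }
}

function Test-CopilotPortalAccess {
    # Report which portal-granting roles a user holds, directly or through group membership.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, DisplayName, UserType
    $held = Get-MgUserTransitiveMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] } |
        Where-Object { $portalRoles -contains $_ }
    [pscustomobject]@{
        User        = $user.DisplayName
        UserType    = $user.UserType      # an external member account shows as 'Member'
        PortalRoles = @($held)
        HasAccess   = @($held).Count -gt 0
    }
}

$holders = Get-CopilotPortalRoleHolders
$holders | Sort-Object Role, Principal | Format-Table -AutoSize
# The article recommends limiting global administrators, so surface that count explicitly.
"Global Administrator assignments: $(@($holders | Where-Object Role -eq 'Global Administrator').Count)"
Test-CopilotPortalAccess -UserPrincipalName '<user-principal-name>'   # placeholder: account to verify
```

A user who shows HasAccess but lacks the service-specific role for a plugin (for example Microsoft Sentinel Reader) can open the portal but still cannot use that plugin's capabilities.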

Access other plugins

Other plugins available to Security Copilot, like ServiceNow, require additional setup. The setup includes authentication. The type of authentication required is determined by the plugin provider.

Access websites

The website plugins are all accessed using anonymous authentication.

Shared sessions

Access to your tenant's Security Copilot portal is the only role required to view a shared session link from that tenant.

Keep in mind two important considerations when you share a session link.

  1. Security Copilot needs to access a plugin's service and data to generate a response, but that same access is not evaluated when someone views the shared session. For example, if you have access to devices and policies in Intune, and the Intune plugin is used to generate a response you share, the recipient of the shared session link doesn't need Intune access to view the full results of the session.
  2. A shared session contains all the prompts and responses included in the session, whether it was shared after the first prompt, or the last.

Multi-tenant

If your organization has multiple tenants, Security Copilot can accommodate authentication across them to access security data where Security Copilot is provisioned. The tenant that is provisioned for Security Copilot does not need to be the tenant your security analyst logs in from. For more information, see Navigating Security Copilot tenant switching.

Cross tenant login example

Contoso has recently merged with Fabrikam. Both tenants have security analysts, but only Contoso purchased and provisioned Security Copilot. Angus MacGregor, an analyst from Fabrikam, wants to use his Fabrikam credential to use Security Copilot. Here are the steps to accomplish this access:

  1. Ensure Angus MacGregor's Fabrikam account has an external member account in the Contoso tenant.

  2. Assign the external member account the necessary roles to access Security Copilot and the desired Microsoft plugins.

  3. Log into the Security Copilot portal with the Fabrikam account.

  4. Switch tenants to Contoso.

    [Screenshot: Fabrikam account switched to the Contoso tenant.]