Understand authentication in Microsoft Copilot for Security
Copilot uses on-behalf-of authentication to access security-related data through active Microsoft plugins. Specific Copilot for Security roles must be assigned in order for a group or individual to access the Copilot for Security platform. After you're authenticated to the platform, your data access determines what plugins are available in prompts. Your role controls what other activities you have access to, such as configuring settings, assigning permissions, and performing tasks.
Copilot for Security roles are not Entra roles. They're defined and managed within Copilot and only grant access to Copilot for Security features.
Microsoft Entra roles grant access to multiple products across the Microsoft portfolio of products. These roles are managed through the Microsoft Entra admin center. For more information, see Assign Microsoft Entra roles to users.
Azure IAM roles control access to Azure resources like Security Capacity Units (SCU) in a resource group as part of a subscription. For more information, see Assign Azure roles.
Access Copilot for Security platform
After Copilot for Security is onboarded for your organization, the following roles determine a user's access to the Copilot for Security platform.
Copilot for Security roles
Copilot for Security introduces two roles that function like access groups but aren't Microsoft Entra ID roles. Instead, they only control access to the capabilities of the Copilot for Security platform.
- Copilot owner
- Copilot contributor
By default, all users in the Microsoft Entra tenant are given Copilot contributor access.
Microsoft Entra roles
The following Microsoft Entra roles automatically inherit Copilot owner access.
- Security Administrator
- Global Administrator
Access the capabilities of Microsoft plugins
Copilot for Security doesn't go beyond the access you have. Each Microsoft plugin has its own role requirements for calling the plugin's service and its data. Verify that you have the proper service roles and licenses assigned to use the capabilities of the Microsoft plugins that are activated.
Consider these examples:
Copilot contributor
As an analyst, you're assigned Copilot contributor access, which gives you access to the Copilot platform with the ability to create sessions. Following the least privilege model, you don't have any Microsoft Entra roles like Security Administrator. However, in order to utilize the Microsoft Sentinel plugin, you still need an appropriate role like Microsoft Sentinel Reader for Copilot to access incidents in the Microsoft Sentinel workspace. You need another service-specific role like the Endpoint Security Manager for Copilot to access the devices, privileges, policies, and postures available through the Intune plugin. For Microsoft Defender XDR, you're assigned a custom role that gives you access to the embedded Copilot for Security experience and Copilot access to Microsoft Defender XDR data.
For more information on Defender XDR custom roles, see Microsoft Defender XDR Unified RBAC.
Microsoft Entra security group
Although the Security Administrator role inherits access to Copilot and certain plugin capabilities, this role includes
permissions. Assigning this role purely for Copilot access isn't recommended. Instead, create a security group and add that group to the appropriate Copilot role (Owner or Contributor).For more information, see Best practices for Microsoft Entra roles.
Access embedded experiences
In addition to the Copilot contributor role, verify the requirements for each Copilot for Security embedded experience to understand what extra roles and licenses are required.
For more information, see Copilot for Security experiences.
Shared sessions
Copilot contributor role is the only requirement for sharing a session link or viewing it from that tenant.
When you share a session link, consider these access implications:
- Copilot for Security needs to access a plugin's service and data to generate a response, but that same access isn't evaluated when viewing the shared session. For example, if you have access to devices and policies in Intune, and the Intune plugin is utilized to generate a response that you share, the recipient of the shared session link doesn't need Intune access to view the full results of the session.
- A shared session contains all the prompts and responses included in the session, whether it was shared after the first prompt or the last.
- Only the user that creates a session controls which Copilot users can access that session. If you receive a link for a shared session from the session creator, you have access. If you forward that link to someone else, it doesn't grant them access.
- Shared sessions are read-only.
- Sessions can only be shared with users in the same tenant that have access to Copilot.
- Some regions don't support session sharing via email.
SouthAfricaNorthUAENorth
For more information on shared sessions, see Navigating Copilot for Security.
Assign roles
The following table illustrates the default access granted to starting roles.
Note
By default, Everyone has Copilot contributor access. Consider replacing this broad access with specific users or groups.
| Capability | Copilot owner | Copilot contributor |
|---|---|---|
| Create sessions | Yes | Yes |
| Manage personal custom plugins | Yes | Default No |
| Allow contributors to manage personal custom plugins | Yes | No |
| Allow contributors to publish custom plugins for the tenant | Yes | No |
| Upload files | Yes | Yes |
| Run promptbooks | Yes | Yes |
| Manage personal promptbooks | Yes | Yes |
| Share promptbooks with tenant | Yes | Yes |
| Update data sharing and feedback options | Yes | No |
| Capacity management | Yes* | No |
| View usage dashboard | Yes | No |
| Select language | Yes | Yes |
Assign Copilot for Security access
Assign Copilot roles within Copilot for Security settings.
- Select the
home menu. - Select Role assignment > Add members.
- Start typing the name of the person or group in the Add members dialog box.
- Select the person or group.
- Select the Copilot for Security role to assign (Copilot owner or Copilot contributor).
- Select Add.
Tip
We recommend using security groups to assign Copilot for Security roles instead of individual users. This reduces administrative complexity.
Global Administrator and Security Administrator roles can't be removed from Owner access, but the Everyone group is removable from Contributor access. It's also a valid group to add back if you want to.
Entra role membership is only manageable from the Microsoft Entra admin center. For more information, see Manage Microsoft Entra user roles.
Multitenant
If your organization has multiple tenants, Copilot for Security can accommodate authentication across them to access security data where Copilot for Security is provisioned. The tenant that is provisioned for Copilot for Security doesn't need to be the tenant that your security analyst logs in from. For more information, see Navigating Copilot for Security tenant switching.
Cross tenant sign-in example
Contoso recently merged with Fabrikam. Both tenants have security analysts, but only Contoso purchased and provisioned Copilot for Security. Angus MacGregor, an analyst from Fabrikam wants to use their Fabrikam credential to use Copilot for Security. Here are the steps to accomplish this access:
Ensure Angus MacGregor's Fabrikam account has an external member account in the Contoso tenant.
Assign the external member account the necessary roles to access Copilot for Security and the desired Microsoft plugins.
Sign in to the Copilot for Security portal with the Fabrikam account.
Switch tenants to Contoso.
For more information, see Grant MSSP access.