Domain 3 of 4 · Chapter 5 of 5

Implement and Use Microsoft Security Copilot

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Certified: Security Operations Analyst Associate premium course — no separate purchase.

Included in this chapter:

  • How Copilot reaches your data: plugins, files, and OBO
  • Connectors and custom plugins: extending Copilot
  • Promptbooks: built-in, custom, and how they run
  • Roles, permissions, capacity, and cost
  • Identify threats and investigate incidents with Copilot
  • Exam-pattern recognition

Security Copilot capabilities and the role plus permission each needs

CapabilityCopilot role neededExtra requirement
Create a session and promptContributor or ownerProduct RBAC for any plugin data you query
Run a built-in or shared promptbookContributor or ownerThe plugin and role the promptbook's prompts use
Author and publish a promptbook to the tenantContributor or ownerNone beyond session access
Add a personal custom pluginContributor (if owner allows) or ownerOwner must enable contributor plugin management
Restrict or publish plugins for the tenantOwnerNone
Manage capacity (provision or delete SCUs)OwnerAzure Contributor or Owner on the capacity, plus Security Administrator to delete
View the usage monitoring dashboardOwnerNone

Decision tree

Analyst gets no data back?missing results, not an errorGrant product RBACe.g. Sentinel Reader (OBO)YesRepeatable investigation?same steps every timeNoPromptbookbuilt-in or custom, input-drivenYesOne product or many?scope of the sessionNoEmbedded panelDefender portal: summarize,guided responseOne productStandalone portalchain plugins across productsManyBuild a custom pluginOpenAPI / OpenAI / KQL / Logic Appoutside dataOwner-only: control plugin availability,manage capacity (SCUs), read the usage dashboardcontributor role never sets these

Cheat sheet

  • Security Copilot authenticates on-behalf-of the user, so a Copilot role never grants data
  • Security Copilot has exactly two roles, owner and contributor, and they are not Entra roles
  • Security Copilot always keeps at least two owners
  • Do not assign a privileged Entra role just for Copilot access; use a security group
  • Capacity is measured in Security Compute Units, provisioned at a minimum of one SCU
  • Provisioned SCUs bill by the whole hour; overage bills to one decimal of actual use
  • Only owners read the usage monitoring dashboard, which holds 90 days of session data
  • Provisioning capacity needs an Azure role plus Security Administrator; deleting it is permanent
  • A promptbook is a saved sequence of prompts where each builds on the last
  • Match the built-in promptbook to its required input
  • Any role can create and publish a promptbook, including to the tenant
  • Extend Copilot with a custom plugin when data lives outside the preinstalled set
  • Every Copilot plugin is defined by a YAML or JSON manifest with Descriptor and SkillGroups
  • Write verbose skill descriptions and consolidate inputs to avoid skill collisions
  • Contributors can add custom plugins only when an owner enables it
  • Restricting a preinstalled plugin is an owner action that also hits embedded experiences
  • Use the embedded Copilot panel for in-context work in one product
  • Use the standalone portal to investigate across multiple products in one session
  • Generate KQL from natural language instead of writing hunting queries by hand
  • Pick the threat-intelligence promptbook for proactive threat and risk work
  • SCUs are charged for GA and public-preview capabilities, not private preview
  • The Security Copilot Sentinel plugin is configured per user, not once for the tenant
  • Sentinel exposes two Copilot plugins; Natural language to KQL is the hunting one
  • Usage-dashboard filters change the table, not the bar chart

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. https://learn.microsoft.com/en-us/copilot/security/authentication
  2. https://learn.microsoft.com/en-us/copilot/security/manage-plugins
  3. https://learn.microsoft.com/en-us/copilot/security/custom-plugins
  4. https://learn.microsoft.com/en-us/copilot/security/using-promptbooks
  5. https://learn.microsoft.com/en-us/copilot/security/security-compute-units-capacity
  6. https://learn.microsoft.com/en-us/copilot/security/manage-usage
  7. https://learn.microsoft.com/en-us/copilot/security/experiences-security-copilot