Challenge 48: Security Copilot – Workspace, Permissions, and Plugins
Exam skills covered
- Configure Security Copilot workspace and capacity units
- Manage RBAC roles (Copilot owner, Copilot contributor)
- Enable and configure plugins (Sentinel, Defender XDR, Intune, Entra, NaturalLanguageToKQL)
- Configure promptbooks and sharing settings
- Understand Security Copilot data processing and privacy boundaries
Scenario
Contoso Ltd has purchased Security Copilot compute units and wants to deploy the service for their SOC team. As the security administrator, you must configure the workspace capacity, set up appropriate RBAC permissions so that Tier 1 analysts can use Copilot but not modify settings, enable the relevant plugins for Contoso's environment, and configure promptbooks for common investigation workflows.
Prerequisites
- Azure subscription with Owner or Contributor role
- 🔒 License required: Security Copilot compute units (SCUs) provisioned in your tenant
- Microsoft Entra ID P2 (for role assignments)
- Microsoft Sentinel workspace with active data
- Microsoft Defender XDR enabled
- Microsoft Intune environment (optional, for Intune plugin)
- Global Administrator or Security Administrator role in Entra ID
Task 1: Provision Security Copilot capacity
Configure the Security Copilot workspace with appropriate compute capacity for Contoso's SOC team of 12 analysts.
Portal Steps:
- Navigate to the Azure portal
- Search for "Microsoft Security Copilot" in the search bar
- Select Security Copilot → Settings → Capacity management
- Click + Add capacity
- Configure the capacity unit:
| Setting | Value |
|---|---|
| Subscription | Contoso-Production |
| Resource group | rg-contoso-seccopilot |
| Region | East US |
| Capacity name | scu-contoso-soc |
| Compute units | 3 SCUs |
| Cross-geo evaluation | Disabled |
- Click Review + Create → Create
- Wait for provisioning to complete (typically 2-5 minutes)
Verify the capacity:
- Navigate to Security Copilot → Settings → Capacity management
- Confirm status shows Active
- Note the capacity units allocated and region
💡 Exam tip: Each SCU provides approximately 30 prompts per hour across all users. Plan capacity based on team size and expected usage patterns.
Task 2: Configure RBAC roles for the SOC team
Set up role-based access so that SOC leads can manage Copilot settings while analysts can only use the service.
Portal Steps:
- Navigate to Security Copilot → Settings → Role assignments
- Click + Add role assignment
- Assign Copilot owner role:
| Setting | Value |
|---|---|
| Role | Microsoft Security Copilot Owner |
| Assign to | SOC-Leads (security group) |
| Scope | Entire workspace |
- Click Add
- Assign Copilot contributor role:
| Setting | Value |
|---|---|
| Role | Microsoft Security Copilot Contributor |
| Assign to | SOC-Analysts-Tier1 (security group) |
| Scope | Entire workspace |
- Click Add
Understanding the roles:
| Role | Capabilities |
|---|---|
| Copilot Owner | Full access: manage settings, plugins, capacity, view all sessions, create/share promptbooks |
| Copilot Contributor | Use Copilot, create personal sessions, run shared promptbooks, cannot modify global settings |
Verify role assignments:
- Sign in as a user in the SOC-Analysts-Tier1 group
- Navigate to Security Copilot
- Confirm the user can create sessions and run prompts
- Confirm the user cannot access Settings → Capacity management
- Sign in as a SOC-Leads member and verify full settings access
💡 Exam tip: Copilot Owner maps to managing the service; Copilot Contributor maps to using it. This is separate from Azure RBAC—these are Security Copilot-specific roles.
Task 3: Enable and configure plugins
Enable the security plugins that Contoso needs for their environment.
Portal Steps:
- Navigate to Security Copilot → Settings → Plugins
- Enable the following Microsoft plugins:
Microsoft Sentinel Plugin
| Setting | Value |
|---|---|
| Status | Enabled |
| Workspace | law-contoso-sentinel |
| Subscription | Contoso-Production |
| Resource group | rg-contoso-sentinel |
| Default time range | Last 7 days |
- Click Save
Microsoft Defender XDR Plugin
| Setting | Value |
|---|---|
| Status | Enabled |
| Scope | All Defender workloads |
| Include advanced hunting | Yes |
- Click Save
Microsoft Entra Plugin
| Setting | Value |
|---|---|
| Status | Enabled |
| Include sign-in logs | Yes |
| Include audit logs | Yes |
| Include risky users | Yes |
- Click Save
Microsoft Intune Plugin
| Setting | Value |
|---|---|
| Status | Enabled |
| Include device compliance | Yes |
| Include app protection | Yes |
- Click Save
Natural Language to KQL Plugin
| Setting | Value |
|---|---|
| Status | Enabled |
| Target workspace | law-contoso-sentinel |
| Allow query execution | Yes |
| Maximum query results | 100 |
- Click Save
Verify plugins are working:
- Open a new Security Copilot session
- Test each plugin with sample prompts:
```text
# Test Sentinel plugin
"Show me the top 10 security alerts from Sentinel in the last 24 hours"
# Test Defender XDR plugin
"List active incidents in Defender XDR with high severity"
# Test Entra plugin
"Show users flagged as risky in the last 7 days"
# Test Intune plugin
"List non-compliant devices in Intune"
# Test NL2KQL plugin
"Write a KQL query to find failed sign-in attempts from outside the US"
```
- Verify each prompt returns relevant results from the respective service
Task 4: Configure promptbooks and sharing settings
Create reusable promptbooks for common SOC investigation workflows.
Portal Steps:
- Navigate to Security Copilot → Promptbook library
- Click + Create promptbook
- Create the Incident Triage promptbook:
| Setting | Value |
|---|---|
| Name | Incident Triage - Initial Assessment |
| Description | Standard triage workflow for new security incidents |
| Sharing | Shared with SOC-Analysts-Tier1 group |
- Add the following prompts in sequence:
Prompt 1: "Summarize incident {incident_id} including affected entities, timeline, and severity justification"
Prompt 2: "What MITRE ATT&CK techniques are associated with this incident?"
Prompt 3: "Are there any related incidents or alerts in the last 30 days involving the same entities?"
Prompt 4: "What remediation steps do you recommend based on this incident type?"
Prompt 5: "Generate an executive summary of this incident suitable for management notification"
- Set input parameters:
  - `{incident_id}` (Type: String, Required: Yes)
- Click Save promptbook
Create a second promptbook for User Investigation:
- Click + Create promptbook
- Configure:
| Setting | Value |
|---|---|
| Name | User Compromise Investigation |
| Description | Deep-dive investigation for potentially compromised user accounts |
| Sharing | Shared with SOC-Leads group |
- Add prompts:
Prompt 1: "Show all sign-in activity for user {user_upn} in the last 14 days including locations and devices"
Prompt 2: "Has this user had any impossible travel detections or sign-ins from anonymous IP addresses?"
Prompt 3: "What Azure resources has this user accessed in the last 7 days?"
Prompt 4: "Check if this user's credentials appear in any known breach databases"
Prompt 5: "Generate a timeline of suspicious activities for this user and recommend containment actions"
- Click Save promptbook
Configure sharing settings:
- Navigate to Settings → Sharing & privacy
- Configure:
| Setting | Value |
|---|---|
| Allow session sharing | Yes - within organization |
| Allow promptbook sharing | Yes - with security groups |
| Data sharing with Microsoft | Opt-out (for compliance) |
| Session history retention | 90 days |
| Audit logging | Enabled |
- Click Save
Task 5: Configure data boundaries and compliance settings
Ensure Security Copilot data processing meets Contoso's compliance requirements.
Portal Steps:
- Navigate to Security Copilot → Settings → Data and privacy
- Configure data boundaries:
| Setting | Value |
|---|---|
| Data processing region | United States |
| Cross-geo processing | Disabled |
| Customer data storage | Tenant boundary only |
| Prompt logging for improvement | Disabled |
- Navigate to Settings → Audit and compliance
- Enable audit logging:
| Setting | Value |
|---|---|
| Audit log destination | law-contoso-sentinel |
| Log all user prompts | Yes |
| Log plugin invocations | Yes |
| Log session metadata | Yes |
- Click Save
Verify audit logging:
- Run a test prompt in Security Copilot
- Wait 5-10 minutes for log ingestion
- In Sentinel, query the audit logs:
```kusto
SecurityCopilotAudit_CL
| where TimeGenerated > ago(1h)
| project TimeGenerated, UserPrincipalName, OperationType, PluginUsed, PromptText
| sort by TimeGenerated desc
```
Break & Fix
Scenario 1: Plugin returns "No data available"
A Tier 1 analyst reports that the Sentinel plugin always returns "No data available" even though data exists in the workspace.
Solution:
Root cause: The analyst's Entra ID account lacks the Microsoft Sentinel Reader role on the workspace.
Fix:
- Navigate to the Sentinel workspace → Access control (IAM)
- Add role assignment: Microsoft Sentinel Reader → assign to the analyst's account or their security group
- Wait 5-10 minutes for permissions to propagate
- Test the plugin again
Security Copilot plugins respect the underlying service's permissions: even with the Copilot contributor role, a user still needs the appropriate RBAC role on each data source the plugin reads from.
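The two permission layers described in Task 2 and in this scenario can be modelled as an effective-access check. The following is an added example written for this challenge; it is not part of the challenge text and not Microsoft code. Group names, the Copilot roles and the Sentinel Reader requirement come from the challenge; the Defender XDR role mapping, the scope labels and the evaluation logic are assumptions.

```python
"""Model the two permission layers a Security Copilot plugin call passes through.

Added example for this challenge; not part of the challenge text and not
Microsoft code. It encodes the rule stated in Task 2 and Scenario 1: the user
needs a Security Copilot role (Copilot owner or Copilot contributor) on the
workspace AND the underlying service's RBAC role on the data source, otherwise
the plugin answers "No data available". The group and role names are the
challenge's; the Defender XDR role mapping, the scope strings and the
evaluation logic are assumptions.
"""
from dataclasses import dataclass, field

COPILOT_WORKSPACE = "copilot-workspace"          # assumed scope label
COPILOT_ROLES = {"Copilot owner", "Copilot contributor"}
SETTINGS_ROLES = {"Copilot owner"}               # only owners manage settings, plugins, capacity

# Underlying role each plugin needs on its data source. Sentinel comes from
# Scenario 1; the Defender XDR entry is an illustrative assumption.
PLUGIN_DATA_ROLE = {
    "Microsoft Sentinel": "Microsoft Sentinel Reader",
    "Microsoft Defender XDR": "Security Reader",
}


@dataclass
class User:
    upn: str
    groups: set[str] = field(default_factory=set)

    def principals(self) -> set[str]:
        """Identities an assignment can match: the user itself or any of its groups."""
        return {self.upn} | self.groups


@dataclass(frozen=True)
class Assignment:
    role: str
    principal: str   # user UPN or security group name
    scope: str       # COPILOT_WORKSPACE or a data-source name


def sample_assignments() -> set[Assignment]:
    """Constructed state after Task 2: SOC-Analysts-Tier1 has no Sentinel Reader yet."""
    return {
        Assignment("Copilot owner", "SOC-Leads", COPILOT_WORKSPACE),
        Assignment("Copilot contributor", "SOC-Analysts-Tier1", COPILOT_WORKSPACE),
        Assignment("Microsoft Sentinel Reader", "SOC-Leads", "law-contoso-sentinel"),
    }


def _has_role(user: User, roles: set[str], scope: str, assignments: set[Assignment]) -> bool:
    who = user.principals()
    return any(a.role in roles and a.scope == scope and a.principal in who for a in assignments)


def can_manage_settings(user: User, assignments: set[Assignment]) -> bool:
    """Copilot owner maps to managing the service; contributor only uses it."""
    return _has_role(user, SETTINGS_ROLES, COPILOT_WORKSPACE, assignments)


def check_plugin_access(user: User, plugin: str, data_source: str,
                        assignments: set[Assignment]) -> tuple[bool, str]:
    """Return (allowed, reason). Layer 1: Copilot role. Layer 2: data-source RBAC."""
    if not _has_role(user, COPILOT_ROLES, COPILOT_WORKSPACE, assignments):
        return False, "no Security Copilot role on the workspace: cannot open a session"
    needed = PLUGIN_DATA_ROLE.get(plugin)
    if needed is None:
        return False, f"no role mapping for plugin {plugin!r}"
    if not _has_role(user, {needed}, data_source, assignments):
        return False, f"missing {needed} on {data_source}: plugin returns 'No data available'"
    return True, "ok"


if __name__ == "__main__":
    analyst = User("analyst1@contoso.com", {"SOC-Analysts-Tier1"})
    before = sample_assignments()
    print(check_plugin_access(analyst, "Microsoft Sentinel", "law-contoso-sentinel", before))
    # Scenario 1 fix: grant Sentinel Reader to the analysts' group on the workspace
    after = before | {Assignment("Microsoft Sentinel Reader", "SOC-Analysts-Tier1", "law-contoso-sentinel")}
    print(check_plugin_access(analyst, "Microsoft Sentinel", "law-contoso-sentinel", after))
```

Running the script shows the analyst failing at the second layer before the fix and passing after the group receives Microsoft Sentinel Reader; a SOC lead passes both layers and is the only one for whom `can_manage_settings` returns true.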
Scenario 2: Promptbook execution fails with capacity error
SOC leads report that promptbook execution fails intermittently with "Insufficient capacity" errors during peak hours.
Solution:
Root cause: The provisioned SCUs (3) are insufficient for 12 analysts running promptbooks simultaneously.
Fix:
- Navigate to Security Copilot → Settings → Capacity management
- Select the existing capacity unit → Edit
- Increase compute units from 3 to 6 SCUs
- Enable burst capacity if available
- Consider implementing usage policies:
  - Limit concurrent sessions per user
  - Schedule intensive promptbooks during off-peak hours
  - Monitor usage patterns in the capacity dashboard
Each SCU supports approximately 30 prompts/hour. For 12 analysts, plan for 5-8 SCUs depending on usage patterns.
Scenario 3: Cross-geo data processing alert
Compliance team flags that Security Copilot is processing data in a European region despite the tenant being configured for US-only processing.
Solution:
Root cause: Cross-geo evaluation was accidentally enabled, or a third-party plugin is routing data through another region.
Fix:
- Navigate to Security Copilot → Settings → Data and privacy
- Verify Cross-geo processing is set to Disabled
- Check Settings → Plugins for any third-party plugins
- Disable any plugins that may process data outside the US boundary
- Review audit logs for processing region information:
```kusto
SecurityCopilotAudit_CL
| where ProcessingRegion != "US"
| project TimeGenerated, UserPrincipalName, PluginUsed, ProcessingRegion
```
- If the issue persists, contact Microsoft Support with the audit evidence
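The audit columns projected in Task 5 also answer the capacity question from Scenario 2 and the cross-geo question from this scenario, and the same 30-prompts-per-SCU figure from the Task 1 exam tip sizes the capacity in the first place. The following is an added example written for this challenge, not part of the challenge text and not Microsoft tooling: it parses a constructed JSON-lines export shaped like the `SecurityCopilotAudit_CL` projection, flags hours whose prompt volume exceeds the provisioned SCUs, lists records processed outside the US boundary (the Python counterpart of the KQL above), and computes a recommended SCU count. The column names are the page's; the JSON-lines shape, the `OperationType` value `Prompt`, the `ThirdParty-ThreatFeed` plugin name and all sample data are constructed assumptions.

```python
"""Check Security Copilot audit records for capacity pressure and cross-geo processing.

Added example for this challenge; it is not part of the challenge text and not
Microsoft tooling. It consumes records shaped like the columns the challenge's
KQL projects from SecurityCopilotAudit_CL (TimeGenerated, UserPrincipalName,
OperationType, PluginUsed, PromptText, ProcessingRegion) and applies the page's
figures: ~30 prompts per SCU per hour, 3 SCUs provisioned, US-only processing.
The JSON-lines record shape, the OperationType value "Prompt", the
"ThirdParty-ThreatFeed" plugin name and all sample data are constructed.
"""
import json
import math
from collections import Counter
from datetime import datetime, timedelta, timezone

PROMPTS_PER_SCU_HOUR = 30   # figure from the challenge's exam tip
ALLOWED_REGION = "US"       # Task 5 data boundary


def build_sample_records() -> list[dict]:
    """Constructed audit export: 12 analysts, a busy hour (8 prompts each)
    followed by a quiet hour (5 each), plus one prompt routed through an
    assumed third-party plugin that processed data in the EU."""
    base = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    records = []
    for hour_offset, per_analyst in ((0, 8), (1, 5)):
        for a in range(12):
            for i in range(per_analyst):
                ts = base + timedelta(hours=hour_offset, minutes=(a * 5 + i) % 60)
                records.append({
                    "TimeGenerated": ts.isoformat().replace("+00:00", "Z"),
                    "UserPrincipalName": f"analyst{a + 1}@contoso.com",
                    "OperationType": "Prompt",
                    "PluginUsed": "Microsoft Sentinel",
                    "PromptText": "Show me the top 10 security alerts from Sentinel in the last 24 hours",
                    "ProcessingRegion": "US",
                })
    records.append({
        "TimeGenerated": "2024-05-01T10:30:00Z",
        "UserPrincipalName": "lead1@contoso.com",
        "OperationType": "Prompt",
        "PluginUsed": "ThirdParty-ThreatFeed",   # assumed plugin name
        "PromptText": "Enrich this indicator",
        "ProcessingRegion": "EU",
    })
    return records


# One JSON object per line, as an export of the KQL projection might look.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in build_sample_records())


def parse_audit_lines(text: str) -> list[dict]:
    """Parse JSON-lines audit records; TimeGenerated becomes an aware datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["TimeGenerated"] = datetime.fromisoformat(rec["TimeGenerated"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def prompts_per_hour(records: list[dict]) -> Counter:
    """Count Prompt operations per clock hour (like summarize by bin(TimeGenerated, 1h))."""
    counts: Counter = Counter()
    for rec in records:
        if rec["OperationType"] == "Prompt":
            counts[rec["TimeGenerated"].replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def hours_over_capacity(records: list[dict], scus: int) -> list[tuple[datetime, int]]:
    """Hours in which prompt volume exceeded what the provisioned SCUs can serve
    (Scenario 2: intermittent "Insufficient capacity" errors during peak hours)."""
    limit = scus * PROMPTS_PER_SCU_HOUR
    return sorted((hour, n) for hour, n in prompts_per_hour(records).items() if n > limit)


def cross_geo_records(records: list[dict], allowed: str = ALLOWED_REGION) -> list[dict]:
    """Python equivalent of the page's `where ProcessingRegion != "US"` query (Scenario 3)."""
    return [r for r in records if r.get("ProcessingRegion") != allowed]


def recommend_scus(analysts: int, prompts_per_analyst_hour: float, headroom: float = 0.2) -> int:
    """Size capacity for peak load with a safety margin (Task 1 planning tip)."""
    peak = analysts * prompts_per_analyst_hour * (1 + headroom)
    return math.ceil(peak / PROMPTS_PER_SCU_HOUR)


if __name__ == "__main__":
    recs = parse_audit_lines(SAMPLE_JSONL)
    for hour, n in hours_over_capacity(recs, scus=3):
        print(f"{hour:%Y-%m-%d %H:00}Z: {n} prompts exceeds 3 SCUs x {PROMPTS_PER_SCU_HOUR}")
    for r in cross_geo_records(recs):
        print(f"cross-geo: {r['UserPrincipalName']} via {r['PluginUsed']} in {r['ProcessingRegion']}")
    print("Recommended SCUs for 12 analysts at 12 prompts/hour peak:", recommend_scus(12, 12))
```

With the constructed sample, the 09:00 hour carries 96 prompts against a 3-SCU limit of 90, which is exactly the intermittent peak-hour failure Scenario 2 describes, while the same hour fits comfortably after the upgrade to 6 SCUs; the single EU record surfaces the third-party plugin that Scenario 3 tells you to look for.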
Knowledge check
1. What is the minimum role required for a SOC analyst to use Security Copilot without modifying settings?
2. A Security Copilot plugin returns no data even though the underlying service has data. What is the most likely cause?
3. Which setting must be disabled to prevent Security Copilot from processing prompts in regions outside your designated geography?
4. How many prompts per hour does one Security Copilot compute unit (SCU) approximately support?
Cleanup
This challenge is portal-only configuration, so cleanup consists of removing the Security Copilot resources:
- Navigate to Security Copilot → Settings → Capacity management
- Select the capacity unit → Delete
- Remove role assignments from Settings → Role assignments
- Delete promptbooks from the Promptbook library
⚠️ Cost warning: Security Copilot compute units are billed hourly. Delete capacity when not actively studying to avoid charges.