Copilot for Security became Generally Available on the 1st of April 2024 and now everyone is able to spin up an instance of the AI that is designed from the ground up to be used for security tasks!
There are two ways that an administrator can provision and setup Copilot for Security ( CfS ):
- The setup process can be initiated from the CfS admin portal and all setting specified if the admin has the required permissions. This includes creating the required Azure resources which are the Security Compute Units (SCU) and all of the CfS configuration
- The Security Compute Unit (SCU) resource can be pre-created in the Azure portal, then the CfS admin portal is used to finalise Copilot for Security Setup Experience
In this post we will focus on option number 1. There is a separate post that will discuss the other setup option.
Please also ensure that all of the necessary security precautions have been taken to secure access to CfS. This is NOT just assigning the correct CfS role, it must also include applying all of the zero trust principles to your environment to ensure that privilege access is fully secured.
Copilot for Security Admin Portal
The CfS main administrative portal is also called the standalone experience and can be access at:
https://securitycopilot.microsoft.com
Copilot for Security Setup URL
Note that if an administrator tries to access the standalone portal and CfS is not deployed, they will be automatically be redirected a slightly different URL.
This is the setup URL and is show below:
https://securitycopilot.microsoft.com/tour/admin
This is the URL that you will see in the screenshots below.
Without further ado, let's walk through the setup process and look at the various options.
Copilot for Security Minimum Requirements
There are several requirements that must be met:
- Access is controlled via Entra ID
- You must have an Azure subscription
- Security Compute Units (SCU) are required and they will be created in the Azure subscription. There is a cost to provisioning SCUs
- The absolute minimum is 1 SCU with a maximum of 100. Note that you will need more than one. Sizing discussions will be a separate post
- You must have Azure subscription owner or contributor permissions to create the SCU resource
- You must have either Global Admin or Security Admin Entra ID role
Copilot for Security Recommended Setup Experience
I'll call this the recommended experience as it is the one that most people will use. Admins will typically have the required permissions to create the SCU resouces in Azure and to also configure CfS itself.
If we navigate to the CfS portal, note that the URL is changed to /tour/admin - you can see this in the address bar below.
Clicking Get Started will then start the spinning doughnut, and we wait for a few seconds.
In this setup experience we are able to configure everything in one pass. Note that we are prompted to enter the details for:
- Azure subscription
- Resource Group
- Capacity Name – ignore the [Suggested Default name] and type in what you want
- Prompt Evaluation location
- Permit out or region prompt processing
- Number of SCU resources to create
As an example from one of my labs, the details below were filled in.
Note - You will need to enter something for the capacity name.
At GA there are four options for where the CfS prompts can be processed. You can see the options in the prompt evaluation location dropdown.
At the time of writing these locations are:
- Australia
- Europe
- UK
- US
Where in each of those locations are the Azure resources?
Below you can see the capacity region is then automatically populated when the location is filled in.
You have an additional control to allow or deny out of region prompt processing. This is a design decision. Note that if not enabled and if the selected region is unable to process the prompt then your prompts will be stalled until capacity is available.
Finally you need to define how many SCU units are to be created, and accept the license terms.
Read more about security compute units and the recommended number based on your organization’s size and probable usage.
Then click Continue, and setup will progress.
The SCU resources and CfS configuration will be created and configured. This should take a few minutes.
When complete, the data storage location is displayed. This location is based upon your tenant’s location.
Read about how Microsoft protects your data
Location information can be viewed the the standalone portal after setup completes.
You are then asked to review the sharing settings for usage data.
Please review the details as discussed in Customer Data Sharing Preferences.
Copilot for Security follows Microsoft’s responsible AI principles and protects your Customer Data with some of the most comprehensive compliance and security controls in the industry. As noted above, read more about this in Copilot for Security privacy and data security and also Responsible AI FAQ.
The default access permissions are then displayed. Note there are two roles:
- Copilot for Security Owner
- Copilot for Security Contributor
These default assignments are just that – a default. You will likely want to remove the Everyone group and add in your own Entra ID groups that are already present for your security team members.
Note that the Everyone assignment does NOT allow everyone in your organisation to view all of the security data. Since CfS uses the On Behalf of access model, access must be granted separately to the actual data. While a regular user could access the CfS portal, their access to data is restricted.
Learn more about Copilot access
Initial Setup is now complete, and the setup summary is displayed. Note - The Azure subscription GUID is redacted on purpose.
The Grand Tour
Clicking finish will take you to the standalone experience at https://securitycopilot.microsoft.com and you will see the links to some initial promptbooks, training and the documentation.
You will also be prompted to setup your profile, to select dark mode etc. This can be changed after the fact via Settings menu.
Cheers,
Rhoderick
