In a previous post, the recommended Copilot for Security setup process was covered. While that is generally the recommended method, there will be scenarios where the second option is required. This could apply at initial setup and also post-deployment. For example, if the Security Compute Units (SCU) were to be recreated in a different Azure subscription, they can be pre-created and the capacity settings then switched over to the new SCU resource. This may also be required due to how Azure is managed in a given customer environment. The Azure admins may wish to pre-create the SCU resource to ensure that the Resource Group and SCU both meet the required naming standards.
There are two ways that an administrator can provision and set up Copilot for Security (CfS):
- The setup process can be initiated from the CfS admin portal and all settings specified there if the admin has the required permissions. This includes creating the required Azure resources, which are the Security Compute Units (SCU), and all of the CfS configuration
- The Security Compute Unit (SCU) resource can be pre-created in the Azure portal, then the CfS admin portal is used to finalise Copilot for Security setup
Option #1 is outlined here: Copilot for Security Setup–Recommend Option Using Standalone Experience
In this post we will focus upon the differences between these options. Please refer to the first post for background material and additional links etc.
Creating Copilot for Security Azure Resource
This is a separate tenant from the one shown in the other setup post. This environment is greenfield and has never had CfS deployed.
We start by navigating to the regular Azure Portal, and to show that we are starting from scratch we search for “Copilot” or “Microsoft Copilot for Security compute capacities” resources - note that none are present.
Since we searched for Microsoft Copilot for Security compute capacities, clicking create will simply start the provisioning process for that resource type.
Enter all of the required information. The same notes mentioned in the first post apply here.
Once all details have been entered, click Next to review. Confirm the details then Create the resource.
Azure will then create the SCU resource.
This will take a couple of minutes.
Post Deployment Azure Resource View
Once the resource has been deployed, it can be viewed in the Azure portal.
Note that we do need to complete the setup in the CfS portal – more on that later.
The Overview does a good job of summarising what was deployed, showing the SCU count, the prompt processing location and whether out of region prompt processing was allowed.
While we can see some of the resource details on the Overview, the Properties can be expanded to see the details there.
We can also update the SCU resource count via the resource’s object.
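For environments where the Azure admins script resource creation, the portal steps above can be expressed with Az PowerShell. This is an added example, not part of the original walkthrough: the resource group name, region, naming pattern and API version are assumptions, and the property names follow the ARM schema for this resource type, so confirm them against the current reference before use.

```powershell
# Added example: pre-create the SCU capacity and read it back.
# Requires the Az.Resources module and an authenticated session (Connect-AzAccount).

$resourceType  = 'Microsoft.SecurityCopilot/capacities'
$apiVersion    = '2023-12-01-preview'   # assumed; confirm against the current ARM reference
$resourceGroup = 'RG-CFS-Example'       # hypothetical resource group name
$capacityName  = 'CFS-Compute-SCU'      # SCU resource name used in this post
$location      = 'eastus'               # assumed Azure region
$namePattern   = '^CFS-[A-Za-z0-9-]+$'  # hypothetical naming standard

# Enforce the naming standard before anything is created.
if ($capacityName -notmatch $namePattern) {
    throw "SCU name '$capacityName' does not match naming standard $namePattern"
}

# Greenfield check: the scripted version of searching the portal for existing capacities.
$existing = @(Get-AzResource -ResourceType $resourceType)
if ($existing.Count -gt 0) {
    $existing | Select-Object Name, ResourceGroupName, Location | Format-Table
    throw 'An SCU capacity already exists in this subscription; review it before creating another.'
}

# Create (or confirm) the resource group, then the SCU resource itself.
New-AzResourceGroup -Name $resourceGroup -Location $location -Force | Out-Null

$properties = @{
    numberOfUnits   = 1             # SCU count
    geo             = 'US'          # prompt processing location
    crossGeoCompute = 'NotAllowed'  # out of region prompt processing
}

New-AzResource -ResourceGroupName $resourceGroup `
               -ResourceName $capacityName `
               -ResourceType $resourceType `
               -Location $location `
               -ApiVersion $apiVersion `
               -Properties $properties `
               -Force | Out-Null

# Read the deployed values back: the same details the Overview and Properties panes show.
$scu = Get-AzResource -ResourceGroupName $resourceGroup -Name $capacityName `
                      -ResourceType $resourceType -ApiVersion $apiVersion -ExpandProperties
$scu.Properties | Select-Object numberOfUnits, geo, crossGeoCompute
```

The resource created this way still has to be selected in the CfS portal to complete setup, exactly as with a portal-created one.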
Now that we have the SCU resource deployed, we need to complete setup in the CfS portal.
Complete Setup Via Security Copilot Console
The SCU resource is now created and is good to go! We must then go to the CfS standalone experience to complete setup. This is what we call the portal at:
https://securitycopilot.microsoft.com
Since we are running setup, note that the URL changes slightly and /tour/admin is added automatically.
Click Get Started to complete the setup.
The CfS configuration is starting up.
More spinning doughnuts!
Since the SCU resource was already created we can select that from the drop down.
The name is what was created above in the Azure portal – CFS-Compute-SCU
The prompt processing location was chosen when you created the SCU. The data storage though is separate, and setup will state what your location is.
You will also need to review and confirm the data sharing options.
Please review the details as discussed in Customer Data Sharing Preferences.
Copilot for Security follows Microsoft’s responsible AI principles and protects your Customer Data with some of the most comprehensive compliance and security controls in the industry. As noted above, read more about this in Copilot for Security privacy and data security and also Responsible AI FAQ.
The default access permissions are then displayed. Note there are two roles:
- Copilot for Security Owner
- Copilot for Security Contributor
These default assignments are just that – a default. You will likely want to remove the Everyone group and add in your own Entra ID groups that are already present for your security team members.
Note that the Everyone assignment does NOT allow everyone in your organisation to view all of the security data. Since CfS uses the On Behalf of access model, access must be granted separately to the actual data. While a regular user could access the CfS portal, their access to data is restricted.
Learn more about Copilot access
Setup is now complete! You are reminded that the CfS portal can be accessed at:
https://securitycopilot.microsoft.com
Copilot for Security Tour
Now that setup has been completed, you can then use the CfS standalone experience to check out the product!
If you select the Training option this will take you to:
https://securitycopilot.microsoft.com/tour/welcome
Here you can select your preferences:
The privacy and responsible AI links are provided.
And all done!
All done – time to bust out your mad prompting skills!
Cheers,
Rhoderick