Security Copilot Included in Microsoft 365 E5: A Strategic Lever for IT Teams
22 December 2025
As cyber threats continue to evolve, IT teams must analyze a growing volume of alerts across hybrid and cloud environments.
Organizations running Microsoft 365 E5 already benefit from rich security signals generated by Microsoft Defender, Microsoft Entra, Microsoft Intune, Microsoft Purview, and Microsoft Sentinel. However, manually correlating this information remains time‑consuming and operationally demanding.
Security Copilot is now included for Microsoft 365 E5 customers, with a monthly allocation of Security Compute Units (SCUs) per tenant.
This marks an important step in embedding AI directly into day-to-day security operations.
Security Copilot enables organizations to leverage existing security data in a structured way to accelerate investigations, reduce operational noise, and strengthen cyber resiliency. With the introduction of a dozen new agents integrated directly into workflows through Microsoft Defender, Microsoft Entra, Microsoft Intune, and Microsoft Purview, Security Copilot becomes a true strategic enabler for IT teams.
Among the announced agents are the Triage Agent (Defender XDR), Threat Hunting Agent, Conditional Access Optimization Agent (Microsoft Entra), Sensitive Information Remediation Agent (Microsoft Purview), and the Intune Change Review Assistant. Each provides focused capabilities to automate alert triage, guide threat hunting, optimize conditional access, remediate sensitive data exposure, and govern Intune changes.
The rollout of these new capabilities began on November 18, 2025, for organizations already using Security Copilot with Microsoft 365 E5 and will continue progressively for all E5 customers. Each activation is preceded by a 30-day notice. Microsoft 365 E5 also includes a monthly compute capacity, expressed as Security Compute Units (SCUs), designed to support common Security Copilot usage scenarios.
Security Copilot can only access data and signals permitted by the roles and permissions already defined in your Microsoft 365 E5 environment. Inclusion therefore represents the exact scope made available through your existing Microsoft 365 governance. It encompasses identities, security alerts, activities, configurations, and authorized content.
Security Copilot never exceeds the permissions of the user invoking it.
Access to Security Copilot can also be controlled granularly using Microsoft Entra ID groups. This approach supports a progressive and controlled rollout by enabling access for targeted user groups, validating usage in pilot scenarios, and refining governance before broader deployment.
A well-structured inclusion model delivers several benefits:
contextualized analysis of security signals;
improved alert correlation;
reduced operational noise;
strict adherence to the principle of least privilege.
In a Microsoft 365 E5 environment, inclusion is based on three core elements:
accessible data, including Microsoft Defender alerts, Microsoft Sentinel incidents, Microsoft Entra signals, Microsoft SharePoint and Microsoft Exchange content, and security configurations;
roles and access scopes, which precisely define what each analyst can see and what Security Copilot can leverage;
connectors, including Microsoft Defender, Microsoft Sentinel, Microsoft Entra, and Microsoft Intune, which are essential to enrich analysis and provide full operational context.
By combining these elements, Security Copilot delivers a coherent, enriched, and secure view of activities aligned with each user’s actual access scope.
Security Copilot helps interpret complex scenarios, automatically correlates signals, and proposes actions to contain threats.
By reducing operational noise, teams can focus their efforts on higher‑impact incidents.
Security Copilot generates KQL queries, incident summaries, and contextual analysis, accelerating decision‑making.
All analysis respects Microsoft 365 governance, supporting traceability and consistency.
Optimizing Security Copilot inclusion means clearly defining what the tool can use within your Microsoft 365 E5 environment. A well-designed inclusion model improves analysis quality, operational consistency, and cyber resiliency while remaining aligned with internal governance.
The goal is not to over‑restrict, but to allow Security Copilot to operate within a clear, consistent framework that reflects real IT team needs.
Without clear governance, AI adds complexity. With a well-managed inclusion model, Security Copilot becomes a true accelerator.
relevant and secure use of accessible data;
more complete, contextualized, and actionable analysis;
greater consistency across analysts through harmonized roles;
alignment between internal governance and Microsoft 365 permissions;
stronger cyber resiliency through better information control.
Activating Baseline Security Mode (BSM) helps quickly elevate Microsoft 365 security posture by applying advanced protections consistently.
With Purview DLP for Copilot, organizations gain increased control over prompts and interactions, protecting sensitive data throughout AI usage. Adding SharePoint Advanced Management (SAM) strengthens audit and governance capabilities to detect and prevent information oversharing.
Audit Microsoft 365 access and roles prior to activation.
Define a clear model for roles and responsibilities related to Security Copilot.
Apply the principle of least privilege consistently.
Validate and optimize key connectors (Microsoft Defender, Microsoft Sentinel, Microsoft Entra, Microsoft Intune).
Govern data classification and sensitivity.
Roll out Security Copilot progressively to manage adoption.
Continuously monitor and adjust access and inclusion scopes.
Microsoft has introduced a dozen specialized agents that strengthen an agentic defense approach. These agents automate tasks, enrich data, and validate configurations. They are integrated directly into security workflows through Microsoft Defender, Microsoft Entra, Microsoft Intune, and Microsoft Purview, supporting a more proactive and coordinated security posture.
They help accelerate investigations, reduce operational workload, and improve analytical consistency.
With agents, Security Copilot becomes part of a more proactive, integrated, and coordinated defense approach.
Deployment of the new agents began on November 18, 2025, for organizations already using Security Copilot with Microsoft 365 E5 and will expand progressively to all E5 customers in the following months. Each activation includes a 30‑day advance notice, giving IT teams time to validate governance and access controls.
Microsoft 365 E5 includes a monthly compute capacity dedicated to running Security Copilot workloads. This capacity, measured in Security Compute Units (SCUs), supports common usage scenarios at no additional cost.
SCUs represent the compute power required for Security Copilot AI capabilities, both in its standalone experience and its integrations with Defender, Sentinel, Entra, Intune, and Purview. SCUs are shared across all workspaces within the same tenant and reset monthly.
For full details on the consumption model and included capacity, refer to Microsoft’s official documentation: learn.microsoft.com/.
Integrating Security Copilot into Microsoft 365 E5 requires clear governance. Precicom supports organizations with:
access and role assessments;
inclusion configuration;
connector optimization;
secure adoption by IT teams.
It refers to the set of data Security Copilot can use based on existing permissions.
No. It only accesses data visible to the user invoking it.
No. Internal data is not used for model training, though it may be logged for audit, traceability, and Responsible AI requirements.
Yes. Inclusion applies to Microsoft 365 E5 (and E5 Security). Non-E5 customers can access Copilot for Security through a consumption‑based SCU model.
By strictly applying the principle of least privilege.
Because their roles and permissions differ.
Review Microsoft 365 roles, access policies, admin groups, and data classification.
An SCU is a unit of compute used to run Security Copilot workloads across both the standalone experience and embedded integrations.
For Microsoft 365 E5 inclusion, capacity is allocated monthly per tenant and resets each month. Microsoft states this included capacity scales with your paid user licences (for example, 400 SCUs per 1,000 paid user licences, up to 10,000 SCUs per month). SCUs are usable across all workspaces in the same tenant. Unused SCUs do not roll over to the next month.
For full details on the included capacity and consumption model, refer to Microsoft’s official documentation: learn.microsoft.com/
Security Copilot is now included in Microsoft 365 E5, with monthly SCU capacity supporting common usage.
Inclusion relies entirely on existing Microsoft 365 governance, including roles, permissions, and Microsoft Entra groups.
A dozen new agents extend agentic defense directly into Microsoft Defender, Microsoft Entra, Microsoft Intune, and Microsoft Purview workflows.
A well‑structured inclusion model improves security, performance, and operational consistency while reducing noise.
Governance and progressive deployment are critical to realizing full value.
With the arrival of new agents and the progressive rollout across Microsoft 365 E5, Security Copilot represents a major step forward. When properly structured and aligned with internal policies, it becomes a powerful operational amplifier for IT teams and a key contributor to cyber resiliency.
Organizations that anticipate this transition will strengthen their security posture, optimize operational performance, and improve their ability to adapt.
Microsoft Learn – Security Copilot inclusion with Microsoft 365 E5:
learn.microsoft.com/…/security-copilot-inclusion
Microsoft Learn – What is Copilot for Security:
learn.microsoft.com/…/security
Microsoft Learn – Security Compute Units (SCU) and billing model:
learn.microsoft.com/…/pricing
Microsoft Learn – Responsible AI and data handling for Copilot:
learn.microsoft.com/…/privacy-security
Nidhal Ferchichi is a Senior Cybersecurity Consultant at Precicom with over 15 years of experience in information technology. Specializing in cloud security, managed security services, and IT infrastructure, Nidhal combines deep technical expertise, project management, and secure solution design aligned with organizations’ operational realities. Holding several industry-recognized certifications, he actively contributes to strengthening Precicom clients’ security posture and digital resilience.