You’ve probably heard someone (maybe me) say something like:
“Admins should just learn KQL and Microsoft Graph, you don’t need AI for Intune.”
And honestly… I’m not wrong (side glances at my wife)
Learning KQL and Graph is still one of the best investments you can make as an Intune or security admin. But at the same time, Security Copilot has quietly arrived, plugged itself into all the places we live, like Intune, Entra, and Defender, and started doing things that feel like the beginning of something big.
We’re at that awkward stage where some people talk about Security Copilot like it’s magic, some are terrified of the potential cost (I got burned), and most of us are staring at an empty prompt bar thinking “What am I actually supposed to type in here and why wouldn’t I just do this in the Intune Admin Centre instead of burning $9 for the privilege of using a prompt”.
In this post I’m not going to tell you what Security Copilot best practice looks like, heck I’m not even sure there is one. I’m also not here to say you must use Security Copilot tomorrow or that you’re falling behind. Instead, this is how I approached getting started and why there’s an Azure resource involved that you’ll need to watch like a hawk if you want to still be able to afford grandma’s present this Christmas.
What is Security Copilot?
Microsoft’s naming doesn’t help here. We’ve now got Copilot in Windows, M365, Edge, GitHub, Studio, the toaster and so on. It’s the cool new product buzzword.
Security Copilot / Copilot for Security is a generative AI security product that sits on top of your existing security data from Defender, Entra, Intune and other sources. Bottom line is it lets you ask questions, investigate, and respond using natural language.
You get it in two main flavours. There’s the standalone portal at securitycopilot.microsoft.com, where you get a security centric prompt experience and plugins. Then there are the embedded experiences inside Intune, Entra and Defender portals where Copilot shows up contextually with obvious buttons and not so obvious embedded experiences.
What does Security Copilot Actually offer our Intune fanbase?
Before we get all excited and show you how to get started, you’ll want to know what you’re getting, right? Let’s touch briefly on the features you will get access to, but we’ll go a little deeper later on.
Explorer

Explorer is one of those embedded Copilot experiences I mentioned that lights up when you enable Security Copilot. At first glance, it looks like you use a natural language search box where you can ask questions about your Intune data. The interface shows you a bunch of pre-written example queries to get you started, things like finding devices with a specific app installed or checking compliance states for particular settings.
What’s interesting here is that these aren’t just static reports. Explorer is essentially giving you a friendlier way to query your Intune data without needing to write KQL yourself.
Think of Explorer as training wheels for querying Intune data. The pre-scripted prompts show you the kinds of questions you can ask, but you’re not limited to those templates. Now here’s the important bit that might not be obvious from the first screenshot. When you start typing in Explorer, you don’t get a completely open ChatGPT style experience where you can ask anything. Instead, Explorer shows you a dropdown of suggested prompts that match what you’re typing. In this example, typing “apps that failed” brings up pre-written queries like “Get devices that had application crashes or hangs in a 48 hour window in the last 30 days” or “Get failures by devices for managed app on platform.”

At the bottom you’ll see “Explorer might not know about your question yet. Submit your query to help us improve.” This tells us that Explorer is working from a library of known query patterns, not generating completely custom queries on the fly. You’re essentially picking from a menu of pre-built questions, even if the interface suggests you’re at an all you can eat buffet.
Explorer, in Intune, is different from the standalone Security Copilot portal or other embedded Copilot experiences, which we’ll come onto later, where you have more free-form prompting. It’s more like intelligent autocomplete for common Intune KQL queries. It’s still useful, especially if you’re not sure what questions you can even ask, but it’s not the same as having a conversation with an AI about your environment. You’re guided toward queries that Microsoft has already built and tested, which means you won’t accidentally ask something that returns garbage or burns through your SCU budget with a poorly formed request. And that’s an important point in my experience, I didn’t see any usage of Explorer burn through my SCU’s on my Azure resource.
Copilot (Embedded)

When you move past Explorer and start clicking the actual Copilot buttons inside Intune, you’re entering a different experience entirely. Microsoft explains the experience pretty well (but the grammar in the docs is awful), so I’m not going to re-wordsmith it too much:-
The Copilot prompts and their output are in the context of your Intune and Windows 365 Cloud PC data. They can help you manage your policies and settings, understand your security posture, and troubleshoot device issues, including Windows 365 Cloud PCs
Security Copilot in Intune features overview – Microsoft Intune | Microsoft Learn
Copilot takes whatever object you’re focused on…a device, a policy, an app, an error message and will try to give you context. It summarises what the thing does, who it’s targeting, what’s unusual, what’s failing, and where you should look next. It’s quite helpful to the busy admin when you’re staring at a messy configuration profile and thinking, “I swear this made sense when I created it thirty years ago in Group Policy and migrated it to Intune (sic).”
What Copilot is really doing here is filling in some cognitive gaps. It looks at data like configurations, assignments, recent success/failure states, and the telemetry around the object, then turns that into something a human might tell you. This is the layer that explains why a device might be out of compliance, what setting is conflicting with another, or which assignment is actually responsible for the behaviour you’re seeing. Explorer will show you what is happening. Copilot tries to tell you why.
One interesting behaviour I’ve seen is that Copilot doesn’t pretend to be the oracle (hat tilt to the Matrix) to every question. If you ask for something that should come from a structured query, like “show me devices with this app installed” or “list compliance states for these groups”, Copilot will straight-up suggest using Explorer instead. That is not a failure. It is Copilot nudging you toward the right tool for the job. And honestly, I actually appreciate that behaviour. If you ask a question that really belongs in the documentation, especially configuration steps or anything that needs an exact, authoritative answer, Copilot will point you to the Microsoft Docs page instead of pretending to be the ultimate source of truth.
Let’s take a moment to breathe and reflect on that for a moment…
Yes. There should still be a place in your admin-forged heart for going to the docs, understanding how something works, and learning the real mechanics behind it. I do not buy into the idea that AI should replace thinking or become the only place we go for answers. AI only knows what we teach it, and since we are imperfect, AI will always inherit that imperfection. If we can be wrong, so can it.
So when Copilot suggests using Explorer instead of answering directly, or when it sends you to Microsoft Docs for configuration steps, that is not Copilot being awkward. It is Copilot recognising what it should answer, what it should explain, and when it should let the official documentation take the lead. This element I can get on board with and kinda love.
The point is, the embedded Copilot experience in Intune isn’t trying to replace Explorer or the documentation. It acts more like the guide between them. It handles the interpretation, the summaries, the “what’s actually going on here?” questions, and the troubleshooting paths that Explorer can’t provide. Then, when necessary, it sends you to the exact tool or reference that will actually answer your question.
You sound like you drank the Copilot kool-aide Ben!
Wait… it is growing on me, I admit. But here is the one thing that still wrangles me about the embedded Copilot experience. This is the very part of Intune that quietly eats away at your hard earned money. It is helpful, it is clever, it is genuinely useful, but it’s also the feature that dips into your Security Copilot capacity every time you use it. So while Explorer is, air quotes, “free” to poke and prod all day long, the embedded Copilot experience is the one you need to keep an eye on if you don’t have daddy’s credit card to hand.
Security Compute Units (SCU’s)
Before we walk through any setup steps, we need to talk about the thing that quietly ambushes us mere mortals who enable Security Copilot for the first time. SCU’s. The tiny unit of compute that Security Copilot eats like a hungry town fox who just found a bin full of yesterday’s donner meat.

Think of SCU’s as the Microsoft Copilot equivalent of AI tokens. Other models tend to charge you per prompt or per token. Microsoft wraps that compute into hourly capacity instead.
A SCU is simply the amount of compute you are renting so Copilot can respond quickly and consistently. If you want Security Copilot to run prompts, summarise devices, analyse errors, and generally act smart, you need SCUs in the tank. No SCUs means no Copilot…well…Explorer in the Intune Admin Centre seems like a freebie at least, but you still need to show your credit card before Explorer can be enabled. More on that later.
Security Copilot works with two types of capacity. The first is your provisioned capacity. This is the predictable, always-on amount of compute you choose to rent every hour. You pick how many SCUs you want to run, and Azure bills you by the hour for them. Even if you only used them for part of an hour, you still pay for the entire block.
IMPORTANT
We will look at how we configure SCU’s later but absolutely read the thing you are clicking. You are charged per hour. Whether you use it or not. There are 24hrs in a day (I got a B in maths, I can count). It adds up…and if you use Copilot..it adds up even more.
Microsoft docs suggest you have to configure a minimum of 1 SCU to get started (not 100% true but more on that later). The docs also suggest 3 SCU’s + unlimited overage as a good “intro” size. Dude, with someone else’s credit card maybe.

So again, for us mere mortals earning a modest 9-5 living, let’s work out the cost of you “just going with that suggestion”:
- 1 SCU at $4/hour: $4 × 24 hours = $96 per day
- 3 SCUs at $4/hour = $12/hour: $12 × 24 hours = $288 per day
- That works out to roughly $8,640 per month ($288 × 30)
- And around $105,120 per year ($288 × 365)
The second type is overage capacity. Think of overage as Copilot’s emergency stash of compute. If your team runs more prompts than you expected, or if a workload spikes beyond what you provisioned, Copilot will dip into overage so the experience does not slow to a crawl. Overage is billed on actual usage, albeit at the higher hourly rate of $6 per hour, and it can be set to a maximum amount or left unlimited if you enjoy living dangerously.
There is also a wonderful little billing quirk. If you add or remove SCUs inside the same hour, Azure still charges you for each one. For example, if you provision an SCU at five past the hour, remove it at half past, and then add another one before the hour is over, you are billed for two SCU’s for that entire hour. It is not malicious. It is just how hourly billing windows work. But it does mean your timing matters when you tweak SCU provisioning.
One important thing to note is that SCU’s used for Security Copilot are completely separate from SCUs used in other Microsoft security products. They do not pool or mix. If you want Security Copilot, you need Security Copilot SCUs. Nothing else will power it.
The good news is that you can scale SCU’s up or down at any time, and the Security Copilot standalone experience (up next) gives you a usage dashboard so you can see who or what is eating all your compute. The bad news is that the embedded Copilot experience in Intune and the standalone Copilot portal both rely on these SCU’s, so you will want to keep an eye on your usage if you do not want your Azure bill to look like a crime scene.
What is the Azure Security Compute Capacity resource?
If SCU’s are the kebab meat, then the Azure Security Compute Capacity resource is the rotating grill that keeps everything warm and ready to serve. This capacity resource is the Azure home for all the compute that Security Copilot needs. Without it, nothing runs. You cannot use the standalone Security Copilot portal, and you cannot light up the Copilot experiences in Intune.
Security Copilot does not magically appear in Intune the moment you click a toggle. It needs compute behind the scenes, and that compute lives inside this Azure capacity. Every prompt, every summary, and every analysis flows through it. It is the engine room that makes the whole thing work.

What you are looking at here is the Azure Security Compute Capacity resource, the same rotating kebab grill that keeps Security Copilot cooking. This is where you tell Azure how much compute you want to keep warmed up every hour, and how much extra Copilot is allowed to grab (overage) when things get busy.
The Provisioned security compute units per hour box in the image above is your always-on compute. Azure will not let you go below one, because Copilot needs at least one SCU to function. You pay for this every hour, whether Copilot is doing anything or not.
Even though the Azure portal forces you to enter a minimum of 1 SCU when you are editing the capacity there, the standalone Security Copilot portal actually lets you set your provisioned SCUs to 0 and run entirely on overage instead. This works more like a pay-as-you-go model. Overage costs more per hour, so you pay a higher rate when you use Copilot, but you avoid the fixed daily commitment of $96 (for 1 SCU). There are some limitations when you rely on overage only, and we will touch on those later.
Also shown is the Overage Capacity option. This is your safety buffer. If Copilot needs more compute than you provisioned, it dips into overage. You can allow unlimited overage or set a sensible cap. In this screenshot, overage is enabled with a limit of one extra SCU at the higher rate.
Once you understand that the configured SCU’s and overage facilitate how much you can overdress your kebab, the rest of the Security Copilot setup starts to make a lot more sense. We will look at this resource again later when we deep dive billing.
Configuring Security Copilot
Before we can go much further in the blog, we need to make sure our foundations are set. Getting the thing set up. Microsoft Security Copilot (which powers the already mentioned Intune-embedded features) has some minimum requirements and onboarding steps you should know about. Hold tight!
Here’s what we need:-
- An Azure subscription
Without that, you can’t purchase the compute units that let Security Copilot run. Onboarding to Security Copilot will require Azure resources, specifically “Microsoft Security compute capacity” Microsoft Learn - Security Compute Units (SCUs)
These are essentially the “fuel” for Security Copilot’s generative AI capabilities. We will learn more about these as we configure Security Copilot Microsoft Learn - Fresh Coffee
The documentation also notes that the Security Copilot solution is for “commercial clouds” and currently not designed for US Government clouds like GCC, GCC High or DoD. Microsoft Learn
This part is surprisingly simple on the surface, but like everything Microsoft-cloud-shaped, you want to pay attention to what you are clicking because the choices you make here control your cost, permissions, data location, and whether your accountant cries.
Navigate to https://securitycopilot.microsoft.com and click Get started.

Enter a workspace name and select your data storage location.
This creates the logical home for your Copilot experience. The name can be anything you like, but pick a data region that matches your organisation’s compliance and residency requirements. Next, click Continue.

Next, you decide which Azure subscription is paying for your new Copilot habit. You can drop the capacity into an existing resource group, but honestly, it is cleaner to create a dedicated one so you can see exactly what Copilot is costing you. The Capacity name you enter here will be the name of the resource created in the resource group.

As with any Azure resource, select an appropriate region.

Crunch time. When you set this thing up you are going to want to play with it so I’d suggest setting 1 SCU (Microsoft suggest 3 – but they want your cash) for the number of units you want to provision. For now, let’s leave overage not configured.

We will look at provisioned SCU’s and overage a little later.
Save the rainforest, drink less coffee, and decide if you want to do these other things to help Microsoft improve the Security Copilot experience.

This next screen is a newer part of the setup flow. All it is doing is asking whether you want Security Copilot activity to be logged and stored in Microsoft Purview Audit, which is the same place Microsoft 365 already stores your audit logs.
If Purview Audit is already enabled in your tenant, there is nothing else to configure. Copilot will simply send its audit entries there so you have a proper trail of what was done and by whom.
The optional toggle for Purview DSPM for AI lets organisations add extra governance and oversight for Copilot prompts and responses, but it is not required to get started.

This final part of the setup decides who actually gets to use Security Copilot and at what level. The screen shows you the roles that Copilot automatically assigns to you as the creator. You become an Owner by default, along with any of the high-privilege roles you already hold in Entra or Purview. Owners can manage everything…settings, plugins, usage monitoring, and role assignments.
Below that you will see Microsoft recommending other roles that you might want to add as Owners, such as Billing Administrator, Intune Administrator, Security Administrator, or Purview governance roles. Adding them now is optional. You can always adjust access later in the role assignment page.

The lower section covers Contributors. Contributors can use Copilot, but their experience depends entirely on the permissions they already have across Microsoft Security products. Copilot will never give someone more access than they already hold elsewhere. You can choose to add contributors now or skip it and configure them later.
Once you have reviewed the roles, click Continue.

Relax, you are done. Wasn’t so bad, right? Now don’t forget that 1 SCU that’s going to be burning $4 an hour until you go review your SCU provisioning.
SCU Billing
Before we look at the unicorns let loose after onboarding to Security Copilot, I want to focus on SCU provisioning a little more. When you finish onboarding, Security Copilot creates a workspace for you. This workspace is the logical home for everything Copilot does. It is where your settings live, where your plugins get added, where owners and contributors are managed, and where Copilot stores the context it needs for your prompts. The Security Capacity Azure resource that you created is assigned to this default workspace.

If you navigate to the Usage monitoring blade, you get a more detailed view of the capacity you configured. Remember, when we onboarded we created a capacity of 1 SCU.

Here is the same view on the Security compute capacity resource in Azure.

If you did nothing now, you are paying for the privilege of that SCU provisioning, whether you like it or not.
SCU Caution
As any good admin, I clicked through the setup screens like a caffeine-fuelled speedrunner, nodded at the warnings without actually reading them, and then went off to live my life for a few days. When I came back, Azure had lovingly transformed those clicks into a bill that looked like a Halloween jump scare. Those tall green bars you see are not performance metrics. They are the direct result of leaving provisioned SCU’s running twenty-four hours a day and letting overage kick in whenever Copilot felt a little energetic.

You can see from the chart that I enabled Security Copilot on Sunday (no rest for the wicked) 5th of October, in the afternoon, so I did not get hit with the full 24 hour charge on day one. This is what 1 SCU at $4 per hour actually looks like in UK money. It works out to roughly £73 per day. For 1 SCU. Doing absolutely nothing while you sleep.
If it is not your credit card tied to the Azure subscription, who cares, right? But if you are testing this in your own lab, or you are spinning it up for a customer and the billing lands on your card, a more conservative approach suddenly becomes very sensible.
The standalone Security Copilot portal does show you your SCU usage, but for some reason the cost never really landed for me until I looked at it in Azure. Azure is the source of billing truth, and seeing the numbers there made everything click. In this example, I had my Security Compute Capacity set to 1 overage SCU, which didn’t get me far.

Overage. A better pay-as-you-go model
There is a small but important trick here. In the Azure portal you cannot set provisioned SCUs to 0, but in the Security Copilot standalone portal you can. That means you can run Copilot with no hourly baseline cost, and instead rely only on overage, which works more like pay-as-you-go.

Overage costs a bit more per hour, $6 per hour compared with $4 for a provisioned SCU, but you only pay when Copilot actually runs something. For anyone testing or learning, this is far safer than leaving a provisioned SCU quietly burning through seventy-plus pounds a day – if it’s your own credit card.
A sensible starting point to kick the tyres might look like:
- Provisioned SCUs: 0
- Overage limit: 3 SCU

It will not be fast, and it will not give you many prompts before it needs a break, but it keeps your costs predictable and lets you experiment without worrying about surprise bills.
If you are just trying Copilot out, or helping a customer evaluate it, running on a small overage cap is a perfectly reasonable approach until you understand what your real workload looks like.
Finding Balance Between Provisioned and Overage SCU
When you rely only on overage, Copilot feels slower because there is no compute running until the moment you ask for something. Azure has to spin up that capacity on demand, I assume (I’ve not gone down the rabbit hole on this yet), which adds a noticeable pause. Provisioned SCU’s avoid that because they are always warm and ready, so responses feel much faster and more consistent.
This is why overage-only works fine for testing in my opinion, but it is not great for daily use. If someone plans to use Copilot every day, even casually, having at least 1 provisioned SCU makes a huge difference. It gives you a stable baseline of performance and a predictable daily cost. You can then set a small overage limit to handle any occasional spikes in activity without letting things run wild.
The trade-off is cost. 1 provisioned SCU comes out to roughly £73 / $96 a day, which adds up quickly if you run it nonstop. Microsoft recommends 3 SCUs for teams or heavier workloads, and that pushes the daily cost into the hundreds. It is expensive, but you get smoother performance and the ability for more than one person to use Copilot at the same time.
Overage is billed at a higher hourly rate ($6 vs $4), but you only pay when Copilot actually needs it. You get far fewer prompts out of a single overage SCU, perhaps 4/5, in my experience, in the standalone portal, but it keeps things safe while you are learning. For a test tenant, 0 provisioned SCUs with a tiny overage cap seems a sensible, or at least less stressful, option. For real daily usage, at least 1 provisioned SCU strikes a better balance.
Ultimately it comes down to choosing between low cost with slower performance, or higher cost with a smoother experience. You can change the mix at any time, but remember that Azure bills SCU’s in full hourly blocks. If you adjust your capacity mid-hour, you will still be charged for the hour you are already in, so timing your changes is part of the game.
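The billing rules above, worked through as an added example (not code from this post or from Microsoft). It uses the $4 and $6 rates quoted here, assumes a removed SCU is still paid for until the end of the clock hour (as in the add/remove/add example), and assumes the overage limit applies per hour; the function names and sample timestamps are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PROVISIONED_RATE = 4.0  # USD per provisioned SCU per hour (rate quoted in the post)
OVERAGE_RATE = 6.0      # USD per overage SCU (rate quoted in the post)


def _hour(ts):
    """Floor a timestamp to the start of its clock hour (the billing window)."""
    return ts.replace(minute=0, second=0, microsecond=0)


def provisioned_cost(events, start, end, initial_scus=0):
    """Cost of provisioned SCUs between start and end, billed per clock hour.

    events is a list of (timestamp, delta) provisioning changes, e.g. +1 or -1.
    Assumed rule, taken from the post's worked example: each hour you pay for
    the SCUs running at the top of the hour plus every SCU added during that
    hour. Removing one mid-hour does not refund the block already started.
    """
    added = defaultdict(int)  # SCUs added within each clock hour
    net = defaultdict(int)    # net change within each clock hour
    for ts, delta in events:
        if delta > 0:
            added[_hour(ts)] += delta
        net[_hour(ts)] += delta

    running, total, hour = initial_scus, 0.0, _hour(start)
    while hour < end:
        total += (running + added[hour]) * PROVISIONED_RATE
        running = max(0, running + net[hour])
        hour += timedelta(hours=1)
    return total


def overage_cost(units_per_hour, cap=None):
    """Cost of overage given the fractional SCUs consumed in each hour.

    cap is the overage limit, assumed here to apply per hour (None = unlimited).
    Returns (cost, units_refused): demand above the cap is not served or billed.
    """
    billed = refused = 0.0
    for used in units_per_hour:
        allowed = used if cap is None else min(used, cap)
        billed += allowed
        refused += used - allowed
    return billed * OVERAGE_RATE, refused


def daily_plan_cost(provisioned_scus, overage_units_per_hour, cap=None):
    """One full day: always-on provisioned baseline plus consumed overage."""
    day = datetime(2025, 1, 6)  # constructed date, any full day works
    base = provisioned_cost([], day, day + timedelta(days=1), provisioned_scus)
    extra, refused = overage_cost(overage_units_per_hour, cap)
    return base + extra, refused


if __name__ == "__main__":
    nine = datetime(2025, 1, 6, 9)  # constructed timestamps
    churn = [(nine.replace(minute=5), +1),
             (nine.replace(minute=30), -1),
             (nine.replace(minute=45), +1)]
    print("add/remove/add inside one hour:",
          provisioned_cost(churn, nine, nine + timedelta(hours=1)))

    # The two overage figures reported later in this post, treated as two hours.
    usage = [0.366, 3.6]
    for label, scus in (("overage only", 0), ("1 provisioned", 1), ("3 provisioned", 3)):
        cost, _ = daily_plan_cost(scus, usage)
        print(f"{label:>14}: ${cost:,.2f} per day")
```

Feed it your own per-hour overage figures from the usage monitoring view to see where a provisioned SCU starts to beat overage-only for your workload.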
Using Security Copilot
Now that we have safely navigated onboarding, hopefully avoided the billing traps, and found a sensible provisioning model, we can now look at the standalone Security Copilot portal.
Owner Settings
Not to be overlooked quickly is the owner settings blade. Here you can choose which workspace each product’s built-in Copilot experience should use.

This matters because you can create multiple workspaces, each with different plugins, permissions, or SCU capacity behind them. The dropdowns here let you say, for example, “Intune should use this workspace, Defender should use that one.”
By default everything points to your initial workspace, but larger orgs might separate them so each platform has its own Copilot configuration and compute budget. Using different workspaces makes it much easier to track how Copilot is being used across the embedded experiences and, more importantly, simplifies billing visibility. If each platform points to its own workspace, you can quickly see which area is consuming the most SCU’s and adjust accordingly.
Prompts
Instead of staring at a blank prompt box wondering what on earth to type, Microsoft provides a selection of pre-built prompts you can click and run instantly.

Each prompt is basically a starting point. It already knows the question it wants to ask, and all you do is fill in the blanks. The prompts tell you exactly what you need to supply.

When you run a prompt, you get to see the steps the prompt is walking to get you an answer.

Prompts are not perfect. I guess this is because I’m relying on overage and the Security compute capacity is still spinning up.

I could have got this from the Intune Admin center, mouse dexterity permitting, in 10 seconds. The results are in…and…

No data found. But…that app(s) is there with an assignment.

Ok, I was a little unfair. Or was I? This prompt seems to be unable to handle an array, at least if there are multiple results this prompt cannot handle that. If I retry again, for an app that only exists once, I get a result.

It’s interesting that the “All Users” group has null user count. More importantly, what did it cost me to run those 2/3 prompts?

0.366 overage units. Let’s do math. Overage SCU’s are billed at $6 per full SCU per hour, but we only consumed a fraction of that one SCU.
0.366 x $6 = $2.196…about $2.20
And look, I am not anti-SCU. Prompts can be useful, especially for a non-Intune admin trying to understand or interpret Intune data. But moments like this are a good reminder that Copilot is not magic, and every prompt has a cost attached to it. If you already know how to get the same data through the Intune admin centre, Graph, or a simple KQL query, it is worth asking yourself whether you really need to burn compute for it.
More information on prompts can be found at Prompting in Microsoft Security Copilot | Microsoft Learn
Promptbooks
If prompts are considered one-off questions, promptbooks are the equivalent of a “run this investigation the same way every time” button.
Under the hood, a promptbook is simply multiple prompts stitched together in a predefined workflow. Supply whatever input it needs like a CVE ID, a script, an app name, a threat actor name, whatever the author intended, and Copilot walks through each step behind the scenes, building on the previous answer until the workflow is complete.
Microsoft describes promptbooks as security playbooks in miniature. They are ready-to-use workflows designed for common security tasks such as incident triage, threat analysis, or investigation steps. Instead of clicking through half a dozen prompts manually, the promptbook keeps everything consistent and repeatable.
You still pay in SCUs, of course. A complex promptbook costs more than a single ad-hoc prompt because it is effectively running several prompts in sequence. But at least the cost is going toward a predictable, repeatable process instead of a collection of slightly different manual prompts you typed in a hurry.

It becomes obvious pretty quickly that promptbooks aren’t just pulling from Intune. Most of them rely on data from other security services like Defender and Purview. I’m going to run a simple prompt book, Microsoft User Analysis.

When I submit this, the promptbook gets going. The results are quite interesting and colorful actually.

I’m not sure how it identified gender, but it found associated devices for the user.

and authentication methods.

and more. I won’t list the whole output but that prompt book output was very cool, I can see a good use case for these for ad hoc investigations. But I know you are itching to find out, what did that promptbook run cost?

You know that feeling when you confidently order a bottle of Château du Pont thinking you’re treating yourself? Suddenly you’re mentally preparing to wash dishes out back to pay for it.
Yeah…that.
3.6 overage units! In wallet terms, that’s $21.60. It cost me that to show you this example. Send small violins and commiserations to [email protected]
More information on promptbooks can be found at Use promptbooks in Microsoft Security Copilot | Microsoft Learn
Agents
If prompts are quick questions and promptbooks are repeatable workflows, agents are where it gets serious. Microsoft describes Security Copilot agents as “AI-powered systems that act on behalf of a person or team to carry out security or IT tasks across areas like SecOps, compliance, identity and IT admin”.
Unlike prompts or promptbooks, agents don’t just wait for you to type something, they can react to things happening in the environment from triggers. They use SCU’s just like everything else in Copilot, so yes, they still nibble at your wallet.
The Security Store is where you will find agents built by Microsoft, partners and community heroes.

Here we can see agents filtered by partner and Intune.

Shoutout to Ugur Koc and colleagues at Glueckkanja AG for jumping feet first into the agentic world. If you want to read Ugur’s blog and see all the cool tools he is building these days, head over to https://ugurkoc.de. Let’s take the team’s Device Troubleshooter Intune agent for a quick spin.

Clicking Get Agent will send you off to the Microsoft Security Store.

Choose the resource group and resource name where you want this to land in your Azure subscription.

Review the order details and pricing. This agent is free but don’t forget it will consume SCU’s when used. Click Place Order.

Wait for the thing to cook.

If you navigate to the Azure portal you will see the resource was created.


You can navigate back to the Security Copilot portal to begin the agent setup task.


This should not be “shock horror”. The agent is going to need permissions to get you the kool-aide you are looking for in your data. You are going to have to authorise it to access your resources.

We need to select the identity the agent will use. Click Sign in.

Let’s tailor the results. I’m going to suggest a couple of data points for this agent to use.

The agent should now be ready to play with.

I’m going to run it once, manually, but you can invoke this thing on a trigger.

Nail biting stuff.

This particular invocation resulted in an error.

But that’s OK, I’ll dig into that later. The point here was to show you how to find and run Agents that are being added to the Microsoft Security Store. Even though this agent run wasn’t successful, it was insightful to see all the prompts it was running through. Clearly a lot of work goes into building an agent!

It’s not easy to understand the SCU compute for this agent. It cost 0.03 units for this invocation.

Under Plans and Pricing in the Microsoft Security Store for this agent, there is a suggestion that it’s between 0 and 2 SCU’s. So a max of $12 if you are using only overage.
Build (an Agent)
All the cool kids are doing this. In the standalone portal, it all starts on the Build page.

I think we will save agent building for another blog, it gets a little too complex for this beginners introduction to Security Copilot.

Closing Thoughts
If you take anything away from this post, let it be this. Security Copilot is not just another shiny button in the Intune blade. It is an Azure-backed, SCU-chewing service that you have to treat like any other cloud workload. The decisions you make around provisioned SCUs and overage are not dismissive settings you click during onboarding. They determine whether your Azure subscription becomes frighteningly expensive very quickly, or stays completely manageable and predictable while you explore, test, and learn how this thing actually behaves.
For labs and first contact, I still like the idea of running with zero provisioned SCU’s and a tiny overage cap. It is slower but it keeps the cost guard rails nice and tight while you figure out what actually helps you. When you are ready to use this thing every day, that is when at least one provisioned SCU starts to make sense, with overage acting as a safety net rather than the main event. The trick is to move from overage only to a small but predictable base line, not to blindly accept 3 SCU’s and unlimited overage just because the docs say so.
At the same time, it is hard to shake the feeling that we are at the beginning of something interesting. The Intune Explorer experience, the embedded Copilot views, promptbooks and agents all hint at a future where a lot of our noisy, repetitive admin work gets front loaded into automation. You can already see glimpses of that with vulnerability agents, phishing triage and conditional access optimisation.
I’ll still maintain that learning, and improving, the basic skills any Intune administrator should have should not be avoided. KQL and Microsoft Graph are still the tools that really unlock Intune and the wider Microsoft 365 stack. Copilot sits on top of those signals. If you know how the data is shaped and how the APIs work, you are in a much better position to spot when Copilot might be helpful vs just unnecessary compute expense. Think of Security Copilot as a very smart Papa Smurf sitting next to you, not a replacement for the skills that got you here.
So yeah, play with it! Light up Explorer (this didn’t seem to use any SCU’s at all), try a few prompts, run a promptbook, maybe adopt an agent for Christmas. Watch your SCU provisioning, treat overage with respect, and keep one hand on Graph and KQL at all times. If you can balance those pieces, Security Copilot stops being a scary line item on the bill and starts to look like what it was supposed to be in the first place, a useful extra brain sat on top of the tools you already know and love.








