How to Connect Microsoft Security Agents to Security Copilot
Microsoft Security Copilot uses advanced security agents that analyze threats, correlate signals, and automate investigation tasks. To use it effectively, you must install the required components and configure permissions, data sources, and plugins. Follow the steps below for a complete setup.
Table of contents
How to install Microsoft Security Copilot
Check subscription requirements
Before setting up Security Copilot, confirm that your tenant meets all licensing and role requirements.
- Sign in to the Microsoft 365 Admin Center.

- Confirm that your tenant has Security Copilot licensing.
- Verify that you have Global Admin or Security Admin permissions.
- Ensure your tenant uses Entra ID and that Defender services are active.
You can review how Microsoft security components work here: Windows 11 security overview
Enable Security Copilot in the admin portal
After verifying requirements, activate Security Copilot inside the Microsoft Security portal.
- Go to security.microsoft.com.
- Open Settings.
- Select Security Copilot.
- Enable Security Copilot for the tenant.
- Assign access to the users or groups who will use it.
Install Security Copilot plugin tools
Install the Copilot interface tools to access the service from your browser.
- Open the Microsoft 365 Apps portal.
- Install the Security Copilot extension for Edge or a supported browser.
- Sign in with your work account.
- Verify that the Copilot icon appears in the Microsoft Security portal.
Connect Defender and Sentinel signals
Security Copilot relies on incoming security signals for analysis and guidance.
- Open the Microsoft Security portal.

- Select Settings.
- Open Data connectors.
- Connect Microsoft Defender XDR, Microsoft Sentinel, and Entra ID logs.
- Confirm that log ingestion is active.
For deeper configuration details, check: Windows Defender settings explained
How to configure Microsoft Security Copilot
Configure access control
Role based access ensures only approved users manage or use Copilot features.
- Go to the Entra ID admin center.

- Open Roles and administrators.
- Assign Global Administrator, Security Administrator, or Security Reader.
- Apply Conditional Access policies if needed.
Configure Security Copilot plugins
Plugins allow Copilot to access Defender, Sentinel, Purview, and Intune data.
- Open the Microsoft Security portal.
- Select Copilot.
- Open Plugin settings.

- Enable the plugins required for your workflows.
- Save changes.
Set up incident response automations
Automations help Copilot guide investigations and apply recommended actions.
- Open Microsoft Defender XDR.
- Select Automation.
- Create a new automation rule.
- Add actions such as device isolation or email remediation.
- Enable AI assisted guidance.
- Save the rule.
Configure security agent telemetry
Telemetry ensures Copilot receives complete endpoint data for analysis.
- Open the Microsoft 365 Defender portal.
- Select Settings.
- Open Device configuration.
- Enable advanced telemetry.
- Verify that devices report correctly.
General device security settings can also be reviewed here: How to use Windows Security
Customize Security Copilot scenarios
Scenario Builder helps teams standardize investigations and responses.
- Open Security Copilot in the Microsoft Security portal.
- Select Scenario builder.
- Create scenarios such as phishing or identity compromise.
- Add required data sources and investigation steps.
- Save the scenario for team use.
FAQs
They gather signals from Defender, Sentinel, and Entra ID, then feed the AI engine for analysis and guidance.
No. Copilot is cloud based and only requires licensing and portal access.
No. Copilot enhances Defender by adding AI supported investigation and response.
No, but Sentinel improves the quality of signals used for AI analysis.
When fully installed and configured, Microsoft Security Copilot becomes a powerful AI driven tool for threat investigation, detection, and automated response. By enabling the correct plugins, connecting Defender and Sentinel telemetry, and assigning proper access roles, your organization gains faster insights and stronger protection across all endpoints.
Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more
User forum
0 messages