Authentication in Microsoft Security Copilot

By Ashwin Venugopal -

 




Introduction

Copilot uses active Microsoft plugins to access security-related data on behalf of authentication. To access the Security Copilot platform, a group or individual must be assigned specific Security Copilot roles. 
  • Security Copilot RBAC roles are not Microsoft Entra roles. Security Copilot roles are defined and managed within Copilot and only grant access to Security Copilot features.

  • Microsoft Entra RBAC grants access across Microsoft portfolio of products including services that contain security data. These roles are managed through the Microsoft Entra admin center. 

  • Azure RBAC controls access to Azure resources like Security Capacity Units (SCU) in a resource group, or Microsoft Sentinel enabled workspaces. 

Access Security Copilot platform

Configure Security Copilot RBAC to control user access to the Security Copilot platform once Security Copilot has been onboarded. Next, use conditional access policies to further strengthen the security coverage. 
  • Security Copilot roles- Security Copilot introduces two role that aren't Microsoft Entra ID roles but work similarly to access groups. Rather, they do not grant access to security data on their own; they only manage access to the Security Copilot platform's capabilities. These roles are Copilot owner and Copilot contributor. 

  • Microsoft Entra roles- The Microsoft Entra roles called Security Administrator and Global Administrator automatically inherit Copilot owner access ensuring Security Copilot always has at least one owner. Global Administrator has built-in protections against removal. 

  • Recommended roles- The recommended Microsoft Security roles group, which employs a balanced approach to security and administrative efficiency, can grant access to Security Copilot. This bundle grants contributor access to the Security Copilot platform to users who already have security permissions via Microsoft Entra roles. Before adding the suggested security roles, remove the Everyone group if it is assigned. 

Access the capabilities of Microsoft plugins

Security Copilot adheres to Microsoft's Security and Privacy RAI principle by not extending one's access. Every Microsoft plugin has unique role requirements that must be met in order to access the service and data of the plugin. To utilize the features of the activated Microsoft plugins, ensure that the appropriate roles and licenses assigned. 

Access embedded experiences

Besides the Copilot contributor role, verify the requirements for each Security Copilot embedded experience to understand what extra roles and licenses are required. 

Multitenant

Security Copilot can support authentication across tenants if a company has more than one tenant. This allows tenants to access security data where Security Copilot is installed. The security analyst does not have to log in from the same tenant as the one that is provisioned for Security Copilot. 

Preinstalled plugin authentication

More setup is needed for preinstalled plugins like Azure AI Search and Microsoft Sentinel. The type of authentication is decided by the plugin provider. Every plugin that has a gear or Set up button is customized for each user. All users who have access to a preinstalled plugin set it up for themselves, regardless of whether it is restricted. 

Conclusion 

The process of authentication in Microsoft Security Copilot is understood with the help of above points.

 








































Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 3, please click  here Microsoft Sentinel Content Hub Content in Microsoft Sentinel includes any of the following types: Data connectors offer log ingestion from different sources into Microsoft Sentinel. Parsers give log formatting/transformation into ASIM formats, supporting usage across various Microsoft Sentinel content types and scenarios. Workbooks provide monitoring, visualization, and interactively with data in Microsoft Sentinel, highlighting meaningful insights for users.  Analytics rules give alerts that point to relevant SOC actions via incidents.  Hunting Queries are used by SOC teams to proactively hunt for threats in Microsoft Sentinel. Notebooks help SOC teams in using advanced hunting features in Jupyter and Azure Notebooks. Watchlists support the ingestion of specific data for enhanced threat detection and reduced alert fatigue.  Playbooks and Azure Logic Apps Custom Connectors provide featu...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more