Edit

Share via

Grant partners access to Microsoft Security Copilot

  • Article

If you're working with a Microsoft Managed Security Solution Provider (MSSP), ensure they access your Security Copilot capabilities only when you grant them access. Configuring Granular Delegated Admin Privileges (GDAP) is the best way to secure partners to work with all the advantages Copilot for Security brings, just like your security team.

There are two ways to allow a partner to manage your Security Copilot.

  1. GDAP (recommended)
    Approve your MSSP to gain Security Copilot permissions for your tenant. They assign a security group the permissions needed using Granular Delegated Admin Privileges (GDAP).

  2. B2B collaboration
    Set up guest accounts for individuals from your partner to log into your tenant.

There are tradeoffs for both methods. Use the following table to help decide which method is best for your organization. It's possible to mix both methods for an overall partner strategy.

Consideration GDAP B2B collaboration
How is time-bound access implemented? Access is time-bound by default and built into the permission approval process. Privileged Identity Management (PIM) with time-bound access is possible, but must be maintained by the customer.
How is least-privileged access administered? GDAP requires security groups. A list of least-privileged roles needed guides the setup. Security groups are optional, and maintained by customer.
What plugins are supported? A partial set of plugins are supported. All plugins available for the customer are available to the partner.
What is the standalone login experience? The MSSP uses Service management to seamlessly log into Security Copilot for the appropriate tenant. Use the tenant switch selection from the Security Copilot setting.
What is the embedded experience? Supported, with Service management links to facilitate access. Supported normally.

GDAP

GDAP allows an MSSP to set up least-privileged and time-bound access explicitly granted by the Security Copilot customer. Only MSSPs registered as a Cloud Solution Partner (CSP) are allowed to manage Security Copilot. Access is assigned to an MSSP security group which reduces the administrative burden for both the customer and the partner. An MSSP user is assigned the appropriate role and security group to manage the customer.

For more information, see Introduction to GDAP.

Here's the current matrix of Security Copilot plugins that support GDAP:

Security Copilot plugin Supports GDAP
Defender External Attack Surface Management No
Entra Overall, no, but a few capabilities work.
Intune Yes
MDTI No
Defender XDR Yes
NL2KQL Defender Yes
NL2KQL Sentinel No
Purview Yes
Sentinel No

For more information, see Workloads supported by GDAP.

GDAP relationship

  1. The MSSP sends a GDAP request to their customer. Follow the instructions in this article, Obtain permissions to manage customer. For best results, the MSSP should request Security reader and Security operator roles to access Security Copilot platform and plugins. For more information, see Understand authentication.

  2. The customer approves the GDAP request from the partner. For more information, see Customer approval.

Security group permissions

  1. The MSSP creates a security group and assigns it the approved permissions. For more information, see Assign Microsoft Entra roles.

  2. The customer adds the roles the MSSP requested to the appropriate Security Copilot role (Copilot owner or copilot contributor). For example, if the MSSP requested Security operator permissions, the customer adds that role to the Copilot contributor role within Security Copilot. For more information, see Assigning Security Copilot roles.

MSSP Security Copilot access

  1. The MSSP user account needs membership to the partner security group assigned and an approved role to connect to a customer's Security Copilot.

  2. The MSSP has a Service management page that allows seamless connection to approved customer workloads. For example, the following image shows what an MSSP user can administer for their customer Tailspin Toys.

    Screenshot showing partner center service management screen highlighting Security Copilot link.

  3. Validate the URL matches the customer tenant. For example, https://securitycopilot.microsoft.com/?tenantId=aaaabbbb-0000-cccc-1111-dddd2222eeee.

B2B collaboration

This method of access invites individual partner accounts as guests to the customer tenant to operate Security Copilot.

Set up a guest account for your partner

Note

To perform the procedures described in this option, you must have an appropriate role, such as User Administrator, or Billing Administrator, assigned in Microsoft Entra.

  1. Go to the Microsoft Entra admin center and sign in.

  2. Go to Identity > Users > All users.

  3. Select New user > Invite external user, and then specify settings for the guest account.

    1. On the Basics tab, fill in the user's email address, display name, and a message if you want to include one. (You can optionally add a Cc recipient to receive a copy of the email invitation.)

    2. On the Properties tab, in the Identity section, fill in the user's first and last name. (You can optionally fill in any other fields you want to use.)

    3. On the Assignments tab, select + Add role. Scroll down, and select either Security Operator or Security Reader.

    4. On the Review + invite tab, review your settings. When you're ready, select Invite.

      The partner receives an email with a link to accept the invitation to join your tenant as a guest.

Tip

To learn more about setting up a guest account, see Invite an external user.

B2B Security Copilot access

After you have set up a guest account for your partner, you're ready to notify them that they can now use your Security Copilot capabilities.

  1. Tell your partner to look for an email notification from Microsoft. The email contains details about their user account and includes a link they must select to accept the invitation.

  2. Your partner accesses Security Copilot by visiting securitycopilot.microsoft.com and signing in using their email account.

  3. The partner uses the tenant switch feature to ensure they are accessing the appropriate customer. For example, the following image shows a partner from Fabrikam using their credentials to work in Security Copilot for their customer, Contoso.

    Screenshot showing tenant switch setting.
    Alternatively, set the tenant id directly in the URL, for example,
    https://securitycopilot.microsoft.com/?tenantId=aaaabbbb-0000-cccc-1111-dddd2222eeee.

  4. Share the following articles to help your MSSP get started using Security Copilot:

Technical support

Currently, if your MSSP or partner has questions and needs technical support for Security Copilot outside of the partner center, the customer organization should contact support on the MSSP's behalf.