Grant partners access to Microsoft Copilot for Security

If you're working with a Microsoft Managed Security Solution Provider (MSSP), you can grant them access to your Microsoft Copilot for Security capabilities. When you grant an MSSP access, they're able to sign in and use Copilot for Security just like your security team.

There are two ways to allow a partner to manage your Microsoft Copilot for Security.

  1. GDAP
    Approve your partner to gain Security Copilot permissions for your tenant. They assign a security group the permissions needed using Granular Delegated Admin Privileges (GDAP).

  2. B2B collaboration
    Set up guest accounts for individuals from your MSSP to log into your tenant.

There are tradeoffs for both methods. Use the following table to help decide which method is best for your organization. It's possible to mix both methods for an overall partner strategy.

Consideration GDAP B2B collaboration
How is time-bound access implemented? Access is time-bound by default and built into the permission approval process. Privileged Identity Management (PIM) with time-bound access is possible, but must be maintained by the customer.
How is least-privileged access administered? GDAP requires security groups. A list of least-privileged roles needed guides the setup. Security groups are optional, and maintained by customer.
What plugins are supported? A partial set of plugins are supported. All plugins available for the customer are available to the partner.
What is the immersive login experience? The tenant ID must be manually added to the Security Copilot URL. Use the tenant switch selection from the user interface.
What is the embedded experience? Supported, with Service Management links to facilitate access. Supported normally.

GDAP

GDAP allows your partner to set up access with least-privileged and time-bound access explicitly granted by the Security Copilot customer. The access is assigned to a security group which reduces the administrative burden for both the customer and the partner.

For more information, see Introduction to GDAP.

Here's the current matrix of Security Copilot plugins that support GDAP:

Security Copilot plugin Supports GDAP
Defender External Attack Surface Management No
Entra Overall, no, but a few capabilities work.
Intune Yes
MDTI No
Microsoft 365 Defender Yes
NL2KQL Defender Yes
NL2KQL Sentinel No
Sentinel No

For more information, see Workloads supported by GDAP.

Step 1 - GDAP relationship

  1. The partner sends a GDAP request to their customer. Follow the instructions in this article, Obtain permissions to manage customer. Keep in mind the Entra roles required to access Security Copilot portal and plugins. For more information, see Understand authentication.

  2. The customer approves the GDAP request from the partner. Follow the instructions in this article, Customer approval.

Step 2 - Partner assigns security group permissions

The partner creates a security group and assigns the approved permissions to the group. Follow the instructions in this article, Assign Microsoft Entra roles.

Step 3 - Partner accesses Security Copilot

  1. The partner account with membership to the partner security group assigned the approved role must use a tenant-explicit URL. The tenant switch setting in the UI doesn't recognize GDAP credentials.

  2. Change the URL to match the customer tenant. For example, https://securitycopilot.microsoft.com/?tenantId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

B2B collaboration

This method of access invites individual partner accounts as guests to the customer tenant to operate Security Copilot.

Step 1 - Set up a guest account for your MSSP

Note

To perform the procedures described in this option, you must have an appropriate role, such as User Administrator, or Billing Administrator, assigned in Microsoft Entra.

  1. Go to the Microsoft Entra admin center and sign in.

  2. Go to Identity > Users > All users.

  3. Select New user > Invite external user, and then specify settings for the guest account.

    1. On the Basics tab, fill in the user's email address, display name, and a message if you want to include one. (You can optionally add a Cc recipient to receive a copy of the email invitation.)

    2. On the Properties tab, in the Identity section, fill in the user's first and last name. (You can optionally fill in any other fields you want to use.)

    3. On the Assignments tab, select + Add role. Scroll down, and select either Security Operator or Security Reader.

    4. On the Review + invite tab, review your settings. When you're ready, select Invite.

      The MSSP receives an email with a link to accept the invitation to join your tenant as a guest.

Tip

To learn more about setting up a guest account, see Invite an external user.

Step 2 - Notify your MSSP

After you have set up a guest account for your MSSP, you're ready to notify them that they can now use your Copilot for Security capabilities.

  1. Tell your MSSP to look for an email notification from Microsoft. The email contains details about their user account and includes a link they must select to accept the invitation.

  2. Your MSSP can access Copilot for Security by visiting securitycopilot.microsoft.com and signing in using their email account.

  3. Share the following articles to help your MSSP get started using Copilot for Security:

Technical support

Currently, if your MSSP has questions and needs technical support for Security Copilot, you (as an admin for your organization) should contact support on the MSSP's behalf.