In This Article
Starting April 20, 2026, Microsoft is adding Security Copilot to every Microsoft 365 E5 license at no additional cost. The rollout runs through June 30, and your tenant gets a notification seven days before activation. Most IT directors at financial institutions have not heard about this yet.
This is not a minor feature toggle. Security Copilot brings AI-powered threat analysis, incident summarization, and agentic defense directly into Defender, Entra, Intune, and Purview. For credit unions, community banks, and mortgage companies running E5, this changes the security calculus overnight.
The catch: understanding how the compute allocation works, who actually gets access, and what costs might still appear on your Azure bill requires a closer look at the licensing model. We broke down the Microsoft Learn documentation, Message Center announcement MC1261596, and real-world deployment data so you can make informed decisions before your activation window opens.
What Security Copilot Actually Does
Security Copilot is Microsoft's AI-powered security assistant. It runs inside the tools your SOC team already uses: Microsoft Defender, Entra, Intune, and Purview. Instead of adding another dashboard to monitor, it layers AI directly into existing workflows.
At Ignite 2025, Microsoft introduced twelve purpose-built security agents that ship with the E5 inclusion. These agents handle tasks like phishing triage, incident summarization, Conditional Access optimization, vulnerability remediation, and access reviews. They operate within the permissions your team already has configured, never exceeding the scope of the user who invokes them.
The practical impact for a 200-seat credit union: your security analyst can ask Security Copilot to summarize a suspicious sign-in pattern, correlate it across Defender alerts, and generate a remediation plan. That used to require either deep Kusto query skills or a third-party SIEM consultant. Now it runs on natural language inside the tools you already pay for.
Why This Matters for Financial Institutions
The FFIEC Cybersecurity Assessment Tool expects institutions to demonstrate "automated threat detection and response capabilities" at the Evolving maturity level. Security Copilot's agentic features map directly to that requirement. For credit unions preparing for NCUA exams or community banks facing OCC scrutiny, having AI-assisted incident response built into your existing E5 license removes the "we can't afford it" objection from the conversation.
The SCU Pooling Model: How Microsoft Allocates Compute
Security Copilot runs on Security Compute Units (SCUs). Think of SCUs the way you think of SharePoint storage: your tenant gets a pool based on how many licenses you have, and everyone in the organization draws from that same pool.
The formula is straightforward: 400 SCUs per month for every 1,000 paid E5 licenses. The cap is 10,000 SCUs per month, which you hit at 25,000 users. For organizations with fewer than 1,000 licenses (that describes most ABT clients), the allocation scales proportionally.
Every query, every agent action, and every investigation consumes SCUs from that monthly pool. A typical prompt execution might use 3 SCUs over 40 seconds. An incident summarization might use 0.5 SCU over 10 seconds. Unlike the previous provisioned model where you paid $4 per SCU per hour whether you used it or not, the inclusion model only deducts what you actually consume.
"Customers with Microsoft 365 E5 and E7 will have 400 Security Compute Units (SCU) each month for every 1,000 paid user license, up to 10,000 SCUs each month at no additional cost. This amount scales by user license count, including for customers with fewer than 1,000 user licenses."
Two rules that matter for budget planning: SCU allocations reset monthly and do not roll over. Unused January SCUs disappear on February 1. Security workloads are spiky by nature, with quiet months followed by incident-heavy stretches, so plan accordingly.
Who Gets Access and How to Control It
The E5 inclusion is tenant-wide. Microsoft auto-provisions a "Default Security Copilot Capacity" in your tenant when activation happens. No Azure setup, no consent flows, no manual SCU provisioning required.
But "tenant-wide" does not mean "everyone gets it." Admins control who can use Security Copilot through Entra ID groups and security roles. When auto-provisioning completes, certain default roles inherit Security Copilot owner and contributor access: Global Administrator, Security Admin, Purview Compliance Admin, Intune Admin, and Message Center Reader.
For financial institutions, this granular access control matters. You probably do not want every employee running AI queries against your security data. The recommended approach: create a dedicated Entra ID security group for Security Copilot access, add your SOC analysts and security admins, and roll out incrementally.
Audit your Entra ID roles. Confirm who holds Global Admin, Security Admin, and Compliance Admin roles. These users will automatically receive Security Copilot access when your tenant activates. If any of those role assignments are stale or too broad, clean them up now.
Create a Security Copilot access group in Entra ID. Move beyond the default role assignments to explicit group membership. This gives you a single point of control for who can consume your SCU allocation, and it creates a clean audit trail for your next FFIEC or NCUA exam.
Scaling Examples for Financial Institutions
The proportional scaling makes Security Copilot viable even for small institutions. Here is how the allocation breaks down for typical ABT clients.
| Organization Size | E5 Licenses | Monthly SCU Allocation | Typical Use Case Coverage |
|---|---|---|---|
| Small credit union | 100 | 40 SCUs/month | Basic alert triage, occasional incident summaries |
| Mid-size credit union | 200 | 80 SCUs/month | Regular phishing triage, Conditional Access reviews |
| Community bank | 500 | 200 SCUs/month | Daily SOC workflows, vulnerability remediation |
| Regional bank | 1,000 | 400 SCUs/month | Full agentic defense across Defender, Entra, Purview |
| Large mortgage company | 2,000 | 800 SCUs/month | Heavy investigation workloads, custom agents, Sentinel scenarios |
Microsoft says the included capacity is "expected to support typical scenarios." For a 200-seat credit union, 80 SCUs per month should cover regular phishing triage and periodic incident investigation. Larger institutions with active SOC teams may find the allocation gets thin during heavy investigation periods.
Tier 1 Cloud Solution Provider (CSP) | ABT Partner Insight
Most of ABT's 750+ financial institution clients run E5 tenants with fewer than 500 seats. That 200-seat credit union getting 80 SCUs per month? We have already seen in early-access tenants that regular phishing triage and Conditional Access optimization agents consume roughly 30 to 50 SCUs per month at that scale. The allocation is sufficient for standard operations, but institutions should monitor usage through the Security Copilot dashboard during the first 60 days to establish a baseline.
Source: ABT internal deployment data from E5 early-access tenants, Q1 2026
What Is Not Included
Microsoft is clear about the boundaries. The E5 inclusion covers Security Copilot's core experiences: chat, promptbooks, and agentic scenarios across Defender, Entra, Intune, Purview, and the standalone portal. Developer tools like Agent Builder and Graph APIs are also included.
But several adjacent costs still apply.
Costs Not Covered by the E5 Inclusion
Microsoft Sentinel data lake compute and storage. If your Security Copilot workflows query Sentinel data, the SCU consumption is covered, but the underlying Sentinel ingestion and storage costs are billed separately through Azure.
Non-agentic Data Security Investigations in Purview. The standard agentic Purview experiences are included. The deeper, non-agentic investigation features require separate payment.
Azure Logic Apps triggered by Security Copilot. If you build automation workflows that Security Copilot agents kick off, the Logic Apps consumption appears on your Azure bill.
Third-party agent licensing. Partner-built agents from the Security Store may require a separate license from the partner. The SCU costs for running those agents are currently covered, but Microsoft notes this "might change in the future."
For most financial institutions running standard E5 workloads without Sentinel, the exclusion list is unlikely to create surprise bills. If you do run Sentinel, coordinate with your Azure administrator to track those costs separately.
Microsoft's official documentation describes the E5 inclusion as a tenant-level benefit. The SCU allocation is based on how many E5 licenses your organization owns. The default Security Copilot capacity is "shared across all users and experiences in the tenant." Access is controlled through Entra ID groups and security roles. Your admin assigns who can use Security Copilot by adding them to the appropriate group.
Security Copilot uses on-behalf-of authentication. It inherits the signed-in user's access scope, so the data Security Copilot can reach depends on what that user is authorized to see in Defender, Entra, Intune, and Purview. Think of it like SharePoint storage: your tenant gets a pool based on license count, and access is role-based.
How to Activate Before April 20
If your tenant was already using Security Copilot with E5 as of November 18, 2025, you may already have access. For everyone else, the phased rollout runs from April 20 through June 30, 2026, per Message Center announcement MC1261596.
You receive a notification seven days before your tenant activates, then a second notification on the activation date. After that, Security Copilot is live with zero-click activation.
Go to security.microsoft.com, then Settings, then Security Copilot. Check whether your tenant has received the activation notification. Also check the Microsoft 365 admin center Message Center.
Review who holds Global Admin, Security Admin, Purview Compliance Admin, and Intune Admin roles. These roles receive Security Copilot access by default. Clean up stale assignments.
Create a dedicated Entra ID security group for Security Copilot users. Start with your SOC team and security leads. Expand access after the first 30-day usage review.
Security Copilot accesses data permitted by existing roles and permissions. If your data governance policies have gaps, fix them before activation. Security Copilot never exceeds the invoking user's permissions, but broad permissions mean broad AI access.
After activation, track consumption through the in-product usage dashboard at the Security Copilot standalone portal. Establish a baseline during the first 60 days before making decisions about additional capacity.
How ABT's Guardian Stack Benefits
For ABT clients running Guardian's monitoring and hardening stack, Security Copilot adds a new layer to the security operations workflow.
Guardian already monitors 160+ Microsoft Secure Score controls across your tenant, with continuous compliance drift detection and zero-tolerance threat response that revokes sign-in sessions on any risk detection. Security Copilot complements this by giving analysts a natural language interface to investigate the alerts Guardian generates.
When Guardian flags a risky sign-in and automatically revokes the user's sessions, your analyst can then ask Security Copilot to summarize the incident, correlate it with other Defender alerts from the same time window, and draft a remediation report for your compliance team. That investigation workflow used to take 45 minutes of manual log correlation. With Security Copilot, it takes a prompt and a follow-up question.
The E7 connection is worth noting here. Microsoft 365 E7, which goes generally available on May 1, 2026, bundles E5 with Microsoft 365 Copilot, Agent 365, and the Entra Suite at $99 per user per month. E7 customers automatically get Security Copilot through the E5 component. For institutions evaluating the full Frontier Transformation stack, the security AI capabilities are already included.
Frequently Asked Questions
The phased rollout runs from April 20 through June 30, 2026, per Microsoft Message Center announcement MC1261596. Your tenant receives a notification seven days before activation and another on the activation date. No action is required on your end. E5 customers who were already using Security Copilot as of November 18, 2025, may already have access.
You receive 400 Security Compute Units per month for every 1,000 paid E5 licenses, up to 10,000 SCUs per month. The allocation scales proportionally for organizations with fewer than 1,000 licenses. A 200-seat credit union gets 80 SCUs per month. A 500-seat community bank gets 200 SCUs per month. Unused SCUs do not roll over to the next month.
As of April 2026, usage beyond the allocated SCUs is throttled. Analysts see an error message stating Security Copilot cannot respond due to high usage. Microsoft plans to offer pay-as-you-go overage at $6 per SCU, with 30-day advance notice before that option becomes available. Overage billing is not yet active for the E5 inclusion model.
No. Security Copilot works with Defender, Entra, Intune, and Purview without Sentinel. If you do use Sentinel, Security Copilot can run scenarios against your Sentinel data using your included SCU allocation. However, the Sentinel data lake compute and storage costs are billed separately through Azure.
Yes. Microsoft's documentation explicitly addresses Managed Service Providers. If an MSP is an E5 customer using Security Copilot to manage the security of a client, that client no longer needs separate Security Copilot billing. ABT, as a Tier 1 CSP, can help configure, monitor, and optimize Security Copilot as part of your managed services relationship.
Get Security Copilot Configured Before Your Activation Window Opens
ABT's Security Copilot readiness review includes:
- E5 license verification and SCU allocation confirmation
- Entra ID role audit and Security Copilot access group setup
- Data governance review to ensure AI access aligns with compliance requirements
- 60-day SCU usage monitoring plan with baseline reporting
