Grant partners access to Microsoft Copilot for Security
If you're working with a Microsoft Managed Security Solution Provider (MSSP), you can grant them access to your Microsoft Copilot for Security capabilities. When you grant an MSSP access, they're able to sign in and use Copilot for Security just like your security team.
There are two ways to allow a partner to manage your Microsoft Copilot for Security.
GDAP
Approve your partner to gain Copilot for Security permissions for your tenant. They assign a security group the permissions needed using Granular Delegated Admin Privileges (GDAP).
B2B collaboration
Set up guest accounts for individuals from your MSSP to log into your tenant.
There are tradeoffs for both methods. Use the following table to help decide which method is best for your organization. It's possible to mix both methods for an overall partner strategy.
Consideration | GDAP | B2B collaboration |
---|---|---|
How is time-bound access implemented? | Access is time-bound by default and built into the permission approval process. | Privileged Identity Management (PIM) with time-bound access is possible, but must be maintained by the customer. |
How is least-privileged access administered? | GDAP requires security groups. A list of the least-privileged roles needed guides the setup. | Security groups are optional and are maintained by the customer. |
What plugins are supported? | Only a partial set of plugins is supported. | All plugins available to the customer are available to the partner. |
What is the immersive login experience? | The tenant ID must be manually added to the Copilot for Security URL. | Use the tenant switch selection from the user interface. |
What is the embedded experience? | Supported, with Service Management links to facilitate access. | Supported normally. |
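The table notes that with B2B collaboration, time-bound and least-privileged access is the customer's responsibility to maintain. The following script, added here as an example and not part of the original article, lists guest accounts that hold the Security Reader or Security Operator directory roles so the customer can review partner access on a schedule. It assumes the Microsoft Graph PowerShell SDK is installed and the caller holds a role permitted to read directory roles and users.

```powershell
# Added example: audit guest (B2B) accounts holding Copilot for Security-relevant roles.
# Assumes the Microsoft Graph PowerShell SDK; role names are the ones named in the article.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All"

$roleNames = @("Security Reader", "Security Operator")

$report = foreach ($name in $roleNames) {
    # Get-MgDirectoryRole only returns roles that have been activated in the tenant.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$name'"
    if (-not $role) { continue }

    # Only active assignments are listed here; PIM-eligible assignments are not members
    # until activated, so review those separately in the PIM blade.
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Role members can be users, groups or service principals; keep users only.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id `
            -Property Id,DisplayName,Mail,UserType,CreatedDateTime,ExternalUserState
        if ($user.UserType -ne 'Guest') { continue }

        [pscustomobject]@{
            Role         = $name
            DisplayName  = $user.DisplayName
            Mail         = $user.Mail
            InviteState  = $user.ExternalUserState   # PendingAcceptance or Accepted
            GuestSince   = $user.CreatedDateTime
            DaysInTenant = [int]((Get-Date) - $user.CreatedDateTime).TotalDays
        }
    }
}

# Oldest guest assignments first: these are the ones most likely to have outlived the engagement.
$report | Sort-Object DaysInTenant -Descending | Format-Table -AutoSize
```

Guests still in PendingAcceptance state long after the invitation, or guests whose engagement has ended, are candidates for removal from the role or deletion.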
GDAP
GDAP allows your partner to set up access with least-privileged and time-bound access explicitly granted by the Copilot for Security customer. The access is assigned to a security group which reduces the administrative burden for both the customer and the partner.
For more information, see Introduction to GDAP.
Here's the current matrix of Copilot for Security plugins that support GDAP:
Copilot for Security plugin | Supports GDAP |
---|---|
Defender External Attack Surface Management | No |
Entra | Overall, no, but a few capabilities work. |
Intune | Yes |
MDTI | No |
Microsoft 365 Defender | Yes |
NL2KQL Defender | Yes |
NL2KQL Sentinel | No |
Sentinel | No |
For more information, see Workloads supported by GDAP.
Step 1 - GDAP relationship
The partner sends a GDAP request to their customer. Follow the instructions in this article, Obtain permissions to manage customer. Keep in mind the Entra roles required to access Copilot for Security portal and plugins. For more information, see Understand authentication.
The customer approves the GDAP request from the partner. Follow the instructions in this article, Customer approval.
Step 2 - Partner assigns security group permissions
The partner creates a security group and assigns the approved permissions to the group. Follow the instructions in this article, Assign Microsoft Entra roles.
Step 3 - Partner accesses Copilot for Security
A partner account that is a member of the partner security group holding the approved role must use a tenant-explicit URL, because the tenant switch setting in the UI doesn't recognize GDAP credentials.
Change the URL to match the customer tenant. For example: https://securitycopilot.microsoft.com/?tenantId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
B2B collaboration
This method of access invites individual partner accounts as guests to the customer tenant to operate Copilot for Security.
Step 1 - Set up a guest account for your MSSP
Note
To perform the procedures described in this option, you must have an appropriate role, such as User Administrator or Billing Administrator, assigned in Microsoft Entra.
1. Go to the Microsoft Entra admin center and sign in.
2. Go to Identity > Users > All users.
3. Select New user > Invite external user, and then specify settings for the guest account.
4. On the Basics tab, fill in the user's email address, display name, and a message if you want to include one. (You can optionally add a Cc recipient to receive a copy of the email invitation.)
5. On the Properties tab, in the Identity section, fill in the user's first and last name. (You can optionally fill in any other fields you want to use.)
6. On the Assignments tab, select + Add role. Scroll down, and select either Security Operator or Security Reader.
7. On the Review + invite tab, review your settings. When you're ready, select Invite.
The MSSP receives an email with a link to accept the invitation to join your tenant as a guest.
Tip
To learn more about setting up a guest account, see Invite an external user.
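The same guest setup can be scripted when you onboard several MSSP analysts. The following script is an added example, not code from the original article: it sends the B2B invitation and assigns the least-privileged role from the procedure above through Microsoft Graph PowerShell. It assumes the Graph SDK is installed and the caller holds User Administrator or an equivalent role; the guest's email address, display name and message are placeholders.

```powershell
# Added example: invite one MSSP analyst as a guest and assign Security Reader.
# Assumes the Microsoft Graph PowerShell SDK; all guest details below are placeholders.
Connect-MgGraph -Scopes "User.Invite.All", "RoleManagement.ReadWrite.Directory"

$guestEmail  = "analyst@mssp.example"   # placeholder
$guestName   = "MSSP Analyst (guest)"   # placeholder
$roleToGrant = "Security Reader"        # use "Security Operator" only if the MSSP must take actions

# Step 1: send the B2B invitation. The redirect URL is where the guest lands after
# accepting; the Copilot for Security portal from the article is used here.
$invitation = New-MgInvitation `
    -InvitedUserEmailAddress $guestEmail `
    -InvitedUserDisplayName  $guestName `
    -InviteRedirectUrl       "https://securitycopilot.microsoft.com" `
    -SendInvitationMessage:$true `
    -InvitedUserMessageInfo  @{ CustomizedMessageBody = "Invitation for Copilot for Security access." }

$guestId = $invitation.InvitedUser.Id

# Step 2: a directory role must be activated from its template before members can be added.
$role = Get-MgDirectoryRole -Filter "displayName eq '$roleToGrant'"
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq $roleToGrant
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

# Step 3: add the guest to the role (the same outcome as the Assignments tab in the portal).
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$guestId" }

"Invited $guestEmail (object id $guestId) with role $roleToGrant; invitation status: $($invitation.Status)"
```

The invitation status stays PendingAcceptance until the analyst follows the link in the email described in Step 2 below.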
Step 2 - Notify your MSSP
After you have set up a guest account for your MSSP, you're ready to notify them that they can now use your Copilot for Security capabilities.
Tell your MSSP to look for an email notification from Microsoft. The email contains details about their user account and includes a link they must select to accept the invitation.
Your MSSP can access Copilot for Security by visiting securitycopilot.microsoft.com and signing in using their email account.
Share the following articles to help your MSSP get started using Copilot for Security:
Technical support
Currently, if your MSSP has questions and needs technical support for Copilot for Security, you (as an admin for your organization) should contact support on the MSSP's behalf.