Microsoft has announced the inclusion of Security Copilot, its AI-powered cybersecurity assistant, at no additional cost for all Microsoft 365 E5 customers.
This strategic initiative is designed to:
- broaden access to AI-driven security solutions
- improve operational efficiency
- help address the global shortage of cybersecurity professionals.
While this integration offers great benefits such as predictable costs and streamlined workflows, it also raises important considerations regarding governance and capacity constraints.
This article examines the features, implications, expert perspectives, and the respective advantages and disadvantages of this development.
Microsoft’s big move
At Microsoft Ignite 2025, Microsoft announced that Security Copilot will now be included at no extra cost for all Microsoft 365 E5 customers. What is Security Copilot? This AI-powered security tool is integrated into Defender, Entra, Intune, and Purview, providing ‘agentic defense’ across enterprise operations.
The rollout started on November 18, 2025, for current users and will expand to all E5 tenants in the coming months, with organisations receiving a 30-day advance notice before activation.
What’s included (features and capacity)
Microsoft’s Security Copilot extends generative AI into security operations through agent workflows that integrate across Microsoft Defender, Microsoft Entra, Microsoft Intune and Microsoft Purview.
Key capabilities Microsoft highlights include:
- AI-assisted incident investigation and triage: Accelerate analysis by surfacing related alerts, evidence, and likely root causes.
- Agent-driven automation: Prebuilt agents that can run routine workflows (phishing triage, threat intelligence enrichment, device containment).
- Integrated playbooks and guided response: Prescriptive steps produced by Copilot, linked to the customer’s telemetry and controls.
- Context-aware threat hunting and summarisation: Natural-language summaries, timelines, and recommended remediation actions.
- Integration with Entra ID to support Zero Trust posture: Proactive remediation of risky users, optimisation of Conditional Access policies, streamlined access reviews, and application lifecycle management.
Capacity allocation for E5 tenants: To bridge the gap between the per-user licensing of Microsoft 365 E5 and the consumption-based model of Security Copilot, Microsoft is providing an allotment of Security Compute Units (SCUs) as part of the E5 entitlement.
Each Microsoft 365 E5 subscription receives 400 SCUs per month per 1,000 paid user licenses, scaled up to a maximum allocation of 10,000 SCUs per month at no additional cost. If an organisation exceeds this monthly capacity, it will have the option to pay for scaling beyond the allocated amount on a pay-as-you-go basis, priced at an estimated rate of $6 per SCU.
In addition, Microsoft is expanding the ecosystem with 12 new Microsoft-built agents and 30+ partner agents, covering tasks from phishing triage to identity cleanup and data risk remediation.
What does this mean for existing E5 customers and customers who already purchased Security Copilot?
If you have Microsoft 365 E5, Security Copilot will be gradually added to your tenant through phased activation. Customers with E5 who were already using Security Copilot were prioritised and began getting access on November 18, 2025.
Those who previously bought Security Copilot as an add-on will receive the same benefit, according to Microsoft’s guidance, but may need to handle their licensing and usage entitlements separately. Paid capacity and billing agreements will remain in place until Microsoft finishes adjusting the tenant level. Admins can control agent access by managing Entra ID group memberships.
Why Microsoft is making this move
Countering AI-driven adversaries: Microsoft is directly addressing the escalating threat landscape in which attackers leverage AI to automate sophisticated threats. By embedding AI defense deep into the platform, it positions the Microsoft Security stack as the only platform capable of defending "at the speed and scale of AI."
Bolstering the E5 Ecosystem: The inclusion significantly enhances the perceived and actual value of the M365 E5 suite. This move makes the E5 license a near-mandatory investment for large enterprises seeking maximum security and compliance coverage, making it harder for competitors to displace.
Solving the talent gap: With over four million cybersecurity roles unfilled globally, Copilot acts as an AI force multiplier. Early data supports this: SOC analysts using Copilot have reported detecting phishing attempts up to 550% faster, allowing human teams to shift focus from manual "firefighting" to strategic resilience.
Expert reactions and market context
Independent analyst commentary has been mixed but leans positive on the potential ROI of Copilot-style tools, while warning about operational readiness and governance.
Forrester and other research groups have signaled the opportunity for Copilot and Copilot for Security to drive partner-led growth and efficiency gains in SOC operations, while Gartner and anecdotal surveys have highlighted concerns about deployment delays, oversharing risk, and measurement of real-world ROI.
Many partners welcome the bundling as it lowers the barrier to trial and should expand the installed base that partners can service.
Advantages for customers
- Reduced incremental cost: E5 customers gain access without an extra per-seat SKU for baseline capacity.
- Faster time-to-value: Prebuilt agents and integrations reduce the configuration and pilot lift for SOCs.
- Seamless integration: Agents work across Defender, Entra, Intune and Purview, reducing data friction.
- Partner enablement: System integrators and MSSPs can more easily include Copilot workflows in managed services.
Disadvantages and considerations
- Capacity limits: The included SCUs are finite (400 SCU per 1,000 users up to 10,000 SCU) and may not meet large or high-throughput environments without additional purchases.
- Governance and control: Organisations must ensure sensitivity labels, permissions and retention policies are correctly applied to avoid oversharing or inaccurate outputs.
- Operational maturity: SOCs must adapt playbooks, staff skills and change management to fully benefit from agentic automation.
- Lock-in and ecosystem reliance: Deeper dependence on Microsoft telemetry and tooling could make multi-vendor strategies more difficult.
Practical advice for customers
- Inventory current usage: Measure Defender and Entra telemetry volumes and estimate Security Compute Unit consumption against expected agent usage.
- Pilot with representative workloads: Use the included SCUs on lower-risk tenants or a proof-of-concept before broad enablement.
- Review governance controls: Confirm sensitivity labels, data access, and retention are in place to reduce oversharing risks.
- Engage partners: Leverage MSSPs and SI partners to configure agents and manage scale if internal skills are limited.
What this integration represents
The integration of Security Copilot into Microsoft 365 E5 represents a strategic enhancement to baseline security automation for large enterprise clients. While this inclusion lowers barriers to adoption, organisations must assess the provided capacity in relation to their operational requirements and governance frameworks.
For numerous organisations, this advancement is expected to enhance AI-driven threat detection and response capabilities. However, maximising these benefits will necessitate comprehensive planning, pilot testing, and assessment of possible increases in resource consumption.
Licensing FAQ: Security Copilot and Microsoft 365 E5
1. Is Security Copilot now automatically included with Microsoft 365 E5?
Yes. Microsoft announced that Security Copilot is being added to Microsoft 365 E5 at no additional seat-based cost. The rollout is phased, and tenants receive a 30‑day notification before activation.
2. Do I need to purchase a separate Security Copilot license if I already have Microsoft 365 E5?
No. Baseline Security Copilot access and compute capacity are included with Microsoft 365 E5. However, tenants that exceed their included SCU allocation may still need to purchase additional capacity.
3. What is the included capacity for Security Copilot under M365 E5?
Microsoft provides 400 Security Compute Units (SCU) per 1,000 paid Microsoft 365 E5 users, up to a maximum of 10,000 SCU per tenant per month.
4. What happens if my organisation exceeds its included SCU capacity?
You can purchase additional SCUs as consumption-based add‑ons. This allows larger SOCs or high-volume investigation environments to scale beyond the included capacity.
5. I already purchased the Security Copilot add‑on SKU. What happens to my existing subscription?
Your existing paid SKU remains valid. Microsoft indicates customers will retain existing entitlements, and any paid capacity will continue to apply. As tenant-level adjustments roll out, your licensing provider may advise you on reconciliations or transitions.
6. Do GCC, GCC High, or DoD tenants receive Security Copilot as part of E5?
According to the latest Microsoft communications, sovereign clouds, namely Government Community Cloud (GCC), GCC High (US federal agencies and contractors handling controlled unclassified information) and the Department of Defense cloud (DoD), have different timelines and may not yet have Security Copilot included. Microsoft has indicated that availability for these environments will be announced later, as compliance and regulatory requirements often delay feature parity.
7. Do I need to enable anything manually to begin using Security Copilot?
Admins must assign Security Copilot access via Entra ID groups. Agent features may also require configuration depending on the Defender, Entra, Intune, or Purview integration.
8. Does this change affect Microsoft 365 E3 customers?
No. Security Copilot is included only with Microsoft 365 E5. E3 customers may still access Security Copilot through separate paid consumption or upgrades.
9. Will Copilot for Security replace existing Defender or Sentinel licensing?
No. Security Copilot is an AI layer that enhances investigation and response. It does not replace Defender plans, Sentinel billing, or underlying telemetry ingestion models.
10. How can customers estimate their SCU needs?
Microsoft recommends reviewing historic incident volumes, alert investigations, threat hunting activity, and expected use of automated agents. Pilot testing is the most accurate method to project capacity requirements.