Microsoft has given Security Copilot away with E5. Not a trial, not a teaser — the actual thing, agents and all, folded into a licence you already own. For a product that until recently metered you by the hour like a particularly ambitious car park, this is a genuine shift. Here’s what the agents actually do, how the “free” is costed, and the two or three places where the small print earns its keep.
What just happened
Announced at Ignite 2025 and rolled out to E5 tenants through the spring of 2026, Microsoft Security Copilot is now included with Microsoft 365 E5 (and E7, which contains E5) at no additional cost. Previously this was a standalone purchase billed in Security Compute Units — SCUs — at four dollars an hour, which concentrated the mind wonderfully every time you asked it a question. Now eligible tenants are provisioned automatically, zero-click, with no Azure setup and no capacity to wrangle. If your tenant’s been activated, it’s simply there, waiting in Defender, Entra, Intune and Purview like a keen new starter who’s read all the documentation.
The allocation is the part to write down: 400 SCUs per month for every 1,000 paid E5 users, capped at 10,000 SCUs a month across the tenant. It’s “expected to support typical scenarios,” which is corporate for “fine until it isn’t.” More on that ceiling shortly.
The agents, and what they actually do
The headline isn’t the chat box — Security Copilot has had one of those for a while, and very useful it is for turning “summarise the last phishing incident involving this user and show me lateral movement” into an answer rather than an afternoon. The headline is the agents: purpose-built, semi-autonomous things that run on a schedule or a trigger and actually complete a task rather than just narrating one. A round dozen were announced; these are the ones you’ll meet first.
The Security Alert Triage Agent (formerly, and still, the Phishing Triage Agent) lives in Defender and does the job every SOC quietly loathes: sifting the flood of user-reported “is this phishing?” emails to separate genuine threats from the cautious soul who forwards every newsletter to security. It now stretches to identity and cloud alerts, and — crucially — shows its working, giving a transparent verdict rather than an oracular shrug. St. Luke’s University Health Network reportedly claws back nearly 200 hours a month with it. That’s not nothing; that’s most of an FTE freed from reading the same benign marketing email forty times.
The Conditional Access Optimization Agent in Entra is the one that’ll make identity teams sit up. It runs daily, watches for new users and apps that have slipped outside your Conditional Access policies, flags the gaps — users without MFA, apps with excessive permissions — and proposes fixes you can often apply with a single click. In Microsoft’s own productivity study, admins completed policy tasks 43% faster and 48% more accurately. Take the vendor’s numbers with the usual pinch, but the underlying job — stopping your CA policy from silently rotting as the estate changes around it — is exactly the sort of continuous, tedious vigilance humans are bad at and agents are built for.
The Vulnerability Remediation Agent in Intune continuously spots emerging vulnerabilities, builds a patching group, and expedites Windows patches — with, and this is the reassuring bit, admin approval before anything actually happens. Note carefully what it does not do: it does not apply patches to your environment on its own initiative. It builds the plan; you pull the trigger. Anyone who’s watched an automated patch tool enthusiastically reboot a production fleet will appreciate the restraint.
Over in Purview, the Data Security Triage Agents chew through Data Loss Prevention and Insider Risk alerts — the ones that arrive in their thousands and get triaged approximately never. One telecoms outfit ran 40,000 DLP alerts through it in ninety days and surfaced the critical 10% that actually warranted a human. If you’ve ever watched a DLP queue scroll past like the credits of a very long film nobody enjoyed, you’ll understand the appeal.
And the Threat Intelligence Briefing Agent assembles a tailored threat brief from Microsoft’s intelligence and your own environment’s exposure, on a schedule, in minutes rather than the hours-to-days a human analyst needs — by which point, as Microsoft rightly notes, the threat landscape has often moved on and the briefing is describing history. There’s also an Access Review Agent that lets reviewers approve or revoke access through natural language right inside Teams, which is either the future of access governance or the moment access reviews finally stop being ignored entirely. Possibly both.
The governance, which is better than you’d fear
Credit to Microsoft here, because the obvious nightmare — autonomous AI with a firehose of permissions, cheerfully changing things — has been thought about. Each agent runs under either a managed identity or a captured user, and it operates on-behalf-of: it inherits the permissions of whoever it’s acting as and cannot reach past that boundary. If the analyst can’t see a data source, neither can the agent. That’s the right design, though it does mean an over-permissioned service account behind an agent is now an over-permissioned autonomous account, which is a slightly larger thing to get wrong. Configure with care.
None of the six core agents takes an action that can’t be undone — they change incident and alert statuses, build plans, make recommendations. The reversible-by-design principle is genuinely reassuring. The agents also learn from feedback, storing it in memory to apply on future runs, and — because someone at Microsoft has clearly read a threat model — the administrator governs exactly who may feed that memory, precisely to stop a malicious or careless “actually, emails from this domain are always fine” from poisoning the well. That’s a thoughtful control, and it’s nice to report one without a caveat attached.
Now the small print, because there’s always small print
Return to that allocation: 400 SCUs per 1,000 users, capped at 10,000 a month. Here’s the sharp edge — the SCUs do not roll over. Use them or lose them, every month, like a gym membership you feel guilty about. And for now the inclusion is a hard cap: exhaust the monthly allowance and your analysts get throttled until the reset. This matters most at exactly the wrong moment. During a major incident, when you’re running agents hard and asking Copilot everything, you can burn through a month’s allocation faster than you’d like to discover. The tool that’s meant to help you in a crisis can quietly run out of road mid-crisis. Plan capacity for your worst week, not your average one.
Microsoft has signalled a future overage option at $6 per SCU on pay-as-you-go, with thirty days’ notice before it switches on. Which means the current “no overage billing” state is a temporary kindness, not a permanent feature. Enjoy the hard cap while it lasts, but budget as though the meter is coming — because it is.
A couple of further footnotes for the diligent. Partner-built agents from the Security Store may carry their own licensing from the partner, separate from your SCU allocation. Some agents have prerequisites that live outside E5 and aren’t covered by the inclusion. And Azure Logic Apps usage invoked from Copilot flows is billed as Logic Apps, not conjured free. The core Microsoft agentic experiences are the included bit; the ecosystem around them can still ring the till.
One more, for the already-committed: if you’re on E5 and still paying for separately provisioned SCUs, you’re very likely paying for something you now own. Don’t cancel that capacity before your tenant’s inclusion is actually activated — eligibility and activation are not the same event — but once it’s live, that standalone SCU line is a candidate for the chop.
The verdict from the security desk
This is, straightforwardly, a good deal — and it’s rare to type that about a licensing change without three qualifications. Removing the per-hour cost barrier is the single biggest thing holding most teams back from Security Copilot, and Microsoft has removed it. The agents target genuinely miserable, genuinely high-volume work — phishing triage, DLP queues, CA drift, vulnerability chasing — where “an AI that does the boring 90% and hands you the 10% that matters” is exactly the right division of labour. The governance model is more considered than the marketing gives it credit for, with reversible actions, on-behalf-of permissions and memory that can’t be trivially poisoned.
The honest cautions are three, and none of them is a dealbreaker: the SCU cap can bite hardest during an incident, the “free” has a metered future already scheduled, and — as with the Intune changes riding the same July price rise — a capability you’re entitled to but never configure is just a more expensive way of achieving nothing. Provisioned is not deployed. An agent that hasn’t been set up, scoped and pointed at a real workflow is a very clever thing doing absolutely nothing on your behalf.
So: turn it on, scope the agents properly, watch your SCU burn like you’d watch any other budget, and treat the autonomous identities with the respect you’d give any account that can change things while you sleep. Do that, and Security Copilot in E5 is one of the more useful things Microsoft has bundled in years. Which, from a security desk, is about as warm as the praise gets.
Gary Clarke is a CISO and the founder of IAM SME LTD. He remains professionally suspicious of anything described as “expected to support typical scenarios.”











