With the July 2026 Microsoft 365 pricing update, Microsoft Security Copilot has moved from a separate, explicitly purchased product into something that all Microsoft 365 E5 customers now receive an allocation of as part of their subscription. From July 2026, E5 customers receive 400 Security Compute Units per 1,000 licensed users per month, with additional consumption billed separately through Azure. This is a genuinely significant product development, and it changes the commercial conversation around Security Copilot from whether to evaluate it to how to manage what has effectively become a default inclusion.
But the Security Compute Unit model is one of the more unusual commercial mechanisms in the Microsoft portfolio, and organisations that simply switch on Security Copilot without understanding how SCUs are consumed and what happens when the included allocation is exhausted are setting themselves up for billing surprises that arrive through Azure invoices rather than through their Microsoft 365 licensing structure. This blog explains how Security Copilot actually works commercially, what the 400 SCU allocation means in practice, and what governance organisations need to put in place before broad deployment.
What Microsoft Security Copilot Actually Does
Microsoft Security Copilot is a generative AI assistant built specifically for security and IT operations tasks. It is embedded within Microsoft’s security products, including Microsoft Defender XDR, Microsoft Sentinel, Microsoft Entra, Microsoft Intune, and Microsoft Purview, and is designed to help security analysts and IT administrators work faster and more effectively by surfacing relevant context, generating summaries, drafting investigation steps, and automating routine security workflow tasks.
In practice, Security Copilot is most useful for security operations teams handling incident response, threat hunting, and investigation workflows where the volume of alerts and the complexity of the contextual data involved creates genuine cognitive load. It can summarise an incident, correlate signals across multiple security products, generate a plain-language explanation of a technical finding, and suggest remediation steps, all within the security console the analyst is already working in. For security teams that are genuinely overwhelmed by alert volume and investigation complexity, this kind of AI-assisted triage support has real operational value.
The UK’s National Cyber Security Centre publishes guidance on AI deployment in enterprise security environments, covering the governance requirements that organisations need to address before deploying AI-assisted security tools at operational scale. Their NCSC guidance on AI in enterprise security environmentsaddress both the technical security implications of AI-assisted security tools and the organisational governance frameworks that responsible deployment requires, which is directly applicable to Security Copilot adoption planning.
The Security Compute Unit Model Explained
Security Copilot does not charge per user or per query in the conventional sense. It charges through Security Compute Units, a consumption metric that measures the computational resources used by each Security Copilot interaction. The amount of SCUs consumed by a given interaction depends on the complexity of the prompt, the size of the data being analysed, the number of security products being queried simultaneously, the length of the output generated, and whether the interaction involves automated workflows or plugin-driven enrichment.
This consumption variability is the source of the most significant commercial risk in Security Copilot deployments. A security analyst running a simple incident summary against a contained alert will consume significantly fewer SCUs than one running a complex multi-product investigation that correlates data from Defender XDR, Sentinel, and Entra simultaneously and generates a detailed remediation plan. The same analyst running the same type of investigation will consume different SCU quantities depending on the specific data volumes and complexity of each incident. SCU consumption is inherently variable, and that variability makes cost forecasting difficult without empirical usage data from a pilot deployment.
The 400 SCU allocation per 1,000 licensed E5 users per month that is now included in E5 subscriptions is a meaningful starting point for organisations evaluating how far the included allocation will stretch. At a rough approximation, assuming a typical mix of simple and complex Security Copilot tasks, an organisation with 1,000 E5 licences and a security operations team of twenty analysts might find that the included 400 SCUs per month supports moderate daily use by the security team. Organisations with larger, more active security operations, or those running automated Security Copilot workflows, will almost certainly exceed the included allocation and incur additional Azure charges.
What Happens When You Exceed the Included Allocation
When an organisation exceeds its included 400 SCUs per 1,000 users per month, additional SCU consumption is billed through Azure at the pay-as-you-go rate. This is the mechanism that catches organisations off guard, because the Security Copilot usage is controlled within the Microsoft security console environment, but the billing arrives on the Azure invoice. Organisations that do not actively monitor Azure consumption for Security Copilot-specific charges may not connect the Azure cost to the Security Copilot activity that generated it until the invoice arrives.
The practical governance requirement is to establish monitoring for Security Copilot SCU consumption before broad deployment begins. Azure Cost Management provides the visibility needed to track Security Copilot consumption against the included allocation and to set budget alerts that trigger when consumption approaches or exceeds the threshold. Without this monitoring, an organisation deploying Security Copilot across a large security team has no mechanism to detect overconsumption until the Azure bill reflects it.
The FinOps Foundation’s frameworks for managing consumption-based cloud service costs provide directly applicable governance methodologies for Security Copilot SCU management. Their FinOps Foundation consumption-based cloud service cost governance frameworks address the monitoring, accountability, and optimisation disciplines that organisations need to apply to any Azure consumption-based service, including the specific challenges of forecasting and controlling AI service consumption where per-unit cost is variable rather than fixed.
Which E5 Customers Should Prioritise Security Copilot
Not every E5 customer is an equally compelling candidate for Security Copilot deployment. The organisations that are most likely to realise genuine value from the included SCU allocation are those with dedicated security operations centres or security teams that handle significant alert volume, those running Microsoft Defender XDR and Microsoft Sentinel as their primary security operations platforms, those dealing with complex, multi-stage incidents where correlating data across multiple security products is a routine and time-consuming activity, and those in regulated industries where the speed of incident investigation and response is a compliance requirement as well as an operational priority.
Organisations with smaller IT teams, simpler security environments, or primary security tooling from non-Microsoft platforms will likely find the included SCU allocation adequate for limited exploratory use but will not necessarily build the kind of regular, high-volume usage that justifies investing significantly in Security Copilot governance infrastructure.
The practical starting point for all E5 customers is to identify whether the included allocation has been activated, understand which security team members currently have access to Security Copilot features, and establish the basic monitoring infrastructure needed to track SCU consumption before any broader promotion of the capability within the security function.
Data Security and Governance Before Deployment
Security Copilot operates on security data that can be among the most sensitive information in any organisation: threat intelligence, incident details, user activity logs, identity data, and network telemetry. Before enabling Security Copilot for broad use within a security team, organisations should confirm that the data access configuration is correctly scoped, that security analysts accessing Security Copilot have appropriate permissions and that those permissions do not expose data from security tools beyond what each analyst should access in their normal role, and that the prompts and outputs generated through Security Copilot interactions are subject to appropriate retention and audit logging.
The SANS Institute publishes research on enterprise security operations technology governance, including the deployment and access control requirements that apply to AI-assisted security tools in production security operations environments. Their SANS Institute security operations and AI tool governance research provide the security architecture and governance frameworks that organisations need to put in place before deploying Security Copilot at operational scale, covering access control, data scoping, and audit requirements.
Conclusion
Microsoft Security Copilot is now part of the E5 subscription for the first time, and for organisations already running E5, the included 400 SCU allocation per 1,000 users is available to activate. But activating it without understanding the SCU consumption model, establishing monitoring for overage charges, and putting in place the data governance and access control configuration that Security Copilot requires is a recipe for either commercial surprise or security governance exposure. The technology is genuinely useful for the right security operations contexts. The commercial and governance preparation that responsible deployment requires is the more demanding part, and it should happen before any broad rollout rather than in response to the first unexpected Azure invoice.
IDC research on enterprise security technology investment and AI-driven security operations platform adoption provides benchmarking context on how organisations are approaching Security Copilot deployment and what the commercial and operational outcomes of early adopters look like. Their IDC enterprise security AI and Security Copilot adoption research offer evidence-based frameworks for evaluating the commercial case for expanding beyond the included E5 SCU allocation based on the specific security operations context and workload of each organisation.