Troubleshoot Conditional Access policies for Microsoft Security Copilot

Generative artificial intelligence (AI) services like Microsoft Security Copilot can bring value to your organization when used appropriately.

Apply Conditional Access policy to these generative AI services by following our recommendation to target all resources. These policies might include those for all users, risky users, sign-ins, device compliance, and users with insider risk.

Some organizations target these services directly by using the underlying service principals and custom security attributes in their Conditional Access policies:

• 43d7b169-1d9e-4d32-8cd8-06c5974ed90c - Security Copilot Agent Management
• bb5ffd56-39eb-458c-a53a-775ba21277da - Security Copilot Portal
• bb3d68c2-d09e-4455-94a0-e323996dbaa3 - Security Copilot API
• b0cf1501-8e0f-4fbb-b70a-52ca5ea7bda6 - Security Copilot Logic Apps Connector

In these cases, admins create, assign, and target these underlying service principals with custom security attributes.

Required roles

Custom security attributes are security sensitive and only delegated users can manage them. Assign one or more of the following roles to the user who manages or reports on these attributes.

Assign the appropriate role to the users who manage or report on these attributes at the directory scope. For detailed steps, see Assign Microsoft Entra roles.

Create custom security attributes

Follow the instructions in the article Add or deactivate custom security attributes in Microsoft Entra ID to add the following Attribute set and New attributes.

• Create an Attribute set named SecurityCopilotAttributeSet.
• Create New attributes named SecurityCopilotAttribute with Allow multiple values to be assigned set to No and Only allow predefined values to be assigned set to Yes. Add the following predefined value:
  • MFARequired

Assign custom security attributes to applications

1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator and Attribute Assignment Administrator.
2. Browse to Entra ID > Enterprise apps.
3. Select the apps to apply a custom security attribute to:
   1. 43d7b169-1d9e-4d32-8cd8-06c5974ed90c - Security Copilot Agent Management
   2. bb5ffd56-39eb-458c-a53a-775ba21277da - Security Copilot Portal
   3. bb3d68c2-d09e-4455-94a0-e323996dbaa3 - Security Copilot API
   4. b0cf1501-8e0f-4fbb-b70a-52ca5ea7bda6 - Security Copilot Logic Apps Connector
4. Under Manage > Custom security attributes, select Add assignment.
5. Under Attribute set, select the attribute set you created.
6. Under Attribute name, select the attribute you created.
7. Under Assigned values, select Add values, choose the value you created from the list, then select Done.
8. Select Save.

Targeting custom security attributes in Conditional Access policy

1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator and Attribute Definition Reader.
2. Browse to Entra ID > Conditional Access.
3. Select New policy or select an existing policy to update.
4. When configuring your Target resources, select the following options:
   1. Select what this policy applies to Cloud apps.
   2. Include Select resources.
   3. Select Edit filter.
   4. Set Configure to Yes.
   5. Select the Attribute you created.
   6. Set Operator to Contains.
   7. Set Value to one of your custom attributes.
   8. Select Done.

Which policy is causing issues?

It's sometimes hard for an admin to check which policy to update when there's an issue. Use the guidance in Troubleshooting sign-in problems with Conditional Access to check which policies apply, which policies don't apply, and run sign-in diagnostics to avoid ongoing issues.

Next steps

Understand authentication in Microsoft Security Copilot