Home

Published

- 3 min read

Security Copilot in M365 E5 Is Not a Gift

Microsoft Licensing Copilot
img of Security Copilot in M365 E5 Is Not a Gift

Microsoft announced at Ignite 2025 that Security Copilot would be included with Microsoft 365 E5 subscriptions, and the January 2026 Product Terms made it official. At no additional cost, apparently.

The allocation math

Microsoft’s documentation says E5 customers get 400 Security Compute Units per month for every 1,000 licensed users. Cap is 10,000 SCUs per month, which you’d hit at 25,000 users.

Their examples: 400 users gets you 160 SCUs monthly. 4,000 users gets you 1,600 SCUs.

An SCU is the billing unit for Security Copilot. Every query, every agent action, every investigation eats SCUs. Simple stuff might use a fraction of one. Complex investigations that pull from multiple tools chew through more. Microsoft hasn’t published detailed consumption tables. I’m sure that’s an oversight.

The overage trap

What happens when you blow through your allocation?

You pay $6 per SCU on a pay-as-you-go basis through Azure. At the time of writing, overage billing isn’t active yet, but it’s coming. Microsoft, generously, promises 30-day notice.

Six dollars per SCU.

Security Copilot launched in April 2024 with provisioned capacity at $4 per SCU per hour. Not a direct comparison since provisioned capacity bills hourly whether you use it or not, while overage is pure consumption. But the overage rate is 50% higher per unit. Microsoft is nudging you toward provisioning capacity rather than relying on the “free” allocation plus overage.

Generous, until it isn’t.

How long does 400 SCUs actually last?

Microsoft says the included capacity supports “typical scenarios.” How reassuring.

If you’re running a SOC with analysts actively using Security Copilot for incident investigation, alert triage, and threat hunting, 400 SCUs per 1,000 users might not survive the first week. I don’t have hard benchmarks because Microsoft hasn’t published them. But I’ve talked to enough security teams to know that AI assistants, once people actually use them, get used heavily. That’s the whole point of having them.

The E5 inclusion comes with twelve new agents across Defender, Entra, Intune, and Purview. Microsoft wants you deploying these for phishing triage, alert classification, access reviews, vulnerability remediation. All of this eats SCUs, and Microsoft has made adoption as frictionless as possible.

Then your allocation runs dry, the $6 per SCU kicks in, and that “free” inclusion starts costing real money.

The reset that stings

Easy to miss: allocations reset monthly and don’t roll over. Unused January SCUs don’t carry to February.

Security workloads are spiky. Quiet months where nothing major happens. Then an incident that demands intensive investigation. Quiet months, allocation goes unused. Crisis months, you blow through it and pay overage.

Rollover would smooth this out. Microsoft, curiously, chose otherwise.

What to do

Use Security Copilot. The capabilities are genuinely useful, so don’t leave it sitting there.

But monitor consumption from day one. Microsoft provides an in-product usage dashboard. Use it. Understand your baseline before you hit the ceiling.

Set alerts for consumption thresholds. Don’t wait for the 30-day notice that overage billing is activating.

When you’re budgeting for 2026, don’t count Security Copilot as “free.” Count the allocation, model realistic usage, budget for overage. The meter is running whether you see it or not.