Commit 187d86d

Merge pull request #54434 from MicrosoftDocs/NEW-manage-plugins-agents-security-copilot
Request push to Main - New manage plugins agents security copilot
2 parents d46504c + e87d4a0 commit 187d86d

21 files changed

Lines changed: 684 additions & 0 deletions
Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.manage-plugins-agents-security-copilot.introduction
3+
metadata:
4+
title: Introduction
5+
description: Introduction
6+
ms.date: 04/23/2026
7+
author: r-c-stewart
8+
ms.author: roberts
9+
ms.topic: unit
10+
title: Introduction
11+
durationInMinutes: 2
12+
content: |
13+
[!include[](includes/1-introduction.md)]
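Review bot: The metadata description at line 5 only repeats the title (`description: Introduction`), so it says nothing about what the unit covers. The knowledge-check and summary units in this same change use a full sentence that names the module topic; suggest doing the same here, for example an introduction to managing plugins and agents in Microsoft Security Copilot.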
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.manage-plugins-agents-security-copilot.configure-plug-in-settings
3+
metadata:
4+
title: Configure plugin settings in Security Copilot
5+
description: Learn how to use the Plugin Settings page to govern who can add and manage custom plugins. Explore restricting preinstalled plugin access, and adding custom plugins to extend Security Copilot capabilities.
6+
ms.date: 04/23/2026
7+
author: r-c-stewart
8+
ms.author: roberts
9+
ms.topic: unit
10+
title: Configure plugin settings in Security Copilot
11+
durationInMinutes: 5
12+
content: |
13+
[!include[](includes/2-configure-plug-in-settings.md)]
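Review bot: The uid at line 2 and the include path at line 13 spell it `plug-in` (`configure-plug-in-settings`), while the titles, the description and the module segment of the same uid (`manage-plugins-agents-security-copilot`) use `plugin`. Since the file is new in this change, settle on one spelling here rather than after the uid is published. The description at line 5 also has a stray comma before "and adding custom plugins".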
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.manage-plugins-agents-security-copilot.discover-set-up-microsoft-agents
3+
metadata:
4+
title: Discover and set up Microsoft-built agents
5+
description: Learn how to browse the Security Copilot agent library, understand the difference between Microsoft and partner agents. Then complete the full setup flow for a Microsoft-built agent including identity selection and trigger configuration.
6+
ms.date: 04/23/2026
7+
author: r-c-stewart
8+
ms.author: roberts
9+
ms.topic: unit
10+
title: Discover and set up Microsoft-built agents
11+
durationInMinutes: 4
12+
content: |
13+
[!include[](includes/3-discover-set-up-microsoft-agents.md)]
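Review bot: The first sentence of the description at line 5 joins two verbs with only a comma ("Learn how to browse the Security Copilot agent library, understand the difference between Microsoft and partner agents."). Suggest "Learn how to browse the Security Copilot agent library and understand the difference between Microsoft and partner agents." so it reads as one complete sentence before "Then complete the full setup flow".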
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.manage-plugins-agents-security-copilot.acquire-configure-partner-agents
3+
metadata:
4+
title: Acquire and configure partner agents from Security Store
5+
description: Learn how to discover and acquire partner-built agents through the Security Store integrated in Security Copilot. Explore the billing model, and complete the Global Administrator approval workflow for agents that access Microsoft product data.
6+
ms.date: 04/23/2026
7+
author: r-c-stewart
8+
ms.author: roberts
9+
ms.topic: unit
10+
title: Acquire and configure partner agents from Security Store
11+
durationInMinutes: 4
12+
content: |
13+
[!include[](includes/4-acquire-configure-partner-agents.md)]
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.manage-plugins-agents-security-copilot.manage-agents
3+
metadata:
4+
title: Manage Security Copilot agents
5+
description: Learn how to control agent execution by running or pausing agents, edit agent configuration, provide targeted feedback to improve agent performance. Explore managing agent memory to refine outputs over time.
6+
ms.date: 04/23/2026
7+
author: r-c-stewart
8+
ms.author: roberts
9+
ms.topic: unit
10+
title: Manage Security Copilot agents
11+
durationInMinutes: 4
12+
content: |
13+
[!include[](includes/5-manage-agents.md)]
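Review bot: The list in the description at line 5 has no conjunction before its last item ("by running or pausing agents, edit agent configuration, provide targeted feedback to improve agent performance."), so it reads as a run-on. Suggest "control agent execution by running or pausing agents, edit agent configuration, and provide targeted feedback to improve agent performance."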
Lines changed: 86 additions & 0 deletions
@@ -0,0 +1,86 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.manage-plugins-agents-security-copilot.knowledge-check
3+
metadata:
4+
title: Knowledge check
5+
description: Check your knowledge of managing plugins and agents in Microsoft Security Copilot.
6+
ms.date: 04/23/2026
7+
author: r-c-stewart
8+
ms.author: roberts
9+
ms.topic: unit
10+
title: Knowledge check
11+
durationInMinutes: 3
12+
content: |
13+
[!include[](includes/6-knowledge-check.md)]
14+
quiz:
15+
title: Check your knowledge
16+
questions:
17+
- content: "A Security Copilot owner wants contributors to be able to publish custom plugins for use by everyone in the organization. What must the owner configure first?"
18+
choices:
19+
- content: "Set the organization-scope permission to **Owners and Contributors**."
20+
isCorrect: false
21+
explanation: "Incorrect. The organization-scope permission can only be enabled after the user-scope permission is set to **Owners and Contributors**. You must configure user-scope access first."
22+
- content: "Set the user-scope permission to **Owners and Contributors**."
23+
isCorrect: true
24+
explanation: "Correct. Setting the user-scope permission to **Owners and Contributors** is required before the organization-scope permission becomes available. The two permissions work in sequence."
25+
- content: "Restrict preinstalled plugins to Owners only."
26+
isCorrect: false
27+
explanation: "Incorrect. Restricting preinstalled plugins controls plugin availability to users, not who can add custom plugins. It has no effect on custom plugin governance permissions."
28+
- content: "Enable all default preinstalled plugins for the workspace."
29+
isCorrect: false
30+
explanation: "Incorrect. Enabling preinstalled plugins makes them available to users but doesn't affect who can add or publish custom plugins."
31+
- content: "You restrict the Microsoft Defender XDR plugin to Owners only in your Security Copilot workspace. Which statement best describes the result?"
32+
choices:
33+
- content: "The plugin is disabled only for new contributors added after the restriction is applied."
34+
isCorrect: false
35+
explanation: "Incorrect. Restricting access is an immediate change that affects all current users of Security Copilot and its embedded experiences at the moment it's applied."
36+
- content: "Analysts using Security Copilot capabilities in the Microsoft Defender portal see a restricted or degraded embedded experience."
37+
isCorrect: true
38+
explanation: "Correct. Restricted plugins affect embedded experiences. When the Defender XDR plugin is restricted, analysts in the Defender portal encounter limited or unavailable Copilot capabilities inside that portal."
39+
- content: "The plugin is removed from all workspaces in the tenant."
40+
isCorrect: false
41+
explanation: "Incorrect. Plugin restrictions apply within the configured scope and affect user access, but the plugin itself remains available to owners. It isn't removed from other workspaces."
42+
- content: "Contributors must reconfigure their plugin settings to regain access."
43+
isCorrect: false
44+
explanation: "Incorrect. Contributors can't reconfigure preinstalled plugin access—that is an owner-only action. Restricting the plugin immediately prevents contributor access until an owner changes the setting."
45+
- content: "When setting up a Microsoft-built Security Copilot agent, which identity approach does Microsoft recommend?"
46+
choices:
47+
- content: "Assign an existing user account to reuse established permissions."
48+
isCorrect: false
49+
explanation: "Incorrect. Assigning an existing user account is a valid option but not the recommended approach. Using a shared account reduces auditability and increases the issues if the account is compromised."
50+
- content: "Create a dedicated agent identity."
51+
isCorrect: true
52+
explanation: "Correct. Microsoft recommends creating a dedicated agent identity. A dedicated agent identity improves auditability—agent actions are clearly attributed to the agent, not a human user—and limits the blast radius if the identity is ever compromised."
53+
- content: "Use a service principal created in the Azure portal."
54+
isCorrect: false
55+
explanation: "Incorrect. Agent identity configuration is handled within the Security Copilot setup flow, not the Azure portal. The two options presented are a new agent identity or an existing user account."
56+
- content: "Assign the Security Copilot Owner role to the agent."
57+
isCorrect: false
58+
explanation: "Incorrect. Agent identity is separate from Security Copilot role assignments. Selecting an identity type is part of the agent setup; it doesn't involve assigning a workspace role to the agent."
59+
- content: "A Security Copilot owner begins setting up a partner-built agent that requires access to Microsoft Defender data. The Setup button is disabled and a banner is displayed. What should the owner do?"
60+
choices:
61+
- content: "Configure the agent's dependent plugins first, then return to complete setup."
62+
isCorrect: false
63+
explanation: "Incorrect. Dependent plugin configuration occurs after setup is complete, not before. The grayed-out Setup button indicates Global Administrator approval is required, not a plugin configuration issue."
64+
- content: "Copy the approval link and share it with a Global Administrator."
65+
isCorrect: true
66+
explanation: "Correct. When a partner agent requires access to Microsoft product data, a Global Administrator must approve access before setup can proceed. The owner copies the link from the banner and shares it with their Global Administrator to initiate the approval workflow."
67+
- content: "Increase workspace capacity, then retry the setup."
68+
isCorrect: false
69+
explanation: "Incorrect. Capacity has no relation to the grayed-out Setup button. The banner specifically indicates that Global Administrator consent is required before the owner can complete agent setup."
70+
- content: "Select Browse more agents in Security Store to find an equivalent agent that doesn't require approval."
71+
isCorrect: false
72+
explanation: "Incorrect. The approval requirement exists because the agent accesses Microsoft product data, which requires explicit administrator consent. Switching agents doesn't remove the need for approval if a replacement agent requires the same access."
73+
- content: "An organization removes a partner agent from Security Copilot after purchasing a subscription in Security Store. What happens to the Security Store subscription?"
74+
choices:
75+
- content: "The subscription is automatically canceled when the agent is removed."
76+
isCorrect: false
77+
explanation: "Incorrect. Removing an agent from Security Copilot doesn't cancel the Security Store subscription. Billing and agent operations are managed in separate systems."
78+
- content: "The subscription remains active; billing must be managed separately in Security Store."
79+
isCorrect: true
80+
explanation: "Correct. Security Store subscriptions and Security Copilot agent operations are separate. Removing an agent from Security Copilot stops it from running but doesn't end the subscription. Subscription management and cancellation must be handled in Security Store."
81+
- content: "The subscription is paused and resumes if the agent is added back."
82+
isCorrect: false
83+
explanation: "Incorrect. Security Store doesn't automatically pause subscriptions based on agent activity in Security Copilot. The two systems are independent, and billing continues regardless of agent state in Security Copilot."
84+
- content: "Microsoft issues a prorated refund for the unused subscription period."
85+
isCorrect: false
86+
explanation: "Incorrect. Microsoft doesn't manage partner subscription billing. Refund policies align to the individual partner and managed through Security Store, not Security Copilot."
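Review bot: In all five questions the choice marked `isCorrect: true` is the second one (lines 23, 37, 51, 65 and 79), so a learner can pass the check by position alone. Vary the position of the correct choice across questions. Two wording fixes in the same file: line 86 is missing a verb ("Refund policies align to the individual partner and managed through Security Store" should read "and are managed"), and line 49 says "Using a shared account ... increases the issues if the account is compromised", which neither matches the choice text ("existing user account") nor the "blast radius" wording used for the correct answer at line 52.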
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.manage-plugins-agents-security-copilot.summary
3+
metadata:
4+
title: Summary
5+
description: Summary of managing plugins and agents in Microsoft Security Copilot.
6+
ms.date: 04/23/2026
7+
author: r-c-stewart
8+
ms.author: roberts
9+
ms.topic: unit
10+
title: Summary
11+
durationInMinutes: 2
12+
content: |
13+
[!include[](includes/7-summary.md)]
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
Microsoft Security Copilot uses workspaces to organize capacity, access, and data residency settings for a team or use case. In this module, Contoso previously provisioned three workspaces to support different security functions. The SOC workspace handles threat detection, the compliance workspace meets EU data residency requirements, and the sandbox workspace gives the architecture team room to experiment. The Security Architect's next task is to govern how plugins are added across those workspaces and to deploy the first agents that automate security workflows.
2+
3+
You're the Cloud and AI Security Engineer responsible for configuring plugin governance settings organization-wide and deploying both Microsoft-built and partner-built agents. Some agents require procurement through the Security Store before setup can begin, and one partner agent accesses Defender data—a scenario that requires Global Administrator approval before the Security Architect can complete setup. Once deployed, those agents need ongoing management: controlling when they run, providing feedback to improve their outputs, and maintaining the memory that shapes their behavior.
4+
5+
In this module, you learn how to configure owner-level plugin settings to control who can add and publish custom plugins. Then you explore how to restrict preinstalled plugin access and understand its effect on embedded experiences. Finally, learn to discover, acquire, set up, and manage both Microsoft-built and Security Store partner agents.
6+
7+
## Learning objectives
8+
9+
By the end of this module, you're able to:
10+
11+
- Configure plugin settings to govern who can add and manage custom plugins at user and organization scope
12+
- Restrict preinstalled plugin access to manage availability across embedded and standalone experiences
13+
- Discover and set up Microsoft-built agents using the Security Copilot agent library
14+
- Acquire and configure partner-built agents using Security Store, including the Global Administrator approval workflow
15+
- Manage agents by controlling run state, editing configuration, and maintaining agent memory
16+
17+
## Prerequisites
18+
19+
- Completion of [Configure workspaces for Microsoft Security Copilot](/training/modules/configure-security-copilot-workspaces/) is recommended
20+
- Familiarity with Microsoft Security Copilot Owner and Contributor roles
21+
- Basic knowledge of Microsoft Entra roles
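Review bot: The scenario assigns the same work to two different personas. Line 1 says "The Security Architect's next task is to govern how plugins are added", line 3 opens with "You're the Cloud and AI Security Engineer responsible for configuring plugin governance settings", and the same paragraph then has "the Security Architect" completing agent setup. Pick one role for the learner and state how the other relates to it, since the later units refer to the Security Architect making the configuration decisions. Line 5 also drops into an imperative ("Finally, learn to discover") after two sentences in "you learn" and "you explore" form.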
Lines changed: 58 additions & 0 deletions
@@ -0,0 +1,58 @@
1+
Contoso has three Security Copilot workspaces supporting different security functions. The Security Architect's next task is to govern how custom plugins are added across the organization. The Plugin Settings page provides owner-level controls that determine who can introduce new plugins and how broadly those plugins can be shared—decisions that have direct security implications for every workspace.
2+
3+
## Understand plugin governance scope
4+
5+
Plugin governance operates at two distinct levels: user scope and organization scope.
6+
7+
**User scope** controls who can add and manage custom plugins for their own sessions—a personal catalog of tools accessible only to the person who added them. **Organization scope** controls who can publish custom plugins that become available to all Security Copilot users in the organization.
8+
9+
By default, only owners can manage custom plugins at either scope. To change the default behavior, navigate to **Owner** > **Plugin settings** in the left navigation.
10+
11+
:::image type="content" source="../media/plug-in-permission-dependency.png" alt-text="Diagram of the Security Copilot plugin permission dependency: user-scope must be set to Owners and Contributors before organization-scope permissions become available." lightbox="../media/plug-in-permission-dependency.png":::
12+
13+
## Configure user-scope permissions
14+
15+
The first permission you configure is who can add custom plugins for themselves:
16+
17+
- **Owners only**: only owners can add and manage their own custom plugins
18+
- **Owners and Contributors**: owners and contributors can both add and manage custom plugins for their own sessions
19+
20+
For the Contoso sandbox workspace, the Security Architect sets who can add plugins to **Owners and Contributors**—giving the security architecture team the ability to test custom plugins during sessions without waiting for owner involvement. For the SOC and compliance workspaces, plugin setting remains set to **Owners only** to keep tighter control over production environments.
21+
22+
Changing the user-scope setting to **Owners and Contributors** also unlocks the second permission.
23+
24+
:::image type="content" source="../media/plug-in-control-options-update.png" alt-text="Screenshot of the user-scope and organization-scope plugin permissions configuration in Security Copilot." lightbox="../media/plug-in-control-options-update.png":::
25+
26+
## Configure organization-scope permissions
27+
28+
Setting user-scope permissions to **Owners and Contributors** unlocks a second control. Now you can configure who can publish custom plugins for everyone in the organization:
29+
30+
- **Owners only**: only owners can make custom plugins available organization-wide
31+
- **Owners and Contributors**: contributors can also publish plugins to the organization
32+
33+
For the sandbox workspace, the Security Architect sets organization scope to **Owners only** as well—even though contributors can add plugins for their own sessions, only the Security Architect decides which plugins graduate to organization-wide availability after successful testing.
34+
35+
## Restrict preinstalled plugin availability
36+
37+
Beyond custom plugins, owners can also restrict which preinstalled plugins users can access. By default, all owners and contributors have access to preinstalled Microsoft and non-Microsoft plugins. Owners can change individual plugins to **Owners only** access. After you restrict any plugin, Microsoft restricts newly added preinstalled plugins to Owners only by default.
38+
39+
> [!WARNING]
40+
> Restricting access is an immediate change that affects all current users of Security Copilot and its embedded experiences. Notify users before restricting plugins.
41+
42+
Restricted plugins affect embedded experiences. If the Microsoft Defender XDR or Natural Language to Kusto Query Language (KQL) plugins are restricted, analysts working in the Defender portal see a degraded or unavailable Copilot experience within that portal. Plan restrictions carefully and communicate changes to affected teams before applying them.
43+
44+
When you set up a Security Copilot agent, the required plugins for that agent are automatically enabled—solely for the agent's use. This automatic enablement doesn't change the availability status of those plugins for your users. You can disable the agent at any time to stop those automatic enablements.
45+
46+
## See plugin governance in action
47+
48+
With permissions configured, contributors can now add custom plugins within the boundaries you set. Here's what the process looks like from the contributor's perspective—and what the owner controls at each step.
49+
50+
1. Select the **Security Copilot sources** icon from the prompt bar.
51+
2. In **Manage plugins**, scroll to the **Custom** section and select **Upload plugin**.
52+
3. From the dropdown, choose the scope: available only to yourself (private) or available to everyone in the organization.
53+
4. Select the plugin type:
54+
- **Security Copilot plugin**: upload a `.yaml` or `.json` manifest file, or provide a link to the manifest
55+
- **OpenAI plugin**: provide a link to the OpenAI plugin manifest
56+
5. Complete any required setup fields, then select **Setup**.
57+
58+
After setup, the plugin appears in the Custom section with a toggle to turn it on or off. Private plugins display a **Private** tag. Only the owner who added an organization-scope plugin can modify or delete it—contributors can toggle it on or off but can't change its definition.
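Review bot: Line 58 states "Only the owner who added an organization-scope plugin can modify or delete it", but line 31 allows the organization-scope permission to be set so that contributors publish plugins too, and the text never says who can modify or delete a plugin that a contributor published. For a governance unit that gap matters; please state the rule for that case or reword line 58 to "the user who added". Separately, line 33 says the sandbox organization scope is set to **Owners only** "as well", yet line 20 set the sandbox user scope to **Owners and Contributors**, so "as well" has nothing to refer to. Lines 22 and 28 also repeat the same "unlocks the second permission" statement.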
