Offboarding from Microsoft Security Copilot: A Step-by-Step Guide
In the first part of this series, we explored how to set up Microsoft Security Copilot. In this installment, we’ll focus on the offboarding process for Microsoft Security Copilot.
Microsoft Security Copilot has empowered your organization to tackle cyber threats with the speed and precision of AI. However, there may come a time when you need to offboard from Security Copilot, whether for financial reasons, a shift in your security strategy, or other organizational changes. Offboarding is not just about canceling a service—it’s about ensuring a seamless transition, retaining essential data, and avoiding unnecessary charges.
In this guide, we’ll walk you through the steps required to successfully offboard from Security Copilot and stop billing when you’re no longer using it.
Why Proper Offboarding Matters
Improperly offboarding from Microsoft Security Copilot can lead to:
- Continued billing despite no active usage.
- Loss of critical audit or operational data stored in Microsoft Purview.
- Security gaps if integrations or configurations are left active, such as lingering access permissions or unused plugins connected to sensitive resources.
For example, failing to disconnect a plugin like Microsoft Sentinel could result in unnecessary data flow, while leaving user roles assigned may create operational confusion or unintended access.
Taking the right steps ensures you retain control of your data, minimize costs, and maintain compliance with your organization’s security policies.
Key Considerations Before Offboarding
- Data Retention: Ensure any critical data stored within Security Copilot, such as logs or reports, is exported or retained. You may need to contact Microsoft Support for this process.
- Integration Management: Review and disconnect any integrations with other Microsoft products (e.g., Sentinel, Defender) to avoid unexpected interactions.
- User Communication: Notify relevant stakeholders about the offboarding process to ensure operational continuity.
Steps for a Successful Offboarding
Step 1: Disable Access to Security Copilot
Before deleting capacity, revoke access to Security Copilot to prevent new sessions or configurations.
- Sign in to Security Copilot.
- Navigate to the Role Assignment section under Settings.
- Remove all user roles (e.g., Contributors, Owners).
  - Use security groups for faster bulk updates.
- Confirm that no users have access and that only the Default security groups remain.
Pro Tip: Inform your IT and security teams in advance to ensure no disruptions during this step.
Step 2: Export Critical Data
Microsoft Security Copilot stores customer data in Microsoft Purview. To retain important logs, audit trails, or operational reports before offboarding:
- Contact Microsoft Support: Request data export assistance. The time required for data export may vary based on data size and complexity, so plan accordingly.
- Review Data Limitations: Be aware that certain data types may have export restrictions or require specific permissions. Confirm these details with your IT team or Microsoft Support to avoid surprises.
- Verify Data Storage: Ensure the exported data is securely stored within your organization in a format that aligns with your compliance and operational needs (e.g., JSON, CSV).
- Confirm Retention Policies: Validate that the data export complies with your organization’s data retention and security policies.
Important: Data may only remain accessible for export within a specific time frame (e.g., 30 days after initiating the offboarding process). Be sure to act promptly to avoid losing access.
Step 3: Delete Provisioned Capacity
Provisioned capacity is billed hourly until it is deleted. To stop billing, you must remove all Security Compute Units (SCUs).
Steps to Delete SCUs
Before deleting SCUs, ensure all critical data has been exported and that no active dependencies or integrations remain linked to Security Copilot. This helps prevent data loss and ensures a clean offboarding process.
- Sign in to the Azure Portal.
- Navigate to the Resource Groups section.
- Locate the resource group where your Security Copilot capacity is provisioned.
- Select the provisioned capacity resource (e.g., SecurityCopilotCapacity).
- Click Delete and confirm the deletion.
  - Ensure you have the appropriate Azure RBAC role (e.g., Owner or Contributor) to perform this action.
- Verify in the Usage Monitoring dashboard that no active SCUs remain.
Important: Deleting capacity is a permanent action and cannot be undone. Be sure to confirm that all dependencies have been removed before proceeding.
Step 4: Disconnect Plugins and Integrations
Security Copilot integrates with multiple Microsoft security services. Ensure all plugins and integrations are disabled to avoid lingering connections.
- Navigate to the Plugins section in Security Copilot.
- Disable any active Microsoft or third-party plugins.
  - Examples include Microsoft Sentinel, Intune, or Defender integrations.
- Review your Azure environment for any dependencies linked to Security Copilot and remove them.
Step 5: Monitor Billing
To ensure billing stops after offboarding:
- Go to the Azure Cost Management section in the Azure Portal.
- Filter for charges related to Security Copilot or associated SCUs.
- Confirm that no new charges appear after deleting capacity.
Pro Tip: Set up a budget alert in Azure Cost Management to notify you of any unexpected charges. Note that billing records remain accessible for auditing purposes for up to 90 days after the capacity is deleted, depending on your Azure subscription settings.
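The checks in Step 3 and Step 5 can also be run against exported data instead of by eye in the portal. The script below is an added example, not part of the original post: it flags capacity resources that are still deployed and totals any Security Copilot charges dated after the deletion day. It assumes the capacity resource type is Microsoft.SecurityCopilot/capacities and that the cost export has Date (ISO format), ResourceId and CostInBillingCurrency columns; all sample data, names and IDs are constructed.

```python
import csv
import io
import json
from datetime import date

CAPACITY_TYPE = "microsoft.securitycopilot/capacities"  # assumed ARM type of SCU capacity

# Constructed sample, shaped like the output of:
#   az resource list --resource-type Microsoft.SecurityCopilot/capacities -o json
SAMPLE_RESOURCES = json.dumps([
    {"name": "scu-forgotten", "type": "Microsoft.SecurityCopilot/capacities",
     "resourceGroup": "rg-sec-test", "location": "westeurope"},
    {"name": "law-soc", "type": "Microsoft.OperationalInsights/workspaces",
     "resourceGroup": "rg-soc", "location": "westeurope"},
])

# Constructed cost export; column names and ISO dates are assumptions.
SAMPLE_COSTS = """Date,ResourceId,CostInBillingCurrency
2025-01-10,/subscriptions/0000/resourceGroups/rg-sec/providers/Microsoft.SecurityCopilot/capacities/scu-prod,96.00
2025-01-11,/subscriptions/0000/resourceGroups/rg-sec-test/providers/Microsoft.SecurityCopilot/capacities/scu-forgotten,96.00
2025-01-11,/subscriptions/0000/resourceGroups/rg-soc/providers/Microsoft.OperationalInsights/workspaces/law-soc,3.10
2025-01-12,/subscriptions/0000/resourceGroups/rg-sec-test/providers/Microsoft.SecurityCopilot/capacities/scu-forgotten,96.00
"""

def remaining_capacities(resources_json):
    """Return (resource group, name) for every capacity resource still deployed."""
    return [(r["resourceGroup"], r["name"]) for r in json.loads(resources_json)
            if r.get("type", "").lower() == CAPACITY_TYPE]

def charges_after(costs_csv, deleted_on):
    """Sum capacity cost per resource for days strictly after deleted_on.

    Capacity bills hourly until it is deleted, so a charge on the deletion
    day itself is expected and is not flagged.
    """
    totals = {}
    for row in csv.DictReader(io.StringIO(costs_csv)):
        rid = row["ResourceId"].lower()
        if CAPACITY_TYPE not in rid:
            continue  # unrelated resource, e.g. a Log Analytics workspace
        if date.fromisoformat(row["Date"]) > deleted_on:
            name = rid.rsplit("/", 1)[-1]
            cost = float(row["CostInBillingCurrency"])
            totals[name] = round(totals.get(name, 0.0) + cost, 2)
    return totals

if __name__ == "__main__":
    print("still deployed:", remaining_capacities(SAMPLE_RESOURCES))
    print("charges after deletion:", charges_after(SAMPLE_COSTS, date(2025, 1, 10)))
```

In the constructed data, a second capacity in a test resource group was never deleted, which is why charges continue after the production capacity is gone.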
Post-Offboarding Best Practices
- Audit Logs: Review and archive logs from Microsoft Purview to retain a record of activities. This ensures compliance with your organization’s data retention policies and provides a reference for any future audits.
- Review Integrations: Double-check that all integrations and dependencies have been removed from your Azure environment. Leaving unused integrations active can lead to unnecessary costs or potential security vulnerabilities.
- Communicate with Teams: Notify all relevant stakeholders, including IT and security teams, about the offboarding process and its completion. This helps prevent operational disruptions and ensures that everyone is aligned with the updated security configurations and workflows.
Wrapping Up
Offboarding from Microsoft Security Copilot is a structured process that ensures your organization transitions smoothly while avoiding unnecessary charges. By following the steps outlined above, you can confidently deactivate Security Copilot without losing critical data or leaving behind security gaps.
If you’re looking to explore new security solutions or revisit Security Copilot in the future, stay tuned for our upcoming posts in this series. Until then, safe offboarding, Pilots! ✈️
Part 1: Master the Basics: How to Get Started with Microsoft Security Copilot
About the Author
This blog post was created by Shaun Hardneck, a Microsoft Security Architect and Consultant with extensive expertise in Microsoft 365, Azure, and Entra ID. Shaun specializes in crafting innovative security solutions and guiding organizations through their digital transformation journey. As the founder of the blog ‘ThatLazyAdmin,’ Shaun shares practical insights and technical tips to empower IT professionals and enhance organizational security.