Microsoft Security Copilot · Bootstrap & Entry-Point Roles
Security Administrator (Bootstrap)
The Entra ID Security Administrator role is the bootstrap entry point for Security Copilot — it provisions Copilot capacity and assigns the first Copilot Owner. Cross-listed from Entra ID for discoverability.
Scope: Tenant-wide security administration, including Copilot capacity provisioning
Permissions
- Capacity provisioning - Create Security Copilot capacity in Azure
- Initial Owner assignment - Assign the first Copilot Owner role
- All other Entra Security Administrator permissions (see Entra ID map)
Common use cases
- Initial Copilot rollout
- Adding capacity for growing SOC usage
Best practices
- Provision capacity in a dedicated resource group for cost tracking
- Hand off to Copilot Owner immediately after provisioning
- Document the provisioned capacity and its tier
Security considerations
- Security Administrator is highly privileged - already governed in Entra
- Copilot capacity provisioning is a billed action - cost governance matters
Common questions
When should I assign the Security Administrator (Bootstrap) role?
Assign Security Administrator (Bootstrap) when you need to: Initial Copilot rollout; and Adding capacity for growing SOC usage. It is part of Microsoft Security Copilot and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Security Administrator (Bootstrap) role do?
The Security Administrator (Bootstrap) role grants permissions including: Capacity provisioning - Create Security Copilot capacity in Azure; Initial Owner assignment - Assign the first Copilot Owner role; and All other Entra Security Administrator permissions (see Entra ID map). See the Permissions section above for the full list.
What are the security risks of the Security Administrator (Bootstrap) role?
Key considerations when assigning Security Administrator (Bootstrap): Security Administrator is highly privileged - already governed in Entra; and Copilot capacity provisioning is a billed action - cost governance matters. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.