Adjust Capacity for Copilot for Security
Copilot for Security debuted to the public on April 1. There have been so many articles and questions being published an asked, but I don’t think anything has raised more questions than how to adjust the number of SCUs (if you don’t know what an SCU is you can read about it here). I decided it would be fun use some Azure Automation to increase and lower the amount of SCUs programmatically.
The first thing we need to do is create an Azure Automation Account. If you’ve never used an Automation Account before, you may need to follow these instructions to enable automation in Azure. Once, you have that enabled find the Automation Accounts in Azure and select +Create to create a new one.
After hitting next, you’ll fill out the Basics information including the Subscription, Resource group and Region. You’ll also need to give the Automation Account a name.
Select Next and confirm that the System assigned check box is checked. If you want to change the Networking settings (I change mine to Private access) or add Tags, do so. And then press Review + Create.
Now that the account is created, we need to give it permissions to make the SCU change. In another browser tab, locate your Copilot for Security Resource and select Access Control (IAM). Select the +Add button and choose Add role assignment.
Select the Privileged administrator roles tab and select Contributor.
You may be thinking - “Whoa! I’m giving Contributor rights to this account.” But managed identities are the preferred method for runbooks because they allow your runbook to easily access other Microsoft Entra protected resources. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. If you need more information, find it here.
Now let’s pop back to our other tab and create the Runbook. Find Runbooks in the Process Automation section. Select +Create a runbook.
Give it a name, select PowerShell as the Runbook type and 7.2 as the Runtime version. Then press Review + Create.
You should now be at the Edit PowerShell Runbook page. Paste this code in the window. This code will change the number of SCUs from your current setting to one SCU.
Connect-AzAccount -Identity
Set-AzContext -Subscription "your subscription"
$Resource = Get-AzResource -ResourceGroupName YourResourceGroup -ResourceName TheNameofYourCoilotResource -ResourceType microsoft.securitycopilot/capacities
$Resource.Properties.numberOfUnits = 1
$Resource | Set-AzResource -ForceYou can test it if you like in the Test pane. This will show you if there are any errors. Save the runbook.
Now, we’re going to set it so that this runbook kicks off every night at 10 p.m. Make your way back to the Azure Automation page and select Schedules in the Shared Resources section. Select +Add a schedule. Give the schedule a Name and select the date you want it to start. Select Recurring in the Recurrence section. And set Recur every to 1 Day. Set the expiration if you want to. Now select Create.
Now you’re all finished! You can duplicate these steps to create another Automation that increases the SCUs at 7 am or whatever time your team starts their day.
And remember, if you are working an incident at 2 a.m. and need more SCUs, you can manually change this in the Azure portal at any time.