Scheduling the Provisioning of Capacity (SCUs) for Copilot for Security - Step-by-Step Guide
Update Dec. 17, 2024 - The deployment procedure for this Logic App has been greately improved to minimize the steps needed for the setup. Please refer to the simplified instruction steps described directly in the readme page cfs/cfs-set-X-SCUs/ in GitHub. Most of the manual deployment instructions described in this article are no longer needed. The operating mechanism of the Logic App remains the same as described here.
Hello,
this is a simple step by step guide to implement an automated provisioning of Security Compute Unites (SCUs) for Security Copilot by using Azure Logic Apps, so without writing code. While the article may seem lengthy, it’s simply because I aim to provide comprehensive details for those unfamiliar with Logic Apps. The process I’m outlining is quite straightforward and can be completed in under two minutes.
Similar but slightly different implementations have already been proposed recently by Aaron Hoffmann (see Scheduling Microsoft Copilot for Security Capacities, where he is also using Logic Apps but with json template and parameters in a Storage Account) and Andrea Fisher (see Adjust Capacity for Copilot for Security, where she propose to use Automation Accounts and PowerShell).
[Added on Apr. 18] Other recently suggested methods include the use of Bicep and GitHub Actions (see Deploy and destroy Copilot for Security with Bicep and GitHub Actions - Thoor.tech by Pierre Thoor Thoor) and Bicep, Deployment Stacks and Azure DevOps Pipelines (see Automatic Provisioning and Deprovisioning of Copilot for Security Capacity Unit | GoToGuy Blog by Jan Vidar Elven ).
In this article I will not discuss why this type of automation may be useful or necessary. For these considerations, please refer to the articles cited above.
So, let's imagine that you want to have 9 SCUs from 9am to 5pm (9 hours per day) from Monday to Friday and only 1 SCU during extra-time, and in Saturday and Sunday.
NOTE - A question that frequently comes up is: “Is it possible to set 0 SCU during specific time slots?” The answer is yes. However, it requires the total removal of the Copilot capacity. This involves creating a new Logic App that employs the “Delete a resource” action, as opposed to the “Create or update a resource” action utilized in the Logic App discussed in this article. The process is quite straightforward and simple, and I won’t delve into further details here. Please note that if you cancel the capacity during a specific time slot, access to Copilot for Security will be unavailable during that period, both in the standalone portal and in the embedded experience on other Microsoft security portals. Once you restore the capacity, all historical data and configurations, including previuos sessions and custom promptbooks, will become accessible again.
Let's start by creating the automation that provisions the 9 SCUs at 9 am every day from Monday to Friday. Simply create a new Azure Logic App, add it to a Resource Group, give it a meaningful name and select a Region (not relevant what you select here for Copilot). I recommend selecting the Consumption model for the Logic App.
NOTE: in the Logic App’s name, I used the acronym “sku” when the correct term for abbreviating “Security Compute Unit” is “SCU”. Please disregard this naming mistake and ensure not to replicate it in your own environments...
Before designing the flow, create the System Assigned Managed Identity associated to this new Logic App:
Then go to the Resource Group that will be hosting your Copilot capacity and assign Contribute permission to the Managed Identity just created and associated to the Logic App. You may need to create this Resource Group if not already existing.
Complete the role assignment wizard.
Then go back to the new Logic App, open the designer, click on "Add a trigger", search for the word "Recurrence" and click on the name of the "Recurrence" activity.
Set the parameters for the recurrence. For example, every day at 9.01 am in my time zone:
Now, let's add a condition to check if the current day is Saturday or Sunday.
NOTE: you may not need to add this condition. For example, the Logic App that reset the number of SCUs to the lowest value (e.g. 1) can run everyday.
So, let's add an Initialize Variable activity which will hold the day of the week. Rename it appropriately, set is as string, click on Value and select the icon of the Expression Builder
Create (or simply copy) the following expression (use your time zone):
int(dayOfWeek(convertFromUtc(utcNow(),'W. Europe Standard Time')))
Now add a new action by clicking on the "+" button, search for the word "Condition" and click on the "Condition" action:
Select the "Choose a value" field and click on the thunderbolt symbol to open the object selection:
Here click on the name given to the previously defined variable containing the numeric value of the day of the week:
Set the operator to "is not equal to" and write 0 (=Sunday) as value. Click on the "+ New item" button and then "Add row". Here repeat the selection of the variable, set again the operator to "is not equal to" and write 6 (=Saturday) as value. Leave "AND" as logical operator. You should have something like this:
NOTE: if you created the variable DayOfTheWeek as a string instead of as an Integer, here you have to add the values 0 and 6 within double quotes (so, "0" and "6"). It works but, if you then reopen the condition, the double quotes will disappear - even if they are there - and this will cause uncertaininty about the correct configuration of the condition. If the type of the values inserted in this condition does not match the type of the DayOfTheWeek variable, the condition will fail to apply the desired logic.
Now, click on Parameters and, then, "Create parameter"
Add these 4 parameters:
NOTE: while setting the name of the capacity be consistent with what you have possibly set in other Logic Apps that need to make changes to this same capacity
Let' finally add the creation of the capacity. Click the "+" sign under the "True" branch, to add a new activity there. Search for "Create or update a resource" and select the corresponding activity of the connector "Azure Resource Manager".
NOTE: in some Azure environments, I found that some of these activities appear with their localized names (even if the rest of the portal appears in English) so you won't find it if you search the activity name in English. In that case, search for the connector name "Azure Resource Manager"
The first time that you use an action of the connector "Azure Resource Manager" you are asked to authenticate using OAuth. That authentication will create a connection that will be used by the actions of that connector. Proceed with the authentication.
When the OAuth authentication is completed, start setting the different parameters of the action. In particular, there are places where you need to select the "Insert Dynamic Content" option to get the value of the corresponding workflow parameter created above. For example:
As "Advanced parameters" select Location and Properties.
These are the values that must be set:
NOTE: while setting the name of the Resource Group be consistent with what you have possibly set in other Logic Apps that need to make changes to this same capacity
capacities/@{parameters('capacityName')}
As of today, the valid location for this kind of capacity are: australiaeast, eastus, uksouth, westeurope
{
"numberOfUnits": @{parameters('numberOfSCUs')},
"crossGeoCompute": "@{parameters('crossGeoCompute')}",
"geo": "@{parameters('geo')}"
}
In this way, the numberOfUnits, crossGeoCompute and geo properties are read from the homonym workflow parameters created above.
You should end up with something like this:
Save the Logic App.
Now, it is useful to force manually a first run, to check if everything was properly configured. Go to Overview, ensure that the Logic App is "Enabled" and click on Run:
Goto to Run History and, after a few seconds, check the result. Hopefully it succeded.
You can check the details of the flow by clicking on the row related to the last execution:
If it ran successfully with this forced execution, you can expect that it will run successfully when the execution will be triggered automatically by the Recurrence.
Finally, go to Copilot for Security and check if the capacity was properly provisioned:
Open it to check the number of "Capacity Units Provided".
Until now we have created the first Logic App to provision a capacity of X (e.g. 9) SCUs every day from Monday to Friday at a specific time (e.g. at 9.01 am).
You must repeat the steps described above to create a Logic App to provision a capacity of a lower number of SCUs (e.g. 1 SCU) during the extra time of the day and in the weekends. The Recurrence trigger, in that case, must be set to the correct value (e.g. everyday, at 4.55 pm). You may want to avoid setting the condition on the day of the week for this Logic App considering that it can run identically also on Saturday and Sunday (its execution will not vary the number of SCUs in these 2 days of the week).
NOTE: please note, in theory, you could use the previously created Logic App as a template and redeploy it to generate other instances. Regrettably, on the new Logic App instances created from the template derived from the initial Logic App, the ‘Create or update a resource’ action seems to be faulty and needs to be recreated. I haven’t had the opportunity to delve into this issue yet. It’s likely that either I or someone else will soon discover a more efficient method to deploy multiple instances of Logic Apps similar to the one outlined above starting from a template.
I hope these steps may be useful to you.
CIO | CISO | CTO | Global | Digital Transformation | CISSP ITIL PMP Agile Scrum TOGAF AWS Azure AI/ML GCP OCI Cloud Certified | IT Leader
1yThanks for sharing! 👍
Senior Cybersecurity Lead ex-Microsoft - keep it simple = Get Security Deployed
1yThanks for sharing Stefano Pescosolido
Security Specialist @ Microsoft
1yFionn Condren