Microsoft has introduced Copilot as an AI-powered productivity booster. It comes in two flavors: Microsoft Copilot and Copilot for Microsoft 365.

Microsoft Copilot

Microsoft Copilot acts as your research partner, answering complex questions with clear summaries and reliable sources. It can also generate images based on your request. Press the ‘Windows Key + C’ (on Windows 11) keyboard shortcut to start discovering.

The implementation strategy should include the following considerations:

  • Organizations seeking data security for Microsoft Copilot should activate the “Commercial data protection” service plan if it is not activated by default. This plan safeguards user and company information from work accounts when using Copilot; a green “Protected” icon in the Copilot interface confirms that the current session is covered. With commercial data protection, prompts and responses are not retained by Microsoft, chat history is not stored, no one at Microsoft has eyes-on access to the data, and the data is not used to train or improve the underlying AI models. Note what this does not do: it does not classify, label, or block the information a user chooses to paste into a prompt, which is why the user-education step below still matters.
  • Infrastructure engineers need to ensure users are signed in with their corporate accounts when using Microsoft Copilot, since commercial data protection is only applied to authenticated work accounts. This requires two key steps: routing Copilot traffic through adjusted DNS configurations and implementing firewall rules aligned with your organization’s security policies. Refer here for detailed instructions. These configurations should be applied across all corporate devices, including laptops and handheld devices. While enforcing Copilot usage restrictions on managed laptops is currently achievable, managing mobile devices remains a work in progress.
  • Educating users on responsible use of Copilot is paramount. This involves creating comprehensive user guides and conducting training sessions that cover essential topics such as data security, privacy, and compliance. Users should be made aware of the importance of using their corporate credentials when accessing Copilot and the potential risks associated with non-compliance. Regular updates and reminders can reinforce these guidelines, promoting a culture of security and responsible use within the organization.

More on Zero Trust for Microsoft Copilot can be found here.

Copilot for Microsoft 365

Copilot for Microsoft 365 is designed to supercharge Microsoft 365 applications with enterprise and web data sources, bringing AI into the Microsoft 365 suite itself. It works across applications such as Word, Excel, PowerPoint, Outlook, and Teams, and in other clients such as Edge for Business. It grounds its responses in web and Microsoft 365 data sources such as SharePoint and Exchange (and any third-party integrations you connect) through Microsoft Graph and Microsoft 365/Azure AI Search. By default, Copilot for M365 can reach any content in Microsoft Graph, such as emails, chats, and documents, that the signed-in user already has permission to access. It does not elevate permissions, but it makes everything a user can technically reach far easier to find, which is why oversharing is the central risk for a Copilot deployment.

Microsoft Graph

Microsoft Graph is the API for Microsoft 365. It provides a unified programmability model that allows developers to access an extensive amount of data across various Microsoft services. A preliminary overview of MS Graph can be found here.

The following diagram shows the logical architecture components and the data Copilot for M365 can access when responding to a prompt.

Source: MS documentation

Considerations for Copilot Use

With the comprehensive integration and discovery features provided, it’s crucial to lay a solid security groundwork rooted in the Zero Trust model before deploying Copilot successfully. To optimize the utility of Copilot without compromising data security and protection, enterprises should concentrate their efforts on the following Zero Trust strategies:

  • Data Protection: Safeguard data within the Microsoft 365 environment using Microsoft Purview’s capabilities, in particular sensitivity labels and data loss prevention (DLP) policies. Detailed guidelines for creating and publishing these labels and policies, and for instructing users on them, are strongly recommended.
  • Identity and Access Management: To enhance security, particularly for hybrid environments with on-premises Active Directory Domain Services, implement Conditional Access policies. These policies control access based on specific conditions (for example, requiring multifactor authentication and a compliant device) and ensure that only trusted users and devices can access your resources. Additionally, deploying Microsoft Entra Password Protection helps detect and block the use of weak passwords, including in on-premises AD DS.
  • Device Management: To safeguard against compromised devices, Microsoft Intune is recommended for device management and compliance, as well as Microsoft Defender for Endpoint for enhanced insights and protection.
  • Threat Protection: Leverage services such as Defender for Office 365 and Defender for Endpoint for robust threat protection. These tools are designed to identify and thwart potential threats, preventing unauthorized actors from accessing the Microsoft 365 infrastructure.
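The Conditional Access recommendation above is usually implemented as a policy that requires MFA and a compliant device for every cloud app, rolled out first in report-only mode so sign-in logs can be reviewed before anything is blocked. The following is an added example written for this page, not code from Microsoft or from the original post. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication) and calls the Graph Conditional Access API directly; the policy name and the emergency-access group ID are placeholders.

```powershell
# Added example: create a Conditional Access policy in report-only mode that requires
# MFA AND a compliant (Intune-managed) device for all cloud apps, then read it back.
# Requires: Install-Module Microsoft.Graph.Authentication
# The group ID below is a placeholder for your break-glass (emergency access) group.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace

$policy = @{
    displayName = "ZT - Require MFA and compliant device (report-only)"   # placeholder name
    # Report-only: the policy is evaluated and logged in sign-in logs but not enforced.
    # Flip to "enabled" only after reviewing the report-only results.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # never lock out the break-glass accounts
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"                      # both controls are required
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body $policy -ContentType "application/json"

# Verify what the service actually stored (Invoke-MgGraphRequest returns a hashtable).
$stored = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)"
"{0} -> state={1}, controls={2}" -f $stored.displayName, $stored.state,
    ($stored.grantControls.builtInControls -join "+")

# After validating the report-only results in the sign-in logs, enforce the policy:
# Invoke-MgGraphRequest -Method PATCH `
#     -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)" `
#     -Body @{ state = "enabled" } -ContentType "application/json"
```

Two design points: the break-glass exclusion is mandatory (an all-users, all-apps policy with no exclusion can lock administrators out of the tenant if MFA or Intune has an outage), and the AND operator matters, since OR would let a user on an unmanaged device satisfy the policy with MFA alone.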

AIS Solution Director Meredith Dost provides an overview of Zero Trust here.

  • Adopt Purview: Embrace the use of Microsoft Purview for a unified data governance service that facilitates the management and governance of on-premises, multi-cloud, and software-as-a-service data. It can automatically and continuously discover data security risks for Microsoft Copilot for Microsoft 365 and provide organizations with an aggregated view of the total prompts being sent to Copilot and the sensitive information included in those prompts. Admins can also use Microsoft Purview to set retention policies for the data related to chat interactions with Copilot. More about this here.
  • Classify Data and Enable Encryption: Implement a comprehensive data classification strategy. This allows Copilot for M365 to respect the sensitivity of the content it interacts with: Copilot honors the encryption applied by sensitivity labels, so it only returns content from an encrypted item when the user holds at least the EXTRACT usage right for it, and content Copilot generates from labeled items inherits the highest-priority label among them. Use Microsoft Purview Message Encryption (formerly Office Message Encryption, OME) for email and sensitivity labels wherever encryption is needed.
  • Leverage the Admin Center: Utilize the M365 Copilot Admin Center, a centralized platform that provides tools for managing and fine-tuning governance rules. This can help tailor the use of M365 Copilot to your organization’s specific needs and policies. More about this here.
  • Regular Audits: Keep up with the latest on Copilot for Microsoft 365 and adjust your security plan as things evolve. Purview provides a unified audit log, searchable audit events (including records of Copilot interactions), and options for audit log retention. These features enable organizations to respond effectively to security events, investigations, and compliance obligations.
  • Continuous Monitoring and Improvement: Regularly review and update your security measures, data classification, and governance rules to keep up with evolving threats and organizational changes. Continuous improvement is key to maintaining a secure and efficient environment.

Comments and considerations for data on SharePoint and OneDrive

Some of the recommendations here simply describe functionality Microsoft has made available for data governance with Copilot for M365. Whether they are effective for a given organization depends on the maturity of its M365 use; a tenant with years of unmanaged sharing will need cleanup before these controls deliver much value.

  • Access Control Audits: Access control reports for SharePoint Online can be generated using the Data Access Governance reports feature. This tool allows the creation of two distinct types of reports: ‘Sharing Links’ and ‘Sensitivity Labels Applied to Files’. Please note that certain features require the Microsoft Syntex – SharePoint Advanced Management add-on. Read more here and here.
  • Sharing Policies: Evaluate existing internal and external sharing policies. Apply sharing and site creation restrictions as needed. Many practitioners also recommend hiding the “Everyone Except External Users” claim in SharePoint, because content shared to that group is effectively visible to the whole tenant, and therefore to Copilot on behalf of any user.
  • Restricted SharePoint Search: You can also use the Restricted SharePoint Search feature to disable organization-wide search and restrict both Enterprise Search and Copilot experiences to a curated allow list of SharePoint sites of your choice; users can still find content they own or have already accessed. More about this here. This functionality is being rolled out in April 2024. Note that it affects SharePoint’s native search as well, not just Copilot, so it is best treated as an interim control while oversharing is remediated rather than a permanent fix.
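The sharing-policy and Restricted SharePoint Search bullets above map onto a handful of SharePoint Online Management Shell cmdlets. The block below is an added example written for this page, not the original post’s or Microsoft’s own script. It assumes the SharePoint Online Management Shell module is installed and that you are a SharePoint administrator; the tenant name and site URLs are placeholders.

```powershell
# Added example: inventory external sharing, tighten tenant sharing defaults, and turn on
# Restricted SharePoint Search with an allow list.
# Requires: Install-Module Microsoft.Online.SharePoint.PowerShell
# "contoso" and the site URLs are placeholders; replace them with your own tenant and sites.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Inventory: which sites currently allow any form of external sharing?
#    Copilot cannot widen these permissions, but externally shared sites are the ones
#    most likely to hold over-exposed content, so they are the first place to look.
$externallyShared = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability
$externallyShared | Format-Table -AutoSize

# 2. Tighten tenant-wide defaults:
#    - ShowEveryoneExceptExternalUsersClaim $false hides the "Everyone except external users"
#      claim from the people picker, so users stop granting tenant-wide access by accident
#      (existing grants to that claim still need to be found and removed separately).
#    - DefaultSharingLinkType Direct makes new sharing links default to "specific people"
#      instead of organization-wide links.
#    - SharingCapability ExternalUserSharingOnly disables anonymous ("Anyone") links.
Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $false `
              -DefaultSharingLinkType Direct `
              -SharingCapability ExternalUserSharingOnly

# 3. Restricted SharePoint Search: only allow-listed sites stay searchable tenant-wide
#    (and therefore groundable by Copilot for everyone); users still see content they own
#    or have already accessed. Add the list first, then enable the mode.
$allowedSites = @(
    "https://contoso.sharepoint.com/sites/HR-Policies",       # placeholder
    "https://contoso.sharepoint.com/sites/Engineering-Wiki"   # placeholder
)
Add-SPOTenantRestrictedSearchAllowedList -SitesList $allowedSites
Set-SPOTenantRestrictedSearchMode -Mode Enabled

# 4. Verify the result before announcing the change, since this also narrows normal
#    SharePoint search for every user.
Get-SPOTenantRestrictedSearchMode
Get-SPOTenantRestrictedSearchAllowedList
```

Run the inventory step on its own first and review the output; the `Set-SPOTenant` line changes tenant-wide behaviour for all users and is not something to paste blind. When oversharing has been cleaned up, `Set-SPOTenantRestrictedSearchMode -Mode Disabled` restores organization-wide search.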

It is important to remember, the goal is to maximize the utility of using Copilot for M365 without sacrificing data security and protection. These recommendations provide a roadmap to achieve that balance.


Copilot for M365 is gaining traction among organizations of all sizes to enhance productivity and automate processes. However, successful adoption requires careful planning to ensure the current M365 implementation is compatible, data security is robust, and there is adherence to governance and compliance regulations.

Organizations can significantly boost their productivity by implementing a roadmap for Copilot for M365 using AIS’s practical steps.

How AIS Can Help

If you want to explore our implementation guide or determine your eligibility for a complimentary “Copilot for M365 Readiness Assessment” of your Microsoft Cloud Environment, contact AIS today. We are here to provide further information and support your AI initiatives.