Optional configuration for Copilot alignment to the ASD Blueprint

The Copilot for Microsoft 365 configuration and planning guide is intended for Australian and New Zealand customers in sensitive and regulated industries, and aligns with the Australian Signals Directorate (ASD) Blueprint for Secure Cloud configuration guidance for Microsoft 365.

This article covers optional elements. They are included to draw attention to additional features or configuration choices that aren't specific to Copilot but help improve the user experience or raise the overall security and compliance posture of the environment.

Microsoft Edge browser

Microsoft Copilot is integrated into the Microsoft Edge web browser side bar. Depending on the Copilot experiences available to the user, different Copilot interactions are available.

If the user has no Copilot license applied, the Microsoft Copilot consumer experience is presented. With a Microsoft Copilot with Commercial Data Protection license, that experience replaces the consumer experience. When Copilot for Microsoft 365 is available, the user can also switch between a Work mode and a Web mode: Work mode presents Copilot for Microsoft 365, and Web mode presents the Microsoft Copilot experience (with or without Commercial Data Protection, depending on what the organization has enabled).

(Screenshot: Microsoft Copilot in Microsoft Edge.)

(Screenshot: Microsoft Copilot with Commercial Data Protection in Microsoft Edge.)

(Screenshot: Copilot for Microsoft 365 in Microsoft Edge.)

An organization can control whether the Microsoft Edge experience is available at all and, if so, what interaction it can have with page content. Which Copilot experiences are presented to the end user depends on which licenses are applied and whether the organization enforces Commercial Data Protection.

Copilot integration in Microsoft Edge is controlled by system registry, group policy, or Microsoft Intune/Microsoft 365 policy.

To disable the Copilot integration with Microsoft Edge, the side bar must be disabled completely. This is achieved by setting the HubsSidebarEnabled policy to disabled.

If the Copilot integration is enabled, whether Copilot may read the content of the page the user is viewing is controlled with the DiscoverPageContextEnabled policy.

Tip

We recommend organisations enable Copilot integrations in Microsoft Edge, Windows, and Mobile progressively as staff are trained and build experience with these services.

Windows desktop

Microsoft Copilot is integrated into the Windows desktop to provide a wide range of Copilot experiences directly from the desktop.

The Windows desktop integration works in a similar way to the Microsoft Edge integration and provides access to the consumer Microsoft Copilot, the Microsoft Copilot with Commercial Data Protection, and Copilot for Microsoft 365 experiences in the same way.

If the user has no Copilot license applied, the Microsoft Copilot consumer experience is presented. With a Microsoft Copilot with Commercial Data Protection license, that experience replaces the consumer experience. When Copilot for Microsoft 365 is available, the user can switch between a Work mode and a Web mode: Work mode presents Copilot for Microsoft 365, and Web mode presents the Microsoft Copilot experience (with or without Commercial Data Protection, depending on what the organization has enabled).

The next three visuals demonstrate the visual differences between the three Windows Desktop Copilot modes.

(Screenshot: Microsoft Copilot in Windows.)

(Screenshot: Microsoft Copilot with Commercial Data Protection in Windows.)

(Screenshot: Copilot for Microsoft 365 in Windows.)

The availability of Copilot in Windows is managed by the TurnOffWindowsCopilot policy. The experience that is then presented depends on the licensing applied to the authenticated user.
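The three policies named above (HubsSidebarEnabled and DiscoverPageContextEnabled for Microsoft Edge, TurnOffWindowsCopilot for Windows) are all registry-backed, which makes them easy to apply on a test device and, more usefully, to audit across a fleet. The script below is an added example written for this article; it is not part of the ASD Blueprint or of Microsoft's own guidance. It assumes the policy key paths and value names as the editor understands them from the Edge and Windows policy documentation (HKLM policy keys, DWORD values), and that it runs elevated. In a managed environment the same values would be delivered by Group Policy or Intune; the audit function is the part worth keeping.

```powershell
# Added example: apply and audit the Copilot policies discussed in this article.
# Assumption (not stated in the article): these are the registry locations that the
# corresponding Group Policy / Intune settings write to.

$EdgePolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$CopilotPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot'

# Desired state for a sensitive environment that has not yet rolled Copilot out:
#   HubsSidebarEnabled         = 0  Edge side bar off, which removes Copilot in Edge
#   DiscoverPageContextEnabled = 0  if the side bar is enabled later, Copilot still
#                                   cannot read the content of the current page
#   TurnOffWindowsCopilot      = 1  Copilot in Windows off
$Desired = @(
    @{ Key = $EdgePolicyKey;    Name = 'HubsSidebarEnabled';         Value = 0 },
    @{ Key = $EdgePolicyKey;    Name = 'DiscoverPageContextEnabled'; Value = 0 },
    @{ Key = $CopilotPolicyKey; Name = 'TurnOffWindowsCopilot';      Value = 1 }
)

function Set-CopilotPolicy {
    param([hashtable]$Policy)
    if (-not (Test-Path $Policy.Key)) {
        New-Item -Path $Policy.Key -Force | Out-Null
    }
    New-ItemProperty -Path $Policy.Key -Name $Policy.Name -PropertyType DWord `
        -Value $Policy.Value -Force | Out-Null
}

function Test-CopilotPolicy {
    # Returns one object per policy with the value found (or $null when the value is
    # absent) and a Compliant flag, so the result can feed a report rather than be read
    # by eye. An absent value is reported as non-compliant: "not configured" leaves
    # Copilot available.
    param([hashtable]$Policy)
    $actual = $null
    if (Test-Path $Policy.Key) {
        $item = Get-ItemProperty -Path $Policy.Key -Name $Policy.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($Policy.Name) }
    }
    [pscustomobject]@{
        Policy    = $Policy.Name
        Expected  = $Policy.Value
        Actual    = $actual
        Compliant = ($actual -eq $Policy.Value)
    }
}

# Apply, then verify.
foreach ($p in $Desired) { Set-CopilotPolicy -Policy $p }
$Desired | ForEach-Object { Test-CopilotPolicy -Policy $_ } | Format-Table -AutoSize
```

To enable Copilot in Edge progressively, as the Tip above suggests, change HubsSidebarEnabled to 1 in `$Desired` while leaving DiscoverPageContextEnabled at 0; the audit then reports the side bar as compliant but still flags any device where page-content access has been switched on.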


Copilot mobile apps

A stand-alone mobile app experience for Copilot is available for iOS and Android devices.

If the user has no Copilot license applied, the Microsoft Copilot consumer experience is presented. With a Microsoft Copilot with Commercial Data Protection license, that experience replaces the consumer experience. When Copilot for Microsoft 365 is available, the user can switch between a Work mode and a Web mode: Work mode presents Copilot for Microsoft 365, and Web mode presents the Microsoft Copilot experience (with or without Commercial Data Protection, depending on what the organization has enabled).

The next three visuals demonstrate the visual differences between the three Copilot mobile app modes.

(Screenshot: Microsoft Copilot on mobile.)

(Screenshot: Microsoft Copilot with Commercial Data Protection on mobile.)

(Screenshot: Copilot for Microsoft 365 on mobile.)

We recommend controlling access to the mobile apps through Microsoft Intune and app protection policies, so that Copilot is only reachable from managed, compliant devices and corporate data cannot be copied out of the app.


Web-based Copilot experiences

A stand-alone web-based experience for Copilot is available in three locations:

Location                    Copilots available
copilot.microsoft.com       Microsoft Copilot; Copilot for Microsoft 365
www.bing.com/chat           Microsoft Copilot; Copilot for Microsoft 365
www.microsoft365.com/chat   Copilot for Microsoft 365

Wherever Microsoft Copilot is available, the ability to use Commercial Data Protection is always present. If the user has no Copilot license applied, the Microsoft Copilot consumer experience is presented. With a Microsoft Copilot with Commercial Data Protection license, that experience replaces the consumer experience.

When both the Microsoft Copilot and Copilot for Microsoft 365 experiences are available, the user can switch between a Work mode and a Web mode: Work mode presents Copilot for Microsoft 365, and Web mode presents the Microsoft Copilot experience (with or without Commercial Data Protection, depending on what the organization has enabled).

(Screenshot: Microsoft Copilot unauthenticated consumer experience.)

(Screenshot: Microsoft Copilot authenticated consumer experience.)

(Screenshot: Microsoft Copilot authenticated and licensed Commercial Data Protection experience.)

(Screenshot: Copilot for Microsoft 365 experience.)

Sensitivity labels

Organizations that use Microsoft Purview Information Protection to label content such as emails and files find that Copilot for Microsoft 365 reads these labels and reflects them both in the user interface and in content derived from labeled source material. For example, if content carrying a Protected label is used by Copilot to generate new material, that new content automatically carries the Protected label.

If multiple pieces of content are referenced in the creation of new content, the highest-priority label applied to any of the source materials is applied to the new content Copilot creates. For example, if two source documents are labeled Official and a third is labeled Official:Sensitive, the new content is automatically labeled Official:Sensitive by Copilot, and the user is advised through a policy tip.

(Screenshot: Copilot applies labels from source material and advises the user.)

While labeling decisions remain within the control of the end user, this mechanism creates an additional safety net for sensitive material to avoid accidental under-classification.

Additionally, labels that apply encryption can be configured to block Copilot from accessing their content by removing the EXTRACT usage right from the label's encryption settings. This may be appropriate for the most sensitive content: even though the label would be carried to any derivative work, merely replicating the information into a new file may itself need to be prevented. Note that this is a per-label decision that applies to every user the label's rights definition names, not only to Copilot.

(Screenshot: Custom sensitivity label permissions with the EXTRACT right removed.)
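The screenshot above shows the change being made in the Purview portal. Where labels are managed as code, the same change is made with Set-Label, and the rights string can be checked programmatically so that a later edit cannot silently reintroduce EXTRACT. The script below is an added example, not from this article or from Microsoft's reference scripts. It assumes the Security & Compliance PowerShell module is installed and the account holds a compliance administrator role; the label name "PROTECTED - No Extract" and the group "protected-readers@contoso.gov.au" are placeholders; and it assumes (this is the editor's understanding, not something the article states) that Get-Label returns EncryptionRightsDefinitions in the same "principal:RIGHT,RIGHT;principal:..." string form that Set-Label accepts.

```powershell
# Added example: remove EXTRACT from an encrypting label and verify it stayed removed.
# Placeholders: label name and principal. Assumption: Get-Label returns the rights
# definition as the same "principal:rights;..." string that Set-Label accepts.

$LabelName = 'PROTECTED - No Extract'             # placeholder
$Principal = 'protected-readers@contoso.gov.au'   # placeholder group

# A typical co-author rights set, with and without EXTRACT. EXTRACT is the right that
# allows content to be copied out of the protected container, and is what Copilot
# needs in order to reuse the content in a new file.
$RightsWithExtract    = 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'
$RightsWithoutExtract = 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,REPLY,REPLYALL,FORWARD,OBJMODEL'

function Get-PrincipalsWithExtract {
    # Parses a "principal:RIGHT,RIGHT;principal:..." rights definition and returns the
    # principals that still hold EXTRACT. An empty result means no one can extract.
    param([string]$RightsDefinitions)
    foreach ($entry in ($RightsDefinitions -split ';')) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $principal, $rights = $entry -split ':', 2
        if (($rights -split ',') -contains 'EXTRACT') { $principal.Trim() }
    }
}

# Offline check on the two constructed definitions: the first names the group, the
# second returns nothing.
Get-PrincipalsWithExtract -RightsDefinitions "$($Principal):$RightsWithExtract"
Get-PrincipalsWithExtract -RightsDefinitions "$($Principal):$RightsWithoutExtract"

# Live change: apply the stricter definition to the label, then read it back.
Connect-IPPSSession

Set-Label -Identity $LabelName `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "$($Principal):$RightsWithoutExtract"

function Test-LabelBlocksExtract {
    param([string]$Identity)
    $label = Get-Label -Identity $Identity
    $leaks = @(Get-PrincipalsWithExtract -RightsDefinitions $label.EncryptionRightsDefinitions)
    [pscustomobject]@{
        Label                 = $Identity
        EncryptionEnabled     = $label.EncryptionEnabled
        PrincipalsWithExtract = $leaks
        BlocksCopilotExtract  = ($label.EncryptionEnabled -and $leaks.Count -eq 0)
    }
}

Test-LabelBlocksExtract -Identity $LabelName
```

Run Test-LabelBlocksExtract against every label that is meant to be Copilot-excluded as part of routine label review; a label that is not encrypting at all (EncryptionEnabled false) is reported as not blocking, which is the case the article's next paragraph refers to.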

The requirement for encryption is due to be removed in a future update, through a new ability to exclude content from Copilot based on any label, encrypted or not.

For more information on deploying Microsoft Purview Information Protection marking and labels to support the Australian Government Protected Security Policy Framework (PSPF) requirements, see the Microsoft PSPF Guide.

Search optimization

Copilot for Microsoft 365 relies on Microsoft 365 Search, via the Microsoft Graph, to locate content during the Retrieval Augmented Generation (RAG) process. Therefore, anything that improves search for users also improves Copilot's ability to locate and collect the most relevant and correct information. Conversely, anything that excludes content from search also prevents Copilot for Microsoft 365 from locating that content.

Good data management practices, such as retention and disposal, records management, archiving of stale content, good metadata, and permissions management all lead to better search and Copilot experiences. Customers are encouraged to make parallel efforts to improve configuration in each of these areas.

Some customers choose to remove particularly sensitive content from search due to a potential for consequences if it's inadvertently accessed or utilized in the creation of new content.

For example, sensitive files stored in a secured SharePoint document library by the Human Resources team are readily accessible to those team members in a known location, so removing them from search has little negative impact on the team. However, inadvertently revealing the existence of, or content from, one of those files during a routine search, displayed on a user's monitor while a colleague who doesn't have access to the content is watching, could be damaging. A performance improvement plan, redundancy, legal matter, or branch restructuring plan could all cause harm if their existence were revealed in this way.

Copilot for Microsoft 365 uses Microsoft 365 Search, via the Microsoft Graph, to locate content. Unlike a user performing a search elsewhere in Microsoft 365, Copilot doesn't present all potential matches; it selects the most relevant content for the user's query. Because it doesn't surface every result, Copilot doesn't carry the same exposure risk as search does, but it does rely more heavily on the quality of the search results it receives.

It's possible to exclude SharePoint in Microsoft 365 sites, or individual SharePoint in Microsoft 365 document libraries, from Microsoft 365 Search using the following methods, which also stops Copilot from finding them. However, the user experience impact of excluding content and locations from search is broader than Copilot: users can no longer find that content in search either.

Site settings

Removing a SharePoint in Microsoft 365 site from search results in all information about that site, and the content contained within it, being removed from the search index, and therefore unable to be found in search or by Copilot for Microsoft 365.

(Screenshot: SharePoint in Microsoft 365 site search settings.)

Document library settings

Removing a SharePoint in Microsoft 365 document library from search results in all of the content of that specific document library being removed from the search index, and therefore unable to be found in search or by Copilot for Microsoft 365.

(Screenshot: SharePoint Online document library search settings.)
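Both toggles shown in the screenshots above set the NoCrawl property of the site (Web) or list, and that property can be set and, more importantly, reported on from PowerShell so that exclusions made for a team like HR remain visible to whoever later reviews search and Copilot coverage. The script below is an added example written for this article, not part of the ASD Blueprint or Microsoft's documentation. It assumes the PnP.PowerShell module is installed and that the site URL, library title and sign-in method are placeholders to replace for your tenant; it also assumes that NoCrawl is the property behind the portal toggles (the editor's understanding). Changes take effect at the next crawl, not immediately.

```powershell
# Added example: exclude a site or a single document library from the search index
# (and therefore from Copilot for Microsoft 365), then report the crawl state.
# Placeholders: site URL, library title, sign-in. Assumption: the portal's "appear in
# search results" toggles map to the NoCrawl property on the Web and List objects.

Import-Module PnP.PowerShell
$SiteUrl     = 'https://contoso.sharepoint.com/sites/HR'   # placeholder
$LibraryName = 'Case Files'                                 # placeholder
Connect-PnPOnline -Url $SiteUrl -Interactive                # replace with your auth method

# Option 1: whole site. Equivalent to "Allow this site to appear in search results: No".
function Set-SiteSearchExclusion {
    param([bool]$Excluded)
    $web = Get-PnPWeb
    $web.NoCrawl = $Excluded
    $web.Update()
    Invoke-PnPQuery
}

# Option 2: one library only. Prefer this where the rest of the site is routine
# content that users still need to find.
function Set-LibrarySearchExclusion {
    param([string]$Title, [bool]$Excluded)
    $list = Get-PnPList -Identity $Title
    $list.NoCrawl = $Excluded
    $list.Update()
    Invoke-PnPQuery
}

function Get-SearchExclusionReport {
    # Lists the site and every document library (BaseTemplate 101) with its crawl
    # state. NoCrawl is not loaded by default, so it is fetched explicitly.
    $web = Get-PnPWeb
    $rows = @([pscustomobject]@{
        Scope              = 'Site'
        Name               = $web.Url
        ExcludedFromSearch = (Get-PnPProperty -ClientObject $web -Property NoCrawl)
    })
    foreach ($list in (Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 })) {
        $rows += [pscustomobject]@{
            Scope              = 'Library'
            Name               = $list.Title
            ExcludedFromSearch = (Get-PnPProperty -ClientObject $list -Property NoCrawl)
        }
    }
    $rows
}

# Exclude only the sensitive library, leave the rest of the HR site searchable.
Set-LibrarySearchExclusion -Title $LibraryName -Excluded $true
Get-SearchExclusionReport | Format-Table -AutoSize
```

Keep the report output with the rest of the environment's information management records: an exclusion is easy to forget, and a library that is missing from search and from Copilot with no recorded reason looks like an indexing fault to the next administrator.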

Restricted SharePoint Search is available to all Copilot for Microsoft 365 customers and offers organizations that have identified critical information management issues a temporary treatment while they carry out lengthier remediation work. This feature isn't intended for widespread use and isn't a requirement for a sensitive environment. Only organizations that need an emergency fix for systemic information access management failings should use this mode. When used, Restricted SharePoint Search affects content discoverability in both Microsoft 365 Search and Copilot for Microsoft 365.

Communication Compliance

Copilot for Microsoft 365 customers can use Communication Compliance to analyze the prompts an end user sends to Copilot and the responses it returns, to detect unwanted behavior that may breach corporate or legal policies and obligations.

It isn't a requirement to configure Communication Compliance when using Copilot for Microsoft 365 in a sensitive environment, but it's a powerful compliance measure that some organizations should consider.