Required configuration for Copilot alignment to the ASD Blueprint

The Copilot for Microsoft 365 configuration and planning guide is intended for Australia and New Zealand sensitive and regulated industry customers, and is in alignment with the Australian Signals Directorate (ASD) Blueprint for Secure Cloud configuration guidance for Microsoft 365.

This section refers to a required configuration. Required elements have clear, specific configuration requirements that are mandatory for Copilot to function.

Network connectivity

A network configuration that complies with the supported Microsoft 365 networking practices detailed in the Microsoft online documentation is conducive to the effective operation of Copilot for Microsoft 365. We recommend that you configure networks in a way that ensures secure, direct connectivity to Microsoft 365 services.

The primary objective of Microsoft 365 networking is to enhance the user experience by providing the least restrictive access to the nearest Microsoft 365 endpoints. The user experience quality is closely linked to the application’s performance and responsiveness. The key aim in network design should be to minimize latency by reducing the round-trip time from client devices to the Microsoft Global Network.

To optimize Microsoft 365 network performance, consider these principles:

  • Identify Microsoft network traffic: Recognize and categorize network traffic associated with Microsoft 365 to manage it effectively.
  • Local branch egress: Allow Microsoft 365 network traffic to directly access the internet from user locations, bypassing central routing.
  • Bypass proxies and packet inspection: Enable Microsoft 365 traffic to avoid proxies and packet inspection as these can introduce latency and potentially interfere with data integrity and security.

A common failure mode observed for Copilot for Microsoft 365 occurs when a network blocks web sockets connectivity to the service. For more information about the latest Copilot-specific required network configurations, see network requirements.

Customers should consider the access to web content (Bing integration) section of this guide before completing their network configuration. Bing-labeled items are required to use either the web content integration in Copilot for Microsoft 365 or Microsoft Copilot with Commercial Data Protection.

The additional Copilot for Microsoft 365 network endpoint requirements are:

Standard connectivity

  • Common

    • copilot.microsoft.com
    • *.copilot.microsoft.com
    • challenges.cloudflare.com
  • Bing

    • *.bing.com
    • *.bingapis.com

Web sockets connectivity

  • Common (Enterprise)

    • *.cloud.microsoft
    • *.office.com
    • copilot.microsoft.com
    • *.copilot.microsoft.com
  • Bing

    • *.bing.com
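
The check below is an added example, not part of the original guide: it compares an egress allow policy against the endpoint lists above and reports which required entries are not covered, separately for standard and web sockets connectivity. The wildcard semantics (a leading "*." never matches the bare parent domain) and the sample policy are assumptions; adjust them to match your proxy or firewall.

```python
# Endpoint entries copied from the lists above, keyed by connectivity type and label.
REQUIRED = {
    "standard": {
        "common": ["copilot.microsoft.com", "*.copilot.microsoft.com",
                   "challenges.cloudflare.com"],
        "bing": ["*.bing.com", "*.bingapis.com"],
    },
    "websockets": {
        "common": ["*.cloud.microsoft", "*.office.com",
                   "copilot.microsoft.com", "*.copilot.microsoft.com"],
        "bing": ["*.bing.com"],
    },
}

def covers(rule: str, required: str) -> bool:
    """True if allow rule `rule` permits every host named by `required`.

    Assumed semantics: a leading '*.' matches one or more extra labels
    and never the bare parent domain.
    """
    rule, required = rule.lower().rstrip("."), required.lower().rstrip(".")
    if rule == required:
        return True
    if not rule.startswith("*."):
        return False  # an exact rule covers only itself
    parent = required[2:] if required.startswith("*.") else required
    return parent.endswith(rule[1:])  # rule[1:] is ".example.com"

def find_gaps(allow: dict, use_bing: bool = True) -> dict:
    """Map (connectivity, label) -> required entries that no allow rule covers.

    `allow` holds one rule list per connectivity type, because a proxy can
    permit HTTPS to a host while still refusing the WebSocket upgrade.
    """
    gaps = {}
    for conn, groups in REQUIRED.items():
        for label, entries in groups.items():
            if label == "bing" and not use_bing:
                continue  # Bing entries only matter when web content is in use
            missing = [e for e in entries
                       if not any(covers(r, e) for r in allow.get(conn, []))]
            if missing:
                gaps[(conn, label)] = missing
    return gaps

# Constructed sample policy (not from the guide): apex host and WebSocket rules incomplete.
SAMPLE_ALLOW = {
    "standard": ["*.copilot.microsoft.com", "*.bing.com", "*.office.com"],
    "websockets": ["*.office.com", "*.microsoft.com"],
}
```

With the sample policy, the report shows that "*.copilot.microsoft.com" does not cover the bare copilot.microsoft.com host and that "*.microsoft.com" does not cover "*.cloud.microsoft", which is why the guide lists those entries separately.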

Connected experiences

Copilot for Microsoft 365 requires the Analyzed Content connected experience category in Office to be enabled for Copilot to work in Excel, PowerPoint, OneNote, and Word.

While this can be configured with Group Policy in Active Directory domain-connected environments, it must be configured in the Cloud Policy of Microsoft 365 at a minimum, given that the web experiences and modern apps are controlled exclusively by the Cloud Policy. Rich client Office applications (Win32 apps) are controlled by both Group Policy and Cloud Policy, with Group Policy taking precedence where both are in use. For organizations that use a combination of Group Policy and Cloud Policy, it's recommended that these are kept in alignment with one another to avoid confusion.

  1. It's recommended that the Allow the use of additional optional connected experiences in Office setting be disabled in sensitive environments, as these services are covered by consumer product terms and don't offer the same contractual commitments or security and compliance features as enterprise Microsoft 365 services.
  2. Copilot requires that both the general Allow the use of connected experiences in Office and the specific Allow the use of connected experiences in Office that analyze content settings are enabled.

Connected Experiences Cloud Policy.

For information on Connected experiences, including configuration documentation, see Copilot connected experiences.

Important

Feedback policy is also controlled by both the Group Policy and Cloud Policy mechanisms.

Third party cookies

Note

The term third party in this article does not refer to a separate organisation or entity providing this functionality; it describes browser cookies that do not originate from the same service domain. This is presently required to facilitate the authentication flow for Copilot.

To ensure full functionality of Copilot for Microsoft 365 within the web versions of Office apps, such as Word Online, Excel Online, and PowerPoint Online, it's necessary for the browser to have third-party cookies enabled. This allows the authentication tokens to be properly exchanged with the Microsoft services that power the Copilot experience.

Therefore, when using these applications, the browser settings on end-users’ devices must permit third-party cookies on sharepoint.com to facilitate this process.

Customers are encouraged to periodically check the requirements for Copilot for Microsoft 365 online documentation and actively monitor the Microsoft 365 Message Center for changes to this and other requirements over time.

License assignment

The Copilot for Microsoft 365 user subscription license (License ID: 639dec6b-bb19-468b-871c-c5c441c4b0cb) contains eight separate components, which can be enabled or disabled for individual users. Copilot is only available to users with a license assigned. If the license is removed from a user, the user loses access to Copilot.

Assigning Copilot user license components.

Copilot Studio in Copilot for Microsoft 365

License ID: fe6c28b3-d468-44ea-bbd0-a10a5167435c Copilot Studio is an extensibility feature that allows users to configure tailored Copilot experiences and create Power Platform plugins. This isn't a core feature required for Copilot for Microsoft 365 and should be considered separately.

This license item is Optional and should be enabled if Copilot Studio is used.

Graph connectors in Microsoft 365 Copilot

License ID: 82d30987-df9b-4486-b146-198b21d164c7 Organizations that choose to enable Graph connectors need to enable this feature for users that access data from those connectors. For more information, see guidance on connectors and service architecture.

This license item is Optional and should be enabled if Graph Connectors are enabled.

License ID: 931e4a88-a67f-48b5-814f-16a5f1e6028d These search enhancements are a core value inclusion in Copilot for Microsoft 365.

This license item should be Enabled.

Microsoft 365 Copilot for SharePoint

License ID: 0aedf20c-091d-420b-aadf-30c042609612 Integration with SharePoint in Microsoft 365 and OneDrive for work or school is a core feature in Copilot for Microsoft 365.

This license item should be Enabled unless SharePoint in Microsoft 365 and OneDrive for work or school are disabled.

Microsoft 365 Copilot for Microsoft Teams

License ID: b95945de-b3bd-46db-8437-f2beb6ea2347 Integration with Microsoft Teams is a core feature in Copilot for Microsoft 365.

This license item should be Enabled unless Microsoft Teams is disabled.

Microsoft 365 Copilot in productivity apps

License ID: a62f8878-de10-42f3-b68f-6149a25ceb97 Integration into the Office apps is a core feature of Copilot for Microsoft 365.

This license item should be Enabled unless Microsoft 365 Apps (Office) aren't used.

Microsoft Copilot with Graph-grounded chat

License ID: 3f30311c-6b1e-48a4-ab79-725b469da960 Graph-grounded chat connects Copilot Chat experiences with Microsoft 365 content through the Microsoft Graph. For more information, see Microsoft Graph service architecture.

This license item should be Enabled.

Power Platform connectors in Microsoft 365 Copilot

License ID: 89f1c4c8-0878-40f7-804d-869c9128ab5d Power Platform Connectors enable integration of data from Power Platform into Copilot for Microsoft 365 (see Connectors and Plugins service architecture). This affects the availability of Power Platform Connector Plugins, Power Automate Flow Plugins, and Dynamics 365 Plugins.

This license item is Optional and should be enabled if Power Platform Connectors are used.
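
The following added example (not from the original guide) turns the per-component guidance above into a plan for one tenant, builds the request body for the Microsoft Graph assignLicense action, and reports drift for a user whose components were set by hand. It assumes the first License ID is the value Graph expects as skuId and that the component License IDs are accepted in disabledPlans; the tenant flag names and the "search enhancements" label (its heading is absent from this page) are hypothetical.

```python
COPILOT_SKU = "639dec6b-bb19-468b-871c-c5c441c4b0cb"  # user subscription License ID

# Abbreviated component name -> (License ID from this page, tenant flag, default).
# flag None = "should be Enabled"; default False = "Optional";
# default True = "Enabled unless <service> is disabled". Flag names are hypothetical.
COMPONENTS = {
    "Copilot Studio": ("fe6c28b3-d468-44ea-bbd0-a10a5167435c", "copilot_studio", False),
    "Graph connectors": ("82d30987-df9b-4486-b146-198b21d164c7", "graph_connectors", False),
    "search enhancements": ("931e4a88-a67f-48b5-814f-16a5f1e6028d", None, True),
    "SharePoint": ("0aedf20c-091d-420b-aadf-30c042609612", "sharepoint_onedrive", True),
    "Microsoft Teams": ("b95945de-b3bd-46db-8437-f2beb6ea2347", "teams", True),
    "productivity apps": ("a62f8878-de10-42f3-b68f-6149a25ceb97", "office_apps", True),
    "Graph-grounded chat": ("3f30311c-6b1e-48a4-ab79-725b469da960", None, True),
    "Power Platform connectors": ("89f1c4c8-0878-40f7-804d-869c9128ab5d",
                                  "power_platform_connectors", False),
}

def plan(features: dict) -> dict:
    """Return {component name: True if it should be enabled} for this tenant."""
    known = {flag for _, flag, _ in COMPONENTS.values() if flag}
    unknown = set(features) - known
    if unknown:  # a mistyped flag would otherwise silently fall back to the default
        raise ValueError(f"unknown tenant flag(s): {sorted(unknown)}")
    return {name: True if flag is None else bool(features.get(flag, default))
            for name, (_, flag, default) in COMPONENTS.items()}

def assign_license_body(features: dict) -> dict:
    """Build the JSON body for Microsoft Graph POST /users/{id}/assignLicense."""
    disabled = [COMPONENTS[name][0] for name, on in plan(features).items() if not on]
    return {"addLicenses": [{"skuId": COPILOT_SKU, "disabledPlans": disabled}],
            "removeLicenses": []}

def drift(features: dict, currently_disabled: list) -> dict:
    """Compare the components disabled on a user today with the plan."""
    want = set(assign_license_body(features)["addLicenses"][0]["disabledPlans"])
    have = set(currently_disabled)
    return {"should_disable": sorted(want - have),
            "should_enable": sorted(have - want)}

# Constructed tenant: Teams is disabled, Graph connectors are in use.
SAMPLE_TENANT = {"teams": False, "graph_connectors": True}
```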