Service components for Copilot alignment to the ASD Blueprint

The Copilot for Microsoft 365 configuration and planning guide is intended for Australia and New Zealand sensitive and regulated industry customers, and is aligned with the Australian Signals Directorate (ASD) Blueprint for Secure Cloud configuration guidance for Microsoft 365.

This article examines the service components and the service boundary, which are essential for understanding Copilot in terms of the ASD Blueprint.

Service components

The following diagram is designed to help Copilot for Microsoft 365 customers gain a better understanding of the service architecture and serves as context for this page. Each element of this architecture is described in the following sections.

[Diagram: Copilot for Microsoft 365 architecture.]

Microsoft 365 service boundary

Microsoft 365 has a service boundary that encompasses the various Microsoft 365 services within it, ensuring they adhere to Microsoft 365’s architectural, software engineering, security, compliance, and privacy standards and controls. This boundary delineates the scope of the Microsoft 365 service from the wider Microsoft Cloud offerings and maintains a consistent standard across its components. Systems inside the boundary are subject to Microsoft 365’s rigorous compliance activity.

Copilot for Microsoft 365 operates within the Microsoft 365 service boundary, making it an integral part of the Microsoft 365 suite alongside other services such as SharePoint, Exchange, Teams, Planner, Microsoft 365 Search, and others. Copilot for Microsoft 365 is a core online service, which makes it subject to the strongest set of security and compliance contractual commitments within the Microsoft Product Terms.

Customer Microsoft 365 tenant

Microsoft 365 is a multi-tenanted public cloud Software-as-a-Service (SaaS) offering. Within Microsoft 365 the customer tenant is defined as the logical container for the organization’s content. It contains identifiers and encryption keys that are unique to each customer, and which secure their data and content.

There's a data-at-rest storage commitment for core services based on the sign-up location of the customer. This is where data accessed and generated by Copilot for Microsoft 365 is stored.

Copilot Orchestrator

The Copilot Orchestrator manages all interactions with Copilot for Microsoft 365. The Copilot Orchestrator isn't an AI, but a coordinator across AI models, data sources, and plugins that comprise the Copilot experience.

The Copilot Orchestrator receives the interaction from the end user and initiates a Retrieval-Augmented-Generation (RAG) process to generate a natural language response, which is processed through several steps before being delivered back to the user.

For more information about the Retrieval-Augmented-Generation process, see Microsoft’s Azure OpenAI Service online documentation.

Large language models

Large language models (LLMs) are advanced AI tools capable of interpreting and generating text in a way that resembles natural human language. They're trained on vast amounts of text data, learning statistical relationships that enable them to perform a wide range of language-related tasks. LLMs can generate coherent and contextually relevant text, translate languages, summarize content, answer questions, and even assist with creative writing or code generation.

Copilot for Microsoft 365 utilizes a combination of large language models, where each model is tuned to perform different tasks. Over time, Microsoft will continue to update and replace these models on behalf of customers to improve the performance, accuracy, energy efficiency, speed, and other characteristics of the Copilot service.

The large language models used by Copilot for Microsoft 365 are hosted by Microsoft in an instance of the Azure OpenAI Service exclusively for Microsoft 365. Microsoft doesn't train the large language models on customer data, nor is customer data retained by the Azure OpenAI Service. Copilot for Microsoft 365 automatically inherits your organization’s security, compliance, and privacy policies set in Microsoft 365 along with the content access permissions of the end user that initiates the interaction.

Microsoft Graph

The Graph is an integral part of every organization’s Microsoft 365 tenancy. It's where the search index resides, and it's the mechanism by which access to customer content is controlled. The Graph is the gatekeeper to content and plays an integral role in all Microsoft 365 interactions. It enforces the security permissions present on a customer’s content and provides secure, compliant, auditable access to that content.

Copilot for Microsoft 365 accesses content through the same mechanism that users go through when they access their files or perform a search on a day-to-day basis.

In this way, Copilot for Microsoft 365 can only access content the end user themselves already has access to. Therefore, the Large Language Model can't decide to access content the user doesn't have access to, as it's constrained by the same mechanism that constrains the user in other scenarios outside of Copilot.

Copilot for Microsoft 365 introduces an additional search indexing method to embed semantic understanding of concepts and language into the Microsoft Graph and enable Copilot and Microsoft 365 Search to better understand natural language expressions. This significantly improves the ability for Copilot to locate and use the most relevant content. This additional natural language data is called the Semantic Index.
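The following is an added illustration of the principle described in the Copilot Orchestrator and Microsoft Graph sections above: authorization is enforced at the retrieval step, using the requesting user's effective permissions, before any content reaches the language model. It is not Copilot's or Microsoft Graph's code; the documents, users, groups, ACLs and the keyword ranking are constructed sample data and a stand-in for the real index.

```python
"""Permission-trimmed retrieval for a RAG orchestrator (illustrative).

Added example: this is NOT Copilot's or Microsoft Graph's code. It models the
principle described above: the orchestrator retrieves content on behalf of a
user, the index applies that user's effective permissions before ranking, and
the language model only ever sees the trimmed result. All documents, users,
groups and ACLs below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    text: str
    # Principals (users or groups) allowed to read this item, as stored in the index.
    allowed: frozenset


@dataclass(frozen=True)
class User:
    upn: str
    groups: frozenset


# Constructed sample corpus with access control lists.
INDEX = [
    Document("doc-1", "Q3 board pack: revenue guidance and headcount plan", frozenset({"grp-executives"})),
    Document("doc-2", "Travel policy: book via the approved agency", frozenset({"grp-all-staff"})),
    Document("doc-3", "Payroll export June", frozenset({"alice@contoso.example"})),
    Document("doc-4", "Incident runbook: revenue system outage steps", frozenset({"grp-it-ops"})),
]


def effective_principals(user: User) -> frozenset:
    """The set of identities the index compares against each item's ACL."""
    return frozenset({user.upn}) | user.groups


def retrieve(user: User, query: str, index=INDEX, top_k: int = 3) -> list:
    """Retrieve ranked documents for `query`, trimmed to what `user` may read.

    The permission filter runs before ranking, so the model cannot 'decide' to
    see an item the user lacks access to: such items never enter the candidate set.
    """
    principals = effective_principals(user)
    visible = [d for d in index if d.allowed & principals]
    terms = {t.lower() for t in query.split()}
    # Toy keyword ranking standing in for the real search index.
    scored = [(sum(t in d.text.lower() for t in terms), d) for d in visible]
    scored = [(s, d) for s, d in scored if s > 0]
    scored.sort(key=lambda sd: (-sd[0], sd[1].doc_id))
    return [d for _, d in scored[:top_k]]


def build_prompt(user: User, query: str) -> str:
    """Orchestrator step: grounding context plus question, built only from trimmed results."""
    context = "\n".join(f"[{d.doc_id}] {d.text}" for d in retrieve(user, query))
    return f"Context:\n{context}\n\nQuestion: {query}"


if __name__ == "__main__":
    bob = User("bob@contoso.example", frozenset({"grp-all-staff", "grp-it-ops"}))
    alice = User("alice@contoso.example", frozenset({"grp-all-staff", "grp-executives"}))
    print([d.doc_id for d in retrieve(bob, "revenue plan")])    # ['doc-4']
    print([d.doc_id for d in retrieve(alice, "revenue plan")])  # ['doc-1']
```

The point of the structure is that the trimming is not a prompt instruction but a filter applied to the candidate set; the same query from two users yields different grounding context, and a query phrased to ask for another user's content returns nothing the requester could not already open.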

Connectors and plugins

Both connectors and plugins create access to data and systems outside of Microsoft 365. By design that means they can connect outside the Microsoft 365 service boundary.

[Diagram: How plugins and connectors interact with Copilot.]

Connectors | Plugins
--- | ---
Access external data | Add new skills
Run on a schedule | Run in real-time
One-way data flow (read) | Can support two-way data flow (read and write)
Great for static data sets, like file shares, intranets, and knowledge bases | Great for unconstrained data sets like web search, and app integrations like travel booking, or case management

Copilot Studio provides a low-code/no-code toolset for developing custom connectors and plugins for Copilot. Copilot Studio is included with Copilot for Microsoft 365 subscriptions and can be enabled or disabled on a per-user basis. For more information, see license assignment.

Connectors

Connectors run on a schedule to index external data into the Microsoft Graph. By indexing external content into the Graph, Copilot can then access that content. Connectors also improve the Microsoft 365 Search experience for users.

Connectors are useful for connecting large external repositories of business content. Some common examples of Connectors include File Shares, on-premises Intranets, knowledge bases, and an organization’s own public web site. These are relatively static, constrained sets of data. They're static in the sense that the data isn't generated in response to the specific interaction or the user context.

By indexing these data sources into the Microsoft Graph, users can access their content with Copilot (and Microsoft 365 Search) without needing to have a real-time connection to the source system.

There are a wide variety of existing Connectors available to customers to start bringing external sources of data into Microsoft 365 and into scope for Copilot. Connectors don't facilitate sending customer data outside the Microsoft 365 service boundary, but do bring data from outside the service boundary in.
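The following is an added illustration of the connector pattern described in this section: a scheduled, one-way (read-only) crawl of an external repository whose items are written into the tenant's index together with the principals allowed to read them, so that the same permission trimming applies to external content as to native content. It is not Microsoft's connector code; the external file share, the identity mapping and the items are constructed sample data, and the fail-closed handling of unmapped ACL entries is a design choice shown here, not something the page states about any particular connector.

```python
"""Connector ingest with permission mapping (illustrative).

Added example, not Microsoft's connector code. It models the connector pattern
described above: a scheduled, one-way (read) crawl of an external repository whose
items are written into the tenant's search index together with the principals
allowed to read them. The external source, the identity mapping and the items
are constructed sample data. The design choice shown is fail-closed: an item whose
external ACL cannot be mapped to a tenant principal is not indexed at all, rather
than indexed as readable by everyone.
"""
from datetime import datetime, timezone

# Constructed external repository (a file share) as one crawl run would see it.
EXTERNAL_ITEMS = [
    {"path": "//fs01/policies/travel.docx", "text": "Travel policy", "acl": ["DOMAIN\\Domain Users"]},
    {"path": "//fs01/finance/payroll.xlsx", "text": "Payroll June", "acl": ["DOMAIN\\FinanceTeam"]},
    # Orphaned SID with no tenant equivalent: must not become 'readable by everyone'.
    {"path": "//fs01/legacy/old.txt", "text": "Legacy notes", "acl": ["S-1-5-21-111-222-333-9999"]},
]

# Constructed mapping from external identities to tenant principals.
IDENTITY_MAP = {
    "DOMAIN\\Domain Users": "grp-all-staff",
    "DOMAIN\\FinanceTeam": "grp-finance",
}


def map_acl(external_acl, identity_map=IDENTITY_MAP):
    """Return the tenant principals for an external ACL, or None if any entry is unmapped."""
    mapped = []
    for entry in external_acl:
        principal = identity_map.get(entry)
        if principal is None:
            return None
        mapped.append(principal)
    return frozenset(mapped)


def crawl(items=EXTERNAL_ITEMS, identity_map=IDENTITY_MAP, now=None):
    """One scheduled run. Returns (indexed_entries, skipped_paths).

    Data flows one way: the external repository is only read; nothing is written back.
    """
    now = now or datetime.now(timezone.utc)
    indexed, skipped = [], []
    for item in items:
        principals = map_acl(item["acl"], identity_map)
        if not principals:  # None (unmapped entry) or empty ACL: fail closed
            skipped.append(item["path"])
            continue
        indexed.append({
            "id": "ext:" + item["path"],
            "text": item["text"],
            "allowed": principals,
            "source": "connector:fs01",
            "indexed_at": now.isoformat(),
        })
    return indexed, skipped


def visible_to(index, principals):
    """The same trimming the tenant's own content gets: item ACL intersected with the user's principals."""
    return [e["id"] for e in index if e["allowed"] & set(principals)]


if __name__ == "__main__":
    entries, skipped = crawl()
    print("indexed:", [e["id"] for e in entries])
    print("skipped (unmapped ACL):", skipped)
    print("finance sees:", visible_to(entries, {"grp-all-staff", "grp-finance"}))
    print("staff sees:", visible_to(entries, {"grp-all-staff"}))
```

The skipped list is what a defender would want surfaced from each run: items silently indexed without a faithful ACL are the usual way a connector turns a badly permissioned share into content that Copilot and Microsoft 365 Search expose too widely.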

For more information on connectors and their security, see Copilot connectors and Connector security model.

Plugins

Plugins (Bing, etc.) are distinct from Connectors in that they run in real-time during the interaction execution to provide new skills and knowledge to Copilot. For example, the included Access to web content (Bing integration) Plugin allows real-time integration of public web content to enrich the knowledge available to Copilot.

The web content plugin enables a new real-time query source for Copilot to include. It enables Copilot to search not only content from inside the Microsoft 365 tenant (via the Microsoft Graph) but also web content (via Bing) in parallel. This can be useful for integrating public content on a subject with private knowledge contained within the Microsoft Graph. Knowledge of current and recent events, up to date industry news and developments, and other quality online sources can greatly improve the quality of Copilot generated content and responses.

Another example would be a plugin to a travel booking system that Copilot can provide a natural language interface to, such that a user could search for and organize flights from within a Copilot Chat experience. This can provide new, integrated, and streamlined user experiences on top of non-Microsoft systems.

It's also possible for customers to create their own plugins to provide new skills and integrate other line of business applications with Copilot, enhancing the knowledge and skill set of Copilot for the organization’s staff.

For more information on Copilot plugins, see the online extensibility guide.

There are five plugin types that customers can add, build, or purchase for Copilot to use:

  • Access to web content (Bing integration) plugin: This is a preincluded plugin for integrating web content from the Bing search engine. For more information, see Access to web content (Bing integration).
  • Teams message extensions: These operate across Microsoft Teams, Outlook, and Copilot Chat. They support sophisticated interactions with other systems through a message card interface.
  • Power Platform connector plugins: These run in the Microsoft Power Platform and provide connectivity to common platforms like FreshDesk, GitHub, MailChimp, MSN Weather, Salesforce, ServiceNow, Twilio, and Zendesk. Power Platform Connector Plugins are read-only.
  • Power Automate Flow plugins: These provide connection between Copilot and your Power Automate Flows to be able to run a Flow and return its results back to Copilot. This provides a powerful no-code extensibility option that customers can use to develop their own skills and integrations for Copilot with relatively little effort. Power Automate Flow Plugins are read-only.
  • Dynamics 365 plugins: These are Microsoft provided plugins to the Dynamics 365 business applications including Sales, Customer Service, Field Service, and Supply Chain.