Manage Copilot

Microsoft Copilot for Microsoft Entra account users

For users signed in with a Microsoft Entra account, Microsoft Copilot offers enterprise data protection (EDP) and a new, simplified, ad-free user interface designed for work and education.

Note

Government cloud customers and students under 18 are not yet eligible.

Microsoft Copilot service plan is now retired

Commercial data protection in Microsoft Copilot was previously managed with a service plan called the 'Commercial data protection for Microsoft Copilot' service plan. This service plan no longer applies and is now retired as indicated by "RETIRED" being added to the service plan name.

Microsoft Copilot now offers enterprise data protection (EDP) to users who sign in with a Microsoft Entra account without the need to manage a service plan. IT admins aren't required to take any action for Microsoft Entra account users to receive EDP in Microsoft Copilot—users simply need to sign in to Microsoft Copilot with their Microsoft Entra account.

How to pin Microsoft Copilot in the Microsoft 365 app, Microsoft Teams, and Outlook

To ensure people across your organization have easy access to Microsoft Copilot and can benefit from the security and experience updates to Copilot, we recommend you enable in-app access by pinning Microsoft Copilot.

If you choose to pin Microsoft Copilot for your users, it appears in the Microsoft 365 app (web, Windows, and mobile). Copilot in other Microsoft 365 apps like Word, Excel, and PowerPoint requires a Microsoft 365 Copilot subscription.

Note

Copilot in Microsoft Teams and Outlook is coming soon. Once available, Copilot will be pinned in Teams and Outlook if you choose to pin Copilot.

The option to pin Copilot can be found under Settings on the Copilot page in the Microsoft 365 admin center (Global Admin permissions required).

Get more details on how to pin Microsoft Copilot for your users.

Note

Copilot is pinned by default for users with a Microsoft 365 Copilot license.

Managing web search queries in Microsoft Copilot

To help improve the quality of responses, Copilot can use web search queries sent to the Bing search service to ground responses in the latest information from the web. Learn more about how generated web search queries work in Copilot. Web search is managed in Microsoft Copilot as part of optional connected experiences for Microsoft 365. Optional connected experiences can be managed at the user- and group-level. To manage, use the privacy settings for optional connected experiences for Microsoft 365. Changing the settings for optional connected experiences also manages web search in both work and web modes in Microsoft 365 Copilot for users with that license.

Note

  • If you turn off web search, web queries will not be sent to the Bing search service in either Microsoft Copilot or Microsoft 365 Copilot. For Microsoft Copilot, no web search means Copilot will only use the underlying large language model (LLM) to generate responses. For Microsoft 365 Copilot, no web search means Copilot will only use the LLM to generate graph-grounded responses.
  • Turning off optional connected experiences restricts Microsoft Copilot, Microsoft 365 Copilot, and multiple experiences across Microsoft 365.
  • If you don’t have a subscription plan that includes Microsoft 365 apps, the privacy setting for optional connected experiences doesn’t apply. In this case, there's no way to manage web search.

Learn more about data, privacy, and security for web queries in Copilot.

Network requirements

Copilot enables AI scenarios that access the web, so it may need to connect to specific network endpoints (domains). For Copilot to work, you need to allowlist the following domains:

  • *.cloud.microsoft
  • *.office.net
  • *.office.com
  • *.microsoft365.com
  • admin.microsoft.com
  • browser.events.data.microsoft.com
  • browser.pipe.aria.microsoft.com
  • login.microsoftonline.com
  • config.edge.skype.com
  • graph.microsoft.com
  • designer.microsoft.com (needed for creating images)
  • allow WebSocket connections to substrate.office.com:443

For Copilot in Edge to work, you need to allowlist the following domains:

  • *.bing.com
  • *.bing.net
  • login.live.com
  • challenges.cloudflare.com
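
To audit an existing proxy or firewall allowlist against the two lists above, the following added example (not part of the original documentation) reports which required entries are not covered. The wildcard semantics (`*.d` matches subdomains of `d` but not `d` itself) and the sample allowlist are assumptions; whether WebSocket upgrades to substrate.office.com:443 are permitted must be checked separately on the proxy.

```python
# Required endpoints copied from the two lists above.
COPILOT = ["*.cloud.microsoft", "*.office.net", "*.office.com", "*.microsoft365.com",
           "admin.microsoft.com", "browser.events.data.microsoft.com",
           "browser.pipe.aria.microsoft.com", "login.microsoftonline.com",
           "config.edge.skype.com", "graph.microsoft.com", "designer.microsoft.com",
           "substrate.office.com"]
COPILOT_IN_EDGE = ["*.bing.com", "*.bing.net", "login.live.com",
                   "challenges.cloudflare.com"]

# Constructed sample of an organization's current allowlist (not real data).
SAMPLE_ALLOWLIST = ["*.office.com", "www.office.net", "*.microsoft.com",
                    "*.cloud.microsoft", "login.microsoftonline.com",
                    "*.bing.com", "login.live.com"]


def _norm(entry):
    """Lower-case and drop surrounding whitespace and a trailing root dot."""
    return entry.strip().lower().rstrip(".")


def covers(allow, required):
    """True if allowlist entry `allow` permits everything `required` names."""
    allow, required = _norm(allow), _norm(required)
    if allow == required:
        return True
    if not allow.startswith("*."):
        # A single host never covers a different host or a wildcard requirement.
        return False
    suffix = allow[1:]  # "*.office.com" -> ".office.com"
    # Compare on the dotted suffix so "notoffice.com" cannot match "*.office.com".
    name = required[1:] if required.startswith("*.") else required
    return name.endswith(suffix) and name != suffix


def missing(required, allowlist):
    """Return the required entries that no allowlist entry covers, in order."""
    return [r for r in required if not any(covers(a, r) for a in allowlist)]


if __name__ == "__main__":
    print("Copilot gaps:        ", missing(COPILOT, SAMPLE_ALLOWLIST))
    print("Copilot in Edge gaps:", missing(COPILOT_IN_EDGE, SAMPLE_ALLOWLIST))
```

Note that the single host `www.office.net` in the sample does not satisfy the `*.office.net` requirement, and `*.microsoft.com` does not cover `*.microsoft365.com`.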

Microsoft 365 Copilot adds generative AI capabilities when using Microsoft 365 applications. It therefore must use the same network connections and endpoints that Microsoft 365 apps use.

See the full documentation of network requirements for Microsoft 365 Copilot, which provides a complete list of domains and WebSockets (WSS) that an organization's network shouldn't block.

How to access Microsoft Copilot with enterprise data protection using a Microsoft Entra account

Previously, admins had to enable the "Commercial data protection in Microsoft Copilot" service plan to ensure your users signed in to Copilot with a Microsoft Entra account. Enabling the service plan was how admins made sure their users received commercial data protection when using Copilot. If you previously used DNS redirects or HTTP header injections in the service plan, you don't need to remove or alter them.

With the updates to Microsoft Copilot, users can now access the Copilot experience designed for work or education from dedicated access points. These access points include:

  • The Microsoft 365 app (web, desktop, mobile)

    The user or admin must elect to pin Copilot for it to show up in the Microsoft 365 app.

    Note

    Coming soon, Copilot will also be pinned in Microsoft Teams and Outlook if the user or admin chooses to pin Copilot.

  • Copilot.cloud.microsoft

    If the user or admin chooses to pin Copilot, or if the user has a Microsoft 365 Copilot license, they're redirected to the experience in the Microsoft 365 app (m365.cloud.microsoft/chat).

  • Copilot in the Microsoft Edge sidebar

    We recommend that users sign in to Edge with their Microsoft Entra account. Doing so ensures they're signed in to Copilot in the Edge sidebar and receive enterprise data protection.

Personal use of Copilot, outside work or education scenarios, is now accessed primarily through copilot.microsoft.com and bing.com/chat. These access points redirect to the dedicated work and education access points listed above if a user signs in with a Microsoft Entra account. Users who are not signed in or who sign in with a personal account receive the personal Copilot experience. To ensure that users access Copilot with enterprise data protection for work and education, you can manage your environment so users only access Copilot from one of the dedicated access points that are listed in the bullets above.

Manage Copilot in Edge

Users can control whether Copilot in Edge can access page content by going to Microsoft Edge > Settings > Sidebar > App and notification settings > App specific settings > Copilot, and then turning the 'Allow Microsoft to access page content' toggle on or off.

Admins can use multiple group policy settings to manage the behavior of the Copilot in Edge sidebar:

  • To allow or block Copilot in Edge from using browsing context, use the DiscoverPageContextEnabled policy. This policy can prevent webpage or PDF content from being used to respond to prompts.
  • To disable Copilot in Edge entirely, use the HubsSidebarEnabled policy. Blocking Copilot in Edge automatically blocks all Edge sidebar apps from being enabled.

Managing Microsoft Copilot in the Microsoft 365 mobile app

Microsoft Copilot is also available in the Microsoft 365 mobile app when eligible users are signed in with their Microsoft Entra accounts. Users get the same data security, privacy, and compliance standards and Copilot functionality—such as the ability to upload documents, craft and polish content, and create stunning images—directly within the Microsoft 365 app.

To manage Copilot in the Microsoft 365 (Office) app, admins can use the Microsoft Intune policy, group policy, or the Microsoft 365 admin center. Refer to documentation found here: Manage Microsoft 365 (Office) for iOS and Android with Intune.

Removing access to Microsoft Copilot

Microsoft Copilot enhances data security, privacy, and compliance by offering enterprise data protection (EDP).

If you wish to prevent access to Microsoft Copilot with enterprise data protection for your users, follow these steps:

  • Don't pin Microsoft Copilot to the Microsoft 365 app, Teams, and Outlook: Using the control found under Settings on the Copilot page in the Microsoft 365 admin center, select "Do not pin Microsoft Copilot to the navigation bar." Then uncheck "Allow users to be asked whether they want to pin it." Learn more about pinning Microsoft Copilot.

  • Web: Block copilot.cloud.microsoft using a corporate proxy.

    Note

    Blocking copilot.cloud.microsoft also blocks this URL for users with a Microsoft 365 Copilot license.

  • Microsoft Edge: Use the EdgeSidebarAppUrlHostBlockList policy to control which sidebar apps, including Copilot, are blocked (except the Search app).

    • You can find these URLs at edge://sidebar-internals. The sidebar internals JSON file includes a manifest for built-in sidebar apps, including a "target": {"url": "xyz"} parameter for each app. You can use these values to configure the policy.
  • Microsoft 365 mobile app: Use Intune app protection and configuration policies with Microsoft 365 (Office) for iOS and Android to ensure collaboration experiences are always accessed with safeguards in place.

    • Key: com.microsoft.office.officemobile.BingChatEnterprise.IsAllowed
    • Value
      • True (default): Copilot is enabled for the tenant
      • False: Copilot is disabled for the tenant

    Note

    This also blocks Copilot in the Microsoft 365 mobile app for users with a Microsoft 365 Copilot license.
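
For the EdgeSidebarAppUrlHostBlockList step above, the following added example (not part of the original documentation) pulls every "target": {"url": ...} value out of a saved copy of the edge://sidebar-internals JSON and builds candidate block-list entries for the hosts an admin selects. Only the "target"/"url" shape comes from this page; the sample manifest, its other keys, the `.example` hosts, and the `scheme://host` entry format are assumptions to confirm against the policy documentation.

```python
import json
from urllib.parse import urlsplit

# Constructed stand-in for a file saved from edge://sidebar-internals.
# Every key other than "target"/"url", and every URL, is invented for illustration.
SAMPLE = json.loads("""
{"apps": [
  {"name": "Example Copilot entry", "target": {"url": "https://copilot.example/chat?sidebar=1"}},
  {"name": "Example Games entry",   "target": {"url": "https://games.example/hub"}},
  {"name": "Malformed entry",       "target": {"url": "not a url"}},
  {"group": {"items": [
    {"name": "Nested entry", "target": {"url": "https://COPILOT.example/other"}}
  ]}}
]}
""")


def target_urls(node):
    """Yield every target.url string found anywhere in the parsed JSON."""
    if isinstance(node, dict):
        target = node.get("target")
        if isinstance(target, dict) and isinstance(target.get("url"), str):
            yield target["url"]
        for value in node.values():
            yield from target_urls(value)
    elif isinstance(node, list):
        for item in node:
            yield from target_urls(item)


def blocklist_entries(manifest, wanted_hosts):
    """Return de-duplicated scheme://host entries for the hosts chosen for blocking."""
    wanted = {h.lower() for h in wanted_hosts}
    entries = []
    for url in target_urls(manifest):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Skip values that are not http(s) URLs or are not on the admin's list.
        if parts.scheme in ("http", "https") and host in wanted:
            entry = f"{parts.scheme}://{host}"
            if entry not in entries:
                entries.append(entry)
    return entries


if __name__ == "__main__":
    print(blocklist_entries(SAMPLE, ["copilot.example"]))
```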