Sdílet prostřednictvím


Manage Copilot

Microsoft Copilot for Microsoft Entra account users

For users signed in with a Microsoft Entra account, Microsoft Copilot offers enterprise data protection (EDP) and a new, simplified, ad-free user interface designed for work and education.

Note

US government cloud customers and students under 18 are not yet eligible.

Microsoft Copilot service plan is now retired

Commercial data protection in Microsoft Copilot was previously managed with a service plan called the 'Commercial data protection for Microsoft Copilot' service plan. This service plan no longer applies and is now retired as indicated by "RETIRED" being added to the service plan name.

Microsoft Copilot now offers enterprise data protection (EDP) to users who sign in with a Microsoft Entra account without the need to manage a service plan. IT admins aren't required to take any action for Microsoft Entra account users to receive EDP in Microsoft Copilot—users simply need to sign in to Microsoft Copilot with their Microsoft Entra account.

How to pin Microsoft Copilot in the Microsoft 365 app, Microsoft Teams, and Outlook

To ensure people across your organization have easy access to Microsoft Copilot and can benefit from the security and experience updates to Copilot, we recommend you enable in-app access by pinning Microsoft Copilot.

If you choose to pin Microsoft Copilot for your users, it appears in the Microsoft 365 app (web, Windows, and mobile). Copilot in other Microsoft 365 apps like Word, Excel, and PowerPoint requires a Microsoft 365 Copilot subscription.

Note

Copilot in Microsoft Teams and Outlook is coming soon. Once available, Copilot will be pinned in Teams and Outlook if you choose to pin Copilot.

The option to pin Copilot can be found under Settings on the Copilot page in the Microsoft 365 admin center. (Global Admin permissions required).

Get more details on how to pin Microsoft Copilot for your users.

Note

Copilot is pinned by default for users with a Microsoft 365 Copilot license.

Managing web search queries in Microsoft Copilot

To help improve the quality of responses, Copilot can use web search queries sent to the Bing search service to ground responses in the latest information from the web. Learn more about how generated web search queries work in Copilot. Web search is managed in Microsoft Copilot as part of optional connected experiences for Microsoft 365. Optional connected experiences can be managed at the user- and group-level. To manage, use the privacy settings for optional connected experiences for Microsoft 365. Changing the settings for optional connected experiences also manages web search in both work and web modes in Microsoft 365 Copilot for users with that license.

Note

  • If you turn off web search, web queries will not be sent to the Bing search service in both Microsoft Copilot and Microsoft 365 Copilot. For Microsoft Copilot, no web search means Copilot will only use the underlying large language model (LLM) to generate responses. For Microsoft 365 Copilot, no web search means Copilot will only use the LLM to generate graph-grounded responses.
  • Turning off optional connected experiences restricts Microsoft Copilot, Microsoft 365 Copilot, and multiple experiences across Microsoft 365.
  • If you don't have a subscription plan that includes Microsoft 365 apps, the privacy setting for optional connected experiences doesn't apply. In this case, there's no way to manage web search.
  • In November 2024, we'll add a new policy to provide you with more control for making web search available to your users. The policy will be called "Allow web search in Copilot" and will be available only in the Cloud Policy service for Microsoft 365. We'll update this section with more details once the new policy is available.

Learn more about data, privacy, and security for web queries in Copilot.

Network requirements

Copilot enables AI scenarios that access the web, so it may need to connect to specific network endpoints (domains). For Copilot to work, you need to allowlist the following IPs:

  • *.cloud.microsoft
  • *.office.net
  • *.office.com
  • *.microsoft365.com
  • admin.microsoft.com
  • browser.events.data.microsoft.com
  • browser.pipe.aria.microsoft.com
  • login.microsoftonline.com
  • config.edge.skype.com
  • graph.microsoft.com
  • designer.microsoft.com (needed for creating images)
  • allow WebSocket connections to substrate.office.com:443

For Copilot in Edge to work, you need to allowlist the following IPs:

  • *.bing.com
  • *.bing.net
  • login.live.com
  • challenges.cloudflare.com

Microsoft 365 Copilot adds generative AI capabilities when using Microsoft 365 applications. It therefore must use the same network connections and endpoints that Microsoft 365 apps use.

See the full documentation of network requirements for Microsoft 365 Copilot, which provides a complete list of domains and WebSockets (WSS) that an organization's network shouldn't block.

How to ensure users access Microsoft Copilot for work and education with enterprise data protection

Previously, the Microsoft Copilot experiences for both personal use and for work and education were accessible from the same shared locations. These locations included copilot.microsoft.com and bing.com/chat. Users saw either the personal experience or the work and education experience depending on how they had signed in.

With the recent updates to Microsoft Copilot, the personal experience and the work and education experience are now separate—they're no longer accessible from the same shared locations. Now, each experience can only be accessed from locations specific to each.

To understand the locations where users can access each distinct experience, see this table:

Location Personal use experience Work or education experience
Microsoft Copilot (unauthenticated/ signed in with personal account) Microsoft Copilot (signed in with Entra account) or Microsoft 365 Copilot
Copilot.microsoft.com Yes No
Bing.com/chat Yes No
Copilot app (mobile, desktop/Windows) Yes No
Copilot.cloud.microsoft No Yes
Microsoft 365 app (web, desktop/Windows, mobile) No Yes
Microsoft Edge Yes Yes

Note

The Copilot experience in the Windows sidebar is being replaced by the Copilot app (for personal use) and the Microsoft 365 app (for work and education). To access the work or education experience, use the Microsoft 365 app.

If a user visits a location specific to one experience, they're only able to sign in to that experience. For example, if a user visits copilot.microsoft.com, they're only able access the personal experience, either in an unauthenticated state or by signing in with a personal account. If a user tries to sign in to copilot.microsoft.com with an Entra account, they're not able to do so. Instead, they're either redirected to one of the locations specific to work and education or notified that they should visit a different location to access Copilot for work and education.

To ensure your users access the Microsoft Copilot experience for work and education with enterprise data protection, you can educate or guide your users to one of the locations specific to it:

You can also manage the specific locations where users may access the Copilot experience for personal use:

Additionally, you can manage whether your users can sign in to the Microsoft 365 apps using a personal account (MSA). For this, use tenant restriction V2.

Manage Copilot in Edge

Users can modify this permission by going to Microsoft Edge > Settings > Sidebar > Copilot, and then turning on or off the 'Allow Microsoft to access page content' toggle.

Admins can use multiple group policy settings to manage the behavior of the Copilot in Edge sidebar:

  • To allow or block Copilot in Edge from using browsing context, use the EdgeEntraCopilotPageContext policy. This policy can prevent Copilot with enterprise data protection from using webpage or PDF content when it formulates responses to prompts.
  • To disable Copilot in Edge entirely, use the HubsSidebarEnabled policy. Blocking Copilot in Edge automatically blocks all Edge sidebar apps from being enabled.
  • To allow or block Copilot in Edge from using browsing context when users are signed in with their personal MSA Bing account while in the Edge work profile, use the CopilotPageContext policy. This policy prevents the personal Copilot version without enterprise data protection from using webpage or PDF content when it formulates responses to prompts.

Managing Microsoft Copilot in the Microsoft 365 mobile app

Microsoft Copilot is also available in the Microsoft 365 mobile app when eligible users are signed in with their Microsoft Entra accounts. Users get the same data security, privacy, and compliance standards and Copilot functionality—such as the ability to upload documents, craft and polish content, and create stunning images—directly within the Microsoft 365 app.

To manage Copilot in the Microsoft 365 (Office) app, admins can use the Microsoft Intune policy, group policy, or the Microsoft 365 admin center. Refer to documentation found here: Manage Microsoft 365 (Office) for iOS and Android with Intune.

Removing access to Microsoft Copilot

Microsoft Copilot enhances data security, privacy, and compliance by offering enterprise data protection (EDP).

If you wish to prevent access to Microsoft Copilot with enterprise data protection for your users, follow these steps:

  • Don't pin Microsoft Copilot to the Microsoft 365 app, Teams, and Outlook: Using the control found under Settings on the Copilot page in the Microsoft 365 admin center, select "Do not pin Microsoft Copilot to the navigation bar." Then uncheck "Allow users to be asked whether they want to pin it." Learn more about pinning Microsoft Copilot.

    Note

    This only applies to Microsoft Copilot users. Copilot will still be pinned in the Microsoft 365 app for users who are assigned a Microsoft 365 Copilot license.

  • Web: Block copilot.cloud.microsoft using a corporate proxy.

    Note

    Microsoft 365 Copilot users cannot access Copilot from copilot.cloud.microsoft—if they visit copilot.cloud.microsoft, they're redirected to the Microsoft 365 app (m365.cloud.microsoft/chat). If you block copilot.cloud.microsoft, please direct your Microsoft 365 Copilot users to access Copilot in the Microsoft 365 app (m365.cloud.microsoft/chat).

  • Microsoft Edge: Use the EdgeSidebarAppUrlHostBlockList policy to control which sidebar apps, including Copilot, are blocked (except the Search app).

    • You can find these URLs at edge://sidebar-internals. The sidebar internals JSON file includes a manifest for built-in sidebar apps, including a "target": {"url": "xyz"} parameter for each app. You can use these values to configure the policy.
  • Microsoft 365 mobile app: Use Intune app protection and configuration policies with Microsoft 365 (Office) for iOS and Android to ensure collaboration experiences are always accessed with safeguards in place.

    • Key: com.microsoft.office.officemobile.BingChatEnterprise.IsAllowed
    • Value
      • True (default): Copilot is enabled for the tenant
      • False: Copilot is disabled for the tenant

    Note

    This also blocks Copilot in the Microsoft 365 mobile app for users with a Microsoft 365 Copilot license.