Commercial data protection eligibility
Microsoft Copilot (formerly Bing Chat Enterprise) adds commercial data protection for eligible users signed in with work or school accounts (Entra ID). Currently, commercial data protection is available in Copilot for users with an eligible Microsoft 365 license:
- Microsoft 365 E3
- Microsoft 365 E5
- Microsoft 365 F3
- Microsoft 365 Business Standard
- Microsoft 365 Business Premium
- Microsoft 365 A3 or A5 for faculty
Commercial data protection in Copilot isn't currently available for government cloud customers or for student use. Copilot will add commercial data protection to more work and school accounts (Entra ID) over time.
Copilot is governed by the Universal License Terms for Online Services.
Managing commercial data protection using the service plan
To receive commercial data protection, users must sign in to Copilot with their eligible work or school account (Entra ID). Users signed in to Copilot with MSA accounts don't receive commercial data protection.
The Copilot service plan (part number: bing_chat_enterprise) must be enabled for your eligible users to receive commercial data protection when they're signed in to Copilot with their work or school account (Entra ID). The Copilot service plan is included with your eligible users' Microsoft 365 licenses. To help ensure that your users are using Copilot with commercial data protection, the service plan is enabled by default.
PowerShell allows you to bulk assign and remove licenses for your intended users. Learn more about how to assign Microsoft 365 licenses to user accounts with PowerShell or how to disable access to Microsoft 365 services with PowerShell.
Changes can take up to 48 hours to go into effect.
Managing Copilot for Microsoft 365 E3/E5 Original subscriptions
Organizations with Microsoft 365 E3 or E5 Original subscriptions purchased through an Enterprise Agreement (EA) now also have subscriptions for Microsoft 365 E3 Extra Features, which include the Copilot (formerly Bing Chat Enterprise) service plan to assign to your users.
You first need to assign the Microsoft 365 Extra Features product to your users and enable the Copilot service plan. These steps allow your users to receive commercial data protection when they sign in to Copilot with their work or school account (Entra ID).
It may take up to 48 hours after assigning the Microsoft 365 Extra Features product for your users to receive commercial data protection when signed in to Copilot with their work or school account (Entra ID).
Require commercial data protection in Copilot
To ensure that your users have commercial data protection when they use Copilot, you need to:
- Enforce commercial data protection: Enable the Copilot service plan for your eligible users
- Prevent use of Copilot without commercial data protection: Update your DNS configuration by setting the DNS entry for www.bing.com to be a CNAME for nochat.bing.com
Note: Use a CNAME rather than the nochat.bing.com IP because the CNAME continues to work even if the IP for nochat.bing.com changes.
By taking these steps, you'll be requiring users to sign in to Copilot with their work or school account (Entra ID) so they receive commercial data protection. This configuration applies when accessing Copilot through copilot.microsoft.com, bing.com/chat, Copilot in Edge, and Copilot in Windows.
Copilot makes it clear that commercial data protection is turned on by featuring a unique design. Above the chat input box and on top of every chat answer, users see a message confirming 'Your personal and company data are protected in this chat.' Additionally, users see a green 'Protected' label next to their user profile icon and name at the top of the experience.
This configuration only applies when devices are connected to your corporate network. Copilot is a public service, like search, and remains available if accessed outside the corporate network.
The above solution is not supported on copilot.microsoft.com. We are planning to extend this capability to that entry point in the future.
To block access to Copilot in Edge only, see the Copilot in Edge documentation.
Note: Blocking the <www.bing.com> IP could also block other Microsoft domains.