Get started with Microsoft 365 Copilot - admin guide
Microsoft 365 Copilot is an AI-powered productivity tool that uses large language models (LLMs). It integrates with your data, with Microsoft Graph, and with Microsoft 365 Apps.
It works alongside popular Microsoft 365 Apps, like Word, Excel, PowerPoint, Outlook, Teams, and more. Copilot provides real-time intelligent assistance, enabling users to enhance their creativity, productivity, and skills.
This article covers how IT admins can prepare their organization for Copilot.
Tip
If you're an end user, then the Copilot Lab is a good resource.
Before you begin
This section gives an overview of the prerequisites (licensing and admin centers access), and apps that can use Copilot. There might be more requirements at Microsoft Copilot 365 requirements.
Prerequisites
This article uses the following admin centers. These admin centers require a specific role to complete the tasks in the article.
Microsoft 365 admin center: There are different roles, depending on the task you need to complete. To learn more about roles, see Commonly used Microsoft 365 admin center roles.
SharePoint admin center: Sign in as the SharePoint administrator.
Microsoft Purview portal: There are different roles, depending on the task you need to complete. To learn more, see:
You must have an appropriate subscription plan to purchase Microsoft 365 Copilot.
You can purchase Microsoft 365 Copilot licenses through the Microsoft 365 admin center (Billing > Purchase services), Microsoft partners, or your Microsoft account team.
Microsoft 365 Copilot licenses are available as an add-on to other licensing plans. To learn more, see Understand licensing for Microsoft 365 Copilot.
More licenses might be required to use some of the features describes in this article, like Microsoft Purview and SharePoint Advanced Management.
To learn more, see:
App requirements
Microsoft 365 Apps - Including desktop applications, like Word, Excel, PowerPoint, Outlook, and Teams. Copilot is available in web versions of the apps when a license is assigned. To get started with the implementation process, see Deployment guide for Microsoft 365 Apps.
OneDrive Account - You need a OneDrive account for several features within Microsoft 365 Copilot, like saving and sharing your files. For more information, see Sign in or create an account for OneDrive.
Outlook for Windows - For seamless integration of Microsoft 365 Copilot with Outlook, new Outlook (Windows, Mac, Web, Mobile) is recommended. Copilot does support classic Outlook (Windows). You can switch to Outlook Mobile to access the new Outlook experience. For more information, see Getting started with the new Outlook for Windows.
Microsoft Teams - To use Microsoft 365 Copilot with Microsoft Teams, you must download the Teams desktop client or web client, or sign into the web app at https://teams.microsoft.com. Both the current and the new version of Teams are supported. For more information, see Microsoft Teams desktop client.
To enable Copilot in Teams to reference meeting content after the meeting end, transcription or meeting recording must be enabled. To learn more about configuring transcription and recording, see Configure transcription and captions for Teams meetings and Teams meeting recording.
Microsoft Loop - To use Copilot in Microsoft Loop, you must have Loop enabled for your tenant. For more information on enabling Loop, see Get started with Microsoft Loop.
Microsoft Whiteboard - To use Microsoft 365 Copilot with Microsoft Whiteboard, you must have Whiteboard enabled for your tenant. To learn more about Microsoft Whiteboard, see Manage access to Microsoft Whiteboard for your organization.
Step 1 - Optimize search in SharePoint
✅ Optimize your SharePoint content for search
When a user makes a request to Copilot, it processes the request and then generates a response with LLMs. LLMs leverage content from Microsoft Graph and web content (optional).
Content in Microsoft Graph includes emails, files, meetings, chats, calendars, and contacts. A significant portion of this data is stored in SharePoint. Copilot gathers SharePoint content in the same way SharePoint Search gathers content.
To get the most out of Copilot and get the best results, optimize your SharePoint content for search:
Microsoft 365 Copilot allows users to find and access their content through natural language prompting. Copilot ensures data security and privacy by following existing obligations and integrating with your organization's policies. It uses your Microsoft Graph content with the same access controls as other Microsoft 365 services.
To learn more about privacy with Microsoft 365 Copilot, see Data, Privacy, and Security for Microsoft 365 Copilot.
Step 2 - Apply principles of Just Enough Access
Prevent sharing and control access with SharePoint and OneDrive
To get ready for your organization’s Microsoft 365 Copilot adoption, there are a few highly recommended steps you can take with SharePoint and OneDrive.
To start, you can:
✅ Reduce accidental oversharing with SharePoint sharing settings
To minimize accidental content oversharing with Copilot results, implement sharing settings at the organization and site levels:
At the organization level:
Update sharing settings for SharePoint and OneDrive for your tenant from organization-wide sharing to specific people links.
Consider hiding broad-scope permissions from your end users. For example, use the SharePoint
Set-SPOTenant
PowerShell cmdlet to hide "Everyone Except External Users" in the People Picker control so end users can't use it.Use Restricted SharePoint Search (RSS) to temporarily restrict Copilot results up to 100 selected SharePoint sites. Child sites of Hub sites aren't counted toward the 100 limit.
RSS gives you time to review & audit site permissions. It should be used only as a temporary solution to give your organization time to adopt Copilot.
Reduce accidental oversharing at the site level:
- Educate site admins on the site-level controls they can use to restrict members from sharing.
- Make sure that Site Owners receive a request to access the site.
- Change the external sharing setting for a user's OneDrive. When a user saves a file to OneDrive, it's in the end user's personal storage. The user has full control over the file and can share it with others. To ensure data security, review OneDrive sharing features.
✅ Check permissions and site access in SharePoint admin center
To ensure data is secure, review SharePoint site access and permissions. Prioritize sites that contain sensitive information.
In the SharePoint admin center, see Active Sites > select a site > Edit > Settings.
Private means that only users in your organization with access to the site can find it. Public (default) means anyone in your organization can find the site and access its content.
In the Membership tab, review access to site owners, members, and visitors. Ensure that only the necessary users have access to the site.
✅ Identify sites with potentially overshared content and control access
Use the following SharePoint Advanced Management (SAM) activity-based reports to quickly identify the most actively overshared sites:
Initiate a Site Access Review for site owners to confirm overshared content and take remediation steps. SharePoint admins can use the Restricted Access Control Policy to restrict access to a site with overshared content.
For business-critical sites, there are features in SharePoint Advanced Management and Microsoft Purview you can use:
- Use Restricted Access Control (RAC) to proactively protect against oversharing. When you create new sites, configure a RAC policy as part of your custom site provisioning process. This step proactively avoids oversharing.
- Consider blocking downloads from selected sites using a block download policy. For example, block the download of Teams meeting recordings and transcripts.
- Apply encryption with "extract rights" enforced on business-critical office documents. To learn more, see Microsoft Purview data security and compliance protections for generative AI apps.
Note
SharePoint Advanced Management has more features to help you get ready for Copilot fast and at scale. To learn more, see Get ready for Copilot for Microsoft 365 with SharePoint Advanced Management (SAM).
Sensitivity labels from Microsoft Purview
✅ Use sensitivity labels to protect your data
In the Microsoft Purview portal, you can create sensitivity labels (Information protection > Sensitivity labels). Use these labels to identify how sensitive the data is in your organization. When they're applied to items like documents and emails, the labels add an extra layer of protection and can affect Copilot results.
The extra later of protection includes:
Copilot Business Chat can reference data from different types of items. The sensitivity label with the highest priority is visible to users.
If the label applies encryption, Copilot checks the usage rights for the user. For Copilot to return data from that item, the user must be granted permissions to copy from it.
With sensitivity labels, you can:
Create labels or activate default labels: If you don't already have sensitivity labels, you might be eligible to have some default labels automatically created for you, like Public, General, and Confidential. The default labels are suitable for items like files, emails, and meetings. You can modify the default labels and always create your own labels.
To learn more, see:
Define the data sensitivity requirements and review your SharePoint sites & files in OneDrive. Focus on the most critical repositories and determine the sensitivity of the data on these sites.
If you're piloting Copilot, deploy Copilot licenses to users who have access to these critical sites. Then, iterate through the rest of your repositories and expand your user base.
For a more detailed strategy to deploy and drive adoption, see Step 7 - Deploy to some users and measure adoption (in this article).
Enable and apply sensitivity labels: Enable sensitivity labels for files in SharePoint and OneDrive. Then, with a publishing label policy, you can configure a default label and users can manually apply your labels. To label at scale, use autolabeling to automatically apply labels based on sensitive information detected.
For more information about the different ways that you can apply sensitivity labels, see Common scenarios for sensitivity labels.
One of the available labeling methods is to apply sensitivity labels based on content found in documents when you use data loss prevention (DLP) policies. DLP policies can automatically apply sensitivity labels when specific types of information are identified in a document, like personal data that includes addresses, tax information, or passport numbers.
With DLP policies, you can also:
- Use the trainable classifier tool to identify categories of content, like source code, financial documents, and HR.
- Set up endpoint DLP policies that restrict users from specific actions, like copying content to clipboard or removable USB devices, or printing.
Once applied, the sensitivity labels enforce your protection settings.
To learn more about sensitivity labels, see Learn about sensitivity labels.
Copilot activity and Microsoft Purview
✅ Audit Copilot activity, create retention policies, and use eDiscovery and communication compliance
In the Microsoft Purview portal, you can use the following features to search for specific content and activities that include Copilot prompts and responses.
Audit
You can search for specific activities, activities performed by specific users, and activities that occurred with a date range. To learn more, see Learn about auditing solutions in Microsoft Purview.
Retention policies
Configure retention policies to retain the Copilot prompts and responses if this data is needed for compliance reasons, even if users delete their chat history. To learn more, see Learn about retention for Copilot.
eDiscovery and communication compliance
Use eDiscovery and communication compliance policies to analyze Copilot user prompts and responses. The policies can detect inappropriate or risky interactions, or sharing of confidential information.
To learn more, see Microsoft Purview eDiscovery solutions and Configure a communication compliance policy to detect for Copilot interactions.
Tip
To learn more about these Microsoft Purview security and compliance protections for Copilot, and how Microsoft Purview AI Hub can help you more quickly deploy them, see Microsoft Purview data security and compliance protections for generative AI apps.
Step 3 - Review app privacy
✅ Review your Microsoft 365 apps privacy settings
The privacy settings in your Microsoft 365 apps can affect the availability of Microsoft 365 Copilot features. To ensure that users can access Copilot features, review the privacy settings in your Microsoft 365 apps.
To learn more, see Microsoft 365 Copilot and privacy controls for connected experiences.
Step 4 - Update channels
✅ Use the Current Channel or Monthly Enterprise Channel to update apps
Microsoft 365 Copilot follows the Microsoft 365 Apps standard practice for deployment and updates. It's available in all update channels, except for Semi-Annual Enterprise Channel.
Your options:
Production channels include Current Channel and Monthly Enterprise Channel.
Current Channel provides your users with the newest Microsoft 365 app features as soon as they're ready. It provides the best experience for a fast-moving product, like Copilot.
Monthly Enterprise Channel gives more predictability of when these new Microsoft 365 app features are released each month. It's a good option for organizations that want to validate the new features before they're released to the Current Channel.
Preview channels include Current Channel (Preview) and Beta Channel.
Preview channels are a great option to validate the product before rolling out to the rest of organization. To learn more, see Overview of update channels and Microsoft 365 Insider channels.
There are multiple ways you can manage channels for user devices. To learn more, see Change update channel of Microsoft 365 to enable Copilot.
Step 5 - Provision Microsoft 365 Copilot licenses
✅ Assign Copilot licenses using the Microsoft 365 admin center
The next step is to assign licenses so users can start using Copilot. You can manage Microsoft 365 Copilot licenses in the Microsoft 365 admin center. You can assign to individual users or to groups of users, and also reassign licenses to other users.
- To access license management in the Microsoft 365 admin center, select Billing > Licenses.
When licenses are assigned, Copilot shows up in the Microsoft 365 apps, like Word and Excel. To use Copilot, users sign into the app with their work or school account and the file must be editable (not read only).
To learn more, see:
- Enable Copilot in your organization at Enable users for Microsoft 365 Copilot.
- You can assign licenses in bulk to groups of users through the Azure admin center or assign licenses to users with PowerShell. For more information, see Assign Microsoft 365 licenses to users.
Step 6 - Configure settings for Copilot
✅ Configure more Copilot features
In the Microsoft 365 admin center > Copilot, there are more Copilot features that benefit admins and settings you can configure that benefit your organization.
You can:
- View the status of Copilot license assignments
- Access the latest information on Copilot
- Manage data security and compliance controls
- Submit feedback on behalf of users
- Configure plugins and permissions
- Enable the use of web data as grounding data in Copilot
To learn more, see Manage Microsoft 365 Copilot with the Copilot page.
Step 7 - Deploy to some users and measure adoption
✅ Create a group of early adopters
There are many uses of Microsoft 365 Copilot across the various Microsoft 365 productivity apps. And, there are opportunities for users to find value in different ways.
To help drive adoption, create a group of early adopters. This group can help you understand how users are using Copilot and how it's valuable to them.
Identify users across various business groups in your organization, ideally with high usage of existing Microsoft 365 features. You can identify these users by reviewing usage metrics in the Microsoft 365 admin center.
Assign these users Microsoft 365 Copilot licenses and onboard them using the resources available at the Microsoft 365 Copilot adoption hub, including the user onboarding kit.
As these users get more comfortable with using Copilot, they can speak to how they use it best, and where it's most valuable for them. This information provides you with product champions that can help other users adopt and use Copilot across your organization.
With your established community of early adopters or Champions, they can better speak to their peers within their organization and contextualize the value of Copilot to best suit their needs. This framework also provides IT departments with a scalable way to handle questions through Champions, developing a team of experts across your organization.
To learn more about driving adoption, visit the Microsoft 365 Copilot adoption hub.
✅ Get insights and user sentiment
To measure the impact of Copilot on your organization, use the Copilot Dashboard from Viva Insights. Viva Insights gives organizational leaders and IT decision makers insights into readiness, adoption, impact, and user sentiment.
To learn more, see:
- Open the Microsoft Copilot Dashboard (Preview) from Viva Insights
- Learn more about the Microsoft Copilot Dashboard (Preview) from Viva Insights