Get started with Opal in Microsoft 365 Copilot

Important

Opal is currently available only in the Microsoft Frontier program with a Microsoft 365 Copilot subscription. Frontier includes early access to experimental features, which means features might change as Microsoft improves them. For more information, see Get started with the Microsoft Frontier program.

Note

We've introduced updates to the default Opal configuration. Tenants who onboarded to Opal before April must manually make changes in the Opal Admin Center. There are new supported capabilities for admins and users. For more information, see the sections Default website access behavior and File interaction support on Windows 365 Cloud PC.

Common use cases include:

  • Collecting evidence for audit reviews

  • Submitting timesheets for your team

  • Onboarding a new employee onto multiple platforms

Opal helps users complete jobs with CUA on a secure, Entra-joined, and Intune-enrolled Windows 365 for Agents Cloud PC. The agent operates within a Microsoft Edge browser, and users can supervise the agent to complete the job, intervening when necessary.

This article provides guidance for administrators on how to set up and manage Opal.

Prerequisites

  • An Intune license for your organization

  • Microsoft 365 Copilot licenses for individual users

Setting up Opal

Opal isn't available by default. Users with an AI admin role or an Intune admin role can complete the setup steps. However, if neither role is available, a Global administrator needs to complete the following steps to enable and configure Opal.

Important

Use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that you should limit to emergency scenarios when you can't use an existing role. To learn more, see About admin roles in the Microsoft 365 admin center.

  1. Go to the Microsoft 365 admin center.

  2. Go to Copilot and then Settings.

  3. Locate the user access setting titled Opal (Frontier).

  4. Select the group of users who should have access to Opal.

After you enable Opal in the Microsoft 365 admin center, complete the remaining setup in the Opal Admin Portal by using the following steps:

  1. Initial Setup

    • Complete the initial setup steps by getting your tenant ready for Opal.
    • This setup process creates a device group, device policy, and assigns the policy to your group. You can find these resources in Intune and they apply to the Cloud PCs created by Opal. Don't delete or adjust these resources. Any changes you make to these resources might cause the Opal app to not function as expected or break entirely.
  2. Cloud PC Setup

    • Create the group of Cloud PCs needed for Opal. Choose the number of Cloud PCs and the region where they should be provisioned. You can return to this page at any time to make edits to the group of Cloud PCs.
    • Manage the website Allow list for the Cloud PCs. By default, everything is blocked.
  3. Custom Instructions

    • Write instructions for Opal. Opal remembers the instructions for every job in your organization. Include information such as your organization name, preferred websites, and so on.
  4. Prompt starters

    • Configure starters for the Opal home page. Everyone in your organization sees these starters; they help users understand the types of jobs that Opal can accomplish.
    • These starters are tied to the website Allow list from step 1.

Accessing Opal

Users can find Opal in the Microsoft 365 Copilot app under Frontier. When users open it, Opal launches in a new external tab.

For more information, see Get started with Opal in Microsoft 365 Copilot.

Managing Opal

Admins can use the Opal Admin Portal to manage the Cloud PC Pool, update the website allow list, and update instructions. Set up prompt starters for users in your organization, so they can get started from the Opal home page easily.

Default website access behavior

Opal now allows access to all websites by default. Administrators can block specific URLs as needed by using Opal policies.

Previously, Opal blocked access to all websites by default. Administrators had to manually allow list individual URLs for Opal to interact with them.

If your organization prefers the previous behavior, re-enable the block-by-default model by using the toggle in the Opal Admin Center.
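The following added example (not Microsoft's code and not part of the original article) shows how an administrator could list the URLs that become reachable when a tenant moves from block-by-default to allow-by-default. The host-suffix matching rule, the function names, and the sample lists are assumptions made for illustration; the article does not describe how Opal matches URLs.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Lower-cased hostname of a URL, or '' when the URL has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def matches(host, entries):
    """True if host equals an entry or is a subdomain of it (assumed rule)."""
    entries = [e.lower() for e in entries]
    return any(host == e or host.endswith("." + e) for e in entries)

def decide(url, block_by_default, allow_list, block_list):
    """Return 'allow' or 'block' for one URL under the chosen default."""
    host = host_of(url)
    if not host or matches(host, block_list):
        return "block"  # explicit blocks win under both defaults
    if block_by_default:
        return "allow" if matches(host, allow_list) else "block"
    return "allow"

def newly_reachable(urls, old_allow_list, block_list):
    """URLs blocked under the previous default but allowed under the new one."""
    return [u for u in urls
            if decide(u, True, old_allow_list, block_list) == "block"
            and decide(u, False, old_allow_list, block_list) == "allow"]

# Constructed sample data, not taken from any real tenant.
OLD_ALLOW = ["timesheets.contoso.example", "hr.contoso.example"]
BLOCK = ["files.share.example"]
URLS = [
    "https://timesheets.contoso.example/week/12",   # on the old allow list
    "https://app.hr.contoso.example/onboarding",    # subdomain of an allowed host
    "https://news.example/article",                 # never listed
    "https://files.share.example/upload",           # explicitly blocked
    "https://hr.contoso.example.portal.example/",   # look-alike, not a subdomain
]

if __name__ == "__main__":
    for url in newly_reachable(URLS, OLD_ALLOW, BLOCK):
        print("reachable only under allow-by-default:", url)
```

Each URL the script reports is a candidate for a block entry, or a reason to re-enable the block-by-default toggle.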

File interaction support on Windows 365 Cloud PC

Opal now supports interaction with files stored on Windows 365 Cloud PC. Following internal security reviews, Opal can download and upload files when the appropriate policies are enabled.

To enable file interaction capabilities for existing tenants, administrators must manually update the following settings in the Opal App Device Policy in Microsoft Intune.

  1. Go to Microsoft Intune.

  2. Go to Devices > Configuration and find Opal App Device Policy.

  3. In the policy:

    • Select Enabled for Control use of the File System API for reading.
    • Select Allow sites to ask the user to grant read access to files and directories for Control use of the File System API for reading (Device).
    • Select Enabled for Control use of the File System API for writing.
    • Select Allow sites to ask the user to grant write access to files and directories for Control use of the File System API for writing (Device).
    • Select Enabled for Allow download restrictions.
    • Select Block for Download restrictions (Device).