Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Effective discovery and planning are the foundation of a successful governance and security strategy for Copilot agents. Phase 1 focuses on aligning stakeholders, defining compliance requirements, and establishing key objectives to ensure secure and efficient operations.
Initial governance requirements
Stakeholder alignment: Ensure the involvement of IT, security, compliance, and legal departments from the outset. Establish and document data residency, retention, and privacy policies that guide the necessary governance and security features to configure in your organization.
Compliance review: Outline and document necessary regulations for your organization (for example, General Data Protection Regulation or GDPR, Health Insurance Portability and Accountability Act or HIPAA) and detail your organization's data and transcript retention requirements.
Key objectives, business scenarios, and data protection
Business alignment: Identify the business scenarios and tasks the Copilot agent handles (for example, responding to customer order inquiries) and determine the required systems and data integration to address risks and ensure security.
Restricting data sources: Document the existing knowledge and data sources within your organization that might be used by the Copilot agent. Include compliance requirements and integration points such as SharePoint, Teams, and Dataverse, in alignment with the business requirements, specifying if agents are permitted to use their own AI general knowledge
Data protection and risk assessment: Classify the sensitivity of all documented data sources (general, confidential, and so on), evaluate the potential risks of data leakage associated with these data sources, and establish the necessary security and privacy policies to protect this data (for example, blocking certain data source connectors and data sources). Specify data masking requirements in your organization to create and manage Power Platform masking rules accordingly.
Naming and general guidelines
Copilot agent naming: Implement agent naming conventions (for example, "Contoso-CustomerServiceAgent") to facilitate the identification of various Copilot agents within your organization.
Solution naming standard: Implement a consistent naming convention for your Copilot agent solution (for example, "ContosoCopilot") to ensure proper encapsulation and deployment through your ALM (application lifecycle management) pipeline, avoiding the accidental deployment of nonproduction solutions into the production environment.
Disclaimer guidelines: Document and share the conversation disclaimers and warnings template that must be included for each Copilot agent; for example, in the conversation start topic to ensure consistency and compliance with organizational standards.
Shared components: Identify any mandatory shared entities or reusable components (for example, knowledge sources or topics) to be used by all Copilot agents in your organization to ensure consistency and where you can use Copilot Studio component collections.
Licensing and budget
License assessment and assignments: Evaluate the Microsoft 365, Power Platform, Dynamics 365, Copilot, or Azure licenses held by the organization to understand current entitlements, as this could potentially have implications on the type of additional licenses required to use premium features such as Enhanced search results and Managed Environments. Establish a policy within your organization to assign Copilot user licenses and manage access to Copilot Studio.
Cost estimates: Consider the cost implications of using Gen AI and premium features such as premium connectors and Managed environments. Determine the billing model that best suits your organization (for example, pay as you go vs. capacity licensing).
Allocate message capacity: Assign capacity at an environment level by allocating add-ons to ensure that users within the designated environment have access to the specified Copilot Studio messaging capacity.
Related information
- Microsoft Copilot Studio security and governance
- Microsoft Power Platform licensing overview
- Managed Environments overview