Apply principles of Zero Trust to Microsoft Copilot
Summary: To apply Zero Trust principles to Microsoft Copilot, you need to:
Implement security protections for web-grounded prompts to the Internet.
Add security protections for Microsoft Edge browser summarization.
Complete recommended security protections for Microsoft 365 Copilot.
Maintain security protections when using Microsoft Copilot and Microsoft 365 Copilot together.
Introduction
Microsoft Copilot or Copilot is an AI companion in copilot.microsoft.com, Windows, Edge, Bing, and the Copilot mobile app. This article helps you implement security protections to keep your organization and data safe while using Copilot. By implementing these protections, you are building a foundation of Zero Trust.
Zero Trust security recommendations for Copilot focus on protection for user accounts, user devices, and the data that is in scope for the way you configure Copilot.
You can introduce Copilot in stages, from allowing Web-grounded prompts to the Internet to allowing both Web-grounded and Microsoft 365 Graph-grounded prompts to both the Internet and to your organization data. This article helps you understand the scope of each configuration and, consequently, the recommendations for preparing your environment with appropriate security protections.
How does Zero Trust help with AI?
Security, especially data protection, is often a top concern when introducing AI tools into an organization. Zero Trust is a security strategy that verifies every user, device, and resource request to ensure that each of these is allowed. The term ‘zero trust’ refers to the strategy of treating each connection and resource request as though it originated from an uncontrolled network and a bad actor. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.”
As a leader in security, Microsoft provides a practical roadmap and clear guidance for implementing Zero Trust. Microsoft’s set of Copilots are built on top of existing platforms, which inherit the protections applied to those platforms. For the details of applying Zero Trust to Microsoft’s platforms, see the Zero Trust Guidance Center. By implementing these protections, you are building a foundation of Zero Trust security.
This article draws from that guidance to prescribe the Zero Trust protections that relate to Copilot.
What’s included in this article
This article walks through the security recommendations that apply in four stages. This provides a path for you to introduce Copilot into your environment while you apply security protections for users, devices, and the data accessed by Copilot.
| Stage | Configuration | Components to secure |
| --- | --- | --- |
| 1 | Web-grounded prompts to the Internet | Basic security hygiene for users and devices using identity and access policies. |
| 2 | Web-grounded prompts to the Internet with Edge browser page summarization enabled | Your organization data on local, intranet, and cloud locations that Copilot in Edge can summarize. |
| 3 | Web-grounded prompts to the Internet and access to Microsoft 365 Copilot | All components affected by Microsoft 365 Copilot. |
| 4 | Web-grounded prompts to the Internet and access to Microsoft 365 Copilot with Edge browser page summarization enabled | All the components listed above. |
Stage 1. Start with security recommendations for web-grounded prompts to the Internet
The simplest configuration of Copilot provides AI assistance with web-grounded prompts.
In the illustration:
Users can interact with Copilot through copilot.microsoft.com, Windows, Bing, the Edge browser, and the Copilot mobile app.
Prompts are Web-grounded. Copilot only uses publicly available data to respond to prompts.
With this configuration, your organization data isn’t included in the scope of data that Copilot references.
Use this stage to implement identity and access policies for users and devices to prevent bad actors from using Copilot. At a minimum, you must configure Conditional Access policies that require:
Stage 2. Add security protections for Edge browser summarization
From the Microsoft Edge sidebar, Microsoft Copilot helps you get answers and inspirations from across the web and, if enabled, from some types of information displayed in open browser tabs.
Here are some examples of private or organization web pages and document types that Copilot in Edge can summarize:
Intranet sites such as SharePoint, except embedded Office documents
Outlook Web App
PDFs, including those stored on the local device
Sites not protected by Microsoft Purview DLP policies, Mobile Application Management (MAM) policies, or MDM policies
Potentially sensitive organization sites and documents that Copilot in Edge can summarize could be stored in local, intranet, or cloud locations. This organization data can be exposed to an attacker who has access to the device and uses Copilot in Edge to quickly produce summarizations of documents and sites.
The organization data that can be summarized by Copilot in Edge can include:
Local resources on the user’s computer
PDFs or information displayed in an Edge browser tab by local apps that are not protected with MAM policies
Intranet resources
PDFs or sites for internal apps and services that are not protected by Microsoft Purview DLP policies, MAM policies, or MDM policies
Microsoft 365 sites that are not protected by Microsoft Purview DLP policies, MAM policies, or MDM policies
Microsoft Azure resources
PDFs on virtual machines or sites for SaaS apps that are not protected by Microsoft Purview DLP policies, MAM policies, or MDM policies
Third-party cloud product sites for cloud-based SaaS apps and services that are not protected by Microsoft Purview DLP policies, MAM policies, or MDA policies
Use this stage to implement levels of security to prevent bad actors from using Copilot to more quickly discover and access sensitive data. At a minimum, you must:
This illustration shows the data sets available to Microsoft Copilot in Edge with browser summarization enabled.
Recommendations for E3 and E5
Implement Intune app protection policies (APP) for data protection. APP can prevent the inadvertent or intentional copying of Copilot-generated content to apps on a device that aren’t included in the list of permitted apps. APP can limit the blast radius of an attacker using a compromised device.
Turn on Microsoft Defender for Office 365 Plan 1, which includes Exchange Online Protection (EOP) for Safe Attachments, Safe Links, advanced phishing thresholds and impersonation protection, and real-time detections.
Stage 3. Complete security protections recommended for Microsoft 365 Copilot
Microsoft 365 Copilot can use the following data sets to process Graph-grounded prompts:
Stage 4. Maintain security protections while you use Microsoft Copilot and Microsoft 365 Copilot together
With a license for Microsoft 365 Copilot, you will see a Work/Web toggle control in the Edge browser, Windows, and Bing search that allows you to switch between using:
Graph-grounded prompts that are sent to Microsoft 365 Copilot (toggle set to Work).
Web-grounded prompts that primarily use internet data (toggle set to Web).
Here’s an example for copilot.microsoft.com.
This illustration shows the flow of Graph- and Web-grounded prompts.
In the diagram:
Users on devices with a license for Microsoft 365 Copilot can choose Work or Web mode for Microsoft Copilot prompts.
If Work is chosen, Graph-grounded prompts are sent to Microsoft 365 Copilot for processing.
If Web is chosen, Web-grounded prompts entered via Windows, Bing, or Edge use internet data in their processing.
In the case of Edge and when enabled, Windows Copilot includes some types of data in open Edge tabs in its processing.
If the user does not have a license for Microsoft 365 Copilot, the Work/Web toggle is not displayed and all prompts are Web-grounded.
Here are the sets of accessible organization data for Microsoft Copilot, which include both Graph- and Web-grounded prompts.
In the illustration, the yellow shaded blocks are for your organization data that is accessible through Copilot. Access to this data by a user through Copilot depends on the permissions to the data assigned to the user account. It can also depend on the status of the user’s device if conditional access is configured for either the user or for access to the environment where the data resides. Following the principles of Zero Trust, this is data you want to protect in case an attacker compromises a user account or device.
For Graph-grounded prompts (toggle set to Work), this includes:
Your Microsoft 365 tenant data
Data for Copilot-enabled plug-ins and connectors
Internet data (if the web plug-in is enabled)
For Web-grounded prompts from the Edge browser with open browser tab summarization enabled (toggle set to Web), this can include organization data that can be summarized by Copilot in Edge from local, intranet, and cloud locations.
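The scoping rules above can be turned into a review aid. The following is an added example, not Microsoft code: it models the license, the Work/Web toggle, and Edge summarization to list what a prompt can draw on for each user configuration. The class names, the inventory, and the rule that any one named protection removes a resource from summarization scope are assumptions of this sketch.

```python
from dataclasses import dataclass, field

# Protections the article names; a resource with none of them is treated as
# summarizable by Copilot in Edge (simplifying assumption of this sketch).
CONTROLS = {"dlp", "mam", "mdm", "mda"}

@dataclass
class Resource:
    name: str
    location: str                      # "local", "intranet" or "cloud"
    controls: set = field(default_factory=set)
    embedded_office_doc: bool = False  # the article excludes these on SharePoint

@dataclass
class UserConfig:
    licensed: bool            # has a Microsoft 365 Copilot license
    toggle: str               # "work" or "web"; no toggle exists without a license
    edge_summarization: bool
    web_plugin: bool = False

def grounding(cfg):
    """Unlicensed users have no toggle, so every prompt is Web-grounded."""
    return "graph" if cfg.licensed and cfg.toggle == "work" else "web"

def stage(cfg):
    """Map a configuration onto the article's stages 1 to 4."""
    return 1 + int(cfg.edge_summarization) + 2 * int(cfg.licensed)

def data_in_scope(cfg, inventory):
    """List the data sets a prompt can draw on under this configuration."""
    if grounding(cfg) == "graph":
        scope = ["Microsoft 365 tenant data", "plug-in and connector data"]
        return scope + (["internet data"] if cfg.web_plugin else [])
    scope = ["internet data"]
    if cfg.edge_summarization:
        scope += [r.name for r in inventory
                  if not (r.controls & CONTROLS) and not r.embedded_office_doc]
    return scope

# Constructed sample inventory, not taken from the article.
INVENTORY = [
    Resource("local HR handbook PDF", "local"),
    Resource("finance SharePoint site", "intranet", {"dlp"}),
    Resource("embedded budget workbook", "intranet", embedded_office_doc=True),
    Resource("vendor SaaS portal", "cloud"),
]

if __name__ == "__main__":
    for cfg in (UserConfig(False, "web", False), UserConfig(True, "web", True)):
        print(stage(cfg), grounding(cfg), data_in_scope(cfg, INVENTORY))
```

Resources listed for a Web-grounded configuration are the ones to cover first with the protections named in Stage 2.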
Use this stage to verify your implementation of the following levels of security to prevent bad actors from using Copilot to access your sensitive data:
Review your configuration and implement additional capabilities as needed to increase your threat protection with the full Microsoft Defender XDR suite: