Administer and manage

Completed

Microsoft Copilot Studio gives you the flexibility to administer analytics and manage security of the copilots.

Analytics

The analytics section is divided into numerous pages to give you multiple ways to understand copilot performance.

The Summary tab provides a detailed overview of how many total copilot sessions were run over the period that you selected. Information such as total number of sessions, engagement rate, resolution rate, escalation rate, and abandon rate can help you to understand how effective the copilot is and to determine the areas that need improvement.

Analytics section showing the Summary tab for the last seven days.

The Customer Satisfaction report helps identify which topics are having the most impact and where analysts go to stay informed.

Monitoring Microsoft Power Platform: Microsoft Copilot Studio Analytics.

The Sessions tab gives you the flexibility to download raw data from all copilot sessions. This offering includes a complete transcript of the sessions and the outcome.

Sessions csv file in Microsoft Excel showing session data.

The Billing tab shows the billable interaction between a customer and a copilot and represents one unit of consumption. The billed session begins when a user topic is triggered.

A session ends for one of the following reasons:

  • The user ends the chat session. When the copilot doesn't receive a new message for more than 30 minutes, the session is considered closed.

  • The session is longer than 60 minutes. The first message that occurs after 60 minutes starts a new session.

  • The session has more than 100 turns. A turn is defined as one exchange between a user and the copilot. The one-hundred-and-first turn starts a new session.

Analytics with the Billing tab selected showing billed sessions for the last seven days.

Security

You can set up other security measures for your copilot and your users. Security is accessed by going to Settings > Security. There are two security options available.

  • Authentication: Used to Identify the user’s identity during a chat.

  • Web channel security: Provides the ability to configure enhanced security options for your copilot.

Security showing tiles for Sharing, Access, Authentication, and Web channel security.

Sharing

You can share your copilot with other users so that multiple users can edit, manage, and collaborate on a copilot. You can stop sharing with individual users anytime. You don't need to share a copilot with another user for them to chat with the copilot.

You can view the current access that a user has for your environment, and you can assign security roles to the selected user.

Screenshot of Share your copilot page with message displayed in the Environment security roles section.

Bot author, Bot contributor, and Bot transcript viewer are the three security roles for Microsoft Copilot Studio that you can manage at Microsoft Power Platform admin center.

You can assign the Environment maker security role when sharing a copilot with a user who doesn't have sufficient environment permissions to run Microsoft Copilot Studio.

When you're sharing the copilot, if the specified user doesn't have sufficient permissions to use Microsoft Copilot Studio in the environment, you're notified that the Environment maker security role is assigned to the person so that they can use the copilot.

The Access and Authentication options control who can access your copilot. You can select one of two groups:

  • All bot managers - This selection allows only bot managers to chat with the copilot. You can share your copilot so that other bot managers can access it.

  • Everyone in my organization (Organization name) - This selection allows everyone in the organization to access and chat with your copilot. Users who are outside of the organization see an error when chatting with the copilot.

The Authentication setting impacts how you can manage access to the copilot.

Select Manage on the side navigation pane and then go to the Security tab and select Authentication.

Three options for authentication are:

  • No authentication - Any user who has a link to the copilot (or can find it, for example, on your website) can chat with it. Therefore, the Access setting options are disabled.

  • Authenticate with Microsoft - The copilot is available in Microsoft Teams, and Power Apps. Because it uses Microsoft Entra ID, it requires users to sign in. This is the default setting for all newly created copilots.

  • Authenticate manually - This option has the following parameters:

    • If your authentication setting is configured to Manual, and the service provider is Microsoft Entra ID you can turn off the Require users to sign in option and change the access settings for the copilot.

    • If your authentication provider is set as Generic OAuth 2, you can turn off the Require users to sign in option, but you can't control which users can access the copilot. That option is only available when you use Microsoft Entra ID authentication.

Web channel security

When you create a Microsoft Copilot Studio copilot, it's immediately available in the Demo website and Custom website channels to anyone who knows the copilot ID. These channels are available by default, and no configuration is needed.

Users can find the copilot ID directly from within Microsoft Copilot Studio or by receiving it from someone. Depending on the copilot's capability and sensitivity, that scenario might not be desirable.

With Direct Line-based security, you can enable access to only the locations that you control by enabling secured access with Direct Line secrets or tokens. You can enforce the use of secrets and tokens for each individual copilot. After this option is enabled, channels need the client to authenticate their requests by using a secret or a token generated by using the secret, which is obtained at runtime. Any access to the copilot that doesn't provide this security measure doesn't work.

To access got to Settings > Security and then select Web channel security.

Web channel security dialog box with Require secured access showing as Disabled.

If you need to disable the Web channel security option, you can do so by switching Require secured access to Disabled. Disabling secured access can take up to two hours to propagate.

Enable require secured access dialog box showing "This action renders the Demo website unavailable, as well as any Direct Line channel not using a secret or token. This action can take up to two hours to take effect."