Manage Copilot

Commercial data protection eligibility

Microsoft Copilot (formerly Bing Chat Enterprise) includes commercial data protection for eligible users signed in with work or school accounts (Entra ID). Currently, commercial data protection is available in Copilot for users with an eligible license:

Enterprises

  • Microsoft 365 E3 or E5
  • Microsoft 365 F1 or F3
  • Microsoft 365 Business Standard, Premium, or Basic
  • Microsoft 365 Apps for enterprise or business
  • Office 365 E1, E1 Plus, E3, E5, or F3

Education faculty and higher ed students (18+)

  • Microsoft 365 A1, A3, or A5
  • Office 365 A1, A3, or A5

Eligibility for students includes Student Use Benefit licenses.

Office 365 A1 Plus licenses aren't eligible because the license is being retired later this year. Learn more: Retirement Plan for the Office 365 A1 Plus | Microsoft Education.

The 'Commercial data protection for Microsoft Copilot' service plan allows IT admins to manage whether users receive commercial data protection while using Copilot. Commercial data protection is on by default for users with each of these licenses.

At this time, commercial data protection in Copilot isn't available for government cloud customers or for K-12 students. Copilot will add commercial data protection to more work and school accounts (Entra ID) over time.

Copilot is governed by the Universal License Terms for Online Services.

Managing commercial data protection using the service plan

To receive commercial data protection, users must sign in to Copilot with their eligible work or school account (Entra ID). Users signed in to Copilot with MSA accounts don't receive commercial data protection.

The 'Commercial data protection for Microsoft Copilot' service plan (part number: bing_chat_enterprise) must be enabled for your eligible users to receive commercial data protection when they're signed in to Copilot with their work or school account (Entra ID). The Copilot service plan is included with your eligible users' Microsoft 365 licenses. To help ensure that your users are using Copilot with commercial data protection, the service plan is enabled by default.

PowerShell allows you to bulk assign and remove licenses for your intended users. Learn more about how to assign Microsoft 365 licenses to user accounts with PowerShell or how to disable access to Microsoft 365 services with PowerShell.

Note

Changes can take up to 48 hours to go into effect.
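
A read-only audit of the service plan state per user, as an added example that is not part of the original documentation. It assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Users` module) is installed and that the signed-in admin can consent to the `User.Read.All` scope; the function name `Get-CopilotPlanState` is hypothetical.

```powershell
# Added example: lists users whose Copilot commercial data protection
# service plan is present but not enabled. Makes no changes to the tenant.
Connect-MgGraph -Scopes 'User.Read.All'

# Service plan part number as given on this page; -eq compares case-insensitively.
$planName = 'bing_chat_enterprise'

function Get-CopilotPlanState {
    param([string]$PlanName)

    # Only licensed users can carry the service plan, so skip everyone else.
    $users = Get-MgUser -All -Property Id, UserPrincipalName, AssignedLicenses |
        Where-Object { $_.AssignedLicenses.Count -gt 0 }

    foreach ($user in $users) {
        # One entry per assigned license (SKU), each with its own service plans.
        foreach ($sku in Get-MgUserLicenseDetail -UserId $user.Id) {
            $plan = $sku.ServicePlans |
                Where-Object { $_.ServicePlanName -eq $PlanName }
            if ($plan) {
                [pscustomobject]@{
                    UserPrincipalName  = $user.UserPrincipalName
                    License            = $sku.SkuPartNumber
                    ProvisioningStatus = $plan.ProvisioningStatus
                }
            }
        }
    }
}

$state = Get-CopilotPlanState -PlanName $planName

# 'Success' means the plan is enabled; anything else (for example 'Disabled')
# means the user does not get commercial data protection from this license.
$state |
    Where-Object { $_.ProvisioningStatus -ne 'Success' } |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize
```

Because changes can take up to 48 hours to go into effect, rerun the audit after that window before treating a mismatch as a misconfiguration.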

Managing Copilot for Microsoft 365 E3/E5 Original subscriptions

Organizations with Microsoft 365 E3 or E5 Original subscriptions purchased through an Enterprise Agreement (EA) no longer need to use the Microsoft 365 E3 or E5 Extra Features license to manage Microsoft Copilot for their users. Because Copilot is now available at no additional charge to customers with a wide range of licenses, organizations with Original subscriptions can now use the 'Commercial data protection for Microsoft Copilot' service plan under their Office 365 license to manage Copilot for their users.

Require commercial data protection in Copilot

Copilot makes it clear that commercial data protection is turned on by featuring a unique design. Below the chat input, users see a message confirming 'Commercial data protection applies to this chat.' Additionally, users see a green shield next to their user profile icon and name at the top of the experience.

To ensure your eligible users have Copilot with commercial data protection, you must first enable the Copilot service plan for your eligible users:

Enable the Copilot service plan: Your organization must have the service plan enabled for your eligible users to access commercial data protection at any Copilot entry point when signed in with an Entra ID.

Action needed: In your M365 admin center, enable the 'Commercial data protection for Microsoft Copilot' service plan for your eligible users.

Prevent use of Copilot without commercial data protection: To prevent eligible users in your organization from accessing Copilot without commercial data protection (formerly Bing Chat) when signed in with their Entra ID, there are three possible solutions: 1) DNS configuration in Windows, 2) HTTP header, or 3) Zscaler firewall. Implement whichever solution below works best for your configuration.

Note

Do not attempt to manage Copilot by opening cdp.copilot.microsoft.com in a browser. It results in an error. Instead, follow the documentation below to do a DNS change, a header change, or a firewall change:

  1. DNS configuration in Windows:

    Action needed: Create DNS redirects for various Copilot entry points:

  • For Copilot in Bing, Copilot in Edge, and Copilot in Windows: Update your DNS configuration by setting the DNS entry for www.bing.com to be a CNAME for nochat.bing.com.
  • For copilot.microsoft.com and the Copilot mobile app: Update your DNS configuration by setting the DNS entry for copilot.microsoft.com to be a CNAME for cdp.copilot.microsoft.com.
  • For Active Directory Domain Services (AD DS): Deploy the DNS Role on a member server. On the newly deployed DNS server, create the following Forward Primary Zones:

Screenshot that shows DNS Primary Zone server settings.

Create the following CNAME records in the respective zones:

Screenshot that shows first CNAME record in DNS server settings. Screenshot that shows second CNAME record in DNS server settings.

On the AD DNS server, create the following Conditional Forwarders and make AD Integrated:

Screenshot that shows Conditional Forwarders in DNS server settings.

The Conditional Forwarders need to be set to use the member server DNS created at the start:

Screenshot that shows more Conditional Forwarders in DNS server settings. Screenshot that shows still more Conditional Forwarders in DNS server settings.

Note: These DNS configuration solutions aren't HTTPS redirects, but rather DNS redirects in Windows. For the first two approaches, use a CNAME rather than the nochat.bing.com IP because the CNAME continues to work even if the IP for nochat.bing.com changes.

  2. Header solution:

    Action needed: Append the following HTTP header to all outgoing requests to www.bing.com, edgeservices.bing.com, and copilot.microsoft.com:

    x-ms-entraonly-copilot: 1

  3. Zscaler firewall solution:

    Action needed: Use your corporate firewall to do Destination Network Address Translation (DNAT):

  • For Copilot in Bing, Copilot in Edge, and Copilot in Windows: Resolve www.bing.com and edgeservices.bing.com to DNAT IP address nochat.bing.com.
  • For copilot.microsoft.com and the Copilot mobile app: Resolve copilot.microsoft.com to DNAT IP address cdp.copilot.microsoft.com.

These configurations apply only when devices are connected to your corporate network. Copilot is a public service, like search, and remains available if accessed outside the corporate network.
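
A check that the DNS redirects from option 1 are actually being served to clients, as an added example that is not part of the original documentation. It uses the `Resolve-DnsName` cmdlet from the Windows DnsClient module and must be run from a device on the corporate network; the function name `Test-CopilotDnsRedirect` and the optional `-Server` parameter are assumptions for illustration. It does not validate the header or DNAT options, which do not change DNS answers.

```powershell
# Added example: confirms each Copilot entry point resolves through the
# expected CNAME. Host names are taken from the DNS steps on this page.
$expected = [ordered]@{
    'www.bing.com'          = 'nochat.bing.com'
    'copilot.microsoft.com' = 'cdp.copilot.microsoft.com'
}

function Test-CopilotDnsRedirect {
    param(
        [System.Collections.IDictionary]$Map,
        [string]$Server   # optional: query one specific internal DNS server
    )

    foreach ($name in $Map.Keys) {
        # -DnsOnly skips LLMNR/NetBIOS so only the DNS answer is evaluated.
        $query = @{ Name = $name; Type = 'A'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($Server) { $query.Server = $Server }
        $answers = @(Resolve-DnsName @query)

        # The first link of the chain is the CNAME owned by the queried name.
        $cname = $answers |
            Where-Object { $_.Type -eq 'CNAME' -and $_.Name -eq $name } |
            Select-Object -First 1
        $actual = if ($cname) { $cname.NameHost.TrimEnd('.') } else { $null }

        [pscustomobject]@{
            Name       = $name
            Expected   = $Map[$name]
            Actual     = $actual
            Redirected = ($actual -eq $Map[$name])
        }
    }
}

$results = @(Test-CopilotDnsRedirect -Map $expected)
$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitoring job flag drift.
if ($results.Redirected -contains $false) { exit 1 }
```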

To block access to Copilot in Edge only, see the Copilot in Edge documentation.

Note: Blocking the www.bing.com IP could also block other Microsoft domains.

Copilot in Edge and Windows

For information on how to manage Copilot in Edge, see the Copilot in Edge documentation.

For information on how to manage Copilot in Windows, see the Copilot in Windows documentation.