Summary: To apply Zero Trust principles to Microsoft Copilot, you need to:

  1. Implement security protections for web-grounded prompts to the Internet.
  2. Add security protections for Microsoft Edge browser summarization.
  3. Complete recommended security protections for Copilot for Microsoft 365.
  4. Maintain security protections when using Microsoft Copilot and Copilot for Microsoft 365 together.

Introduction

Microsoft Copilot or Copilot is an AI companion in copilot.microsoft.com, Windows, Edge, Bing, and the Copilot mobile app. This article helps you implement security protections to keep your organization and data safe while using Copilot. By implementing these protections, you are building a foundation of Zero Trust.

Zero Trust security recommendations for Copilot focus on protection for user accounts, user devices, and the data that is in scope for the way you configure Copilot.

You can introduce Copilot in stages, from allowing Web-grounded prompts to the Internet to allowing both Web-grounded and Microsoft 365 Graph-grounded prompts to both the Internet and to your organization data. This article helps you understand the scope of each configuration and, consequently, the recommendations for preparing your environment with appropriate security protections.

How does Zero Trust help with AI?

Security, especially data protection, is often a top concern when introducing AI tools into an organization. Zero Trust is a security strategy that verifies every user, device, and resource request to ensure that each of these is allowed. The term ‘zero trust’ refers to the strategy of treating each connection and resource request as though it originated from an uncontrolled network and a bad actor. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.”

As a leader in security, Microsoft provides a practical roadmap and clear guidance for implementing Zero Trust. Microsoft’s set of Copilots are built on top of existing platforms, which inherit the protections applied to those platforms. For the details of applying Zero Trust to Microsoft’s platforms, see the Zero Trust Guidance Center. By implementing these protections, you are building a foundation of Zero Trust security.

This article draws from that guidance to prescribe the Zero Trust protections that relate to Copilot.

What’s included in this article

This article walks through the security recommendations that apply in four stages. This provides a path for you to introduce Copilot into your environment while you apply security protections for users, devices, and the data accessed by Copilot.

Stage Configuration Components to secure
1 Web-grounded prompts to the Internet Basic security hygiene for users and devices using identity and access policies.
2 Web-grounded prompts to the Internet with Edge browser page summarization enabled Your organization data on local, intranet, and cloud locations that Copilot in Edge can summarize.
3 Web-grounded prompts to the Internet and access to Copilot for Microsoft 365 All components affected by Copilot for Microsoft 365.
4 Web-grounded prompts to the Internet and access to Copilot for Microsoft 365 with Edge browser page summarization enabled All the components listed above.

Stage 1. Start with security recommendations for web-grounded prompts to the Internet

The simplest configuration of Copilot provides AI assistance with web-grounded prompts.

Diagram of Copilot for Microsoft and the processing of Web-grounded prompts.

In the illustration:

  • Users can interact with Copilot through copilot.microsoft.com, Windows, Bing, the Edge browser, and the Copilot mobile app.
  • Prompts are Web-grounded. Copilot only uses publicly available data to respond to prompts.

With this configuration, your organization data isn’t included in the scope of data that Copilot references.

Use this stage to implement identity and access policies for users and devices to prevent bad actors from using Copilot. At a minimum, you must configure Conditional Access policies that require:

Additional recommendations for Microsoft 365 E3

Additional recommendations for Microsoft 365 E5

Implement the recommendations for E3 and configure the following identity and access policies:

Stage 2. Add security protections for Edge browser summarization

From the Microsoft Edge sidebar, Microsoft Copilot helps you get answers and inspirations from across the web and, if enabled, from some types of information displayed in open browser tabs.

Diagram of Web-grounded prompts in Edge with browser tab summarization enabled.

Here are some examples of private or organization web pages and document types that Copilot in Edge can summarize:

  • Intranet sites such as SharePoint, except embedded Office documents
  • Outlook Web App
  • PDFs, including those stored on the local device
  • Sites not protected by Microsoft Purview DLP policies, Mobile Application Management (MAM) policies, or MDM policies

 Note

For the current list of document types supported by Copilot in Edge for analysis and summarization, see Copilot in Edge webpage summarization behavior.

Potentially sensitive organization sites and documents that Copilot in Edge can summarize could be stored in local, intranet, or cloud locations. This organization data can be exposed to an attacker who has access to the device and uses Copilot in Edge to quickly produce summarizations of documents and sites.

The organization data that can be summarized by Copilot in Edge can include:

  • Local resources on the user’s computer

    PDFs or information displayed in an Edge browser tab by local apps that are not protected with MAM policies

  • Intranet resources

    PDFs or sites for internal apps and services that are not protected by Microsoft Purview DLP policies, MAM policies, or MDM policies

  • Microsoft 365 sites that are not protected by Microsoft Purview DLP policies, MAM policies, or MDM policies

  • Microsoft Azure resources

    PDFs on virtual machines or sites for SaaS apps that are not protected by Microsoft Purview DLP policies, MAM policies, or MDM policies

  • Third-party cloud product sites for cloud-based SaaS apps and services that are not protected by Microsoft Purview DLP policies, MAM policies, or MDA policies

Use this stage to implement levels of security to prevent bad actors from using Copilot to more quickly discover and access sensitive data. At a minimum, you must:

For more information about Copilot in Edge, see:

This illustration shows the data sets available to Microsoft Copilot in Edge with browser summarization enabled.

Diagram of the data sets available to Microsoft Copilot in Edge.

Recommendations for E3 and E5

  • Implement Intune app protection policies (APP) for data protection. APP can prevent the inadvertent or intentional copying of Copilot-generated content to apps on a device that aren’t included in the list of permitted apps. APP can limit the blast radius of an attacker using a compromised device.

  • Turn on Microsoft Defender for Office 363 Plan 1, which include Exchange Online Protection (EOP) for Safe Attachments, Safe Links, advanced phishing thresholds and impersonation protection, and real-time detections.

Copilot for Microsoft 365 can use the following data sets to process Graph-grounded prompts:

  • Your Microsoft 365 tenant data
  • Internet data through Bing search (if enabled)
  • The data used by Copilot-enabled plug-ins and connectors

Diagram of Copilot for Microsoft 365 and the processing of Graph-grounded prompts.

For more information, see Apply principles of Zero Trust to Microsoft Copilot for Microsoft 365.

Recommendations for E3

Implement the following:

Recommendations for E5

Implement the recommendations for E3 and the following:

Stage 4. Maintain security protections while you use Microsoft Copilot and Copilot for Microsoft 365 together

With a license for Copilot for Microsoft 365, you will see a Work/Web toggle control in the Edge browser, Windows, and Bing search that allows you to switch between using:

  • Graph-grounded prompts that are sent to Copilot for Microsoft 365 (toggle set to Work).
  • Web-grounded prompts that primarily use internet data (toggle set to Web).

Here’s an example for copilot.microsoft.com.

Example screenshot of Microsoft Copilot for Microsoft Bing.

This illustration shows the flow of Graph- and Web-grounded prompts.

Diagram of the logical architecture of Microsoft Copilot showing Graph and web-grounded prompts.

In the diagram:

  • Users on devices with a license for Copilot for Microsoft 365 can choose Work or Web mode for Microsoft Copilot prompts.
  • If Work is chosen, Graph-grounded prompts are sent to Copilot for Microsoft 365 for processing.
  • If Web is chosen, Web-grounded prompts entered via Windows, Bing, or Edge use internet data in its processing.
  • In the case of Edge and when enabled, Windows Copilot includes some types of data in open Edge tabs in its processing.

If the user does not have a license for Copilot for Microsoft 365, the Work/Web toggle is not displayed and all prompts are Web-grounded.

Here are the sets of accessible organization data for Microsoft Copilot, which include both Graph- and Web-grounded prompts.

Diagram of the sets of accessible organization data for Microsoft Copilot for both Graph- and Web-grounded prompts.

In the illustration, the yellow shaded blocks are for your organization data that is accessible through Copilot. Access to this data by a user through Copilot depends on the permissions to the data assigned to the user account. It can also depend on the status of the user’s device if conditional access is configured for either the user or for access to the environment where the data resides. Following the principles of Zero Trust, this is data you want to protect in case an attacker compromises a user account or device.

  • For Graph-grounded prompts (toggle set to Work), this includes:

    • Your Microsoft 365 tenant data

    • Data for Copilot-enabled plug-ins and connectors

    • Internet data (if the web plug-in is enabled)

  • For Web-grounded prompts from the Edge browser with open browser tab summarization enabled (toggle set to Web), this can include organization data that can be summarized by Copilot in Edge from local, intranet, and cloud locations.

Use this stage to verify your implementation of the following levels of security to prevent bad actors from using Copilot to access your sensitive data:

Recommendations for E3

Recommendations for E5

Implement the recommendations for E3 and extend the XDR capabilities in your Microsoft 365 tenant:

Configuration summary

This figure summarizes Microsoft Copilot configurations and the resulting accessible data that Copilot uses to respond to prompts.

A table showing Microsoft Copilot configurations and the resulting accessible data for Web- and Grapg-grounded prompts.

This table includes Zero Trust recommendations for your chosen configuration.

Configuration Accessible data Zero Trust recommendations
Without Copilot for Microsoft 365 licenses (Work/Web toggle not available)

AND

Edge browser page summarization disabled
For Web-grounded prompts, internet data only None required, but highly recommended for overall security hygiene.
Without Copilot for Microsoft 365 licenses (Work/Web toggle not available)

AND

Edge browser page summarization enabled
For Web-grounded prompts:

- Internet data
- Organization data on local, intranet, and cloud locations that Copilot in Edge can summarize
For your Microsoft 365 tenant, see Zero Trust for Copilot for Microsoft 365 and apply Zero Trust protections.

For organization data on local, intranet, and cloud locations, see Manage devices with Intune Overview for MAM and MDM policies. Also see Manage data privacy and data protection with Microsoft Priva and Microsoft Purview for DLP policies.
With Copilot for Microsoft 365 licenses (Work/Web toggle available)

AND

Edge browser page summarization disabled
For Graph-grounded prompts:

- Microsoft 365 tenant data
- Internet data if the web plug-in is enabled
- Data for Copilot-enabled plug-ins and connectors

For Web-grounded prompts, only internet data
For your Microsoft 365 tenant, see Zero Trust for Copilot for Microsoft 365 and apply Zero Trust protections.
With Copilot for Microsoft 365 licenses (Work/Web toggle available)

AND

Edge browser page summarization enabled
For Graph-grounded prompts:

- Microsoft 365 tenant data
- Internet data if the web plug-in enabled
- Data for Copilot-enabled plug-ins and connectors

For Web-grounded prompts:

- Internet data
- Organization data that can be rendered in an Edge browser page, including local, cloud, and intranet resources
For your Microsoft 365 tenant, see Zero Trust for Copilot for Microsoft 365 and apply Zero Trust protections.

For organization data on local, intranet, and cloud locations, see Manage devices with Intune Overview for MAM and MDM policies. Also see Manage data privacy and data protection with Microsoft Priva and Microsoft Purview for DLP policies.

Next steps

See these additional articles for Zero Trust and Microsoft's Copilots:

References

Refer to these links to learn about the various services and technologies mentioned in this article.