This chapter covers Microsoft Copilot for Microsoft 365 administration, a critical topic for the MS-102 exam. Copilot for M365 integrates large language models with your organization’s data through Microsoft Graph, enabling AI-powered assistance across Word, Excel, PowerPoint, Outlook, Teams, and more. As a Microsoft 365 administrator, you must understand how to deploy, configure, and secure Copilot, including licensing, data residency, and compliance. This topic typically appears in 10-15% of exam questions, often in scenario-based items about permissions, data boundaries, and policy configuration.
Imagine you work in a large office building with hundreds of filing cabinets, each containing documents, emails, calendars, and meeting notes. Your personal assistant, Copilot, has a master key to every cabinet and can read any document instantly. However, Copilot does not memorize everything; instead, when you ask a question, Copilot goes to the relevant cabinets, retrieves the specific documents, reads them, and synthesizes an answer. Crucially, Copilot only accesses cabinets you have permission to open—if a cabinet is locked (e.g., a document with restricted permissions), Copilot cannot see inside. Copilot also respects ‘do not disturb’ signs: if a document is marked as confidential or has sensitivity labels, Copilot will treat it accordingly, sometimes refusing to summarize it. Copilot’s ability to combine information from multiple cabinets (e.g., your calendar and emails to suggest a meeting time) is like cross-referencing different sources. The key point: Copilot never stores the documents themselves; it only reads them on demand to answer your query, and it forgets the content after the conversation. This mirrors Microsoft 365’s grounding and processing architecture where Copilot uses the Microsoft Graph to access data in real time, applies your existing permissions, and does not retain data beyond the session.
What is Microsoft Copilot for M365?
Microsoft Copilot for Microsoft 365 is an AI-powered productivity tool that combines large language models (LLMs) with your organization’s data via Microsoft Graph and Microsoft 365 services. It works across apps like Word, Excel, PowerPoint, Outlook, Teams, and more. Unlike the public Microsoft Copilot (Bing Chat), Copilot for M365 is grounded in your tenant’s data and respects your existing security, compliance, and identity policies.
Architecture Overview
Copilot for M365 uses a multi-layered architecture:
1. Orchestrator: Receives user prompts and processes them via Microsoft Graph to retrieve relevant data (emails, documents, calendar items, chats, etc.).
2. Grounding: The orchestrator retrieves only data the user has permission to access. It uses semantic search and ranking to find the most relevant information.
3. LLM: The retrieved data (plus the prompt) is sent to a large language model (like GPT-4) hosted in Microsoft’s Azure OpenAI service. The model generates a response based on the grounded data.
4. Post-processing: The response is checked for compliance (e.g., sensitive information detection) and then delivered to the user.
Key Components and Defaults
Licensing: Copilot for M365 requires a separate subscription: Microsoft 365 Copilot (add-on) priced at $30/user/month (as of 2025). Each user must have one of the following base licenses: Microsoft 365 E3, E5, Business Standard, Business Premium, or equivalent.
Data Residency: Copilot processes data in the same geographic region as your tenant’s default data location (e.g., United States, Europe). However, the LLM processing may occur in Microsoft’s Azure OpenAI regions (e.g., East US, West Europe). For EU data, Microsoft offers the EU Data Boundary for Copilot.
Permissions: Copilot never overrides user permissions. If a user cannot access a file via SharePoint, Copilot cannot access it either. This is enforced via Microsoft Graph permissions and Azure AD tokens.
Sensitivity Labels: Copilot respects sensitivity labels and retention policies. For example, if a document is labeled "Highly Confidential", Copilot may restrict summarization or redact certain content.
Audit Logging: All Copilot interactions are logged in the Microsoft 365 Purview compliance portal and can be searched via Audit Log. This includes the prompt, the data retrieved, and the response.
Configuration and Management
As an admin, you manage Copilot via:
- Microsoft 365 Admin Center: Under Settings > Org settings > Microsoft Copilot, you can enable/disable Copilot for the entire tenant or specific users.
- PowerShell: Use Set-CsTeamsClientConfiguration for Teams-specific Copilot settings. For broader control, use Set-MgBetaPolicy cmdlets.
- Copilot Page in Admin Center: Provides settings for data security, such as allowing Copilot to access web content (by default, it can access the public web to enhance responses; you can disable this).
- Conditional Access: You can require MFA or compliant devices for Copilot access. Copilot uses Azure AD authentication.
Interaction with Related Technologies
Microsoft Graph: Copilot relies on Graph APIs to retrieve user data. Graph permissions are delegated (user context) or application (admin context). For Copilot, delegated permissions are used.
Microsoft Purview: Copilot respects data lifecycle policies (retention, deletion) and eDiscovery holds. Content under litigation hold is still accessible if the user has permissions, but Copilot may be limited.
Azure OpenAI Service: The LLM processing is done in Azure OpenAI, which is SOC 2, ISO 27001, and HIPAA compliant. Customer data is not used to train the underlying models.
Step-by-Step Deployment
Assign Licenses: In Microsoft 365 Admin Center > Billing > Licenses, assign the Microsoft 365 Copilot add-on to users. Ensure base license is present.
Enable Copilot: Go to Settings > Org settings > Microsoft Copilot and toggle "Allow users to use Copilot" on. Optionally, restrict to specific groups.
Configure Data Boundaries: If you need EU data boundary, enable it in the admin center under Data Residency options (requires tenant in EU).
Set Conditional Access Policies: Create a Conditional Access policy targeting the "Microsoft Copilot" cloud app. Require MFA and compliant device.
Verify Audit Logging: Ensure unified audit log is enabled (it is by default for E5; for E3, you may need to enable it).
Verification Commands
Check license assignment: `Get-MgUserLicenseDetail -UserId user@domain.com | Where-Object {$_.SkuPartNumber -eq "COPLIAR"}` (Note: actual SKU may vary; use `Get-MgSubscribedSku` to list all SKUs).
Check Copilot settings: `Get-MgBetaPolicy` (requires Microsoft Graph PowerShell SDK).
View audit logs: `Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -Operations CopilotInteraction` (in Exchange Online PowerShell; both `-StartDate` and `-EndDate` are required).
Common Pitfalls
Licensing Mismatch: Users must have both base license and Copilot add-on. If only one is assigned, Copilot will not appear.
Permissions: Users may think Copilot can access all data; it cannot. It strictly follows user permissions.
Web Content Access: By default, Copilot can search the web. If you disable it, responses may be less informative but more secure.
Data Residency: If your tenant is in the US but you want EU data boundary, you must move the tenant (complex) or use multi-geo capabilities.
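The licensing mismatch described above can be checked for every Copilot-licensed user at once instead of one account at a time. The script below is an added example, not part of the original page; the base-license part numbers are assumptions, and `COPLIAR` is the value this page uses, so confirm both lists against `Get-MgSubscribedSku` in your tenant.

```powershell
# Added example. Requires the Microsoft Graph PowerShell SDK and an interactive sign-in.
Connect-MgGraph -Scopes 'User.Read.All', 'Organization.Read.All'

# Assumption: SKU part numbers vary by tenant and over time.
# Fill both lists from the output of Get-MgSubscribedSku before trusting the report.
$CopilotSkuPartNumbers = @('COPLIAR')   # value used on this page
$BaseSkuPartNumbers    = @('SPE_E3', 'SPE_E5', 'O365_BUSINESS_PREMIUM', 'SPB')   # assumed

# Map part numbers to the SkuId GUIDs that appear on each user's AssignedLicenses.
$skus       = Get-MgSubscribedSku -All
$copilotIds = @($skus | Where-Object SkuPartNumber -In $CopilotSkuPartNumbers | ForEach-Object SkuId)
$baseIds    = @($skus | Where-Object SkuPartNumber -In $BaseSkuPartNumbers    | ForEach-Object SkuId)

if ($copilotIds.Count -eq 0) {
    throw "No subscribed SKU matches '$($CopilotSkuPartNumbers -join ', ')'. Check Get-MgSubscribedSku."
}

$report = foreach ($id in $copilotIds) {
    # Server-side filter: only users that hold this Copilot SKU are returned.
    Get-MgUser -All -Filter "assignedLicenses/any(l:l/skuId eq $id)" `
               -Property Id, UserPrincipalName, UserType, AssignedLicenses |
        ForEach-Object {
            $hasBase = [bool]($_.AssignedLicenses | Where-Object { $_.SkuId -in $baseIds })
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                UserType          = $_.UserType
                HasBaseLicense    = $hasBase
                Problem           = if ($_.UserType -eq 'Guest') { 'Guest user holds Copilot add-on' }
                                    elseif (-not $hasBase)       { 'Copilot add-on without base license' }
                                    else                         { $null }
            }
        }
}

# Show only the accounts that need attention.
$report | Where-Object Problem |
    Sort-Object Problem, UserPrincipalName |
    Format-Table UserPrincipalName, UserType, Problem -AutoSize
```

An empty table means every user with the add-on also holds one of the listed base SKUs and is not a guest.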
Assign Licenses
Go to Microsoft 365 Admin Center > Billing > Licenses > Select Microsoft 365 Copilot > Assign to users. Ensure each user also has a qualifying base license (E3, E5, Business Standard, etc.). You can assign via PowerShell using `Set-MgUserLicense -UserId user@domain.com -AddLicenses @{SkuId = "c42b9cae-ea4f-4ab7-9717-81576235cc45"} -RemoveLicenses @()` (SkuId may vary; get it via `Get-MgSubscribedSku`; the cmdlet requires `-RemoveLicenses` even when nothing is removed). Without both licenses, Copilot won't activate.
Enable Copilot in Org Settings
In Admin Center > Settings > Org settings > Microsoft Copilot, toggle 'Allow users to use Microsoft Copilot' to On. You can restrict to specific security groups. This setting controls whether the Copilot icon appears in M365 apps. Disable for pilot groups initially. Also configure 'Allow Copilot to access web content' – default is On; disable if you want to limit external data.
Configure Conditional Access
Create a Conditional Access policy in Azure AD targeting the 'Microsoft Copilot' cloud app. Require MFA and compliant device (e.g., Intune managed). This ensures only authorized users access Copilot. Also consider session controls like 'App enforced restrictions' to prevent data exfiltration. Test with a small group before broad rollout.
Set Data Boundaries and Compliance
If you need data to stay within a specific region (e.g., EU), enable the EU Data Boundary for Copilot in Admin Center > Settings > Org settings > Data Residency. This ensures LLM processing occurs in EU data centers. Also configure sensitivity labels to restrict Copilot actions on labeled content (e.g., prevent summarization of 'Highly Confidential' documents).
Monitor and Audit Usage
Enable unified audit log (if not default). Search for 'CopilotInteraction' events to see prompts and responses. Use Purview Compliance Portal > Audit > Search. You can also use PowerShell: `Search-UnifiedAuditLog -Operations CopilotInteraction -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)`. Review for policy violations or data leakage. Optionally, use Data Loss Prevention (DLP) policies to block sensitive data from being used in prompts.
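A single `Search-UnifiedAuditLog` call returns only one page of results, so a weekly review that relies on it can silently miss events. The script below is an added example, not from the original page; it pages through all `CopilotInteraction` records for the last seven days and summarizes them per user. The session name and the summary column names are choices made for this example.

```powershell
# Added example. Run in an Exchange Online PowerShell session (Connect-ExchangeOnline).
$start     = (Get-Date).AddDays(-7)
$end       = Get-Date
$sessionId = "CopilotAudit-$([guid]::NewGuid())"   # constructed; any unique string works
$records   = [System.Collections.Generic.List[object]]::new()

# With -SessionCommand ReturnLargeSet and a fixed -SessionId, each call returns
# the next page of the same search until an empty page signals the end.
do {
    $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                  -Operations CopilotInteraction `
                  -SessionId $sessionId -SessionCommand ReturnLargeSet `
                  -ResultSize 5000)
    foreach ($r in $page) { $records.Add($r) }
} while ($page.Count -gt 0)

# Paged searches can return the same record twice; Identity is unique per record.
$unique = @($records | Sort-Object Identity -Unique)

# One row per user: volume, first and last interaction, number of active days.
$summary = $unique | Group-Object UserIds | ForEach-Object {
    $times = @($_.Group | ForEach-Object { $_.CreationDate } | Sort-Object)
    $days  = @($times | ForEach-Object { $_.Date } | Sort-Object -Unique)
    [pscustomobject]@{
        User         = $_.Name
        Interactions = $_.Count
        FirstSeen    = $times[0]
        LastSeen     = $times[-1]
        ActiveDays   = $days.Count
    }
} | Sort-Object Interactions -Descending

"Records retrieved: $($unique.Count)"
$summary | Format-Table -AutoSize
```

Each record's `AuditData` property holds the full event as a JSON string; pipe it to `ConvertFrom-Json` when a specific interaction needs closer review.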
Enterprise Scenario 1: Global Law Firm
A law firm with 5,000 users in the US and EU deploys Copilot to help lawyers draft contracts and summarize emails. The firm must comply with GDPR and attorney-client privilege. The administrator configures EU Data Boundary for the EU tenant and disables web content access to prevent confidential data from leaving the tenant. Sensitivity labels are applied to all client documents (e.g., 'Attorney-Client Privileged'), and Copilot is configured to block summarization of these documents. Conditional Access policies require MFA and device compliance. The firm uses audit logs to monitor all Copilot interactions, and DLP policies prevent prompts containing personally identifiable information (PII).
Scenario 2: Retail Company with Global Teams
A retail company with 20,000 users across 50 countries uses Copilot to generate sales reports in Excel and meeting summaries in Teams. The administrator faces challenges with data residency: some countries require data to stay within their borders. The company uses Microsoft 365 Multi-Geo to store data in specific regions, but Copilot’s LLM processing still occurs in the tenant’s default region. To address this, they enable the EU Data Boundary for EU users and accept that non-EU users’ data may be processed elsewhere. They also configure web content access to On so Copilot can fetch market trends. Performance is generally good, but latency increases when Copilot processes large datasets (e.g., >100MB Excel files). The administrator monitors usage via the Copilot dashboard and adjusts licensing for high-demand users.
Common Misconfigurations
Overly Permissive Access: Granting all users Copilot licenses without first testing with a pilot group leads to unexpected data exposure. Always start with a small group and use Conditional Access to restrict.
Ignoring Sensitivity Labels: If labels are not applied, Copilot will treat all content as equal, potentially exposing confidential information. Ensure labels are deployed and Copilot policies are configured.
Not Auditing: Many organizations forget to enable audit logging, missing visibility into how Copilot is used. Always enable unified audit log and regularly review CopilotInteraction events.
What MS-102 Tests on Copilot for M365
MS-102 objective 1.2 (Tenant Management) includes deploying and managing Copilot. Specific sub-objectives:
Configure Copilot settings (enable/disable, web access)
Manage Copilot licenses and assignments
Implement data security and compliance for Copilot (sensitivity labels, DLP, audit)
Understand data residency and processing locations
Common Wrong Answers and Why
"Copilot uses customer data to train its models" – This is false. Microsoft explicitly states that Copilot for M365 does not use your tenant data to train the underlying AI models. The exam tests this as a compliance point.
"Copilot can access all data in the tenant regardless of user permissions" – Wrong. Copilot strictly respects user permissions via Microsoft Graph. If a user cannot access a file, Copilot cannot. The exam often presents a scenario where an admin thinks Copilot can bypass permissions.
"You must enable Copilot separately in each app (Word, Excel, etc.)" – No. Enabling Copilot in the admin center makes it available across all M365 apps. Individual app settings are not required.
"Copilot stores user prompts and responses indefinitely" – False. Copilot retains data only for the duration of the session (up to 24 hours) for diagnostic purposes, but it is not stored permanently. Audit logs retain interaction metadata for up to 90 days (default) or longer if configured.
Specific Numbers and Terms
License SKU: Microsoft 365 Copilot add-on (SKU part number: COPLIAR or similar; always check current SKU list)
Price: $30/user/month (as of 2025)
Default web access: On
Audit retention: 90 days (default), extendable to 1 year with E5
Data processing regions: US, Europe, Asia Pacific (based on tenant location)
Edge Cases the Exam Loves
User without base license: If a user has only Copilot add-on but no E3/E5/Business license, Copilot won't work. The exam may ask you to troubleshoot.
Guest users: Copilot is not available for guest users (external B2B). Only internal licensed users can use Copilot.
Multi-Geo tenants: Copilot uses the tenant’s default geography for LLM processing, not the user’s preferred data location. This is a common trick question.
How to Eliminate Wrong Answers
If an answer says Copilot can access data the user cannot, eliminate it.
If an answer says Copilot uses data for training, eliminate it.
If an answer suggests per-app configuration, eliminate it.
Look for answers that mention "Microsoft Graph" and "permissions" – that is almost always correct.
Copilot for M365 requires both a qualifying base license (E3, E5, Business Standard, or Premium) and the Copilot add-on ($30/user/month).
Copilot respects user permissions exactly; it cannot access data the user cannot access.
All Copilot interactions are auditable via Purview Audit log (CopilotInteraction operation).
Web content access is enabled by default; can be disabled in admin settings for security.
Copilot does not use tenant data to train AI models; data is processed in real time and not stored permanently.
Conditional Access policies can be applied to the 'Microsoft Copilot' cloud app for added security.
Multi-Geo tenants: Copilot processing occurs in the tenant’s default geography, not user’s preferred data location.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Copilot for M365
Accesses tenant data via Microsoft Graph with user permissions.
Requires separate $30/user/month license.
Respects sensitivity labels, DLP, and retention policies.
Audit logging available in Purview.
Data processing within tenant’s geographic boundary.
Public Microsoft Copilot (Bing Chat)
Uses public web data only.
Free with Microsoft account (or included with some subscriptions).
No organizational compliance controls.
Limited audit (only chat history if signed in).
Data may be processed anywhere globally.
Mistake
Copilot for M365 is the same as the public Microsoft Copilot (Bing Chat).
Correct
Copilot for M365 is a separate service that uses your tenant’s data and respects your policies. The public Copilot (Bing Chat) uses public web data and does not have access to your organization’s data. They are different products with different licensing and security models.
Mistake
Copilot can access all files in SharePoint and OneDrive regardless of user permissions.
Correct
Copilot only accesses data the user has permission to view. It uses the user’s Azure AD token to query Microsoft Graph, which enforces the same permissions as if the user accessed the data directly. If a file is shared only with specific people, Copilot cannot access it for others.
Mistake
You need to install additional software to use Copilot.
Correct
No installation is required. Copilot is integrated into existing M365 apps (Word, Excel, etc.) and appears as a sidebar or button. The only requirement is the license and a supported browser or Office client (version 2312 or later for Windows, Mac, or web).
Mistake
Copilot stores all prompts and responses indefinitely for training.
Correct
Microsoft does not use customer data to train its models. Prompts and responses are stored temporarily (up to 24 hours) for diagnostic and abuse monitoring purposes. Audit logs store metadata (user, time, action) for up to 90 days by default.
Mistake
You can use Copilot without an internet connection.
Correct
Copilot requires an internet connection because the LLM processing happens in Microsoft’s cloud. Offline use is not supported. The user must be signed into their M365 account with an active internet connection.
Each user must have a qualifying base license (Microsoft 365 E3, E5, Business Standard, Business Premium, or equivalent) plus the Microsoft 365 Copilot add-on license. The add-on costs $30/user/month as of 2025. Without the base license, Copilot will not activate. You can assign licenses via the Microsoft 365 Admin Center or PowerShell.
Yes. Copilot respects sensitivity labels applied to documents and emails. For example, if a document is labeled 'Highly Confidential', Copilot may restrict actions such as summarization or content generation. Admins can configure these restrictions in the Microsoft Purview compliance portal under sensitivity label policies.
By default, Copilot can access the public web to enhance responses (e.g., to find current information). This setting is configurable in the Microsoft 365 Admin Center under Settings > Org settings > Microsoft Copilot > 'Allow Copilot to access web content'. Disabling this prevents external data from being used, which may reduce response quality but improves data security.
Enable unified audit logging in the Microsoft 365 Purview compliance portal (if not already enabled). Then search for 'CopilotInteraction' operations in the audit log. You can use the Purview portal or PowerShell with the `Search-UnifiedAuditLog` cmdlet. Audit logs include the user, prompt, data sources accessed, and response. Retention is 90 days by default, extendable with an E5 license.
No. Copilot for M365 is only available for internal licensed users. Guest users (B2B collaboration) cannot use Copilot even if they have a license. This is by design to prevent data access by external parties.
Copilot processes data in the same geographic region as your tenant’s default data location (e.g., United States, Europe). The LLM processing occurs in Microsoft’s Azure OpenAI regions. For EU tenants, you can enable the EU Data Boundary to ensure all processing stays within the EU. Data is not stored permanently; it is deleted after the session (up to 24 hours).
Yes. You can use the Microsoft Graph PowerShell SDK to manage Copilot settings. For example, `Get-MgBetaPolicy` retrieves current policies. To enable Copilot for a user, assign the license via `Set-MgUserLicense`. However, most settings are configured via the admin center, and PowerShell support is limited for some options like web content access.