Introduction
Microsoft Copilot is a strategic suite of AI-powered capabilities embedded within Microsoft’s Modern Work solutions, designed to support the evolving needs of public sector and other regulated organizations. At the forefront is Microsoft 365 Copilot, which integrates generative AI into core productivity tools such as Word, Excel, PowerPoint, Outlook, and Teams. These tools enable users to streamline document creation, enhance data analysis, and improve communication workflows, freeing up time for higher-value, citizen-focused work. Complementing this capability is Microsoft 365 Copilot Chat (Copilot Chat), a secure, conversational interface that allows users to interact with their data and systems using natural language. Copilot Chat offers an exceptional method for searching the Internet and analyzing web-based information utilizing the secure framework of Microsoft 365 Copilot. Together, these tools empower agencies to deliver more responsive, efficient, and transparent public services.
This configuration planning guide is dedicated to addressing the considerations necessary for the successful deployment of Microsoft 365 Copilot within a sensitive operational framework. It offers a comprehensive overview of the service architecture and essential integration considerations for a sensitive environment. This guidance assumes access to Microsoft 365 Copilot subscription licensing and Microsoft 365 Enterprise E5, in alignment with the Australian Signals Directorate (ASD) Blueprint for Secure Cloud configuration guidance for Microsoft 365.
Microsoft 365 Copilot
Microsoft 365 Copilot provides users with a generative AI powered assistant that interacts in natural language to streamline their workflow. Examples include:
- Summarizing emails and documents,
- Providing recaps of meetings,
- Creating new content, and
- Answering questions.

These and other capabilities are integrated directly into the everyday Microsoft 365 applications (Office) such as Word, Excel, and Outlook. Copilot provides a natural language interface onto a sophisticated AI assistant within Office, built within the constraints of Microsoft’s AI Principles.
Microsoft 365 Copilot Chat (Copilot Chat)
Complementing Microsoft 365 Copilot is Copilot Chat, a secure, conversational interface that allows users to interact with their data and systems using natural language. Copilot Chat offers a transformative alternative to traditional web searching in the federal government context by enabling staff to retrieve information, insights, and guidance through secure, natural language interactions. Unlike conventional search engines, it can synthesize documents, policies, and datasets, providing tailored, context-aware answers without leaving the workflow and without extensive navigation of search links, which can expose staff to misinformation and disinformation and can take significant time. The ability to ask specific questions and get the answer, with the references required to validate it, better aligns with government’s need-to-know principles, especially when performing web searches. Copilot Chat uses the same architectural components as the Microsoft 365 Copilot service, adhering to the highest security standards. Copilot Chat operates within a robust security framework, safeguarding sensitive data while providing powerful AI-driven assistance, all in the context of Microsoft’s AI Principles.
IRAP assessed productivity service
An Australian Government Protected Infosec Registered Assessors Program (IRAP) assessment of Microsoft 365, with Microsoft 365 Copilot in the scope of assessed services, is available at the Microsoft Service Trust Portal. Microsoft 365 (Copilot included) is assessed to store information at the Protected level, which is the highest level of security assessment applicable to a public cloud service in Australia. However, as with any new service deployed into a sensitive environment, introducing Copilot requires some specific configuration. Copilot Chat is a subset of the Microsoft 365 Copilot service, as described in the architecture, and is also covered by the same IRAP assessment.
AI Service responsibility model for sensitive & regulated agencies
Copilot enhances productivity by offering intelligent, context-aware assistance within the familiar Office environment. However, Copilot isn't a replacement for human judgment or expertise. It's a tool to augment and support users, not to make decisions independently. It also doesn't operate outside the secure and compliant framework established by Microsoft 365, ensuring that all interactions remain within the bounds of organizational policies and data protection standards.
Copilot is… | Copilot is not… |
---|---|
Your AI assistant | Your AI replacement |
Human controlled | An independent coworker |
Boosting your productivity | Eliminating your role |
Drafting content | Selecting Send or Save, without your explicit instruction |
Helping you to find answers | Automated decision making |
Enriched by your content | Trained on your data |
Ready-to-go | An app dev component |
An AI system | An AI model |
When considering the integration of Microsoft 365 Copilot, it's useful to evaluate Microsoft 365 Copilot within the context of the Microsoft AI Shared Responsibility Model, which covers:
- Customer responsibility: These items are solely addressed by the customer. Microsoft doesn't have a responsibility to address these components.
- Microsoft responsibility: These items are solely addressed by Microsoft. The customer doesn't have a responsibility to address these components.
- Shared responsibility: Within the items of shared responsibility in this model, customers are responsible for configuring the service to meet their specific needs, while Microsoft ensures the platform’s integrity and enforces the customer configured controls. Customers are responsible for nontechnical aspects of these items, such as adopting and adapting policies and procedures, establishing recurring patterns & practices, and making decisions about the configurations to apply.
This approach mirrors the considerations made for other cloud services across Infrastructure, Platform, and Software as a Service models. AI services have a similar distinction, and the due considerations and focus of a consumer of such services should be similarly informed.
Microsoft compliance with these requirements is demonstrated by the Microsoft 365 IRAP assessment report, ensuring that Microsoft 365 Copilot operates within the established data security and compliance parameters of the Microsoft 365 environment.
The specific architecture of Microsoft 365 Copilot and Copilot Chat can be more easily understood in this context, as Microsoft 365 Copilot is a Software-as-a-Service (SaaS) product seamlessly embedded within Microsoft 365.
Customer responsibilities
Customer user enablement and training accountability
Within the AI Shared Responsibility Model, customers have full responsibility for user enablement and training accountability.
As with any new technology, effective training is essential to enable users to understand and confidently apply generative AI in the flow of their work, reducing the chance of errors or inappropriate user behavior and ensuring the AI-assisted outputs are fit for purpose. Microsoft has developed the Microsoft 365 Copilot Skilling Center to assist with user training needs.
For more information about initiating the appropriate change management, adoption, and user training for IT professionals, see the various courses available at Microsoft Training and Product documentation. Agents can also transform the productivity landscape within a department, and extensibility should be an integral part of every IT enablement conversation.
For information on how to plan a Microsoft 365 Copilot rollout, consider adoption guidance for Leaders. Success Kits for both Microsoft 365 Copilot and Copilot Chat are available, with specific guidance on how to drive agent adoption. Guidance on the use of Copilot Scenario Framework (CSF) using the Modern Collaboration Architecture (MOCA) can guide alignment to the agency’s use of the Microsoft 365 tools.
Usage policy, admin controls
Within the AI Shared Responsibility Model, customers have full responsibility for usage policy and the application of admin controls.
The establishment of a usage policy is a matter for individual organizations to consider in the context of their legal, contractual, and regulatory frameworks, own work patterns, and stakeholder expectations, such as:
- Internal use expectations versus guests
- Use in the creation of external communications
- Acceptance of AI involvement in personalized interactions
- Stakeholder demographics
The predominant focus of this configuration planning guide is on admin controls, which are detailed in the recommended configuration article.
Shared responsibility
Identity, device, and access management
Within the AI Shared Responsibility Model, identity, device, and access management are shared responsibilities.
Microsoft 365 Copilot is designed to integrate seamlessly with the existing identity, device, and access management configurations within a customer’s Microsoft 365 environment. This guide focuses on additional controls specific to Microsoft 365 Copilot and highlights existing controls that are relevant for organizations implementing Microsoft 365 Copilot.
For further configuration guidance in the deployment of a sensitive Microsoft 365 environment, consult the ASD Blueprint for Secure Cloud, which offers comprehensive recommendations and protocols for secure configuration.
Data governance
Within the AI Shared Responsibility Model, data governance is a shared responsibility. Effective data governance is essential for managing knowledge and information, enhancing discoverability, and boosting productivity within any organization that is undergoing digital transformation. This document outlines the crucial data governance mechanisms and practices that are integral to the successful implementation of Microsoft 365 Copilot.
For more information on data governance within the broader Microsoft 365 ecosystem, see:
- Microsoft Purview Information Protection Guide for Australian Government compliance with PSPF
- SharePoint Advanced Management (SAM) and features in Microsoft 365 Copilot licenses
Copilot extensibility
AI plugin and data connections
Within the AI Shared Responsibility Model, plugins and data connections are a shared responsibility. Connectors and plugins enable customers to broaden the capabilities of Microsoft 365 Copilot, allowing it to interface with systems and data beyond their Microsoft 365 environment. Therefore, customers need to consider both the responsibility to manage the risks of using external data and systems, and the integration itself, as these might be Microsoft developed, customer developed, or non-Microsoft in origin. Customers are responsible for any non-Microsoft or custom developed connectors and plugins.
IT professionals are encouraged to become acquainted with Microsoft 365 Copilot extensibility options and architectures.
Plugins, such as Bing, differ from connectors in that they operate in real-time to augment Copilot with new abilities and insights. For a more detailed description of plugins and connectors, see Service components.
Agents
Within the AI Shared Responsibility Model, agents are a shared responsibility. Copilot agents are specialized AI assistants that enhance the capabilities of Copilot by adding specialized skills and knowledge while automating specific tasks. These agents can handle a wide range of tasks, from simple, mundane activities to complex, multi-step business processes. They're designed to work seamlessly with Microsoft 365 applications, providing users with real-time information and insights and helping to streamline business processes. With the help of connectors, they can also interact with external data sources, both in the cloud and on-premises.