Data, privacy, and security for Microsoft 365 Copilot

Microsoft explains how Microsoft 365 Copilot uses organizational data, where processing occurs, and the privacy, security, and regulatory commitments that apply to its AI-powered features.

Microsoft 365 Copilot connects large language models, organizational content in Microsoft Graph, and Microsoft 365 productivity apps to provide AI-powered productivity capabilities. Copilot accesses only content and context that an individual user has permission to view and combines that information with the user’s working context to generate responses. Prompts, retrieved data, and generated responses remain within the Microsoft 365 service boundary and are processed using Azure OpenAI services rather than OpenAI’s public services. Microsoft states that Azure OpenAI does not cache customer content or Copilot-modified prompts for Microsoft 365 Copilot, and that prompts, responses, and data accessed through Microsoft Graph are not used to train foundation large language models.

The service stores user interaction data, including prompts, Copilot responses, and citations, as part of a Copilot activity history. That data is encrypted at rest and in transit and handled in alignment with existing contractual commitments for Microsoft 365 content. Administrators can view and manage stored interactions through Content search and Microsoft Purview and can set retention policies. Users can delete their activity history via the My Account portal. Microsoft also notes that while Azure OpenAI offers abuse monitoring with human review, Microsoft 365 Copilot has opted out of that feature. Customer feedback may be used to improve Copilot but is not used to train foundation models.

Microsoft describes regional processing and data residency commitments. Calls to models are routed to nearby data centers but may be routed to other regions when capacity requires it. EU customers benefit from additional EU Data Boundary safeguards, and Microsoft added Microsoft 365 Copilot to its data residency commitments and Advanced Data Residency and Multi-Geo offerings effective March 1, 2024.

The platform supports extensibility through Microsoft Graph connectors and agents, with admins controlling which agents are allowed. Multiple protections are applied, including Azure OpenAI content filtering, workplace-harm restrictions, protected material detection, and proprietary classifiers to help block jailbreak and prompt-injection attacks.

Microsoft highlights compliance with standards such as GDPR, ISO 27001, HIPAA, and ISO 42001 and reiterates its commitment to meeting evolving AI regulatory requirements, including the EU AI Act, while maintaining existing privacy and security commitments for Microsoft 365 customers.
