Professional Documents
Culture Documents
Microsoft 365 Copilot Architecture
Microsoft 365 Copilot Architecture
Page 1
Microsoft Copilot for Microsoft 365
architecture & deployment
Copilot combines the power of large language models (LLMs) with your data in the
Microsoft Graph — your calendar, emails, chats, documents, meetings, and more —
and the Microsoft 365 apps to provide a powerful productivity tool.
Microsoft Graph
Organization data
(Example data)
OneDrive Exchange
Online
SharePoint
Teams Chat
November 2023 © 2023 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
This topic is 2 of 7
Page 2
Microsoft Copilot for Microsoft 365 service and tenant logical architecture
Semantic Index
Microsoft Graph
for Copilot Azure Open AI service
Copilot for
subscription for
Microsoft 365
Microsoft 365
Your customer data stays within the Microsoft 365 service Your tenant sits inside the Microsoft 365 service boundary,
boundary. Your prompts, responses, and data in the where Microsoft’s commitment to security, compliance,
Microsoft Graph is not used to train foundation LLMs that data location, and privacy are upheld.
Copilot leverages. Your data is secured based on existing
Copilot is a shared service just like many other services in
security, compliance, and privacy policies already deployed
Microsoft 365. Communication between your tenant and
by your organization.
Copilot components is encrypted.
For more information, see Data, Privacy, and Security for
Copilot for Microsoft 365.
November 2023 © 2023 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
This topic is 3 of 7
Page 3
November 2023 © 2023 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
This topic is 4 of 7
Page 4
November 2023 © 2023 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
Prepare your environment for This topic is 5 of 7
Identity and access Configure common conditional access policies Configure recommended policies for Zero Trust
With Microsoft Entra ID P1, configure the following With Microsoft Entra ID P1, configure the following
policies to use multi-factor authentication (MFA): policies to use multi-factor authentication (MFA):
• Require MFA for administrators • Require MFA when sign-in risk is medium or
• Require MFA for all users high
See Common Conditional Access policies. Be sure • Require high risk users to change their
Microsoft 365 Services and your other SaaS apps password
are included in the scope of these policies. See Common security policies for Microsoft 365
organizations.
If your environment includes hybrid identities, also
enforce on-premises Microsoft Entra Password Also configure Privileged Identity Management.
Protection for Active Directory Domain Services.
Threat protection Configure Exchange Online Protection and Pilot and deploy Microsoft 365 Defender
endpoint protection For more comprehensive threat protection, pilot
Exchange Online Protection (EOP) helps protect and deploy Microsoft 365 Defender, including:
your email and collaboration tools from phishing, • Defender for Identity
impersonation, and other threats. You can rapidly
apply these protections by configuring preset • Defender for Office 365
security policies. • Defender for Endpoint
Microsoft Defender for Endpoint P1 includes • Defender for Cloud Apps
Attack surface reduction and Next generation See Evaluate and pilot Microsoft 365 Defender.
protection for antimalware and antivirus
protection. See Overview of Microsoft Defender for
Endpoint Plan 1.
Organization data Develop your classification schema and get Extend policies to more data and begin using
started with sensitivity labels and other policies automation with data protection policies
Sensitivity labels form the cornerstone of Sensitivity labeling expands to protecting more
protecting your data. Before you create the labels content and more labeling methods. For example,
to denote the sensitivity of items and the labeling SharePoint sites and Teams by using
protection actions to be applied, understand your container labels, and automatically labeling items
organization's existing classification taxonomy and in Microsoft 365 and beyond. For more
how it will map to labels that users will see and information, see a list of common labeling
apply in apps. scenarios and how they align to business goals.
Create data loss prevention policies
Create retention policies
Use context explorer (to review results)
November 2023 © 2023 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
Set up secure file sharing and This topic is 6 of 7
First, identify Teams or projects that warrant highly sensitive protection. Configure protections for this level. Many
organizations don’t have data that requires this level of protection.
Next, identify Teams or projects that warrant sensitive protection and apply this protection.
Finally, ensure all Teams and projects are configured for baseline
protection, at a minimum.
Resources
Set up secure file sharing Compare levels of Configure Teams with
and collaboration with protection three tiers of protection
Microsoft Teams
Sharing with people outside your organization Collaborating with people outside your organization
You may need to share information of any sensitivity with Use these resources for setting up your environment for
people outside your organization. Use these resources: collaborating with people outside your organization:
• Apply best practices for sharing files and folders with • Collaborate on documents — share individual files or
unauthenticated users folders
• Limit accidental exposure to files when sharing with • Collaborate on a site — collaborate with guests in a
people outside your organization SharePoint site
• Collaborate as a team — collaborate with guests in a
• Create a secure guest sharing environment team
• Collaborate with external participants in a channel —
collaborate with people outside the organization in a
shared channel
November 2023 © 2023 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
Pilot and deploy Microsoft Copilot for This topic is 7 of 7
Full deployment
Devices Test device Apply device Enroll the rest of the endpoints
protections with protections to the in larger increments
the same 50 users same users
Copilot Assign Copilot licenses to users AFTER their account and devices are
protected
November 2023 © 2023 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.