Skip to content

Control 3.8: Copilot Hub and Governance Dashboard

Overview

Control ID: 3.8 Control Name: Copilot Hub and Governance Dashboard Regulatory Reference: FINRA 4511, SEC 17a-3/4, GLBA 501(b), SOX 404 Setup Time: 30-45 minutes

Purpose

The Copilot Hub provides a unified governance interface for managing Microsoft 365 Copilot, Copilot Studio agents, and AI-powered features across the enterprise. This control enables financial institutions to establish centralized oversight of AI capabilities, ensuring consistent policy enforcement, usage monitoring, and regulatory compliance. By consolidating Copilot management across M365 Admin Center and Power Platform Admin Center, organizations can maintain comprehensive visibility into AI adoption while enforcing appropriate security and data governance controls.

Terminology

Microsoft officially refers to this feature as the "Copilot" area or "Copilot hub" in the Power Platform Admin Center (Source). The term "Copilot Command Center" is not used in official Microsoft documentation.

Description

The Microsoft 365 Admin Center provides Microsoft 365 Copilot management capabilities that complement Power Platform Admin Center controls. This unified dashboard enables governance of Microsoft 365 Copilot, Copilot Studio agents published to M365, and associated AI features across the organization.

See Manage Microsoft 365 Copilot for detailed capabilities.

Key Capabilities

Capability Description FSI Relevance
Copilot settings Organization-wide AI configuration Policy enforcement
Agent management Published agent governance Deployment control
Usage reporting Copilot adoption metrics ROI and compliance
License management Copilot license allocation Cost control

Prerequisites

Primary Owner Admin Role: Power Platform Admin Supporting Roles: None

Licenses Required

License Purpose Required
Microsoft 365 Copilot Access to Copilot features and settings management Yes
Microsoft 365 E5 or E5 Compliance Advanced compliance features, audit logging, DLP integration Recommended
Microsoft 365 E3 Basic M365 Admin Center access Minimum
Power Platform per-user or per-app Copilot Studio agent development and management For agent governance
Copilot Studio Agent creation and advanced Copilot Studio features For agent development

Permissions Required

Role Scope Purpose
Global Administrator Tenant Full Copilot settings management
Microsoft 365 Administrator Tenant Microsoft 365 Copilot configuration and user access
Power Platform Administrator Tenant Copilot Studio and PPAC settings
Compliance Administrator Tenant Access to compliance-related Copilot settings
Reports Reader Tenant View Copilot usage reports
Teams Administrator Tenant Copilot in Teams settings

Dependencies

Dependency Description Status Check
Microsoft 365 Admin Center access Required for Copilot settings management Verify admin portal access
Power Platform Admin Center access Required for Copilot Studio governance Verify PPAC access
Microsoft Graph API permissions Required for PowerShell automation Verify app registration
Audit logging enabled Required for compliance monitoring Check Purview audit settings
Microsoft Entra ID Agent identity and access management Verify Entra configuration

Pre-Setup Checklist

  • [ ] Verify Global Administrator or appropriate admin role assignment
  • [ ] Confirm Microsoft 365 Copilot licenses are assigned to pilot users
  • [ ] Ensure Microsoft 365 Admin Center access is available
  • [ ] Verify Power Platform Admin Center access for Copilot Studio governance
  • [ ] Confirm audit logging is enabled in Microsoft Purview
  • [ ] Document current Microsoft 365 Copilot settings baseline before making changes
  • [ ] Identify stakeholders for Microsoft 365 Copilot and agent governance decisions
  • [ ] Review organizational AI usage policies
  • [ ] Establish change management process for Microsoft 365 Copilot configuration

Governance Levels

Level 1 - Baseline

Requirement Configuration
Dashboard access M365 Admin Center Copilot section accessible
Basic settings Review default configurations
Agent visibility Know what agents are published

Minimum requirements:

  • Access Copilot management dashboard
  • Review published agents monthly
  • Document Microsoft 365 Copilot settings
Requirement Configuration
Settings review All Microsoft 365 Copilot settings reviewed and configured
Agent governance Approval process for published agents
Usage monitoring Monthly usage reports reviewed
Policy alignment Settings aligned with organizational policy

FSI recommendations:

  • Configure Microsoft 365 Copilot settings to align with data governance policies
  • Establish agent publication approval workflow
  • Review usage reports for compliance monitoring
  • Document all configuration decisions

Level 4 - Regulated/High-Risk

Requirement Configuration
Restrictive settings Conservative Microsoft 365 Copilot configurations
Agent certification Require certification for all agents
Comprehensive reporting Weekly usage reviews
Executive oversight Monthly reports to governance committee

FSI requirements:

  • Disable web search for compliance-sensitive environments
  • Require governance approval for all published agents
  • Weekly usage monitoring for anomaly detection
  • Quarterly executive reporting on Microsoft 365 Copilot governance

Setup & Configuration

M365 Admin Center - Copilot

Accessing Copilot Management

  1. Open Microsoft 365 Admin Center
  2. Navigate to Copilot in left navigation
  3. Access available management sections

Copilot Navigation Structure

Section Path Purpose
Overview Copilot → Overview Copilot Control System dashboard
Connectors Copilot → Connectors External data connections for Copilot
Search Copilot → Search Bookmarks and acronyms management
Billing & usage Copilot → Billing & usage Pay-as-you-go billing policies
Settings Copilot → Settings Comprehensive Copilot configuration

Copilot Control System (Overview)

The Overview page displays the "Copilot Control System" dashboard.

Overview Tabs

Tab Purpose
Overview Success metrics and adoption guidance
Security Security-related Copilot settings
Health Copilot health and status
Discover Feature discovery and guidance

Keys to Success Metrics

The Overview tab displays four success metric cards:

Card Metric Description
Optimize Copilot license assignment Active user rate License utilization percentage
Encourage users to make Copilot a daily habit AI adoption score Score out of 100
Highlight Copilot's business impact Copilot assisted hours Time savings metric
Leverage user feedback to increase delight Promoters User satisfaction metric

Connectors

Connectors enable Microsoft 365 Copilot to access external data sources.

Connectors Tabs

Tab Purpose
Gallery Available connector templates
Your Connections Configured connections

Connection Management

Action Description
+ Add Connection Create new data connection
Refresh Update connection list
Filter Filter connections
Search Search connections

Connection Table Columns

Column Description
Connection Name Unique identifier
Display Name Friendly name
Staged Rollout Rollout configuration
Connection state Draft, Ready, Failed
Last sync time Most recent synchronization

FSI Consideration

Review all external connections for data governance compliance. Connections to external systems may expose sensitive data to Microsoft 365 Copilot.

Manage organization-specific content that appears in Microsoft 365 Copilot search results.

Search Tabs

Tab Purpose
Bookmarks Promoted URLs for search results
Acronyms Organization-specific acronym definitions

Search Actions

Action Description
+ Add a bookmark Create promoted search result
Exclude a URL Block URL from search results
Import Bulk import bookmarks
Export Export bookmark list

Bookmark Table Columns

Column Description
Bookmark title Display name
URL Target URL
Modified Last update date
Modified By User who made changes
Keywords Search trigger keywords
Category Classification

Billing & Usage

Manage pay-as-you-go billing for Microsoft 365 Copilot and agents.

Billing Tabs

Tab Purpose
Billing policies Configure billing policies by group
Pay-as-you-go services View available metered services

Billing Policy Management

Action Description
+ Add a billing policy Create new billing policy

Billing Policy Columns

Column Description
Name Policy name
Users Assigned user group
Services Microsoft 365 Copilot Chat, SharePoint agents
Budget used Consumption against budget

FSI Consideration

Billing policies help control AI costs by department. Use for chargeback and cost allocation.

Copilot Settings

The Settings page provides comprehensive Microsoft 365 Copilot configuration with four tabs.

Settings Tabs Overview

Tab Description FSI Focus
User access Control who can use Microsoft 365 Copilot features Access governance
Data access Control how Microsoft 365 Copilot retrieves data Data protection
Copilot actions Control Microsoft 365 Copilot output capabilities Content governance
Other settings Additional configuration options Support settings

User Access Settings

"Manage user access to Copilot in different products and services."

Setting Description Applies To
Pin Microsoft 365 Copilot Chat Pin Copilot Chat across experiences M365 Copilot Chat, Copilot app
Pin Microsoft 365 Copilot apps to Windows taskbar Pin Copilot apps to taskbar Windows, People, File Search, Calendar
Opal (Frontier) Access to Opal (Frontier) Microsoft 365 Copilot
Microsoft Copilot for Security Security Copilot settings Copilot for Security
Microsoft 365 Copilot self-service purchases Control trial/purchase by users Microsoft 365 Copilot
Microsoft 365 Copilot in admin centers Admin access to Copilot Microsoft 365 Copilot
Copilot pay-as-you-go billing Enable metered billing M365 Copilot Chat
Copilot in Edge Edge browser Copilot Microsoft Edge
Copilot in Bing, Edge, and Windows Consumer Copilot access Bing, Edge, Windows
Copilot Frontier Early access program Microsoft 365 Copilot

Data Access Settings

"Manage how Copilot securely retrieves and handles information."

Setting Description Applies To FSI Impact
Web search for M365 Copilot Allow web search M365 Copilot, Copilot Chat Disable for compliance
Recommendations for M365 Copilot licensing Admin license recommendations Microsoft 365 Copilot Informational
People Skills in Microsoft 365 Copilot People data access Microsoft 365 Copilot Review for privacy
Data security and compliance Links to Microsoft Purview Microsoft 365 Copilot Critical
Copilot in Power Platform and Dynamics 365 Power Platform integration Microsoft 365 Copilot Cross-platform
AI providers operating as Microsoft subprocessors External AI providers (Microsoft managed) Copilot Studio, M365 Copilot Review third-party
AI providers for other large language models Third-party LLM access Copilot Studio, M365 Copilot Security review required
Agents Control agent creation and use Microsoft 365 Copilot Agent governance

Copilot Actions Settings

"Choose how Copilot responds to user prompts to comply with organizational policies."

Setting Description Applies To FSI Consideration
Copilot video generation AI video creation Video content across M365 Content governance
Copilot in Teams meetings Meeting Copilot features Copilot in Microsoft Teams Meeting compliance
Copilot image generation AI image creation Designer integrations Content governance

Other Settings

"Find more settings that can assist your organization's use of Copilot."

Setting Description Applies To
Copilot diagnostic logs Send diagnostic data for troubleshooting Microsoft 365 Copilot
Copilot Custom Dictionary Custom terminology definitions Copilot in Teams

Agent Management (Integrated Apps)

In addition to the Copilot section, agents published to M365 appear in Integrated Apps:

  1. Navigate to Settings → Integrated apps
  2. Filter for Copilot agents
  3. Review agent details and permissions
  4. Manage availability and access

See Manage Copilot agents in Integrated Apps for details.

Agent Governance

Aspect Management Action Documentation
Availability Control who can access agents Access policy
Permissions Review data access permissions Permission audit
Certification Check publisher attestation Vendor assessment
Lifecycle Enable/disable/remove agents Change records

Usage Reporting

Usage reports are available in the M365 Admin Center Reports section:

  1. Navigate to Reports → Usage
  2. Select Copilot-related reports
  3. Configure date range
  4. Export for compliance documentation

See Copilot usage reports for available metrics.

PPAC Copilot Section

The Power Platform Admin Center also provides a Copilot section for managing Copilot Studio and Power Platform AI features.

Accessing PPAC Copilot

  1. Open Power Platform Admin Center
  2. Navigate to Copilot in left navigation

PPAC Copilot Navigation Structure

Section Path Purpose
Overview Copilot → Overview Quick start resources, What's new, Recommendations
Get started Copilot → Get started Onboarding and setup guidance
What's new Copilot → What's new Feature announcements
Settings Copilot → Settings Power Platform and Copilot Studio settings
Copilot Studio Copilot → Copilot in Power Platform → Copilot Studio Usage metrics, Agent performance
Power Apps Copilot → Copilot in Power Platform → Power Apps Power Apps AI features
Power Pages Copilot → Copilot in Power Platform → Power Pages Power Pages AI features

PPAC Copilot Settings

The Settings page contains two sections:

Power Platform Settings: | Setting | Description | |---------|-------------| | Copilot feedback | Control feedback submission to Microsoft | | Generative AI Settings | Allow AI usage in Power Platform products | | Preview and experimental AI models | Control access to preview AI features | | AI prompts | Control prebuilt and custom prompts |

Copilot Studio Settings: | Setting | Description | |---------|-------------| | Computer Use | Enable automated interactions (security consideration) | | Entra Agent Identity | Enable agent identity (Preview) | | Code generation and execution | Enable code generation in agents | | Connected Agents | Enable agent-to-agent invocation (Preview) | | Hosted Browser | Enable browser automation (Preview) | | Enable External Models | Allow external AI models (Preview) | | Knowledge sources for agents | Control which knowledge sources agents can use | | Channel access for published agents | Control agent publication channels | | Skills in agents | Enable agent skill usage | | Client application access control | Prevent data exfiltration | | Authentication for agents | Control agent authentication | | Sharing | Control sharing scope |

Copilot Studio Dashboard

Navigate to Copilot → Copilot in Power Platform → Copilot Studio to view:

Metric Description
Security Link to review security recommendations
Monitor Link to review health status
Settings Link to configure agents
Billed messages Message consumption metrics
Active agents Count of active agents
Agent session success rate Performance percentage
Capacity consumption Pre-paid and pay-as-you-go credits
Recommendations Take action to improve Copilot and agents
Agent table List of top agents by monthly sessions

M365 Admin Center - Agents

The M365 Admin Center now includes a dedicated Agents section for comprehensive agent governance.

Accessing Agents Management

  1. Open Microsoft 365 Admin Center
  2. Navigate to Agents in left navigation
  3. Access available management sections

Agents Navigation Structure

Section Path Purpose
Overview Agents → Overview Agent analytics and governance dashboard
All agents Agents → All agents Complete agent registry with 5 tabs
Tools Agents → Tools MCP Server management
Settings Agents → Settings Agent governance policies

Agent Overview Dashboard

The Overview page provides comprehensive agent analytics and governance actions.

Agent Overview Description

"Track agent usage across your org and take steps to improve impact. Adjust settings, manage access, and help teams unlock more value while staying aligned with governance goals."

Summary Metrics

Card Metric Description
Agent registry Total agents count All agents in organization
Active users Unique users Users interacting with agents

Agent Analytics

Chart Categories FSI Use
Agent publishers Created by your organization (Shared by creator, Published by org), Created by external partners (Microsoft, Other) Identify agent sources
Agent platforms Other, M365 Copilot Agent Builder, M365 Copilot Platform distribution
Active users over time Usage trend line chart Adoption monitoring

Top Actions for You

Action Card Metric Description FSI Action
Pending requests for agents Count of open requests Agents awaiting approval Review and approve/deny
Ownerless agents Count without owner Agents missing business owner Assign owners immediately

FSI Critical

Monitor "Pending requests" and "Ownerless agents" regularly. Unowned agents and stale requests represent governance gaps.

All Agents (Agent Registry)

The "All agents" page provides a complete registry with 5 tabs.

Page Description

"Monitor and control all the agents in your organization powered by Microsoft Entra."

Links: Manage in Entra | Learn more about managing agents

Registry Tabs

Tab Purpose FSI Governance Use
Map Visual agent relationship map Understand agent ecosystem
Frontier Frontier program agents (Preview) Track preview agents
Registry Complete agent inventory Primary governance view
Requests Pending agent requests Approval workflow
Catalog Available agent catalog Discover approved agents

Registry Summary Metrics

Metric Description FSI Action
Total agents All agents in org Track growth
Missing an owner Agents without owner Assign owners
Blocked agents Disabled/blocked agents Review block reasons

Registry Actions

Action Description
Refresh Update agent list
Export to Excel Export registry for compliance
Upload custom agent Add custom agent
Manage pinned agents Configure pinned agents

Registry Filters

Filter Options
Publisher Microsoft, External partners, Your organization
Availability All users, Some users
Channel Copilot, Teams, Outlook, Microsoft 365
Platform M365 Copilot, M365 Copilot Agent Builder, Other

Registry Table Columns

Column Description
Name Agent name and sub-label
Publisher Microsoft, External partners, Shared by creator
Availability All users, Some users
Channel Copilot, Teams, Outlook, Microsoft 365
Date created Creation timestamp

Requests Tab

Manage agent requests awaiting approval.

Column Description
Name Agent name
State Request status
Last modified Last update date
Supported in Supported channels
Owner Request owner
Publisher Agent publisher

Catalog Tab

Browse and add approved agents.

Built by Microsoft: Pre-built agents from Microsoft including Files, Sales, Microsoft 365 Admin.

Tools (MCP Servers)

The Tools page manages Model Context Protocol (MCP) Servers that define agent capabilities.

Tools Description

"Tools define how an AI model interacts with user data, tools, and workflows. It ensures requests, responses, and actions are handled consistently, safely, and transparently."

Link: Learn more about model context protocol

Tools Summary Metrics

Metric Description
MCP Servers Total server count
Available Active servers
Blocked Disabled servers

Tools Filters

Filter Options
Status Available, Blocked
Publisher Microsoft Corporation, etc.

Tools Table Columns

Column Description
Name MCP Server name
Status Available, Blocked
Type MCP Server
Publisher Server publisher

Available MCP Servers (Microsoft)

Server Type Purpose
Microsoft SharePoint Lists MCP Server (Frontier) MCP Server SharePoint Lists access
Microsoft 365 Copilot (Search) MCP Server (Frontier) MCP Server Search capabilities
Microsoft SharePoint and OneDrive MCP Server (Frontier) MCP Server File access
Microsoft Teams MCP Server (Frontier) MCP Server Teams integration
Microsoft Outlook Mail MCP Server (Frontier) MCP Server Email access
Microsoft 365 Admin Center MCP Server (Frontier) MCP Server Admin operations
Microsoft Outlook Calendar MCP Server (Frontier) MCP Server Calendar access
Microsoft 365 User Profile MCP Server (Frontier) MCP Server User data access
Microsoft Word MCP Server (Frontier) MCP Server Document access

FSI Consideration

MCP Servers control what data and actions agents can access. Review and block servers that shouldn't be available in your compliance environment.

Agent Settings

The Settings page provides comprehensive agent governance policies.

Settings Description

"Manage everything related to Agents. These settings include controls for data access, user permissions, integration policies, and customization of agent behavior to align with enterprise standards."

Agent Settings

Setting Description FSI Impact
Allowed agent types Specify which categories of AI agents (shared, external) are permitted Critical - Control agent sources
Sharing Manage who can share AI agents and sharing methods Control agent distribution
Templates Create pre-set policies, rules, and allowlists for new agents Standardize governance
User access Control which users or groups can interact with AI agents Access control

FSI Recommendation

Configure all four settings to establish baseline agent governance. Start with "Allowed agent types" to control which agent sources are permitted.

Integration Between Portals

The Copilot Hub spans multiple admin centers:

Function M365 Admin Center - Copilot M365 Admin Center - Agents PPAC
M365 Copilot settings Primary N/A N/A
Agent registry/inventory Via Integrated Apps Primary Source
Agent analytics N/A Primary Secondary
Agent approval workflow N/A Primary (Requests tab) N/A
MCP Server governance N/A Primary (Tools) N/A
Agent access policies N/A Primary (Settings) N/A
Copilot Studio settings N/A N/A Primary
Agent development N/A N/A Primary
DLP policies N/A N/A Primary
Usage reporting (M365 Copilot) Primary N/A N/A
Usage reporting (agents) N/A Primary Secondary

Best Practice: Use all three sections together:

  • M365 Admin Center → Copilot: M365 Copilot feature governance, connectors, settings
  • M365 Admin Center → Agents: Agent inventory, approval workflow, MCP Servers, agent policies
  • PPAC: Agent development governance, Copilot Studio settings, DLP policies

PowerShell Configuration

Connect to Microsoft Graph for Copilot Settings

# Install Microsoft Graph PowerShell SDK if not already installed
Install-Module Microsoft.Graph -Scope CurrentUser -Force

# Connect with required scopes for Copilot management
Connect-MgGraph -Scopes @(
    "Organization.Read.All",
    "Policy.Read.All",
    "Policy.ReadWrite.All",
    "Reports.Read.All",
    "AuditLog.Read.All",
    "User.Read.All"
)

# Verify connection
Get-MgContext | Select-Object Account, TenantId, Scopes

Get Copilot Configuration

# Get organization settings related to Copilot
$orgSettings = Get-MgOrganization
Write-Host "Organization: $($orgSettings.DisplayName)"

# Get service principal for Microsoft 365 Copilot
$copilotSP = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft 365 Copilot'"
if ($copilotSP) {
    Write-Host "Copilot Service Principal ID: $($copilotSP.Id)"
    Write-Host "Copilot App ID: $($copilotSP.AppId)"
}

# Get policies that may affect Copilot
$policies = Get-MgPolicyAuthorizationPolicy
Write-Host "Authorization Policy: $($policies.DisplayName)"

# Get Copilot-related app consent policies
Get-MgPolicyPermissionGrantPolicy | Format-Table DisplayName, Id

Export Copilot Settings

# Create export directory
$exportPath = "C:\CopilotGovernance\Exports"
if (!(Test-Path $exportPath)) {
    New-Item -ItemType Directory -Path $exportPath -Force
}

$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"

# Export service principals related to Copilot
$copilotApps = Get-MgServicePrincipal -Filter "startswith(displayName, 'Copilot') or startswith(displayName, 'Microsoft 365 Copilot')"
$copilotApps | Select-Object DisplayName, AppId, Id, AccountEnabled |
    Export-Csv -Path "$exportPath\CopilotServicePrincipals_$timestamp.csv" -NoTypeInformation

# Export Copilot-related enterprise applications
$copilotEntApps = Get-MgServicePrincipal -All | Where-Object {
    $_.Tags -contains "WindowsAzureActiveDirectoryIntegratedApp" -and
    ($_.DisplayName -like "*Copilot*" -or $_.DisplayName -like "*Agent*")
}
$copilotEntApps | Export-Csv -Path "$exportPath\CopilotEnterpriseApps_$timestamp.csv" -NoTypeInformation

Write-Host "Export completed to: $exportPath"

Audit Copilot Configuration Changes

# Search for Copilot-related audit events
$startDate = (Get-Date).AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$endDate = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Get audit logs for application changes
$auditLogs = Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $startDate and activityDateTime le $endDate" -All

# Filter for Copilot-related activities
$copilotAuditEvents = $auditLogs | Where-Object {
    $_.TargetResources.DisplayName -like "*Copilot*" -or
    $_.ActivityDisplayName -like "*Copilot*" -or
    $_.ActivityDisplayName -like "*consent*" -or
    $_.ActivityDisplayName -like "*policy*"
}

# Display results
$copilotAuditEvents | Select-Object ActivityDateTime, ActivityDisplayName, InitiatedBy, Result |
    Format-Table -AutoSize

# Export audit trail for compliance
$copilotAuditEvents | Export-Csv -Path "$exportPath\CopilotAuditLog_$timestamp.csv" -NoTypeInformation

Write-Host "Found $($copilotAuditEvents.Count) Copilot-related audit events"

Financial Sector Considerations

Regulatory Context

Primary Regulations: FINRA 4511, SEC 17a-3/4, GLBA 501(b), SOX 404

Regulation Copilot Hub Support
FINRA 4511 Usage records for books and records
SEC 17a-3/4 Agent activity documentation
GLBA 501(b) Access control for customer data
SOX 404 IT controls for AI systems

Examination Considerations

Regulators may request:

  • Copilot configuration settings
  • List of published agents and approval records
  • Usage reports showing AI adoption
  • Evidence of ongoing governance

Regulatory Mapping

Regulation Requirement Copilot Hub Control
FINRA 4511 Books and records retention Usage reports, agent activity logs, configuration change records
SEC AI Priorities AI governance and risk management Centralized Copilot settings, agent approval workflows, data access controls
GLBA 501(b) Safeguards for customer information Data access settings, web search restrictions, connector governance
SOX 404 Internal controls over financial reporting Agent certification, access controls, audit trail maintenance
FFIEC AI Guidance Model risk management Agent registry, usage monitoring, configuration documentation
OCC SR 11-7 Model validation and governance Agent approval process, performance monitoring, change management

Example Environment Tier Configuration (Not Agent Governance)

This table is an environment-tier example (Production/Development/Sandbox) and is not the Agent Governance tier model. Use the governance tier section below (Tier 1-3).

Setting Production Development Sandbox
Web search for M365 Copilot Disabled Disabled Enabled (with monitoring)
AI providers (subprocessors) Restricted Restricted Allowed with review
Third-party LLM access Blocked Blocked Allowed for testing
Agent creation Approved users only Development teams All licensed users
MCP Servers Approved list only Extended list All available
Copilot image generation Disabled Disabled Enabled
Copilot video generation Disabled Disabled Enabled
External connectors Approved list only Limited Allowed for testing
Agent sharing scope Internal only Team scope Broad sharing

FSI Example Configuration

# Copilot Hub - FSI Production Configuration
# Environment tier: Production
# Classification: Regulatory Environment

copilot_settings:
  data_access:
    web_search_enabled: false
    web_search_reason: "FINRA 4511 - Prevent external data leakage"
    external_ai_providers: "blocked"
    third_party_llm: "blocked"

  user_access:
    self_service_purchases: "disabled"
    copilot_in_edge: "managed_users_only"
    consumer_copilot: "disabled"

  copilot_actions:
    image_generation: "disabled"
    video_generation: "disabled"
    teams_meeting_copilot: "enabled_with_retention"

  agent_governance:
    allowed_agent_types:
      - "organizational_shared"
      - "microsoft_verified"
    external_agents: "blocked"
    agent_approval_required: true
    owner_assignment_mandatory: true

  mcp_servers:
    approval_required: true
    blocked_servers:
      - "preview_servers"
      - "frontier_unverified"

  connectors:
    external_connections: "approval_required"
    data_governance_review: "mandatory"

  monitoring:
    usage_reports: "weekly"
    audit_log_retention: "7_years"
    anomaly_detection: "enabled"
    executive_reporting: "monthly"

Zone-Specific Configuration

Zone 1 (Personal Productivity):

  • Apply a baseline minimum of Copilot Hub controls that impacts tenant-wide safety (where applicable), and document any exceptions for personal agents.
  • Avoid expanding scope beyond the user’s own data unless explicitly justified.
  • Rationale: reduces risk from personal use while keeping friction low; legal/compliance can tighten later.

Zone 2 (Team Collaboration):

  • Apply the control for shared agents and shared data sources; require an identified owner and an approval trail.
  • Validate configuration in a pilot environment before broader rollout; retain evidence (screenshots/exports/logs).
  • Rationale: shared agents increase blast radius; controls must be consistently applied and provable.

Zone 3 (Enterprise Managed):

  • Require the strictest configuration for Copilot Hub controls and enforce it via policy where possible (not manual-only).
  • Treat changes as controlled (change ticket + documented testing); retain evidence (screenshots/exports/logs).
  • Rationale: enterprise agents handle the most sensitive content and are the highest audit/regulatory risk.

Verification & Testing

Step Action Expected Result
1 Navigate to M365 Admin Center → Copilot Copilot dashboard displayed
2 Review Settings section Configuration options visible
3 Check Integrated apps for agents Published agents listed
4 Access usage reports Report data available
5 Verify setting changes Changes applied successfully

Compliance Documentation

Required Documentation

Document Content Retention
Settings inventory Current Copilot configuration Update on change
Agent registry Published agents and approvals Continuous
Usage reports Monthly usage summaries Per retention policy
Change records Configuration change history Per retention policy

Examination Evidence

For regulatory examinations, maintain:

  • Copilot settings configuration export
  • Agent publication approval records
  • Usage reports demonstrating monitoring
  • Change management documentation

Troubleshooting & Validation

Common Issues and Solutions

Issue Symptoms Solution
Copilot section not visible in M365 Admin Center Navigation menu doesn't show Copilot option Verify Microsoft 365 Copilot licenses are assigned in tenant. Ensure user has Global Admin or appropriate admin role. Clear browser cache and refresh.
Settings changes not applying Configuration updates don't reflect for users Allow 24-48 hours for policy propagation. For immediate effect, have users sign out and back in. Check for conflicting policies in Conditional Access or Group Policy.
Agent registry showing incomplete data Missing agents or incorrect counts Verify Entra ID sync is current. Check that agents are properly registered with Microsoft Entra. Use the Refresh button and wait for data population.
Usage reports showing no data Empty or missing metrics in reports Confirm Copilot has been actively used (minimum 72 hours for data). Verify audit logging is enabled. Check that report date range includes active usage period.
PowerShell scripts failing to connect Authentication or permission errors Verify Microsoft.Graph module is updated to latest version. Confirm required scopes are consented. Check for Conditional Access policies blocking PowerShell access.
MCP Servers not appearing in Tools Tools page shows no servers or blocked servers Verify Frontier program enrollment if using preview features. Check agent settings for MCP Server policies. Contact Microsoft support if servers should be available.
Connector sync failures Connections showing "Failed" state Review connector configuration for authentication issues. Verify external system availability. Check data source permissions and firewall rules.

Diagnostic Commands

# Verify Copilot license assignment
Get-MgUser -Filter "assignedLicenses/any(x:x/skuId eq '<Copilot-SKU-ID>')" -All |
    Select-Object DisplayName, UserPrincipalName | Format-Table

# Check service health for Copilot
Get-MgServiceAnnouncementHealthOverview | Where-Object { $_.Service -like "*Copilot*" }

# Verify admin role assignments
Get-MgDirectoryRole | Where-Object { $_.DisplayName -like "*Admin*" } |
    ForEach-Object { Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id }

Additional Resources

Resource Description URL
Manage Microsoft 365 Copilot Official Copilot management documentation learn.microsoft.com
Copilot Usage Reports Understanding Copilot adoption metrics learn.microsoft.com
Manage Copilot Agents in Integrated Apps Agent lifecycle and governance learn.microsoft.com
Microsoft 365 Copilot Data Residency Data handling and compliance learn.microsoft.com
Copilot Studio Governance Power Platform Copilot Studio controls learn.microsoft.com
Microsoft 365 Admin Center Overview Admin portal navigation and features learn.microsoft.com

Pillar 1 - Security

Pillar 2 - Management

Pillar 3 - Reporting

Pillar 4 - SharePoint

Support & Questions

For implementation support or questions about this control, contact:

  • AI Governance Lead (governance direction)
  • M365 Administrator (technical setup)
  • Compliance Officer (regulatory requirements)

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification