Control 4.1: Copilot Admin Settings and Feature Management

Control ID: 4.1 Pillar: Operations & Monitoring Regulatory Reference: SOX Section 404, FFIEC IT Examination Handbook, GLBA 501(b) Last Verified: 2026-03-22 Governance Levels: Baseline / Recommended / Regulated

Objective

Establish centralized governance over Microsoft 365 Copilot administrative settings, role assignments, feature availability, and adjacent billing or cloud-policy decisions. This control helps organizations manage Copilot consistently across Microsoft 365 without relying on ad hoc administrator judgment or overly privileged roles.

Why This Matters for FSI

Financial institutions operate under internal control frameworks that require documented, auditable, and role-separated management of technology configuration changes. SOX Section 404 expects management to maintain and test IT general controls where technology affects regulated reporting and operational processes. The FFIEC IT Examination Handbook similarly emphasizes access governance, change control, and ongoing monitoring for enterprise technology platforms.

For Copilot, those expectations apply to more than one settings page. Administrators now work across the Copilot overview, Copilot settings tabs, Agents administration, billing controls, and Cloud Policy. If these surfaces are managed inconsistently, firms can end up with unauthorized feature rollouts, unmanaged agent exposure, or unexpected spend paths that weaken governance evidence and change control discipline.

Least-privilege administration also matters. Microsoft now supports AI Administrator as the primary low-privilege role for Copilot scenario management in the Microsoft 365 admin center, while Global Reader supports read-only review. Overuse of broad administrator roles creates unnecessary risk in regulated environments.

Disclaimer

This control is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. See full disclaimer.

Control Description

Microsoft 365 Copilot administration now spans a small set of connected governance surfaces:

Surface	Primary Path	Governance Use
Copilot overview	M365 Admin Center > Copilot > Overview	Readiness, usage trends, security links, and recommended actions
Copilot settings	M365 Admin Center > Copilot > Settings	Tenant controls grouped under User access, Data access, Copilot actions, and Other settings
Agents administration	M365 Admin Center > Agents > Overview / All agents / Settings	Agent inventory, lifecycle, user access, allowed types, and sharing
Billing and PAYG	M365 Admin Center > Billing > Pay-as-you-go services / Cost Management	Billing policies, budgets, and metered usage monitoring
Cloud Policy	`https://config.office.com` > Customization > Policy Management	Copilot Pages / Notebooks and code preview policy decisions
Baseline Security Mode	M365 Admin Center > Settings > Org settings > Security & privacy	Foundational Microsoft 365 security baseline that complements Copilot-specific controls

Role Separation

Administrative Area	Recommended Role	Why
Copilot scenario and settings review	AI Administrator	Least-privilege role for Copilot and agent administration in the Microsoft 365 admin center
Read-only evidence collection	Global Reader	Supports oversight without configuration rights
Org-wide exception handling	M365 Global Admin	Reserve for emergency or broader tenant changes that require elevated privilege
Teams-specific Copilot controls	Teams Admin	Owns meeting and messaging policy surfaces
Outlook-specific Copilot controls	Exchange Online Admin	Owns mailbox and Exchange-related settings
SharePoint / SharePoint Embedded review	SharePoint Admin	Owns storage, sharing, and container administration
Cloud Policy for Copilot app experiences	Office Apps admin or approved equivalent	Manages Pages/Notebooks and other app-level cloud policies

What Should Be Governed Together

This control treats the following decisions as part of one operational governance process:

who can access Microsoft 365 Copilot
whether web search and other data-access features are enabled
whether agents are allowed, restricted, or limited to approved groups
whether PAYG billing is enabled for approved users or departments
whether Copilot Pages and Copilot Notebooks are available through Cloud Policy
whether change evidence exists for each configuration adjustment

Baseline Security Mode

Baseline Security Mode is relevant to Copilot governance, but it should not be documented as if it were a Copilot-specific tab. Microsoft documents it as an organization-wide Microsoft 365 security baseline under Settings > Org settings > Security & privacy. For FSI teams, it is best treated as a complementary control surface that informs the broader Copilot security posture rather than replacing workload-specific Purview, SharePoint, or agent governance decisions.

Copilot Surface Coverage

Surface	Coverage	Notes
Microsoft 365 Copilot Chat	Full	User access, web search, agents, and Cloud Policy dependencies
Word / Excel / PowerPoint / Outlook	Full	Covered through Copilot access decisions plus workload-specific controls where applicable
Teams	Partial	Copilot rollout aligns with Teams meeting and messaging policies
Copilot Pages / Notebooks	Full	Governed through Cloud Policy plus SharePoint/Purview controls
Agents	Full	Managed through the Agents control plane and related agent settings

Governance Levels

Baseline

Assign Copilot administration to designated AI Administrators
Document current Copilot settings across Copilot > Overview, Copilot > Settings, Agents, and Cloud Policy
Review self-service purchase and PAYG status before broad rollout
Require documented approval before enabling Copilot for new populations or feature sets
Maintain a current inventory of agent access, Copilot Pages policy scope, and tenant-level Copilot availability

Implement segregation of duties so approval and implementation are not performed by the same person
Use group-scoped access for Copilot, agents, PAYG, and Copilot Pages policy decisions
Review Copilot settings monthly and compare against the approved baseline
Monitor Copilot and agent configuration changes through audit searches and governance reporting
Include Cloud Policy and billing policy decisions in the same change register as Copilot settings

Regulated

Require dual approval (technology + compliance) for new Copilot features, agent availability changes, or metered billing enablement
Restrict Copilot administration with PIM or equivalent time-bound privilege activation
Preserve configuration evidence and approval records for examination-ready retention periods
Include Copilot administration in SOX ITGC or equivalent control testing where relevant
Maintain a documented exception register for any setting that deviates from the approved baseline

Setup & Configuration

Step 1: Review Copilot Overview

Navigate to M365 Admin Center > Copilot > Overview and capture:

readiness and adoption indicators
recommended actions
security links to Purview and related controls
evidence of which governance team members review this dashboard

Step 2: Review Copilot Settings

Navigate to M365 Admin Center > Copilot > Settings and review the current settings model:

User access
Data access
Copilot actions
Other settings

Document which settings are enabled, who approved them, and which user groups are affected.

Step 3: Review Agent Governance Settings

Navigate to M365 Admin Center > Agents > Settings and confirm:

allowed agent types
sharing configuration
user access scope
any templates or defaults applied to agent publication workflows

Step 4: Review Copilot Pages / Notebooks Policy

Navigate to https://config.office.com > Customization > Policy Management and document:

whether Create and view Copilot Pages and Copilot Notebooks is enabled
whether code previews are enabled
which users or groups the policy targets

Step 5: Review Billing and Self-Service Controls

Review:

Settings > Org settings > Self-service trials and purchases
Billing > Pay-as-you-go services
Cost Management

Document whether self-service purchases are blocked and whether any PAYG billing policies are active.

Step 6: Review Baseline Security Mode

Navigate to M365 Admin Center > Settings > Org settings > Security & privacy and confirm how Baseline Security Mode is being used as a complementary foundation for Copilot governance.

Financial Sector Considerations

Broker-dealers: Changes to Copilot access, web search, agents, or Pages should be evaluated alongside supervision, communication review, and books-and-records obligations before broad rollout.

Banking institutions: Copilot administration should be reflected in enterprise technology governance and change control records, especially where agent access or metered billing introduces new operational risk.

SOX-reporting entities: If Copilot is used in finance, reporting, or control-support workflows, configuration evidence and approval records should be retained in a form that supports internal and external audit review.

Privacy-sensitive environments: Read-only review roles such as Global Reader help governance teams collect evidence without granting unnecessary ability to change settings.

Verification Criteria

#	Verification Step	Expected Result
1	Access Copilot overview	Dashboard accessible to designated admins and reviewers
2	Review Copilot settings tabs	Settings documented across User access, Data access, Copilot actions, and Other settings
3	Verify role assignments	AI Administrator used as primary admin role; broader roles limited appropriately
4	Review agent settings	Allowed types, sharing, and user access reflect approved policy
5	Review Cloud Policy scope	Copilot Pages / Notebooks policy matches intended user population
6	Review billing controls	Self-service purchases and PAYG status are documented and approved
7	Search audit logs for recent changes	Changes have corresponding approvals and evidence
8	Confirm baseline review cadence	Governance team has a documented review frequency