Month: July 2025

Unlocking the Power of Microsoft Loop: Overcoming Limitations with External Users

Video URL = https://www.youtube.com/watch?v=YQym9vUc684

Hey everyone! In this video, I dive deep into the world of Microsoft Loop and explore its capabilities within Microsoft Teams. I’ll show you how to seamlessly integrate Loop components into your workflow and highlight some of the challenges faced when working with external Azure B2B users. You’ll learn practical tips on how to navigate these limitations and ensure your team can access and collaborate effectively. Whether you’re a creator or an external user, this video will provide valuable insights to enhance your Microsoft Loop experience. Don’t miss out on these essential strategies to optimize your team’s productivity!

Impact of Microsoft 365 Copilot Licensing on Copilot Studio Agent Responses in Microsoft Teams

bp1

 

Executive Summary

The deployment of Copilot Studio agents within Microsoft Teams introduces a nuanced dynamic concerning data access and response completeness, particularly when interacting with users holding varying Microsoft 365 Copilot licenses. This report provides a comprehensive analysis of these interactions, focusing on the differential access to work data and the agent’s notification behavior regarding partial answers.

A primary finding is that a user possessing a Microsoft 365 Copilot license will indeed receive more comprehensive and contextually relevant responses from a Copilot Studio agent. This enhanced completeness is directly attributable to Microsoft 365 Copilot’s inherent capability to leverage the Microsoft Graph, enabling access to a user’s authorized organizational data, including content from SharePoint, OneDrive, and Exchange.1 Conversely, users without this license will experience limitations in accessing such personalized work data, resulting in responses that are less complete, more generic, or exclusively derived from publicly available information or pre-defined knowledge sources.3

A critical observation is that Copilot Studio agents are not designed to explicitly notify users when a response is partial or incomplete due to licensing constraints or insufficient data access permissions. Instead, the agent’s operational model involves silently omitting any content from knowledge sources that the querying user is not authorized to access.4 In situations where the agent cannot retrieve pertinent information, it typically defaults to generic fallback messages, such as “I’m sorry. I’m not sure how to help with that. Can you try rephrasing?”.5 This absence of explicit, context-specific notification poses a notable challenge for managing user expectations and ensuring a transparent user experience.

Furthermore, while it is technically feasible to make Copilot Studio agents accessible to users without a full Microsoft 365 Copilot license, interactions that involve accessing shared tenant data (e.g., content from SharePoint or via Copilot connectors) will incur metered consumption charges. These charges are typically billed through Copilot Studio’s pay-as-you-go model.3 In stark contrast, users with a Microsoft 365 Copilot license benefit from “zero-rated usage” for these types of interactions when conducted within Microsoft 365 services, eliminating additional costs for accessing internal organizational data.6 These findings underscore the importance of strategic licensing, robust governance, and clear user communication for effective AI agent deployment.

Introduction

The integration of artificial intelligence (AI) agents into enterprise workflows is rapidly transforming how organizations operate, particularly within collaborative platforms like Microsoft Teams. Platforms such as Microsoft Copilot Studio empower businesses to develop and deploy intelligent conversational agents that enhance employee productivity, streamline information retrieval, and automate routine tasks. As these AI capabilities become increasingly central to organizational efficiency, a thorough understanding of their operational characteristics, especially concerning data interaction and user experience, becomes paramount.

This report is specifically designed to provide a definitive and comprehensive analysis of how Copilot Studio agents behave when deployed within Microsoft Teams. The central inquiry revolves around the impact of varying Microsoft 365 Copilot licensing statuses on an agent’s ability to access and utilize enterprise work data. A key objective is to clarify whether a licensed user receives a more complete response compared to a non-licensed user and, crucially, if the agent provides any notification when a response is partial due to data access limitations. This detailed examination aims to equip IT administrators and decision-makers with the necessary insights for strategic planning, deployment, and governance of AI solutions within their enterprise environments.

Understanding Copilot Studio Agents and Data Grounding

Microsoft Copilot Studio is a robust, low-code graphical tool engineered for the creation of sophisticated conversational AI agents and their underlying automated processes, known as agent flows.7 These agents are highly adaptable, capable of interacting with users across numerous digital channels, with Microsoft Teams being a prominent deployment environment.7 Beyond simple question-and-answer functionalities, these agents can be configured to execute complex tasks, address common organizational inquiries, and significantly enhance productivity by integrating with diverse data sources. This integration is facilitated through a range of prebuilt connectors or custom plugins, allowing for tailored access to specific datasets.7 A notable capability of Copilot Studio agents is their ability to extend the functionalities of Microsoft 365 Copilot, enabling the delivery of customized responses and actions that are deeply rooted in specific enterprise data and scenarios.7

How Agents Access Data: The Principle of User-Based Permissions and the Role of Microsoft Graph

A fundamental principle governing how Copilot agents, including those developed within Copilot Studio and deployed through Microsoft 365 Copilot, access information is their strict adherence to the end-user’s existing permissions. This means that the agent operates within the security context of the individual user who is interacting with it.4 Consequently, the agent will only retrieve and present data that the user initiating the query is explicitly authorized to access.1 This design choice is a deliberate architectural decision to embed security and data privacy at the core of the Copilot framework, ensuring that the system is engineered to prevent unauthorized data access by design, leveraging existing Microsoft 365 security models. This robust, security-by-design approach significantly mitigates the critical risk of unintended data exfiltration, a paramount concern for enterprises adopting AI solutions. For IT administrators, this implies a reliance on established Microsoft 365 permission structures for data security when deploying Copilot Studio agents, rather than needing to implement entirely new, AI-specific permission layers for content accessed via the Microsoft Graph. This establishes a strong foundation of trust in the platform’s ability to handle sensitive organizational data.

Microsoft 365 Copilot achieves this secure data grounding by leveraging the Microsoft Graph, which acts as the gateway to a user’s personalized work data. This encompasses a broad spectrum of information, including emails, chat histories, and documents stored within the Microsoft 365 ecosystem.1 This grounding mechanism ensures that organizational data boundaries, security protocols, compliance requirements, and privacy standards are meticulously preserved throughout the interaction.1 The agent respects the end user’s information and sensitivity privileges, meaning if the user lacks access to a particular knowledge source, the agent will not include content from it when generating a response.4

Distinction between Public/Web Data and Enterprise Work Data

Copilot Studio agents can be configured to draw knowledge from publicly available websites, serving as a broad knowledge base.10 When web search is enabled, the agent can fetch information from services like Bing, thereby enhancing the quality and breadth of responses grounded in public web content.11 This allows agents to provide general information or answers based on external, non-proprietary sources.

In contrast, enterprise work data, which includes sensitive and proprietary information residing in SharePoint, OneDrive, and Exchange, is accessed exclusively through the Microsoft Graph. Access to this internal data is strictly governed by the individual user’s explicit permissions, creating a clear delineation between publicly available information and internal organizational knowledge.1 This distinction is fundamental to understanding the varying levels of response completeness based on licensing. The agent’s ability to access and synthesize information from these disparate sources is contingent upon the user’s permissions and, as will be discussed, their specific Microsoft 365 Copilot licensing.

Impact of Microsoft 365 Copilot Licensing on Agent Responses

The licensing structure for Microsoft Copilot profoundly influences the depth and completeness of responses provided by Copilot Studio agents, particularly when those agents are designed to interact with an organization’s internal data.

Licensed User Experience: Comprehensive Access to Work Data

Users who possess a Microsoft 365 Copilot license gain access to a fully integrated AI-powered productivity tool. This tool seamlessly combines large language models with the user’s existing data within the Microsoft Graph and across various Microsoft 365 applications, including Word, Excel, PowerPoint, Outlook, and Teams.1 This deep integration is the cornerstone for delivering highly personalized and comprehensive responses, directly grounded in the user’s work emails, chat histories, and documents.1 The system is designed to provide real-time intelligent assistance, enhancing creativity, productivity, and skills.9

Furthermore, the Microsoft 365 Copilot license encompasses the usage rights for agents developed in Copilot Studio when deployed within Microsoft 365 products such as Microsoft Teams, SharePoint, and Microsoft 365 Copilot Chat. Crucially, interactions involving classic answers, generative answers, or tenant Microsoft Graph grounding for these licensed users are designated as “zero-rated usage”.6 This means that these specific types of interactions do not incur additional charges against Copilot Studio message meters or message packs. This comprehensive inclusion allows licensed users to fully harness the potential of these agents for retrieving information from their authorized internal data sources without incurring unexpected consumption costs. The Microsoft 365 Copilot license therefore functions not just as a feature unlocker but also as a significant cost-efficiency mechanism, particularly for high-frequency interactions with internal enterprise data. Organizations with a substantial user base expected to frequently interact with internal data via Copilot Studio agents should conduct a thorough Total Cost of Ownership (TCO) analysis, as the perceived higher per-user cost of a Microsoft 365 Copilot license might be strategically offset by avoiding unpredictable and potentially substantial pay-as-you-go charges.

Non-Licensed User Experience: Limitations in Accessing Work Data

Users who do not possess the Microsoft 365 Copilot add-on license will not benefit from the same deep, integrated access to their personalized work data via the Microsoft Graph. While these users may still be able to interact with Copilot Studio agents (particularly if the agent’s knowledge base relies on public information or pre-defined, non-Graph-dependent instructions), their capacity to receive responses comprehensively grounded in their specific enterprise work data is significantly restricted.3 This establishes a tiered system for data access within the Copilot ecosystem, where the richness and completeness of an agent’s response are directly linked to the user’s individual licensing status and their underlying data access rights within the organization.

A critical distinction arises for users who have an eligible Microsoft 365 subscription but lack the full Copilot add-on, often categorized as “Microsoft 365 Copilot Chat” users. If such a user interacts with an agent that accesses shared tenant data (e.g., content from SharePoint or through Copilot connectors), these interactions will trigger metered consumption charges, which are tracked via Copilot Studio meters.3 This transforms a functional limitation (less complete answers) into a direct financial consequence. The ability to access some internal data comes at a per-message cost. This means organizations must meticulously evaluate the financial implications of deploying agents to a mixed-license user base. If non-licensed users frequently query internal data via these agents, the cumulative pay-as-you-go (PAYG) charges could become substantial and unpredictable, making the “partial answer” scenario potentially a “costly answer” scenario.

Agents that exclusively draw information from instructions or public websites, however, do not incur these additional costs for any user.3 For individuals with no Copilot license or even a foundational Microsoft 365 subscription, access to Copilot features and its extensibility options, including agents leveraging M365 data, may not be guaranteed or might be entirely unavailable.3 A potential point of user experience friction arises because an agent might appear discoverable or “addable” within the Teams interface, creating an expectation of full functionality, even if the underlying licensing restricts its actual utility for that user.8 This discrepancy between apparent availability and actual capability can lead to significant user frustration and an increase in support requests.

The following table summarizes the comparative data access and cost implications across different license types:

Comparative Data Access and Cost by License Type
License Type Access to Personalized Work Data (Microsoft Graph) Access to Shared Tenant Data (SharePoint, Connectors) Access to Public/Instruction-based Data Additional Usage Charges for Agent Interactions Response Completeness (Relative)
Microsoft 365 Copilot (Add-on) Comprehensive Comprehensive (Zero-rated) Yes No High (rich, contextually grounded)
Microsoft 365 Copilot Chat (Included w/ eligible M365) Limited/No Yes (Metered charges apply via Copilot Studio meters) Yes Yes (for shared tenant data interactions) Moderate (limited by work data access)
No Copilot License/No M365 Subscription No Not guaranteed/No Yes (if agent accessible) N/A (likely no access) Low (limited to public/instructional data)

Agent Behavior Regarding Partial Answers and Notifications

A critical aspect of user experience with AI agents is how they communicate limitations or incompleteness in their responses. The analysis reveals specific behaviors of Copilot Studio agents in this regard.

Absence of Explicit Partial Answer Notifications

The available information consistently indicates that Copilot Studio agents are not designed to provide explicit notifications to users when a response is partial or incomplete due to the user’s lack of permissions to access underlying knowledge sources.4 Instead, the agent’s operational model dictates that it simply omits any content that the querying user is not authorized to access. This means the user receives a response that is, by design, incomplete from the perspective of the agent’s full knowledge base, but without any direct indication of this omission.

This design choice is a deliberate trade-off, prioritizing stringent data security and privacy protocols. It ensures that the agent never inadvertently reveals the existence of restricted information or the specific reason for its omission to an unauthorized user, thereby preventing potential information leakage or inference attacks. However, this creates a significant information asymmetry: end-users are left unaware of why an answer might be incomplete or why the agent could not fully address their query. They lack the context to understand if the limitation stems from a permission issue, a limitation of the agent’s knowledge, or a technical fault. This places a substantial burden on IT administrators and agent owners to proactively manage user expectations. Without transparent communication regarding the scope and limitations of agents for different user profiles, users may perceive the agent as unreliable, inconsistent, or broken, potentially leading to decreased adoption rates and an increase in support requests.

Generic Error Messages and Implicit Limitations

When a Copilot Studio agent encounters a scenario where it cannot fulfill a query comprehensively, whether due to inaccessible data, a lack of relevant information in its knowledge sources, or other technical issues, it typically defaults to generic, non-specific responses. A common example cited is “I’m sorry. I’m not sure how to help with that. Can you try rephrasing?”.5 Crucially, this message does not explicitly attribute the inability to provide a full answer to licensing limitations or specific data access permissions.

Other forms of service denial can manifest if the agent’s underlying capacity limits are reached. For instance, an agent might display a message stating, “This agent is currently unavailable. It has reached its usage limit. Please try again later”.12 While this is a clear notification of service unavailability, it pertains to a broader capacity issue rather than the specific scenario of partial data due to user permissions. When an agent responds with vague messages in situations where the underlying cause is a data access limitation, the actual reason for the failure remains opaque to the user. This effectively turns the agent’s decision-making and data retrieval process into a “black box” from the end-user’s perspective regarding data access. This lack of transparency directly hinders effective user interaction and self-service, as users cannot intelligently rephrase their questions, understand if they need a different license, or determine if they should seek information elsewhere.

Information for Makers/Admins vs. End-User Experience

Copilot Studio provides robust analytics capabilities designed for agent makers and administrators to monitor and assess agent performance.13 These analytics offer valuable insights into the quality of generative answers, capable of identifying responses that are “incomplete, irrelevant, or not fully grounded”.13 This diagnostic information is crucial for the continuous improvement of the agent.

However, a key distinction is that these analytics results are strictly confined to the administrative and development interfaces; “Users of agents don’t see analytics results; they’re available to agent makers and admins only”.13 This means that while administrators can discern

why an agent might be providing incomplete answers (e.g., due to data access issues), this critical diagnostic information is not conveyed to the end-user. This reinforces the need for clear guidance on what types of questions agents can answer for different user profiles and what data sources they are grounded in.

Licensing and Cost Implications for Agent Usage

Understanding the licensing models for Copilot Studio and Microsoft 365 Copilot is essential for managing the financial implications of deploying AI agents, especially in environments with diverse user licensing.

Overview of Copilot Studio Licensing Models

Microsoft Copilot Studio offers a flexible licensing framework comprising three primary models: Pay-as-you-go, Message Packs, and inclusion within the Microsoft 365 Copilot license.6 The Pay-as-you-go model provides highly flexible consumption-based billing at $0.01 per message, requiring no upfront commitment and allowing organizations to scale usage dynamically based on actual consumption.6 Alternatively, Message Packs offer a prepaid capacity, with a standard pack providing 25,000 messages per month for $200.6 For additional capacity beyond message packs, organizations are recommended to sign up for pay-as-you-go to ensure business continuity.6

Significantly, the Microsoft 365 Copilot license, an add-on priced at $30 per user per month, includes the usage rights for Copilot Studio agents when utilized within core Microsoft 365 products such as Teams, SharePoint, and Copilot Chat. Crucially, interactions involving classic answers, generative answers, or tenant Microsoft Graph grounding for these licensed users are “zero-rated,” meaning they do not consume from Copilot Studio message meters or incur additional charges.6 This provides a distinct cost advantage for organizations with a high number of Microsoft 365 Copilot licensed users.

It is important to differentiate between a Copilot Studio user license (which is free of charge) and the Microsoft 365 Copilot license. The free Copilot Studio user license is primarily for individuals who need access to create and manage agents.14 This does not imply free

consumption of agent responses for all users, particularly when those agents interact with enterprise data. This distinction is vital for IT administrators to communicate clearly within their organizations to prevent false expectations about “free” AI agent usage and potentially unexpected costs or functional limitations for end-users.

Discussion of Metered Charges for Non-Licensed Users Accessing Shared Tenant Data

While a dedicated Copilot Studio user license is primarily for authoring and managing agents 14 and not strictly required for interacting with a published agent, the user’s Microsoft 365 Copilot license status profoundly impacts the cost structure when the agent accesses shared tenant data.3 For users who possess an eligible Microsoft 365 subscription but do not have the Microsoft 365 Copilot add-on (i.e., those utilizing “Microsoft 365 Copilot Chat”), interactions with agents that retrieve information grounded in shared tenant data (such as SharePoint content or data via Copilot connectors) will trigger metered consumption charges. These charges are tracked and billed based on Copilot Studio meters.3 This is explicitly stated: “If people that the agent is shared with are not licensed with a Microsoft 365 Copilot license, they will start consuming on a PAYG subscription per message they receive from the agent”.8 Conversely, agents that rely exclusively on pre-defined instructions or publicly available website content do not incur these additional costs for any user, regardless of their Copilot license status.3

A significant governance concern arises when users share agents. If users share their agent with SharePoint content attached to it, the system may propose to “break the SharePoint permission on the assets attached and share the SharePoint resources directly with the audience group”.8 When combined with the metered PAYG model for non-licensed users accessing shared tenant data, this creates a potent dual risk. A well-meaning but uninformed user could inadvertently share an agent linked to sensitive internal data with a broad audience, potentially circumventing existing SharePoint permissions and exposing data, while simultaneously triggering unexpected and significant metered charges for those non-licensed users who then interact with the agent. This highlights a severe governance vulnerability, despite Microsoft’s statement that “security fears are gone” due to access inheritance.8 The acknowledgment of a “roadmap to address this security gap” 16 indicates that this remains an active area of concern for Microsoft.

Capacity Enforcement and Service Denial

Organizations must understand that Copilot Studio’s purchased capacity, particularly through message packs, is enforced on a monthly basis, and any unused messages do not roll over to the subsequent month.6 Should an organization’s actual usage exceed its purchased capacity, technical enforcement mechanisms will be triggered, which “might result in service denial”.6 This can manifest to the end-user as an agent becoming unavailable, accompanied by a message such as “This agent is currently unavailable. It has reached its usage limit. Please try again later”.12 This underscores the critical importance of proactive capacity management to ensure service continuity and avoid disruptions to user access.

The following table provides a detailed breakdown of Copilot Studio licensing and its associated usage cost implications:

License Type Primary Purpose Cost Model Agent Usage of Personalized Work Data (Microsoft Graph) Agent Usage of Shared Tenant Data (SharePoint, Connectors) Agent Usage of Public/Instructional Data Capacity Enforcement Target User Type
Microsoft 365 Copilot (Add-on) Full M365 Integration & AI $30/user/month (add-on) Zero-rated Zero-rated (for licensed user’s interactions) Zero-rated N/A (unlimited for licensed features) Frequent users of M365 apps
Microsoft 365 Copilot Chat (Included w/ eligible M365) Web-based Copilot Chat & limited work data access Included with M365 subscription N/A Metered charges apply (via Copilot Studio meters) No extra charges N/A (unlimited for web, metered for work) Occasional Copilot users
Copilot Studio Message Packs Pre-purchased message capacity for agents $200/tenant/month (25,000 messages) Consumes message packs Consumes message packs Consumes message packs Monthly enforcement (unused don’t carry over) Broad internal/external agent users
Copilot Studio Pay-as-you-go On-demand message capacity for agents $0.01/message Consumes PAYG Consumes PAYG Consumes PAYG Monthly enforcement (based on actual usage) Flexible/scalable agent users
Copilot Studio Licensing and Usage Cost Implications

Key Considerations for IT Administrators and Deployment

The complexities of licensing, data access, and agent behavior necessitate strategic planning and robust management by IT administrators to ensure successful deployment and optimal user experience.

Managing User Expectations Regarding Agent Capabilities Based on Licensing

Given the tiered data access model and the agent’s silent omission of inaccessible content, it is paramount for IT administrators to proactively and clearly communicate the precise capabilities and inherent limitations of Copilot Studio agents to different user groups, explicitly linking these to their licensing status. This communication strategy must encompass educating users on the types of questions agents can answer comprehensively (e.g., those based on public information or general, universally accessible company policies) versus those queries that necessitate a Microsoft 365 Copilot license for personalized, internal data grounding. Setting accurate expectations can significantly mitigate user frustration and enhance perceived agent utility.17

Strategies for Data Governance and Access Control for Copilot Studio Agents

It is crucial to continually reinforce and leverage the fundamental principle of user-based permissions for data access within the Copilot ecosystem.1 This means that existing security policies and permission structures within SharePoint, OneDrive, and the broader Microsoft Graph environment remain the authoritative control points. Organizations must implement and rigorously enforce Data Loss Prevention (DLP) policies within the Power Platform. These policies are vital for granularly controlling how Copilot Studio agents interact with external APIs and sensitive internal data.16 Administrators should also remain vigilant about the acknowledged “security gap” related to API plugins and monitor Microsoft’s roadmap for addressing these improvements.16

Careful management of agent sharing permissions is non-negotiable. Administrators must be acutely aware of the potential for agents to prompt users to “break permissions” on SharePoint content when sharing, which could inadvertently broaden data access beyond intended boundaries.4 Comprehensive training for agent creators on the implications of sharing agents linked to internal data sources is essential. Administrators possess granular control over agent availability and access within the Microsoft 365 admin center, allowing for precise deployment to “All users,” “No users,” or “Specific users or groups”.18 This administrative control point is critical for ensuring that agents are only discoverable and usable by their intended audience, aligning with organizational security policies.

Best Practices for Deploying Agents in Mixed-License Environments

To optimize agent deployment and user experience in environments with mixed licensing, several best practices are recommended:

  • Purpose-Driven Agent Design: Design agents with a clear understanding of their intended audience and the data sources they will access. For broad deployment across a mixed-license user base, prioritize agents primarily grounded in public information, general company FAQs, or non-sensitive, universally accessible internal data. For agents requiring personalized work data access, specifically target their deployment to Microsoft 365 Copilot licensed users.
  • Proactive Cost Monitoring: Establish robust mechanisms for actively monitoring Copilot Studio message consumption, particularly if non-licensed users are interacting with agents that access shared tenant data. This proactive monitoring is crucial for avoiding unexpected and potentially significant pay-as-you-go charges.6
  • Comprehensive User Training and Education: Develop and deliver comprehensive training programs that clearly outline the capabilities and limitations of AI agents, the direct impact of licensing on data access, and what users can realistically expect from agent interactions based on their specific access levels. This proactive education is key to mitigating user frustration stemming from partial answers.
  • Structured Admin Approval Workflows: Implement mandatory admin approval processes for the submission and deployment of all Copilot Studio agents, especially those configured to access internal organizational data. This ensures that agents are compliant with company policies, properly configured for data access, and thoroughly tested before broad release.17
  • Strategic Environment Management: Consider establishing separate Power Platform environments within the tenant for different categories of agents (e.g., internal-facing vs. external-facing, or agents with varying levels of data sensitivity). This strategy enhances governance, simplifies access control, and helps prevent unintended data interactions across different use cases.8 It is also important to ensure that the “publish Copilots with AI features” setting is enabled for makers building agents with generative AI capabilities.16

Conclusion

This report confirms that Microsoft 365 Copilot licensing directly and significantly impacts the completeness and richness of responses provided by Copilot Studio agents, primarily by governing a user’s access to personalized work data via the Microsoft Graph. Licensed users benefit from comprehensive, contextually grounded answers, while non-licensed users face inherent limitations in accessing this internal data.

A critical finding is the absence of explicit notifications from Copilot Studio agents when a response is partial or incomplete due to licensing constraints or insufficient data access permissions. The agent employs a “silent omission” mechanism. While this approach benefits security by preventing unauthorized disclosure of data existence, it creates an information asymmetry for the end-user, who receives an incomplete answer without explanation.

Furthermore, the analysis reveals significant cost implications: interactions by non-licensed users with agents that access shared tenant data will incur metered consumption charges, contrasting sharply with the “zero-rated usage” for Microsoft 365 Copilot licensed users. This highlights that licensing directly affects not only functionality but also operational expenditure.

To optimize agent deployment and user experience, the following recommendations are provided:

  • Proactive User Communication: Organizations must implement comprehensive communication strategies to clearly articulate the capabilities and limitations of AI agents based on user licensing. This includes setting realistic expectations for response completeness and data access to prevent frustration and build trust in the AI solutions.
  • Robust Data Governance: It is imperative to strengthen existing data governance frameworks, including Data Loss Prevention (DLP) policies within the Power Platform, and to meticulously manage agent sharing controls. This proactive approach is crucial for mitigating security risks and controlling unexpected costs in environments with mixed license types.
  • Strategic Licensing Evaluation: IT leaders should conduct a thorough total cost of ownership analysis to evaluate the long-term financial benefits of broader Microsoft 365 Copilot adoption for users who frequently require access to internal organizational data through AI agents. This analysis should weigh the upfront license costs against the unpredictable nature of pay-as-you-go charges that would otherwise accumulate.
  • Continuous Monitoring and Refinement: Leverage Copilot Studio’s built-in analytics to continuously monitor agent performance, identify instances of incomplete or ungrounded responses, and use these observations to refine agent configurations, optimize knowledge sources, and further enhance user education.
Works cited
  1. What is Microsoft 365 Copilot? | Microsoft Learn, accessed on July 3, 2025, https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-overview
  2. Retrieve grounding data using the Microsoft 365 Copilot Retrieval API, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-365-copilot/extensibility/api-reference/copilotroot-retrieval
  3. Licensing and Cost Considerations for Copilot Extensibility Options …, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-365-copilot/extensibility/cost-considerations
  4. Publish and Manage Copilot Studio Agent Builder Agents | Microsoft Learn, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-365-copilot/extensibility/copilot-studio-agent-builder-publish
  5. Agent accessed via Teams not able to access Sharepoint : r/copilotstudio – Reddit, accessed on July 3, 2025, https://www.reddit.com/r/copilotstudio/comments/1l1gm82/agent_accessed_via_teams_not_able_to_access/
  6. Copilot Studio licensing – Learn Microsoft, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/billing-licensing
  7. Overview – Microsoft Copilot Studio | Microsoft Learn, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/fundamentals-what-is-copilot-studio
  8. Copilot agents on enterprise level : r/microsoft_365_copilot – Reddit, accessed on July 3, 2025, https://www.reddit.com/r/microsoft_365_copilot/comments/1l7du4v/copilot_agents_on_enterprise_level/
  9. Microsoft 365 Copilot – Service Descriptions, accessed on July 3, 2025, https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/microsoft-365-copilot
  10. Quickstart: Create and deploy an agent – Microsoft Copilot Studio, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/fundamentals-get-started
  11. Data, privacy, and security for web search in Microsoft 365 Copilot and Microsoft 365 Copilot Chat | Microsoft Learn, accessed on July 3, 2025, https://learn.microsoft.com/en-us/copilot/microsoft-365/manage-public-web-access
  12. Understand error codes – Microsoft Copilot Studio, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/error-codes
  13. FAQ for analytics – Microsoft Copilot Studio, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/faqs-analytics
  14. Assign licenses and manage access to Copilot Studio – Learn Microsoft, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/requirements-licensing
  15. Access to agents in M365 Copilot Chat for all business users? : r/microsoft_365_copilot, accessed on July 3, 2025, https://www.reddit.com/r/microsoft_365_copilot/comments/1i3gu63/access_to_agents_in_m365_copilot_chat_for_all/
  16. A Microsoft 365 Administrator’s Beginner’s Guide to Copilot Studio, accessed on July 3, 2025, https://practical365.com/copilot-studio-beginner-guide/
  17. Connect and configure an agent for Teams and Microsoft 365 Copilot, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/publication-add-bot-to-microsoft-teams
  18. Manage agents for Microsoft 365 Copilot in the Microsoft 365 admin center, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-365/admin/manage/manage-copilot-agents-integrated-apps?view=o365-worldwide

The Critical Nature of Website Ownership Attestation in Microsoft Copilot Studio for Public Knowledge Sources

bp1

Executive Summary

The inquiry regarding the website ownership attestation in Microsoft Copilot Studio, specifically when adding public websites as knowledge sources, points to a profoundly real and critical concern for organizations. This attestation is not a mere procedural step but a pivotal declaration that directly impacts an organization’s legal liability, particularly concerning intellectual property rights and adherence to website terms of service.

The core understanding is that this attestation is intrinsically linked to how Copilot Studio agents leverage Bing to search and retrieve information from public websites designated as knowledge sources.1 Utilizing public websites that an organization does not own as knowledge sources, especially without explicit permission or a valid license, introduces substantial legal risks, including potential copyright infringement and breaches of contractual terms of service.3 A critical point of consideration is that while Microsoft offers a Customer Copyright Commitment (CCC) for Copilot Studio, this commitment explicitly excludes components powered by Bing.6 This exclusion places the full burden of compliance and associated legal responsibility squarely on the user. Therefore, organizations must implement robust internal policies, conduct thorough due diligence on external data sources, and effectively utilize Copilot Studio’s administrative controls, such as Data Loss Prevention (DLP) policies, to mitigate these significant risks.

1. Understanding Knowledge Sources in Microsoft Copilot Studio

Overview of Copilot Studio’s Generative AI Capabilities

Microsoft Copilot Studio offers a low-code, graphical interface designed for the creation of AI-powered agents, often referred to as copilots.7 These agents are engineered to facilitate interactions with both customers and employees across a diverse array of channels, including websites, mobile applications, and Microsoft Teams.7 Their primary function is to efficiently retrieve information, execute actions, and deliver pertinent insights by harnessing the power of large language models (LLMs) and advanced generative AI capabilities.1

The versatility of these agents is enhanced by their ability to integrate various knowledge sources. These sources can encompass internal enterprise data from platforms such as Power Platform, Dynamics 365, SharePoint, and Dataverse, as well as uploaded proprietary files.1 Crucially, Copilot Studio agents can also draw information from external systems, including public websites.1 The generative answers feature within Copilot Studio is designed to serve as either a primary information retrieval mechanism or as a fallback option when predefined topics are unable to address a user’s query.1

The Role of Public Websites as Knowledge Sources

Public websites represent a key external knowledge source type supported within Copilot Studio, enabling agents to search and present information derived from specific, designated URLs.1 When a user configures a public website as a knowledge source, they are required to provide the URL, a descriptive name, and a detailed description.2

For these designated public websites, Copilot Studio employs Bing to conduct searches based on user queries, ensuring that results are exclusively returned from the specified URLs.1 This targeted search functionality operates concurrently with a broader “Web Search” capability, which, if enabled, queries all public websites indexed by Bing.1 This dual search mechanism presents a significant consideration for risk exposure. Even if an organization meticulously selects and attests to owning a particular public website as a knowledge source, the agent’s responses may still be influenced by, or draw information from, other public websites not explicitly owned by the organization. This occurs if the general “Web Search” or “Allow the AI to use its own general knowledge” settings are active within Copilot Studio.1 This expands the potential surface for legal and compliance risks, as the agent’s grounding is not exclusively confined to the explicitly provided and attested URLs. Organizations must therefore maintain a keen awareness of these broader generative AI settings and manage them carefully to control the scope of external data access.

Knowledge Source Management and Prioritization

Copilot Studio offers functionalities for organizing and prioritizing knowledge sources, with a general recommendation to prioritize internal documents over public URLs due to their inherent reliability and the greater control an organization has over their content.11 A notable feature is the ability to designate a knowledge source as “official”.1 This designation is applied to sources that have undergone a stringent verification process and are considered highly trustworthy, implying that their content can be used directly by the agent without further validation.

This “Official source” flag is more than a mere functional tag; it functions as a de facto internal signal for trust and compliance. By marking a source as “official,” an organization implicitly certifies the accuracy, reliability, and, critically, the legal usability of its content. Conversely, refraining from marking a non-owned public website as official should serve as an indicator of higher inherent risk, necessitating increased caution and rigorous verification of the agent’s outputs. This feature can and should be integrated into an organization’s broader data governance framework, providing a clear indicator to all stakeholders regarding the vetting status of external information.

2. The “Website Ownership Attestation”: A Critical Requirement

Purpose of the Attestation

When incorporating a public website as a knowledge source within Copilot Studio, users encounter an explicit prompt requesting confirmation of their organization’s ownership of the website.1 Microsoft states that enabling this option “allows Copilot Studio to access additional information from the website to return better answers”.2 This statement suggests that the attestation serves as a mechanism to unlock enhanced indexing or deeper data processing capabilities that extend beyond standard public web crawling.

The attestation thus serves a dual purpose: it acts as a legal declaration that transfers the burden of compliance directly to the user, and it functions as a technical gateway. By attesting to ownership, the user implicitly grants Microsoft, and its underlying services such as Bing, permission to perform more extensive data access and processing on that specific website. Misrepresenting ownership in this context could lead to direct legal action from the actual website owner for unauthorized access or use. Furthermore, such misrepresentation could constitute a breach of Microsoft’s terms of service, potentially affecting the user’s access to Copilot Studio services.

Why Microsoft Requires this Confirmation

Microsoft’s approach to data sourcing for its general Copilot models demonstrates a cautious stance towards public data, explicitly excluding sources that are behind paywalls, violate policies, or have implemented opt-out mechanisms.12 This practice underscores Microsoft’s awareness of and proactive efforts to mitigate legal risks associated with public data.

For Copilot Studio, Microsoft clearly defines the scope of responsibility. It states that “Any agent you create using Microsoft Copilot Studio is your own product or service, separate and apart from Microsoft Copilot Studio. You are solely responsible for the design, development, and implementation of your agent”.7 This foundational principle is further reinforced by Microsoft’s general Terms of Use for its AI services, which explicitly state: “You are solely responsible for responding to any third-party claims regarding your use of the AI services in compliance with applicable laws (including, but not limited to, copyright infringement or other claims relating to content output during your use of the AI services)”.13 This legal clause directly mandates the user’s responsibility and forms the underlying rationale for the attestation requirement.

The website ownership attestation is a concrete manifestation of Microsoft’s shared responsibility model for AI. While Microsoft provides the secure platform and powerful generative AI capabilities, the customer assumes primary responsibility for the legality and compliance of the data they feed into their custom agents and the content those agents generate. This is a critical distinction from Microsoft’s broader Copilot offerings, where Microsoft manages the underlying data sourcing. For Copilot Studio users, the attestation serves as a clear legal acknowledgment of this transferred responsibility, making due diligence on external knowledge sources paramount.

3. Legal and Compliance Implications of Using Public Websites

3.1. Intellectual Property Rights and AI
 
Copyright Infringement Risks

Generative AI models derive their capabilities from processing vast quantities of data, which frequently includes copyrighted materials such as text, images, and articles scraped from the internet.4 The entire lifecycle of developing and deploying generative AI systems—encompassing data collection, curation, training, and output generation—can, in many instances, constitute a

prima facie infringement of copyright owners’ exclusive rights, particularly the rights of reproduction and to create derivative works.3

A significant concern arises when AI-generated outputs exhibit “substantial similarity” to the original training data inputs. In such cases, there is a strong argument that the model’s internal “weights” themselves may infringe upon the rights of the original works.3 The use of copyrighted material without obtaining the necessary licenses or explicit permissions can lead to costly lawsuits and substantial financial penalties for the infringing party.5 The legal risk extends beyond the initial act of ingesting data; it encompasses the potential for the AI agent to “memorize” and subsequently reproduce copyrighted content in its responses, leading to downstream infringement. The “black box” nature of large language models makes it challenging to trace the precise provenance of every output, placing a significant burden on the user to implement robust output monitoring and content moderation 6 to mitigate this complex risk effectively.

The “Fair Use” and “Text and Data Mining” Exceptions

The legal framework governing AI training on scraped data is complex and varies considerably across different jurisdictions.4 For instance, the United States recognizes a “fair use” exception to copyright law, while the European Union (EU) employs a “text and data mining” (TDM) exception.4

The United States Copyright Office (USCO) has issued a report that critically assesses common arguments for fair use in the context of AI training.3 This report explicitly states that using copyrighted works to train AI models is generally

not considered inherently transformative, as these models “absorb the essence of linguistic expression.” Furthermore, the report rejects the analogy of AI training to human learning, noting that AI systems often create “perfect copies” of data, unlike the imperfect impressions retained by humans. The USCO report also highlights that knowingly utilizing pirated or illegally accessed works as training data will weigh against a fair-use defense, though it may not be determinative.3

Relying on “fair use” as a blanket defense for using non-owned public websites as AI knowledge sources is becoming increasingly precarious. The USCO’s report significantly weakens this argument, indicating that even publicly accessible content is likely copyrighted, and its use for commercial AI training is not automatically protected. The global reach of Copilot Studio agents means that an agent trained in one jurisdiction might interact with users or data subject to different, potentially stricter, intellectual property laws, creating a complex jurisdictional landscape that necessitates a conservative legal interpretation and, ideally, explicit permissions.

Table: Key Intellectual Property Risks in AI Training
Risk Category Description in AI Context Relevance to Public Websites in Copilot Studio Key Sources
Copyright Infringement AI models trained on copyrighted material may reproduce or create derivative works substantially similar to the original, leading to claims of unauthorized copying. High. Content on most public websites is copyrighted. Using it for AI training without permission risks infringement of reproduction and derivative work rights. 3
Terms of Service (ToS) Violation Automated scraping or use of website content for AI training may violate a website’s ToS, which are legally binding contracts. High. Many public websites explicitly prohibit web scraping or commercial use of their content in their ToS. 4
Right of Publicity/Misuse of Name, Image, Likeness (NIL) AI output generating or using individuals’ names, images, or likenesses without consent, particularly in commercial contexts. Moderate. Public websites may contain personal data, images, or likenesses, the use of which by an AI agent could violate NIL rights. 4
Database Rights Infringement of sui generis database rights (e.g., in the EU) that protect the investment in compiling and presenting data, even if individual elements are not copyrighted. Moderate. If the public website is structured as a database, its use for AI training could infringe upon these specific rights in certain jurisdictions. 4
Trademarks AI generating content that infringes upon existing trademarks, such as logos or brand names, from training data. Low to Moderate. While less direct, an AI agent could inadvertently generate trademark-infringing content if trained on branded material. 4
Trade Secrets AI inadvertently learning or reproducing proprietary information that constitutes a trade secret from publicly accessible but sensitive content. Low. Public websites are less likely to contain trade secrets, but if they do, their use by AI could lead to misappropriation claims. 4
3.2. Terms of Service (ToS) and Acceptable Use Policies
Violations from Unauthorized Data Use

Website Terms of Service (ToS) and End User License Agreements (EULAs) are legally binding contracts that govern how data from a particular site may be accessed, scraped, or otherwise utilized.4 These agreements often include specific provisions detailing permitted uses, attribution requirements, and liability allocations.4

A considerable number of public websites expressly prohibit automated data extraction, commonly known as “web scraping,” within their ToS. Microsoft’s own general Terms of Use, for example, explicitly forbid “web scraping, web harvesting, or web data extraction methods to extract data from the AI services”.13 This position establishes a clear precedent for their stance on unauthorized automated data access and underscores the importance of respecting similar prohibitions on other websites. The legal risks extend beyond statutory copyright law to contractual obligations established by a website’s ToS. Violating these terms can lead to breach of contract claims, which are distinct from, and can occur independently of, copyright infringement. Therefore, using a public website as a knowledge source without explicit permission or a clear license, particularly if it involves automated data extraction by Copilot Studio’s underlying Bing functionality, is highly likely to constitute a breach of that website’s ToS. This means organizations must conduct a meticulous review of the ToS for

every public website they intend to use, as a ToS violation can lead to direct legal action, website blocking, and reputational damage.

Implications of Using Content Against a Website’s ToS

Breaching a website’s Terms of Service can result in a range of adverse consequences, including legal action for breach of contract, the issuance of injunctions to cease unauthorized activity, and the blocking of future access to the website.

Furthermore, if content obtained in violation of a website’s ToS is subsequently used to train a Copilot Studio agent, and that agent’s output then leads to intellectual property infringement or further ToS violations, the Copilot Studio user is explicitly held “solely responsible” for any third-party claims.7 The common assumption that “public websites” are freely usable for any purpose is a misconception. The research consistently contradicts this, emphasizing copyright and ToS restrictions.3 The term “public website” in this context merely signifies accessibility, not a blanket license for its content’s use. For AI training and knowledge sourcing, organizations must abandon the assumption of free use and adopt a rigorous due diligence process. This involves not only understanding copyright implications but also meticulously reviewing the terms of service, privacy policies, and any explicit licensing information for every external URL. Failure to do so exposes the organization to significant and avoidable legal liabilities, as the attestation transfers this burden directly to the customer.

4. Microsoft’s Stance and Customer Protections

4.1. Microsoft’s Customer Copyright Commitment (CCC)
 
Scope of Protection for Copilot Studio

Effective June 1, 2025, Microsoft Copilot Studio has been designated as a “Covered Product” under Microsoft’s Customer Copyright Commitment (CCC).6 This commitment signifies that Microsoft will undertake the defense of customers against third-party copyright claims specifically related to content

generated by Copilot Studio agents.6 The protection generally extends to agents constructed using configurable Metaprompts or other safety systems, and features powered by Azure OpenAI within Microsoft Power Platform Core Services.6

Exclusions and Critical Limitations

Crucially, components powered by Bing, such as web search capabilities, are explicitly excluded from the scope of the Customer Copyright Commitment and are instead governed by Bing’s own terms.6 This “Bing exclusion” represents a significant gap in indemnification for public websites. The attestation for public websites is inextricably linked to Bing’s search functionality within Copilot Studio.1 Because Bing-powered components are

excluded from Microsoft’s Customer Copyright Commitment, any copyright claims arising from the use of non-owned public websites as knowledge sources are highly unlikely to be covered by Microsoft’s indemnification. This means that despite the broader CCC for Copilot Studio, the legal risk for content sourced from public websites not owned by the organization, via Bing search, remains squarely with the customer. The attestation serves as a clear acknowledgment of this specific risk transfer.

Required Mitigations for CCC Coverage (where applicable)

To qualify for CCC protection, for the covered components of Copilot Studio, customers are mandated to implement specific safeguards outlined by Microsoft.6 These mandatory mitigations include robust content filtering to prevent the generation of harmful or inappropriate content, adherence to prompt safety guidelines that involve designing prompts to reduce the risk of generating infringing material, and diligent output monitoring, which entails reviewing and managing the content generated by agents.6 Customers are afforded a six-month period to implement any new mitigations that Microsoft may introduce.6 These required mitigations are not merely suggestions; they are contractual prerequisites for receiving Microsoft’s copyright indemnification. For organizations, this necessitates a significant investment in robust internal processes for prompt engineering, content moderation, and continuous output review. Even for components

not covered by the CCC (such as Bing-powered public website search), these mitigations represent essential best practices for responsible AI use. Implementing them can significantly reduce general legal exposure and demonstrate due diligence, regardless of direct indemnification.

Table: Microsoft’s Customer Copyright Commitment (CCC) for Copilot Studio – Scope and Limitations
Copilot Studio Component/Feature CCC Coverage Conditions/Exclusions Key Sources
Agents built with configurable Metaprompts/Safety Systems Yes Customer must implement required mitigations (content filtering, prompt safety, output monitoring). 6
Features powered by Azure OpenAI within Microsoft Power Platform Core Services Yes Customer must implement required mitigations (content filtering, prompt safety, output monitoring). 6
Bing-powered components (e.g., Public Website Knowledge Sources) No Explicitly excluded; follows Bing’s own terms. 6
4.2. Your Responsibilities as a Copilot Studio User
Adherence to Microsoft’s Acceptable Use Policy

Users of Copilot Studio are bound by Microsoft’s acceptable use policies, which strictly prohibit any illegal, fraudulent, abusive, or harmful activities.15 This explicitly includes the imperative to respect the intellectual property rights and privacy rights of others, and to refrain from using Copilot to infringe, misappropriate, or violate such rights.15 Microsoft’s general Terms of Use further reinforce this by prohibiting users from employing web scraping or data extraction methods to extract data from

Microsoft’s own AI services 13, a principle that extends to respecting the terms of other websites.

Importance of Data Governance and Data Loss Prevention (DLP) Policies

Administrators possess significant granular and tenant-level governance controls over custom agents within Copilot Studio, accessible through the Power Platform admin center.16 Data Loss Prevention (DLP) policies serve as a cornerstone of this governance framework, enabling administrators to control precisely how agents connect with and interact with various data sources and services, including public URLs designated as knowledge sources.16

Administrators can configure DLP policies to either enable or disable specific knowledge sources, such as public websites, at both the environment and tenant levels.16 These policies can also be used to block specific channels, thereby preventing agent publishing.16 DLP policies are not merely a technical feature; they are a critical organizational compliance shield. They empower administrators to enforce internal legal and ethical standards, preventing individual “makers” from inadvertently or intentionally introducing high-risk public data into Copilot Studio agents. This administrative control is vital for mitigating the legal exposure that arises from the “Bing exclusion” in the CCC and the general user responsibility for agent content. It allows companies to tailor their risk posture based on their specific industry regulations, data sensitivity, and overall risk appetite, providing a robust layer of defense.

 

5. Best Practices for Managing Public Website Knowledge Sources

Strategies for Verifying Website Ownership and Usage Rights

To effectively manage the risks associated with public website knowledge sources, several strategies for verification and rights management are essential:

  • Legal Review of Terms of Service: A thorough legal review of the Terms of Service (ToS) and privacy policy for every single public website intended for use as a knowledge source is imperative. This review should specifically identify clauses pertaining to data scraping, AI training, commercial use, and content licensing. It is prudent to assume that all content is copyrighted unless explicitly stated otherwise.
  • Direct Licensing and Permissions: Whenever feasible and legally necessary, organizations should actively seek direct, written licenses or explicit permissions from website owners. These permissions must specifically cover the purpose of using their content for AI training and subsequent output generation within Copilot Studio agents.
  • Prioritize Public Domain or Openly Licensed Content: A strategic approach involves prioritizing the use of public websites whose content is demonstrably in the public domain or offered under permissive open licenses, such as Creative Commons licenses. Strict adherence to any associated attribution requirements is crucial.
  • Respect Technical Directives: While not always legally binding, adhering to robots.txt directives and other machine-readable metadata that indicate a website’s preferences regarding automated access and data collection demonstrates good faith and can significantly reduce the likelihood of legal disputes.

Given the complex and evolving legal landscape of AI and intellectual property, proactive legal due diligence on every external URL is no longer merely a best practice; it has become a fundamental, non-negotiable requirement for responsible AI deployment. This shifts the organizational mindset from “can this data be accessed?” to “do we have the explicit legal right to use this specific data for AI training and to generate responses from it?” Ignoring this foundational step exposes the organization to significant and potentially unindemnified legal liabilities.

Considerations for Using Non-Owned Public Data

Even with careful due diligence, specific considerations apply when using non-owned public data:

  • Avoid Sensitive/Proprietary Content: Exercise extreme caution and, ideally, avoid using public websites that contain highly sensitive, proprietary, or deeply expressive creative works (e.g., unpublished literary works, detailed financial reports, or personal health information). Such content should only be considered if explicit, robust permissions are obtained and meticulously documented.
  • Implement Robust Content Moderation: Configure content moderation settings within Copilot Studio 1 to filter out potentially harmful, inappropriate, or infringing content from agent outputs. This serves as a critical last line of defense against unintended content generation.
  • Clear User Disclaimers: For Copilot Studio agents that utilize external public knowledge sources, it is essential to ensure that clear, prominent disclaimers are provided to end-users. These disclaimers should advise users to exercise caution when considering answers and to independently verify information, particularly if the source is not designated as “official” or is not owned by the organization.1
  • Strategic Management of Generative AI Settings: Meticulously manage the “Web Search” and “Allow the AI to use its own general knowledge” settings 1 within Copilot Studio. This control limits the agent’s ability to pull information from the broader internet, ensuring that its responses are primarily grounded in specific, vetted, and authorized knowledge sources. This approach significantly reduces the risk of unpredictable and potentially infringing content generation.

A truly comprehensive risk mitigation strategy requires a multi-faceted approach that integrates legal vetting with technical and operational controls. Beyond the initial legal assessment of data sources, configuring in-platform features like content moderation, carefully managing the scope of generative AI’s general knowledge, and providing clear user disclaimers are crucial operational measures. These layers work in concert to reduce the likelihood of infringing outputs and manage user expectations regarding the veracity and legal standing of information derived from external, non-owned sources, thereby strengthening the organization’s overall compliance posture.

Implementing Internal Policies and User Training

Effective governance of AI agents requires a strong internal framework:

  • Develop a Comprehensive Internal AI Acceptable Use Policy: Organizations should create and enforce a clear, enterprise-wide acceptable use policy for AI tools. This policy must specifically address the use of external knowledge sources in Copilot Studio and precisely outline the responsibilities of all agent creators and users.15 The policy should clearly define permissible types of external data and the conditions under which they may be used.
  • Mandatory Training for Agent Makers: Providing comprehensive and recurring training to all Copilot Studio agent creators is indispensable. This training should cover fundamental intellectual property law (with a focus on copyright and Terms of Service), data governance principles, the specifics of Microsoft’s Customer Copyright Commitment (including its exclusions), and the particular risks associated with using non-owned public websites as knowledge sources.15
  • Leverage DLP Policy Enforcement: Actively utilizing the Data Loss Prevention (DLP) policies available in the Power Platform admin center is crucial. These policies should be configured to restrict or monitor the addition of public websites as knowledge sources, ensuring strict alignment with the organization’s defined risk appetite and compliance requirements.16
  • Regular Audits and Review: Establishing a process for regular audits of deployed Copilot Studio agents, their configured knowledge sources, and their generated outputs is vital for ensuring ongoing compliance with internal policies and external regulations. This proactive measure aids in identifying and addressing any unauthorized or high-risk data usage.

Effective AI governance and compliance are not solely dependent on technical safeguards; they are fundamentally reliant on human awareness, behavior, and accountability. Comprehensive training, clear internal policies, and robust administrative oversight are indispensable to ensure that individual “makers” fully understand the legal implications of their actions within Copilot Studio. This human-centric approach is vital to prevent inadvertent legal exposure and to foster a culture of responsible AI development and deployment within the organization, complementing technical controls with informed human decision-making.

Conclusion and Recommendations

Summary of Key Concerns

The “website ownership attestation” in Microsoft Copilot Studio, when adding public websites as knowledge sources, represents a significant legal declaration. This attestation effectively transfers the burden of intellectual property compliance for designated public websites directly to the user. The analysis indicates that utilizing non-owned public websites as knowledge sources for Copilot Studio agents carries substantial and largely unindemnified legal risks, primarily copyright infringement and Terms of Service violations. This is critically due to the explicit exclusion of Bing-powered components, which facilitate public website search, from Microsoft’s Customer Copyright Commitment. The inherent nature of generative AI, which learns from vast datasets and possesses the capability to produce “substantially similar” outputs, amplifies these legal risks, making careful data sourcing and continuous output monitoring imperative for organizations.

Actionable Advice and Recommendations

To navigate these complexities and mitigate potential legal exposure, the following actionable advice and recommendations are provided for organizations utilizing Microsoft Copilot Studio:

  • Treat the Attestation as a Legal Oath: It is paramount to understand that checking the “I own this website” box constitutes a formal legal declaration. Organizations should only attest to ownership for websites that they genuinely own, control, and for which they possess the full legal rights to use content for AI training and subsequent content generation.
  • Prioritize Owned and Explicitly Licensed Data: Whenever feasible, organizations should prioritize the use of internal, owned data sources (e.g., SharePoint, Dataverse, uploaded proprietary files) or external content for which clear, explicit licenses or permissions have been obtained. This approach significantly reduces legal uncertainty.
  • Conduct Rigorous Legal Due Diligence for All Public URLs: For any non-owned public website being considered as a knowledge source, a meticulous legal review of its Terms of Service, privacy policy, and copyright notices is essential. The default assumption should be that all content is copyrighted, and its use should be restricted unless explicit permission is granted or the content is unequivocally in the public domain.
  • Leverage Administrative Governance Controls: Organizations must proactively utilize the Data Loss Prevention (DLP) policies available within the Power Platform admin center. These policies should be configured to restrict or monitor the addition of public websites as knowledge sources, ensuring strict alignment with the organization’s legal and risk tolerance frameworks.
  • Implement a Comprehensive AI Governance Framework: Establishing clear internal policies for responsible AI use, including specific guidelines for external data sourcing, is critical. This framework should encompass mandatory and ongoing training for all Copilot Studio agent creators on intellectual property law, terms of service compliance, and the nuances of Microsoft’s Customer Copyright Commitment. Furthermore, continuous monitoring of agent outputs and knowledge source usage should be implemented.
  • Strategically Manage Generative AI Settings: Careful configuration and limitation of the “Web Search” and “Allow the AI to use its own general knowledge” settings within Copilot Studio are advised. This ensures that the agent’s responses are primarily grounded in specific, vetted, and authorized knowledge sources, thereby reducing reliance on broader, unpredictable public internet searches and mitigating associated risks.
  • Provide Transparent User Disclaimers: For any Copilot Studio agent that utilizes external public knowledge sources, it is imperative to ensure that appropriate disclaimers are prominently displayed to end-users. These disclaimers should advise users to consider answers with caution and to verify information independently, especially if the source is not marked as “official” or is not owned by the organization.
Works cited
  1. Knowledge sources overview – Microsoft Copilot Studio, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/knowledge-copilot-studio
  2. Add a public website as a knowledge source – Microsoft Copilot Studio, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/knowledge-add-public-website
  3. Copyright Office Weighs In on AI Training and Fair Use, accessed on July 3, 2025, https://www.skadden.com/insights/publications/2025/05/copyright-office-report
  4. Legal Issues in Data Scraping for AI Training – The National Law Review, accessed on July 3, 2025, https://natlawreview.com/article/oecd-report-data-scraping-and-ai-what-companies-can-do-now-policymakers-consider
  5. The Legal Risks of Using Copyrighted Material in AI Training – PatentPC, accessed on July 3, 2025, https://patentpc.com/blog/the-legal-risks-of-using-copyrighted-material-in-ai-training
  6. Microsoft Copilot Studio: Copyright Protection – With Conditions – schneider it management, accessed on July 3, 2025, https://www.schneider.im/microsoft-copilot-studio-copyright-protection-with-conditions/
  7. Copilot Studio overview – Learn Microsoft, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/fundamentals-what-is-copilot-studio
  8. Microsoft Copilot Studio | PDF | Artificial Intelligence – Scribd, accessed on July 3, 2025, https://www.scribd.com/document/788652086/Microsoft-Copilot-Studio
  9. Copilot Studio | Pay-as-you-go pricing – Microsoft Azure, accessed on July 3, 2025, https://azure.microsoft.com/en-in/pricing/details/copilot-studio/
  10. Add knowledge to an existing agent – Microsoft Copilot Studio, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/knowledge-add-existing-copilot
  11. How can we manage and assign control over the knowledge sources – Microsoft Q&A, accessed on July 3, 2025, https://learn.microsoft.com/en-us/answers/questions/2224215/how-can-we-manage-and-assign-control-over-the-know
  12. Privacy FAQ for Microsoft Copilot, accessed on July 3, 2025, https://support.microsoft.com/en-us/topic/privacy-faq-for-microsoft-copilot-27b3a435-8dc9-4b55-9a4b-58eeb9647a7f
  13. Microsoft Terms of Use | Microsoft Legal, accessed on July 3, 2025, https://www.microsoft.com/en-us/legal/terms-of-use
  14. AI-Generated Content and IP Risk: What Businesses Must Know – PatentPC, accessed on July 3, 2025, https://patentpc.com/blog/ai-generated-content-and-ip-risk-what-businesses-must-know
  15. Copilot privacy considerations: Acceptable use policy for your bussines – Seifti, accessed on July 3, 2025, https://seifti.io/copilot-privacy-considerations-acceptable-use-policy-for-your-bussines/
  16. Security FAQs for Copilot Studio – Learn Microsoft, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/security-faq
  17. Copilot Studio security and governance – Learn Microsoft, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/security-and-governance
  18. A Microsoft 365 Administrator’s Beginner’s Guide to Copilot Studio, accessed on July 3, 2025, https://practical365.com/copilot-studio-beginner-guide/
  19. Configure data loss prevention policies for agents – Microsoft Copilot Studio, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/admin-data-loss-prevention

CIA Brief 20250712

image

Navigating Copilot Studio Agent Access: Data Grounding and Licensing for Unlicensed Users –

https://blog.ciaops.com/2025/07/12/navigating-copilot-studio-agent-access-data-grounding-and-licensing-for-unlicensed-users/

Your Windows release information toolbox –

https://techcommunity.microsoft.com/blog/windows-itpro-blog/your-windows-release-information-toolbox/4430980

Support tip: Troubleshooting Microsoft Intune management agent on macOS –

https://techcommunity.microsoft.com/blog/intunecustomersuccess/support-tip-troubleshooting-microsoft-intune-management-agent-on-macos/4431810

Should your team upgrade to Microsoft 365 Business Premium? –

https://www.youtube.com/watch?v=ZZSkb9qBEQo

Introducing Summary Rules Templates: Streamlining Data Aggregation in Microsoft Sentinel –

https://techcommunity.microsoft.com/blog/microsoftsentinelblog/introducing-summary-rules-templates-streamlining-data-aggregation-in-microsoft-s/4428779

Learn how to build an AI-powered, unified SOC in new Microsoft e-book –

https://www.microsoft.com/en-us/security/blog/2025/07/07/learn-how-to-build-an-ai-powered-unified-soc-in-new-microsoft-e-book/

Request more access in Word, Excel, and PowerPoint for the web –

https://techcommunity.microsoft.com/blog/Microsoft365InsiderBlog/request-more-access-in-word-excel-and-powerpoint-for-the-web/4429019

Summarize transferred calls in Teams with Copilot –

https://techcommunity.microsoft.com/blog/Microsoft365InsiderBlog/summarize-transferred-calls-in-teams-with-copilot/4427247

After hours

The truth about working from home – that your boss won’t tell you – https://www.youtube.com/watch?v=_NFYtS59xa4

Editorial

If you found this valuable, the I’d appreciate a ‘like’ or perhaps a donation at https://ko-fi.com/ciaops. This helps me know that people enjoy what I have created and provides resources to allow me to create more content. If you have any feedback or suggestions around this, I’m all ears. You can also find me via email director@ciaops.com and on X (Twitter) at https://www.twitter.com/directorcia.

If you want to be part of a dedicated Microsoft Cloud community with information and interactions daily, then consider becoming a CIAOPS Patron – www.ciaopspatron.com.

Watch out for the next CIA Brief next week

Navigating Copilot Studio Agent Access: Data Grounding and Licensing for Unlicensed Users

bp1

Executive Summary

A user without a Microsoft 365 Copilot license can interact with a custom Agent built in Copilot Studio that uses both public and company data sources. However, their access to company data will be strictly governed by their existing Microsoft Entra ID permissions to those specific data sources (e.g., SharePoint, Dataverse, uploaded PDFs). If they lack the necessary permissions or if the agent’s authentication is not configured to allow their access to internal resources, the agent will effectively be “blocked” from retrieving or generating responses from that internal company data for them. Their results will then be limited to what can be generated from public data sources, provided the agent is designed to handle such limitations gracefully and the query can be fulfilled solely from public information. It is crucial to note that interactions by unlicensed users with Copilot Studio agents, especially those using generative answers or internal data, will incur costs against the organization’s Copilot Studio message capacity.

Introduction

The rapid evolution of AI capabilities within Microsoft’s ecosystem, particularly with Microsoft 365 Copilot and Copilot Studio, has introduced powerful new ways to interact with information. However, this advancement often brings complexities, especially concerning licensing and data access. A common point of confusion arises when organizations deploy custom AI Agents built using Microsoft Copilot Studio, which can leverage a mix of public internet data and sensitive internal company information (such as PDFs, SharePoint documents, or Dataverse records). The central question for IT professionals is whether users who do not possess a Microsoft 365 Copilot license will be able to utilize these Agents, and if so, what limitations apply, particularly regarding access to proprietary company data. This report aims to demystify these interactions, providing a clear, definitive guide to the interplay of licensing, data grounding, and authentication for Copilot Studio Agents.

Understanding the Copilot Ecosystem

The Microsoft Copilot ecosystem comprises several distinct but interconnected components, each with its own purpose and licensing model. Understanding these distinctions is fundamental to clarifying access rights.

Microsoft 365 Copilot: The Enterprise Productivity AI

Microsoft 365 Copilot represents an advanced AI-powered productivity tool deeply integrated across the suite of Microsoft 365 applications, including Word, Excel, PowerPoint, Outlook, and Teams. Its primary function is to enhance user productivity by orchestrating Large Language Models (LLMs) with a user’s organizational data residing within Microsoft Graph and the content generated and managed within Microsoft 365 applications.1 This powerful synergy enables it to generate responses, summarize extensive content, draft emails, create presentations, and analyze data, all within the rich context of a user’s specific work environment.

To fully leverage Microsoft 365 Copilot, users must satisfy specific licensing prerequisites. This includes possession of an eligible Microsoft 365 or Office 365 base license, such as Microsoft 365 E3, E5, A3, A5, Business Standard, Business Premium, or Office 365 E3, E5, A3, A5, F1, F3, E1, Business Basic.2 Beyond this foundational license, a separate Microsoft 365 Copilot add-on license is required, typically priced at $30 per user per month.3 This add-on license is not merely an optional feature; it is essential for unlocking the full spectrum of capabilities, particularly its seamless ability to access and ground responses in a user’s

shared enterprise data and individual data that is indexed via Microsoft Graph.1

A cornerstone of Microsoft 365 Copilot’s design is its robust Enterprise Data Protection (EDP) framework. It operates strictly within the Microsoft 365 service boundary, ensuring that all user prompts, retrieved data, and generated responses remain securely within the organization’s tenant.1 Critically, this data is not utilized to train the foundational LLMs that power Microsoft 365 Copilot. Furthermore, the system rigorously adheres to existing Microsoft 365 permission models. This means that Microsoft 365 Copilot will “only surface organizational data to which individual users have at least view permissions”.1 This semantic index inherently respects user identity-based access boundaries, preventing unauthorized data exposure. This design implies a fundamental level of trust where Microsoft 365 Copilot acts as an intelligent extension of the user’s existing access rights within the Microsoft 365 ecosystem. This broad, personalized access to all relevant Microsoft 365 data, coupled with built-in security and privacy controls that mirror existing access permissions, represents a core differentiation from a more basic custom agent built in Copilot Studio. Consequently, organizations planning to deploy Microsoft 365 Copilot must first ensure their Microsoft 365 permission structures are meticulously managed and robust. Without proper governance, Copilot could inadvertently expose data based on over-permissioned content or previously “dark data,” underscoring the necessity for a well-defined data access strategy.

Microsoft Copilot Studio: The Custom Agent Builder

In contrast to the integrated nature of Microsoft 365 Copilot, Microsoft Copilot Studio serves as a low-code platform specifically engineered for the creation of custom conversational AI agents. These agents, often referred to as “copilots” or “bots,” are designed to answer specific questions, perform defined tasks, and integrate with a diverse array of data sources and external systems.5 A key strength of Copilot Studio is its versatility in deployment; agents can be published across multiple channels, including public websites, Microsoft Teams, and can even be configured to extend the capabilities of Microsoft 365 Copilot itself.5 The platform empowers makers to define explicit instructions, curate specific knowledge sources, and program actions for their agents.6

The agents developed within Copilot Studio possess a standalone operational nature. They can function independently, establishing connections to various data repositories. These include public websites, documents uploaded directly (such as PDFs), content residing in SharePoint, data within Dataverse, and other enterprise systems accessible via a wide range of connectors.5 This independent operation distinguishes them from the deeply embedded functionality of Microsoft 365 Copilot.

Despite their standalone capability, Copilot Studio agents are also designed for seamless integration with Microsoft 365 Copilot. They can be purpose-built to “extend Microsoft 365 Copilot” 6, allowing organizations to develop highly specialized agents. These custom agents can then leverage the sophisticated orchestration engine of Microsoft 365 Copilot, incorporating bespoke domain knowledge or executing specific actions directly within the broader Microsoft 365 Copilot experience. This positions Copilot Studio as a controlled gateway for data access. Unlike Microsoft 365 Copilot, which provides broad access to a user’s Microsoft Graph data based on their existing permissions, Copilot Studio explicitly enables makers to

select and configure precise knowledge sources.7 This granular control over what information an agent can draw upon is critical for effective governance. It makes Copilot Studio particularly suitable for scenarios where only specific, curated datasets should be exposed via an AI agent, even if the user might possess broader permissions elsewhere within the Microsoft 365 environment. This capability allows organizations to create agents that offer targeted access to internal knowledge bases for a wider audience, potentially including users who do not possess Microsoft 365 Copilot licenses, without inadvertently exposing the full breadth of their Microsoft Graph data. However, achieving this requires meticulous configuration of the agent’s knowledge sources and authentication mechanisms.

Licensing Models for Copilot Studio Agents

A frequent area of misunderstanding pertains to the distinct licensing model governing Copilot Studio Agents, which operates separately from the Microsoft 365 Copilot user license. This fundamental distinction means that the agent itself incurs costs based on its usage, regardless of whether the individual interacting with it holds a Microsoft 365 Copilot license.

Copilot Studio’s Independent Licensing

Copilot Studio offers flexible licensing models tailored to organizational needs. The Pay-as-you-go model allows organizations to pay solely for the actual number of messages consumed by their agents each month, eliminating the need for upfront commitment. This model is priced at $0.01 per message 8, providing inherent flexibility and scalability to accommodate fluctuating usage patterns.9 Alternatively, organizations can opt for

Message Packs, which are subscription-based, with one message pack equating to 25,000 messages per month for a cost of $200 per tenant.8 Should an agent’s usage exceed the purchased message pack capacity, the pay-as-you-go meter automatically activates to cover the excess.8 It is important to note that unused messages from a message pack do not roll over to the subsequent month.8

A critical understanding for any deployment is that all interactions with a Copilot Studio agent that result in a generated response—defined as a “message”—contribute to these billing models. This applies unless specific exceptions are met, such as interactions by users holding a Microsoft 365 Copilot license within Microsoft 365 services, as detailed below. Consequently, interactions initiated by users who do not possess a Microsoft 365 Copilot license will directly consume from the organization’s Copilot Studio message capacity and, therefore, incur costs.8 This represents a significant operational cost consideration that is often overlooked. Even when an unlicensed user interacts with a Copilot Studio agent to query seemingly “free” public data, the organization still bears a per-message cost for the Copilot Studio service itself. This necessitates a careful evaluation of the anticipated usage by unlicensed users and the integration of these Copilot Studio message costs into the overall budget. Such financial implications can significantly influence decisions regarding the broad exposure of certain agents versus prioritizing Microsoft 365 Copilot licensing for frequent users who require access to internal data, thereby leveraging the benefits of zero-rated usage.

Copilot Studio Use Rights with Microsoft 365 Copilot

For users who are provisioned with a Microsoft 365 Copilot license, a distinct advantage emerges in their interactions with Copilot Studio agents. Their usage of agents specifically built in Copilot Studio for deployment within Microsoft Teams, SharePoint, and Microsoft 365 Copilot (such as Copilot Chat) is designated as “zero-rated”.8 This means that interactions by these licensed users, when occurring within the context of Microsoft 365 products, do not count against the organization’s Copilot Studio message pack or pay-as-you-go meter. This zero-rating applies to classic answers, generative answers, and tenant Microsoft Graph grounding.8

Beyond cost benefits, the Microsoft 365 Copilot license also confers specific use rights within Copilot Studio. These rights include the ability to “Create and publish your own agents and plugins to extend Microsoft 365 Copilot”.8 This capability underscores a symbiotic relationship: users with Microsoft 365 Copilot licenses gain enhanced functionality and significant cost efficiencies when interacting with custom agents that are integrated within the Microsoft 365 ecosystem. This contrast in billing models highlights a clear financial incentive. If a substantial volume of agent usage involves internal data or generative answers, and the users engaged in these interactions already possess Microsoft 365 Copilot licenses, the organization benefits from the zero-rated usage, potentially leading to considerable cost savings. Conversely, if a large proportion of users are unlicensed, every message generated by the Copilot Studio agent will incur a direct cost. This situation presents a strategic licensing decision point for organizations. A thorough analysis of the user base and agent usage patterns is advisable. If widespread access to internal data via AI agents is a strategic priority, investing in Microsoft 365 Copilot licenses for relevant users can substantially reduce or eliminate the Copilot Studio message costs for those specific interactions within Microsoft 365 applications. This tiered access and cost model is crucial for informing the overall AI strategy and budget allocation, distinguishing between basic, publicly-grounded agents (which still incur Copilot Studio message costs for unlicensed users) and agents providing deep internal data insights (which are more cost-effective when accessed by Microsoft 365 Copilot licensed users within the Microsoft 365 environment).

Data Grounding and Knowledge Sources in Copilot Studio

Copilot Studio agents derive their intelligence and ability to provide relevant information from “knowledge sources,” which are meticulously configured to provide the data necessary for generative answers. The specific type of knowledge source selected directly dictates its authentication requirements and, consequently, determines who can access the information presented by the agent.

Supported Knowledge Sources

Copilot Studio agents offer robust capabilities for grounding in a diverse array of data sources, enabling them to provide rich, relevant information and insights.7 These supported knowledge sources include:

  • Public Websites: Agents can be configured to search and return results from specific, predefined public URLs. Additionally, they can perform a broader general web search, drawing information from public websites indexed by Bing.7 Crucially, no authentication is required for public websites to serve as a knowledge source.7
  • Documents (Uploaded Files/PDFs): Agents can search the content of documents, including PDFs, that have been uploaded to Dataverse. The agent then generates responses based on the information contained within these document contents.7 These are considered internal organizational sources.
  • SharePoint: Agents can establish connections to specified SharePoint URLs, utilizing Microsoft Graph Search capabilities to retrieve and return relevant results from the SharePoint environment.7 This is a common internal data source for many organizations.
  • Dataverse: The agent can connect directly to the configured Dataverse environment, employing retrieval-augmented generative techniques within Dataverse to synthesize and return results from structured data.7 This is a powerful internal data source for business applications.
  • Enterprise Data using Connectors: Copilot Studio agents can connect to a wide array of connectors that facilitate access to organizational data indexed by Microsoft Search or other external systems.5 The platform supports over 1,400 Power Platform connectors, enabling integration with a vast ecosystem of internal and third-party services.5 These are fundamental internal data sources.
  • Real-time Connectors: For specific enterprise systems like ServiceNow or Zendesk, real-time connectors can be added.10 In these configurations, Microsoft primarily indexes metadata, such as table and column names, rather than the raw data itself. Access to the actual enterprise data remains strictly controlled by the user’s existing access permissions within that specific enterprise system.10
The Role of Authentication

Authentication plays an indispensable role in controlling access for agents that interact with restricted resources or sensitive information.11 Copilot Studio provides several authentication options to meet varying security requirements, including “No authentication,” “Authenticate with Microsoft” (leveraging Microsoft Entra ID), or “Authenticate manually” with various OAuth2 identity providers such as Google or Facebook.11

The choice of authentication directly impacts data accessibility:

  • Public Data Access: If an agent is configured with the “No authentication” option, it is inherently limited to accessing only public information and resources.11 This configuration allows public website grounding to function without requiring any user sign-in.
  • Internal Data Access: For knowledge sources containing sensitive internal data, such as SharePoint, Dataverse, or enterprise data accessed via connectors, authentication is explicitly required.7 These internal sources typically rely on the “Agent user’s Microsoft Entra ID authentication”.7 This means that the user interacting with the agent must successfully sign in with their Microsoft Entra ID account. Once authenticated, their existing Microsoft Entra ID permissions to the underlying data source are meticulously honored.1

This principle of permission inheritance is foundational. Microsoft 365 Copilot, and by extension, Copilot Studio agents configured to access Microsoft 365 data, will “only surface organizational data to which individual users have at least view permissions”.1 This fundamental security control ensures that the AI agent cannot inadvertently or intentionally provide information to a user that they would not otherwise be authorized to access directly. This establishes the user’s existing permission boundary as the ultimate gatekeeper for data access. The most significant factor in “blocking” access to internal company data is not the Copilot Studio agent’s configuration itself, but rather the underlying permission structure within Microsoft 365, encompassing SharePoint permissions, Dataverse security roles, and granular file-level permissions. If a user lacks the requisite permissions to a specific document, SharePoint site, or Dataverse record, the agent is inherently unable to retrieve or generate information from that source for them, irrespective of the agent’s own capabilities. This reinforces the paramount importance of robust data governance and diligent permission management within an organization. The deployment of AI agents amplifies the necessity for a “least privilege” approach to data access, ensuring that any potential data exposure via an agent is a symptom of pre-existing permission vulnerabilities, rather than a flaw in the agent’s inherent security model.

The Core Question: Unlicensed Users and Mixed Data Agents

Addressing the user’s central query directly, the behavior of a Copilot Studio Agent configured with mixed data sources (combining company data and public websites) when accessed by users without a Microsoft 365 Copilot license is nuanced but can be clearly defined.

Access to Public Data

Users who do not possess a Microsoft 365 Copilot license can indeed access information derived from public websites through a Copilot Studio Agent. This functionality is feasible under specific conditions: the agent must be explicitly configured to utilize public website knowledge sources.7 Furthermore, the agent’s authentication setting can be configured as “No authentication” 11, allowing access without requiring user sign-in, provided the query can be resolved solely from public sources. It is important to remember that even in this scenario, the organization will incur Copilot Studio message costs for these interactions.8 The mechanism for this access involves the agent searching public websites indexed by Bing when Web Search is enabled, a process that can occur in parallel with searches of specific public website knowledge sources configured for the agent.7

Access to Company Data (PDFs, SharePoint, etc.)

Access to internal company data, such as PDFs uploaded to Dataverse, SharePoint content, or data retrieved from enterprise connectors, is fundamentally governed by the individual user’s existing permissions to those specific data sources.1 This is the primary blocking mechanism. If an unlicensed user—or, for that matter, any user regardless of their licensing status—lacks the necessary view permissions to the underlying document, SharePoint site, or Dataverse record, the agent will unequivocally

not be able to retrieve or generate responses from that data for them. The agent operates strictly within the security context and permission boundaries of the interacting user.

For agents configured to access internal data sources like SharePoint, Dataverse, or enterprise connectors, authentication is an explicit requirement.7 This typically involves setting the agent’s authentication to “Authenticate with Microsoft,” which mandates that the user interacting with the agent

must sign in with their Microsoft Entra ID account. Upon successful authentication, the user’s existing Microsoft Entra ID permissions are rigorously checked against the internal data source.7

Therefore, for unlicensed users, the outcome is clear: they will be effectively “blocked” from accessing company data via the agent if they lack the necessary permissions to the underlying data source. This blocking also occurs if the agent’s authentication configuration, such as being set to “Authenticate with Microsoft” without the user being signed in, or if organizational policies prevent their access to internal resources, restricts their access. In scenarios where an agent is configured with mixed data sources, and a query requires internal data for which the user is unauthorized, the agent’s response will be limited to what can be generated from the public data sources. This limitation is only possible if the agent has been specifically designed to gracefully handle such access denials and if the query can be adequately fulfilled using only public information. This graceful degradation is a critical aspect of agent design.

It is also important to understand the nuance regarding Microsoft Graph grounding and Enterprise Data Protection (EDP). While Copilot Studio agents can be configured to access specific SharePoint sites or Graph connectors 4, the broader, seamless access to a user’s

shared enterprise data, individual data, or external data indexed via Microsoft Graph connectors is a core capability fundamentally tied to the Microsoft 365 Copilot license.1 For users who do not possess a Microsoft 365 Copilot license, “Copilot Chat can’t access the user’s shared enterprise data, individual data, or external data indexed via Microsoft Graph connectors”.4 This means that while a Copilot Studio agent

could be configured to provide access to a specific, shared SharePoint site for an unlicensed user (provided authentication and permissions are met, and Copilot Studio metering is enabled), the unlicensed user will not experience the personalized, broad Graph-grounded capabilities that a Microsoft 365 Copilot licensed user would. Furthermore, the “Enhanced search results” feature within Copilot Studio, which leverages semantic search to improve the quality of results from SharePoint and connectors, also necessitates a Microsoft 365 Copilot license within the same tenant and requires the agent’s authentication to be set to “Authenticate with Microsoft”.7

The distinction between results being “limited” or “blocked” is crucial. While access to company data is generally “blocked” if permissions are not met, the results can be “limited” to public data if the agent is intelligently programmed to fall back to publicly available information. This highlights a critical imperative for agent design: developers building agents with mixed data sources must explicitly consider and implement how the agent behaves when internal data access is denied for a given user. This requires robust error handling and conditional logic within the agent’s design. If an agent attempts to access internal data for a user and is denied due to insufficient permissions, it should be programmed either to inform the user clearly about the access restriction or to attempt to answer the query using only the public data sources, if applicable and relevant. This proactive approach ensures a significantly better user experience, preventing hard failures or ambiguous responses. This extends beyond mere technical feasibility to encompass user experience design and effective governance, as an agent that silently fails or provides incomplete answers without explanation can lead to user frustration and erode trust in the system. Clear communication regarding data access limitations is therefore essential.

The following table summarizes user access capabilities to mixed-data agents based on their Microsoft 365 Copilot license status:

Feature/Scenario User has Microsoft 365 Copilot License User does NOT have Microsoft 365 Copilot License
Access to Public Website Data (via Copilot Studio Agent) Yes (Agent configured for public sources) Yes (Agent configured for public sources, “No authentication” option possible)
Access to Company Data (PDFs, SharePoint, Dataverse, etc. via Copilot Studio Agent) Yes (Subject to user’s existing Microsoft Entra ID permissions to data sources; agent authentication required) Yes (Subject to user’s existing Microsoft Entra ID permissions to data sources; agent authentication required; access is specific to configured Copilot Studio sources, not broad Graph access)
Seamless Access to User’s Shared Enterprise/Individual Data (via Microsoft Graph) Yes (Core capability of M365 Copilot)1 No (Copilot Chat cannot access user’s shared enterprise/individual data indexed via Microsoft Graph connectors)4
“Enhanced Search Results” (Semantic Search for SharePoint/Connectors in Copilot Studio) Yes (Requires M365 Copilot license in tenant & “Authenticate with Microsoft” for agent)7 No (Feature requires M365 Copilot license in tenant)7
Copilot Studio Message Billing for Agent Interactions Zero-rated when used within Microsoft 365 products (Teams, SharePoint, Copilot Chat)8 Incurs Copilot Studio message costs (Pay-as-you-go or Message Packs)8
Ability to Extend Microsoft 365 Copilot with Custom Agents/Plugins Included use rights with M365 Copilot license8 Not included8

Conclusion and Recommendations

The analysis demonstrates that users without a Microsoft 365 Copilot license are not entirely excluded from interacting with custom Agents built in Copilot Studio that leverage both public and company data sources. However, their access is critically contingent upon several factors, primarily their existing permissions to internal data and the authentication configuration of the Copilot Studio agent. While public data can generally be accessed without explicit user authentication (though still incurring Copilot Studio message costs for the organization), access to internal company data is strictly governed by the user’s Microsoft Entra ID permissions. If these permissions are insufficient, the agent will effectively be prevented from retrieving that sensitive information for the user.

Organizations deploying Copilot Studio Agents with mixed data sources should consider the following recommendations to ensure optimal functionality, security, and cost management:

  • Prioritize Robust Data Governance: The foundational security principle is that Copilot Studio Agents, like Microsoft 365 Copilot, honor existing user permissions. Therefore, a meticulous review and ongoing management of permissions on SharePoint sites, Dataverse environments, and other internal data sources are paramount. This proactive approach prevents unintended data exposure and ensures that agents only surface information to authorized individuals.1
  • Implement Strategic Authentication: Configure Copilot Studio agent authentication settings carefully based on the data sources employed. For agents accessing internal company data, “Authenticate with Microsoft” should be enabled to leverage Microsoft Entra ID and enforce user-specific permissions. For agents relying solely on public information, “No authentication” can be used, but with an understanding of the associated Copilot Studio message costs.7
  • Design Agents for Graceful Degradation: When developing agents that combine public and internal data sources, incorporate robust error handling and conditional logic. If an agent attempts to access internal data for an unauthorized user, it should be programmed to either clearly inform the user of the access restriction or intelligently pivot to providing information solely from public sources, if the query allows. This approach enhances the user experience and maintains trust in the agent’s capabilities.
  • Manage Copilot Studio Costs Proactively: All interactions with a Copilot Studio agent, regardless of the user’s Microsoft 365 Copilot license status, consume messages that are billed against the organization’s Copilot Studio capacity (Pay-as-you-go or Message Packs).8 Organizations should closely monitor message consumption and factor these costs into their budget.
  • Leverage Microsoft 365 Copilot Licenses Strategically: For scenarios requiring extensive, personalized access to Microsoft Graph-grounded enterprise data via agents within Microsoft 365 applications (Teams, SharePoint, Copilot Chat), licensing users for Microsoft 365 Copilot offers significant benefits, including zero-rated Copilot Studio message usage for those interactions.8 This can lead to substantial cost optimization for high-usage internal data scenarios.
  • Manage User Expectations: Clearly communicate to users what an agent can and cannot provide based on their licensing and permissions. Transparency helps manage expectations and reduces frustration when access to certain internal data is restricted.

By adhering to these recommendations, organizations can effectively deploy Copilot Studio Agents, maximizing their utility across diverse user groups while maintaining stringent control over data access and managing operational costs efficiently.

Works cited
  1. Data, Privacy, and Security for Microsoft 365 Copilot, accessed on July 3, 2025, https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-privacy
  2. App and network requirements for Microsoft 365 Copilot admins, accessed on July 3, 2025, https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-requirements
  3. Microsoft 365 Copilot: Licensing, Pricing, ROI – SAMexpert, accessed on July 3, 2025, https://samexpert.com/microsoft-365-copilot-licensing/
  4. Frequently asked questions about Microsoft 365 Copilot Chat, accessed on July 3, 2025, https://learn.microsoft.com/en-us/copilot/faq
  5. Customize Copilot and Create Agents | Microsoft Copilot Studio, accessed on July 3, 2025, https://www.microsoft.com/en-us/microsoft-copilot/microsoft-copilot-studio
  6. Copilot Studio overview – Learn Microsoft, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/fundamentals-what-is-copilot-studio
  7. Knowledge sources overview – Microsoft Copilot Studio, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/knowledge-copilot-studio
  8. Copilot Studio licensing – Learn Microsoft, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/billing-licensing
  9. Billing rates and management – Microsoft Copilot Studio, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/requirements-messages-management
  10. Add real-time knowledge with connectors – Microsoft Copilot Studio, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/knowledge-real-time-connectors
  11. Configure user authentication in Copilot Studio – Learn Microsoft, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/configuration-end-user-authentication
  12. FAQ for Copilot data security and privacy for Dynamics 365 and Power Platform, accessed on July 3, 2025, https://learn.microsoft.com/en-us/power-platform/faqs-copilot-data-security-privacy
  13. Copilot Studio security and governance – Learn Microsoft, accessed on July 3, 2025, https://learn.microsoft.com/en-us/microsoft-copilot-studio/security-and-governance

MVP 2025-26

image

Excited and proud to share that I’ve been awarded Microsoft MVP for 2025–26! This is now 14 years as a Microsoft MVP.

Huge thanks to Microsoft and the Microsoft MVP team for the continued recognition and support. It’s a privilege to be part of such a passionate and innovative community and I look forward to another year of helping others work with the Microsoft Cloud.

Of course, thanks also to everyone who reads, listens or consumes the things that I create. It is always great to hear the benefits that this content has helped, so don’t be shy in reaching out if I have been able to help in any way. Your continued support of my endeavours is what drives me every day to create more.

This past year, I’ve been all-in on Microsoft 365—especially Copilot. From building agents and using notebooks with podcasts to exploring automations and more, it’s been incredible to see how AI is transforming the way I work and exciting to see what the future brings with AI.

Grateful for the opportunities to learn, share, and collaborate—and looking forward to another year of building, breaking (in the lab), and helping others get the most out of Microsoft 365 + Copilot and everything in the Microsoft Cloud.

Let’s keep pushing what’s possible.

Thank you.

Exchange Online PowerShell configuration rules and policy relationship

bp1

In the context of configuring anti-spam settings in Exchange (particularly Exchange Online, which uses Exchange Online Protection or EOP), “rules” and “policies” work together to define how email is processed and protected. PowerShell is the primary tool for granular control over these settings.

Here’s a breakdown of their relationship:

1. Policies (Anti-Spam Policies):

  • What they are: Policies are the core configuration containers that define the overall anti-spam settings. They specify what actions to take when a message is identified with a certain spam confidence level (SCL) or other anti-spam verdict (e.g., spam, high-confidence spam, phishing, bulk email).

  • Key settings within policies:

    • Spam Actions: What to do with messages identified as spam (e.g., move to Junk Email folder, quarantine, add X-header, redirect).

    • High-Confidence Spam Actions: Similar to spam actions, but for messages with a very high probability of being spam.

    • Phishing Actions: Actions for phishing attempts.

    • Bulk Email Thresholds (BCL – Bulk Complaint Level): How to treat bulk mail (e.g., newsletters, marketing emails) that isn’t necessarily spam but users might not want.

    • Allowed/Blocked Senders and Domains: Lists of specific senders or domains that should always be allowed or blocked, bypassing some or all spam filtering.

    • Advanced Spam Filter (ASF) settings: More granular options like increasing spam score for specific characteristics (e.g., certain languages, countries, or specific URLs/patterns).

  • Default Policies: Exchange/EOP comes with built-in default policies (e.g., “Default,” “Standard Preset Security,” “Strict Preset Security”) that provide a baseline level of protection.

  • Custom Policies: You can create custom anti-spam policies to apply different settings to specific users, groups, or domains within your organization.

  • PowerShell Cmdlets:

    • Get-HostedContentFilterPolicy: Views existing anti-spam policies.

    • New-HostedContentFilterPolicy: Creates a new custom anti-spam policy.

    • Set-HostedContentFilterPolicy: Modifies an existing anti-spam policy.

    • Get-HostedOutboundSpamFilterPolicy, Set-HostedOutboundSpamFilterPolicy, New-HostedOutboundSpamFilterPolicy: Manage outbound spam policies.

2. Rules (Anti-Spam Rules / Mail Flow Rules / Transport Rules):

  • What they are: Rules are used to apply policies to specific recipients or groups of recipients, or to implement more dynamic and conditional anti-spam actions. While “anti-spam rules” are directly linked to anti-spam policies, “mail flow rules” (also known as “transport rules”) offer a broader range of conditions and actions, including those that can influence spam filtering.

  • Relationship to Policies:

    • Anti-Spam Rules (specifically): An anti-spam rule (e.g., created with New-HostedContentFilterRule) links an anti-spam policy to specific conditions (e.g., applying the policy to members of a certain distribution group). A single anti-spam policy can be associated with multiple rules, but a rule can only be associated with one policy. This allows you to apply different policies to different sets of users.

    • Mail Flow Rules (broader impact): Mail flow rules can also be used to influence anti-spam behavior, even if they aren’t strictly “anti-spam rules.” For example:

      • Bypassing spam filtering: You can create a mail flow rule to set the Spam Confidence Level (SCL) of a message to -1 (Bypass spam filtering) if it meets certain conditions (e.g., from a trusted internal system, or specific external partners).

      • Increasing SCL: You can increase the SCL of messages that contain specific keywords or come from particular sources, forcing them to be treated more aggressively by anti-spam policies.

      • Redirecting/Quarantining: Mail flow rules can directly redirect suspicious messages to a quarantine mailbox or add specific headers for further processing, often based on content or sender characteristics that might indicate spam or phishing.

  • PowerShell Cmdlets:

    • Get-HostedContentFilterRule: Views existing anti-spam rules.

    • New-HostedContentFilterRule: Creates a new anti-spam rule and links it to an anti-spam policy.

    • Set-HostedContentFilterRule: Modifies an existing anti-spam rule.

    • Get-TransportRule, New-TransportRule, Set-TransportRule: Manage general mail flow (transport) rules, which can include anti-spam related actions.

How they work together (with PowerShell in mind):

  1. Define the “What”: You use New-HostedContentFilterPolicy or Set-HostedContentFilterPolicy to define the core anti-spam behavior (e.g., “quarantine spam, move high-confidence spam to junk, block these specific senders”).

  2. Define the “Who/When”: You then use New-HostedContentFilterRule to create a rule that applies that specific policy to certain users or under specific conditions. You can prioritize these rules using the -Priority parameter on the Set-HostedContentFilterRule cmdlet, where a lower number means higher priority.

  3. Advanced Scenarios: For more nuanced control, or to handle edge cases not covered directly by anti-spam policies, you leverage New-TransportRule or Set-TransportRule. These allow you to:

    • Exempt certain senders/domains from all spam filtering (SCL -1).

    • Apply custom actions based on message headers (e.g., from a third-party spam filter).

    • Implement more sophisticated content-based filtering using keywords or regular expressions before the message hits the main anti-spam policies.

Example Scenario and PowerShell:

Let’s say you want to:

  • Apply a strict anti-spam policy to your “Executives” group.

  • Allow a specific partner domain to bypass most spam filtering.

Using PowerShell, you might:

  1. Create a custom anti-spam policy for executives:

    PowerShell

    New-HostedContentFilterPolicy -Name "ExecutiveSpamPolicy" -HighConfidenceSpamAction Quarantine -SpamAction Quarantine -BulkThreshold 4 -MarkAsSpamBulkMail $true

  2. Create an anti-spam rule to apply this policy to the “Executives” group:

    PowerShell

    New-HostedContentFilterRule -Name "ApplyExecutiveSpamPolicy" -HostedContentFilterPolicy "ExecutiveSpamPolicy" -SentToMemberOf "ExecutivesGroup" -Priority 1

  3. Create a mail flow rule to bypass spam filtering for the partner domain:

    PowerShell

    New-TransportRule -Name "BypassSpamForPartner" -FromScope OutsideOrganization -FromDomainIs "partnerdomain.com" -SetSCL -1 -Priority 0 # Higher priority to ensure it's processed first

In summary:

  • Policies define the actions for different spam verdicts and general anti-spam behavior.

  • Rules (both anti-spam rules and broader mail flow/transport rules) define the conditions under which those policies or other anti-spam actions are applied.

PowerShell gives administrators the power to create, modify, and manage these policies and rules with a high degree of precision and automation, which is crucial for effective anti-spam protection in Exchange environments.

M365 Copilot reasoning agents limits

bp1

Yes, there is a usage limit for Research and Analyst Agent prompts in Microsoft 365 Copilot. These agents are included in a Microsoft 365 Copilot license but not with the free Copilot Chat.

According to Microsoft’s official documentation and recent updates, each user with a Microsoft 365 Copilot license is allowed to run up to 25 combined queries per calendar month using the Researcher and Analyst agents

Researcher and Analyst Usage Limits | Microsoft Community Hub

Researcher and Analyst are now generally available | Microsoft 365 Blog

This limit resets on the 1st of each month, not on a rolling 30-day basis

This cap is in place because the Research Agent performs deep, multi-step reasoning and consumes more compute resources than standard Copilot Chat. It’s designed for complex, structured tasks—like generating detailed reports with citations—rather than quick, conversational queries.

If your organization anticipates higher usage, Microsoft offers message packs as an add-on. For example, a couple of packs covering ~50,000 queries might cost around $400/month, while licensing 100 users directly would be about $3,000/month. Microsoft recommends starting with minimal licenses, monitoring usage, and scaling based on actual demand.

The next question is then about how the 25-prompt monthly limit for the Researcher agent in Microsoft 365 Copilot applies when you create a custom agent in Copilot Studio that uses “reason” in its instructions.

Key Clarification

The 25-prompt limit applies specifically to the Researcher agent—a specialized, high-computation mode within Microsoft 365 Copilot designed for deep, multi-step reasoning across enterprise and web data. It’s distinct from standard Copilot chat and is licensed separately.

What Happens in Copilot Studio?

When you create an agent in Copilot Studio and include the word “reason” in the instructions (e.g., “use reasoning to evaluate…”), that does not automatically invoke the Researcher agent or count against your 25 monthly Researcher prompts.

Instead, Copilot Studio agents operate based on:

  • The generative answer node and its custom instructions.

  • The data sources you’ve connected (e.g., SharePoint, Dataverse, websites).

  • The reasoning complexity you’ve built into the flow (e.g., branching logic, memory, variables).

Unless your agent explicitly calls the Researcher agent (via a connector or API that invokes it), or unless Microsoft has integrated Researcher-like capabilities into your agent’s backend (which would be documented), your usage won’t count against the Researcher quota.

Optimize prompts with custom instructions – Microsoft Copilot Studio | Microsoft Learn

Researcher agent in Microsoft 365 Copilot | Microsoft Community Hub


What “Reason” Means in Instructions

Using “reason” in your instructions—such as “reason through the options before answering”—is interpreted as a style or tone directive for the generative AI. It helps shape how the agent responds but doesn’t trigger the Researcher agent’s quota-based behaviour.

✅ Summary
  • No, using “reason” in Copilot Studio instructions does not count against your 25 Researcher prompts.

  • The Researcher agent quota applies only when that specific agent is invoked.

  • You can safely build reasoning-style flows in Copilot Studio without worrying about prompt limits—unless you explicitly integrate the Researcher agent.

Would you like help designing a reasoning-style Copilot Studio agent that stays within standard usage?

References

Optimize prompts with custom instructions – Microsoft Copilot Studio

Researcher agent in Microsoft 365 Copilot