Manage Copilot
Commercial data protection eligibility
Microsoft Copilot (formerly Bing Chat Enterprise) includes commercial data protection for eligible users signed in with work or school accounts (Entra ID). Currently, commercial data protection is available in Copilot for users with an eligible license:
Enterprises
- Microsoft 365 E3 or E5
- Microsoft 365 F1 or F3
- Microsoft 365 Business Standard, Premium, or Basic
- Microsoft 365 Apps for enterprise or business
- Office 365 E1, E1 Plus, E3, or E5
Education faculty and higher ed students (18+)
- Microsoft 365 A1, A3, or A5
- Office 365 A1, A3, or A5
Eligibility for students includes Student Use Benefit licenses.
Office 365 A1 Plus licenses are not eligible due to its retirement later this year. Learn more: Retirement Plan for the Office 365 A1 Plus | Microsoft Education.
The 'Commercial data protection for Microsoft Copilot' service plan allows IT admins to manage whether users receive commercial data protection while using Copilot. Commercial data protection is on by default for users with each of these licenses.
At this time, commercial data protection in Copilot isn't available for government cloud customers or for K-12 students. Copilot will add commercial data protection to more work and school accounts (Entra ID) over time.
Copilot is governed by the Universal License Terms for Online Services.
Managing commercial data protection using the service plan
To receive commercial data protection, users must sign in to Copilot with their eligible work or school account (Entra ID). Users signed in to Copilot with MSA accounts don't receive commercial data protection.
The 'Commercial data protection for Microsoft Copilot' service plan (part number: bing_chat_enterprise) must be enabled for your eligible users to receive commercial data protection when they're signed in to Copilot with their work or school account (Entra ID). The Copilot service plan is included with your eligible users' Microsoft 365 licenses. To help ensure that your users are using Copilot with commercial data protection, the service plan is enabled by default.
PowerShell allows you to bulk assign and remove licenses for your intended users. Learn more about how to assign Microsoft 365 licenses to user accounts with PowerShell or how to disable access to Microsoft 365 services with PowerShell.
Note
Changes can take up to 48 hours to go into effect.
Managing Copilot for Microsoft 365 E3/E5 Original subscriptions
Organizations with Microsoft 365 E3 or E5 Original subscriptions purchased through an Enterprise Agreement (EA) no longer need to use the Microsoft 365 E3 or E5 Extra Features license to manage Microsoft Copilot for their users. Because Copilot is now available at no additional charge to customers with a greater range of licenses, organizations with Original subscriptions can now use the 'Commercial data protection for Microsoft Copilot' service plan under their Office 365 license to manage Copilot for their users.
Require commercial data protection in Copilot
To ensure that your users have commercial data protection when they use Copilot, you need to:
- Enforce commercial data protection: Enable the 'Commercial data protection for Microsoft Copilot' service plan for your eligible users
- Prevent use of Copilot without commercial data protection: Update your DNS configuration by setting the DNS entry for www.bing.com to be a CNAME for nochat.bing.com
Note: Use a CNAME rather than the nochat.bing.com IP because the CNAME continues to work even if the IP for nochat.bing.com changes.
By taking these steps, you're requiring users to sign in to Copilot with their work or school account (Entra ID) so they receive commercial data protection. This configuration applies when accessing Copilot through bing.com/chat, Copilot in Edge, and Copilot in Windows.
For organizations that cannot change the DNS configuration as described above: Try one of two alternate strategies to enforce commercial data protection in Copilot:
Header solution. Append the following HTTP header to all outgoing requests to www.bing.com, edgeservices.bing.com, and copilot.microsoft.com:
x-ms-entraonly-copilot: 1
Firewall solution. Use your corporate firewall to do Destination Network Address Translation (DNAT) for www.bing.com and edgeservices.bing.com to nochat.bing.com. The Zscaler firewall does DNAT based on the hostname, so the DNAT IP address should be set to nochat.bing.com. Also, do DNAT for copilot.microsoft.com to cdp.copilot.microsoft.com.
Either of these methods ensure that users can only access Copilot while using their Entra ID, which thereby requires commercial data protection.
For users of copilot.microsoft.com and the Copilot mobile app: To ensure that your users have commercial data protection when they access Copilot through copilot.microsoft.com and the Copilot mobile app, the solution is similar:
- Enforce commercial data protection: Enable the 'Commercial data protection for Microsoft Copilot' service plan for your eligible users
- Prevent use of Copilot without commercial data protection: Update your DNS configuration by setting the DNS entry for copilot.microsoft.com to be a CNAME for cdp.copilot.microsoft.com
Copilot makes it clear that commercial data protection is turned on by featuring a unique design. Above the chat input box and on top of every chat answer, users see a message confirming 'Your personal and company data are protected in this chat.' Additionally, users see a green 'Protected' label next to their user profile icon and name at the top of the experience.
These configurations apply only when devices are connected to your corporate network. Copilot is a public service, like search, and remains available if accessed outside the corporate network.
To block access to Copilot in Edge only, see the Copilot in Edge documentation.
Note: Blocking the <www.bing.com> IP could also block other Microsoft domains.
Copilot in Edge and Windows
For information on how to manage Copilot in Edge, see the Copilot in Edge documentation.
For information on how to manage Copilot in Windows, see the Copilot in Windows documentation.