Deep dive on Copilots and Security

Microsoft Copilots

Microsoft Copilot isn’t a single service, but rather a suite of AI-powered assistants designed to enhance productivity and security across various Microsoft products and services. Here’s a breakdown of the different Copilots available:

  • Copilot for Azure:
    • Focus: Assists with Azure cloud development and management.
    • Function: Provides intelligent code completion, resource management suggestions, and infrastructure optimization recommendations.
  • Copilot for Dynamics 365:
    • Focus: Assists with customer relationship management (CRM) tasks in Dynamics 365.
    • Function: Offers data insights, automates repetitive tasks, and suggests next steps for sales and customer service interactions.
  • Copilot for Sales:
    • Focus: Specifically geared towards sales professionals within Microsoft products.
    • Function: Analyzes customer data, suggests personalized communication strategies, and automates sales workflows.
  • Copilot for Service:
    • Focus: Assists with customer service tasks within Microsoft products.
    • Function: Provides relevant customer data, suggests knowledge base articles, and automates repetitive service actions.
  • Security Copilot:
    • Focus: Improves security outcomes for security professionals.
    • Function: Analyzes data from various Microsoft security services, automates responses to incidents, and provides guidance to security analysts. (Now generally available)

Security Copilot architecture, I could write a whole series of Security Copilot, love it!

You have two different interfaces, Standalone ( and Embedded (directly in

  • Intune Copilot:
    • Focus: Assists with managing devices and security policies in Microsoft Intune.
    • Function: Provides insights into device configurations, helps generate compliant policies based on best practices, and helps summarize the impact of new policies.

M365 Copilot

Microsoft 365 Copilot is an intelligent assistant that leverages AI to enhance your workflow within various Microsoft 365 applications. Here’s a breakdown of its technical aspects:

  • Understanding Your Work:
    • Data Ingestion: Copilot taps into your emails, documents, chats, and other activities within Microsoft 365.
    • Natural Language Processing (NLP): It utilizes NLP techniques to analyze the meaning and context of your data, understanding your intent and needs.
  • Context-Aware Assistance:
    • Machine Learning (ML): Copilot employs machine learning models to personalize its suggestions and actions based on your work patterns, habits, and past interactions.
    • Predictive Capabilities: It can anticipate your needs and proactively surface relevant information, actions, or next steps within your workflow.
  • Powering Different Features:
    • Enhanced Search: Copilot refines search results by considering your context and past interactions, delivering more relevant information.
    • Smart Replies & Suggestions: It offers contextually-aware suggestions for email replies, documents, and other tasks, saving you time and effort.
    • Automation Workflows: Copilot can automate repetitive tasks based on your past behavior, streamlining your work.
  • Underlying Technology:
    • Microsoft Graph: Copilot leverages the Microsoft Graph, a comprehensive service that connects and indexes data across various Microsoft 365 applications, providing a centralized knowledge base.
    • Azure Artificial Intelligence (AI): It harnesses the power of Azure AI services like NLP and machine learning to analyze user data and generate intelligent recommendations.

What is Semantic Index?

The Microsoft 365 Copilot leverages a powerful semantic indexing technology to enhance your search experience and personalize your workflow within various Microsoft 365 applications. Here’s a detailed breakdown of its technical aspects:


  • Microsoft Graph: The semantic index builds upon the Microsoft Graph, a comprehensive service that connects and indexes data across different Microsoft 365 applications. This rich pool of information provides the foundation for understanding user activity and content within the M365 ecosystem.

Dual Indexing Approach:

  • User-Level Indexing: Copilot creates a personalized index for each user. This focuses on emails, documents they interact with, and content shared with them. It utilizes techniques like Named Entity Recognition (NER) and Natural Language Processing (NLP) to extract key concepts, people, locations, and other relevant entities from the user’s data. This personalized understanding allows Copilot to surface highly relevant information tailored to each user’s work needs and habits.
  • Tenant-Level Indexing (Optional): Additionally, the index can cover text-based SharePoint Online files accessible by multiple users within your organization (enabled through site inheritance). This broader organizational index provides access to company data, fostering collaboration and knowledge sharing. However, it only surfaces results to a specific user if they already have the necessary permissions to access the content, adhering to role-based access control (RBAC).

Vector Representations:

  • Beyond traditional keyword matching, the semantic index employs a technique called Vector Space Retrieval. Here, data points (documents, emails, etc.) are mapped into high-dimensional vector spaces. Similar concepts or entities are positioned closer together within this space. This allows Copilot to identify relationships between information elements, even if they don’t share identical keywords. Imagine a web of interconnected ideas, where Copilot can navigate these connections to find the most relevant results for your specific needs.

Machine Learning Integration:

  • The semantic index is further enhanced by machine learning (ML) algorithms. These algorithms are trained on user interactions, search queries, and other data points to continuously improve the accuracy and relevance of search results. Over time, Copilot learns your work style, preferences, and frequently used terminology, enabling it to anticipate your needs and proactively surface helpful information or suggestions.

Security baked in?

Well no but the same security constrains exist than with any other SaaS service.

By-default on Underlying Security Practices:

  • Data Access Control: Copilot adheres to strict role-based access control (RBAC) within Microsoft 365. This ensures the LLM only accesses and processes data you have permission to see. It can’t access information beyond your individual permissions or organizational boundaries.
  • Data Encryption: Data used by Copilot, including your emails, documents, and other activities, is encrypted at rest and in transit using industry-standard encryption protocols. This helps safeguard your information from unauthorized access.
  • Microsoft Cloud Infrastructure: Copilot runs on Microsoft’s secure and compliant cloud infrastructure. This infrastructure benefits from rigorous security measures, including physical security, background checks, and multi-layered security controls.

How to make it more secure?

But there are always ways to do more for security

Protect your data

I’m currently making SC-400 study content, which will cover the “Know and Protect your Data” concept.

Using SITs

And Sensitivity Labels

Also enable Encryption to those emails

Don’t forget Data Loss

Also cover those Endpoints

The traffic with In-browser protection

Plan you Identity governance

And hey, Machine Learning will also help in that!

Reviewers Get AI Help with Access Decisions

Machine learning helps reviewers grant access quickly and securely by suggesting approvals based on past decisions and organizational structure. This is just the first step towards AI-powered access management.

Inactive User Scoping: Cleaning Up Dormant Accounts

New “inactive user scoping” helps admins identify and remove dormant accounts that pose security risks. It goes beyond sign-ins to consider all user activity.


Monitor those actions, use Activity logs to understand what’s happening, who is is logging from where.

And hey, Machine Learning will help in that!

Microsoft will do their best.

  • Security Monitoring: Microsoft continuously monitors Copilot and its underlying systems for potential security vulnerabilities. They take proactive steps to address any identified threats and strengthen security measures over time.
  • Threat Modeling: Microsoft conducts regular threat modeling exercises to identify potential security risks associated with Copilot’s LLM. These exercises help mitigate risks and ensure the system’s overall security posture.

External resources

But you can do more for those Large Langue Models. See these excellent resources from Elli Shlomo


Super-charged next-gen version of Secure score, more comprehensive than ever.

Security Exposure Management actively gathers security posture information and insights from workloads such as:

  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Office
  • Microsoft Defender for IoT
  • Microsoft Secure Score
  • Microsoft Defender Vulnerability Management
  • Microsoft Defender for Cloud
  • Microsoft Entra ID
  • Microsoft Defender External Attack Surface Management (EASM)

And it’s friend CSPM

Defender for Cloud simplifies cloud security posture management (CSPM) by continuously assessing your resources across Azure, AWS, and GCP. It offers recommendations to improve your security posture and provides a score to track your progress.


Like we saw, there is a lot you do can for you SaaS GenAI and the components is uses to generate that information.

If you are developing your own solution for AI, you should also cover the infrastructure underneath, it’s a shared responsibility.

It’s not only about trusting the provider, they are doing their best but you must also.

Author: Harri Jaakkonen