
Netskope Global Technical Success (GTS)

Microsoft 365 Copilot (Corporate) - Allow Only Corporate Instance

 

Netskope Cloud Version - 129

 

Objective

Microsoft 365 Copilot (Corporate) - Allow Only Corporate Instance

 

Prerequisite

Netskope Next-Gen SWG license is required

 

Context

Microsoft 365 customers want their end users to access Microsoft Copilot, but only the organization's own instance. All other Microsoft Copilot instances should be blocked.

 

Do You Know?

Microsoft Copilot is available in Personal and Corporate editions. Netskope has two predefined cloud app connectors for Microsoft Copilot:

  • Microsoft Copilot, for Personal instances
  • Microsoft 365 Copilot, for Corporate instances

 

Author Notes

  • Microsoft is integrating Copilot capabilities at the operating system level, within Office apps, the Edge browser, and many other applications. This article focuses specifically on browser-based traffic directed to Microsoft 365 Copilot, and highlights the types of traffic where SSL decryption is possible.
  • It is recommended to review the parent (foundation) article first.

 

  • Since this article is about Microsoft 365 Copilot, a few details need to be understood first.
  • Microsoft 365 Copilot cloud app connector


  • With the current Microsoft 365 Copilot cloud app connector, the ‘Post’ activity is detected only in DLP (Data Loss Prevention) use cases. It is not detected in non-DLP scenarios.
  • To enable detection of non-DLP ‘Post’ activities in Microsoft 365 Copilot, the ‘WebSocket for Non-DLP Activities’ feature flag must be enabled for each individual tenant.

Note - Raise a support case with Netskope GTS (Case Type - How-to-Question) to enable the ‘WebSocket for Non-DLP Activities’ feature flag.

 

Configuration

To implement this use case, four distinct policies are required.

Given that Netskope enforces policies in top-down order, the policies should be configured in the following sequence:

  • Policy 1: Allow or monitor activity specific to the corporate instance of Microsoft Accounts.
  • Policy 2: Block Post activity on Non-Corporate Instance of Microsoft 365 Copilot.
  • Policy 3: Allow user traffic going to Microsoft 365 Copilot URLs, based on specific HTTP referrer headers.
  • Policy 4: Block access to the broader Generative AI category, while making an exception for the corporate Microsoft 365 Copilot URLs (copilot.cloud.microsoft and m365.cloud.microsoft/chat).

 

Let’s start configuring Real-time Protection policies

Policy 1: Allow activity specific to the corporate instance of Microsoft Accounts.

Step 1 - Instance Mapping for the Microsoft 365 Copilot (Corporate) organization account.

 

Step 2 - Real-time protection policy

Path: Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy


 

 

Policy 2: Block Post activity on Non-Corporate Instance of Microsoft 365 Copilot

In addition to Policy 1, this policy blocks Post activities from all instances of Microsoft 365 Copilot except the organization’s own instance.

 

 

Policy 3: Allow user traffic going to Microsoft 365 Copilot URLs, based on specific HTTP referrer headers.

  • The Microsoft 365 Copilot application relies on a few Microsoft 365 back-end services for login and for the Copilot Post activity. These are not user-facing sites; instead, Microsoft 365 apps and services communicate with them in the background.
  • The following URLs also need to be allowed when the Microsoft 365 Copilot application references them during transactions (that is, when the HTTP Referer header is one of the Copilot URLs):
      • substrate.office.com
      • events.data.microsoft.com
      • res.public.onecdn.static.microsoft
      • login.microsoftonline.com
      • www.microsoft.com

 

Application Events reference for a few of these URLs:

 

Step 1 - Create an HTTP Header profile for the Microsoft 365 Copilot URLs (copilot.cloud.microsoft and m365.cloud.microsoft)

Path: Netskope Tenant UI >>> Policies >>> HTTP Header


 

Step 2 - Create a custom URL category for the URLs listed above

Path: Netskope Tenant UI >>> Profiles >>> URL Lists


 

Path: Netskope Tenant UI >>> Profiles >>> Custom Categories


 

Step 3 - Create a Real-Time Protection Policy

Path: Netskope Tenant UI >>> Policies >>> Real-time Protection


 

Policy 4: Block access to the broader Generative AI category, while making an exception for the corporate Microsoft 365 Copilot URLs

Step 1 - Create a custom URL category containing the Microsoft 365 Copilot URLs below, to be used as an exclusion from the Generative AI category

  • copilot.cloud.microsoft
  • m365.cloud.microsoft

Path: Netskope Tenant UI >>> Policies >>> Profiles >>> URL Lists

 

Path: Netskope Tenant UI >>> Policies >>> Profiles >>> Custom Categories

 

Step 2 - Real-time protection policy

Path: Netskope Tenant UI >>> Policies >>> Real-time Protection >>> New Policy


 

Policy Order:

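To make the top-down evaluation concrete, here is an added Python model of the four policies (example code, not Netskope's product or API): each policy is a predicate plus an action, the first match decides, and the verification cases mirror the Verification section below. The instance ids contoso.example and other.example, the copilot.microsoft.com host used for personal Copilot, the fall-through default action of allow, and the field names on Request are assumptions.

```python
from dataclasses import dataclass
CORP_INSTANCE = "contoso.example"  # constructed: the sanctioned org instance
COPILOT_URLS = ("copilot.cloud.microsoft", "m365.cloud.microsoft")
COPILOT_BACKEND = ("substrate.office.com", "events.data.microsoft.com",
                   "res.public.onecdn.static.microsoft",
                   "login.microsoftonline.com", "www.microsoft.com")

@dataclass
class Request:
    host: str
    category: str = ""        # URL category as the proxy classifies the host
    app: str = ""             # cloud app connector that matched, if any
    instance: str = ""        # instance id after instance mapping
    activity: str = "Browse"  # e.g. Browse, Login, Post
    referer: str = ""         # host taken from the HTTP Referer header

# (name, predicate, action) in the article's order; first match decides.
POLICIES = [
    ("Policy 1", lambda r: r.app == "Microsoft 365 Copilot"
     and r.instance == CORP_INSTANCE, "allow"),
    ("Policy 2", lambda r: r.app == "Microsoft 365 Copilot"
     and r.activity == "Post" and r.instance != CORP_INSTANCE, "block"),
    ("Policy 3", lambda r: r.host in COPILOT_BACKEND
     and r.referer in COPILOT_URLS, "allow"),
    ("Policy 4", lambda r: r.category == "Generative AI"
     and r.host not in COPILOT_URLS, "block"),
]

def evaluate(req, policies=POLICIES, default="allow"):
    """Return (policy name, action) from the first matching policy."""
    for name, matches, action in policies:
        if matches(req):
            return name, action
    return "default", default  # assumption: no catch-all policy configured

def verification_cases():
    # The article's verification scenarios plus one Referer edge case.
    m365 = dict(app="Microsoft 365 Copilot", category="Generative AI")
    return {
        "post, sanctioned account": evaluate(Request(
            "m365.cloud.microsoft", instance=CORP_INSTANCE, activity="Post", **m365)),
        "post, other corporate account": evaluate(Request(
            "m365.cloud.microsoft", instance="other.example", activity="Post", **m365)),
        "personal Copilot": evaluate(Request(
            "copilot.microsoft.com", category="Generative AI", app="Microsoft Copilot")),
        "backend with Copilot referer": evaluate(Request(
            "substrate.office.com", referer="copilot.cloud.microsoft")),
        "backend without referer": evaluate(Request("substrate.office.com")),
    }
```

The last case shows why Policy 3 keys on the Referer header: the same back-end host without a Copilot referer is not matched by Policy 3 and falls through to whatever follows it.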

 

Verification

  • Try posting on Microsoft 365 Copilot using any other corporate account:

 

Path: Netskope Tenant UI >>> Skope IT >>> Alerts


 

  • Try posting on Microsoft 365 Copilot using the sanctioned organization account:

 

Path: Netskope Tenant UI >>> Skope IT >>> Alerts


 

  • Try accessing Microsoft Copilot (Personal) using a personal account:

The action will be blocked.

  • Try accessing any other Generative AI app, e.g. ChatGPT:

The action will be blocked.

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.

 
