How to prevent use of Microsoft Copilot without commercial data protection with Netskope

  • 23 February 2024
  • 2 replies

Userlevel 1

Copilot with commercial data protection


To help business and educational organizations protect corporate data, Copilot adds commercial data protection when eligible users sign in with their work or school accounts (Entra ID).

Commercial data protection means user and organizational data are protected, prompts and responses are not saved, Microsoft has no eyes-on access, and chat data isn't used to train the underlying large language models. Unlike Copilot for Microsoft 365, Copilot has no access to organizational data in the Microsoft 365 Graph.

Commercial data protection applies to users with eligible work or school accounts wherever Copilot is available. (


One way to prevent the use of Copilot without commercial data protection is to update the DNS configuration by setting the DNS entry for to be a CNAME for But this will only work when the user is in the company network. 

However, we had the demand to prevent the use of Copilot without commercial data protection from anywhere. 

I was able to realize this with Netskope as follows:

Note: There is one Prerequisite: 'Commercial data protection for Microsoft Copilot' must be enabled in your Microsoft Tenant to enforce commercial data protection usage. 

  1. Make sure that Netskope does decrypt the SSL Traffic for the following URL’s:
  2. Create a new Cloud App for Microsoft Pilot
    • Go to Settings > Security Cloud Platform > App Definition
    • Click “New Cloud App” and configure the following:
      1. Application Name (can be any name, I used “Microsoft Copilot”)
      2. Connector
      3. Add new Domain 
        • Add the following 3 Domains to the Cloud App:
      4. Click Save
  3. Create a Header Insertion Profile

    • Go to Settings > Manage > Header Insertion

    • Click “New Header Insertion Profile” and configure the following

      1. Select the Cloud Application you have created earlier. (In my case it is [Microsoft Copilot])

      2. Select Custom as Header-Key-Value

      3. Enter x-ms-entraonly-copilot as header key

      4. Enter 1 as header value

      5. Click Save

  4. From now on Microsoft Copilot is only available with commercial data protection after login 

    • Logged out:

    • Logged in:


2 replies

Userlevel 4
Badge +17

Hi @MichaelL ,

Thank you for your valuable contribution to our Netskope Community! We're excited to see more of your exceptional work in the future. 🙂

Amazing article, many thanks for the detailed information, works perfect and it doesn’t requiere to apply any policy, just the steps on the post.