Microsoft Copilot for Business: What Happens to Your Data

Microsoft Copilot data privacy explained. Copilot in Edge vs Microsoft 365 Copilot vs Azure OpenAI and what each means for your business data.

The Most Confusing AI Product Line

Microsoft has done something uniquely frustrating: they've attached the name "Copilot" to at least three different products with three different data policies. We've had clients tell us they "have Copilot" without knowing which one, and the privacy implications are very different.

Let me untangle this.

Copilot in Bing/Edge (Free)

This is the Copilot that's built into Microsoft Edge and available at copilot.microsoft.com. It's free, it's powered by GPT-4, and it's essentially a consumer product.

Data policies here are similar to any free AI tool: your conversations may be used for product improvement, there are no admin controls, and there's no business data protection. Microsoft's Copilot in Edge also integrates web search, meaning your queries are hitting Bing's infrastructure as well.

WARNING

Employees may think that because it says "Microsoft" and it's built into their work browser, it's safe for business data. It is not. Free Copilot in Edge should be treated the same as any other free consumer AI tool.

Microsoft 365 Copilot ($30/user/month)

This is Microsoft's flagship business AI product, and it's fundamentally different from the free version. Here's why:

Free Copilot (Bing/Edge)

Consumer product

  • Data may be used for product improvement
  • No admin controls or governance
  • No compliance certifications
  • No data loss prevention policies
  • Web search queries hit Bing infrastructure

M365 Copilot ($30/user/mo)

Enterprise product

  • Data stays in your M365 tenant
  • Inherits M365 compliance certifications (SOC 2, HIPAA, GDPR)
  • Data is not used for training foundation models
  • Sensitivity labels and DLP policies apply
  • Full admin controls via M365 Admin Center

M365 Copilot integrates directly into the tools your team already uses: Word, Excel, PowerPoint, Outlook, Teams. It can draft emails, summarize meetings, create presentations from documents, and analyze spreadsheet data, all within your secured M365 environment.

PREREQUISITES

M365 Copilot requires Microsoft 365 Business Standard, Business Premium, E3, or E5 licenses. You can't add it to basic Microsoft 365 plans.

Azure OpenAI Service

Azure OpenAI is a different product entirely. It's an enterprise API platform that gives you access to GPT-4, GPT-4o, and other OpenAI models through Microsoft's Azure cloud infrastructure.

  • Zero data retention option: You can configure Azure OpenAI with a zero-data-retention policy, meaning your prompts and completions are processed and immediately discarded.
  • HIPAA eligible with BAA: Azure OpenAI can be included in a Microsoft BAA, making it one of the few AI platforms suitable for processing Protected Health Information.
  • Full Azure compliance framework: Inherits Azure's extensive compliance certifications (SOC 1/2/3, ISO 27001, HIPAA, FedRAMP, and more).
  • Network isolation: Can be deployed within your Azure Virtual Network for complete network-level isolation.

Azure OpenAI is for organizations that need maximum control, are building custom AI applications, or operate in highly regulated industries. It's not a consumer product. It requires Azure infrastructure and development resources to implement.

The Biggest Risk with Copilot

The biggest risk with M365 Copilot isn't data leaving Microsoft. It's data being surfaced to the wrong people inside your organization.

M365 Copilot has access to everything a user has access to: emails, documents, SharePoint sites, Teams chats. It synthesizes information across all of these sources to generate responses. That means:

  • If your SharePoint permissions are messy (and most are), Copilot will surface documents that users technically have access to but weren't supposed to see.
  • If HR documents are stored on a SharePoint site with overly broad permissions, Copilot could summarize salary data, performance reviews, or termination plans for anyone who asks the right question.
  • If former employees' accounts still have delegated access to mailboxes or shared drives, Copilot inherits that access too.

THE OVERSHARING PROBLEM

This is the number one issue we address when helping clients deploy M365 Copilot. Before you turn on Copilot, you need to clean up your permissions.

Here's the pre-deployment checklist we recommend:

  1. Audit SharePoint and OneDrive permissions: Review permissions across all sites. Identify overly broad access grants.
  2. Restrict broad sharing links: Review and remove "Everyone" or "Everyone except external users" sharing links.
  3. Apply sensitivity labels: Tag confidential documents with Microsoft sensitivity labels to control access.
  4. Remove stale access: Revoke access from former employees, expired contractors, and orphaned accounts.
  5. Enable Microsoft Purview: Configure Purview for ongoing data governance, classification, and monitoring.
  6. Run a pilot first: Start with a small group before rolling out company-wide. Monitor what Copilot surfaces.
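The checks in steps 2 to 4 of the checklist above can be run as a triage pass over a permissions export before the pilot. The following is an added example, not code from the original article or from Microsoft; the CSV column layout, file names, and accounts are constructed assumptions, and a real export would need to be mapped into this shape.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: a flattened permissions export, one row per grant.
# The column layout is an assumption for this example, not a Microsoft format.
SAMPLE_EXPORT = """site,item,principal,account_enabled,sensitivity_label
HR,Salaries-2024.xlsx,Everyone except external users,true,
HR,Salaries-2024.xlsx,hr-team@example.com,true,
HR,Termination-plan.docx,j.doe@example.com,false,Confidential
Sales,Pricing.pptx,Everyone,true,General
Sales,Pipeline.xlsx,sales-team@example.com,true,General
"""

# Tenant-wide principals named in step 2 of the checklist.
BROAD_PRINCIPALS = {"everyone", "everyone except external users"}


def audit(export_text):
    """Return {(site, item): sorted list of finding codes} for risky items."""
    findings = defaultdict(set)
    labels = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["site"], row["item"])
        labels[key] = row["sensitivity_label"].strip()  # label is per item
        if row["principal"].strip().lower() in BROAD_PRINCIPALS:
            findings[key].add("BROAD_GRANT")      # step 2: broad sharing
        if row["account_enabled"].strip().lower() == "false":
            findings[key].add("STALE_ACCOUNT")    # step 4: stale access
    for key in findings:
        # Step 3: broad access on an item that carries no sensitivity label.
        if "BROAD_GRANT" in findings[key] and not labels[key]:
            findings[key].add("UNLABELED_AND_BROAD")
    return {key: sorted(codes) for key, codes in findings.items()}


def prioritized(export_text):
    """Items ordered by number of findings, worst first, then by name."""
    result = audit(export_text)
    return sorted(result, key=lambda k: (-len(result[k]), k))


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for key in prioritized(SAMPLE_EXPORT):
        print(f"{key[0]}/{key[1]}: {', '.join(report[key])}")
```

Items that come out first in the ordering are the ones to fix before any user in the pilot group gets Copilot.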

Copilot + Your Microsoft Stack

If your business already runs on Microsoft 365 Business Premium or E3/E5, M365 Copilot is the natural choice. It plugs directly into the tools your team uses daily, it inherits your existing security posture, and there's no additional infrastructure to manage.

But the setup matters. We've seen companies flip the switch on Copilot without doing the permissions work first, and the result is always the same: someone discovers they can ask Copilot to "summarize all recent HR documents" and gets back information they should never have seen.

BOTTOM LINE

The technology is solid. The implementation is where it succeeds or fails.

Which Copilot Do You Need?

  • Free: Copilot in Bing/Edge, personal use only
  • $30/mo: M365 Copilot per user, business teams
  • Usage: Azure OpenAI, regulated industries & custom apps

Product              Cost          Data Training          Best For
Copilot (Bing/Edge)  Free          May be used            Personal use only
M365 Copilot         $30/user/mo   Not used               M365 businesses (5-500+)
Azure OpenAI         Usage-based   Not used (ZDR option)  Custom apps, regulated industries

Need help figuring out your Copilot strategy? Compare all providers in our Provider Privacy Matrix, or schedule a discovery call and we'll build a deployment plan that accounts for your permissions, compliance requirements, and budget.
