[Security: Copilot] How To Block Bring Your Own Copilot For Work 

15-07-2026

In this blogpost we're going to talk about blocking bring your own Copilot (BYOC) on work documents. What is BYOC and why should we allow or block this?


1. What Is Bring Your Own Copilot?

Imagine you have a personal, family or premium M365 subscription with Copilot and you want to use the Copilot feature in your work environment. Microsoft allows you to sign into Microsoft 365 apps with both work and personal accounts so you are able to use this Copilot to work on work documents. By default this option is enabled unless you are a Microsoft 365 GCC, GCC high, DoD or Microsoft 365 operated by 21Vianet.

With BYOC you are able to work on your work documents using your personal Copilot. For example it can assist you editing documents in Word or Excel. Other things it can do (source MS Learn):


1.1 So, That's Great Right? How About Security?

From a security perspective, the following Microsoft Copilot security guard rails are still enabled when you use this personal feature:

  • All data that Copilot processes is secured within the Microsoft cloud with data encrypted both ways;

  • Microsoft does not use your tenant's content or Copilot interactions to train its AI models;

  • Existing inheritance, sensitivity labels and retention policies are fully respected by Copilot. Users only see content they are authorized to access;

  • Built-in defenses against prompt injection, data exfiltration and generating malicious content remain active;

  • All Copilot-related actions are captured and traceable in the audit logs.

So, when reading the above, it's safe to have this enabled right?

From an identity & access and governance perspective I recommend turning this feature off but this is closely related to the governance and how your organization plans to adopt AI tools.

I believe that several considerations play an important role:

  • If this feature is enabled while other private or personal AI tools (such as Claude or ChatGPT) are not allowed, it effectively introduces a personal Copilot experience into the organization. This can be difficult to justify to employees who are restricted from using other personal AI assistants;

  • AI adoption planning is essential. The feature should fit within the defined AI adoption strategy: for example, whether only full enterprise licenses are permitted or whether personal accounts and individual AI tools are also allowed.

Disabling this feature can reduce confusion around AI usage and strengthen organizational governance, but this al depends on your AI strategy. When only managed (paid) licenses are allowed, it becomes easier to maintain control over who uses Copilot, which AI tools are deployed/you want to deploy and how they are governed within your work environment.


2. How Do I Turn This Off?

Follow these steps to disable this feature:

Option 1:

Browse to the Microsoft Intune admin center (https://intune.microsoft.com/)

Select "Apps" -> "Policies for Microsoft 365 apps"

Option 2:

Browse to the Microsoft 365 Apps admin center (https://config.office.com/officeSettings)

Select "Customization"  -> "Policy Management"

Select the default policy or create one.

Name the policy and select "Next"

Select the scope. The default policy is already applied to all users. Select "Next"

Search for "Copilot" in the search field and select "Multiple account access to Copilot for work documents"

Set the "Configuration setting" to "Disabled"

Select "Next" and click on "Update" or "Create" depending on the policy. 


3. Wrap Up

Like already described above, enabling or disabling this feature depends on your organization current stage of AI adoption and governance. I recommend a guided and controlled rollout of AI within your organization with every security and compliance aspect reviewed. My advice is to always keep personal and corporate accounts separated from each other.

Share