1. Licensing and Device Management
Licensing Onboarding
Before purchasing and onboarding any M365 Copilot licences, Local Admins must ensure that the following licensing and device management prerequisites are met:
Organisations onboarding M365 Copilot licences for NHS.net Connect users will need to opt in to Global Sensitivity Label Policy before onboarding any M365 Copilot licences. Once the organisation has been onboarded, all users will have the ability to access the sensitivity labels outlined in the table below.
- Users are licensed with M365 E3 base licence (part of Enhanced Service)
- Users are licensed with M365 Apps for Enterprise (part of Enhanced Service)
- All users with M365 Copilot licence must use MFA unless they have a short or long-term exception. Additionally, users within a Named Location will not be prompted for MFA; this is aligned to the NHS.net Connect MFA policy
- Organisations should securely manage users’ devices, either via NHS.net Connect Intune or a local device management solution
Endpoint Management
Access to the Microsoft 365 Copilot users should be scoped to corporate managed devices only preferably as follows:
- NHS.net Organisations Domain-joined devices
- NHS.net Connect Intune Entra-joined devices
- NHS.net Connect Intune Entra-hybrid-joined devices
- NHS.net Connect Intune Android / iOS Devices
Organisations that are not utilising NHS.net Connect Intune for their device management need to ensure that M365 Copilot licensed users access the platform from corporate devices.
2. Sensitivity Labels
Organisations onboarding M365 Copilot licences for NHS.net Connect users will need to opt in to Global Sensitivity Label Policy before onboarding any M365 Copilot licences. Once the organisation has been onboarded, all users will have the ability to access the sensitivity labels outlined in the table below.
Global Sensitivity Labels will be accessible by all users in your organisation, including those not being licensed with M365 Copilot
Organisations will need to follow the process as outlined in Sensitivity Labels Scope and Requirements..
The Global Sensitivity Policy contains the following Labels:
| Label Name | Description | Sub-label Name |
| General | This label does not apply any protection and is for labelling purposes only. It should be used to mark documents and emails that are not business records or sensitive. | N/A |
| Corporate
|
For information related to business processes, examples include Finance and Communications. |
|
| Official
|
For items which contain personal identifiable or business sensitive data. Commercial- or market-sensitive information, including that subject to statutory or regulatory obligations, which may be damaging to HMG or to a commercial partner if improperly accessed. |
|
| Official Sensitive
|
Sensitive company, client or customer personal data that can only be shared with a specific business need. Applies to data regulated by privacy laws including personnel financial information, and technical infrastructure documentation. | · Official Sensitive Recipients Have Full Control
· Official Sensitive Internal Use Editable · Official Sensitive Internal Use Read Only |
All content labelled as ‘Official Sensitive’ will be prevented from M365 Copilot Access
When sending Official Sensitive labelled documents via email, emails must also be labelled with Official Sensitive to ensure attachment content is not accessible by M365 Copilot.
You can view the detailed information on the labels and their functionality in this support article.
3. Networking Requirements
M365 Copilot is integrated with Microsoft 365 applications and uses the same network connections and endpoints that Microsoft 365 apps use. Local Admins must ensure the following configuration settings are applied before onboarding M365 Copilot licences.
| Category | Local Admin Actions | Configuration Settings |
| Network endpoint requirements | Organisations must ensure that their baseline network configuration is configured to allow Microsoft 365 endpoints. | Allow the worldwide Microsoft 365 URLs and IP address ranges.
Allow the Copilot Chat network requirements. Block traffic to the following domains: copilot.microsoft.com, *.copilot.microsoft.com |
| WebSockets (WSS) protocol requirements | Verify the network supports full WSS connectivity from user devices running Microsoft 365 applications to the following domains. | Microsoft 365 Copilot enterprise experiences: *.cloud.microsoft, *.office.com
Other Copilot experiences, including consumer: *.bing.com, copilot.microsoft.com, *.copilot.microsoft.com We suggest reviewing the Copilot Chat network requirements.
|
| Fully Qualified Domain Names (FQDNs) and subdomains | Because of its large scale and dynamic services, Microsoft 365 cannot list specific FQDNs for individual features. Providing such details would lead to complex configurations, frequent network changes, and connectivity issues. | When you review and implement the recommended network configurations, consider all the FQDNs and subdomains where wildcards are specified. |
4. Software
The tables below show the different M365 Copilot applications available, along with the necessary configurations for both tenant and user levels, which are managed by local organisations.
Microsoft 365 Apps
| NHS.net Connect Users | MoSCoW | NHS.net Connect Tenant | Action Required by Your Org |
| NHS.net user must have Office on the web enabled. | Must | The licensing of a base licence is managed via the NHS portal. | · Third-party cookies need to be enabled for M365 Copilot to function in Word Online, Excel Online, and PowerPoint Online.
· Privacy controls must be on for M365 Copilot features to work. |
Microsoft Outlook
| NHS.net Connect Users | MoSCoW | NHS.net Connect Tenant | Action Required by Your Org |
| M365 Copilot works with Outlook on the web, New Outlook for Windows, new Outlook for Mac, and Outlook for Mobile. | Should | All nhs.net users are enabled for Exchange Online as a default. | · To benefit from M365 Copilot in Outlook, users must have the latest version of Outlook.
· New Outlook offers the latest features for M365 Copilot and is the recommended option for end users. · Classic Outlook should have minimum build (Current or Monthly enterprise channel) as follows: · Summarise: 16.0.17028.10000+ · Coaching by M365 Copilot: 16.0.17231.20182+ · Draft with M365 Copilot: 16.0.17425.20174+ · Microsoft 365 Copilot is only supported on primary mailboxes that are hosted on Exchange Online. It isn’t available on a user’s archive mailbox, group mailboxes, or shared and delegate mailboxes that they have access to. |
Microsoft OneDrive for Business
| NHS.net Connect Users | MoSCoW | NHS.net Connect Tenant | Action Required by Your Org |
| Some features in M365 Copilot, such as file restore and OneDrive management, require that nhs.net users have a OneDrive for Business account. | Should | The licensing of a base licence is managed via the NHS portal. | · Ensuring that the users are licensed. |
Microsoft Teams
| NHS.net Connect Users | MoSCoW | NHS.net Connect Tenant | Action Required by Your Org |
| Users must be enabled for Microsoft Teams to use M365 Copilot features in Teams. | Must | The licensing of a base licence is managed via the NHS portal.
M365 Copilot in Teams is effective with Teams meetings with Transcription and Recording features. Both features are enabled in the global policies. |
· Ensuring that the users are licensed.
· To ensure, that M365 Copilot users can use M365 Copilot features in Teams, should have transcription enabled. |
Microsoft Teams Phone
| NHS.net Connect Users | MoSCoW | NHS.net Connect Tenant | Action Required by Your Org |
| M365 Copilot in Teams Phone supports VOIP and PSTN calls. | Cloud | The licensing of a base licence is managed via the NHS portal.
M365 Copilot in Teams Phone is effective with Teams Transcription and Recording features. Both features are enabled in the global policies.
|
· Ensuring that their users are licensed. To use Teams Phone PSTN features, organisations must be onboarded for the Phone System.
· Manage Microsoft 365 Copilot in Teams meetings and events – Microsoft Teams | Microsoft Learn |
Microsoft Loop
| NHS.net Connect Users | MoSCoW | NHS.net Connect Tenant | Action Required by Your Org |
| To use M365 Copilot features in Microsoft Loop, users must be enabled for Loop. | Must | Microsoft Loop is enabled by default for all users at tenant level, as part of the NHS.net Connect Enhanced Service, without any toggle in the NHS.net Connect portal.
For NHS.net Connect Standard Service, limited Loop functionality is available without a licence. |
· None |
Microsoft Whiteboard
| NHS.net Connect Users | MoSCoW | NHS.net Connect Tenant | Action Required by Your Org |
| To use M365 Copilot features in Whiteboard, users need to be enabled for Microsoft Whiteboard. | Must | The licensing of a base licence is managed via the NHS portal.
|
· Ensuring that the users are licensed. |
Microsoft 365 Apps for Enterprise
| NHS.net Connect Users | MoSCoW | NHS.net Connect Tenant | Action Required by Your Org |
| To use M365 Copilot with M365 Apps for Enterprise (desktop applications), users must have M365 Apps enterprise licence assigned. | Must | M365 Apps for Enterprise is supported as a BYOL add-on licence and assigned via the NHS portal. | · Organisation must onboard M365 Apps for Enterprise as a BYOL licence (add-on or EA licence).
· To use M365 Copilot, devices must be on Current or monthly update channel for Microsoft 365 Apps. · M365 Copilot is unavailable with device-based licensing for Microsoft 365 Apps for enterprise. |
| Last Reviewed Date | 08/08/2024 |
