Interactive walkthrough of how a prompt becomes a response inside Microsoft 365 Copilot. Animated 11-step lifecycle, auth-token chain, six trust boundaries, the Copilot CoWork extension layer, and a Purview / regulatory mapping built for deployment in globally large financial institutions. Companion to the M365 E5 Copilot Architecture research piece.
M365 Copilot + CoWork — Architecture Reference
G-SIFI reference edition · v2.2
End-to-end trace of a single Copilot interaction — 11 steps across 3 trust boundaries with protocol-level detail at each hop.
Live Prompt Flow — 11-Step Lifecycle
User keystroke → Substrate record. Three boundaries: device · M365 service · sub-processor.
Hub-and-spoke view of the Copilot orchestrator and the default M365 inference path. Five phases mapped to Microsoft's framing.
Numbered phases (Microsoft's framing)
1. User prompt
2. Grounding (Graph)
3. Modified prompt → LLM (default)
3′. Alt path · sub-processor (Anthropic)
4. LLM response
5. Compliance + persist
Boundaries & encryption
Microsoft cloud
M365 tenant (DPA)
AOAI inference plane
Sub-processor (Anthropic)
TLS 1.3 · MTLS · token-bound
Alt path always visible (architectural reality)
This view follows Microsoft's published Copilot architecture phrasing — five numbered phases centred on the Copilot Orchestrator. The Live Prompt Flow tab carries the regulator-grade 11-step lifecycle (auth chain, egress edge, per-step compliance citations). The Anthropic alt path (3′) is shown at all times because it is the only step that can exit Microsoft's perimeter — by default Copilot routes to Azure OpenAI inside Microsoft's cloud.
Auth Token Chain — 6 Nodes
Device-bound PRT through OBO exchange. Evidence path for NYDFS §500.12, SOX ITGC, ISO 27001 A.9.
Data Packets — Grounded Prompt Assembly
Graph retrieval under the user's effective permissions. Sensitivity labels read on every artefact.
LLM Inferencing — Boundary Crossing & Enterprise Data Protection
The only segment that may cross into a sub-processor. Layered Enterprise Data Protection confidence model.
Copilot CoWork — Firm Extension Layer
Not a Microsoft service. The firm's own orchestrator, sitting beside or in front of M365 Copilot. Firm-operated, firm-logged, firm-accountable.
CoWork is the firm's responsibility, end-to-end.
Microsoft's DPA does not cover content that flows through CoWork. The firm is the processor. Where CoWork invokes a third-party model directly (not via Microsoft), the vendor relationship is the firm's, not Microsoft's. Where CoWork surfaces M365 Copilot via the M365 Gateway, the two boundaries meet at the gateway.
Native Copilot vs. CoWork — what actually differs
| Dimension | Native M365 Copilot | Copilot CoWork |
| --- | --- | --- |
| Who operates the orchestrator | Microsoft | The firm |
| Trust boundary applicable | M365 service trust boundary | Firm Azure tenancy + (optionally) M365 via Gateway |
| Contract governing data | Microsoft DPA + Online Services Terms | Firm's internal SDLC + firm vendor contracts |
| Where prompt/response is stored | User Substrate (Exchange hidden mailbox) | Firm SIEM + firm WORM archive |
| Discovery mechanism | Purview eDiscovery (Standard / Premium) | SIEM query + WORM export |
| Default retention horizon | User mailbox retention policy | 7 years (firm policy; ≥ 17a-4 floor) |
| Model providers reachable | Azure OpenAI · Anthropic (M365 Copilot); xAI is a separate, independent-processor path (Copilot Studio, US) | Any model the firm contracts with |
| Sub-processor accountability | Microsoft is processor; sub-processors flow down | Firm is processor; firm owns vendor management |
| Audit log channel | UAL CopilotInteraction · Defender XDR | Firm Sentinel workspace · firm SIEM |
| DLP / sensitivity-label propagation | Purview native | Firm-implemented in policy layer |
OBO mechanics in CoWork
Audience: CoWork APIs validate audience strictly. Tokens for one resource never replay against another.
SDLC + change management: every CoWork skill is firm-owned code; deployed under standard SDLC.
Model risk inventory: SR 11-7 / OCC 2011-12 entry per skill, independent validation proportionate to materiality.
WORM-archived prompt+response: 7-year retention. Discovery via firm SIEM, not Purview.
TPRM for direct vendors: any model invoked directly (not via Microsoft) lives in the firm's third-party register.
HITL gates: for trading / compliance / financial-reporting use cases.
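The strict audience check from the "Audience" item above, as an added example (not code from this page or from any CoWork implementation): a receiving API accepts a token only when its `aud` claim exactly equals the API's own identifier, so a token minted for one resource fails at another. The `api://` identifiers, the key and the HS256 signing are constructed assumptions so the example runs offline; Entra ID access tokens are RS256-signed and would be verified against the tenant's published keys.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions, not from the page or any real tenant).
DEMO_KEY = b"demo-only-signing-key"
SKILL_AUD = "api://cowork-skill-research"
GATEWAY_AUD = "api://cowork-m365-gateway"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def mint(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 token for the demo (production tokens are RS256)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_sign(head + '.' + body, key))}"

def validate(token: str, key: bytes, expected_aud: str, now=None) -> dict:
    """Return the claims only if signature, expiry and audience all check out."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        sig_ok = hmac.compare_digest(_sign(f"{head}.{body}", key), _unb64(sig))
    except ValueError:
        raise PermissionError("malformed token") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise PermissionError("malformed token")
    if header.get("alg") != "HS256" or not sig_ok:
        raise PermissionError("bad signature or algorithm")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (now or time.time()):
        raise PermissionError("expired")
    # Strict audience: exact match on this API's own identifier. Prefix matches
    # and list-valued aud claims are refused so a sibling resource's token fails.
    if claims.get("aud") != expected_aud:
        raise PermissionError("audience mismatch")
    return claims
```

In an OBO exchange the middle tier runs this check on the inbound token first, then requests a new token whose audience is the downstream resource; it never forwards the inbound token.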
Inference Boundary — Nested Trust Model
Three boundaries, three accountabilities. Step 9 of the lifecycle is the only one that may cross into a sub-processor.
User / Device (Steps 1–4): The firm is fully accountable. Conditional Access, MFA, compliant device, PRT.
M365 service (Steps 5–8, 10–11): Microsoft is the processor under the DPA. Customer Data covered; sub-processor list maintained.
Sub-processor (Step 9 only): Anthropic under DPA flow-down. Microsoft remains the contracting processor for M365 Copilot. xAI sits outside this boundary — independent processor, Copilot Studio only.
Purview & Regulatory Mapping
Logging channels, retention horizons, and the regulations they feed.
UAL · Activity index (Standard 180d · Premium 1y · 10y add-on): Operation, UserId, ClientIP, Workload, ObjectId, AppId. Not the regulated record.
Substrate · The artefact (User mailbox retention · Litigation Hold): Full prompt & response. Discovered via Purview eDiscovery. This is the regulated record.
NYDFS §500.7, §500.12; SOX §404 ITGC; ISO 27001 A.9
Exchange / SharePoint / OneDrive / Teams (incl. Substrate) | Data | GDPR; SEC 17a-4(b)(4); FINRA 4511; MiFID II Art. 16(7)
Microsoft Purview suite | Compliance | GDPR; NYDFS §500.13; SEC 17a-4; FINRA 3110/4511
UAL + Defender XDR + Entra logs | Telemetry | DORA Art. 12, 17–23; NYDFS §500.16/17; SOX ITGC
EUDB + Multi-Geo + Customer Lockbox | Residency | GDPR Chapter V; EDPB Schrems II; DORA Art. 28(7)
Copilot orchestrator | AI overlay | EU AI Act Art. 26; SR 11-7; OCC 2011-12
Anthropic sub-processor path | AI overlay | GDPR; NYDFS §500.11; DORA Art. 28–30; firm DPIA
Copilot CoWork | Firm-operated | Full firm responsibility — SR 11-7, EU AI Act, GDPR, NYDFS §500.7/11/13/16, SEC 17a-4, FINRA 4511
Appendix
Sub-processor reference (M365 Copilot)
| Sub-processor | Role | Geographic scope | Firm posture |
| --- | --- | --- | --- |
| Microsoft (intra-company) | Operates Azure OpenAI; primary inference path. | Global, including EUDB | Default; included in core DPA. |
| Anthropic | Provides Claude models for Copilot inference. | Disabled by default in EU/EFTA/UK; default-on in US with admin opt-out. | Enabled only after DPIA + TPRM concurrence; pinned through admin policy. |
| xAI | Provides Grok models — independent processor, NOT under the Microsoft M365 DPA. Reachable via Copilot Studio integration only, not the M365 Copilot inference path. | US tenants only. | Treat as a firm direct vendor relationship: TPRM register, separate DPA/MSA, firm DPIA. Microsoft DPA flow-down does not apply. |
Other Foundry catalog models are not, today, confirmed M365 Copilot sub-processors with active DPA flow-down. Use under Azure terms is a separate firm vendor relationship.
Revision history
| Version | Date | Notes |
| --- | --- | --- |
| 2.2 | 2026-05-05 | Audit-defensibility softeners: (a) Substrate persistence now qualified with “for Copilot experiences that support persistence” — not all Copilot surfaces persist identically; (b) Anthropic non-retention reframed at first assertion as “per Microsoft contractual commitments under the DPA” — contractual, not architecturally verifiable; (c) TLS / ExpressRoute path qualified with “where applicable / depends on tenant network design” — ExpressRoute does not extend end-to-end to model providers; (d) CoWork “full payload” framing scoped to regulatory recordkeeping and supervisory review, otherwise minimised per firm policy — addresses GDPR data minimisation. Companion DOCX additionally adds an “emerging behaviour” footnote on Copilot Memories (IPM.Contact items) since Microsoft documentation is still evolving. |
| 2.1 | 2026-05-05 | Labeling refinements for Legal/Audit clarity. Orchestrator now explicitly marked “Microsoft-managed routing — policy & safety enforced” on diagrams (reinforces that model choice does not bypass governance and that Anthropic is not directly user-addressable). “Content Safety / Prompt Filtering” relabeled as “Pre- & post-inference safety controls” to reflect the actual two-stage pipeline. AWS/GCP infrastructure naming intentionally omitted — regulators evaluate jurisdiction and contractual control, not hyperscaler branding. |
| 2.0 | 2026-05-05 | Fact-check pass against Microsoft Learn / Trust Center. xAI reclassified from M365 Copilot sub-processor to independent processor (Copilot Studio integration only, US tenants). Replaced "Zero Data Retention (ZDR)" with Microsoft's actual term "Enterprise Data Protection (EDP)" — covered by the DPA + Product Terms. Removed unconfirmed claim that Anthropic operates on AWS/GCP — Microsoft has not publicly disclosed the underlying cloud. JWT lifetime corrected to 60–90 min default. |
Single self-contained index.html. Open directly in any modern browser, or serve from any static host (Azure Static Web Apps, S3, Nginx).
Internet connectivity is needed only for the Tailwind / Lucide / Google Fonts CDNs. For air-gapped use, self-host those assets and update the <link> / <script> srcs.