End-to-end trace of a single Copilot interaction — 11 steps across 3 trust boundaries with protocol-level detail at each hop.
Live Prompt Flow — 11-Step Lifecycle
User keystroke → Substrate record. Three boundaries: device · M365 service · sub-processor.
Speed:
Step 1 / 11
Trust boundaries (frame colors)
Firm perimeter
Internet transit
Azure / Microsoft
M365 tenant (DPA)
AOAI inference
Sub-processor
Flows & indicators
Data / records flow
Identity / token flow
Sub-processor egress
Active step (animated)
🔍Click for deep-dive
11-STEP LIFECYCLE
STEP 1 / 11
M365 phase mapping — Microsoft's published Copilot architecture uses 5 phases. The 11-step flow above maps as:
Edge & Identity (steps 1–4) ·
Routing entry (step 5) ·
Pre-processing (step 6) ·
Grounding (step 7) ·
Routing decision (step 8) ·
Inference (steps 9–10) ·
Compliance & Persistence (step 11). Padlock glyphs mark TLS / mTLS hops.
M365 Inference Path — Hub-and-Spoke View
Hub-and-spoke view of the Copilot orchestrator and the default M365 inference path. Five phases mapped to Microsoft's framing.
Step 1 / 5
Numbered phases (Microsoft's framing)
1User prompt
2Grounding (Graph)
3Modified prompt → LLM (default)
3′Alt path · sub-processor (Anthropic)
4LLM response
5Compliance + persist
Boundaries & encryption
Microsoft cloud
M365 tenant (DPA)
AOAI inference plane
Sub-processor (Anthropic)
TLS 1.3 · MTLS · token-bound
Alt path always visible (architectural reality)
5-PHASE LIFECYCLE
STEP 1 / 5
This view follows Microsoft's published Copilot architecture phrasing — five numbered phases centred on the Copilot Orchestrator. The Live Prompt Flow tab carries the regulator-grade 11-step lifecycle (auth chain, egress edge, per-step compliance citations). The Anthropic alt path (3′) is shown at all times because it is the only step that can exit Microsoft's perimeter — by default Copilot routes to Azure OpenAI inside Microsoft's cloud.
Auth Token Chain — 6 Nodes
Device-bound PRT through OBO exchange. Evidence path for NYDFS §500.12, SOX ITGC, ISO 27001 A.9.
Step 1 / 6
AUTH TOKEN CHAIN
STEP 1 / 6
Data Packets — Grounded Prompt Assembly
Graph retrieval under the user's effective permissions. Sensitivity labels read on every artefact.
Step 1 / 6
DATA PACKET ASSEMBLY
STEP 1 / 6
LLM Inferencing — Boundary Crossing & Enterprise Data Protection
The only segment that may cross into a sub-processor. Layered Enterprise Data Protection confidence model.
Step 1 / 7
INFERENCE PATH
STEP 1 / 7
Copilot CoWork — Firm Extension Layer
Not a Microsoft service. The firm's own orchestrator, sitting beside or in front of M365 Copilot. Firm-operated, firm-logged, firm-accountable.
Step 1 / 8
CoWork is the firm's responsibility, end-to-end.
Microsoft's DPA does not cover content that flows through CoWork. The firm is the processor. Where CoWork invokes a third-party model directly (not via Microsoft), the vendor relationship is the firm's, not Microsoft's. Where CoWork surfaces M365 Copilot via the M365 Gateway, the two boundaries meet at the gateway.
COWORK LIFECYCLE
STEP 1 / 8
Native Copilot vs. CoWork — what actually differs
| Dimension | Native M365 Copilot | Copilot CoWork |
|---|---|---|
| Who operates the orchestrator | Microsoft | The firm |
| Trust boundary applicable | M365 service trust boundary | Firm Azure tenancy + (optionally) M365 via Gateway |
| Contract governing data | Microsoft DPA + Online Services Terms | Firm's internal SDLC + firm vendor contracts |
| Where prompt/response is stored | User Substrate (Exchange hidden mailbox) | Firm SIEM + firm WORM archive |
| Discovery mechanism | Purview eDiscovery (Standard / Premium) | SIEM query + WORM export |
| Default retention horizon | User mailbox retention policy | 7 years (firm policy; ≥ 17a-4 floor) |
| Model providers reachable | Azure OpenAI · Anthropic (M365 Copilot); xAI is a separate, independent-processor path (Copilot Studio, US) | Any model the firm contracts with |
| Sub-processor accountability | Microsoft is processor; sub-processors flow down | Firm is processor; firm owns vendor management |
| Audit log channel | UAL CopilotInteraction · Defender XDR | Firm Sentinel workspace · firm SIEM |
| DLP / sensitivity-label propagation | Purview native | Firm-implemented in policy layer |
OBO mechanics in CoWork
- Audience: CoWork APIs validate audience strictly. Tokens for one resource never replay against another.
- Scopes: Downstream tokens minimum-scoped (Mail.Read, Sites.Read.All, Files.Read.All). Application permissions forbidden in user-context paths.
- Claims: oid, tid, ipaddr, device_id, amr validated at every hop. Mismatch → reject.
- Lifetime: 60–90 min default. Shorter via CA token-lifetime policy for high-sensitivity workloads.
- Risk re-evaluation: Mid-session risk-score change re-evaluates CA; high-risk blocks the OBO exchange.
Firm-side controls beyond Microsoft DPA
- SDLC + change management: every CoWork skill is firm-owned code; deployed under standard SDLC.
- Model risk inventory: SR 11-7 / OCC 2011-12 entry per skill, independent validation proportionate to materiality.
- WORM-archived prompt+response: 7-year retention. Discovery via firm SIEM, not Purview.
- TPRM for direct vendors: any model invoked directly (not via Microsoft) lives in the firm's third-party register.
- HITL gates: for trading / compliance / financial-reporting use cases.
Inference Boundary — Nested Trust Model
Three boundaries, three accountabilities. Step 9 of the lifecycle is the only one that may cross into a sub-processor.
User / Device
Steps 1–4
The firm is fully accountable. Conditional Access, MFA, compliant device, PRT.
M365 service
Steps 5–8, 10–11
Microsoft is the processor under the DPA. Customer Data covered; sub-processor list maintained.
Sub-processor
Step 9 only
Anthropic under DPA flow-down. Microsoft remains the contracting processor for M365 Copilot. xAI sits outside this boundary — independent processor, Copilot Studio only.
Purview & Regulatory Mapping
Logging channels, retention horizons, and the regulations they feed.
UAL · Activity index
Standard 180d · Premium 1y · 10y add-on
Operation, UserId, ClientIP, Workload, ObjectId, AppId. Not the regulated record.
Substrate · The artefact
User mailbox retention · Litigation Hold
Full prompt & response. Discovered via Purview eDiscovery. This is the regulated record.
CoWork · Firm WORM
7-year retention (firm policy)
Firm SIEM + WORM archive. Outside Microsoft DPA scope. Firm-owned discovery.
Architecture-to-obligation cross-reference
| Architecture element | Tier | Primary regulatory anchors |
|---|---|---|
| Entra ID + Conditional Access + PIM | Identity | NYDFS §500.7, §500.12; SOX §404 ITGC; ISO 27001 A.9 |
| Exchange / SharePoint / OneDrive / Teams (incl. Substrate) | Data | GDPR; SEC 17a-4(b)(4); FINRA 4511; MiFID II Art. 16(7) |
| Microsoft Purview suite | Compliance | GDPR; NYDFS §500.13; SEC 17a-4; FINRA 3110/4511 |
| UAL + Defender XDR + Entra logs | Telemetry | DORA Art. 12, 17–23; NYDFS §500.16/17; SOX ITGC |
| EUDB + Multi-Geo + Customer Lockbox | Residency | GDPR Chapter V; EDPB Schrems II; DORA Art. 28(7) |
| Copilot orchestrator | AI overlay | EU AI Act Art. 26; SR 11-7; OCC 2011-12 |
| Anthropic sub-processor path | AI overlay | GDPR; NYDFS §500.11; DORA Art. 28–30; firm DPIA |
| Copilot CoWork | Firm-operated | Full firm responsibility — SR 11-7, EU AI Act, GDPR, NYDFS §500.7/11/13/16, SEC 17a-4, FINRA 4511 |
Appendix
Sub-processor reference (M365 Copilot)
| Sub-processor | Role | Geographic scope | Firm posture |
|---|---|---|---|
| Microsoft (intra-company) | Operates Azure OpenAI; primary inference path. | Global, including EUDB | Default; included in core DPA. |
| Anthropic | Provides Claude models for Copilot inference. | Disabled by default in EU/EFTA/UK; default-on in US with admin opt-out. | Enabled only after DPIA + TPRM concurrence; pinned through admin policy. |
| xAI | Provides Grok models — independent processor, NOT under the Microsoft M365 DPA. Reachable via Copilot Studio integration only, not the M365 Copilot inference path. | US tenants only. | Treat as a firm direct vendor relationship: TPRM register, separate DPA/MSA, firm DPIA. Microsoft DPA flow-down does not apply. |
Other Foundry catalog models are not, today, confirmed M365 Copilot sub-processors with active DPA flow-down. Use under Azure terms is a separate firm vendor relationship.
Revision history
| Version | Date | Notes |
|---|---|---|
| 2.2 | 2026-05-05 | Audit-defensibility softeners: (a) Substrate persistence now qualified with “for Copilot experiences that support persistence” — not all Copilot surfaces persist identically; (b) Anthropic non-retention reframed at first assertion as “per Microsoft contractual commitments under the DPA” — contractual, not architecturally verifiable; (c) TLS / ExpressRoute path qualified with “where applicable / depends on tenant network design” — ExpressRoute does not extend end-to-end to model providers; (d) CoWork “full payload” framing scoped to regulatory recordkeeping and supervisory review, otherwise minimised per firm policy — addresses GDPR data minimisation. Companion DOCX additionally adds an “emerging behaviour” footnote on Copilot Memories (IPM.Contact items) since Microsoft documentation is still evolving. |
| 2.1 | 2026-05-05 | Labeling refinements for Legal/Audit clarity. Orchestrator now explicitly marked “Microsoft-managed routing — policy & safety enforced” on diagrams (reinforces that model choice does not bypass governance and that Anthropic is not directly user-addressable). “Content Safety / Prompt Filtering” relabeled as “Pre- & post-inference safety controls” to reflect the actual two-stage pipeline. AWS/GCP infrastructure naming intentionally omitted — regulators evaluate jurisdiction and contractual control, not hyperscaler branding. |
| 2.0 | 2026-05-05 | Fact-check pass against Microsoft Learn / Trust Center. xAI reclassified from M365 Copilot sub-processor to independent processor (Copilot Studio integration only, US tenants). Replaced "Zero Data Retention (ZDR)" with Microsoft's actual term "Enterprise Data Protection (EDP)" — covered by the DPA + Product Terms. Removed unconfirmed claim that Anthropic operates on AWS/GCP — Microsoft has not publicly disclosed the underlying cloud. JWT lifetime corrected to 60–90 min default. |
| 1.0 | 2026-05-05 | Initial release. 5 themes, 3 audience modes, animated Live Prompt Flow / Auth / Data / Inference / CoWork. Deep-dive overlays: Vendor Infra, GPT Tier 1, EUDB Tree, ZDR Layers, Logging & Retention, Foundry Catalog, CoWork Accountability. |
Local deployment
Single self-contained
Internet connectivity is needed only for the Tailwind / Lucide / Google Fonts CDNs. For air-gapped use, self-host those assets and update the
index.html. Open directly in any modern browser, or serve from any static host (Azure Static Web Apps, S3, Nginx).
Internet connectivity is needed only for the Tailwind / Lucide / Google Fonts CDNs. For air-gapped use, self-host those assets and update the
<link> / <script> srcs.