How M365 Copilot Works in 7 Layers — Free Mind Map
Visual walkthrough of M365 Copilot's hidden architecture — apps, identity, orchestrator, grounding (RAG), AI models, responsible AI. Free mind map.
Where does your prompt actually go? The 7 invisible layers between 'Summarise this' and the answer that comes back.
Frequently Asked Questions
Does Copilot send my data to OpenAI?
No. Your prompts and grounding data stay inside Microsoft's commercial boundary. Microsoft hosts the AI models in Azure OpenAI Service — your data is not used to train foundation models, is not sent to OpenAI, and is encrypted in transit and at rest.
What is grounding and why does it matter?
Grounding (Retrieval-Augmented Generation, or RAG) is the step where the orchestrator fetches relevant data from your Microsoft Graph — emails, files, chats, calendar — and adds it to your prompt before the AI model sees it. It's why Copilot can answer 'summarise the Q3 sales report' instead of guessing. Without grounding, Copilot would just be ChatGPT.
Do I need to configure anything for Copilot security?
Mostly no. Copilot inherits every Conditional Access policy, MFA requirement, DLP rule, and sensitivity label you already have. If a user is blocked from M365 by your existing policies, they're blocked from Copilot. The thing you DO need to review is permissions hygiene in SharePoint and OneDrive — Copilot sees what the user can see.
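The grounding step and the "Copilot sees what the user can see" rule from the answers above, as a simplified model added here (not Microsoft's code or API): retrieval is trimmed to the caller's permissions before anything reaches the prompt, so an overshared file becomes grounding data for every user. The users, groups, documents, ACLs and keyword scoring are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Doc:
    title: str
    text: str
    allowed: frozenset  # principals (users or groups) with read access

# Constructed sample tenant content; every name and ACL here is made up.
INDEX = [
    Doc("Q3 sales report", "Q3 sales grew 12% in EMEA", frozenset({"sales-team"})),
    Doc("Q3 salary review", "Q3 salary bands for sales staff", frozenset({"hr-team"})),
    # Overshared: readable by the tenant-wide group.
    Doc("Q3 board pack", "Q3 sales forecast and acquisition plan", frozenset({"Everyone"})),
]
GROUPS = {"alice": {"sales-team", "Everyone"}, "bob": {"Everyone"}}

def score(query, doc):
    """Toy relevance: number of query words found in the document."""
    words = set((doc.title + " " + doc.text).lower().split())
    return len(set(query.lower().split()) & words)

def ground(user, query, top_k=3):
    """Return the documents the orchestrator may add to this user's prompt."""
    principals = GROUPS.get(user, set()) | {user}
    # Security trimming: drop anything the caller cannot already read.
    visible = [d for d in INDEX if d.allowed & principals]
    hits = [d for d in visible if score(query, d) > 0]
    return sorted(hits, key=lambda d: -score(query, d))[:top_k]

def build_prompt(user, query):
    """Grounded prompt: retrieved context first, then the user's request."""
    context = "\n".join(f"[{d.title}] {d.text}" for d in ground(user, query))
    return f"Context:\n{context}\n\nUser request: {query}"

def overshared(broad=frozenset({"Everyone"})):
    """Permissions-hygiene check: documents readable by tenant-wide groups."""
    return [d.title for d in INDEX if d.allowed & broad]

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, [d.title for d in ground(user, "summarise the Q3 sales report")])
    print("review sharing on:", overshared())
```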
Which AI model does Copilot actually use?
Microsoft 365 Copilot uses a mix of OpenAI's GPT-4 family models hosted in Azure OpenAI, plus Anthropic Claude models for some scenarios since 2026. The orchestrator picks the right model for the task. You don't pick — and from your seat the experience is the same.