Microsoft 365 Copilot

Microsoft 365 Copilot integrates AI across Word, Excel, PowerPoint, Outlook, and Teams. Copilot's LLM traffic flows through Azure OpenAI Service endpoints. By routing custom Azure OpenAI deployments through the Keeptrusts gateway, you apply policy controls — content filtering, PII redaction, audit logging, and cost attribution — to AI workloads that extend or complement Copilot.

Microsoft 365 Copilot's built-in functionality uses Microsoft's managed Azure infrastructure and cannot be directly rerouted at the application level. This guide covers governance for custom Azure OpenAI deployments that power Copilot plugins, extensions, and custom AI applications within the Microsoft 365 ecosystem.

Use this page when

  • You are building Copilot plugins or extensions that call Azure OpenAI and need governance.
  • You need to route custom Azure OpenAI deployments through the Keeptrusts gateway.
  • If you need full Azure OpenAI provider configuration, see Azure OpenAI integration.

Primary audience

  • Primary: Technical Engineers
  • Secondary: AI Agents, Technical Leaders

Prerequisites

  • An Azure OpenAI Service deployment
  • Azure OpenAI API key or Azure AD token
  • Keeptrusts CLI (kt) installed and on your PATH
  • AZURE_OPENAI_API_KEY and AZURE_OPENAI_ENDPOINT exported

Configuration

Gateway policy config

pack:
  name: copilot-azure-gateway
  version: 1.0.0
  enabled: true
providers:
  targets:
    - id: azure-copilot
      provider: azure-openai:chat:gpt-4o
      base_url: ${AZURE_OPENAI_ENDPOINT}
      secret_key_ref:
        env: AZURE_OPENAI_API_KEY
policies:
  chain:
    - prompt-injection
    - pii-detector
    - dlp-filter
    - audit-logger
  policy:
    prompt-injection:
      threshold: 0.8
      action: block
    pii-detector:
      action: redact
      entities:
        - EMAIL
        - PHONE
        - SSN
        - CREDIT_CARD
    dlp-filter:
      patterns:
        - name: internal-project-codes
          regex: "PROJ-[0-9]{4,}"
          action: redact
    audit-logger:
      immutable: true
      retention_days: 365
      log_all_access: true
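
To check what the dlp-filter pattern above catches before relying on it, the following added example (not Keeptrusts code) runs the page's regex over constructed prompts locally. It assumes unanchored, case-sensitive matching like Python's `re`; the `[REDACTED:...]` marker, the sample prompts and the `WIDENED` pattern are illustrative assumptions, not gateway behaviour.

```python
import re

# Pattern copied from the dlp-filter policy in the gateway config above.
PAGE_PATTERNS = {"internal-project-codes": r"PROJ-[0-9]{4,}"}

# Assumption: a widened variant for comparison (case-insensitive, optional
# separator, word boundaries). Confirm your gateway's regex dialect supports
# inline flags before using it in policy-config.yaml.
WIDENED = {"internal-project-codes": r"(?i)\bPROJ[-_ ]?[0-9]{4,}\b"}

# Hypothetical marker; the gateway's real redaction output is not shown on the page.
MARKER = "[REDACTED:{name}]"


def redact(text, patterns=PAGE_PATTERNS):
    """Replace every match of each pattern; return (redacted_text, names_that_hit)."""
    hits = []
    for name, rx in patterns.items():
        text, count = re.subn(rx, MARKER.format(name=name), text)
        if count:
            hits.append(name)
    return text, hits


# Constructed prompts: (text, whether it contains a project code that must not leave).
SAMPLES = [
    ("Summarise status of PROJ-20417 for the board.", True),
    ("Draft an email about proj-20417 delays.", True),      # lowercase
    ("Compare PROJ 20417 and PROJ_20418 budgets.", True),   # other separators
    ("Summarise the action items from this meeting.", False),
]


def missed(patterns=PAGE_PATTERNS, samples=SAMPLES):
    """Return the prompts that contain a code but pass through unredacted."""
    return [text for text, sensitive in samples
            if sensitive and not redact(text, patterns)[1]]


if __name__ == "__main__":
    for label, pats in (("page pattern", PAGE_PATTERNS), ("widened", WIDENED)):
        print(label, "misses:", missed(pats))
```

Replace the constructed prompts with the ways project codes really appear in your documents, and rerun the check whenever the pattern list changes.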

Multi-model config for Copilot extensions

pack:
  name: copilot-multi-model
  version: 1.0.0
  enabled: true
providers:
  targets:
    - id: azure-gpt4o
      provider: azure-openai:chat:gpt-4o
      base_url: ${AZURE_OPENAI_ENDPOINT}
      secret_key_ref:
        env: AZURE_OPENAI_API_KEY
    - id: azure-gpt4o-mini
      provider: azure-openai:chat:gpt-4o-mini
      base_url: ${AZURE_OPENAI_ENDPOINT}
      secret_key_ref:
        env: AZURE_OPENAI_API_KEY
policies:
  chain:
    - audit-logger
  policy:
    audit-logger:
      immutable: true
      retention_days: 365
      log_all_access: true

Setup Steps

  1. Export your Azure credentials:

     export AZURE_OPENAI_API_KEY="your-azure-api-key"
     export AZURE_OPENAI_ENDPOINT="https://your-resource.openai.azure.com"

  2. Save the policy config to policy-config.yaml.

  3. Start the gateway:

     kt gateway run --listen 0.0.0.0:41002 --policy-config policy-config.yaml

     The address 0.0.0.0 accepts connections on every network interface, and the client in the next step sends only a placeholder key to the gateway, so for local development listen on a loopback address such as 127.0.0.1:41002 or restrict access to the port.

  4. Point your Copilot plugin or extension at the gateway:

     from openai import AzureOpenAI

     client = AzureOpenAI(
         azure_endpoint="http://localhost:41002",  # the gateway, not Azure directly
         api_key="unused",  # placeholder; the gateway config supplies the Azure key via secret_key_ref
         api_version="2024-02-15-preview",
     )

     response = client.chat.completions.create(
         model="gpt-4o",
         messages=[
             {"role": "system", "content": "You are a Microsoft 365 assistant."},
             {"role": "user", "content": "Summarise the action items from this meeting."},
         ],
     )
     print(response.choices[0].message.content)

For a hosted gateway, replace the endpoint with https://gateway.keeptrusts.com.

Verification

curl http://localhost:41002/v1/chat/completions \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o",
    "messages": [
      {"role": "user", "content": "Hello from the governed Copilot gateway."}
    ]
  }'

Confirm the response and check the Keeptrusts console Events page for the audit log entry.

| Policy | Purpose | Recommended setting |
| --- | --- | --- |
| prompt-injection | Block adversarial inputs in Copilot extensions | threshold: 0.8, action: block |
| pii-detector | Redact personal data from documents before LLM processing | action: redact, entities: EMAIL, PHONE, SSN |
| dlp-filter | Block or redact internal project codes and identifiers | Configure regex patterns |
| audit-logger | Immutable audit trail for compliance | immutable: true, retention_days: 365 |
| content-filter | Block restricted topics in AI responses | action: block, configure categories |
| cost-attribution | Track Azure OpenAI spend per department | Tag requests with department metadata |

Troubleshooting

| Symptom | Cause | Fix |
| --- | --- | --- |
| 401 from Azure OpenAI | API key invalid or deployment not accessible | Verify AZURE_OPENAI_API_KEY and AZURE_OPENAI_ENDPOINT |
| 404 DeploymentNotFound | Model deployment name mismatch | Match the model name in config to your Azure deployment name |
| Cannot route native Copilot traffic | Copilot uses Microsoft's managed infrastructure | Use the gateway for custom extensions and plugins |
| Gateway returns 403 | Policy chain blocked the request | Review the policy violation in the console Events page |

For AI systems

  • Canonical terms: Keeptrusts gateway, Microsoft 365 Copilot, Azure OpenAI, Copilot plugin, Copilot extension, policy-config.yaml, provider: "azure-openai".
  • Config field names: provider, base_url, secret_key_ref.env: "AZURE_OPENAI_API_KEY".
  • Key behavior: Keeptrusts proxies Azure OpenAI calls from Copilot plugins and extensions, applying policy enforcement and audit logging.
  • Best next pages: Azure OpenAI integration, Policy controls catalog, Quickstart.

For engineers

  • Start command: kt gateway run --listen 0.0.0.0:41002 --policy-config policy-config.yaml
  • Azure OpenAI deployments use deployment names as model identifiers — ensure your config matches.
  • The gateway supports both API key and Azure AD token authentication for Azure OpenAI.
  • Native Microsoft 365 Copilot traffic cannot be rerouted — focus on custom extensions.

For leaders

  • Microsoft 365 Copilot governance through Keeptrusts provides an independent audit trail alongside Microsoft's built-in Purview compliance tools.
  • Custom Copilot plugins and extensions are fully governable — PII redaction, content filtering, and audit logging apply to all Azure OpenAI calls.
  • DLP policies prevent internal project codes, customer identifiers, and other sensitive patterns from leaking to external AI services.
  • Cost attribution tracks Azure OpenAI spend per department or project for internal chargeback.

Next steps