Microsoft Copilot for Microsoft 365 is available under FedRAMP High authorization for US government customers. This status means the service meets the strictest security requirements for handling controlled unclassified information. Many organizations in defense, intelligence, and civilian agencies need to verify this authorization before they can deploy Copilot. This article explains what FedRAMP High covers, which Copilot features are included, and what is excluded under the current authorization.
Key Takeaways: Copilot FedRAMP High Authorization Scope
- Microsoft 365 Government Community Cloud High (GCC High) tenant: Required for Copilot to operate under FedRAMP High authorization.
- Copilot core features in Word, Excel, PowerPoint, Outlook, and Teams: Included in FedRAMP High authorization.
- Copilot with Graph-grounded data retrieval: Authorized for tenant data only; no external web grounding.
- Copilot plugins and Microsoft Graph connectors: Excluded from current FedRAMP High authorization.
What FedRAMP High Authorization Means for Copilot
FedRAMP High is the highest security classification in the Federal Risk and Authorization Management Program. It applies to cloud services that handle controlled unclassified information (CUI), including data that requires protection under Executive Order 13556. Microsoft 365 Government Community Cloud High (GCC High) is the only environment where Copilot can operate under this authorization.
The authorization covers the Copilot service itself, not every connected feature. Microsoft submitted Copilot for Microsoft 365 for a FedRAMP High authorization through a Joint Authorization Board (JAB) review. The authorization scope includes the core Copilot AI service running on Azure infrastructure that is already FedRAMP High authorized.
Copilot under FedRAMP High does not use internet search or public web data. All data retrieval is limited to the tenant’s own Microsoft Graph data, such as emails, documents, calendar entries, and Teams messages. This design aligns with government data residency and compliance requirements.
Copilot Features Included in FedRAMP High Authorization
The following Copilot features are available under the current FedRAMP High authorization for GCC High tenants.
Copilot in Word, Excel, PowerPoint, and Outlook
Users can draft text in Word, generate formulas in Excel, create slides in PowerPoint, and summarize emails in Outlook. All processing happens within the tenant boundary. No data leaves the GCC High environment. Responses are generated from tenant data only.
Copilot in Microsoft Teams
Teams meeting summaries, chat recaps, and action item extraction are authorized. Copilot can read meeting transcripts and chat history within the same tenant. External meeting participants from non-GCC High tenants are not supported for Copilot features.
Copilot in Microsoft Loop and OneNote
Loop workspaces and OneNote notebooks are included in the authorization scope. Copilot can summarize Loop components and OneNote pages. Data remains within the GCC High tenant boundary.
Copilot Features Excluded from FedRAMP High Authorization
Several Copilot features are not yet covered under the FedRAMP High authorization. These exclusions affect how government tenants can use the service.
Copilot with Plugins and Microsoft Graph Connectors
Third-party plugins and custom Microsoft Graph connectors are excluded from the current authorization. This means Copilot cannot access data from external systems like ServiceNow, Salesforce, or custom line-of-business applications through connectors. Only native Microsoft 365 data sources are authorized.
Copilot with Web Grounding
The feature that allows Copilot to search the public internet for up-to-date information is not authorized under FedRAMP High. Copilot responses are limited to tenant data. Users cannot ask Copilot to retrieve information from external websites or Bing search.
Copilot with Microsoft 365 Chat (Enterprise Chat)
The full Microsoft 365 Chat experience that combines tenant data with web search is not available. The authorized version of Microsoft 365 Chat in GCC High uses tenant data only. The web grounding toggle in the Copilot settings is disabled for GCC High tenants.
How to Verify Copilot FedRAMP High Authorization for Your Tenant
Tenant administrators can confirm the authorization status through the Microsoft 365 admin center.
- Open the Microsoft 365 admin center
  Go to https://admin.microsoft.com and sign in with a Global Admin or Billing Admin account for your GCC High tenant.
- Navigate to Billing > Licenses
  Select Billing from the left navigation, then select Licenses. Find the Copilot for Microsoft 365 license assigned to your tenant.
- Review the service plan details
  Click the license name and look for the service plan named Microsoft Copilot for Microsoft 365 GCC High. This plan indicates FedRAMP High authorization.
- Check the Service Health Dashboard
  Go to Health > Service Health and search for Copilot. The status page shows the current authorization level and any service advisories specific to GCC High.

For a complete list of authorized features, Microsoft publishes the FedRAMP High authorization letter and the system security plan (SSP) on the Microsoft Service Trust Portal. Tenant administrators can download these documents from https://servicetrust.microsoft.com under the FedRAMP reports section.
Common Misconceptions About Copilot FedRAMP High
Copilot in GCC High Is the Same as Commercial Copilot
This is not correct. The GCC High version of Copilot has fewer features than the commercial version. Web grounding, plugins, and Graph connectors are excluded. The feature set is intentionally limited to meet FedRAMP High requirements.
All Microsoft 365 Data Is Automatically Covered
Not all data in a GCC High tenant is automatically within the Copilot authorization scope. Copilot can only access data that is stored in Exchange Online, SharePoint Online, OneDrive for Business, and Teams. Data stored in third-party systems or custom databases is not accessible through Copilot under the current authorization.
Copilot Authorization Covers All Future Updates
Microsoft must reauthorize or amend the authorization for each new Copilot feature. Features added after the original authorization date are not automatically covered. Government tenants should review each feature update against the current authorization scope before enabling it.
Copilot Commercial vs Copilot GCC High: Key Differences
| Item | Copilot Commercial | Copilot GCC High (FedRAMP High) |
|---|---|---|
| Tenant type | Standard Microsoft 365 tenant | GCC High tenant only |
| Web grounding | Included | Excluded |
| Third-party plugins | Supported | Not supported |
| Microsoft Graph connectors | Supported | Not supported |
| Data residency | Global datacenters | US datacenters only |
| Authorized data sources | Tenant data plus web | Tenant data only |
Tenant administrators in government agencies must plan deployments based on these differences. The excluded features may require alternative solutions, such as manual data retrieval or custom development outside Copilot.
Conclusion
Microsoft Copilot for Microsoft 365 is available under FedRAMP High authorization for GCC High tenants. The authorized feature set includes Copilot in Word, Excel, PowerPoint, Outlook, Teams, Loop, and OneNote, but excludes web grounding, plugins, and Graph connectors. Government tenants should verify their authorization level through the Microsoft 365 admin center and review the Service Trust Portal for the latest authorization documents. For organizations that need the full Copilot feature set, including web search and connectors, a separate commercial tenant with appropriate data handling policies is required. Always confirm the authorization scope before enabling new Copilot features in a FedRAMP High environment.