
Decision guide

Coexisting with Microsoft Copilot

Copilot for M365 breadth; custom Azure-backed patterns for governed, system-specific workflows with citations and approvals.

Business sponsors, Technical leaders

What Copilot already owns

Microsoft 365 Copilot covers email, calendar, Office documents, Teams meetings, and broad Microsoft Graph search.

Employees often already have licences funded by workplace programmes. Rebuilding generic summarise-my-inbox features rarely returns incremental value. See Copilot adoption resources.

Copilot's strength is personal productivity inside M365, not deep integration with CRM, ITSM, or custom policy corpora that require audit-grade citations. Custom RAG fills that gap.

Programme leads should document what Copilot is chartered to do before approving another internal chatbot. Publish alongside the program charter.

  • Draft and refine email, documents, and presentations
  • Meeting recap and action suggestions in Teams
  • Graph-wide search across M365 content the user can access
  • Personal productivity scenarios with Copilot privacy commitments
  • Not a substitute for cite-only policy corpora. See Azure RAG solution guide.

What custom builds should own

Custom applications win when workflows tie to your systems of record with strict policy. Model them with agent vs workflow patterns where approvals matter.

Examples include CRM writes behind approval, citations to internal policy sets, escalation queues, custom evals, and IAM mapped to your roles.

Position custom work as systems-of-record workflows, not another chatbot in the intranet. Demo Azure Foundry RAG for cite-only Q&A.

Measure incremental value: tasks Copilot cannot complete because Graph scope or connectors do not reach your data. Track in OpenAI evals dashboards.

Copilot Studio vs custom Foundry apps

Copilot Studio fits conversational bots on Teams channels with connector-based actions and lighter governance.

It suits FAQ, simple handoffs, and departmental assistants that do not need full RAG pipelines or complex orchestration.

Custom Foundry and Azure OpenAI applications fit when you need retrieval pipelines, Content Safety scoring, sequential orchestration, and enterprise IAM to your app registration.

Choose Studio when time to channel matters and risk is low. Choose custom when citations, approvals, and eval gates are mandatory.

  • Studio: faster Teams deployment, extensibility catalogue
  • Custom: full RAG, ACL filters, eval in CI
  • Studio: lighter change control acceptable for FAQ
  • Custom: HITL queues and tool separation
  • Document choice in the channel matrix

Publish a channel matrix

Employees confuse overlapping tools when every team launches a chat surface. A matrix prevents duplicate OWASP LLM Top 10.

Publish a simple matrix: Copilot for draft and summarise, custom app for policy answers, human queue for exceptions. Link Copilot overview and custom app URLs.

Include examples of allowed and disallowed prompts per channel, especially for HR and legal topics. Align restricted topics with data privacy classes.

Review the matrix quarterly as Copilot features and your custom pilots evolve. Present updates to the NIST AI RMF Govern.

  • Channel name and URL or Teams entry point
  • Primary user persona and use cases
  • Citation required yes or no. Link Azure RAG solution guide for cite-only channels.
  • Write actions allowed yes or no
  • Escalation path when confidence is low
  • Owner team and support contact

Governance alignment

Use the same content safety, retention, and logging rules across Copilot and custom apps where possible.

Document which channels may use general chat versus citation-required RAG. Reference responsible AI overview.

Align with Copilot data protection commitments while adding controls custom apps need beyond Graph defaults.

Risk teams prefer one narrative, not parallel policies that contradict each other. Consolidate in the AWS AI compliance.

  • Shared definitions for confidential and restricted data
  • Consistent retention schedule across channels
  • Single incident response owner for AI issues. See security controls.
  • Champion network trained on matrix rules
  • Audit samples from both Copilot logs and custom apps

Licence and spend clarity

Copilot M365 licences are often already in flight as an enterprise programme. Track them separately from custom API spend in the unified model gateway.

Custom apps add API usage for tokens, search, safety, and storage on top of those licences.

Finance needs a line-item forecast for custom usage, not a surprise invoice after pilot expansion. Forecast with OpenAI evals volume assumptions.

Avoid duplicating Copilot scenarios unless you show incremental value in a system of record Copilot cannot write to. See Azure Well-Architected for spend narrative.

  • Separate budget lines for M365 Copilot and custom APIs
  • Chargeback model per business unit for custom usage
  • Monthly review of token and search spend
  • Kill duplicate pilots that only repeat Graph search
  • Sponsor sign-off before expanding custom seats

Identity and access boundaries

Copilot respects Graph permissions the user already has. Custom apps must implement the same discipline via search filters and app roles. Use Entra conditional access.

Do not expose corpora in custom RAG that employees would not see in SharePoint or the source system.

Map Entra ID groups to application roles and retrieval filters. Test with a standard user, not only admins. Demo content safety example.

Document service accounts versus delegated user identity for automation workflows. Align with OpenAI safety best practices for writes.

  • ACL filters on every retrieval query
  • App registration with least-privilege scopes
  • Regular access review for bot service accounts
  • Break-glass procedure for admin testing
  • Sample JWT claims in redacted logs for audits
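
One way to enforce the ACL-filter and group-mapping rules above, as an added example rather than code from this guide or from Microsoft: it builds an Azure AI Search style OData filter from already-validated token claims and fails closed when the `groups` claim is empty, malformed, or replaced by the Entra group-overage marker. The index field name `group_ids`, the helper names, and the sample IDs are assumptions.

```python
import re

GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

class AccessDenied(Exception):
    """Raised when no safe retrieval filter can be built (fail closed)."""

def groups_from_claims(claims):
    """Return group object IDs from token claims that were already validated."""
    # Entra omits `groups` and sets `_claim_names` when the user is in too many
    # groups (overage). Reading that as "no restriction" would leak content.
    if "groups" in claims.get("_claim_names", {}):
        raise AccessDenied("group overage: resolve groups via Graph first")
    groups = claims.get("groups") or []
    # Only GUIDs may reach the filter string, which blocks filter injection.
    if any(not isinstance(g, str) or not GUID.fullmatch(g) for g in groups):
        raise AccessDenied("malformed group id in claims")
    if not groups:
        raise AccessDenied("no groups: refusing unfiltered retrieval")
    return sorted({g.lower() for g in groups})

def build_acl_filter(claims, field="group_ids"):
    """OData security-trimming filter to attach to every search request."""
    ids = ",".join(groups_from_claims(claims))
    return f"{field}/any(g: search.in(g, '{ids}'))"

def trim(documents, claims, field="group_ids"):
    """In-memory equivalent of the filter, used here to show its effect."""
    allowed = set(groups_from_claims(claims))
    return [d["id"] for d in documents
            if allowed & {g.lower() for g in d[field]}]

# Constructed sample data: group IDs, users and documents are invented.
ALL_STAFF = "11111111-1111-1111-1111-111111111111"
HR_CASEWORK = "22222222-2222-2222-2222-222222222222"
DOCS = [
    {"id": "leave-policy", "group_ids": [ALL_STAFF]},
    {"id": "hr-investigations", "group_ids": [HR_CASEWORK]},
]
STANDARD_USER = {"sub": "user-1", "groups": [ALL_STAFF]}
HR_USER = {"sub": "user-2", "groups": [ALL_STAFF, HR_CASEWORK]}
OVERAGE_USER = {"sub": "user-3", "_claim_names": {"groups": "src1"}}

if __name__ == "__main__":
    print(build_acl_filter(STANDARD_USER))
    print(trim(DOCS, STANDARD_USER), trim(DOCS, HR_USER))
```

Running the same assertions against a standard user and a privileged user in CI covers the "test with a standard user, not only admins" rule.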

Joint narrative for IT and the business

IT wants fewer bespoke bots to secure and operate. The business wants governed answers inside CRM and ITSM. Frame complementarity in the NIST AI RMF Govern deck.

Frame the programme as complementary: Copilot lifts individual productivity, custom apps automate governed workflows with agent patterns.

Use shared metrics: ticket deflection, time to answer policy questions, approval queue SLA.

Celebrate wins in both channels without forcing a single tool for every task. Retire redundant bots per OWASP LLM Top 10 guidance.

  • Executive one-pager on complement, not competition
  • Shared steering committee with IT and business sponsors
  • Champion network trained on the channel matrix
  • Quarterly demo of custom workflow plus Copilot tip
  • Clear criteria to retire redundant custom bots

Workshop scenarios

Run table-top scenarios with HR, legal, sales, and IT. Ask which channel should answer each question. Use NIST AI RMF facilitation timing.

Scenario: employee asks for parental leave policy with mandatory citation. Expected channel: custom RAG. Demo Foundry RAG.

Scenario: manager drafts performance review language. Expected channel: Copilot in Word.

Scenario: agent proposes updating Salesforce opportunity stage. Expected channel: custom app with approval. See meeting-to-actions example.

  • Policy Q&A with citations. Score with golden evals.
  • Draft customer email tone
  • ITSM ticket summarisation for agent
  • Procurement clause comparison
  • Meeting actions pushed to task system

What good looks like

Good looks like employees knowing which door to knock on without a survey of fifteen chat links. The channel matrix lives on the intranet next to trust materials.

Good looks like risk reviewing one coherent control set with channel-specific attachments in the AWS AI compliance.

Good looks like custom apps passing the same eval gates you would require for any production AI.

Good looks like Copilot licence spend visible alongside custom API forecast in the same program dashboard.

Common mistakes

Teams rebuild M365 summarise features and annoy users who already have Copilot. Focus custom work on systems of record.

Teams deploy custom policy bots without citations, creating a second surface for fluent but wrong answers. Require RAG cite-only behaviour.

Teams skip the matrix and wonder why adoption fragments across shadow tools. Log duplicates in OWASP LLM Top 10.

Teams fight IT instead of aligning on systems-of-record scope for custom work. Escalate through the NIST AI RMF Govern.

Patterns, metrics, and runnable demos for architecture reviews and pilots, from The Ops Toolbox.
