Layer 1: Base Licence Requirements
Copilot requires a qualifying Microsoft 365 base licence. Not every M365 plan qualifies, and the base licence you choose determines both the Copilot features available and the all-in cost per user.
Required Qualifying Base Licences
Microsoft 365 Copilot requires one of the following base licences per user:
- Microsoft 365 E3 ($36/user/month list) — full Copilot in desktop and web Office apps, Teams, Outlook
- Microsoft 365 E5 ($57/user/month list) — full Copilot plus advanced security and analytics features that enhance Copilot capabilities
- Microsoft 365 Business Standard ($12.50/user/month list) — Copilot in web and mobile Office apps, Teams, Outlook
- Microsoft 365 Business Premium ($22/user/month list) — full Copilot with enhanced security baseline
- Office 365 E3/E5 — qualifies, but without Windows, Intune, or identity management features
Plans That Do NOT Qualify for Copilot
Microsoft 365 F1 and F3 (frontline worker plans) are not eligible for Microsoft 365 Copilot. Frontline workers on F-series licences cannot receive Copilot. If your organisation needs Copilot for any frontline role, those users must be upgraded to at least Business Standard or E3 — a 4–16× increase in per-user base cost.
Office 365 E1 does not qualify for Copilot. E1 users must upgrade to E3 minimum ($26/user/month increase).
Standalone Office apps (Office 2021, Office LTSC) do not qualify. Copilot requires cloud-connected M365 apps, not perpetual licence versions.
| Base Licence | List Price | + Copilot | All-In Base + Copilot | Copilot Eligible? |
|---|
| M365 Business Standard | $12.50 | $30.00 | $42.50 | Yes |
| M365 Business Premium | $22.00 | $30.00 | $52.00 | Yes |
| M365 E3 | $36.00 | $30.00 | $66.00 | Yes |
| M365 E5 | $57.00 | $30.00 | $87.00 | Yes |
| M365 F1 | $2.25 | — | — | No |
| M365 F3 | $8.00 | — | — | No |
| O365 E1 | $10.00 | — | — | No |
| O365 E3 | $23.00 | $30.00 | $53.00 | Yes |
The base licence choice matters beyond price. E5 users get better Copilot outcomes because E5 includes Entra ID P2 (better identity signals for Copilot context), Defender for Endpoint P2 (security controls for Copilot data access), and Power BI Pro (Copilot in Power BI). On E3, these capabilities are missing or require separate add-ons that increase the all-in cost further.
Layer 2: Identity and Access Prerequisites
Copilot accesses data through the Microsoft Graph, which means it can see everything a user has access to — emails, files, chats, meetings, SharePoint sites, and OneDrive content. This makes identity and access management not just a security concern but a Copilot readiness requirement. If your permissions are over-provisioned (as they are in most enterprises), Copilot will surface sensitive data to users who should not see it.
Required Microsoft Entra ID (Azure AD)
Minimum: Entra ID P1 (included in M365 E3). Provides conditional access policies and multi-factor authentication to secure Copilot access.
Recommended: Entra ID P2 (included in M365 E5, or $9/user/month add-on to E3). Adds Privileged Identity Management and Identity Protection — critical for controlling which admin and elevated-privilege accounts can use Copilot with access to sensitive organisational data.
- Conditional Access policies to control Copilot access by device, location, and risk level
- MFA enforcement for all Copilot-enabled users
- Access reviews to ensure Copilot users have appropriate data permissions
- Without Entra ID P2: no identity risk signals, no just-in-time privilege elevation, no automated access reviews
The Over-Permissioning Risk
This is the most underestimated Copilot prerequisite. In a typical enterprise, SharePoint permissions have accumulated over years of site creation, team formation, and one-off sharing. Users often have access to far more content than they need or realise. Without Copilot, this over-permissioning creates theoretical risk. With Copilot, it creates practical risk — because Copilot actively surfaces content from everything a user can access.
Before deploying Copilot, conduct a permissions audit across SharePoint, OneDrive, Teams, and Exchange. Identify and remediate: broadly shared sites (shared with “Everyone except external users”), stale sharing links, broken inheritance on sensitive document libraries, and over-provisioned group memberships. This audit is not optional — without it, Copilot becomes a data exposure tool rather than a productivity tool.
Layer 3: Data Governance and Labelling
Copilot respects Microsoft Purview sensitivity labels and Data Loss Prevention (DLP) policies. If your organisation has not implemented these controls, Copilot has no guardrails on what it surfaces, summarises, or includes in generated content.
Recommended Microsoft Purview Information Protection
Included in E3: Basic sensitivity labels and manual classification.
Included in E5 (or add-on $7/user/month): Auto-labelling, trainable classifiers, exact data matching, and advanced DLP policies that Copilot will honour.
- Sensitivity labels applied to documents control whether Copilot can reference that content in responses
- DLP policies prevent Copilot from including regulated data (PII, financial records, health information) in generated content
- Retention labels ensure Copilot does not surface deleted or expired content
- Without labelling: Copilot treats all content equally, including confidential board materials, M&A documents, and HR files
Implementing sensitivity labels across an enterprise is a 30–60 day project (classification taxonomy, policy configuration, user training, auto-labelling rules). This must be completed before Copilot deployment — not after. Organisations that deploy Copilot without data governance in place discover the problem when a user asks Copilot to “summarise recent leadership discussions” and receives a summary that includes confidential compensation data, acquisition targets, or disciplinary proceedings.
Layer 4: Network and Infrastructure
Required Network and Connectivity
Copilot processes requests through Microsoft’s Azure OpenAI infrastructure. This requires reliable, low-latency connectivity to Microsoft 365 cloud endpoints.
- Bandwidth: No specific per-user bandwidth requirement published, but Copilot increases M365 API calls significantly — plan for 10–20% increase in M365 network traffic
- Latency: Sub-100ms latency to Microsoft 365 endpoints for responsive Copilot interactions
- Proxy and firewall: Copilot endpoints must be whitelisted; web proxies that inspect M365 traffic may need bypass rules for Copilot API calls
- Microsoft 365 network connectivity principles: Direct internet egress for M365 traffic (no backhauling through centralised proxies) per Microsoft’s published connectivity guidance
Most organisations that have already optimised their M365 network connectivity for Teams and Exchange Online meet the Copilot requirements without additional infrastructure changes. The exception: organisations using legacy web proxies that inspect all HTTPS traffic, which can add 200–500ms latency to Copilot interactions and degrade the user experience significantly.
Layer 5: Device and Application Readiness
Required Application and OS Versions
Copilot requires current Microsoft 365 apps and supported operating systems:
- Microsoft 365 Apps: Current Channel or Monthly Enterprise Channel. Semi-Annual Enterprise Channel receives Copilot features with delay. LTSC versions do not support Copilot.
- Windows: Windows 10 (22H2+) or Windows 11. Earlier Windows 10 versions have limited Copilot functionality.
- macOS: macOS 13 Ventura or later for full Copilot support in Office for Mac.
- Mobile: iOS 16+ and Android 13+ for Copilot in Outlook and Teams mobile apps.
- Web: Copilot in Office for the web works in current versions of Edge, Chrome, Safari, and Firefox.
- Not supported: Office 2021, Office 2019, Office LTSC, Office perpetual licence versions, Windows 8.1, macOS 12 or earlier.
The application channel requirement is critical. Organisations running Semi-Annual Enterprise Channel (SAEC) for stability will receive Copilot features 6–8 months after Current Channel. If your deployment strategy uses SAEC, Copilot users must be moved to Current Channel or Monthly Enterprise Channel — creating a split-channel management overhead. Evaluate whether this complexity is justified for your Copilot deployment scope.
The Licensing Implication of Device Readiness
If your organisation is running Windows 10 devices approaching end-of-support (October 2025 for consumer, extended through ESU for enterprise), Copilot deployment may require a hardware refresh or Windows 11 upgrade. Windows 11 hardware requirements (TPM 2.0, Secure Boot, specific CPU generations) disqualify many devices purchased before 2018. The cost of hardware replacement is not a Microsoft licensing cost, but it is a real Copilot prerequisite cost that must be included in deployment budgeting. For a 5,000-user organisation where 30% of devices do not meet Windows 11 requirements, budget $750K–$1.5M for device refresh — a cost that dwarfs the Copilot licence itself.
Layer 6: Security Configuration
Recommended Security Baseline for Copilot
Copilot amplifies both productivity and security risk. The following security configurations are not technically required but are functionally essential for responsible deployment:
- Conditional Access policies: Restrict Copilot to managed devices, compliant devices, and approved locations. Prevent Copilot usage from unmanaged personal devices where organisational data could leak.
- Data Loss Prevention: DLP policies in Exchange, SharePoint, and Teams that prevent Copilot from including sensitive data types in generated content. E5 includes advanced DLP; E3 includes basic DLP.
- Microsoft Defender for Cloud Apps: Monitor Copilot usage patterns, detect anomalous data access, and enforce session policies. Included in E5; $3.50/user/month add-on for E3.
- Audit logging: Microsoft Purview audit logs capture Copilot interactions for compliance and investigation purposes. Standard audit is in E3; Advanced Audit (longer retention, more events) is in E5.
- Information barriers: Prevent Copilot from surfacing data across departmental boundaries where Chinese walls are required (financial services, legal, M&A). Requires E5 or E5 Compliance add-on.
The Security Add-On Cost for E3 Customers
To achieve the recommended security baseline for Copilot on an E3 licence, you need: Entra ID P2 ($9), Defender for Cloud Apps ($3.50), and potentially Purview Information Protection advanced ($7). That is $19.50/user/month in security add-ons on top of the $30 Copilot fee and $36 E3 base — bringing the true cost to $85.50/user/month. At this level, M365 E5 ($57) + Copilot ($30) = $87 is equivalent and includes far more features. For any Copilot deployment requiring the full security baseline, E5 is the correct base licence.
Layer 7: Change Management and Adoption
This is the prerequisite that has no licensing cost but determines whether the licensing investment delivers ROI. Copilot is not a tool that users adopt intuitively — it requires training on how to write effective prompts, understanding of what data Copilot can and cannot access, and new workflow habits that take 30–60 days to develop.
The Adoption Reality
Enterprise Copilot adoption data from the first 18 months of availability shows a consistent pattern: 60–70% of licensed users try Copilot in the first week, usage drops to 30–40% by week four, and stabilises at 25–35% of licensed users generating regular, meaningful interactions by month three. The remaining 65–75% of licences are generating little to no value.
This adoption curve means the effective cost per productive Copilot user is 2.5–4× the per-licence cost. If you licence 1,000 users at $30/month and 300 achieve consistent productive usage, your effective cost is $100/productive user/month. The antidote: deploy Copilot only to roles with demonstrated use cases (content creation, data analysis, email management, meeting summarisation), provide structured training programmes specific to each role’s Copilot use cases, and measure adoption at 30/60/90 days with the explicit willingness to reassign licences from low-usage to high-potential users.
Copilot Champions and Prompt Libraries
Organisations with the highest sustained adoption (40–50% of licensed users) invest in Copilot Champions programmes: 2–5% of users trained as internal Copilot experts who create role-specific prompt libraries, run lunch-and-learn sessions, and provide peer support. The Champions programme has no licensing cost but requires 5–10 hours/month per champion in time investment. Budget this as a real cost in your deployment plan.
The True Cost Calculator: What Copilot Actually Costs Per User
Combining all seven prerequisite layers, here is what Copilot actually costs per user at each base licence level:
| Cost Component | On E3 Base | On E5 Base |
|---|
| Base licence | $36.00 | $57.00 |
| Copilot add-on | $30.00 | $30.00 |
| Entra ID P2 (if needed) | $9.00 | Included |
| Defender for Cloud Apps (if needed) | $3.50 | Included |
| Purview Info Protection advanced (if needed) | $7.00 | Included |
| Monthly per-user licence cost | $85.50 | $87.00 |
| Annual per-user licence cost | $1,026 | $1,044 |
The E3 and E5 paths converge at nearly identical all-in costs ($85.50 vs $87.00) when Copilot security prerequisites are included. The E5 path is clearly superior because it includes additional features (Power BI Pro, Phone System, Advanced Audit, eDiscovery) that E3 does not, for only $1.50/user/month more.
The Correct Decision Framework
For Copilot-eligible users: M365 E5 + Copilot ($87/user/month at list; $68–$76 at EA rates). E5 provides the security and governance prerequisites that Copilot needs without add-on stacking.
For non-Copilot users: M365 E3 ($36/user/month at list; $28–$33 at EA rates). No Copilot add-on, no security add-on stack needed.
For frontline workers: M365 F1/F3 ($2.25–$8/user/month). Not Copilot-eligible, which is appropriate for these roles.
This segmented approach produces a blended cost of $38–$52/user/month for most enterprises versus $87+ for blanket E5 + Copilot.
Copilot Licensing for Specific Workloads
Copilot in Teams
Copilot in Teams provides meeting summarisation, action item extraction, and real-time conversation assistance. It requires a base M365 licence with Teams included (E3, E5, Business Standard, Business Premium) plus the Copilot add-on. Note: Teams Premium ($10/user/month) overlaps with Copilot in Teams for meeting intelligence features. If you deploy Copilot, Teams Premium’s AI meeting features are largely redundant. Do not purchase both for the same users unless you specifically need Teams Premium’s branded meeting templates or advanced webinar capabilities, which Copilot does not replicate.
Copilot in Power BI
Copilot in Power BI requires a Power BI Pro licence (included in E5, or $10/user/month add-on to E3) plus the Copilot add-on. Power BI Free users cannot use Copilot in Power BI even if they have a Copilot licence. This is a frequently missed prerequisite: organisations that deploy Copilot to analysts on E3 without adding Power BI Pro discover that Copilot’s data analysis capabilities are unavailable.
Copilot in Outlook, Word, Excel, PowerPoint
Copilot in core Office apps requires the base M365 licence and Copilot add-on with no additional prerequisites beyond the seven-layer readiness stack described above. However, Copilot in Excel’s advanced data analysis features (formula generation, pivot table creation, trend analysis) perform significantly better with structured data in Excel tables rather than raw cell ranges. This is a data readiness issue, not a licensing issue, but it directly impacts the perceived value of the Copilot investment.
Copilot in the Microsoft 365 App (formerly Bing Chat Enterprise)
The web-based Microsoft 365 Copilot experience (chat interface at microsoft365.com/copilot) accesses your Microsoft Graph data through natural language queries. This requires the full Copilot add-on and a qualifying base licence. The experience is distinct from the free Copilot (Bing Chat) which does not access organisational data. Ensure users understand the difference — using free Copilot for work queries provides no organisational context and may send proprietary prompts to Microsoft’s consumer AI service.
Government and Regulated Environments
Copilot availability varies by Microsoft cloud environment. In GCC, Copilot is available with a delayed release timeline (typically 3–6 months behind commercial). In GCC High, availability is limited and further delayed. In DoD, Copilot is not currently available. Government organisations should confirm Copilot availability in their specific environment before budgeting or negotiating Copilot licensing. See GCC Government Licensing Guide for environment-specific details.
For regulated industries (financial services under SEC/FINRA, healthcare under HIPAA, legal under attorney-client privilege), the data governance prerequisites described in Layer 3 are not optional — they are regulatory requirements. Deploying Copilot without sensitivity labels, DLP policies, and information barriers in these industries creates compliance exposure that extends well beyond Microsoft licensing.
Negotiating Copilot in Your Enterprise Agreement
Copilot should always be negotiated as a separate commercial event from your base EA, with its own pricing, terms, and exit provisions. Here are the five negotiation points that matter most:
1. Independent pricing. Do not let Microsoft bundle Copilot into your blended EA rate. Insist on a separate line item with a defined per-user price that can be independently adjusted at each EA anniversary.
2. Annual exit rights. The ability to reduce or eliminate Copilot seats at each EA anniversary without penalty. Standard EA terms may lock you into the Copilot commitment for the full three-year term. Exit rights protect you if adoption falls below expectations.
3. Pilot pricing. Negotiate a 90-day pilot at 50–75% of the full rate for your initial deployment cohort. If the pilot demonstrates ROI, commit at the negotiated full rate. If not, exit without penalty.
4. Ramp commitments. Rather than committing to your full intended deployment upfront, negotiate a ramp: 500 seats in Year 1, expanding to 1,500 in Year 2 and 3,000 in Year 3, at the same per-seat rate throughout. This protects you from over-committing before adoption data is available.
5. No base-EA linkage. Microsoft may offer better Copilot pricing if you also increase your base EA commitment or add Azure MACC. Evaluate these offers on their own merits — do not accept a base EA price increase to fund a Copilot discount. The maths often nets out against you.
Frequently Asked Questions
What licence do I need for Microsoft 365 Copilot?+
You need a qualifying base licence (Microsoft 365 E3, E5, Business Standard, or Business Premium) plus the Microsoft 365 Copilot add-on at $30/user/month. Microsoft 365 F1, F3, Office 365 E1, and standalone/perpetual Office licences do not qualify. The true all-in cost is $66–$87/user/month depending on your base licence and security add-ons needed.
Does Copilot work with Microsoft 365 E3?+
Yes, M365 E3 is a qualifying base licence for Copilot. However, E3 lacks several features that enhance Copilot functionality and security: Entra ID P2 (identity risk signals), Defender for Cloud Apps (Copilot usage monitoring), advanced DLP (content guardrails), and Power BI Pro (Copilot in Power BI). Adding these to E3 costs $19.50/user/month, bringing E3 + security + Copilot to $85.50 — nearly identical to E5 + Copilot at $87. For Copilot users, E5 is the more efficient base.
Can frontline workers use Copilot?+
No. Microsoft 365 F1 and F3 (frontline worker plans) are not eligible for Microsoft 365 Copilot. Frontline workers who need Copilot must be upgraded to at least M365 Business Standard ($12.50) or M365 E3 ($36), plus the $30 Copilot add-on. This represents a 4–16× increase in base licensing cost. Evaluate whether the productivity gains justify the upgrade for specific frontline roles before committing.
Do I need to do anything before deploying Copilot?+
Yes — substantially. Before Copilot deployment, you need: (1) permissions audit and remediation across SharePoint, OneDrive, Teams, and Exchange (2–4 weeks), (2) sensitivity label implementation and auto-labelling policies (2–4 weeks), (3) DLP policy configuration for Copilot-generated content (1–2 weeks), (4) conditional access policies for Copilot-enabled users (1 week), (5) application channel updates to Current or Monthly Enterprise Channel (1–2 weeks), and (6) change management and user training programme (2–4 weeks). Total readiness timeline: 60–90 days for enterprise deployment.
How much does Copilot really cost per user?+
The Copilot add-on is $30/user/month at list ($23–$28 at EA rates). But the true all-in cost including the required base licence and recommended security prerequisites is
$66–$87/user/month at list or
$53–$76 at EA rates. Factor in that only 25–35% of licensed users achieve sustained productive adoption, and the effective cost per productive user is $150–$300/month. Deploy selectively to high-ROI roles to keep the effective cost reasonable. See
M365 Cost 2026.
Is Copilot included in Microsoft 365 E5?+
No. Copilot is not included in any Microsoft 365 plan. It is always a separate add-on at $30/user/month on top of the base licence. E5 provides the best foundation for Copilot (identity, security, governance features included) but does not include the Copilot licence itself. This is one of the most common misconceptions about Copilot licensing.
Should I buy Teams Premium if I have Copilot?+
Generally no. Copilot in Teams provides AI meeting summaries, action items, and conversation intelligence that overlaps significantly with Teams Premium’s intelligent meeting recap feature. Teams Premium ($10/user/month) adds branded meeting templates, advanced webinar capabilities, and meeting protection (watermarking, sensitivity labels on meetings). If you only want the AI meeting features, Copilot alone is sufficient. If you need the branding and webinar features, Teams Premium adds value — but confirm you are not paying $40/user/month for overlapping AI capabilities. See
M365 Add-On Guide.