IT Lens
The firm brings the regulatory judgment. This board brings the control map: where Claude has an admin setting, where Microsoft 365 is the real enforcement point, and where policy or process has to fill the gap.
Start with the product boundary
Direct Claude and Microsoft 365 Copilot can both provide access to Anthropic models, but they use different tenants, administrators, storage paths, monitoring feeds, and permission systems. The first decision is which control plane the firm is ordering.
Keep identity and data access separate
Entra decides who may sign in or use Microsoft-connected applications. Microsoft 365 permissions decide which business content a user can reach. Claude or Copilot settings then decide which AI capabilities can act on that access.
Map each activity to its actual telemetry
Claude Chat, Claude Cowork, Microsoft Graph activity, Copilot Chat, Copilot Cowork, and agents do not all appear in the same logs. The control map below makes each feed and known visibility gap explicit.
Choose the Deployment Architecture
These are separate deployment options. Selecting one changes which configuration menu and locked-path inventory are shown; selecting both keeps each control plane distinct.
Microsoft 365 Copilot Native Menu
Applies when Microsoft 365 Copilot, Copilot Chat, Microsoft agents, or Copilot Cowork are the deployment product. Microsoft 365, Entra, Copilot Control System, Agent Registry, and Purview are the control plane.
Anthropic model access inside Copilot is a Microsoft AI-provider setting. It does not create a Claude Team or Enterprise organization, and the Direct Claude settings above do not govern it.
Locked Path Inventories
These tabs assume the plan choice has already been made. The inventory is deliberately long: it is a client-owned spec capture sheet so implementation technicians are not left to choose defaults.
Control Coverage Map
This map describes the technical source of control and visibility. It does not characterize whether any combination satisfies a firm requirement.
| Activity surface | Primary administrator | Primary storage location | Claude audit / Compliance API | Cowork OTel | Microsoft Purview / audit | Endpoint visibility |
|---|---|---|---|---|---|---|
| Direct Claude Chat and Projects | Claude organization | Anthropic service | Enterprise: supported Team: limited admin reporting |
Not applicable | Enterprise preview connector: DSPM and audit only | Browser and device controls only |
| Claude Cowork local session | Claude organization plus device management | User device; code runs in local isolated VM | Not currently captured | Prompts, tools, files, approvals and usage | Not through the Claude Purview connector | Host EDR cannot inspect inside the VM |
| Claude Cowork remote session | Claude organization | Anthropic account and isolated remote session | Not currently captured | Primary activity feed | Not through the Claude Purview connector | Runs outside the endpoint |
| Claude Microsoft 365 connector | Claude owner plus Entra administrator | M365 source remains in tenant; retrieved results can enter Claude chats | Claude tool and chat records where supported | When invoked through Cowork | Microsoft Graph operations in M365 audit | Authentication and device posture |
| Microsoft 365 Copilot Chat | Microsoft 365 and Copilot administrators | Microsoft 365 service and hidden Exchange mailbox locations | Not a direct Claude feed | Not applicable | Purview audit, retention and licensed controls | Microsoft app and device controls |
| Copilot Cowork and browser tasks | Microsoft 365 Copilot administrators | Microsoft 365 service; browser tasks use local Edge work profile | Not a direct Claude feed | Not Claude Cowork OTel | Unified audit and applicable Purview controls | Local Edge, Conditional Access and browser policy |
| Microsoft agents | Microsoft 365 Agent Registry / Power Platform | Depends on agent, channel and connected data source | Not a direct Claude feed | Not applicable | Agent audit, registry and risk surfaces | Depends on agent channel |
Suggested Combos
These are starting points for the meeting, not final policy positions.
Balanced enterprise rollout
Enterprise plan, Entra SSO/SCIM, role groups, export-first records path, read-only M365 pilot, needs-approval tool policy, central skills, remote Cowork pilot with OTel, controlled builders, mapped telemetry feeds, and wave rollout.
Minimum surface
Enterprise plan, strict Entra groups, no M365 connector at launch, Cowork off, central skills only, manual direct-Claude review, managed-device access, and a small invite wave.
Builder enablement
Enterprise plan with controlled builder roles, reviewed custom skills, local and remote Cowork, dev/test API workspaces, approved connector tools, higher spend caps, mapped telemetry feeds, and promotion gates for repeatable workflows.
Implementation Runbook
The MSP can run this once the firm's internal owners select the menu posture.
| Step | What gets configured | Owner to involve |
|---|---|---|
| 1. Lock the deployment architecture | Select Direct Claude, Microsoft 365 Copilot native, or both. Record the tenant IDs, products, license paths, user populations, administrators, and whether Anthropic models are accessed directly, through Copilot, or both. | Business sponsor, IT, vendor owner |
| 2. Build identity and role groups | Verify domains and Entra groups. For Direct Claude, configure SSO, JIT or SCIM, Claude groups, and roles. For Copilot, configure licenses, app access, provider groups, Cowork groups, and agent-maker groups. | IT, MSP, security |
| 3. Configure storage and evidence paths | Map direct Claude retention, audit and Compliance API; Cowork local or account storage and OTel; Microsoft Copilot retention locations and unified audit; and the downstream destination and reviewer for each selected feed. | Information management, IT, security operations |
| 4. Configure Microsoft data access | For the Direct Claude connector, set both Entra app assignments, exact Graph read scopes, optional write scopes, and tool approvals. For native Copilot, review work-grounding permissions, SharePoint readiness, labels, DLP, and app surfaces. | IT, security, compliance |
| 5. Configure agentic execution | For Claude Cowork, select local, remote, or both plus network, MDM, approval, plugin, trusted-device, and OTel settings. For Copilot Cowork and agents, configure billing, discoverability, models, plugins, browser use, maker rights, Registry, publication, and deployment. | IT, security, endpoint, Power Platform |
| 6. Publish the enablement pack | Publish product-specific user guidance, Direct Claude organization instructions and skills, Copilot application guidance, request paths for connectors or agents, and support routing that distinguishes the two products. | Business owner, IT, enablement owner |
| 7. Verify and expand by evidence | Test allowed and blocked identities, content access, read and write actions, local and remote execution, telemetry, billing, incident shutdown controls, and mobile and desktop surfaces before adding groups or capabilities. | Steering group |
Product Sources
Source links are limited to technical product controls. The firm's legal and compliance team should map these settings to their own policies and obligations.