Network and Endpoint Requirements

Overview

If Copilot can’t reach the services it depends on, it won’t work. No error message, no degraded experience—Copilot features simply won’t appear. Network and endpoint readiness is a hard gate for deployment.

This video covers the specific network configuration you need for Microsoft 365 Copilot in GCC, GCC High, and DoD environments: which endpoints to allow, how to configure your proxy and firewall, what to expect for bandwidth, and how to verify everything is working before you enable licenses.

What You’ll Learn

• Required Endpoints: The specific URLs and IP ranges Copilot needs to function
• Proxy and Firewall: Configuration recommendations including SSL inspection considerations
• Bandwidth: Why Copilot is lightweight and what matters more than throughput
• Client Requirements: Which Office versions support Copilot and how to verify your fleet
• Testing: How to validate connectivity before rollout

Script

Hook: Copilot won’t work if it can’t connect

Network readiness is one of those prerequisites that’s easy to underestimate. Most of your Microsoft 365 services already work, so you assume Copilot will too.

But Copilot relies on specific service endpoints that may not be in your current allow lists. If those endpoints are blocked by your proxy, your firewall, or your network security appliances, Copilot features won’t appear in your users’ apps. There’s no helpful error message. It just doesn’t show up.

Let’s make sure that doesn’t happen.

Required URLs and endpoints

Microsoft publishes a list of required URLs and IP address ranges for all Microsoft 365 services. This list is your source of truth for network configuration.

For Copilot specifically, there are several categories of endpoints that must be reachable. The Microsoft Graph API endpoints are critical—Copilot uses Graph to access user data, files, and organizational information. The Microsoft 365 substrate endpoints handle the orchestration layer that powers Copilot’s AI processing. And there are Copilot-specific service endpoints that handle the natural language processing and response generation.

Here’s the important part for government: the endpoint lists differ by cloud environment. GCC endpoints are similar to commercial but use government-specific domains and IP ranges. GCC High uses entirely separate infrastructure with different endpoints. DoD has its own endpoint set as well.

Do not use the commercial endpoint list for your government tenant. Go to the Microsoft Learn documentation for Microsoft 365 URLs and IP address ranges and select the tab for your specific government cloud. The page provides downloadable lists that you can import into your firewall management tools.

Microsoft updates these endpoint lists periodically. Subscribe to the RSS feed or change notifications so you know when new endpoints are added. Missing a new required endpoint after a service update is a common cause of Copilot features suddenly breaking.

Proxy and firewall configuration

Once you have the endpoint list, you need to configure your network infrastructure to allow traffic.

First, SSL and TLS inspection. Many government networks use SSL inspection appliances to examine encrypted traffic. Microsoft recommends bypassing SSL inspection for Microsoft 365 “Optimize” and “Allow” category endpoints. SSL inspection on these endpoints can cause certificate errors, latency spikes, and broken functionality.

For Copilot specifically, inspecting the traffic between client and service can interfere with the real-time interaction model. If you must inspect M365 traffic for compliance reasons, test thoroughly with Copilot features enabled to ensure nothing breaks.

Second, proxy configuration. If your network routes traffic through a proxy server, update your PAC file or proxy auto-configuration to direct Microsoft 365 traffic appropriately. The best practice is to route Optimize-category endpoints directly to the internet—bypassing your proxy entirely—and route Allow-category endpoints through your proxy with minimal inspection.

In government environments, you may have additional requirements about traffic routing through approved network paths or TICAP points. Work with your network security team to ensure Copilot traffic follows your approved architecture while still meeting Microsoft’s connectivity requirements.

Third, firewall rules. Add the required endpoints and IP ranges for your government cloud to your firewall allow lists. Remember to allow both TCP 443 for HTTPS and any additional ports specified in the endpoint documentation.

Bandwidth and performance

Here’s good news: Copilot is not a bandwidth hog.

Unlike Teams video calls or large file sync operations, Copilot interactions are text-based. A user asks a question, Copilot processes it, and returns a text response. The data transfer per interaction is small—typically a few kilobytes for the request and response.

What matters more than bandwidth is latency. Copilot is an interactive, conversational experience. Users type a prompt and wait for a response. If network latency is high—say, 200 milliseconds or more round-trip to Microsoft’s service endpoints—the delay becomes noticeable and frustrating.

Focus your network optimization on reducing latency to Microsoft 365 endpoints rather than provisioning additional bandwidth. This typically means ensuring direct network paths without unnecessary hops, avoiding proxy chains that add latency, and using split tunneling for VPN users when your security policy allows it.

During your pilot, monitor network performance metrics for Copilot traffic. Track round-trip latency, connection success rates, and any timeout errors. This baseline data helps you identify and resolve issues before expanding to more users.

Client and endpoint requirements

Copilot runs inside the Microsoft 365 applications your users already use—Word, Excel, PowerPoint, Outlook, Teams. But it requires current versions of those applications.

Specifically, you need Microsoft 365 Apps for Enterprise. That’s the subscription version of Office that updates regularly. Your deployment must be on either the Current Channel or the Monthly Enterprise Channel to receive Copilot features. If you’re on the Semi-Annual Enterprise Channel, you may experience delays in receiving Copilot updates.

Perpetual versions of Office—Office 2019, Office 2021, Office LTSC—do not support Copilot. If you have users on perpetual licenses, they need to be migrated to Microsoft 365 Apps for Enterprise before they can use Copilot.

For web apps, Copilot is available through the browser-based versions of Word, Excel, PowerPoint, and Outlook at office.com. Make sure your users’ browsers are current and that content security policies or browser extensions don’t block Copilot’s interface elements.

Teams desktop and mobile clients also support Copilot. Verify that your Teams deployment is on a supported version—Teams updates frequently, and Copilot features require recent builds.

To check client versions across your fleet, use the Microsoft 365 Apps admin center or your endpoint management tool. Look for users on outdated versions and plan updates before enabling Copilot.

Close: testing connectivity before rollout

Before you assign Copilot licenses to your pilot group, test connectivity.

Microsoft provides a network connectivity test tool that validates your connection to Microsoft 365 services. Run it from devices on your government network to identify any connectivity issues.

For a more targeted approach, have a test user attempt to access Copilot features after licensing. If the Copilot button appears in Word, Teams, and Outlook, your network is configured correctly. If it doesn’t, check your proxy logs and firewall rules for blocked connections to Copilot endpoints.

Here’s your network readiness checklist. Required endpoints for your government cloud are allow-listed. Proxy is configured with appropriate bypass rules. SSL inspection is bypassed or tested for compatibility. Client apps are on Microsoft 365 Apps for Enterprise, Current or Monthly Enterprise Channel. Connectivity has been validated on pilot devices.

Check these off, and your network is ready for Copilot.

Sources & References

• Microsoft 365 URLs and IP address ranges — Official endpoint list for commercial and government
• Microsoft 365 Copilot requirements — Copilot-specific requirements including network
• Network planning and performance for Microsoft 365 — Network planning guidance