Copilot is appearing across Microsoft 365 in ways that were not there a year ago. If you are running a team of 10 to 40 people on a Microsoft 365 business plan, you may have already encountered it: listed in your subscription summary, mentioned by your IT reseller as a potential add-on, or surfacing as a suggestion inside Teams or Word. The promotional price of £13.80 per user per month for the integrated tier looks attractive, especially compared with the full rate of £24.70. The choice between the free, bundled, and paid integrated versions is really a question of what your people actually do all day and how your firm handles the personal data flowing through your technology stack.
What choice are you actually facing?
Microsoft’s Copilot line-up is more fragmented than the marketing implies. Copilot Free and the bundled Copilot Chat are web-based tools with no access to your emails, files, or SharePoint. The integrated experiences, Microsoft 365 Copilot at £24.70 per user per month and the SMB-focused Copilot Business at £13.80, are a different product entirely. That distinction is the real decision.
Copilot Free is a consumer chat tool at copilot.microsoft.com. It can help draft copy, generate images, and answer general questions, but it has no visibility of your organisation’s data whatsoever. Copilot Chat, bundled with eligible Microsoft 365 Business and Enterprise plans, is similar in practice: it offers commercial data protection for your prompts (Microsoft does not use your input to train its models), but it still does not reach into your email inbox, your SharePoint library, or your Teams threads.
The two integrated tiers, Microsoft 365 Copilot and the newer Copilot Business SKU built for organisations with fewer than 300 users, connect to your working data. Via Microsoft Graph, they can surface relevant information across your tenant to draft documents, summarise email threads, and answer questions grounded in your firm’s actual files and conversations, subject to each user’s existing access permissions. These are, effectively, a different product category from the free chat tools.
When is personal Copilot enough?
The free and bundled options genuinely serve a purpose. If your team occasionally needs help drafting copy or experimenting with prompts, Copilot Free delivers that at no extra cost. The lack of connection to your company’s data means no exposure risk when governance is still developing. For occasional, generic tasks, the cost-benefit calculation favours starting there.
There are specific situations where holding off on the upgrade makes sense. If AI use across your firm is genuinely occasional (a handful of staff trying a tool rather than a firm-wide capability), the licence cost for Copilot Business may not be justified. At £13.80 per user per month on an annual commitment, 10 licences run to £1,656 per year before VAT.
If your Microsoft 365 governance is still immature (weak access controls, or no sensitivity labels configured), the NCSC’s guidance is worth noting: poor configuration can mean an AI assistant surfaces information that users should not be seeing. Getting the access framework right before enabling the integrated tier is often the safer order of operations.
The personal and free tiers also have a legitimate place as a starting point for individuals who want to understand what Copilot can do before your firm commits to anything formal.
When does Copilot Business make sense?
Copilot Business earns its cost when your work is document-and-email-heavy and your staff need AI to act on real business data. Via Microsoft Graph, it can search across emails, SharePoint files, Teams conversations, and calendars to draft, summarise, and answer questions specific to your firm. Prompts and responses stay within your Microsoft 365 tenant and are not used to train Microsoft’s foundation models.
For many owner-managed firms with 5 to 50 staff, the business case is clear if a meaningful share of the team spends its day writing, searching, and summarising inside Microsoft 365. The integrated version can draft meeting follow-ups from a Teams call, pull together a client proposal that references the right files, or summarise a long email thread in seconds. For a knowledge-work firm, those are hours back per week rather than marginal improvements.
The compliance case is also compelling. Copilot Business runs within your Microsoft 365 tenant boundary, with activity logs accessible via Microsoft Purview for Business Standard and Business Premium customers. For firms in regulated sectors, having an auditable record of how AI was used when drafting a client communication or analysing financial data is becoming harder to ignore. The ICO expects organisations to be able to account for how personal data is processed, and the FCA holds regulated firms responsible for AI-assisted communications and decisions even when the tool is third-party. A business on Copilot Business has at least the logging infrastructure to start answering those questions.
What does it cost to get this call wrong?
The risk runs in both directions. If your team uses personal Copilot for work involving customer or staff data, demonstrating GDPR compliance becomes harder. The ICO expects organisations to document how personal data is processed and to have a lawful basis for doing so. Consumer tools carry no audit trail, and ICO fines can reach £17.5 million or 4 per cent of global annual turnover.
The NCSC is equally direct: organisations should avoid sending sensitive data to consumer AI tools that lack enterprise controls. Unmanaged personal Copilot use spreading across a team is a form of shadow IT, and unpicking inconsistent AI usage patterns later, once workflows have evolved around it, doubles the change-management effort.
The risk also runs the other way. Buying Copilot Business licences for every member of a 20-person team when only six of them do document-heavy knowledge work means paying for capability that will mostly sit unused. Microsoft positions Copilot as a tool for staff whose day is heavy on writing, searching, and meetings. Starting with a targeted cohort, measuring usage over 90 days, and expanding from there is a sounder commercial approach than a blanket rollout driven by a promotional deadline.
The CMA’s foundation model review flags a longer-term concern as well: deep integration with one productivity ecosystem makes switching harder if alternatives improve or prices change materially. That is worth factoring in before you build workflows that depend on Microsoft-specific integrations.
What should you ask before you decide?
Three diagnostic questions will do the heavy lifting before you open the pricing page. Which roles actually spend the bulk of their day inside Microsoft 365 writing, searching, and summarising? Do those roles handle data about customers or staff, and have you documented how it is processed? And are you buying for a handful of heavy users or expecting every seat to earn its cost?
Beyond those three, a few practical checks are worth running before you sign anything.
Does your rollout involve personal data at scale? If Copilot Business will connect to inboxes or files containing customer or employee data, you will likely need a Data Protection Impact Assessment before enabling it. The ICO’s guidance on generative AI is explicit that new AI processing activities may require a DPIA, and skipping that step is the kind of oversight that creates regulatory exposure later.
Are your access controls and sensitivity labels configured? Copilot Business only surfaces information a user is already permitted to see. If your permissions are loose across SharePoint or Teams, the AI will reflect that, surfacing files and conversations that were only loosely restricted because nobody had got round to tidying them.
Are you eligible for bundle pricing? If you are already on Microsoft 365 Business Standard or Premium, promotional bundles combining Copilot Business have been available at discounts of up to 35 per cent on annual commitments. Check your current licence terms before buying standalone.
Finally, if your firm has EU customers or operations, the EU AI Act introduces transparency requirements for general-purpose AI deployments. It is worth a conversation with your legal adviser before you commit to a firm-wide rollout, particularly in sectors where clients or regulators may ask questions about how AI is used in their matters.



