M365 · Copilot Studio · GitHub Copilot · MCP
PortEden

Secure your data with Microsoft Copilot

PortEden makes M365 Copilot tenant-wide-ready. The Graph proxy fronts Copilot with per-site, per-contact, per-label rules — so you can roll Copilot out to everyone without holding it back for a year-long DLP-labelling project. Same firewall covers Copilot Studio and GitHub Copilot agents.


M365 · Copilot Studio · GitHub Copilot · Free PortEden tier

Works With What You Already Use
Gmail, Outlook, Google Calendar, Google Drive, Google Docs, OneDrive, SharePoint, Teams, Slack, Notion, Asana, Monday, Linear, Jira, Confluence, Entra ID

Better Together

What PortEden Adds to Microsoft Copilot

  • Microsoft 365 Copilot is the natural surface for users already working in M365. PortEden's Graph proxy applies per-site, per-contact, and per-label rules at the request boundary, providing governance for tenant-wide rollout independent of the maturity of your DLP labelling estate.
  • Copilot Studio supports tenant-specific agents. PortEden routes those agents through Power Automate so each flow operates on redacted, audited data, under the same policy set that governs M365 Copilot itself.
  • GitHub Copilot's agent mode reads code, tests, and documentation at speed. PortEden's CLI is callable from the agent's tool list, providing controlled access to Workspace and M365 data without granting the agent broad Graph permissions.
  • Tenant-wide Copilot rollouts produce dense access patterns across SharePoint, Outlook, Teams, and OneDrive. PortEden unifies those streams into one exportable audit log keyed by user, site, and policy decision — feeding directly into Microsoft Sentinel, Splunk, or any SIEM, with a single source of truth for what Copilot grounded on and why.
Capability Matrix

Copilot With PortEden: What You Get

  • Pre-grounding PII redaction (stripped before Copilot grounds on Graph). Copilot: No. + PortEden: Yes.
  • Per-tool, per-action RBAC. Copilot: No. + PortEden: Yes.
  • Per-contact / per-domain firewall rules. Copilot: No. + PortEden: Yes.
  • SIEM-exportable audit log of every grounding call (Purview audit covers events; PortEden adds per-tool-call detail). Copilot: Partial. + PortEden: Yes.
  • Site- and label-aware oversharing protection (Microsoft DLP + PortEden's per-site rules). Copilot: Partial. + PortEden: Yes.
  • Native MCP support, Copilot Studio + federated connectors (MCP GA in Copilot Studio 2026; M365 Copilot federated connectors use MCP). Copilot: Yes. + PortEden: Yes.
  • Custom Copilot connector (Copilot Studio). Copilot: Yes. + PortEden: Yes.
  • GitHub Copilot agent integration (via the PortEden CLI + VS Code MCP). Copilot: Yes. + PortEden: Yes.
  • Token-context reduction, smaller and faster prompts (~80% reduction via context hygiene). Copilot: No. + PortEden: Yes.
  • IdP identity sync, Entra ID / Okta / Google Workspace (Entra carries the user; PortEden ties firewall rules to IdP groups). Copilot: Partial. + PortEden: Yes.
  • Confirm-before-write on destructive actions (send / delete / forward require explicit confirmation). Copilot: No. + PortEden: Yes.
  • One-click revocation across surfaces. Copilot: No. + PortEden: Yes.

Agentic Coverage

Three Copilots, One Firewall

Connection: Graph proxy + Power Automate + CLI

M365 Copilot (Word / Excel / Outlook / Teams)

Add the PortEden Graph proxy as a custom Copilot connector in Copilot Studio. Copilot grounds on the proxy instead of Graph; redaction and per-site rules apply before any tenant data is returned.


Copilot Studio agents

Power Automate flows call the PortEden REST API. Same firewall, same audit, same per-token RBAC — just routed through Copilot Studio instead of M365 Copilot.


GitHub Copilot agents (Workspace, agent mode)

The PortEden CLI goes in the agent's tool list. Agents shell out to porteden for any Workspace or M365 data, with no direct Graph or Drive calls and every tool call audited.

Tooling Notes
  • The Graph proxy supports the Microsoft Graph endpoints Copilot grounds on most: Mail, Calendar, SharePoint, OneDrive, Teams chat.
  • Copilot Studio's custom connector takes a Bearer token — paste a PortEden API key and the agent inherits the token's permissions.
  • GitHub Copilot agents call the CLI just like OpenClaw skills. Same -jc compact-JSON format, same per-token quotas.
  • Per-contact and per-domain access rules are the most useful Copilot control — block sensitive contacts (legal, HR, executive) at the firewall and Copilot can't ground on their content even with a permissive token.
  • Audit log captures the tool call, the arguments, the rule that fired, and the redacted payload — exportable as CSV or piped to a SIEM.

Connect Copilot in Under 10 Minutes

1. Generate a PortEden Graph-proxy token

At my.porteden.com, create a token scoped to the M365 services Copilot should ground on. Set per-site access rules.

2. Add a custom connector in Copilot Studio

Point it at https://graph-proxy.porteden.com/v1 with the Bearer token. Publish to your tenant.

3. Use Copilot exactly as you do today

M365 Copilot grounds through PortEden. Per-contact and per-site rules block sensitive content invisibly. Every call is audited at my.porteden.com.

Copilot + PortEden

Five-Minute Setup. Free While You Test.

Connect a data source, plug Copilot into PortEden, and put Copilot to work on the data your team actually needs to handle.

Frequently Asked Questions

Does PortEden replace Microsoft Purview?
No — PortEden complements Purview. Purview governs labels and DLP across the tenant; PortEden enforces them at the Copilot grounding boundary plus adds firewall-style per-contact rules and a per-call audit. Tenants run both: Purview for the long-cycle data-governance program, PortEden for the immediate Copilot blast radius.
How does the Graph proxy actually work?
PortEden hosts a Microsoft Graph-compatible API at graph-proxy.porteden.com. You add it to Copilot Studio as a custom connector. When M365 Copilot calls a Graph endpoint through the connector, PortEden's policy engine evaluates the request, fetches the underlying data with the user's delegated permission, redacts sensitive fields, and returns the cleaned payload. Copilot grounds on what comes back.
Does this stop the SharePoint oversharing problem?
Yes — for the data Copilot grounds through PortEden. Per-site rules at my.porteden.com let you mark specific SharePoint sites as opaque to Copilot regardless of the user's Graph permission. Combined with sensitivity-label enforcement and per-contact rules, oversharing through Copilot drops to the data you've explicitly allowed.
Will GitHub Copilot agents work with PortEden?
Yes — GitHub Copilot's agent-mode and Copilot Workspace agents can shell out to the PortEden CLI just like OpenClaw skills. The CLI returns redacted Workspace/M365 data; the agent never touches Graph or Drive directly. Same audit log, same per-token quotas as the rest of PortEden.
What happens when Copilot tries to ground on something the firewall blocks?
The Graph proxy returns a structured permission-denied response. Copilot sees the rejection and surfaces it in the answer ("I couldn't read content from [site] — your firewall blocks Copilot from grounding there"). The audit log captures the tool call, the site, and the rule that fired.
Will this slow Copilot down?
The proxy adds ~150-300 ms per grounding call. Most tenants see end-to-end Copilot latency stay flat or improve, because PortEden also reduces the volume of irrelevant data Copilot grounds on (per-site rules trim the search space).
How do I deploy this tenant-wide?
Through Copilot Studio. Publish the custom connector to the tenant; M365 Copilot users adopt it via the standard Copilot agent-onboarding flow. For larger rollouts, talk to sales — we have an admin-driven deployment path that doesn't require user-by-user opt-in.
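
The flow described in the answers to "How does the Graph proxy actually work?" and "What happens when Copilot tries to ground on something the firewall blocks?", as an added Python illustration that is not PortEden's code or API: the policy is evaluated before any fetch, a blocked request gets a structured denial, an allowed payload is redacted, and the audit record stores only what was returned. The policy format, field names, rule labels and `fake_fetch` are all assumptions made for this example.

```python
import re

# Constructed policy; every name and value here is hypothetical.
POLICY = {
    "blocked_sites": {"hr-confidential"},
    "blocked_contacts": {"legal@example.com"},
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
AUDIT_LOG = []  # one record per grounding call


def evaluate(request):
    """Return (decision, rule) for a grounding request."""
    if request.get("site") in POLICY["blocked_sites"]:
        return "deny", f"site:{request['site']}"
    hit = POLICY["blocked_contacts"] & set(request.get("contacts", []))
    if hit:
        return "deny", f"contact:{sorted(hit)[0]}"
    return "allow", "no-rule-matched"


def redact(text):
    """Mask e-mail addresses before the payload goes back to the caller."""
    return EMAIL_RE.sub("[REDACTED_EMAIL]", text)


def handle(user, request, fetch):
    """Policy check first; fetch and redact only when the request is allowed."""
    decision, rule = evaluate(request)
    if decision == "deny":
        # Structured denial: the backend is never called for blocked content.
        response = {"status": 403, "error": "permission_denied", "rule": rule}
    else:
        response = {"status": 200, "body": redact(fetch(request))}
    # Audit the call, its arguments, the rule that fired and the redacted
    # response, never the raw upstream payload.
    AUDIT_LOG.append({"user": user, "call": request["tool"], "args": request,
                      "decision": decision, "rule": rule, "returned": response})
    return response


def fake_fetch(request):
    """Constructed stand-in for the upstream data source."""
    return "Q3 plan owner: dana@example.com, see wiki"
```
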

Get More From Copilot With PortEden

Five-minute setup. Free tier for solo licensed practitioners. Same AI you already use — now ready for the work your team actually needs to do.

Rolling out to a whole team? Talk to sales →