The Microsoft Setting You Should Check Today

There is a setting in Microsoft 365 called Connected Experiences. Most organisations turned it on years ago. It runs things like spell check, translation, and document collaboration. Useful, unremarkable, easy to forget.

Here is the problem. Microsoft has quietly extended that same setting to cover parts of Copilot and the AI agents built on top of it. The setting you consented to five years ago for grammar checking now governs data flowing through AI agents that did not exist when you enabled it.

For a healthcare organisation running HIPAA-regulated data, that raises a simple question: can you prove your current Connected Experiences setting is HIPAA-compliant in the context of Copilot and agents? Most compliance officers cannot answer this today.

Check it yourself. Fifteen minutes.

• Log in to the Microsoft 365 admin centre.
• Find the privacy controls for Connected Experiences.
• Write down what is currently enabled.
• Pull out your current Microsoft 365 HIPAA Business Associate Agreement.
• Ask your compliance team: if we were audited tomorrow, could we defend this?

If the answer is yes, you are fine. If the answer is “we have not looked at this” — you have an exposure that needs assessing.

Why this matters

Microsoft is not the only one doing this. The same pattern applies to Google Workspace, Salesforce, ServiceNow, and every other enterprise platform that has added AI agents to software you were already using. You consented to one thing. The vendor extended the scope. Nobody asked you to re-consent. In a regulated environment, that is only a defensible position if someone has actually checked.

Go and check the setting.