FRONTIER · Issue 001
← All issues
Frontier · Issue 001 · 28 May 2026

Anthropic in M365 — Who Processes What, and Where

Claude is now inside Microsoft 365 Copilot as a formal subprocessor. Not a SaaS add-on your users signed up for separately — a contracted third-party model that Microsoft routes your data to under its own Product Terms and DPA.

This issue maps the architecture: what Microsoft processes, what Anthropic processes, what leaves the EU Data Boundary, what doesn't, and what your admins, compliance teams, and board need to know before the default-on date hits your tenant.

Audience: CTO Compliance M365 Admin 8 min read
Frontier Craig Stanley Studio
Issue 001 28 May 2026
ANTHRO
PIC IN
M365
Co-processing · Subprocessors · EUDB
Who processes what, and where.

Claude is inside your tenant now. Here is what that means for your data, your compliance, and your admin controls.

Subprocessor EU Data Boundary Copilot Cowork Admin controls
01 — The Setup

What Changed: Anthropic Becomes a Microsoft Subprocessor

Until recently, organisations that wanted to use Claude models inside Microsoft 365 Copilot had to opt in through a separate route — the "Anthropic independent processor" path — which meant accepting Anthropic's own terms and DPA directly for certain frontier features.[1]

That arrangement was decommissioned on 1 May 2026.[2] In its place, Anthropic has been onboarded as a formal Microsoft subprocessor under the standard Microsoft Product Terms and Data Protection Addendum (DPA). You no longer sign separate Anthropic enterprise contracts for these workloads. You don't need to. The Microsoft contract covers it.

For most non-EU commercial tenants, Anthropic as subprocessor is enabled by default from 7 January 2026. For EU, EFTA, and UK tenants, Anthropic remains off by default and requires explicit admin opt-in for both the global subprocessor setting and the separate M365 apps toggle.[3]

Anthropic is now inside your Microsoft contract — not a separate vendor relationship.

What the subprocessor arrangement means in practice

  • Anthropic must implement appropriate technical and organisational measures as required by Microsoft's DPA.[4]
  • Enterprise Data Protection and the Customer Copyright Commitment apply to Anthropic-processed workloads in the same way they apply to OpenAI-backed Copilot workloads.[4]
  • Anthropic cannot train on your data. Prompts, responses, and content processed via M365 Copilot are not used to improve Anthropic or Microsoft foundation models.[5]
  • Anthropic appears in Microsoft's published online services subprocessor list — the same list that includes Azure, LinkedIn, and GitHub.[6]
02 — The Architecture

Co-processing: What Each Party Actually Does

The phrase "co-processing" describes the division of labour between Microsoft and Anthropic when a Copilot request routes to a Claude model. It is not joint controllership — Anthropic is a processor acting on Microsoft's instructions. But understanding who does what is essential for compliance assessments, DPIAs, and honest conversations with your legal team.

Request lifecycle — co-processing in three steps
01
Microsoft — Orchestration

Copilot receives the request. It grounds the prompt using Microsoft Graph data, applies Entra ID permissions, enforces DLP and Purview policies, and constructs a bounded, filtered input for the model layer.[7]

02
Anthropic — Inference

Microsoft sends the bounded, encrypted prompt to Anthropic Claude for inference. Anthropic acts as a stateless subprocessor — it receives the input, generates a response, and returns it. No persistent storage. No state retained between requests.[8]

03
Microsoft — Output + Actions

Microsoft receives the model output, applies safety and compliance filters, and either presents the result or — in Cowork — queues approved actions for execution. All outputs and actions are logged within your tenant.[9]

Anthropic does not become a system of record. It performs transient inference on inputs that Microsoft controls. Microsoft retains responsibility for storage, logging, audit trails, and policy enforcement.[10] The risk surface for Anthropic is the prompt and the inference window — not your broader tenant data.

03 — Data

Where Data Goes and Why It Matters

This is the question that matters most for regulated organisations, and it requires two separate answers — one logical, one physical.

The logical answer (tenant boundary)

Logically, your data stays within your Microsoft 365 tenant boundary. Copilot uses your existing Entra ID permissions and DLP policies. Outputs and audit trails land back in tenant-owned storage. The compliance boundary — what you can discover, retain, and policy-enforce — does not change.[10]

The physical / geographic answer (EU Data Boundary)

Physically, it is more nuanced. When Anthropic models are used, a subset of data — the prompt and selected context — is transmitted to Anthropic's infrastructure for inference. Microsoft explicitly states that this processing is excluded from its EU Data Boundary and in-country processing commitments.[3][11]

Anthropic processing is excluded from the EU Data Boundary. Explicitly. In writing.

Microsoft's documentation for the "Copilot in Microsoft 365 apps with Anthropic models" setting states: "data processing for these models occurs outside of the Microsoft EU Data Boundary (EUDB)".[11]

Storage and state, however, remain in-region and under Microsoft's control. Anthropic does not hold persistent copies of customer data. No customer data or state is stored outside EU data centres for these workloads — only the transient inference window crosses the boundary.[3][12]

Data category Stays in EU? Notes
Tenant storage (SharePoint, OneDrive, Exchange) Yes Governed by Microsoft's standard EUDB commitments
Copilot outputs & conversation history Yes Stored in tenant-owned location; subject to Purview
Prompt + context sent for inference (Anthropic) No Transmitted encrypted; stateless; not stored by Anthropic
Audit trails & action logs (Cowork) Yes Logged within tenant via standard M365 logging
Model training N/A Your data is not used to train Anthropic or Microsoft models

For organisations where EUDB-only or in-country processing is a hard requirement — critical infrastructure, certain financial services, some public sector — Anthropic should remain disabled until you have written confirmation from Microsoft on the precise infrastructure path.[13]

04 — Controls

Admin Controls: What You Can Configure

Two controls govern Anthropic access in M365. They are independent and can be scoped to specific users or groups rather than applied tenant-wide.[14]

Control What it governs Default (non-EU) Default (EU/EFTA/UK)
AI providers as subprocessors Global toggle — enables or disables Anthropic (and other third-party providers) across Copilot Studio, Power Platform, and M365 services On (from 7 Jan 2026) Off — explicit opt-in required
Copilot in M365 apps with Anthropic models Separate control for Word, Excel, and PowerPoint — governs Anthropic usage specifically in these apps On Off — explicit opt-in required

Scoping options

Both controls can be assigned to specific users or security groups rather than applied tenant-wide. This means you can enable Anthropic for non-EU users or lower-risk populations while keeping it disabled for users handling sensitive or regulated data — without a blanket tenant block.[14]

What disabling Anthropic does and doesn't do

Disabling Anthropic as a subprocessor means Copilot routes those requests to other available models (Microsoft's own or OpenAI). It does not disable Copilot. It does not prevent the features from working. It changes the model used for inference — which is exactly what you need if your compliance position requires EUDB-only processing.[3]

Government and sovereign cloud exclusions

Anthropic models are not available in GCC, GCC High, DoD, or equivalent sovereign/government cloud environments. If your tenant sits in one of these clouds, this article does not apply to you — Anthropic is not an available provider in your environment.[15]

05 — Copilot Cowork

Copilot Cowork: Anthropic in the Agentic Layer

Copilot Cowork is the agentic execution layer inside Microsoft 365 Copilot. It plans and performs multi-step tasks — sending emails, scheduling meetings, creating and editing documents, posting to Teams, managing files — based on natural language instructions. It is available through the Frontier preview programme and is subject to preview terms.[16]

Cowork uses Anthropic's Claude models in a multi-model architecture for long-horizon planning and reasoning.[17] But the key point is where Cowork lives: it runs as a Microsoft-hosted service within your Microsoft 365 tenant, anchored in your Entra ID and compliance framework. Anthropic is invoked by that service as a subprocessor, not as an independently-contracted endpoint.[10]

Cowork is a Microsoft service. Anthropic is one of the models it calls. The tenant boundary holds.

Human-in-the-loop by design

Every Cowork action is visible in the conversation thread. Sensitive actions — sending email, creating calendar invites, posting to Teams — require explicit user approval before execution. The architecture is designed around human oversight, not autonomous execution.[16]

The "does data go to Anthropic?" question

At least one community source has claimed that Cowork keeps all processing within Microsoft 365 and data does not reach Anthropic. This conflicts with Microsoft's explicit EUDB-exclusion statements.[11][13] The conservative, contract-aligned position is: when Cowork uses Anthropic for planning or reasoning, a subset of tenant data — the bounded prompt and relevant context — is transmitted to Anthropic infrastructure for stateless inference, outside the EUDB, under Microsoft's DPA. Storage remains in-tenant. No training occurs. But the inference window does leave EU data centres.[12]

Distinct from Anthropic's own "Claude Cowork"

Anthropic has its own product called Claude Cowork, which operates under Anthropic's contracts and infrastructure. Microsoft Copilot Cowork is a completely separate product — a Microsoft service that uses Claude models. Do not conflate them in procurement documentation or DPIAs.[18]

06 — Board Level

The Board Framing

If you are preparing a board or CTO briefing, these are the five things the room needs to understand.

Five things the board needs to know

  • Anthropic is inside the Microsoft contract. Claude in Copilot and Cowork is consumed under Microsoft Product Terms and DPA as a subprocessor. No separate Anthropic SaaS contract is required or exists.
  • Cross-border processing happens. Anthropic processing is explicitly excluded from the EU Data Boundary and in-country guarantees. Prompts and context can be processed outside EU data centres — even for EUDB-committed tenants — when Anthropic models are used.
  • Co-processing is shared responsibility. Microsoft handles access control, grounding, and storage. Anthropic performs stateless inference. Microsoft enforces policy on outputs and actions. Neither party becomes a system of record for your data.
  • No training on enterprise data. Data processed via Anthropic in Copilot is not used to train Anthropic or Microsoft foundation models. This is contractually bound.
  • Controls exist but must be configured. Admins can disable Anthropic globally, scope it to specific users or groups, and separately govern its use in Word, Excel, and PowerPoint. These are not automatic — they require deliberate admin action.

For regulated organisations

Treat Anthropic in Copilot as a third-party subprocessor with cross-border processing. It needs to appear in your subprocessor registers and DPIAs. Mitigations include scoping Anthropic to specific user populations, disabling it where EUDB-only processing is mandatory, and codifying approved Cowork use cases with clear approval gate requirements before agentic execution is allowed.

Questions your CTO should be able to answer

  1. Where in our tenant can Anthropic be used, and for which users or groups?
  2. Which categories of data may be transmitted to Anthropic for inference, and what exclusions do we enforce?
  3. How does Anthropic processing interact with our EU Data Boundary and in-country commitments?
  4. What oversight do we have over Anthropic as a subprocessor — contractual, technical, and organisational?
  5. How are Copilot Cowork actions logged, approved, and audited across the tenant?
07 — Open Questions

What Is Still Unclear

Public sources still disagree on whether Anthropic's models for Microsoft workloads run on Anthropic-controlled infrastructure or on Azure under Anthropic's management. Community posts assert one or the other without authoritative sourcing.

Because Microsoft explicitly excludes Anthropic processing from the EU Data Boundary while listing Anthropic as a subprocessor, the safest working assumption is that some processing occurs on Anthropic-controlled infrastructure under Microsoft's contractual oversight — not within Azure regions.[13]

Where this distinction materially affects your risk posture — national security workloads, critical infrastructure, MoD or equivalent — obtain written clarification from Microsoft directly. Request up-to-date subprocessor listings and data-flow diagrams. Do not rely on community commentary or this article for high-stakes decisions. It is a starting framework, not a legal opinion.

Sources

Citations

All sources verified against Microsoft public documentation and Microsoft Learn as of 28 May 2026.

  1. Microsoft Learn — Manage Anthropic Claude models in Copilot (independent processor settings). Describes the deprecated independent processor path and transition to subprocessor model. learn.microsoft.com/en-us/copilot/microsoft-365/manage-anthropic-claude
  2. Microsoft Learn — Manage AI providers as subprocessors for Copilot. Documents the 1 May 2026 decommission of the independent processor option and the transition to subprocessor-only model. learn.microsoft.com/en-us/microsoft-365/admin/misc/copilot-ai-providers
  3. Microsoft Learn — Microsoft 365 Copilot: EU Data Boundary and AI providers. States the January 7 2026 default-on date for non-EU commercial tenants and EU/EFTA/UK opt-in requirement. learn.microsoft.com/en-us/microsoft-365/admin/misc/copilot-ai-providers
  4. Microsoft Product Terms and Data Protection Addendum (DPA) — governs all online services subprocessors including Anthropic. microsoft.com/en-us/licensing/product-licensing/products
  5. Microsoft — Microsoft 365 Copilot: Data, Privacy, and Security. Confirms enterprise data is not used to train foundation models, including when Anthropic models are used. learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-privacy
  6. Microsoft — Microsoft Online Services Subprocessor List. Lists Anthropic as an authorised subprocessor for inference in Copilot-enabled services. aka.ms/subprocessors
  7. Microsoft Learn — Microsoft 365 Copilot architecture overview. Describes the grounding and orchestration layer, Graph-based context retrieval, and permission scoping before model invocation. learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-architecture
  8. Microsoft Learn — Manage AI providers as subprocessors. Describes the encrypted, bounded prompt sent to Anthropic infrastructure for stateless inference. learn.microsoft.com/en-us/microsoft-365/admin/misc/copilot-ai-providers
  9. Microsoft Learn — Copilot Cowork: overview and actions. Describes output filtering, action approval gates, and tenant-side logging. learn.microsoft.com/en-us/copilot/microsoft-365/
  10. Microsoft Learn — Microsoft 365 Copilot: Data, Privacy, and Security — section on data storage and retention. Confirms Anthropic is a processor, not a controller, and holds no persistent copies of customer data. learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-privacy
  11. Microsoft Learn — Copilot in Microsoft 365 apps with Anthropic models. Direct quotation: "data processing for these models occurs outside of the Microsoft EU Data Boundary (EUDB)". learn.microsoft.com/en-us/microsoft-365/admin/misc/copilot-ai-providers
  12. Microsoft — EU Data Boundary documentation. Confirms storage remains in-region even when inference crosses the boundary. learn.microsoft.com/en-us/privacy/eudb/eu-data-boundary-learn
  13. Microsoft — AI providers subprocessor FAQ. Recommends written clarification from Microsoft for national security or critical infrastructure workloads where infrastructure details are material to risk posture. learn.microsoft.com/en-us/microsoft-365/admin/misc/copilot-ai-providers
  14. Microsoft 365 admin centre — Copilot settings: AI providers. Documents both controls, default states by geography, and the scoping options for individual users or security groups. admin.microsoft.com
  15. Microsoft Learn — Microsoft 365 Copilot availability. Lists government and sovereign cloud exclusions for Anthropic model access. learn.microsoft.com/en-us/microsoft-365/admin/misc/copilot-ai-providers
  16. Microsoft Learn — Copilot Cowork overview (Frontier preview). Describes the agentic execution capability, the human-in-the-loop approval model, and the multi-step action scope. learn.microsoft.com/en-us/copilot/microsoft-365/
  17. Multiple practitioner analyses via Microsoft Frontier partner briefings. Describe the multi-model orchestration layer that routes planning tasks to Claude and other tasks to other models within Cowork.
  18. Anthropic — Claude Cowork product page. Anthropic's own Cowork SaaS product, operating under Anthropic's contracts — distinct from Microsoft Copilot Cowork. anthropic.com

AI-assisted research: this issue was researched and drafted with the assistance of Claude (Anthropic). All claims have been checked against cited sources. Where sources are paywalled or require Microsoft tenant access, the citation describes the document and its canonical URL. This article does not constitute legal advice. Obtain your own professional guidance for DPIA, GDPR, and contractual compliance decisions.