Caution: Actions in Edge Preview is a preview feature available as an opt-in experience in Edge Copilot Mode. Actions in Edge may misinterpret your instructions, make significant mistakes, or be deceived by malicious instructions hidden on web pages. Always monitor its behavior closely. Be especially careful if you give it access to or ask it to perform an action related to sensitive information such as email or banking systems.
Using a simple, conversational prompt as input, you can instruct Copilot to perform tasks on the web using Microsoft Edge. Copilot has access to your Edge profile information and browsing activity to better and more quickly complete your tasks.
You can ask Copilot to do simple tasks like navigating to a website, reserving a restaurant, booking an appointment, editing your current webpage, and so much more.
What security considerations should I be aware of?
Actions in Edge introduces helpful new capabilities in the browser to handle tasks on your behalf so you can be more productive. However, this feature is in preview and it can introduce risks you should be aware of:
- Prompt Injection: Malicious sites may try to trick Copilot into performing unintended actions. For example, you might ask Copilot to order ingredients from a recipe webpage. While processing the page, it could encounter hidden malicious text designed to override your request, for instance, directing it to visit another site to collect sensitive information instead.
- Unintended actions: Copilot may misinterpret your request or act differently than you expect. Please monitor its activity closely.
- Financial risks: Using Copilot for purchases or banking could expose sensitive information or result in unauthorized actions.
- Privacy risks: Copilot may interact with sites that contain personal, sensitive, or confidential data.
Copilot includes safeguards designed to help reduce risks, but you should exercise caution and closely monitor Copilot's work.
How do I use Copilot Actions in Edge safely?
Agentic browsing comes with unique risks. Consider these best practices before using:
- Choose trusted sites: Only grant Copilot access to websites you’re familiar with and trust.
- Avoid sensitive tasks: Don’t use actions for sensitive activities like financial transactions, medical info, or password entry.
- Don’t share private information: Never type sensitive details such as passwords, addresses, or financial information directly into Copilot. When needed to complete an action, fill these details in yourself.
- Monitor unexpected behavior: Stop the action if Copilot starts behaving unexpectedly or takes actions you didn’t intend.
What safety measures does Microsoft Edge have?
Microsoft Edge includes several safety measures to help reduce these risks:
- Edge Blocklists: Edge can prevent Copilot from accessing high-risk sites, such as adult content or gambling websites.
- Edge Security lists: Enhanced security settings let you control how much access Copilot has on certain sites. You can also specify sites that Copilot should never be allowed to visit in your Edge Settings.
- Restricted Edge profile information: While Copilot is completing Actions and interacting with webpages in Edge, it cannot access autofill data, saved passwords, or wallet information.
What Microsoft Edge data can Copilot access?
Copilot uses the following data in Edge to do its job:
- Screenshots: Copilot captures screenshots of the webpage it is using solely to browse and act on your behalf. These screenshots are never used for training.
- Edge profile data access: Copilot uses your current browser window to perform tasks, which includes limited information within your Edge profile; it does not have unrestricted access to all your data.
- Cookies: Copilot can access cookies, which means if you’re already signed into a site that Copilot has access to, it will also be signed in automatically. To avoid this, you can either delete all cookies before testing Actions in Edge or start with a brand-new browser profile. View how you can manage your cookies.
- Open tabs in browser window: With Actions in Edge Preview, Copilot has access to the tabs currently open in your browser window to help with tasks. For example, summarizing multiple tabs and performing an action based on that summary. It can also work directly in an existing tab if you explicitly ask, such as reformatting a document you already have open.
- Site Permissions: When you ask Copilot to perform a simple action like going to a web site, the web site that is opened by Copilot will have the same permissions to device capabilities, such as camera, location, or microphone, that it would have if you navigated to the site yourself. So, if you have granted a site permissions previously, these permissions still apply. When Copilot is interacting with a site, such as clicking, searching, or scrolling, these permissions are temporarily suspended.
Does Actions in Edge capture and store images of what it is looking at and working on?
Yes—when Copilot is performing an action, Copilot takes screenshots of the pages it visits to “see” and interact with them. These screenshots are limited to the tabs Copilot is working on in the current browser window. They are saved with the conversation in your history, allowing you to review Copilot’s work.
Screenshots are not used for training. When you delete a conversation, the associated screenshots are also deleted. Otherwise, screenshots are retained for up to 30 days.
Do Actions in Edge Preview store or log user inputs, screenshots and outputs?
As part of Copilot Actions in Edge Preview, your text prompts and Copilot's responses are saved in the conversation history, along with a record of the work Copilot did on your behalf. The information that you enter directly into a webpage, such as personal data in a form, is not saved by Copilot, but it may be saved in Edge. While Copilot is in control, it takes screenshots of the pages it visits. If you stop the Action, you will be in control, so Copilot will not capture or send any screenshots until you start the Action again. This information is stored so there is a clear history to help troubleshoot and review Copilot’s work. Copilot Actions in Edge Preview responses are monitored to help prevent unsafe interactions and outputs.
If a task requires your input, such as personal details or payment information, Copilot will ask you to provide it, and you can take control of the tab and enter it yourself. When entering the information on the page, Copilot does not save it, though Edge may save it.
When will Actions in Edge Preview ask for confirmation, supervision, or for the user to take control?
Copilot will ask for your attention and supervision for certain actions such as buying an item, booking a reservation, sending an email, or deleting an event from a calendar. For certain websites, it will ask you to monitor the work or take control, specifically on higher-risk sites like banking or email. It may also ask you to approve a site if it doesn’t seem directly related to your task.
Do Actions in Edge Preview work with every site?
No—they do not work with every site. There are also a few important examples where Actions in Edge will not work, by design:
- Policy-blocked sites: Sites that don’t align to Copilot’s policies, such as sites containing offensive content, will not be accessible. For more information on our policy see Terms of Use and Content Policy.
- Your Allow and Block lists: Actions in Edge are limited to a curated set of sites that are approved. If a site isn’t on this allow list, Copilot won’t be able to interact with it until you approve it. You can also create your own list of sites that Copilot is blocked from accessing when using Actions in Edge. To add sites to the allow or block list in Edge settings, go to Settings > AI Innovations > Actions in Edge Preview. Then, select Manage what URLs can or cannot be access by Actions in Edge. There you can add sites to either of these lists.
What prevents Actions in Edge Preview from being used for harmful, offensive, or illegal purposes?
Security, digital safety, and responsible AI are top priorities for Microsoft. Actions will not be available to work with sites that Copilot has determined to contain harmful content or content not aligned with policies. Actions may not be used for harmful, offensive, or illegal activity. Copilot will refuse these tasks. Serious or repeated violations of the Code of Conduct may result in your suspension from using Actions.
To learn more, visit Transparency Note for Microsoft Copilot, Responsible AI at Microsoft and Terms of Use and Content Policy.
How do I adjust permissions in Microsoft Edge?
You can adjust Copilot permissions by going to Settings > AI innovations in Edge. These settings control how Copilot handles site security and permissions, and there are three levels:
- Light (least secure): Apply minimal protections, allowing Copilot to navigate and act on most sites without asking for your permission. Using this mode increases the risk of malicious activity.
- Balanced (recommended): Copilot can work on popular, commonly trusted websites without asking for your confirmation. For unfamiliar or less common sites, it will ask for your approval before continuing.
- Strict (most secure): Copilot will always ask for your permission before working on any site.
Additionally, in Settings, you can add sites to an allow list where Copilot is permitted to act, or to a block list where Copilot will never be able to act.
When Copilot needs access to a site it doesn’t already have permission for, it will ask you in a prompt within the chat. You can choose from the following options:
- “Always allow” grants Copilot ongoing permission for this site for multiple actions. It won’t ask again. Only use this for sites you trust.
- “Allow once” grants Copilot access to this site for a single action. Copilot will ask again next time. This is the safest option.
- “Cancel” prevents Copilot from taking this action and stops the action.