Commit 735542c

Merge branch 'main' into docs-editor/manage-saas-apps-1752066086
2 parents b94482a + 1fb3d17 commit 735542c

42 files changed

Lines changed: 494 additions & 192 deletions

.openpublishing.redirection.copilot.json

Lines changed: 5 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -9,6 +9,11 @@
99
"source_path": "copilot/microsoft-365-copilot-search-privacy.md",
1010
"redirect_url": "/copilot/microsoft-365-copilot-search",
1111
"redirect_document_id": false
12+
},
13+
{
14+
"source_path": "copilot/pin-copilot.md",
15+
"redirect_url": "/copilot/microsoft-365/pin-copilot-chat-navbar",
16+
"redirect_document_id": false
1217
}
1318
]
1419
}
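
Review bot: The `redirect_url` on added line 15, `/copilot/microsoft-365/pin-copilot-chat-navbar`, carries a `microsoft-365/` path segment that the neighbouring entry (`/copilot/microsoft-365-copilot-search`) does not, and the TOC change in this same commit points at `pin-copilot-chat-navbar.md` directly under `copilot/`. If the renamed article lives at `copilot/pin-copilot-chat-navbar.md`, the target should be `/copilot/pin-copilot-chat-navbar`; otherwise old links to `pin-copilot.md` will redirect to a page that does not exist. Please confirm the published path and align the redirect with the TOC.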

copilot/TOC.yml

Lines changed: 3 additions & 1 deletion
@@ -65,8 +65,10 @@ items:
6565
href: microsoft-365-copilot-app-admin-settings.md
6666
- name: Set up Organizational Asset Library
6767
href: enterprise-brand-manager.md
68+
- name: Pin the Copilot app to the Windows taskbar
69+
href: pin-copilot-taskbar.md
6870
- name: Pin Copilot Chat to the navigation bar
69-
href: pin-copilot.md
71+
href: pin-copilot-chat-navbar.md
7072
- name: Copilot in Microsoft 365 admin centers
7173
href: copilot-for-microsoft-365-admin.md
7274
- name: Multiple account access for work and school documents

copilot/copilot-agent-install.md

Lines changed: 5 additions & 1 deletion
@@ -4,7 +4,7 @@ f1.keywords:
44
ms.author: erikre
55
author: ErikRe
66
manager: dansimp
7-
ms.date: 06/25/2025
7+
ms.date: 07/10/2025
88
audience: Admin
99
ms.topic: concept-article
1010
ms.service: microsoft-365-copilot
@@ -54,6 +54,10 @@ Users can install agents that are available in Agent Store based on the policies
5454

5555
Organizations can govern these agents in the Copilot Control System section of the Microsoft 365 admin center. Administrators have a full set of lifecycle management tools for these agents. Microsoft offers granular controls that enable administrators to install and block agents. Additionally, administrators can remove shared and custom agents for some or all of the users in their tenant.
5656

57+
### Microsoft-built agent licensing
58+
59+
Some agents built by Microsoft, including Researcher and Analyst, are governed by [Supplementary Terms of Service](https://support.microsoft.com/office/supplementary-terms-of-service-for-teams-apps-powered-by-microsoft-365-services-and-applications-bc6027fe-68c3-4758-a70d-cfe97c43b4e2) which refers to the Microsoft 365 [Product Terms](https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/all), and by reference, includes the Data Protection Addendum (DPA). The same Product Terms and DPA also govern the Microsoft 365 Copilot service.
60+
5761
## Related content
5862

5963
- [Manage agents for Microsoft 365 Copilot in the Microsoft 365 admin center](/microsoft-365/admin/manage/manage-copilot-agents-integrated-apps)
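
Review bot: The paragraph added on line 59 says "Some agents built by Microsoft, including Researcher and Analyst" without telling an admin how to find out which other agents fall under the Supplementary Terms of Service, so the scope of the terms and of the DPA is left open. Either list the agents or link to where that list is maintained. The sentence also needs a grammar pass: "Supplementary Terms of Service which refers to ... and by reference, includes" should read "which refer to ... and, by reference, include".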

copilot/employee-self-service/customize.md

Lines changed: 2 additions & 2 deletions
@@ -26,13 +26,13 @@ Customization is how you make the Employee Self-Service (ESS) agent work in the
2626

2727
|Role |Activities to perform |Configuration area |
2828
|-----|----------------------|-------------------|
29-
|Environment Maker </br>Service owner of ESS agent |- Set up user context </br>- Customize ESS agent |Microsoft Copilot Studio |
29+
|Environment Maker </br>Owner of ESS agent |- Set up user context </br>- Customize ESS agent |Microsoft Copilot Studio |
3030
|ISV Administrators </br>Service owners of specific applications |Provide configuration inputs such as URLs, OAUTH tokens, and more |ISV configuration |
3131
|HR </br>IT </br>Legal </br>Privacy |-Identify knowledge sources </br>-Provide frequent queries </Identify sensitive queries> | N/A |
3232

3333
## Understanding components
3434

35-
Before continuing with configuring the ESS Agent, the service owner who will manage the ESS agent going forward must have a thorough understanding of its architecture.
35+
Before continuing with configuring the ESS Agent, the agent owner who will manage the ESS agent going forward must have a thorough understanding of its architecture.
3636
The ESS agent is built with the following components:
3737

3838
### Topics
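
Review bot: The table row on line 31, left unchanged just below the edited row, still contains the malformed tag `</Identify sensitive queries>`, which looks like a mistyped `</br>-Identify sensitive queries` and will not render as a third list item. Since this change already touches the table, fix it in the same pass. The rename is also applied two ways within this hunk ("Owner of ESS agent" on line 29, "agent owner" on line 35); pick one term and use it across the ESS articles.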

copilot/employee-self-service/deploy-overview-alm.md

Lines changed: 1 addition & 1 deletion
@@ -80,7 +80,7 @@ You need to work with your organization’s Power Platform administrator to esta
8080

8181
The ESS Agent has three distinct persona experiences:
8282

83-
1. Administrator: Prepare the tenant to deploy, configure, and operate the ESS agent with the correct roles assigned to identified service owners.
83+
1. Administrator: Prepare the tenant to deploy, configure, and operate the ESS agent with the correct roles assigned to identified administrators.
8484

8585
2. Environment maker: Install, configure, and publish the agent, including third-party ISV packages.
8686

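Review bot: On line 83 the replacement makes the step circular: "Administrator: ... with the correct roles assigned to identified administrators" no longer says who receives the roles or which roles are meant. The other ESS files in this commit replace "service owner" with "agent owner", so either use that term here or name the roles explicitly, so that readers can tell which accounts are being granted them.
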
copilot/employee-self-service/known-issues-limitations.md

Lines changed: 1 addition & 1 deletion
@@ -54,7 +54,7 @@ Applies to:
5454
|-----|-----------|------------|----------------------|
5555
|Domain support |Limited to a single domain per environment (either HR or IT). |Multi-domain support within the same environment is planned for release in the second half of CY2025. |Begin with the domain that will deliver the most immediate value to your organization—either HR or IT. If you need both, consider creating separate Power Platform environments: one for HR and another for IT. |
5656
|Third-party connector setup |Power Platform connectors can’t be used with on-premises gateway connections at this time. |There are no plans to include this in the future roadmap. |If needed, consider moving your key content to a cloud platform like SharePoint or ServiceNow. |
57-
|Third-party connector setup |Hierarchical Permissions in ServiceNow Graph Connector doesn't work currently. |Support for hierarchical permissions is planned for release in the second half of CY2025. |If you need support for Hierarchical Permissions in ServiceNow Knowledge for ESS Agent, fill [this form](https://forms.office.com/r/BVvQktxXw1). This feature isn't Generally Available, and we're allowlisting tenants on request basis. |
57+
|Third-party connector setup |Hierarchical Permissions in ServiceNow Graph Connector doesn't work currently. |Support for hierarchical permissions is planned for release in the second half of CY2025. |If you need support for Hierarchical Permissions in ServiceNow Knowledge for ESS Agent, fill [this form](https://forms.office.com/r/Cu7DTDg0uz). This feature isn't Generally Available, and we're allowlisting tenants on request basis. |
5858
|Third-party connector setup |Third-party connector setup (like Workday, ServiceNow, or SuccessFactors) takes time, can be complex, and typically needs someone with deep technical expertise. |By design - there are no plans to include it in the future roadmap. |To work around this, carefully follow the setup documentation and involve someone with subject matter expertise in configuring third-party systems. Alternatively, consider starting with SharePoint as your initial knowledge source. You can add ISV connectors once your IT team has the necessary expertise and capacity to manage the integration effectively. |
5959
|Third-party connector setup |The ESS Agent only includes prebuilt 'read' scenarios for supported connectors. If you want to enable actions like time-off requests or approvals, wait for those to be supported |Support for more read/write scenarios is planned for release in the second half of CY2025. |Start with agent’s knowledge retrieval scenarios first. For advanced task completion scenarios, wait for those to be supported or set-up custom Topic workflows. |
6060
|Third-party connector setup |Only supports User Principal Name (UPN) based user mapping for third party integrations |Support for non-UPN based mapping is under evaluation and targeting for post-July 2025 |Work with the third party provider to have UPN based user-mapping for integrations |

copilot/employee-self-service/prepare.md

Lines changed: 2 additions & 2 deletions
@@ -36,7 +36,7 @@ Preparation is the first step to deploying the Employee Self-Service (ESS) agent
3636
1. Sign in as a Global admin to your [admin center](https://admin.microsoft.com).
3737
1. Select **Roles**, then choose **Role assignments**.
3838
1. In the **Microsoft Entra ID** section, find the **Power Platform Administrator** role.
39-
1. Add the users you've chosen as service owners for the ESS agent in the **Assigned** section.
39+
1. Add identified users in the **Assigned** section.
4040

4141
## Set up your Power Platform environment and assign the Environment Maker role
4242

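Review bot: Step 4 on line 39 now reads "Add identified users", but none of the visible steps identifies anyone, and the role being granted is **Power Platform Administrator**. State who should be added (for example, the administrators who will install the ESS agent) so the step does not read as permission to assign an admin role broadly.
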
@@ -48,7 +48,7 @@ Preparation is the first step to deploying the Employee Self-Service (ESS) agent
4848
1. Add a **Dataverse data store**.
4949
1. Under **Access**, select **Security roles**.
5050
1. From the list of security roles, select **Environment Maker**. Choose **Members** in the top ribbon.
51-
1. Select **Add people** in the ribbon to add the designated person who can configure and publish the ESS agent. This person is typically the service owner in your organization.
51+
1. Select **Add people** in the ribbon to add the designated person who can configure and publish the ESS agent. This person is typically the agent owner in your organization.
5252

5353
>[!NOTE]
5454
>Environment Makers can't install new agents. Only the environment administrators can install new agents.

copilot/employee-self-service/prerequisites.md

Lines changed: 1 addition & 1 deletion
@@ -132,7 +132,7 @@ The ESS Agent includes several different technical components and configuration
132132
|-----|------------|---------------------|-------------------|
133133
|Global admin |User who has permissions to configure and delegate other roles |Assign user roles |Microsoft admin center |
134134
|Power Platform administrator |User who has power to configure Power Platform environments and assign roles within Power Platform |- Create environments </br> - Assign user roles </br> - Install ESS agent |- Power Platform </br> - Microsoft Copilot Studio |
135-
|Power Platform maker |User who has permission to make changes in a specific Power Platform environment. It’s recommended to have the service owner for this agent perform this role. |Configure ESS agent |- Power Platform </br> - Microsoft Copilot Studio |
135+
|Power Platform maker |User who has permission to make changes in a specific Power Platform environment. It’s recommended to have the agent owner for this agent perform this role. |Configure ESS agent |- Power Platform </br> - Microsoft Copilot Studio |
136136
|ISV administrators |Users who manage third-party solutions |Provide configuration inputs for ISV applications |ISV application's administration and configuration interface |
137137
|Information security |Infrastructure team who manage and control enterprise application security policies |- Allowlist inbound requests for ISV endpoints </br> - Manage single sign-on configurations |- Network firewall policies </br> - Signle sign-on applications |
138138
|Change control board |Team that manages changes in an organization relating to deploying an enterprise application |- Approve technical architecture </br> - Approve data security, compliance, and governance policies </br> - Approve responsible AI polices |N/A |
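
Review bot: Line 135 now reads "the agent owner for this agent", which is redundant; "the agent owner" is enough. While this table is being edited, two typos in the context rows are worth fixing in the same pass: "Signle sign-on applications" on line 137 and "responsible AI polices" on line 138.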

copilot/employee-self-service/publish.md

Lines changed: 1 addition & 1 deletion
@@ -26,7 +26,7 @@ Publishing the Employee Self-Service (ESS) agent makes it available to your user
2626

2727
|Role |Activities to perform |Configuration area |
2828
|-----|----------------------|-------------------|
29-
|Environment Maker/ Service owner of the ESS agent |- Deploy customization solution to target environment</br> - Set up authentication</br> - Publish ESS agent |Microsoft Copilot Studio |
29+
|Environment Maker/ Owner of the ESS agent |- Deploy customization solution to target environment</br> - Set up authentication</br> - Publish ESS agent |Microsoft Copilot Studio |
3030
|Administrator |- Approve the ESS publish request</br> - Deploy it to selected users |Microsoft admin center |
3131
|Business stakeholders/ champions |Identify test users |N/A |
3232

copilot/employee-self-service/servicenow-hrsd-itsm.md

Lines changed: 85 additions & 3 deletions
@@ -73,7 +73,7 @@ Refer to the ESS Agent deployment guide for installation of the agent and subscr
7373
| **Application Developer** (*minimum privileged role*) | User who can register an application | Create an App registration - *if using Microsoft Entra OAuth for ServiceNow connector* | Microsoft 365 Admin Center |
7474
| **Environment Maker** | User who can customize ESS Agent | Configure & Customize ESS Agent | Microsoft Copilot Studio |
7575

76-
### ServiceNow configuration
76+
## ServiceNow configuration
7777

7878
This section outlines the tasks required to be configured in ServiceNow by an administrator. ServiceNow integration supports three types of authentications as follows:
7979

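Review bot: The intro on line 78 still says ServiceNow integration "supports three types of authentications", while the next hunk leaves four `###` sections under this heading (Basic authentication, Entra ID OAuth using Certificate, Entra ID OAuth User Login, and OAuth2 with an Application Registry). Update the count and the list that follows it so the overview matches the sections.
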
@@ -88,7 +88,86 @@ This section outlines the tasks required to be configured in ServiceNow by an ad
8888
> [!TIP]
8989
> Without elevating access, the new security objects can't be created. If **New** button in the top right of configuration pane is missing, then the role isn't elevated to "`security_admin`”.
9090
91-
#### Option 1: Using OAuth2 authentication - Create an OAuth Application Registry
91+
### Basic authentication
92+
93+
This method of authentication involves a ServiceNow username and password to authenticate API requests. This method is simple to use and is primarily suggested for testing purposes, as it offers lower security compared to other authentication methods.
94+
95+
### Microsoft EntraID OAuth using Certificate
96+
97+
This authentication uses app tokens, allowing a registered Entra ID application to access ServiceNow with a token specifying the ServiceNow Entra ID app as the resource.
98+
99+
#### Task 1: Register an application in Microsoft Entra ID for OIDC integration with ServiceNow
100+
101+
[Learn how to register an app in Microsoft Entra ID.](/entra/identity-platform/quickstart-register-app)
102+
103+
1. Sign into the Microsoft Entra admin portal as a global administrator or cloud app administrator.
104+
1. Go to **Applications** then **App registrations**.
105+
1. Select **New registration.**
106+
1. In the new registration form, fill in the following fields:
107+
1. **Name:** Any name that represents the purpose of app registratio
108+
1. **Redirect URL:** Not needed
109+
1. Choose **Register** to complete the creation of the new app registration.
110+
1. Select **Token configuration** then **Add optional claim** for adding claims setting.
111+
1. Select **Token type** as **Access** and choose the following claims:
112+
1. *aud* - for audience validation
113+
1. *email* - addressable email for user
114+
1. *upn* - an identifier for the user
115+
1. Select **Add** to complete adding the claims.
116+
1. If this is the first time OpenId Connect being setup using claims like email, upn, there’ll be a confirmation to turn on the Microsoft Graph permissions, please check the box and select **Add**.
117+
1. This flow completes the Microsoft Entra piece of configuration.
118+
119+
#### Task 2: Register OIDC provider in ServiceNow
120+
121+
1. Login to the ServiceNow instance that needs to be integrated with ESS Agent.
122+
1. Elevate access permissions using **Elevate role**. Refer to the section **Error! Reference source not found.** – only the first part and not the tasks.
123+
1. Click **All** in the top navigation bar.
124+
1. Search for “OAuth” in the search box within dropdown navigation menu.
125+
1. Select **System OAuth à Application Registry** from the search results (if you don’t see this option, then you don’t have sufficient privileges).
126+
1. Select **New** in the configuration section pane.
127+
1. Select **Configure an OIDC provider to verify ID tokens**.
128+
1. Fill in the following information for the new application registry:
129+
130+
|Configuration |Description |
131+
|--------------|------------|
132+
|Name |a meaningful name to identify that this OIDC provider was created for ESS Agent |
133+
|Client ID |The client ID of Entra Application created in Task 1 above |
134+
|Client secret |This value will not be used; can be any value |
135+
|OAuth OIDC provider configuration |Add a new OIDC provider configuration by selecting the search icon and choosing **New** in the search popup. Fill in the fields as follows:</br> **OIDC Provider:** A name that represents the Microsoft Entra tenant from task 1 above.</br> **OIDC Metadata URL:** `login.microsoftonline.com/<tenant ID>/.well-known/openid-configuration`</br> Replace < tenant ID > with the Entra tenant ID from task 1 above.</br> **OIDC Configuration Cache Life Span:** 120</br> **Application:** Global</br> **User Claim:** oid</br> **User Field:** User ID</br> **Enable JTI claim verification:** disabled</br> Select **Submit** and update the OIDC Entity form. |
136+
137+
#### Task 3: Register an Application in Microsoft Entra ID for connector usage
138+
139+
This is the application which plays the role of a user with elevated permissions in the ServiceNow instance.
140+
141+
1. Login to Entra administration portal as global administrator (or) cloud app administrator.
142+
1. Go to **Applications** > **App registrations**.
143+
1. Select **New registration**.
144+
1. In the new registration form, fill in the following fields:.
145+
1. **Name:** any name that represents the purpose of app registration.
146+
2. **Redirect URI:** Not needed.
147+
1. Click **Register** to complete the creation of new app registration.
148+
1. Select **Certificates & secrets** then upload the .cer file of the certificate. In case of SNI certificate, just add trustedCertificateSubjects in the manifest of the application with the relevant authorityId and subjectName.
149+
150+
#### Task 4: Create a System User in ServiceNow
151+
152+
This is the Application created in the above task 3 which is a user in ServiceNow instance.
153+
154+
Go to **User Administration** > **Users** to create a new user.
155+
156+
**User ID:** The object ID of the service principal of Application created in Task 3 above.
157+
158+
Check **Web service access only**.
159+
160+
### Microsoft Entra ID OAuth User Login
161+
162+
This is user-token based authentication where the end user can sign into Entra ID 1st party application i.e. ServiceNow connector 1st party app and get an access token with scope for the ServiceNow representative Entra ID app.
163+
164+
Perform Task 1 & Task 2 from the previous section Microsoft Entra ID OAuth using Certificate.
165+
166+
In the Task 1 – add the 1st party application i.e., ServiceNow connector to the permission scope – Client ID = c26b24aa-7874-4e06-ad55-7d06b1f79b63.
167+
168+
In the Task 2 – update the user claim to upn or any other custom claim property from the token in ServiceNow. The user field should match the ServiceNow system user table field containing the upn or user ID.
169+
170+
### Using OAuth2 authentication - Create an OAuth Application Registry
92171

93172
1. Log in to the ServiceNow instance that needs to be integrated with ESS Agent.
94173
2. Elevate access permissions using **Elevate role**.
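
Review bot: Added line 122 ships a broken cross-reference, "Refer to the section **Error! Reference source not found.**", so the pointer to the role elevation steps is lost; replace it with a link to the elevation text above the TIP. Other paste damage in the same block: "registratio" (line 107), "System OAuth à Application Registry" (line 125, where the arrow was lost), and an OIDC Metadata URL on line 135 with no `https://` scheme. On privileges, lines 103 and 141 tell the reader to sign in as global administrator or cloud app administrator, while the roles table above (line 73) names Application Developer as the minimum privileged role for creating an app registration; the steps should use the lower role. Line 135 also sets "Enable JTI claim verification: disabled" without giving a reason, and Task 4 never says which ServiceNow roles the system user needs; a sentence on each would let a security reviewer sign off on this setup.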
@@ -104,7 +183,7 @@ This section outlines the tasks required to be configured in ServiceNow by an ad
104183
| **Name** | a meaningful name to identify that this application registry is created for ESS Agent |
105184
| **Client ID** | autogenerated code <br><div class="alert">**Note**</br>This value is used in Microsoft 365 Copilot Connector configuration, if no Advanced Scripting is used. |
106185
| **Client Secret** | leave it blank to automatically generate a string <br><div class="alert">**Note**</br>This value is used in Microsoft 365 Copilot Connector configuration, if no Advanced Scripting is used. |
107-
| **Redirect URL** | a required callback URL that the authorization server redirects to </br>For Microsoft 365 Enterprise:</br>`https://gcs.office.com/v1.0/admin/oauth/callback`</br>For Microsoft 365 Government:</br>`https://gcsgcc.office.com/v1.0/admin/oauth/callback`|
186+
| **Redirect URL** | a required callback URL that the authorization server redirects to </br>For Microsoft 365 Enterprise:</br>`https://gcs.office.com/v1.0/admin/oauth/callback`</br>For Microsoft 365 Government:</br>`https://gcsgcc.office.com/v1.0/admin/oauth/callback` Refer to the note after the table for more information.|
108187
| **Logo URL** | A URL that contains the image for the application logo |
109188
| **Active** | Set to active |
110189
| **Refresh token lifespan** | The number of seconds that a refresh token is valid. </br>By default, refresh tokens expire in 100 days (8,640,000 seconds). Recommended value is 31,536,000 (one year) |
@@ -113,6 +192,9 @@ This section outlines the tasks required to be configured in ServiceNow by an ad
113192
| **Accessible from** | All application scopes |
114193
| **Client Type** | Integration as a Service |
115194

195+
>[!NOTE]
196+
>[Please use the actual callback URL from the sign-in popup window during connection configuration by following the steps below, when the URL redirection fails with the error **Invalid redirect_uri**:</br> Copy/paste the complete URL from the authorization popup window</br> Extract redirect_uri parameter.</br> Example: `redirect_uri=https%3a%2f%2ftip1-shared.consent.azure-apim.net%2fredirect`</br> After decoding the URL – replacing %3a with : and %2f with /</br> Update the Redirect URL field.]
197+
116198
9. Select **Submit** or **Update** button to save the changes.
117199

118200
### Install ServiceNow HRSD extension pack
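
Review bot: The note added on line 196 tells admins to copy whatever `redirect_uri` appears in the sign-in popup into the **Redirect URL** field, but does not say which hosts are expected there. Since that field decides where ServiceNow sends the authorization response, name the expected domain pattern (the example uses `tip1-shared.consent.azure-apim.net`) and ask the admin to check the value against it before saving. On formatting: the note body is wrapped in `[` ... `]`, which will render as literal brackets; the steps are chained with `</br>` where a numbered list would read better; and "replacing %3a with : and %2f with /" can simply say to URL-decode the value. The note also sits between the table and step 9, so check that the numbered list still continues correctly after it.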
