Configuring AI tools

Define which AI tools require monitoring in your organization to get accurate visibility, labeling, and categorization of AI usage. Involve application and security stakeholders early to help streamline adoption and visibility of your AI portfolio.

Choosing AI tools to configure in Nexthink

The system automatically monitors preconfigured AI tools out of the box—such as ChatGPT—through traffic pattern recognition, endpoint activity, and employee feedback.

You can manually configure more AI tools for monitoring in Nexthink.

  1. Identify AI tools available for configuration in Nexthink:

  • Review telemetry or traffic data from the Nexthink Collector or your network security stack.

  • Consult your SSO provider or identity management platform to list active AI services.

  • Interview product owners to understand user segments and associated risks.

  2. Prioritize the tools that require configuration by evaluating:

  • Widely used GenAI tools like ChatGPT, Microsoft Copilot, Gemini, or Claude.

  • Internal or custom AI agents, such as virtual assistants or chatbots developed for specific business functions.

  • AI applications embedded in productivity or communication platforms such as Copilot in Outlook or MS Teams.

  • Tools with rising adoption but uncertain compliance or business value.

Configuring AI tools for Nexthink monitoring

To configure a new AI tool:

  1. Navigate to AI Tools > Manage AI tools from the main navigation.

  2. Click the New AI Tool button on the top-right corner (or select an existing tool from the table to edit).

To access and edit the configuration of existing AI tools, click on the AI tool hyperlink located in the table on the Manage AI tools page. Then, continue to follow the steps listed below.

  1. From the AI Tools configuration page, fill in the fields:

    • An AI tool name, such as KanopyGPT.

      • The system automatically generates the NQL ID of the AI tool based on the name. In this case: #kanopygpt

    • Description to provide AI tool details for internal use.

  2. Choose one or both Application types: Web or Desktop.

  • For Web AI applications, Add URL:

    • URL Name is a free-text label to identify the configuration. Example: KanopyGPT

    • URL pattern is the main domain of the web application. It defines where the AI tool is accessed. Example: kanopygpt.com

    • Conversation endpoint URL pattern is the specific path used to detect interactions with the AI tool. Nexthink supports these formats:

      • A fully qualified URL such as kanopygpt.com/backend-api/conversation

      • A pattern such as backend-api/conversation.

You can add up to 5 conversation endpoints for the same web AI application.

Refer to the Determining the Conversation endpoint URL pattern using your browser section below.

  • For Desktop AI applications define their respective Binaries.

    • Desktop applications represent binaries grouped with their associated subprocesses. As a result, application-related metrics, dashboards and AI insights include all subprocesses.

    • The system estimates AI usage on Desktop-type applications using the focus_time field from the execution.events table in the NQL data model.

      • If the focus_time opt-in field is not enabled, Nexthink cannot monitor user interactions with AI tools on desktop applications.

  3. Add Licenses for the AI tool, if available.

  4. Enable employee experience campaign to monitor employee perception of the specific AI tool from the dedicated dashboard.

    • If needed, you can modify campaign settings for AI tools to exclude specific users from campaigns or disable the campaign entirely.

    • Once activated, allow up to seven days for the campaign data to appear in the AI tool dashboard.

  5. Save AI tool configuration.

Determining the Conversation endpoint URL pattern using your browser

When configuring AI tools, follow these steps to discover and determine the Conversation Endpoint pattern.

You can extract either a path (pattern) or a fully qualified URL.

From your browser:

  1. Open your AI tool web application.

  2. Navigate to the webpage to chat with the AI Tool.

    • Nexthink recommends opening a new conversation with no chat history.

  3. Open the developer tools in your browser by pressing F12 or by right-clicking and selecting Inspect, depending on the case.

  4. Click and open the Network tab.

  5. Use the newly opened chat to send an easily identifiable message to the AI tool: Hey, let’s chat.

    • Copy the sent message to your clipboard.

  6. Click again on the Network tab and search for the sent message—in this case, Hey, let’s chat.—by pressing Ctrl+F or Command+F, depending on your OS.

  7. Click on the found result and open the Headers subtab within the Network tab.

  8. Find the Request URL field to copy/extract the Conversation endpoint required to configure the AI tool in Nexthink. Nexthink supports these two formats:

    • A fully qualified URL such as kanopygpt.com/backend-api/conversation

    • A pattern such as backend-api/conversation

    Choose the format that best fits your configuration.

You can add up to 5 conversation endpoints for the same web AI application in Nexthink.
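The browser steps above can also be run over a HAR export of the Network tab. The following is an added example, not Nexthink code: the function names and the sample HAR are constructed for illustration, and kanopygpt.com is the page's own example tool. It matches request bodies only and resolves JSON escapes, because the typographic apostrophe in the test message is often sent as \u2019.

```python
import json
from urllib.parse import unquote_plus, urlsplit

MARKER = "Hey, let\u2019s chat."  # the page's test message, typographic apostrophe included

def _renderings(body):
    """Yield the request body as sent, URL-decoded, and with JSON escapes resolved."""
    yield body
    yield unquote_plus(body)
    try:
        yield json.dumps(json.loads(body), ensure_ascii=False)  # resolves \u2019-style escapes
    except ValueError:
        pass  # not JSON (empty or form-encoded body)

def find_conversation_endpoints(har, marker=MARKER):
    """Return both supported formats for every request whose body carries the marker."""
    seen, found = set(), []
    for entry in har.get("log", {}).get("entries", []):
        request = entry.get("request", {})
        body = (request.get("postData") or {}).get("text") or ""
        if not any(marker in text for text in _renderings(body)):
            continue
        parts = urlsplit(request.get("url", ""))
        path = parts.path.strip("/")
        if not parts.hostname or not path or (parts.hostname, path) in seen:
            continue  # skip malformed URLs and endpoints already reported
        seen.add((parts.hostname, path))
        found.append({"fully_qualified": f"{parts.hostname}/{path}",  # no scheme, no query
                      "pattern": path})
    return found

# Constructed sample in HAR shape (not captured from a real tool).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://kanopygpt.com/chat"}},
    {"request": {"method": "POST", "url": "https://kanopygpt.com/telemetry",
                 "postData": {"text": '{"event": "page_view"}'}}},
    {"request": {"method": "POST",
                 "url": "https://kanopygpt.com/backend-api/conversation?stream=1",
                 "postData": {"text": json.dumps({"messages": [{"content": MARKER}]})}}},
]}}

if __name__ == "__main__":
    for candidate in find_conversation_endpoints(SAMPLE_HAR):
        print(candidate)
```

A HAR export also contains cookies and authorization headers, so keep the file local and delete it once the pattern is extracted.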

To learn about the AI Tools campaign content, conditions and interpretation, refer to Built-in campaigns for monitoring employee perception of AI tools.

Exception: Configuring Microsoft Copilot using API credentials

Nexthink supports API-based setup only for Microsoft Copilot.

After setting up the Entra ID connector in Nexthink, follow these steps to configure Microsoft Copilot in AI Tools:

  1. Navigate to AI Tools > Manage AI tools from the main navigation.

  2. Click on the Microsoft Copilot hyperlink listed in the table on the Manage AI tools page, or use the item's action menu to Edit Copilot settings.

  3. From the AI tools configuration page, fill in the Description to provide AI tool details for internal use.

    • For Microsoft Copilot, the name and NQL ID fields are predetermined—not editable.

  4. From the API credentials dropdown, select the corresponding connector credentials, which you should preconfigure in Nexthink for Microsoft Copilot.

Configuring connector credentials for Microsoft Copilot

This section references external sources. Nexthink does not control the accuracy of third-party documentation or any external updates or changes that might create inconsistencies with the information presented on this page. Please report any errors or inconsistencies to Nexthink Support.

Remember, configuring Microsoft Copilot in Nexthink AI Tools requires both Copilot credentials (described below) and the Entra ID connector.

Step 1 - Configure the Azure application

Configure the application from the Azure page to retrieve AI-employee interaction data:

  1. Sign in using your Azure credentials.

  2. Register a new application.

    • During the registration process, select the Single tenant option.

  3. For the Redirect URL, select Web.

    • If the application already exists in the Azure portal, you can reuse the application to assign the permissions to retrieve AI-employee interaction data.

  4. Register the application.

  5. Access the API Permissions option from the left-side menu.

  6. Add permission for Microsoft Graph.

    • Select AiEnterpriseInteraction.Read.All and add the API permission.

    The Status column on the permissions list indicates if the Azure account you are using lacks proper privileges. Refer to the Register an application with the Microsoft identity platform documentation from Microsoft for more information on the steps listed above.

  7. Access the Overview section of the configured application to copy and save Azure AD credentials for the Nexthink connector configuration.

    • Application (client) ID

    • Directory (tenant) ID

    • Generate and copy the client secret Value in the Azure portal using the Certificates & secrets option for the Nexthink tool configuration.

      • Select New client secret.

      • Fill in the Description and Expiration values.

      • Select Add and copy the Value.

After the expiration date, you need to update the client secret in the Azure portal and in the Nexthink connector credentials.

Step 2 - Configure the Microsoft Copilot connector credentials in Nexthink

From the connector credential configuration page, fill out the fields using the information from the connection you created in Azure.

  1. Choose the HTTPS option from the Protocol drop-down.

  2. Paste the Microsoft API https://graph.microsoft.com into the URL address field.

  3. Choose the OAuth 2.0 - Client Credentials option from the Authorization drop-down.

  4. Copy the Directory (tenant) ID from the Copilot connection and paste it into the Access token URL field—include the whole URL string:

    • https://login.microsoftonline.com/<<Tenant ID>>/oauth2/v2.0/token

    • Example: https://login.microsoftonline.com/2efa03d5-62e6-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/token

  5. Enter the Client ID and Client secret you obtained from configuring the Azure application.

  6. Add https://graph.microsoft.com/.default in the Scope field.

  7. Select Header under Authorization information. Nexthink advises against selecting Body based on Request for Comments (RFC) standards.

  8. Save the credential.
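To check the values from Step 1 before saving them, the added example below (not Nexthink or Microsoft code) builds the same client-credentials request with the secret in the Authorization header and reviews the permissions carried by the returned token. It assumes the access token is a JWT whose roles and tid claims list the application permissions and the tenant; the function names, placeholder IDs and unsigned sample token are constructed for illustration.

```python
import base64
import json
from urllib.parse import quote_plus, urlencode
from urllib.request import Request

REQUIRED_ROLE = "AiEnterpriseInteraction.Read.All"  # permission named on this page
SCOPE = "https://graph.microsoft.com/.default"

def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials request with the secret in the Authorization header
    (RFC 6749 section 2.3.1), i.e. the 'Header' option rather than 'Body'."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode()
    headers = {"Authorization": "Basic " + base64.b64encode(pair).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "client_credentials", "scope": SCOPE}).encode()
    return Request(url, data=body, headers=headers, method="POST")

def token_claims(access_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = access_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def review_token(access_token, tenant_id):
    """Return findings; an empty list means the token matches the setup on this page."""
    claims, findings = token_claims(access_token), []
    roles = set(claims.get("roles", []))
    if REQUIRED_ROLE not in roles:
        findings.append(f"missing {REQUIRED_ROLE} (permission added and consented?)")
    extra = sorted(roles - {REQUIRED_ROLE})
    if extra:
        findings.append("permissions beyond the one required: " + ", ".join(extra))
    if claims.get("tid") != tenant_id:
        findings.append("token was issued for a different tenant")
    return findings

def sample_token(claims):
    """Constructed, unsigned token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

if __name__ == "__main__":
    # Placeholder values; urllib.request.urlopen(req) would send the real request.
    req = build_token_request("TENANT_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER", "SECRET_PLACEHOLDER")
    print(req.full_url, req.data.decode())
    token = sample_token({"tid": "TENANT_ID_PLACEHOLDER", "roles": [REQUIRED_ROLE, "User.Read.All"]})
    print(review_token(token, "TENANT_ID_PLACEHOLDER"))
```

A reused Azure application may already hold other Graph permissions; the second finding surfaces them so the credential stored in Nexthink stays limited to the one permission this page requires.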

Back on the AI tools configuration page for Microsoft Copilot, continue from step 4:

  5. Add Licenses for Microsoft Copilot, if available.

  6. Save AI tool configuration.

Only valid connector credentials enable saving the Microsoft Copilot settings in AI tools. Otherwise, Nexthink displays the existing errors.

FAQ about Microsoft Copilot data retrieval

Why is the Copilot dashboard not showing any data, even after successful credential configuration?

The Microsoft notification system is not sending the validationTokens property in the subscription notifications. Without these tokens, Nexthink cannot securely verify and ingest incoming events—resulting in an empty Copilot dashboard in Nexthink AI Tools.

Root cause

The appRoleAssignmentRequired property is likely set to true in the Azure registered application used to configure the Copilot connector credential.

When this setting is active—appRoleAssignmentRequired=true—Microsoft omits the validationTokens property from subscription notifications, preventing Nexthink from validating the events.

How to fix it

Option 1—recommended: Disable appRoleAssignmentRequired

  1. Sign in to the Azure portal.

  2. Navigate to Azure Active Directory > Enterprise Applications.

  3. Select the application used for the Copilot connector.

  4. Go to Manage > Properties.

  5. Set Assignment required to No.

This ensures Microsoft includes the validationTokens in subscription notifications, enabling Nexthink to securely verify and process the data.


Option 2: Assign an App Role

If disabling appRoleAssignmentRequired is not possible due to internal policy:

  1. Follow Microsoft guidance to manually assign users or service principals to the Azure application.

  2. Ensure all relevant users or systems are assigned roles in the Enterprise Application.

Microsoft then includes the validationTokens in the push notifications.

If you continue to experience issues after applying these changes, please contact Nexthink support.

Do I always need the connector for Microsoft Entra ID to retrieve Copilot-employee interaction data?

Yes, the connector for Microsoft Entra ID is needed to correctly retrieve AI interaction data from Microsoft Copilot.

How can I verify that I have properly configured the subscription?

When saving the Microsoft Copilot settings in Nexthink AI tools for monitoring, the system automatically checks the connector credentials.

Only valid credentials enable saving the Microsoft Copilot settings in AI tools. Otherwise, Nexthink displays the existing errors.

How often is the Copilot AI interaction data refreshed? Is it instant?

The current mechanism uses a subscription to receive the data from Graph API. Every time an AI interaction happens, the system pushes the interaction details to the Nexthink platform.

The process is not instant: the data typically arrives less than 1 minute after the interaction happens, but Microsoft Graph API has a maximum latency of 60 minutes for AI interactions.

What Microsoft Graph API permissions does Nexthink require for monitoring Copilot?

Monitoring Copilot requires the AiEnterpriseInteraction.Read.All permission to enable the collection of Copilot-interaction data.

Unfortunately, the current Microsoft Graph API endpoint copilot/interactionHistory/getAllEnterpriseInteractions only supports the aforementioned permission. This means you cannot have more granular or restrictive permissions.

What information does Nexthink process from the Copilot API response?

Currently, the Copilot API does not allow the selection or filtering of specific payload elements and instead returns additional information that Nexthink does not require for functionality.

Therefore, Nexthink processes only the necessary high-level metrics and neither accesses nor stores the remainder of the payload. As a result, this additional information is discarded.

Nexthink exclusively accesses the following fields.

  • appClass

  • conversationType

  • createdDateTime

  • from

  • interactionType

  • requestId

  • sessionId

Refer to Microsoft Copilot API documentation for field descriptions and details.


Configuring custom filters for AI Tools dashboards

After setting up AI tools in Nexthink, you can leverage the System configuration to add custom filters for AI Tools dashboards based on your organization's employee groups—as defined by your company hierarchy or holacracy.

To set custom filters for AI Tools dashboards, as a Nexthink Administrator, follow the steps described in the Product Configuration documentation to configure user organization fields.

After successfully enriching the created user organization field, the system automatically displays this field as a custom filter at the top of all AI Tools dashboards.

