# Configuring AI tools

Define which AI tool requires monitoring for your organization for accurate visibility, labeling, and categorization of AI usage. Involve application and security stakeholders early to help streamline adoption and visibility of your AI portfolio.

## Choosing AI tools to configure in Nexthink

{% hint style="info" %}
The system automatically monitors preconfigured AI tools out of the box—such as ChatGPT—through traffic pattern recognition, endpoint activity, and employee feedback.

You can manually configure more AI tools for monitoring in Nexthink.
{% endhint %}

{% stepper %}
{% step %}
Identify AI tools available for configuration in Nexthink:

* Review telemetry or traffic data from the Nexthink Collector or your network security stack.
* Consult your SSO provider or identity management platform to list active AI services.
* Interview product owners to understand user segments and associated risks.
  {% endstep %}

{% step %}
Prioritize the tools that require configuration by evaluating:

* Widely used GenAI tools like ChatGPT, Microsoft Copilot, Gemini, or Claude.
* Internal or custom AI agents, such as virtual assistants or chatbots developed for specific business functions.
* AI applications embedded in productivity or communication platforms such as Copilot in Outlook or MS Teams.
* Tools with rising adoption but uncertain compliance or business value.
  {% endstep %}
  {% endstepper %}

## Configuring AI tools for Nexthink monitoring

To configure a new AI tool:

1. Navigate to **AI Tools** > **Manage AI tools** from the main navigation.
2. Click the **New AI Tool** button on the top-right corner (or select an existing tool from the table to edit).

{% hint style="info" %}
To access and edit the configuration of existing AI tools, click on the AI tool hyperlink located in the table on the **Manage AI tools** page. Then, continue to follow the steps listed below.
{% endhint %}

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-6f6d4e7917f381a32fac8cf878107f3b138e5585%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

3. From the AI Tools configuration page, fill in the fields:
   * An **AI tool name,** such as **KanopyGPT.**
     * The system automatically generates **NQL ID** of the AI tool based on the name. In this case: `#kanopygpt`
   * **Description** to provide AI tool details for internal use.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-8e9b319fcc6634ed4143f24f77dee60b92124985%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

4. Choose one or both **Application** types: **Web** or **Desktop.**

* For **Web** AI applications, **Add URL**:
  * **URL Name** is a free-text label to identify the configuration. Example: `KanopyGPT`
  * **URL pattern** is the main domain of the web application. Defines where the AI tool is accessed. Example: `kanopygpt.com`
  * **Conversation endpoint URL pattern** is the specific path used to detect interactions with the AI tool. Nexthink supports these formats:
    * A fully qualified URL such as `kanopygpt.com/backend-api/conversation`
    * A pattern such as `backend-api/conversation`.

{% hint style="info" %}
You can add up to 5 **conversation endpoints** for the same web AI application.&#x20;

Refer to the [#determining-the-conversation-endpoint-url-pattern-using-your-browser](#determining-the-conversation-endpoint-url-pattern-using-your-browser "mention") section below.
{% endhint %}

* For **Desktop** AI applications define their respective **Binaries.** You can add up to 5 binaries for the same desktop AI application.
  * Desktop applications represent [binaries grouped](https://docs.nexthink.com/platform/references/database-information-and-organization/binary-grouping/) with their associated subprocesses. As a result, application-related metrics, dashboards and AI insights include all subprocesses.
  * The system estimates **AI usage** on **Desktop**-type applications using the `focus_time` field from the `execution.events` table in the NQL data model.
    * If the `focus_time` opt-in field is not enabled, Nexthink cannot monitor user interactions with AI tools on **Desktop** applications.

5. Add available **Licenses** for the AI tool, if available.
6. **Enable employee experience campaign** to monitor employee perception of the specific AI tool from the dedicated dashboard.
   * If needed, you can [modify campaign settings for AI tools](https://docs.nexthink.com/platform/user-guide/managing-ai-tools#configuring-campaign-setups-for-ai-tools) to exclude specific users from campaigns or disable the campaign entirely.
   * Once activated, allow up to seven days for the campaign data to appear in the AI tool dashboard.
   * If you disable a campaign, no new employees are targeted. However, employees who had already been targeted continue to receive the campaign until they respond, cancel, or the campaign expires.
7. **Save AI tool** configuration.

<details>

<summary>Determining the <strong>Conversation endpoint URL pattern</strong> using your browser</summary>

When configuring AI tools, follow these steps to discover and determine the **Conversation Endpoint pattern.**

You can extract either a path (pattern) or a fully qualified URL.

From your browser:

1. Open your AI tool web application.
2. Navigate to the webpage to chat with the AI Tool.
   * Nexthink recommends opening a new conversation with no chat history.
3. Open the **developer tools** in your browser by pressing F12 or by right-clicking to **Inspect,** depending on the case.
4. Click and open the **Network** tab.
5. Use the newly opened chat to send an easily identifiable message to the AI tool: *Hey, let’s chat.*
   * Copy the sent message to your clipboard.
6. Click again on the **Network** tab to search the sent message—in this case, *Hey, let’s chat.*—by pressing **ctrl+F** or **command+F**, depending on your OS.
7. Click on the found result and open the **Headers** subtab within the **Network** tab.
8. Find the **Request URL** field to copy/extract the **Conversation endpoint** required to configure the AI tool in Nexthink. Nexthink supports these two formats:

   * A fully qualified URL such as `kanopygpt.com/backend-api/conversation`
   * A pattern such as `backend-api/conversation`

   Choose the format that best fits your configuration. See the image below.

{% hint style="info" %}
You can add up to 5 conversation endpoints for the same web AI application in Nexthink.
{% endhint %}

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-592886b2c656b26609d1d7312ee0f681f787da33%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

</details>

{% hint style="info" %}
To learn about the AI Tools campaign content, conditions and interpretation, refer to [#campaigns-for-monitoring-perception](https://docs.nexthink.com/platform/user-guide/monitoring-ai-tools#campaigns-for-monitoring-perception "mention") .
{% endhint %}

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-1a4084785ee9337f2627c9c7cf0581f362813607%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

### Exception: Configuring Microsoft Copilot using API credentials

{% hint style="warning" %}
Nexthink AI Tools collects user-license data for Microsoft Copilot by default, even if you do not configure Microsoft Copilot in AI tools.

When monitoring usage of Microsoft Copilot, you can filter data by **Copilot type**:

* The **Microsoft 365 Copilot** filter displays tool-specific data for licensed Copilot usage.
* The **Copilot chat** filter displays tool-specific data for unlicensed Copilot usage.
  {% endhint %}

Nexthink supports **API**-based setup only for Microsoft **Copilot.** The system uses the Entra ID connector—which you must configure—to collect user-license data and tag interaction events based on whether the employee uses a free or licensed version of Microsoft Copilot.

After setting up the [Entra ID connector](https://docs.nexthink.com/platform/configuring_nexthink/bringing-data-into-your-nexthink-instance/integrating-nexthink-with-third-party-tools/inbound-connectors/connector-for-microsoft-entra-id-azure-ad) in Nexthink, follow these steps to configure Microsoft Copilot in **AI Tools**:

1. Navigate to **AI Tools** > **Manage AI tools** from the main navigation.
2. Click on the **Microsoft Copilot** hyperlink listed in the table on the **Manage AI tools** page, or use the item's action menu to **Edit** Copilot settings.
3. From the AI tools configuration page, fill in the **Description** to provide AI tool details for internal use.
   * For Microsoft Copilot, the **name** and **NQL ID** fields are predetermined—not editable.
4. From the **API credentials** dropdown, select the corresponding **connector credentials** you should preconfigure in Nexthink for Microsoft Copilot.

<details>

<summary>Configuring <strong>connector credentials</strong> for Microsoft Copilot.</summary>

{% hint style="info" %}
This section references external sources. Nexthink does not control the accuracy of third-party documentation or any external updates or changes that might create inconsistencies with the information presented on this page. Please report any errors or inconsistencies to [Nexthink Support](https://support.nexthink.com/).
{% endhint %}

Remember, configuring Microsoft Copilot in Nexthink **AI Tools** requires both Copilot credentials (described below) and [the Entra ID connector](https://docs.nexthink.com/platform/configuring_nexthink/bringing-data-into-your-nexthink-instance/integrating-nexthink-with-third-party-tools/inbound-connectors/connector-for-microsoft-entra-id-azure-ad).

**Step 1 - Configure the Azure application**

Configure the application from the [Azure](https://azure.microsoft.com/es-es/free/search/?ef_id=_k_EAIaIQobChMIodqLx8ichgMVu5xQBh2GnA_UEAAYASAAEgJxevD_BwE_k_\&OCID=AIDcmm68ejnsa0_SEM__k_EAIaIQobChMIodqLx8ichgMVu5xQBh2GnA_UEAAYASAAEgJxevD_BwE_k_\&gad_source=1\&gclid=EAIaIQobChMIodqLx8ichgMVu5xQBh2GnA_UEAAYASAAEgJxevD_BwE) page to retrieve AI-employee interaction data:

1. Sign in using your Azure credentials.
2. Register a new application.
   * During the registration process, select the **Single tenant** option.
3. For the **Redirect URL**, select **Web**.
   * If the application already exists in the Azure portal, you can reuse the application to assign the permissions to retrieve AI-employee interaction data.
4. **Register** the application.
5. Access the **API Permissions** option from the left-side menu.
6. Add permission for **Microsoft Graph**.

   * Select **`AiEnterpriseInteraction.Read.All`** and add the API permission. See the images below.

   <div align="left"><figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-699a770de28efc3c13fd30d8f74674caf0148341%2FUntitled-1.png?alt=media" alt="" width="563"><figcaption></figcaption></figure></div>

   <figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-013f34c3f37c80bfc4687f6ecd52bd826f2db926%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

   The **Status** column on the permissions list indicates if the Azure account you are using lacks proper privileges. Refer to the [Register an application with the Microsoft identity platform](https://learn.microsoft.com/en-us/graph/auth-register-app-v2) documentation from Microsoft for more information on the steps listed above.
7. Access the **Overview** section of the configured application to copy and save Azure AD credentials for the Nexthink connector configuration.

   * **Application (client) ID**
   * **Directory (tenant) ID**

   <div align="left"><figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-7cd429a17763db4a6b3e6b0164ef9db75c449a33%2Fimage.png?alt=media" alt="" width="563"><figcaption></figcaption></figure></div>

   * Generate and copy the client secret Value in the Azure portal using the **Certificates** and **secret** option for the Nexthink tool configuration.

     * Select **New client secret**.
     * Fill in the **Description** and **Expiration values**.
     * Select **Add** and copy the **Value**.

     <div align="center"><figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-151927d2f371ced064bcd54cc51048576164ea26%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure></div>

{% hint style="info" %}
After the expiration date, you need to update the client secret in the Azure portal and for the Nexthink connector credentials.
{% endhint %}

**Step 2 - Configure the Microsoft Copilot connector credentials in Nexthink**

From the [connector credential](https://docs.nexthink.com/platform/integrations/outbound-connectors/connector-credentials) configuration page, fill out the fields using the information from the connection you created in Azure.

1. Choose the **HTTPS** option from the **Protocol** drop-down.
2. Paste the Microsoft API `https://graph.microsoft.com` into the **URL address** field.
3. Choose the `OAuth 2.0 - Client Credentials` option from the **Authorization** drop-down.
4. Copy the **Directory (tenant) ID** from the Copilot connection and paste it into the **Access token URL** field—include the whole URL string:
   * `https://login.microsoftonline.com/<<`**`Tenant ID`**`>>/oauth2/v2.0/token`
   * Example: `https://login.microsoftonline.com/2efa03d5-62e6-XXXX-XXXX-XXXXXXXXXXXX/oauth2/v2.0/token`
5. Enter the **Client ID** and **Client secret** you obtained from configuring the Azure application.
6. Add `https://graph.microsoft.com/.default` in the **Scope** field.
7. Select **Header** under **Authorization information**. Nexthink advises against selecting **Body** based on Request for Comments (RFC) standards.
8. **Save** the credential.

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-2f96b03e174ef769795a1bc820e7e8505329ec80%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

</details>

5. Add available **Licenses** for Microsoft Copilot, if available.
6. **Save AI tool** configuration.

Only valid connector credentials enable saving the Microsoft Copilot settings in AI tools. Otherwise, Nexthink displays the existing errors:

{% hint style="danger" %}
*Please correct the following Issues:*

* *Credential error: Invalid client id.*
  {% endhint %}

<figure><img src="https://268444917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxJSUDk9NTtCHYPG5EWs3%2Fuploads%2Fgit-blob-140627a5b13a7e6e49fff46c928d4c95f6589d67%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

#### F.A.Q about Microsoft Copilot data retrieval <a href="#configuring-the-tool-in-the-nexthink-web-interface" id="configuring-the-tool-in-the-nexthink-web-interface"></a>

<details>

<summary>Why is the Copilot dashboard not showing any data, even after successful credential configuration?</summary>

The Microsoft notification system is not sending the `validationTokens` property in the subscription notifications. Without these tokens, Nexthink cannot securily verify and ingest incoming events—resulting in an empty Copilot dashboard in Nexthink AI Tools.

**Root cause**

The `appRoleAssignmentRequired` is likely set to `true` In the Azure registered application used to configure the Copilot connector credential.

When this setting is active—`appAssignmentsRequired=true`—Microsoft omits the `validationTokens` property from subscription notifications, preventing Nexthink from validating the events.

**How to fix it**

**Option 1—recommended: Disable** `appRoleAssignmentRequired`

1. Sign in to the Azure portal.
2. Navigate to **Azure Active Directory > Enterprise Applications**.
3. Select the application used for the Copilot connector.
4. Go to **Manage > Properties**.
5. Set **Assignment required** to **No**.

This ensures Microsoft includes the `validationTokens` in subscription notifications, enabling Nexthink to securely verify and process the data.

***

**Option 2: Assign an App Role**

If disabling `appRoleAssignmentRequired` is not possible due to internal policy:

1. Follow Microsoft guidance to manually assign users or service principals to the Azure application.
2. Ensure all relevant users or systems are assigned roles in the **Enterprise Application**.

Microsoft then includes the `validationTokens` in the push notifications.

{% hint style="info" %}
If you continue to experience issues after applying these changes, please contact Nexthink support.
{% endhint %}

</details>

<details>

<summary>Do I always need the connector for Microsoft Entra ID to retrieve Copilot-employee interaction data?</summary>

Yes, the [connector for Microsoft Entra ID](https://docs.nexthink.com/platform/configuring_nexthink/bringing-data-into-your-nexthink-instance/integrating-nexthink-with-third-party-tools/inbound-connectors/connector-for-microsoft-entra-id-azure-ad) is needed to correctly retrieve AI interaction data from Microsoft Copilot.

</details>

<details>

<summary>How can I verify that I have properly configured the subscription?</summary>

When saving the [Microsoft Copilot settings ](#exception-configuring-microsoft-365-copilot-using-api-credentials)in Nexthink **AI tools** for monitoring, the system automatically checks the connector credentials.

Only valid credentials enable saving the Microsoft Copilot settings in AI tools. Otherwise, Nexthink displays the existing errors.

</details>

<details>

<summary>How often is the Copilot AI interaction data refreshed? Is it instant?</summary>

The current mechanism uses a subscription to receive the data from Graph API. Every time an AI interaction happens, the system pushes the interaction details to the Nexthink platform.

The process is not instant, as the data typically arrives less than 1 minute after the interaction happens, but [Microsoft Graph API](https://learn.microsoft.com/en-us/graph/change-notifications-overview#latency) has a maximum latency of 60 minutes for AI interactions.

</details>

<details>

<summary>What Microsoft Graph API permissions does Nexthink require for monitoring Copilot?</summary>

Monitoring Copilot requires `AiEnterpriseInteraction.Read.All` permission to enable the collection of Copilot-interaction data.

Unfortunately, the current Microsoft Graph API endpoint `copilot/interactionHistory/getAllEnterpriseInteractions` only supports the aforementioned permission. This means you cannot have more granular or restrictive permissions.

</details>

<details>

<summary>What information does Nexthink process from the Copilot API response?</summary>

Currently, the Copilot API does not allow the selection or filtering of specific payload elements and instead returns additional information that Nexthink does not require for functionality.

Therefore, Nexthink processes only the necessary high-level metrics and neither accesses nor stores the remainder of the payload. As a result, this additional information is discarded.

Nexthink exclusively accesses the following fields.

* `appClass`
* `conversationType`
* `createdDateTime`
* `from`
* `interactionType`
* `requestId`
* `sessionId`

Refer to [Microsoft Copilot API](https://learn.microsoft.com/en-us/microsoft-365-copilot/extensibility/api/ai-services/interaction-export/resources/aiinteraction?pivots=graph-v1) documentation for field descriptions and details.

{% hint style="warning" %}
Nexthink neither accesses nor stores the remainder of the payload.
{% endhint %}

</details>

***

RELATED TASKS

* [monitoring-ai-tools](https://docs.nexthink.com/platform/user-guide/ai-tools/monitoring-ai-tools "mention")
* [managing-ai-tools](https://docs.nexthink.com/platform/user-guide/ai-tools/managing-ai-tools "mention")