In This Article
Out of the box, Microsoft 365 Copilot Cowork is genuinely useful. It can send emails, schedule meetings, draft reports, and run multi-step tasks across your Microsoft 365 environment. But it does not know that your institution calls the pre-underwriting document set a "UW packet," or that your member service team routes tier-2 complaints through a specific SharePoint queue, or that your loan officers follow a seven-step closing checklist your compliance team spent three years refining.
SKILL.md files fix that. They are the mechanism Cowork provides for giving the AI your institution's specific vocabulary, workflows, and step sequences so it stops returning generic answers and starts working the way your team actually works.
This article covers what SKILL.md files are, how they work technically, a worked example built for a credit union member inquiry workflow, the starter skills Microsoft ships with Cowork, how plugins extend the picture further, and what to review before you deploy custom skills in a regulated environment.
Why This Matters for Financial Institutions
Financial institutions operate workflows that general-purpose AI cannot guess: tiered escalation models, regulatory reporting cadences, institution-specific document naming conventions, and compliance-gated step sequences. SKILL.md files are the mechanism that closes that gap without requiring developers or custom-built integrations.
What Is a SKILL.md File?
A SKILL.md file is a plain text file in Markdown format that you place in a specific folder inside your OneDrive. Cowork reads it at the start of each conversation and uses the instructions inside to shape how it handles certain tasks.
The file has two parts. The first is a short YAML block at the top, called the frontmatter, which tells Cowork the skill's name and what it does. The second is the body, written in plain Markdown, which contains the actual instructions. You do not need a developer to write one. You need someone who understands the workflow you want Cowork to follow.
Where the File Lives
Custom skills go inside the user's OneDrive at this path:
/Documents/Cowork/Skills/<skill-name>/SKILL.mdFor example, a skill for handling member inquiry routing might live at /Documents/Cowork/Skills/member-inquiry-routing/SKILL.md. Cowork discovers custom skills automatically at the start of each new conversation. There is no installation step and no admin panel to update.
The File Structure
A minimal SKILL.md file opens with a YAML frontmatter block that provides the skill name and a one-sentence description. Below that frontmatter, you write the instructions in plain text: the workflow steps, the categories, the tiebreaker rules, and any institution-specific context Cowork needs to act correctly. The name and description fields are required. The description appears when a user browses available skills inside Cowork, so write it as a clear one-sentence explanation of what the skill does.
Limits to Know Before You Plan
- Each user can have up to 50 custom skills.
- Custom skills are user-level. An individual creates them in their own OneDrive. There is no admin-pushed SKILL.md that automatically lands in every employee's folder.
- Microsoft does not validate the content of custom skills. Cowork executes whatever instructions are in the file. Your compliance team should review skill instructions before they go into production.
Work with the team member who owns the workflow. Write the routing criteria, step sequences, or document patterns in plain language. No coding required.
Wrap the instructions with the required name and description fields at the top of the file, delimited by triple dashes.
Save the file at /Documents/Cowork/Skills/<skill-name>/SKILL.md in the user's OneDrive. Cowork picks it up automatically on the next conversation.
Have your compliance team review the skill instructions before sharing them across the team. Document which skills exist and who owns them for audit purposes.
A Worked Example: Credit Union Member Inquiry Routing
This example is illustrative. It is not copy-paste-ready without review and testing against your institution's actual workflows. Treat it as a starting point, not a finished product.
The Problem
A credit union's member service team receives roughly 200 inquiries per day through three channels: secure message, branch walk-in notes, and a shared inbox. Tier-1 staff handle account questions, balance disputes, and card issues. Tier-2 handles complaints, fraud reports, and hardship requests. Tier-3 handles legal holds, subpoenas, and regulatory inquiries. Without custom context, Cowork gives generic routing suggestions based on the inquiry text it can read.
A member service representative asks Cowork "where should this go?" and receives a generically reasonable answer based on the inquiry text. Staff must double-check the output against the institution's tier model before acting.
Cowork follows the institution's specific three-tier model, outputs in the exact format used for queue notes, applies the tiebreaker rule (when in doubt, escalate to Tier 2), and reminds the user not to include sensitive identifiers in routing output.
What the SKILL.md File Contains
The skill for member inquiry routing starts with the YAML frontmatter naming the skill and describing its purpose. The body then defines the routing criteria for each tier: Tier-1 handles balance questions, card disputes under $500, PIN resets, and standard loan payment questions with a two-hour target response time. Tier-2 covers formal complaints, fraud reports, disputes over $500, hardship requests, and any inquiry that has already gone through Tier-1 without resolution, with a 24-hour target. Tier-3 handles anything involving legal action, regulatory inquiries from the NCUA or CFPB, BSA flags, or deceased member accounts, with a same-day response requirement.
The skill also specifies the output format: tier assignment, the specific routing reason, the target response time, and a one-sentence summary for the queue note. A standing instruction tells Cowork never to include member account numbers or Social Security numbers in routing notes.
That is not a trivial difference between a generic AI response and a skill-driven one. It is the difference between an AI tool your staff has to double-check and one your team can actually rely on.
The Starter Skills Microsoft Includes with Cowork
Microsoft ships Cowork with a set of built-in skills covering common productivity tasks. Understanding what is already available helps you decide where to invest in custom skills and where the defaults are sufficient.
Built-in skills handle things like drafting stakeholder communications, preparing daily briefings, conducting deep research across your Microsoft 365 content, managing calendar scheduling, creating documents in Word, Excel, and PowerPoint, and posting updates to Teams channels. These built-in skills are available to every Cowork user without any setup. They cover general-purpose work patterns but carry no institution-specific knowledge. They do not know your document naming conventions, your regulatory reporting cadence, your loan stage names, or your internal escalation paths.
Custom skills fill that gap. They teach Cowork the institutional layer on top of the general-purpose foundation Microsoft provides.
How Plugins Extend the Picture
Plugins are different from custom skills. A custom SKILL.md file gives Cowork instructions written by your team for your workflows. A plugin connects Cowork to an external system or adds a specialized capability built by a third-party developer. Plugins are available through the Microsoft 365 App Store. From inside Cowork, users access them through the "Browse plugins" menu. Once installed, a plugin's capabilities appear alongside Cowork's built-in skills.
The admin controls for plugins mirror the controls for other Microsoft 365 app deployments. IT administrators can deploy specific plugins to the organization or to defined user groups through the Microsoft 365 admin center. Plugins deployed by admins are automatically available to those users and cannot be removed by the user. Admins can also restrict which plugins appear in the App Store. When a plugin is removed, either by the user or by admin revocation, its skills and connectors are removed from the next conversation. Conversations already in progress continue without interruption.
Plugin Governance for Regulated Institutions
For regulated institutions, the admin control layer matters. Your IT team should review any plugin before it is available to staff, applying the same standard you would use for any other third-party connection to your Microsoft 365 environment. ABT manages Microsoft 365 tenants for more than 750 financial institutions and can assess whether a plugin meets your institution's security and compliance requirements before it is deployed.
What Carries Over from Copilot Chat
If your institution is already using Microsoft 365 Copilot Chat, some context carries into Cowork and some does not. Work IQ, the organizational intelligence layer that gives Copilot context about who your staff works with and what they work on, powers both experiences. Your organization's data connections, sensitivity labels, and DLP policies also carry over. Cowork operates within the same Microsoft 365 security boundary as Copilot Chat.
What does not carry over: custom instructions set in Copilot Chat, saved memories from Copilot Chat sessions, and conversation history. Cowork maintains its own conversation history separately from Copilot Chat. A skill file your staff sets up in Cowork is also separate from any custom instructions configured in Copilot Chat. For institutions planning an upgrade, see our guide on what Microsoft 365 Copilot Chat personalization settings actually do before reconfiguring for Cowork.
Governance Before You Deploy: What Regulated Institutions Should Review
SKILL.md files run within the same Microsoft 365 security boundary as the rest of Cowork. The instructions in a SKILL.md file are designed to respect your tenant's DLP policies and sensitivity label configurations rather than override them. Cowork honors the permissions your users already have. If a file has a sensitivity label that restricts access, Cowork is designed to display that label and not surface the file to users who do not have access. That said, three things are worth reviewing before custom skills go into production at a regulated institution.
Three Reviews Before Custom Skills Go Live
- Have compliance review the skill instructions. A SKILL.md file that contains incorrect escalation criteria, outdated regulatory thresholds, or inaccurate product descriptions will cause Cowork to act on incorrect information. The AI follows the instructions in the file. Treat a new SKILL.md the same way you would treat an update to an internal procedure document.
- Document which skills exist and who owns them. Because custom skills are user-level, there is no centralized inventory by default. Establishing a process for employees to register custom skills they create gives the institution a clear picture of what is running in whose Cowork sessions. This supports the kind of AI audit posture that may inform supervisory expectations from NCUA and FFIEC-supervised institutions.
- Connect Cowork deployment to your AI governance framework. The U.S. Treasury's Financial Services AI Risk Management Framework, published in February 2026, includes control objectives that may inform supervisory expectations in the period ahead. Custom skill deployment is exactly the type of AI customization activity those frameworks ask institutions to document and govern.
Cowork is more useful when your tenant is governed correctly before staff starts writing custom skills. If DLP policies are not scoped to Copilot interactions, if sensitivity labels are not configured, or if audit logging is not capturing Copilot activity, custom skills are running in a tenant that is not ready for them. For a closer look at the compliance gaps most institutions miss, read our article on Copilot memory and data governance gaps that banks and credit unions need to address. ABT manages Microsoft 365 tenants for more than 750 financial institutions. Before deploying Copilot or Cowork for any customer, we run a readiness review that confirms the underlying tenant configuration is in place: Guardian hardening, DLP policy scope, Microsoft Purview Audit configuration, sensitivity label setup, and Conditional Access policies that apply to Copilot sessions.
Is Your Tenant Ready for Copilot Cowork?
Custom skills amplify what is already configured in your Microsoft 365 tenant. If your tenant is not ready, a SKILL.md file will not fix it. ABT's Copilot Readiness Assessment checks your DLP policy scope, Microsoft Purview Audit configuration, sensitivity label setup, and Conditional Access policies before you deploy Cowork for your staff.
Frequently Asked Questions
No. Custom skills are user-level only. A SKILL.md file that one employee creates lives in their OneDrive and is available only in their Cowork sessions. There is no admin-pushed SKILL.md mechanism that drops a skill into every employee's folder. If you want a consistent set of instructions available across your team, you have two options: establish a process for employees to copy an approved SKILL.md file into their own OneDrive skill folder, or build a Copilot Studio agent, which is a separate approach with broader deployment options and its own governance requirements.
No. Cowork inherits the user's existing Microsoft 365 permissions. A SKILL.md file that instructs Cowork to pull from a specific SharePoint library will not work if the user does not already have access to that library. Instructions in a skill file are designed to respect sensitivity labels and DLP policies rather than override them. They shape how Cowork works within the user's existing access, not beyond it.
Up to 50. For most workflows, institutions find that a handful of carefully written skills covers the main use cases. Ten focused, well-tested skills will get more use than 40 loosely written ones.
Yes. Cowork uses consumption-based billing. Every Cowork task consumes Copilot Credits regardless of whether the task was triggered by a built-in skill, a custom SKILL.md file, or a plugin. Admins can set consumption limits per user or per group in the Microsoft 365 admin center to manage overall usage.