Organizations want to leverage the productivity enhancements Microsoft Copilot for Microsoft 365 may enable, but want to avoid unintentional over-exposure of organizational information while users are accessing these Copilot experiences. Our Microsoft team is fielding many questions from customers about how to secure and govern Microsoft Copilot for Microsoft 365. These organizations want to ensure maximum productivity benefit while minimizing their risk. This article will describe the key considerations an organization should address.
Microsoft Copilot for Microsoft 365 context
First, a quick point of clarification. Microsoft has released several instances of Copilot for use in different contexts. At this writing, Copilot instances include Microsoft Copilot (integrated in Bing and the Edge browser), Microsoft Security Copilot, GitHub Copilot, and more. In this article I address Microsoft Copilot for Microsoft 365, an instance of the Copilot technologies integrated with Microsoft 365 tenants and applications via Microsoft Graph. Microsoft Copilot for Microsoft 365 requires add-on licensing on top of other Microsoft 365 licensing.
Microsoft Copilot for Microsoft 365 is also extensible to non-Microsoft 365 sources of data. Out of the box, “web grounding” is enabled at the tenant level and disabled at the user level (the user can enable it). Web grounding allows Copilot to run web-based searches and include the resulting information in its responses. Additionally, via Copilot Studio, organizations can customize Microsoft 365-based experiences and can extend Copilot responses to include non-Microsoft 365 sources of information.
Microsoft 365 Security and Governance control the Microsoft Copilot experience
Here is the primary consideration your organization must understand and act upon in order to minimize unintentional over-exposure of your information via Microsoft Copilot for Microsoft 365: By design, Microsoft Copilot for Microsoft 365 is accessing and including the information that your users already have access to in your tenant and within the bounds of existing Microsoft commitments. Microsoft Copilot for Microsoft 365 is providing an additional interface for exposing this information, and is doing some of the heavy lifting for your users in finding, compiling, and contextualizing that information. But, ultimately, it is exposing information that a user could have accessed on their own using their existing permissions, and given sufficient skill in using Microsoft 365 tools and applications for searching, querying, or accessing that information. In this article I am not addressing any potential failure of Copilot to follow the published design parameters. Monitoring and reporting on usage are advised to address this (unlikely) possibility.
Microsoft Copilot for Microsoft 365 is the latest, and possibly most advanced, tool for surfacing Microsoft 365 data to users. In a sense, Microsoft Copilot is the next iteration of Microsoft Search and Microsoft Delve. Each of these tools has some administrative controls that allow administrators to limit the information returned to a casual user of the tool. However, using them in this way is somewhat like patching over a structural problem with a layer of drywall mud. Your primary approach should be securing the underlying access controls and membership of your Microsoft 365 assets. These assets include SharePoint Online sites, OneDrive for Business sites, Microsoft 365 Groups and Teams, Exchange Online mailboxes, and other Microsoft 365 assets. Microsoft Purview sensitivity labels and their access controls can also be part of your solution for securing information and restricting access to the appropriate users.
The bottom line is that there is no Microsoft Copilot for Microsoft 365 quick fix for information over-exposure. Organizations that find their existing Microsoft 365 usage and architecture has made information too widely available need to do the heavy lifting of properly adjusting permissions and memberships of the underlying assets, adjusting various Microsoft 365 workload settings and policies, and considering a well-planned crawl/walk/run approach for deploying Microsoft Purview controls such as Sensitivity Labels (and others) to address additional scenarios. Your organization should address information access controls at the foundational level first. Once the foundation is secure, then optimize controls around the specific access methods such as Microsoft Copilot.
Key Considerations for Microsoft 365 Readiness for Microsoft Copilot
The key considerations your organization should address when considering a Microsoft Copilot for Microsoft 365 deployment include:
Tier 1 Considerations
- Microsoft 365 Groups (and Teams)
  - Are you over-using public groups and Teams? Unless permissions are customized, all of the file content in public groups and teams is available to anyone in the organization. Anyone in the organization can access this information via direct navigation to the underlying SharePoint Online site, or via Microsoft Search, Microsoft Delve, or Microsoft Copilot for Microsoft 365. (This does not apply to Private Channels and Shared Channels.)
- SharePoint Online Sites
  - Are your site permissions too broad?
  - Is the “Everyone” or “Everyone except External Users” group over-used in any sites?
- SharePoint and OneDrive Sharing Permissions
  - Have you set the restrictions and defaults for sharing links appropriately at the global level?
  - Have you configured per-site sharing link controls appropriately for each site?
- Web Grounding
  - Have you considered whether web grounding should stay enabled at the tenant level? With web grounding enabled, some organizational information may be submitted to Bing in a search query.
- Microsoft Purview
  - Consider using Container labels (sensitivity labels specifically for applying policy at the Group/Team/Site level) to enforce organizational standards at the Group/Team/Site level.
  - Do you have an enterprise information taxonomy and classification system? Have you implemented your taxonomy as Sensitivity Labels? There are legitimate tactical use cases for Sensitivity Labels, but most organizations need a strategic “crawl, walk, run” multi-month or multi-year rollout to achieve long-term effectiveness and user adoption.
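The Tier 1 questions about public Groups/Teams, the “Everyone” claims, and sharing-link defaults can be answered from PowerShell. The script below is an added example, not code from the original post or from Perficient; it assumes the SharePoint Online and Exchange Online management modules are installed, that `<tenant>` is replaced with your tenant name, and that the account used holds the SharePoint and Exchange admin roles.

```powershell
# Added example (not from the original post): read-only readiness report for the
# Tier 1 items, with remediation held behind an explicit switch.
# Assumes: Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement
# are installed, and <tenant> is replaced with your tenant name.
Import-Module Microsoft.Online.SharePoint.PowerShell
Import-Module ExchangeOnlineManagement

Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
Connect-ExchangeOnline

# 1. Public Microsoft 365 Groups/Teams: every member of the organization can read
#    the files in the connected SharePoint site, and Copilot can surface them.
$publicGroups = Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.AccessType -eq 'Public' } |
    Select-Object DisplayName, PrimarySmtpAddress, SharePointSiteUrl
"Public Groups/Teams found: $(@($publicGroups).Count)"
$publicGroups | Format-Table -AutoSize

# 2. Tenant-level sharing-link defaults, plus the org-wide claims that make
#    "Everyone" / "Everyone except external users" easy to grant by accident.
Get-SPOTenant |
    Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
        RequireAnonymousLinksExpireInDays, ShowEveryoneClaim,
        ShowEveryoneExceptExternalUsersClaim, ShowAllUsersClaim |
    Format-List

# 3. Sites that still permit anonymous "Anyone" links (the most permissive level).
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability |
    Format-Table -AutoSize

# Remediation is a deliberate step: set $Remediate to $true only after reviewing
# the report above and agreeing the new defaults with site owners.
$Remediate = $false
if ($Remediate) {
    # New sharing links default to "specific people" with view-only access, and the
    # org-wide claims are hidden from the people picker so they are not granted casually.
    Set-SPOTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View `
        -ShowEveryoneClaim $false -ShowEveryoneExceptExternalUsersClaim $false `
        -ShowAllUsersClaim $false
}
```

Hiding the claims only prevents new grants; existing "Everyone" permissions on sites still need to be found and removed in the site permission settings.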
Tier 2 Considerations
- Purview Data Lifecycle
  - Have you implemented, or are you implementing, information lifecycle policies in Microsoft Purview? To make quality output from Microsoft Copilot for Microsoft 365 more likely, you should address information ROT (Redundant, Outdated, or Trivial) in your tenant while also preserving important and relevant records that may contribute to quality output. Retention and deletion policies and labels will likely be part of the solution to the problem of ROT. Appropriate deletion actions can also reduce the likelihood of over-exposure of older but still sensitive information.
- User activity monitoring
  - Are you capturing and reviewing user activity in your tenant? Specifically for Copilot, are you monitoring the Microsoft Copilot usage reports? Have you enabled the telemetry capture that provides more detailed usage information?
The list above does not include all considerations for securing your Microsoft 365 tenant. For example, we did not address conditional access or multi-factor authentication scenarios. However, the above considerations are most directly related to Microsoft Copilot consumption.
Conclusion
Microsoft 365 may add additional Copilot-specific configuration and governance controls in the future. However, the best approach is to ensure that your underlying Microsoft 365 assets are properly permissioned and configured. As new Microsoft 365 features and controls are released, these actions will continue to pay dividends.
Our Perficient Microsoft team has extensive experience helping organizations like yours to analyze current state, identify gaps, and take action to secure and govern their Microsoft tenant. This work directly impacts the Microsoft Copilot for Microsoft 365 experience. Our engagements range from road-mapping, to foundational security and governance implementations, to extended migration and/or enablement and support offerings and we are able to customize these engagements to your particular areas of concern. We love partnering with customers to help them achieve the best possible Microsoft 365 service adoption and governance outcomes.