Microsoft 365 Copilot admin guide for E3 + SAM licenses

When you're preparing your organization for Microsoft 365 Copilot or you're ready to start using Copilot, there are features in your E3 + SAM licenses that can help get your data ready.

When users enter a prompt, Copilot can respond with data that the user has permission to access. Overshared and outdated data can lead to inaccurate results from Copilot.

This article provides guidance for IT admins with Microsoft 365 E3 and SharePoint Advanced Management (SAM) licenses. With the features included in these licenses, you:

  • Use SharePoint Advanced Management (SAM) to help prevent oversharing, declutter data sources, restrict SharePoint searches, and monitor SharePoint site changes.
  • Use Microsoft Purview to create sensitivity labels, identify and protect sensitive data, and delete the content you don't need.

When you use the features described in this article, your organization is better prepared for Copilot, including getting more accurate results from Copilot.

This article applies to:

  • Microsoft 365 Copilot
  • Microsoft SharePoint Premium - SharePoint Advanced Management (SAM)
  • Microsoft Purview

Note

If you have an E5 license, then see Microsoft 365 Copilot admin guide for E5 licenses. For a comparison of the features in the licenses, see Compare Microsoft 365 Copilot license feature overview.

Before you begin

SharePoint admin task - Use SharePoint Advanced Management (SAM) features

There are features in SharePoint Advanced Management (SAM) that can help you get ready for Copilot.

Copilot goals with SAM:

  • Declutter data sources by finding and removing inactive SharePoint sites.
  • Identify SharePoint sites with overshared or sensitive content.
  • Use policy to restrict access to SharePoint sites that are business critical or have sensitive content.
  • Monitor site changes.

This section walks you through different SAM features that can help you get your organization and your data ready for Copilot.

To learn more about SAM + Copilot, see Get ready for Copilot with SharePoint Advanced Management.

Ensure all sites have valid owners

Run a Site Ownership policy that finds any sites that don't have at least two owners

A Site ownership policy automatically detects sites that don't have at least two owners and can help find potential owners. Set up the policy in simulation mode to identify owners based on your desired criteria. Then, upgrade the policy to Active mode to enable notifications to site owner candidates.

You need site owners to help confirm the site is still active, perform Site access review, update content permissions, and control access when needed.

  1. Sign in to the SharePoint admin center as a SharePoint administrator.
  2. Expand Policies > select Site lifecycle management.
  3. Select Create a policy, enter your parameters, and finish your policy.
  4. When the policy runs, the report shows the number of sites that are noncompliant. You can also download the report.

To learn more about this policy and report, see Site ownership policy.

Find and cleanup inactive sites

Create a site lifecycle management policy that finds inactive sites

A site lifecycle management policy automatically detects inactive sites and sends a notification email to the site owners. When you use the email, the site owners can confirm that the site is still active.

Copilot can show data from these inactive sites in user prompts, which can lead to inaccurate and cluttered Copilot results.

The policy also creates a report that you can download and review. The report shows the inactive sites, the last activity date, and the email notification status.

  1. Sign in to the SharePoint admin center as a SharePoint administrator.
  2. Expand Policies > select Site lifecycle management.
  3. Select Create a policy, enter your parameters, and finish your policy.
  4. When the policy runs and finds inactive sites, the policy automatically emails the site owners. The site owners should confirm if the site is still active.
  5. If the site owners confirm the sites aren't needed, then put inactive sites in read-only mode with SAM, or move the sites to Microsoft 365 Archive with SAM.

To learn more about this policy and report, see site lifecycle management policy.

Best practices for managing inactive SharePoint sites

This action helps reduce outdated content that clutters Copilot's data source, which improves the accuracy of Copilot responses.

Tip

Sites moved to Microsoft 365 Archive are no longer accessible by anyone in the organization outside of Microsoft Purview or admin search. Copilot won't include content from these sites when responding to user prompts.

Identify sites with overshared or sensitive content

Run Data access governance (DAG) reports in the SharePoint admin center

The DAG reports give more detailed information about site sharing links, sensitivity labels, and the Everyone except external users (EEEU) permissions on your SharePoint sites. Use these reports to find overshared sites.

Overshared sites are sites that are shared with more people than needed. Copilot can show data from these sites in responses.

  1. Sign in to the SharePoint admin center as a SharePoint administrator.

  2. Select Reports > Data access governance. Your report options:

    Report Description Task
    Sharing links Shows the sites that have sharing links, including links shared with Anyone, shared with People in your organization, and shared with Specific people outside of your work or school. Review these sites.

    Make sure the sites are shared with only the users or groups that need access. Remove sharing for unneeded users and groups.
    Sensitivity labels applied to files Shows sites with Office files that have sensitivity labels. Review these sites.

    Make sure the correct labels are applied. Update the labels as needed. To learn more, see Identify and label sensitive data (in this article).
    Shared with Everyone except external users (EEEU) Shows the sites that are shared with everyone in your organization except external users. Review these sites.

    Determine if EEEU permissions are appropriate. Many sites with EEEU are overshared. Remove the EEEU permission and assign to the users or groups as needed.
    Oversharing Baseline Report for Sites, OneDrives and Files Scans all sites in your tenant, and lists sites that share content with more than a specified number of users (you specify the number). Sort, filter or download the report, and identify the sites with potentially overshared content.

You can run any of these reports individually or run all of them together. To learn more about these reports, see Data access governance (DAG) reports.

Best practices for managing the DAG reports

  • Run these reports weekly, especially in the beginning stages of adopting Copilot. As you become more familiar with the reports and the data, you can adjust the frequency.

    If you have an admin team, create an admin task to run these reports and review the data.

    Your organization is paying for the license to run these reports and use the data to make decisions. Make sure you're getting the most out of it.

  • Select Get AI insights to generate a report that helps you identify issues with the sites and possible actions to address these issues.

Control access to overshared SharePoint sites

Initiate Site access reviews for site owners

In a Data access governance (DAG) report, you can select sites with oversharing risks. Then, initiate site access reviews. Site Owners receive notification for each site that requires attention. They can use the Site reviews page to track and manage multiple review requests.

The site owner reviews access in two main areas: SharePoint groups and individual items. They can determine if broad sharing is appropriate, or if a site is overshared and requires remediation.

If the site owner determines that the content is overshared, they can use the Access Review dashboard to update permissions.

Use restricted access control policy (RAC) in the SharePoint admin center

A restricted access control policy restricts access to a site with overshared content. It can restrict access to SharePoint sites and content to users in a specific group. Users not in the group can't access the site or its content, even if they previously had permissions or a shared link.

When users in the group have permissions to the content, then that content can show in Copilot results. Users not in the group don't see this info in their Copilot results. You can set up restricted access control for individual sites or OneDrive.

Use restricted content discoverability policy (RCD) in the SharePoint admin center

A restricted content discoverability policy (RCD) doesn't change the site access. Instead, it changes the site's content discoverability. When you apply RCD to a site, the site's content isn't discoverable by Copilot or organization-wide search results for all users.

The SharePoint Admin can set restricted content discoverability on individual sites.

Best practices for control access to overshared SharePoint sites

  • If your organization has a Zero Trust mindset, then you can apply restricted access control (RAC) to all sites. Then, adjust the permissions as needed. If you have many sites, this action can help you quickly secure your sites. But, it can cause disruptions to users.

  • If you use RAC or RCD, make sure you communicate the changes and the reasons for the changes.

Tip

For business-critical sites, you can also:

Monitor changes

Run the change history report in the SharePoint admin center

The change history report tracks and monitor changes, including what changed, when the change happened, and who initiated the change. The intent is to identify recent changes that could lead to oversharing, which impacts Copilot results.

Use this report to review the changes made to your SharePoint sites and organization settings.

  1. Sign in to the SharePoint admin center as a SharePoint administrator.

  2. Expand Reports > select Change history > New report.

  3. Your report options:

    Report Description Task
    Site settings report Shows the site property changes and actions ran by Site Administrators and SharePoint Administrators. Review the changes and actions. Make sure the actions meet your security requirements.
    Organization settings report Shows changes made to organization settings, like when a site is created and if external sharing is enabled. Review the changes and actions. Make sure the changes meet your security requirements.

Best practices for managing the change history reports

  • Run these reports weekly, especially in the beginning stages of adopting Copilot. As you become more familiar with the reports and the data, you can adjust the frequency.

    If you have an admin team, create an admin task to run these reports and review the data.

    Your organization is paying for the license to run these reports and use the data to make decisions. Make sure you're getting the most out of it.

  • Create a report for the site level changes and the organization level changes. The site level reports show changes made to the site properties and actions. The organization level reports show changes made to the organization settings.

  • Review the sharing settings and access control settings. Make sure the changes align with your security requirements. If they don't align, then work with the site owners to correct the settings.

  • Apply restricted access control (RAC) to sites that appear to be overshared. Inform the site owners of the changes and why.

    If your organization has a Zero Trust mindset, then you can apply RAC to all sites. Then, adjust the permissions as needed. If you have many sites, this action can help you quickly secure your sites. But, it can also cause disruptions to users. Make sure you communicate the changes and the reasons for the changes.

SharePoint admin task - Restrict SharePoint Search (RSS)

Copilot goal: Expand the RSS allowed list

As you get ready for Copilot, you review and configure the correct permissions on your SharePoint sites. The next step is to enable Restricted SharePoint Search (RSS).

RSS is a temporary solution that gives you time to review and configure the correct permissions on your SharePoint sites. You add the reviewed & corrected sites to an allowed list.

  • If you enabled RSS, then add more sites to the allowed list. You can add up to 100 sites to the allowed list. Copilot can show data from the allowed list sites in user prompts.

To learn more, see:

Add sites to the RSS allowed list

  1. Get a list of the sites that you want to add to the allowed list.

    • Option 1 - Use the Sharing links report

      1. Sign in to the SharePoint admin center as a SharePoint administrator.
      2. Select Reports > Data access governance > Sharing links > View reports.
      3. Select one of the reports, like "Anyone" links. This report shows a list of sites with the highest number of Anyone links created. These links let anyone access files and folders without signing in. These sites are candidates to allow in tenant/org wide search.
    • Option 2 - Use the sort and filter options for Active sites

      1. Sign in to the SharePoint admin center as a SharePoint administrator.

      2. Select Sites > Active sites.

      3. Use the sort and filter options to find the most active site, including page views. These sites are candidates to allow in a tenant/organization wide search.

        In SharePoint admin center, select active sites and then use the All sites filter.

  2. Use the Add-SPOTenantRestrictedSearchAllowedList PowerShell cmdlet to add the sites to the allowed list.

    To learn more about this cmdlet, see Use PowerShell Scripts for Restricted SharePoint Search.

Purview admin tasks - Use Microsoft Purview features

There are features in Microsoft Purview that can help you get ready for Copilot.

Copilot goals with Purview:

  • Identify and label sensitive data in your Microsoft 365 and Office files.
  • Detect and protect sensitive information from unauthorized sharing or leakage.
  • Delete the content you don't need.
  • Review and analyze Copilot prompts and responses.

To learn more about Microsoft Purview, see Microsoft 365 Copilot in Microsoft Purview Overview.

Identify and label sensitive data

Create and apply sensitivity labels to protect your data

Sensitivity labels are a way to identify and classify the sensitivity of your organization's data, adding an extra layer of protection to your data.

When sensitivity labels are applied to items, like documents and emails, the labels add the protection directly to this data. As a result, that protection persists, wherever the data is stored. When sensitivity labels are applied to containers, like SharePoint sites and groups, the labels add protection indirectly by controlling access to the container where the data is stored. For example, privacy settings, external user access, and access from unmanaged devices.

The sensitivity labels can also affect Copilot results, including:

  • The label settings include protection actions, like access to sites, customizable headers and footers, and encryption.

  • If the label applies encryption, Copilot checks the usage rights for the user. For Copilot to return data from that item, the user must be granted permissions to copy from it.

  • A prompt session with Copilot (called Business Chat) can reference data from different types of items. Sensitivity labels are shown in the returned results. The latest response displays the sensitivity label with the highest priority.

  • If Copilot creates new content from labeled items, the sensitivity label from the source item is automatically inherited.

This section walks you through the steps to create and use sensitivity labels in Microsoft Purview. You create your own label names and configurations. To learn more about sensitivity labels, see:

1. Create sensitivity labels

  1. Sign into the Microsoft Purview portal as an admin in one of the groups listed at Sensitivity labels - permissions.
  2. Select Solutions > Information protection > Sensitivity labels > Create a label.
  3. In the scope, select Files and other data assets. This scope allows your labels to be applied to documents and emails.
  4. Continue creating the sensitivity labels you need.

To learn more, see:

2. Publish your labels and educate your users

  1. Add your labels to a publishing policy. When they're published, users can manually apply the labels in their Office apps. The publishing policies also have settings that you need to consider, like a default label and requiring users to label their data.

    To learn more, see Publish sensitivity labels by creating a label policy.

  2. Educate your users and provide guidance on when to apply the correct sensitivity label.

    Users should change the label if needed, especially for more sensitive content.

    To help you with this step, see End-user documentation for sensitivity labels.

  3. Monitor your labels. Select Information protection > Reports. You can see the usage of your labels.

3. Enable sensitivity labels for files in SharePoint and OneDrive

This step is a one-time configuration that is required to enable sensitivity labels for SharePoint and OneDrive. It's also required for Microsoft 365 Copilot to access encrypted files stored in these locations.

As with all tenant-level configuration changes for SharePoint and OneDrive, it takes about 15 minutes for the change to take effect. Then users can select sensitivity labels in Office on the web and you can create policies that automatically label files in these locations.

You have two options:

  • Option 1: Select Information Protection > Sensitivity labels. If you see the following message, select Turn on now:

    In Microsoft Purview Information Protection, turn on sensitivity labels for SharePoint and OneDrive.

  • Option 2: Use the [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant) Windows PowerShell cmdlet.

To learn more about this configuration, see Enable sensitivity labels for files in SharePoint and OneDrive.

4. Apply a sensitivity label to your SharePoint document libraries

You can use a sensitivity label on your SharePoint document libraries, and make this label the default label that applies to all document libraries. This configuration is appropriate when your document libraries store files with the same level of sensitivity.

The SharePoint site admin can do this task.

  1. In your SharePoint site, select Documents > Settings icon > Library settings > More library settings.
  2. In Default sensitivity labels (Apply label to items in this list or library), select your custom sensitivity label from the drop-down list.
  3. Save your changes.

When set:

  • SharePoint automatically applies the label to the files, which can include files with a lower sensitivity label.
  • It provides a baseline level of protection that's specific to the document library. It doesn't require content inspection and doesn't rely on end users.

To learn more, see:

Detect sensitive information and protect it from unauthorized sharing or leakage

Use data loss prevention (DLP) policies to help protect against unintentional sharing

Microsoft Purview Data Loss Prevention (DLP) helps organizations protect sensitive information by helping guard against unauthorized sharing or leakage. The intent is to dynamically protect sensitive information, like financial data, social security numbers, and health records, from being overshared.

You can create DLP policies to protect sensitive information with your Microsoft 365 services, like Exchange, SharePoint, and OneDrive accounts.

This section introduces you to the DLP policy creation process. DLP policies are a powerful tool. Make sure you:

  • Understand the data you're protecting and the goals you want to achieve.
  • Take time to design a policy before you implement it. You want to avoid any unintended issues. We don't recommend you create a policy, and then only tune the policy by trial-and-error.
  • Work through Data loss prevention - Before you begin before you start designing a policy. This step helps you understand the concepts and the tools you use to create and manage DLP policies.

1. Open the Microsoft Purview portal

  1. Sign into the Microsoft Purview portal as one of the admins listed at Create and deploy DLP policies - Permissions.
  2. Select Solutions > Data Loss Prevention.

2. Create DLP policies

For Exchange Online, SharePoint Online, and OneDrive, you can use DLP to identify, monitor, and automatically protect sensitive information across emails and files, including files stored in Microsoft Teams file repositories.

3. Test and monitor your policies

For DLP policies, you can:

  • Test your policies using simulation mode. Simulation mode allows you to see the effect of an individual policy without enforcing the policy. Use it to find the items that match your policy.

  • Monitor your policies with alerts and built-in reports, including risky user activities outside of DLP policies.

To learn more, see:

Delete the content you don't need

Use data lifecycle management for automatic data retention or deletion

Data lifecycle management uses retention policies and optionally, retention labels. They're typically used to retain content for compliance reasons and can also automatically delete stale information.

For example, your organization might have regulatory requirements that require you to keep content for a certain period of time. Or, you might have content that you want to delete because it's old, outdated, or no longer needed.

If you have stale data in your organization, then create and use retention policies. These policies help Copilot return more accurate information from your documents and emails.

Settings in a retention policy apply at the container level, like a SharePoint site or an Exchange mailbox. Data in that container automatically inherits these settings. If you need exceptions for individual emails or documents, then use retention labels. For example, you have a retention policy to delete data in OneDrive if the data is older than one year. But, users can apply retention labels to keep specific documents from automatic deletion.

  1. To create retention policies, sign into the Microsoft Purview portal as a Compliance Administrator.

    To learn more about the permissions, see Data Lifecycle Management - Permissions.

  2. Select Solutions > Data Lifecycle Management > Policies > Retention policies.

  3. Select New retention policy and follow the instructions.

    Retention policies manage automatic retention and deletion for Microsoft 365 workloads & Microsoft 365 Copilot interactions. To learn more, including the steps to create the policy, see Create and configure retention policies.

  4. Optional. Use retention labels when you need an exception to a retention policy. If you don't need an exception to a retention policy, then you don't need to create a retention label.

    • In Data Lifecycle Management, select Retention labels > Create a label.

    Follow the configuration instructions. To learn more, including the steps to create the policy, see How to create retention labels for data lifecycle management.

    After you create the retention labels, publish the labels and apply the labels to documents and emails. To learn more, see Publish retention labels and apply them in apps.

  5. If you applied retention labels, monitor them to see how they're being used.

    1. Sign into the Microsoft Purview portal as one of the admins listed at Content explorer - Permissions.

    2. Use content explorer to get information on the items using retention labels.

      There are a few ways to open content explorer:

      • Data Lifecycle Management > Explorers
      • Data Loss Prevention > Explorers
      • Information protection > Explorers

To learn more, see:

Review and analyze Copilot prompts and responses

Use eDiscovery to analyze Copilot user prompts and responses

When users enter a prompt and get a response from Copilot, you can view and search these interactions. Specifically, these features help you:

  • Find sensitive information or inappropriate content included in Copilot activities.
  • Respond to a data spillage incident when confidential or malicious information is released through Copilot-related activity.

eDiscovery uses cases to identify, hold, export, and analyze content found in mailboxes and sites. You can this feature to analyze Copilot prompts and responses.

  1. Sign into the Microsoft Purview portal as an admin in one of the groups eDiscovery - Permissions.

  2. Select Solutions > eDiscovery > Cases.

  3. Create a case and a search query. A search query searches in-place content, like email, documents, and instant messaging conversations.

    When you create a search query, you enter the Data sources that have Copilot data.

  4. The data returned is the Copilot prompts and responses. You can review and export this information. If the data contains sensitive information, you can also delete it.

To learn more, see Search for Copilot interactions in eDiscovery.

Technical and deployment resources available to you

  • Organizations with a minimum number of Copilot licenses are eligible for a Microsoft co-investment in deployment and adoption through eligible Microsoft Partners.

    To learn more, see Microsoft 365 Copilot Partner Directory.

  • Eligible customers can request technical and deployment assistance from Microsoft FastTrack. FastTrack provides guidance and resources to help you plan, deploy, and adopt Microsoft 365.

    To learn more, see FastTrack for Microsoft 365.