Security and privacy in Topics
Topics uses existing content security features in Microsoft 365, along with administrative controls, to control what AI-generated content is shown to users in your organization. It is the combination of Microsoft 365 security settings (permissions to sites, files, and folders) and Topics admin settings that determine what a given user can see in topics.
Setting up Topics does not modify any existing access controls on content in your organization. Users can only see what they already have access to.
This article describes how Topics works from a security perspective and the options that administrators and knowledge managers have to control topic visibility. Read this article as part of your planning for Topics.
What users can see in topics
To see topics, a user must:
- Have a license that includes Topics
- Have permissions to view topics, or create, contribute to, or manage topics.
These two things give users view access to the topic center and allow them to see topic experiences in Microsoft 365.
Topic contributors additionally have create and edit permissions for topics, and knowledge managers can confirm or remove topics.
When a topic is first discovered, knowledge managers can see it in the topic center. Depending on the completeness and relevance of the topic, topic viewers may or may not see the topic presented in topic cards.
Topics can contain information generated by AI and information added or edited by topic contributors or knowledge managers.
- Information in a topic that was added by AI is only visible to people who have access to the source content.
- Text that has been manually added or edited by a topic contributor or knowledge manager is visible to everyone who can see the topic.
Topic viewers and contributors can see the list of confirmed and published topics in the topic center, but the topic details that a given person can see depends on the permissions that they have to the source material and on whether the topic has been manually edited.
The following table describes what users - topic viewers, contributors, and knowledge managers - can see in a given topic based on their permissions.
|What users can see
|Users can see the topic name of topics in the topic center. Some topics may not be visible if users don't have permissions to the source content or have a low relevancy to the user.
|AI-generated descriptions are visible only to users who have permissions to the source content. Manually entered or edited descriptions are visible to all users.
|Pinned people are visible to all users. Suggested people are only visible to users who have permissions to the source content.
|Files are only visible to users who have permissions to the source content.
|Pages are only visible to users who have permissions to the source content.
|Sites are only visible to users who have permissions to the source content.
Users' personal and private data
Topics only discovers topics in the SharePoint sites that you specify. Users’ personal storage such as personal mail or OneDrive is not included.
Topics presents information to users based on their existing permissions to content. Microsoft 365 provides a variety of ways to ensure that sensitive content is restricted to appropriate users. Beyond standard team or site permissions, you can use sensitivity labels or data loss prevention to restrict access to content and access reviews to periodically review user access to sensitive information.
We recommend that you use these tools to ensure that your content permissions are set appropriately inside your organization. Topic experiences can then provide useful and appropriate information to your users.
If there are topics that you want to exclude entirely from topic experiences, you can also:
Exclude sensitive SharePoint sites from topic discovery. Content in these sites will not appear in topic experiences.
Exclude topics by name. Topics explicitly excluded will not appear in topic experiences.
Have knowledge managers remove topics in the topic center.
A topic, when removed, can take up to 24 hours to stop appearing to users in your organization.
Additionally, we recommend these best practices:
Recruit knowledge managers from different areas of your organization. Having knowledge managers with a variety of expertise - and access to the underlying content used by AI - can help you curate the most useful knowledge for your users and remove sensitive information if found.
Set up a workflow for requesting changes. Knowledge managers or team or site owners should have a process by which they can request exclusion of topics or sites as new projects are started within your organization or if they find content with inappropriate permissions settings.
Be aware of the audience and the sensitivity of information when creating topic descriptions. These descriptions may be visible to users who don't have permissions to the source content for the topic.
While you can change the permissions on individual topic pages to narrow access to a specific group of users, we don't recommend this approach because of the high degree of administrative effort required.