Protect your Copilot for Microsoft 365 data with Microsoft 365 security tools

Many organizations have concerns that their users overshare internal or personal information. To address these concerns, Microsoft provides powerful security tools within its Microsoft 365 and Azure ecosystems. These tools help organizations tighten permissions and implement "just enough access." The policies and settings that administrators define in these tools are used not only by Microsoft 365 and Azure to prevent data oversharing, but also by Copilot for Microsoft 365. Administrators should verify their organization's security practices as they relate to permissions, sensitivity labeling, and data access to help prevent potential oversharing of proprietary and sensitive business data.

Microsoft recommends the "just enough access" approach to addressing this situation. In this approach, each user can access only the specific information required for their job. This approach entails tightly controlling permissions so users can't access documents, sites, or data they shouldn't see.

To prevent oversharing, organizations should consider implementing the following best practices:

  • Conduct an access review for sites, documents, emails, and other content. Identify any overexposed assets. Have data owners inventory SharePoint sites, document libraries, email mailboxes, and other data assets. Identify areas where user permissions are broader than required. For example, an "HR Benefits" SharePoint site might be visible to all employees instead of just the HR team.
  • Tighten permissions on overexposed assets so only authorized users have access. Using the example in the previous item, restrict the "HR Benefits" site access to only HR department members. Similarly, limit confidential product roadmap documents to relevant product managers only. Configure external sharing and access expiration on emails and documents to limit exposure.
  • Validate that restricting access doesn't impede any users' ability to do their jobs. Survey and interview users of restricted assets to confirm they still have access to all necessary information for their role. For example, ensure Sales can still access client contact information and project specs even if the company restricted HR data.
  • Test search functionality to confirm users can only access information relevant to their roles. Perform searches on a sampling of documents, sites, and emails as different internal roles. Confirm finance staff can't access HR data. Validate cross-department teams retain access to shared project resources. Tuning permissions is an iterative process.
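
The four steps above can be rehearsed offline before touching a tenant. The following is an added example, not part of the original module or of any Microsoft tool: a Python sketch over a constructed permissions export that finds overexposed assets, proposes tightened grants, and checks what each role can still reach. All group names, users, and assets are assumptions made for illustration.

```python
# Constructed sample data: none of these names come from a real tenant.
BROAD = {"Everyone", "Everyone except external users"}

GROUPS = {  # group -> members (constructed)
    "HR": {"hana"},
    "Finance": {"femi"},
    "Sales": {"sam"},
    "Product Managers": {"priya"},
}
ALL_USERS = set().union(*GROUPS.values())

ASSETS = [  # current grants vs. the audience the data owner says is required
    {"name": "HR Benefits site", "granted": {"Everyone except external users"},
     "required": {"HR"}},
    {"name": "Product roadmap", "granted": {"Product Managers", "Sales"},
     "required": {"Product Managers"}},
    {"name": "Client contacts", "granted": {"Sales"}, "required": {"Sales"}},
    {"name": "Project specs", "granted": {"Sales", "Product Managers"},
     "required": {"Sales", "Product Managers"}},
]

def expand(principals):
    """Resolve groups and tenant-wide principals to the users they cover."""
    users = set()
    for p in principals:
        users |= ALL_USERS if p in BROAD else GROUPS.get(p, set())
    return users

def review(assets):
    """Step 1: list users who hold access beyond the required audience."""
    findings = {}
    for a in assets:
        excess = expand(a["granted"]) - expand(a["required"])
        if excess:
            findings[a["name"]] = sorted(excess)
    return findings

def tighten(assets):
    """Step 2: proposed grants, restricted to the required audience."""
    return [{**a, "granted": set(a["required"])} for a in assets]

def reachable(assets, user):
    """Steps 3-4: assets a user can still open, and so could find by search."""
    return sorted(a["name"] for a in assets if user in expand(a["granted"]))

if __name__ == "__main__":
    print("Overexposed:", review(ASSETS))
    print("Sales after tightening:", reachable(tighten(ASSETS), "sam"))
```

Running `review` again on the tightened grants should return no findings; any asset that still appears marks a place where the data owner's required audience is itself too broad.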

Microsoft tools for securing data

Microsoft 365, Copilot for Microsoft 365, and connected services all use the policies and settings that administrators define to tighten permissions and implement "just enough access." They do so through plugins and Microsoft Graph connectors to prevent data oversharing. The following list provides a brief summary of some of the tools that administrators can use to define these policies and settings:

  • Microsoft Purview Information Protection. Classify and optionally encrypt documents and emails based on sensitivity. You can create policies to restrict access to only authorized users. For example, you can:
    • Classify documents or emails containing employee salaries as "Highly Confidential" and restrict access only to the HR team.
    • Classify client data as "Confidential" and only allow sales reps assigned to that client to access it.
    • Classify financial reports as "Internal Only" and automatically encrypt them to prevent external sharing.
    • Classify executive communications as "Internal Eyes Only" and restrict access to members of the leadership team.
  • Microsoft Purview sensitivity labels. Classify and label SharePoint sites, documents, and emails with sensitivity tags like "Confidential" or "Internal use only." You can create policies to limit access to assets with specific sensitivity tags. For example, you can:
    • Label employee performance reviews with an "HR Confidential" sensitivity tag and limit access only to HR managers.
    • Label customer data with a "Customer Confidential" tag and configure policies to block downloads, prints, or shares of items with that tag.
    • Label customer data with "Confidential" and configure the label to automatically encrypt files that have it applied.
    • Label accounting spreadsheets "Finance Confidential" and limit access to only finance team members.
  • Microsoft Entra conditional access policies. Grant or restrict access to Microsoft 365 information and services, including SharePoint, based on conditions like user location, device, or network. These policies are useful for limiting access when the system detects risks or user credentials become compromised. For example, you can:
    • Require multifactor authentication to access SharePoint sites containing financial data when connecting remotely.
    • Block external sharing of sites containing internal presentations unless users are connecting through managed devices on the corporate network.
    • Require managed devices to access sites containing proprietary source code.
    • Block access to sites containing press releases before public announcement date.
    • Block access or require step-up authentication with another factor in cases where the system detects impossible travel, which is often an indicator of credential theft.
  • Microsoft Entra Privileged Identity Management (PIM). Provide just-in-time admin access, enforce the principle of least privilege, and limit permanent standing privileges by only granting a user the permissions they need when needed. For example, you can:
    • Grant privileged roles like SharePoint admin or Global admin only for approved business hours to minimize standing access.
    • Require multifactor authentication and justification to activate privileged access to data or apps.
    • Limit privileged access like Billing Administrator to five hours per week maximum.
    • Require approval to activate Microsoft 365 Global Administrator role access.
  • SharePoint site access reviews. Require and automate access reviews of site owners, members, and access requests, to revoke permissions that users don't need or no longer require. Access reviews ensure users only retain the access they need for their role. For example, you can:
    • Automatically revoke permissions to HR or financial systems after 90 days unless reviewed and approved.
    • Require business justification each quarter for external user accounts to validate ongoing need for access.
    • Require quarterly reviews of user access and remove access for departed employees.
    • Enforce policy time limits on external user access for collaboration sites.
  • Microsoft Graph connectors and plugins. Limit access to connected external data using Microsoft Graph connectors or plugins. For example, you can:
    • Define the access scope that users and groups require to access connected data providers.
    • Require user account-based service authentication for connected services and data used with Copilot for Microsoft 365 plugins.
    • Limit extended search capabilities to external content indexed through Graph connectors to only users who should have access.

Using combinations of these tools to tighten access and implement least privilege allows organizations to limit exposure of sensitive data and prevent oversharing to keep sensitive information secure. These tools are powerful mechanisms for enabling "just enough access." By ensuring each employee has just enough access to get their work done without excessive privileges, you can also keep Copilot for Microsoft 365 focused only on appropriate data needed for helpful recommendations.

Additional reading. For more information on securing your data and user devices, see the following training offerings:

Implement a Zero Trust security model

If there’s one thing that recent events show, it’s that security isn’t getting any easier. Recent high-profile breach activities underscore the growing sophistication of today’s threat actors. They also highlight the complexity of managing business risk in an increasingly connected world. It’s a struggle for organizations of every size and for the public and private sector alike. Microsoft addresses these concerns with its Zero Trust security model, which addresses all types of threats—both outside in and inside out.

Zero Trust is a security strategy for all your Microsoft services, including Microsoft 365, Azure, and Copilot for Microsoft 365. Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes every request is a potential breach. As such, organizations must verify every request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to “never trust, always verify.” Every access request is fully authenticated, authorized, and encrypted before granting access. The Zero Trust model applies microsegmentation and least privileged access principles to minimize lateral movement. It uses rich intelligence and analytics to detect and respond to anomalies in real time.

The underlying principles that provide the foundation of the Zero Trust model include:

  • Verify explicitly. Always authenticate and authorize based on all available data points. For example, user identity, location, device health, service or workload, data classification, and anomalies.
  • Use least privileged access. Limit user access with just-in-time (JIT) and just-enough-access (JEA), risk-based adaptive policies, and data protection to help secure both data and productivity.
  • Assume breach. Minimize blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices, and app awareness. Verify all sessions are encrypted from start to finish. Use analytics to get visibility and drive threat detection and improve defenses.

Additional reading. An in-depth analysis of the Zero Trust model is beyond the scope of this training. However, to learn more about Microsoft's Zero Trust security model and how to implement it in your organization, see Explore the Zero Trust security model.

Knowledge check

Choose the best response for the following question.

1. Holly Dickson is the Microsoft 365 administrator for Contoso. Holly is preparing for Contoso's launch of Copilot for Microsoft 365. As such, Holly is reviewing the company's existing policies and settings to prevent data oversharing in Copilot for Microsoft 365. Holly wants to provide just-in-time administrator access and enforce the principle of least privilege by only granting users the permissions they need when needed. Which security tool should Holly review that provides these security features?