Understand access controls and data security

Access control lists (ACLs) are essential for securing data in Microsoft 365. They define who can access specific content, ensuring that permissions are properly managed when importing external content. This unit explores the purpose of ACLs, their configuration, synchronization with external systems, and application in various scenarios.

Understand the purpose of access control lists (ACLs)

Access control lists (ACLs) are used to secure data by defining who can access specific content. An ACL is an array of access control entries, and each entry includes:

  • Access type: Specifies whether access is granted or denied.
  • Type: Identifies the entity type, such as a Microsoft Entra user, group, or everyone in the tenant.
  • Value: Represents the specific entity described by the entry.

ACLs ensure that only authorized individuals or groups can access imported content, maintaining security and compliance within Microsoft 365.

Diagram of a schematic view of an access control list.

Note

Each imported item must include at least one access control entry, and multiple entries can be added to grant access to different groups.

Configure access control lists for imported content

When importing external content into Microsoft 365 using Copilot connectors, ACLs are created based on the permissions stored in the external system. These ACLs are included with the imported items to ensure proper access control.

To configure ACLs:

  • Retrieve permissions from the external system.
  • Build ACLs for each piece of content.
  • Include the ACLs with the imported items to maintain the same access permissions as in the external system.

For example, if the external content is accessible to everyone in the organization, you can use the following ACL entry:

  • Access type: grant
  • Type: Everyone
  • Value: Everyone

If the content is accessible only to specific groups, you can define entries based on Microsoft Entra users or groups, specifying their object IDs.

Diagram that illustrates how a custom Copilot connector works.

Apply access control lists to different scenarios

ACLs can be applied to various scenarios to meet organizational needs. Common examples include:

  • Granting access to everyone: Use an ACL entry with "Access type: grant," "Type: Everyone," and "Value: Everyone."
  • Restricting access to specific groups: Define entries for Microsoft Entra users or groups, specifying their object IDs.
  • Securing content from external systems without single sign-on: Use external groups to reflect memberships defined in the external system while mapping them to Microsoft Entra users or groups.

These configurations ensure that imported content is accessible only to the intended individuals or groups, maintaining security and compliance.

Synchronize external permissions with access control lists

To ensure consistent security, external system permissions must be synchronized with ACLs in Microsoft 365. The external system serves as the primary reference for permissions.

Synchronization methods include:

  • Event-based updates: If the external system raises events when permissions change, update the ACLs immediately.
  • Scheduled scans: If events aren't supported, implement a process to frequently scan for changes and update permissions.
  • On-demand refresh: Allow instant permission updates when needed.

These methods help maintain accurate and up-to-date access control for imported content.
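To tie the configuration, scenario and synchronization steps above together, here is an added example (not code from the Microsoft Learn unit or from any Microsoft connector sample) that maps constructed external-system permission records onto ACL entries and detects when a permission-change event requires an ACL update. The entry field names (type, value, accessType) follow the Microsoft Graph externalItem acl shape as I know it; the permission records, identity map and object IDs are constructed.

```python
"""Build Copilot connector ACLs from external permissions and detect drift.

Added example. Field names follow the Microsoft Graph externalItem acl
shape (type, value, accessType); all sample data below is constructed.
"""

# Constructed mapping from external principals to Microsoft Entra object IDs.
SAMPLE_ENTRA_IDS = {
    "alice@contoso.example": "11111111-1111-1111-1111-111111111111",
    "finance-team": "22222222-2222-2222-2222-222222222222",
}

# Constructed permission records as an external system might report them.
SAMPLE_PERMISSIONS = [
    {"principal": "alice@contoso.example", "kind": "user", "allow": True},
    {"principal": "finance-team", "kind": "group", "allow": True},
    {"principal": "legacy-auditors", "kind": "group", "allow": True},  # no Entra group
    {"principal": "bob@contoso.example", "kind": "user", "allow": True},  # unmapped user
    {"principal": "contractors", "kind": "group", "allow": False},  # explicit deny
]


def build_acl(permissions, entra_ids):
    """Translate external permission records into access control entries.

    Users/groups with an Entra object ID become user/group entries. Groups the
    external system knows but Entra does not become externalGroup entries (the
    no-single-sign-on scenario), to be resolved by the connector later. A user
    with no Entra identity is skipped rather than guessed at.
    """
    acl = []
    for p in permissions:
        access = "grant" if p["allow"] else "deny"
        if p["kind"] == "everyone":
            acl.append({"type": "everyone", "value": "everyone", "accessType": access})
        elif p["principal"] in entra_ids:
            acl.append({"type": p["kind"], "value": entra_ids[p["principal"]], "accessType": access})
        elif p["kind"] == "group":
            acl.append({"type": "externalGroup", "value": p["principal"], "accessType": access})
    if not acl:
        # Every imported item must carry at least one access control entry.
        raise ValueError("imported item needs at least one access control entry")
    return acl


def acl_changed(current, desired):
    """Order-insensitive comparison run when a permission-change event arrives."""
    key = lambda e: (e["type"], e["value"], e["accessType"])
    return sorted(map(key, current)) != sorted(map(key, desired))
```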