Why Microsoft 365 Security matters for Microsoft 365 Copilot and why it should be prioritized.

Think of Microsoft 365 Copilot as hiring the fastest employee in the world, one who has the ability and capacity to read every email, every document, every chat, and every meeting note in the company in seconds, and to consolidate the results into detailed answers and summaries. That’s incredibly powerful and productivity-enhancing, but there’s also a challenge.

Most companies today have a bit of a “messy office” problem when it comes to data access. Your employees often have keys to rooms they do not need: finance folders, HR and strategy documents. Usually neither you nor they are aware of it, and it normally goes unnoticed because no human being has the time or the patience to open every door in the office building. Microsoft 365 Copilot, however, does (for better or, at worst, for worse).

Introducing Microsoft 365 Copilot is not just a productivity project — it is a security and governance initiative.

“Rolling out Microsoft 365 Copilot without understanding both the benefits and risks is like giving an employee (or multiple employees) the master key to the office building.”

Microsoft 365 Copilot is a great productivity tool, so it would be wrong to consider Microsoft 365 Copilot itself the risk. The risk is the “unlocked doors” of the office building. (For the sake of clarity, I would like to repeat that Microsoft 365 Copilot does not create new permissions or new access to data sources or their content. It simply uses whatever access already exists in your organization.) That’s why Microsoft recommends a “Zero Trust approach”. In short, this means “Never trust, always verify” (Microsoft Learn): every door is checked, every identity is verified, and people only get access to the rooms they actually need.

  • No user, device, or system is automatically trusted
  • Every request must be verified
  • Access should be limited to the minimum required

To reduce the risk that AI accelerates the exposure of sensitive and/or confidential data, organizations that want to deploy Microsoft 365 Copilot successfully should therefore:

  1. Implement Zero Trust security
  2. Fix overly broad data access and “oversharing”
  3. Strengthen identity and device controls
  4. Apply data protection and monitoring

Introduce Microsoft 365 Copilot in stages

Microsoft recommends introducing Microsoft 365 Copilot in stages, starting with basic protections and then adding deeper controls as the system gains access to company data (Microsoft Learn). Key areas that must be secured include:

  • Identity (Multi-factor authentication, Risk-based access policies)
  • Devices (Only trusted and compliant devices can access data)
  • Data (Data loss prevention, Data classification and permissions)
  • Threat protection (Monitoring cloud apps and suspicious activity)

All of the above is important, but start with the most basic steps

Identity and Access Management (IAM) and device management are fundamental and something everyone should have in place as soon as possible; if this is not already done, it must be prioritized as a project in its own right. Implementing Information Protection with data classification, sensitivity labels and Data Loss Prevention requires a lot of planning and preparation, and you need to start this as soon as possible.

What you can and should start doing right now, and which does not require such careful planning, is to mitigate overly broad data access and “oversharing”.

Here are some common risks and suggestions on how to address them:

Too many members in teams in Microsoft Teams

Teams often include entire departments, former project members, or external guests who were never removed. Since every team stores its files in SharePoint, these users gain unnecessary access.

Risk:
Mitigation:
  • Quarterly membership reviews, enforce team owner responsibility, remove inactive users and guests, use dedicated private teams for sensitive material.

Public Teams (organization‑wide access)

Public Teams allow all employees in the tenant to access the team’s shared files by default, without being members of the team. Many organizations unintentionally use Public Teams as “open forums”, not realizing the file exposure this creates.

Risk:
  • All employees automatically gain access to the team’s SharePoint files.
  • Microsoft 365 Copilot can use these files as part of prompts, summaries, or generated content since they are broadly accessible.
  • Sensitive and/or confidential information can unintentionally become discoverable for the entire organization.
Mitigation:
  • Convert Public Teams to Private unless there is a clear business need to keep them Public.
  • Use Viva Engage for open organizational communication instead of Teams.
  • Use SharePoint Communication Sites with read access for open controlled documents instead of Teams.
  • Establish governance rules defining when Public Teams are allowed.
  • Require an approval workflow for creating Public Teams.
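
The following PowerShell is an added example and not code from the blog post. It covers the Teams points above (membership reviews, guests that were never removed, and Public Teams) by reporting every team with its visibility, owner count and guest members, and optionally converting flagged Public Teams to Private. It assumes the MicrosoftTeams module and a Teams administrator account; the -Fix switch and the report path are my own choices, not anything the post prescribes.

```powershell
# Added example (not from the blog post). Reports the conditions described
# above: public teams, teams with guest members and teams without an owner.
# Assumes the MicrosoftTeams module and a Teams administrator; the -Fix switch
# and the report path are my own choices.
param(
    [switch]$Fix,                                         # convert flagged public teams to private
    [string]$ReportPath = ".\teams-oversharing-report.csv"
)

Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

$report = foreach ($team in Get-Team) {
    $users  = @(Get-TeamUser -GroupId $team.GroupId)
    $owners = @($users | Where-Object { $_.Role -eq 'owner' })
    $guests = @($users | Where-Object { $_.Role -eq 'guest' })

    [pscustomobject]@{
        Team       = $team.DisplayName
        GroupId    = $team.GroupId
        Visibility = $team.Visibility                      # Public or Private
        Members    = $users.Count
        Owners     = $owners.Count
        Guests     = $guests.Count
        GuestUsers = ($guests | ForEach-Object { $_.User }) -join ';'
    }
}

# Flag what the post calls out: broad (public) access, guests that may have
# been forgotten, and teams nobody is accountable for reviewing.
$flagged = $report | Where-Object {
    $_.Visibility -eq 'Public' -or $_.Guests -gt 0 -or $_.Owners -eq 0
}

$flagged | Sort-Object Guests -Descending | Format-Table -AutoSize
$report  | Export-Csv -Path $ReportPath -NoTypeInformation

if ($Fix) {
    # Only after the flagged list has been reviewed with the team owners
    foreach ($t in ($flagged | Where-Object { $_.Visibility -eq 'Public' })) {
        Set-Team -GroupId $t.GroupId -Visibility Private
        "Converted '$($t.Team)' to Private"
    }
}
```

Run it without -Fix first and hand the CSV to the team owners as the input for the quarterly review; stale members and guests identified that way can be removed with Remove-TeamUser. Identifying truly inactive users needs sign-in data from Entra ID, which this report does not include.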

SharePoint sites, libraries or folders with “Everyone” access

Broad access often comes from inherited permissions or old project areas left open.

Risk:
Mitigation:
  • Replace “Everyone” and “Everyone except external users” permissions with least‑privilege access, use separate sites for sensitive documents.
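
This PowerShell is an added example, not code from the blog post. It locates site collections where the “Everyone” or “Everyone except external users” principal has been granted access, which is the first step before replacing those grants with least-privilege groups. It assumes the PnP.PowerShell module, a SharePoint administrator account and an Entra app registration for interactive sign-in; the tenant name and client ID are placeholders.

```powershell
# Added example (not from the blog post). Finds sites where the broad
# "Everyone" claims have been granted permissions. Assumes PnP.PowerShell and a
# SharePoint administrator; tenant name and ClientId are placeholders.
param(
    [string]$Tenant   = "contoso",                  # placeholder, replace with your tenant
    [string]$ClientId = "<your-pnp-app-client-id>"  # placeholder, your PnP app registration
)

Import-Module PnP.PowerShell
Connect-PnPOnline -Url "https://$Tenant-admin.sharepoint.com" -Interactive -ClientId $ClientId

# SharePoint represents these principals as claims rather than users:
#   Everyone                        -> c:0(.s|true
#   Everyone except external users  -> c:0-.f|rolemanager|spo-grid-all-users/<tenant id>
$results = foreach ($site in Get-PnPTenantSite) {
    Connect-PnPOnline -Url $site.Url -Interactive -ClientId $ClientId

    # Principals known to this site that are one of the broad claims
    $broad = Get-PnPUser | Where-Object {
        $_.LoginName -eq 'c:0(.s|true' -or $_.LoginName -like '*spo-grid-all-users*'
    }

    foreach ($principal in $broad) {
        # Which site groups (Owners/Members/Visitors or custom) contain the claim
        $groups = Get-PnPGroup | Where-Object {
            (Get-PnPGroupMember -Group $_ | ForEach-Object { $_.LoginName }) -contains $principal.LoginName
        }
        [pscustomobject]@{
            Site      = $site.Url
            Principal = $principal.Title
            InGroups  = ($groups | ForEach-Object { $_.Title }) -join ';'
        }
    }
}

$results | Sort-Object Site | Format-Table -AutoSize
```

A principal can appear in a site’s user list because it was granted access at any level, including a single library or folder, so a row with an empty InGroups column still deserves a manual check of that site’s unique permissions. Remediation is to remove the claim from the group or item and add a properly scoped security group in its place.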

Sharing links (“Anyone links”)

“Anyone with the link” and outdated external links can unintentionally expose files.

Risk:
Mitigation:
  • Disable or restrict “Anyone links”, prefer “People in your organization” or “Specific people”, run regular reports.
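
The PowerShell below is an added example, not code from the blog post. It reports which site collections still permit anonymous “Anyone” links and, with -Fix, tightens both the tenant default (external sharing only to authenticated guests, default link type “People in your organization”) and the individual sites. It assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator; the tenant name and the -Fix switch are my own choices.

```powershell
# Added example (not from the blog post). Reports and optionally restricts
# "Anyone" links. Assumes the SharePoint Online Management Shell module and a
# SharePoint administrator; tenant name is a placeholder.
param(
    [string]$Tenant = "contoso",   # placeholder, replace with your tenant
    [switch]$Fix                   # apply the restrictive settings
)

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url "https://$Tenant-admin.sharepoint.com"

$tenantCfg = Get-SPOTenant
"Tenant sharing level: {0}; default link type: {1}" -f `
    $tenantCfg.SharingCapability, $tenantCfg.DefaultSharingLinkType

# ExternalUserAndGuestSharing is the only level at which 'Anyone' links can be created
$anonSites = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Title, SharingCapability

"Sites that still allow 'Anyone' links: $($anonSites.Count)"
$anonSites | Format-Table -AutoSize

if ($Fix) {
    # Tenant-wide: no anonymous links, and the default link targets
    # 'People in your organization' instead of 'Anyone'
    Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
                  -DefaultSharingLinkType Internal

    # A site can never be more open than the tenant, but set it explicitly so
    # the site-level report stays accurate
    foreach ($s in $anonSites) {
        Set-SPOSite -Identity $s.Url -SharingCapability ExternalUserSharingOnly
    }
}
```

Existing anonymous links are not revoked by changing the sharing level; they stop working because anonymous access is no longer honoured, so communicate the change to users who shared files externally before running with -Fix.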

Viva Engage Communities with open discussions

Many communities are open to all employees and could include sensitive discussions.

Risk:
  • Copilot may summarize or access information from threads that should have been restricted.

Mitigation:
  • Make communities private when needed, use private Teams for sensitive discussions, define rules for what may be discussed publicly.

Shared inboxes or calendars in Exchange

Old or overly broad permissions are common in shared mailboxes and calendars.

Risk:
  • Copilot may use email or calendar content that too many people have access to.
Mitigation:
  • Prefer read‑only over full access, remove old delegates, use role‑based access groups.
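
As an added example (not code from the blog post), the following PowerShell audits the two situations described above: Full Access delegates on shared mailboxes, and user calendars whose Default permission exposes more than free/busy to everyone in the organization. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the threshold of five delegates is my own choice.

```powershell
# Added example (not from the blog post). Audits shared mailbox delegates and
# calendar Default permissions. Assumes ExchangeOnlineManagement and an
# Exchange administrator; the delegate threshold is an assumption.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Explicit (non-inherited, non-system) delegates on shared mailboxes
$shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
$delegates = foreach ($mbx in $shared) {
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and $_.User -notlike 'NT AUTHORITY\*'
        } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox      = $mbx.PrimarySmtpAddress
                Delegate     = [string]$_.User
                AccessRights = ($_.AccessRights -join ',')
            }
        }
}
$delegates | Sort-Object Mailbox, Delegate | Format-Table -AutoSize

# Shared mailboxes that "too many people" can open: review these first
$delegates | Group-Object Mailbox | Where-Object { $_.Count -gt 5 } |
    Select-Object @{ n = 'Mailbox'; e = { $_.Name } }, Count

# 2. Calendars where the Default permission is broader than free/busy.
#    The folder path is the English name; localized mailboxes may differ.
$users = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited
$openCalendars = foreach ($u in $users) {
    $perm = Get-MailboxFolderPermission -Identity "$($u.PrimarySmtpAddress):\Calendar" `
                -User Default -ErrorAction SilentlyContinue
    if ($perm) {
        $rights = ($perm.AccessRights -join ',')
        if ($rights -notin @('AvailabilityOnly', 'LimitedDetails', 'None')) {
            [pscustomobject]@{ User = $u.PrimarySmtpAddress; DefaultAccess = $rights }
        }
    }
}
$openCalendars | Format-Table -AutoSize
```

Old delegates found this way are removed with Remove-MailboxPermission (for Full Access) or Remove-MailboxFolderPermission (for a calendar), and the preferred replacement is a mail-enabled security group granted the role rather than a list of individuals.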

SharePoint Advanced Management (SAM) as a useful tool in the work of becoming Copilot Ready

To easily identify oversharing, it is beneficial to use SharePoint Advanced Management (SAM). More about SAM in an upcoming blog post. Follow along here on my blog so you don’t miss it. 😊


I’m Magnus

I am the one who runs this blog whose purpose is to spread and share experiences, wisdom, news, information, good advice, tips & tricks, constructive feedback and reviews. All of this related, in one way or another, to Microsoft 365 in general and Microsoft Teams in particular.

I am passionate about testing and evaluating new applications, functionality and solutions, but I am just as passionate about ensuring how to put it to use in the right way.