Best Practices for Integrating Microsoft Copilot with SharePoint in Microsoft 365

As businesses increasingly adopt AI in their daily operations and leverage platforms like Microsoft 365 for employee collaboration and information sharing, ensuring the security of these environments becomes essential.

Furthermore, with the advent of Microsoft Copilot for Microsoft 365 in the modern workplace, which utilizes AI to integrate Large Language Models (LLMs) with your organizational data, and as more businesses are adopting these advanced platforms, proper SharePoint permissions has never been more important.

Here’s a look into the best practices that help you identify and remediate overshared content in SharePoint.

The Evolution and Importance of Microsoft Copilot in Business Operations

Microsoft Copilot for Microsoft 365 provides value by connecting LLMs to your organizational data. It accesses content through Microsoft Graph, generating responses based on documents stored in SharePoint and OneDrive, in addition to emails, calendars, chats, meetings, and contacts. To ensure that Copilot only surfaces data users are permitted to see, it's essential to use the right permission models in SharePoint.

Reflecting on the evolution of office assistants, from the iconic Office Clippy to today's Microsoft 365 Copilot, it's clear that the landscape has dramatically shifted. Now, with pay-as-you-go pricing from Microsoft, many new customers, including small to medium-sized businesses, are signing up for Microsoft 365 apps and services. One example is a small legal services firm I am currently working with, where we are automating their processes using Microsoft 365 and SharePoint with the Power Platform's AI Builder. This shift shows that not only large corporations, but also smaller businesses have significant needs for efficient, automated solutions to optimize their operations.

These newer smaller and medium-sized businesses often require a tighter level of B2B collaboration than their larger, well-funded corporate counterparts. This is why many organizations are turning to SharePoint, Teams, and OneDrive. Many are joining to use the Microsoft 365 ecosystem and its apps and services to facilitate client information requests and help resolve business-related problems efficiently. The integration of AI and Copilot further extends their capabilities, making it easier for businesses to cross-collaborate, manage their data and work stream effectively.

In an era where AI, such as Microsoft Copilot, is becoming integral to business operations and cross-business collaboration is increasingly common, securing your SharePoint environment has now become more important than ever. With the addition of external guests and the potential for oversharing, using the right permission models in SharePoint and OneDrive, ensuring that Copilot only surfaces data users are permitted to see, protects sensitive information and improves overall data security.?

How SharePoint Permissions Affect Your Users’ Copilot Experience

Organizations have varying levels of maturity when it comes to governing SharePoint data. While some enterprises rigorously monitor permissions and prevent oversharing, others are less stringent. This complexity is further heightened because many enterprises need to share certain data widely within the organization. Often, end users might make choices that inadvertently result in oversharing SharePoint content. For instance, users may not always consider the permissions of the site/library/folder where they're uploading files, potentially saving business-critical content in locations accessible to others, including external users. Additionally, it's common for users to prefer sharing files in SharePoint with large groups rather than individuals, which can lead to oversharing.

Copilot for Microsoft 365 utilizes all the data a user can access, which may include broadly shared files that the user is unaware of. Consequently, users might perceive Copilot for Microsoft 365 as exposing overshared content. To identify and address oversharing in SharePoint, it is important to follow best practices for managing permissions and access.

Before Enabling Copilot for Microsoft 365

Organizations operate at various levels of maturity in governing SharePoint data. Here are some initial steps to consider:

Organizations operate at various levels of maturity in governing SharePoint data. Here are some initial steps to consider:

1. Start by reviewing site-level sharing controls. Educate site admins on using site-level controls to restrict members from sharing broadly. Ensure that site owners are the recipients of access requests and consider hiding broad-scope permissions to reduce accidental misuse. ?This example by Microsoft hides the "Everyone Except External Users" in the People Picker control so that no end user can use it.?
2. Classify inactive sites. Use the Inactive Site Policies in SharePoint Advanced Management to identify and restrict access to or delete inactive sites. This reduces the surface area for potential oversharing.
3. Identify potentially overshared content. Run reports in the SharePoint Admin Center to discover broad sharing activity. Utilize SharePoint Advanced Management’s new data access governance reports to find usage of broad sharing links and take action accordingly. A SharePoint admin can build custom reports by using Microsoft Graph Data Connect for SharePoint or run template reports on:

• Usage of "Everyone Except External Users" in the last 28 days
• Usage of broad org-wide "People in your organization" sharing links in the last 28 days
• Usage of "Anyone" sharing links in the last 28 days

Remediation Actions to Address Oversharing

Once you’ve identified overshared content, take these remediation actions:

1. Configure restricted access control policies for sites with oversharing issues, restrict access to only necessary users. This ensures that only the appropriate group sees the content in the Copilot for Microsoft 365 experience.
2. Use the change history feature for high-profile instances, determine the who, how, and when of the oversharing to understand and address the root cause.
3. Consult with Site Owners to review and adjust permissions on overshared files and folders. Use the upcoming "Site Access Review" feature in SharePoint Advanced Management to facilitate this process.

#TechNote: The site access restriction policy requires Microsoft SharePoint Premium - SharePoint Advanced Management.?

Proactive Measures

To proactively protect against oversharing in your SharePoint environment, it is important to implement a variety of security measures. Here are some key steps:

1. Set restricted access controls: Apply these controls to business-critical sites to prevent unauthorized access. By restricting access to sensitive data, you can safeguard that only authorized users can view and interact with critical information. For more details, visit: https://learn.microsoft.com/en-us/sharepoint/restricted-access-control-policy
2. Block file downloads: Implement policies to block downloads from specific sites or for certain types of content, such as Teams meeting recordings. This helps to prevent the unauthorized distribution of sensitive files. For more information, see: https://learn.microsoft.com/en-us/microsoftteams/block-file-download
3. Apply encryption: Use encryption actions with "extract rights" enforced on sensitive office documents. Encryption ensures that even if data is accessed without authorization, it cannot be read or used without the appropriate decryption rights. Learn more about encryption in SharePoint here: https://learn.microsoft.com/en-us/microsoft-365/compliance/protect-information-with-encryption

Summary

By following these best practices, you can ensure your SharePoint environment remains secure, thereby allowing Microsoft Copilot for Microsoft 365 to provide the most relevant and safe responses to your users. Responsibly managing SharePoint permissions is crucial to harnessing the full potential of AI in your organization, ensuring that only authorized users have access to sensitive data and reducing the risk of data leaks.

Implementing these strategies protects your data and optimizes overall operational efficiency by streamlining data access and collaboration. As AI and collaborative tools become more integral to business operations, maintaining stringent security measures will support smoother, more effective workflows and foster a secure digital workplace.

Editor’s Note: This article was revised on June-23rd 2024 to change the title from “Best Practices for Securing SharePoint with Copilot” to “Best Practices for Integrating Microsoft Copilot with SharePoint in Microsoft 365.”

About the Author: With over two decades of experience as a Microsoft consultant, Sousouni Bajis specializes in solutions architecture and development consultancy. His expertise lies in developing and deploying web-based Microsoft 365 and SharePoint solutions for large-scale enterprise clients. ?