Copilot for Microsoft 365 Data Ready – Where the “Everyone except external users” group is more risky than “People in your organization” links!
Mahmoud Hassan
Microsoft MVP | Empower enterprises to thrive with Microsoft Copilot & Modern Workplace AI solutions
Just Enough Access is a security principle that ensures users have access only to the information they need to perform their tasks and nothing more. In practice, Just Enough Access helps to prevent oversharing and overprivileged access by enforcing the correct permissions on files, folders, Teams, etc. It is a way to maintain a strong security posture while allowing Microsoft 365 Copilot to interact with your organization’s data through the Microsoft Graph, generating personalized experiences with related context. This ensures that Copilot generates responses based only on information that users explicitly have permission to access, respecting user-specific permissions.
One of the current topics we discuss in getting data ready for Copilot for Microsoft 365 is the “People in your organization” or “Anyone” links and how they pose a risk of oversharing that needs to be managed and controlled. The reality, however, is that the “Everyone except external users” group is much more dangerous, and this is what I will attempt to clarify today.
When will SharePoint data be added to the Semantic Index for Copilot? And what is the risk of the “Everyone except external users” group?
Semantic Index for Copilot will include the text-based SharePoint Online files that are shared with two or more people in your organization through site inheritance (I believe this means that you have to add people directly to the site, not with a sharing link).
This means that all text-based SharePoint Online files in every site where the “Everyone except external users” group has been granted access will be added to the Semantic Index, and they will be available to everyone by default. This is definitely too dangerous!
One of the best practices Microsoft shared with us is to hide the "Everyone Except External Users" group from the people picker, but I don't 100% agree with it. We might need this group to grant access to everyone for some sites, such as public intranet sites for the whole organization. I think we should teach our users how to use it instead of hiding it.
SharePoint Advanced Management’s new data access governance reports can help here, with the new EEEU (Everyone except external users) report. With the EEEU report, you can view the list of all sites that were shared with the EEEU group. This report can be run for OneDrive and SharePoint sites.
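As an added example that is not part of the original article, the following SharePoint Online Management Shell script enumerates every site collection in the tenant and reports those whose user list contains the “Everyone except external users” claim. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that you hold the SharePoint Administrator role, and that the tenant admin URL is a placeholder you replace with your own.

```powershell
# Added example (not from the article). Finds site collections where the
# "Everyone except external users" (EEEU) claim has been granted access.
# Assumes the SharePoint Online Management Shell module and a SharePoint
# Administrator account. "contoso" is a placeholder tenant name.
Import-Module Microsoft.Online.SharePoint.PowerShell

$adminUrl = "https://contoso-admin.sharepoint.com"   # placeholder tenant
Connect-SPOService -Url $adminUrl

# The EEEU claim login name always starts with this prefix; the suffix is the
# tenant id, so a prefix match is enough.
$eeeuPrefix = "c:0-.f|rolemanager|spo-grid-all-users/"

$findings = foreach ($site in Get-SPOSite -Limit All) {
    try {
        # The site collection user list records every principal that was
        # granted access anywhere in the site, including SharePoint groups
        # and special claims such as EEEU.
        $users = Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop
    } catch {
        Write-Warning "Could not enumerate $($site.Url): $($_.Exception.Message)"
        continue
    }

    $eeeu = $users | Where-Object { $_.LoginName -like "$eeeuPrefix*" }
    if ($eeeu) {
        [pscustomobject]@{
            Url         = $site.Url
            Title       = $site.Title
            Template    = $site.Template
            EEEUEntries = ($eeeu | ForEach-Object { $_.DisplayName }) -join "; "
        }
    }
}

# Review the list: a public intranet site is expected here, a finance or HR
# site is not. Export for the site owners to confirm the grant is intentional.
$findings | Sort-Object Url | Export-Csv -Path ".\eeeu-sites.csv" -NoTypeInformation
$findings | Format-Table -AutoSize

# The tenant-wide option Microsoft recommends (hiding EEEU from the people
# picker) is the following; the article argues for user education instead,
# so it is left commented out here.
# Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $false
```

The user list only shows that EEEU was granted somewhere in the site collection, not at which list, folder or item; the SharePoint Advanced Management EEEU report mentioned above is the place to get that detail.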
People in your organization links
Now to the “People in your organization” links. You could think they are also a huge risk, since all the files shared with such a link will also be available to everyone, correct? But this is not the truth!
Creating a "People in your organization" link doesn't make the associated file or folder appear in search results, be accessible via Copilot, or grant access to everyone within the organization. For individuals to access the file or folder, they must possess the link and it needs to be activated through redemption. A user can redeem the link by clicking on it, or in some instances the link can be automatically redeemed when it is sent to someone via email, chat, or other communication methods. Even in this case, only the user who redeemed the link will have access to the file, and the file will be added only to their user-level Semantic Index.
For sure there is still a risk of someone sharing the link with another person who is not authorized to view the content, and this means that we still need to govern these types of links.
Again, SharePoint Advanced Management’s “Sharing links” reports can help here. The Sharing links reports help you identify potential oversharing by showing the sites where users created the most new sharing links (“Anyone”, “People in the organization” and “Specific people”).
Specific people links
Just recently Microsoft shared with us some updates regarding the handling of “Specific people” links with regard to Copilot for Microsoft 365, and interestingly it is different from the “People in your organization” links.
Unlike other links, "Specific people" links make the associated file or folder appear in search results and accessible via Copilot for all users and security group members added to the sharing link. Of course, only people in your organization can access the file with this link from Copilot. External people can't use their Copilot to access it, unless the file is shared in a Microsoft Teams shared channel.
You can also find and govern those links using SharePoint Advanced Management’s “Sharing links” reports.
Summary
The Just Enough Access principle is crucial for maintaining security by ensuring users only access necessary information. This is especially important with Copilot for Microsoft 365, which relies on user-specific permissions to generate contextually relevant responses. Managing permissions, particularly the “Everyone except external users” group, is essential to prevent oversharing. Tools like SharePoint Advanced Management’s reports help monitor and control access effectively. By educating users and using these tools, organizations can balance accessibility and security, maximizing the benefits of Copilot for Microsoft 365 while protecting their data.
Sharing Is Caring!
CEO & Janitor @ Orchestry | Microsoft 365 Governance, Adoption and Automation for Copilot readiness
5 months ago: Awesome article. Well done!