Copilot for Microsoft 365: Governance & Security considerations
Microsoft Copilot for Microsoft 365 is a powerful AI tool that can help you create and edit content across various Microsoft 365 apps, such as Word, PowerPoint, Teams, and Outlook. It uses large language models (LLMs) to generate natural language responses based on your prompts, context, and organizational data. However, before you start using Copilot for Microsoft 365, you need to be aware of some governance and security considerations that can affect your data privacy, compliance, and protection.
Data privacy
Microsoft Copilot for Microsoft 365 is compliant with existing privacy and compliance commitments to Microsoft 365 commercial customers, including the General Data Protection Regulation (GDPR) and European Union (EU) Data Boundary. Prompts, responses, and data accessed through Microsoft Graph are not used to train foundation LLMs, including those used by Copilot for Microsoft 365. However, you should still review your data privacy policies and practices to ensure that you are comfortable with how Copilot for Microsoft 365 accesses and uses your organizational data.
Copilot for Microsoft 365 accesses content and context through Microsoft Graph, which includes user documents, emails, calendar, chats, meetings, and contacts that you have permission to access. It can generate responses anchored in your organizational data or public web content. You can control whether Copilot for Microsoft 365 can use public web content in its responses by using the Allow public web content setting in the Microsoft 365 admin center. You can also use Microsoft Purview to discover, classify, and protect sensitive data across your organization and apply data governance policies to Copilot for Microsoft 365.
Data security
Microsoft Copilot for Microsoft 365 protects your organizational data by ensuring that it always remains within your tenant and is not shared with external parties. It also respects the existing permissions and policies that you have configured in your Microsoft 365 environment. This means that Copilot for Microsoft 365 can only access data for which the user has at least view permissions. However, this also means that you need to be careful about how you grant permissions to your users and how you manage access to sensitive data.
Overly broad permissions can pose a security risk if Copilot for Microsoft 365 surfaces potentially confidential documents that users have access to but were previously unaware of, such as documents stored in overly permissive OneDrive folders or SharePoint sites. To prevent this, you should review your permissions settings and ensure that they follow the principle of least privilege. You should also use tools such as Entra ID Privileged Identity Management (PIM) and Entra Conditional Access to enforce granular and dynamic access controls.
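One way to start the permissions review described above, as an added example that is not part of the original article: a Python sketch that scans an exported list of file permissions and flags grants with a wide audience as review candidates. It assumes the export follows the shape of Microsoft Graph `permission` resources; the sample items, the `sensitivity` field, and the list of broad principals are constructed for illustration.

```python
# Added example. Permission dicts follow the shape of Microsoft Graph
# "permission" resources; every name and id below is constructed sample data.
BROAD_LINK_SCOPES = {"anonymous", "organization"}
# Assumption: principals this tenant treats as "everyone"; adjust locally.
BROAD_PRINCIPALS = {"Everyone", "Everyone except external users"}

SAMPLE_ITEMS = [  # "sensitivity" is a hypothetical field standing in for a label
    {"name": "lunch-menu.docx", "sensitivity": None, "permissions": [
        {"id": "p1", "roles": ["read"],
         "link": {"scope": "anonymous", "type": "view"}}]},
    {"name": "Q3-board-deck.pptx", "sensitivity": "Confidential", "permissions": [
        {"id": "p2", "roles": ["read"], "grantedToV2": {
            "siteGroup": {"displayName": "Everyone except external users"}}},
        {"id": "p3", "roles": ["owner"],
         "grantedToV2": {"user": {"displayName": "A. Owner"}}}]},
    {"name": "team-notes.docx", "sensitivity": None, "permissions": [
        {"id": "p4", "roles": ["write"],
         "link": {"scope": "users", "type": "edit"},
         "grantedToIdentitiesV2": [{"user": {"displayName": "B. Peer"}}]}]},
]

def broad_grants(item):
    """Return (permission id, reason) for each grant with a wide audience."""
    findings = []
    for perm in item.get("permissions", []):
        scope = (perm.get("link") or {}).get("scope")
        if scope in BROAD_LINK_SCOPES:
            findings.append((perm["id"], f"sharing link scope={scope}"))
            continue
        grantees = [perm.get("grantedToV2")]
        grantees += perm.get("grantedToIdentitiesV2") or []
        for grantee in filter(None, grantees):
            for kind in ("group", "siteGroup", "siteUser"):
                name = (grantee.get(kind) or {}).get("displayName")
                if name in BROAD_PRINCIPALS:
                    findings.append((perm["id"], f"granted to {name}"))
    return findings

def review(items):
    """List items with broad grants, labelled (sensitive) items first."""
    report = [{"name": i["name"], "sensitivity": i.get("sensitivity"),
               "findings": broad_grants(i)} for i in items]
    report = [r for r in report if r["findings"]]
    report.sort(key=lambda r: r["sensitivity"] is None)  # stable sort
    return report

if __name__ == "__main__":
    for row in review(SAMPLE_ITEMS):
        print(row["name"], row["sensitivity"], row["findings"])
```

Items that carry a sensitivity label and a broad grant sort to the top, which is where a least-privilege cleanup would begin.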
Data compliance
Microsoft Copilot for Microsoft 365 meets regulatory compliance requirements by adhering to the existing compliance boundary of your Microsoft 365 tenant. This means that it respects the data residency commitments that you have made with your customers and regulators. For example, if you have opted into the EU Data Boundary for the Microsoft Cloud, Copilot for Microsoft 365 will only process your data within the EU. However, you should still verify that the use of Copilot for Microsoft 365 aligns with your industry-specific or regional compliance obligations.
Some compliance regulations may require you to audit or monitor the activities of Copilot for Microsoft 365. For example, you may need to track who used Copilot for Microsoft 365, when they used it, what prompts they entered, and what responses they received. To do this, you can use the Audit log search feature in the Microsoft 365 compliance center or the Office 365 Management Activity API. You can also use the Content explorer feature in the Microsoft 365 compliance center to view the content that Copilot for Microsoft 365 has created or modified.
Conclusion
Microsoft Copilot for Microsoft 365 is a game-changing AI tool that can boost your productivity and efficiency within M365 applications. However, before you deploy it in your organization, you need to consider some governance and security aspects that can affect your data privacy, security, and compliance. Let’s discuss how my team of Microsoft 365 Advisors at Thrive can help you on this journey.
Very informative #i #trust #you #in #my #selfmade #programs