Microsoft Search & Copilot for Microsoft 365 support for Sensitivity Labels, Data Loss Prevention Policies and Restricted SharePoint sites with SAM
Mahmoud Hassan
Microsoft MVP | Empower enterprises to thrive with Microsoft Copilot & Modern Workplace AI solutions
Over the past few weeks I have been experimenting with how Microsoft Search and Copilot for Microsoft 365 work with Sensitivity Labels, Data Loss Prevention, and Restrict SharePoint site access with SharePoint Advanced Management. In this article I will share the final results of my tests and validation, along with some intriguing findings I discovered along the way.
Before we start, I need to review some key points with you.
Important Notes:
- The Sensitivity Labels used here are labels that apply encryption and assign permissions to control who can access the labeled files.
- Sensitivity Labels can generally limit access to SharePoint files, but they cannot grant more access. This means that if you have access through the SharePoint site but not the sensitivity label permissions, you cannot access the file. Likewise, if you have access through the sensitivity label permissions but not the SharePoint site, you still cannot access the file, because you will be blocked at the container level (the SharePoint site).
- The Data Loss Prevention policies used here are policies with the “Restrict access or encrypt the content in Microsoft 365 locations, Block everyone” action.
Now let's examine this more closely!
Microsoft Search
The Microsoft Search use cases below are based on my testing only; there is no official documentation from Microsoft about them (at least I couldn't find any!). So if you have a different opinion or experience with them, please share it in the comments below until we get something official from Microsoft.
Microsoft Search support for Sensitivity Labels
Based on many tests, I can conclude that Microsoft Search supports sensitivity labels to some extent, with some considerations about indexing speed and a constraint around supporting the Rights Management owner (the person who applies the label). The current support considerations are listed below.
Important Notes:
- Microsoft Search respects the sensitivity label permissions (it trims results based on them), but there is a delay before this takes effect. It seems that, for performance reasons, a specific timer job runs periodically to apply this, and it is not part of the normal indexing pipeline. Based on my testing, it took about 3-4 hours on CDX tenants.
- The person applying the encryption is the Rights Management owner. This special role automatically includes all the sensitivity label usage rights. Microsoft Search currently does not respect this, and it trims results for this person when they are not part of the label's permission assignments.
Microsoft Search support for Data Loss Prevention Policies
For performance reasons Microsoft Search doesn't post-process policies, and for this reason (based on my testing!) data loss prevention policies are not currently supported by Microsoft Search.
Microsoft Search support for Restrict SharePoint site access with SharePoint Advanced Management
For performance reasons Microsoft Search doesn't post-process policies, and for this reason (based on my testing!) Restrict SharePoint site access with SharePoint Advanced Management is not currently supported by Microsoft Search.
Copilot for Microsoft 365
On the other side, all the Copilot for Microsoft 365 use cases are already documented by Microsoft. So, if you have a different experience with them, you can just open a support ticket with the Microsoft support team.
Copilot for Microsoft 365 support for Sensitivity Labels
Copilot for Microsoft 365 fully supports sensitivity labels. You only get a file as a result if you have at least view permission based on the sensitivity label permissions (combined with SharePoint permissions). And if you don't have the EXTRACT usage right, you might get the file as part of the Copilot response, but Copilot will not examine the file content or take anything from it to add to the response.
Important Note:
From my testing, it seems that Copilot for Microsoft 365 relies on the Microsoft Search index to recognize the labels assigned to files. This means there is a small lag between changing a label on a file and Copilot honoring the new label, until the file gets reindexed and the label assignments get updated (under normal load: a couple of minutes). Consequently, if Microsoft Search in your tenant has some indexing lag on a given day, this could also affect Copilot's ability to enforce the label permissions.
Copilot for Microsoft 365 support for Data Loss Prevention Policies
Copilot for Microsoft 365 fully supports Data Loss Prevention Policies. This means that if a file falls under a Data Loss Prevention policy that has the action “Restrict access or encrypt the content in Microsoft 365 locations, Block everyone”, only the owner, the last editor, and the site admin can access the file through SharePoint & Copilot for Microsoft 365. The enforcement of the Copilot DLP Policies happens within a few seconds after the policy is applied to the file.
Copilot for Microsoft 365 support for Restrict SharePoint site access with SharePoint Advanced Management
Copilot for Microsoft 365 fully supports restricting SharePoint site access with SharePoint Advanced Management. I haven't tried this myself, but Microsoft clearly documented the support.
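To reproduce the three controls tested in this article in a lab tenant, the following is an added example (not from the article) that provisions an encrypting sensitivity label with a VIEW-only and a VIEW+EXTRACT assignee, a DLP rule with the "Block everyone" action, and SharePoint Advanced Management restricted access control on one site. The tenant URLs, user UPNs, sensitive information type and security-group GUID are placeholders.

```powershell
# Constructed lab setup (not from the article). Requires the Security & Compliance
# and SharePoint Online PowerShell modules; all names, UPNs and GUIDs are placeholders.
Connect-IPPSSession
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Sensitivity label that applies encryption and assigns usage rights.
#    Alice gets VIEW and EXTRACT; Bob gets VIEW only, so Copilot may return a file
#    Bob can open but will not pull its content into a response.
New-Label -Name "Confidential-Finance" -DisplayName "Confidential - Finance" `
    -Tooltip "Encrypted; access limited to named users" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "alice@contoso.com:VIEW,EXTRACT;bob@contoso.com:VIEW"

# 2. DLP policy whose rule applies "Restrict access or encrypt the content in
#    Microsoft 365 locations, Block everyone" (BlockAccessScope All). Only the
#    owner, last editor and site admin keep access to matching files.
New-DlpCompliancePolicy -Name "Block-Everyone-CreditCards" `
    -SharePointLocation All -OneDriveLocation All -Mode Enable
New-DlpComplianceRule -Name "Block-Everyone-CreditCards-Rule" `
    -Policy "Block-Everyone-CreditCards" `
    -ContentContainsSensitiveInformation @{Name = "Credit Card Number"; minCount = "1"} `
    -BlockAccess $true -BlockAccessScope All

# 3. SharePoint Advanced Management: restrict site access to one security group
#    (placeholder GUID), independent of the site's own permissions.
$site = "https://contoso.sharepoint.com/sites/Finance"
Set-SPOSite -Identity $site -RestrictedAccessControl $true
Set-SPOSite -Identity $site -RestrictedAccessControlGroups "00000000-0000-0000-0000-000000000000"

# Confirm the DLP rule carries the block-everyone action before running Search/Copilot tests.
Get-DlpComplianceRule -Identity "Block-Everyone-CreditCards-Rule" |
    Format-List Name, BlockAccess, BlockAccessScope
```

When validating Microsoft Search against these settings, allow for the 3-4 hour label trimming delay described above before concluding that a control is not honored.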
Summary
My recent exploration into the support of Microsoft Search and Copilot for Microsoft 365 for Sensitivity Labels, Data Loss Prevention Policies, and Restrict SharePoint site access through SharePoint Advanced Management has provided insightful findings.
Microsoft Search exhibits partial support for Sensitivity Labels, with notable delays in applying permissions and limitations in recognizing the Rights Management owner role. Unfortunately, it does not currently support Data Loss Prevention Policies or Restrict SharePoint site access for performance reasons.
By contrast, Copilot for Microsoft 365 offers comprehensive support for Sensitivity Labels, enforcing access based on view permissions and EXTRACT usage rights, although with a minor potential lag between label changes and recognition. Notably, Copilot fully supports Data Loss Prevention Policies and SharePoint Advanced Management, with quick enforcement of policy actions.
Sharing Is Caring!
Head of Technology M365 @Bleu | Microsoft MVP | Speaker
Sébastien Paulet Rachelle Papillon
Un cocktail d'infos sur Teams, Copilot, M365 en général, Gouvernance, Sécurité | MVP | Solution Engineer @AvePoint | 500 000 vues par an
You can now restrict which SharePoint sites Copilot 365 looks into: https://techcommunity.microsoft.com/t5/copilot-for-microsoft-365/introducing-restricted-sharepoint-search-to-help-you-get-started/ba-p/4071060#:~:text=Restricted%20SharePoint%20Search%20is%20off,%2C%20honoring%20sites'%20existing%20permissions. That also impacts search.
CISSP | CCSP | Helping enterprises successfully implement Data Protection & Compliance solutions at scale
Nice write-up!