What about Governance in Copilot?

We're back on Copilot Your Day with a special guest! We've heard about the importance of technical readiness and seen some specific use cases in Copilot for M365. You have become a prompting pro! So guess what's also important? Governance! Today we are going to take a closer look at governance with Copilot.

For the first time ever, I've invited a guest author for today's episode. Who better to provide insights than my dearest colleague and fellow Microsoft MVP Ragnar Heil from Rencore . Let's discover Ragnar's insights and the possibilities with Rencore. And at the very end we get a gift from Microsoft MVP Patrick Feninger ??.

???????????? Guest-Blog starts here ????????????

The relevance of Governance

Many customers are already looking forward to the introduction of Copilot, in whatever form it takes. However, in order to maximise the benefits of Copilot, it is important to consider the governance aspects. Copilot can leave scorched earth behind too quickly or drive a Copilot project to the wall. This is exactly what we want to avoid.

What is Microsoft 365 Governance?

M365 governance is a set of processes and structures used to manage and control an M365 tenant. In the context of Copilot for Microsoft 365, this means that organisations need to establish policies and automated procedures to control the use of Copilot and ensure that it meets the organisation's compliance requirements and security standards.

Why is governance important for Copilot and how can it be implemented?

Copilot has access to a wide range of data and information, including sensitive company data, thanks to the Microsoft Graph API and its Copilot extensions. It is therefore important that companies regulate the following aspects:

Data security through policies

?Organisations need to ensure that the data used by Copilot is protected from unauthorised access, loss or damage. Copilot uses existing and already assigned permission structures, for example in SharePoint, OneDrive or Microsoft Teams. However, no matter how well-designed your permissions are, they will be broken the moment your users press the popular 'Share' button. Have you ever found documents in Delve that should not be seen? This is the litmus test.

A simple example: Adele Vance creates sensitive documents about salary increases and reorganisations in a private 'Payroll HR' team with very few members.

Then, through ignorance or sabotage, these documents are shared in a public team with a large number of members who can instantly access the documents - simply by 'copying and pasting' the document URL.

How 3rd Party Tools like Rencore Copilot Dashboard can support you

The Rencore Government Copilot Dashboard can help by listing these sensitive documents.

The "SharePoint files shared with everyone in the tenant" report (above right) is built as follows in the Report Builder and reads SharePoint file sharing (of course it also works at the OneDrive level. Teams uses both):

It is important to highlight that we do not want to stop at dashboards and reports. Automated processes take the work out of our hands and help us not to forget about security and compliance-related tasks. As a firm believer in change management, I first recommend proactive communication with users to show them the best practices around Governance & Copilot and inform them that they are not yet doing it perfectly. This can also be done to an entire team via a message in the Microsoft Teams channel. Only if the users do not show any change in behaviour is it advisable to stop sharing automatically. All 3 activities can be automated as follows when a threshold is reached in the reports

Improve compliance with privacy labels

Organisations need to ensure that the use of Copilot meets all relevant compliance requirements, such as the General Data Protection Regulation (GDPR), and the Microsoft Purview portfolio of applications is central to this, especially the Data Loss Prevention (DLP) tools with manual and automatic sensitivity labelling. The use of access control lists (access checks in Entra ID Identity Governance or third party providers) helps to regularly correct access permissions and members in SharePoint, Teams and M365 groups. It's better to do this quickly and easily once a month than once a year. Your compliance and security team, and most importantly your users, will thank you.

Cost transparency & control

Copilot comes with a price tag that is often considered not too low. This is where M365 governance solutions can help to control exactly which users are not using Copilot, or which users with licences are 'disabled'. The action after these measurements is clear: offer Copilot training or "Copilot training snacks" such as Pascal Brunner's newsletter to whet the appetite, and don't be afraid to calculate the ROI. Each department will find its own use cases and specific benefits.

The interaction between dashboards, (compliance) reports, Copilot subscription inventory and automation can be visually summarised as follows:

A free demo of Rencore Governance can be activated in 2 minutes here, filled with data as a sandbox: https://rencore.com/de/get-started

???????????? End of Guest-Blog ????????????

Ragnar Heil, M365 Apps & Services MVP and Global Director Partners and Alliances, email: [email protected]. His Copilot blog posts can be found here:

Personal Thoughts

It's me again, Pascal ?? - Thanks Ragnar Heil for your insights, much appreciated! It's definitely worth following Ragnar on LinkedIn.

Of course, topics like governance have been relevant for many years and not only for Copilot. I often have the discussion with customers: "Well, this is not directly related to Copilot, e.g. sensitivity labelling. So why should we do it now?" - Yes, that's true! But it comes up again. We have all known for years how important permission policies are, or that sensitivity labelling has a great use case, even to support employees. The difference today is that access to information has become easier by 'just' formulating your needs.

Copilot just brings it back to the surface. And it's important to talk about it, even if you decide to use labels or not, it has to be a clear decision. But there is a clear recommendation.

Tools like SharePoint Premium and/or Rencore can help you and your organisation in your daily work. But the real challenge often isn't tool based.

Find all relevant information about SharePoint Premium here

How to make an internal pitch for your Copilot project

Patrick Feninger , Microsoft MVP, gives you the answer with a self-made pitch deck. Please check out his post where you can easily download the slidedeck. I really appreciate the work that Patrick does for the community. His designs are always on point and the contributions he makes are of great value. Thank you Patrick!

Lifehack: Never forget to turnon your transcript

Who forgot to turn on the transcript? ?? Yep, that's me! ?? Check out the following lifehack ??

Wait a minute. Wasn't Viva such an important topic a few months ago?

Indeed! And next week we are going to discover how Viva can help you to drive your Copilot initiatives. As a Viva Explorers I really looking forward to share my thoughts about it in the next week. Stay tuned and see you next Tuesday! ??

As always, let me know if you're interested in any of the Copilot topics and drop me a DM.

Thank you for being part of this amazing journey! ?? I am a Microsoft MVP in M365 Apps & Services and a LinkedIn Top Voice. Follow me and get all the relevant information about Microsoft 365, Copilot and Microsoft Viva. I also share my personal thoughts on Connecting The Dots between personal and business life.