Since the announcement of Microsoft Copilot, the number one question I’ve gotten from security teams wanting to adopt it is how to secure their environment to protect against their users accessing things that they shouldn’t.
Copilot and data access
First things first – Copilot doesn’t grant access to any more than what your users can currently access today.
This means that if Anna from accounts can’t access HR data today, Copilot won’t grant her access to that data.
If your org has spent the time to ensure permissions are set correctly on SharePoint sites and has rolled out automatic (or manual) labelling of content too, there’s nothing to be concerned about here.
If, however you’ve been operating more of a “Security by Obscurity” model, there could be a bit of work involved to ensure users can’t query Copilot about documents and data that they shouldn’t have access to.
How Do I Know What Users Have Access To Today?
Your main focus should be checking Active SharePoint sites to see who the owners and members of those sites are.
You’re probably thinking “hang on a sec Craig, how am I meant to know who should have access to a SharePoint site?”. Unless you’re across this in your org, your best friend is going to be the Access Review tool in Azure AD.
Access reviews allow you to ask the owner(s) of an M365 Group to review its members and then remove any that shouldn’t have access.
To conduct an access review:
- Sign in to portal.azure.com
- Browse to Identity Governance > Access Reviews
- Click New Access Review and select Teams + Groups
- Select at least one group you wish to run the access review on (I’m running mine on the IT Service Desk group.
- Set the scope to All Users and click Next
On the Reviews page:
- Select whether you want the review to be multi-staged, or not.
- Select the Reviewers that will review the access request – typically this would be the Group Owners
- Set the duration of the review and start date, and click Next
On the Settings page:
- Decide if you want to automatically apply what the reviewer applies to each user (i.e – remove a user if the reviewer says so), and what happens if the reviewer doesn’t respond.
- Decide if you want to enable the helpers, and advanced settings, then click Next
On the Review page, give the review a name, and click Create
Now you’ll need to give your group owners time to run through each review you’ve sent them. You can keep track of each review within the Access Reviews page under Identity Governance in Azure.
Once the access review is complete, if you enabled Auto Apply, any changes the reviewer made to the team will be automatically carried out. If not, you’ll need to review those changes within the portal and approve them yourself.
What About Users Who Have Been Directly Added to SharePoint Sites?
While access reviews can help you with M365 Groups, you’re going to need to check each SharePoint site in your environment for users who have been directly added.
The Easiest way of doing this would be via the SharePoint Admin Center > Sites > Active Sites
Open the properties of each site by clicking its name, and then check the members list under Membership
How about Sensitivity Labels?
Labels are a way of classifying documents based on their content, to ensure only the right audience has access to the document content.
There’s two methods to deploying labels within M365 – manual labelling and automatic labelling.
This is where the end user manually selects the label to apply to each document. The decision firmly rests with the end user to ensure the document is correctly labelled.
As the name suggests, automatic labelling is where M365 automatically applies the correct label based on the contents of the document. For example, the document contains an internal product code project name, and therefore gets automatically labelled as internal only.
Labelling and permissions
It’s important to note that a label by itself wont do anything, unless you’ve configured it to do a specific thing – such as encrypt the file and only allow access to certain users/groups.
Ensure you check your label settings to ensure that they meet your requirements.
Checking your SharePoint Sites
If you use sensitivity labels within your environment, you can check to see which content has what specific label assigned to it.
To do this, open the SharePoint admin center > Reports > Data Access Governance tab, and click Add Report
Go ahead and run each report shown in the list for each Sensitivity label you have configured in your environment.
Depending upon your environment, these reports may take a while to run. Once finished though, each report produces an excel spreadsheet with file, site and label information for you to review.
How can I exclude a certain SharePoint site from Copilot?
You can exclude a SharePoint site from Copilot by opening the site as a Site Admin (add yourself under Memberships if you aren’t already a site admin), then:
- Click the Settings gear cog in the top right and click Site Settings > Search and offline availability
- Check No under Allow this site to appear in search results
Note that doing so will also remove the site from SharePoint search results as well as Copilot indexing.
Anything else to consider?
Most importantly, enable the tool when you’re given access to it, and have a play!