Streamlining Copilot Adoption: Reducing Data Oversharing in Microsoft 365

One of the concerns I often discuss with organisations is the fear that Copilot might surface sensitive information it should not have access to, because IT and Compliance teams do not really know who has access to what. The phrase “security through obscurity” is the one we often hear used.

The primary cause of this is the over-permissioning and sharing of files, which is a growing concern for organisations and one of the “blockers” often cited in Copilot Adoption.

The over-sharing problem

The ability to reason over employee data and shared organisational data is one of Microsoft 365 Copilot’s strengths over other Gen AI tools (which need to be fed data). The responses Copilot gives and the content it creates rely on data that the user already has access to across their organisation’s Microsoft 365 environment. And here often lies the problem: an organisation with low levels of data governance and no data classification and labelling, combined with high levels of over-sharing, creates real concerns for IT and Data Compliance teams.

One of the reasons Copilot often has access to data that it “perhaps” shouldn’t have is not a security flaw in Copilot or Microsoft 365, but that files or sites have been shared too widely and have no (or the wrong) privacy and sensitivity settings. Addressing this is no small task, since many organisations will have millions of files and tens of thousands of SharePoint and Teams sites.

Organisations, and even teams within organisations, often operate at various levels of maturity in governing SharePoint data. While some organisations strictly monitor permissions and oversharing of content, others do not. The situation is further complicated because many people, teams and organisations have “legitimate” reasons to share “some” data widely within the organisation. This can mean users in your organisation make choices that result in the oversharing of SharePoint content. For example:

  • Users may save critical files in locations accessible to a wider audience than intended.
  • Users may prefer sharing content with large groups rather than specific individuals.
  • Users might not pay close attention to permissions when uploading files.
  • Users may not understand how to use sensitivity labelling (if enabled) to control access.

Services such as Microsoft SharePoint and Microsoft Copilot for Microsoft 365 utilise all data to which individual users have at least View permissions, which might include broadly shared files that the user is unaware of. As a result, users might see these applications as exposing content that was overshared. Oversharing can lead to sensitive information being exposed to unintended recipients. Users, while well intentioned, might not always grasp the implications of their sharing choices. They might overlook permissions or opt for convenience over security.

As a result, it’s important to use the permission models in SharePoint to ensure the right users or groups have the right access to the right content within your organisation. The following sections describe the key steps that administrators can implement to configure their SharePoint permissions model to help prevent data oversharing.

Dealing with Oversharing

The good news is that Microsoft is adding new features to SharePoint and Purview to make it easier to see, understand and control oversharing across Microsoft 365, with the hope of helping adoption efforts and the wider roll-out of Microsoft 365 Copilot. This includes new Data Security Posture Management (DSPM) and enhancements to Data Loss Prevention policies for Microsoft 365 Copilot, and SharePoint Advanced Management. These can help automate site access reviews at scale and add controls to restrict access to sites if they contain highly sensitive information.

Microsoft have also released blueprint guides for organisations planning or deploying Copilot. These are nicely tailored to those with mainly Microsoft 365 E3 and E5 licences respectively.

These new tools, in my opinion, are going to be vital in helping organisations understand and address oversharing so they feel more confident in their employees adopting AI tools like Microsoft 365 Copilot.

AI is really good at finding information, and it can surface more information than you would have expected. This is why it’s really important to address oversharing. Typically, these issues are a by-product of good collaboration, particularly across Teams, SharePoint sites and OneDrive.

Alex Pozin | Director of Product Marketing | Microsoft

From early 2025, Microsoft will make SharePoint Advanced Management (SAM) available at no extra cost with Microsoft 365 Copilot subscriptions. Outside of this, SharePoint Premium (which includes SAM) will be available at a cost of around $3 per user per month.

New Capabilities in SharePoint Advanced Management

There are also new features in SAM that Microsoft says will provide greater control over access to SharePoint files.

  • New permission state reports (available now) can identify “overshared” SharePoint sites. The site access review feature can then provide an easy way to ask site owners to review and address permissions.
  • Restricted Content Discovery, which should start to roll out this month (December 2024) in public preview, will allow IT admins to prevent Copilot from searching and processing data in specific sites for content and result generation. This does not prevent direct access to the site, meaning that users can still access the content directly as normal. This feature builds on SharePoint Restricted Access Control, released last year, which lets IT admins restrict access to specific sites to “site owners” only, while also preventing Copilot from indexing and summarising files in those sites.

One of the use cases for this is data locations containing information that needs to be contained to a set of people, such as financial reports, M&A planning and other secret material. IT need to be confident that these locations and files will not show up in SharePoint searches and will be well out of the reach of Copilot or other AI tools, essentially making sure that nobody can accidentally or unintentionally become aware of, see or access the content. This is where Restricted Content Discovery comes in: locking down and hiding this information from plain sight and from Copilot’s retrieval augmentation and indexing.
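To show what the two controls above look like when applied in practice, here is an added example (not from the original post, and not Microsoft’s own sample) using the SharePoint Online Management Shell. The admin URL, site URL and group ID are placeholders; the cmdlets (Connect-SPOService, Set-SPOTenant, Set-SPOSite, Get-SPOSite) and the Restricted Content Discovery and Restricted Access Control parameters are the ones documented for SAM, but the exact parameter and property names should be confirmed against the current cmdlet reference for your tenant before you rely on them.

```powershell
# Added example: apply Restricted Content Discovery and Restricted Access Control
# to one sensitive site (e.g. an M&A planning site) with the SharePoint Online
# Management Shell. Not code from the original post; values below are placeholders.

# Placeholder values, replace with your own tenant's details
$AdminUrl   = "https://contoso-admin.sharepoint.com"
$SiteUrl    = "https://contoso.sharepoint.com/sites/MA-Planning"
$OwnerGroup = "00000000-0000-0000-0000-000000000000"   # Entra ID security group object ID (placeholder)

Connect-SPOService -Url $AdminUrl

# 1. Restricted Content Discovery.
#    Anyone who already has permission can still open the site, but its content is
#    removed from org-wide search results and from the index Copilot reasons over.
Set-SPOSite -Identity $SiteUrl -RestrictContentOrgWideSearch $true

# 2. Restricted Access Control (tenant-level switch first, then per site).
#    Only members of the named group can open the site at all; everyone else is
#    denied even if a file or folder was shared too widely, and Copilot cannot
#    return the site's files for them either.
#    For a Microsoft 365 group-connected site the group's own members are used and
#    -AddRestrictedAccessControlGroups is not needed (assumption: non-group site here).
Set-SPOTenant -EnableRestrictedAccessControl $true
Set-SPOSite -Identity $SiteUrl -RestrictedAccessControl $true
Set-SPOSite -Identity $SiteUrl -AddRestrictedAccessControlGroups $OwnerGroup

# 3. Verify that both settings took effect on the site.
#    (Assumption: the returned properties carry the same names as the parameters.)
Get-SPOSite -Identity $SiteUrl |
    Select-Object Url, RestrictContentOrgWideSearch, RestrictedAccessControl
```

The order matters for the second control: the tenant-level switch has to be enabled before the per-site setting is accepted. It is worth running the verification step and keeping its output alongside the site access review, since RCD on its own changes what Copilot and search return but not who can open the site, whereas RAC changes both.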

New Capabilities in Microsoft Purview

Microsoft are also adding new capabilities in Purview. Purview is available standalone or as part of Microsoft 365 E5.


Microsoft Purview is a centralised hub within Microsoft 365 that helps organisations meet regulatory and compliance requirements. It helps organisations manage their compliance obligations, protect sensitive data, and mitigate risks within their Microsoft 365 environment. 

Here, there are new tools to help identify “overshared files” that can be accessed by Copilot. These include oversharing assessments for Microsoft 365 Copilot in the Data Security Posture Management (DSPM) tool, which is now in Public Preview (from December 2024) and can be accessed via the newly revamped Purview portal.

DSPM Portal in Microsoft Purview

The oversharing assessments are designed to highlight data that may present exposure risk by scanning files for sensitive data and identifying data repositories, such as SharePoint and Teams sites, where access permissions appear to be too broad. The tool will also provide recommendations to admins and site owners for ways to mitigate oversharing risk, such as adding sensitivity labels or restricting access from SharePoint.

For example, DSPM can detect and help you deal with controlling ethical behaviour in AI (example from a demo environment shown below). For each recommendation, Microsoft provides a simple step-by-step “wizard” to help IT and Compliance teams add policies.


Microsoft Purview Data Loss Prevention for Microsoft 365 Copilot, also in public preview, enables IT and security admins to create data loss prevention (DLP) policies that exclude certain documents from being processed by Copilot based on the file’s or site’s sensitivity label. This applies to files held in SharePoint and OneDrive, but it can be configured at other levels, such as group, site and user, to provide more flexibility around who can access what.

Insider Risk Management has also been updated to detect “risky AI usage.” This even includes user prompts that contain sensitive information and attempts by users to access unauthorised sensitive information. What’s key to note here is that this feature is not limited to Microsoft 365 Copilot and also covers Copilot Studio and ChatGPT Enterprise.

Oversharing Blueprints

I really like this. Microsoft’s new blueprint resource pages on Microsoft Learn provide recommended approaches and guidance for organisations to help them understand, mitigate and manage oversharing during what they define as the three main stages of Microsoft 365 Copilot deployment.

  • Pilot [Pilot]
  • Wider Deployment [Deploy at Scale]
  • Organisational Rollout [Operate]

Microsoft provide two blueprint designs: a “foundational path” and what they call an “optimised path”, which uses some of the more advanced Microsoft 365 data security and governance tools found in Microsoft 365 E5 subscriptions.

Is there funding available to help?

It depends – but most likely!

Microsoft have a Cyber Security Investment Program open to select/specialist partners like Cisilion. This provides funded workshops, assessments and proof-of-value deployments across key security workloads, including Microsoft Purview, as well as structured Copilot pilot deployments, vision and value

Organisations should speak to their Microsoft Solutions Partner for more information. You can contact Cisilion here should you need to.

Conclusion

In many of the discussions I and my team at Cisilion have with customers, we see that almost all of the organisations we work with still have concerns over data governance in the realm of AI access. Of these, most expect Microsoft to help them address these concerns, whilst some have already invested in third-party tools to help them get a “grip” on their data and sharing.

We have seen a plethora of customers invest/upgrade to high-tier Microsoft 365 plans (including E5 Security and Compliance) or full Microsoft 365 E5 in order to gain access to Microsoft Purview. Some argue these tools should be provided as part of their Copilot investment, so it is great to see Microsoft meeting customers in the middle and at least providing some of these tools as part of this license investment.

The issue is not Copilot per se, but that Copilot, with its ability to access company data, is causing more organisations to double down and look at the existing issues they have: too many SharePoint sites, too much oversharing, orphaned data (data with no owner) and inadequate data classification and labelling.

By addressing security and data governance and leveraging the new tools available, this should at least solve one of the blockers to AI adoption.

The second is Adoption and Change Management – more on that in the next blog post!
