Protect your Microsoft 365 Copilot data with Microsoft 365 security tools


Many organizations have concerns that their users overshare internal or personal information. To address these concerns, Microsoft provides powerful security tools within its Microsoft 365 and Azure ecosystems. These tools help organizations tighten permissions and implement "just enough access." The policies and settings that administrators define in these tools are used not only by Microsoft 365 and Azure to prevent data oversharing, but also by Microsoft 365 Copilot. Administrators should verify their organization's security practices as they relate to permissions, sensitivity labeling, and data access to help prevent potential oversharing of proprietary and sensitive business data.

Microsoft recommends the "just enough access" approach to addressing this situation. In this approach, each user can access only the specific information required for their job. This approach entails tightly controlling permissions so users can't access documents, sites, or data they shouldn't see.

To prevent oversharing, organizations should consider implementing the following best practices:

  • Conduct an access review for sites, documents, emails, and other content. Identify any overexposed assets. Have data owners inventory SharePoint sites, document libraries, email mailboxes, and other data assets. Identify areas where user permissions are broader than required. For example, an "HR Benefits" SharePoint site might be visible to all employees instead of just the HR team.
  • Tighten permissions on overexposed assets so only authorized users have access. Using the example in the previous item, restrict the "HR Benefits" site access to only HR department members. Similarly, limit confidential product roadmap documents to relevant product managers only. To limit exposure, configure external sharing and access expiration on emails and documents.
  • Validate that restricting access doesn't impede any users' ability to do their jobs. Survey and interview users of restricted assets to confirm they still have access to all necessary information for their role. For example, ensure Sales can still access client contact information and project specs even if the company restricted HR data.
  • Test search functionality to confirm users can only access information relevant to their roles. Perform searches on a sampling of documents, sites, and emails as different internal roles. Confirm finance staff can't access HR data. Validate that cross-department teams retain access to shared project resources. Tuning permissions is an iterative process.
  • Implement Microsoft SharePoint Advanced Management tools. As noted in previous training, SharePoint Advanced Management (SAM) includes several tools to help organizations prevent oversharing, including:
    • Data access governance reports. These reports identify sites that contain potentially overshared or sensitive content. These reports also provide insights into the top over-permissioned sites within your organization. When administrators use the Data access governance reports to identify these sites, administrators can take corrective actions to ensure that sensitive data isn't being accessed by unauthorized users. This proactive approach helps organizations maintain a secure data environment and prevent accidental data leaks.
    • Restricted access control for SharePoint and OneDrive. You can prevent sites and content from being discovered at the site level by enabling the Restricted access control for SharePoint sites policy. Site access restriction allows only users in the specified security group or Microsoft 365 group to access content. You can also limit access to shared content of a user's OneDrive to only people in a security group with the Restricted access control for OneDrive policy. Once the policy is enabled, anyone who isn't in the designated security group can't access content in that OneDrive even if it was previously shared with them.
    • Site access review. This tool helps administrators regularly review and manage who has access to specific SharePoint sites. This feature enables IT administrators to delegate the review process of data access governance reports to site owners, who are best positioned to understand the context and necessity of the shared content. This tool is useful for addressing oversharing issues identified in data access governance reports. When a site is flagged for potential oversharing, administrators can initiate a site access review, prompting site owners to verify and manage access permissions.
    • Restricted content discovery. This feature prevents sensitive content from being discovered by unauthorized users by limiting visibility based on user permissions, so that only those with the appropriate access levels can find and view sensitive information. Restricted content discovery is important for maintaining data security and compliance, as it helps to control who can see and interact with confidential data. By limiting content discoverability, this tool helps organizations manage their data more securely and prevent accidental oversharing.
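
The review, tighten, validate, and test steps above can be rehearsed offline against an exported permissions list. The following is an added example, not Microsoft code and not the Data access governance report format: the CSV columns, group names, and the `APPROVED` and `REQUIRED` maps are assumptions built from the scenarios in the list above.

```python
import csv
import io

# Constructed sample export. Column names and groups are assumptions for illustration.
GRANTS_CSV = """site,label,principal
HR Benefits,Confidential,Everyone except external users
HR Benefits,Confidential,HR Team
Product Roadmap,Confidential,Product Managers
Product Roadmap,Confidential,Sales
Client Contacts,General,Sales
Project Apollo,General,Sales
Project Apollo,General,Finance
Company News,General,Everyone except external users
"""
BROAD = {"Everyone", "Everyone except external users"}
SENSITIVE = {"Confidential", "Highly Confidential"}
# Approved audience per sensitive site, and the sites each role needs for its job.
APPROVED = {"HR Benefits": {"HR Team"}, "Product Roadmap": {"Product Managers"}}
REQUIRED = {"Sales": {"Client Contacts", "Project Apollo"}, "Finance": {"Project Apollo"},
            "HR Team": {"HR Benefits"}, "Product Managers": {"Product Roadmap"}}

def load_grants(text):
    return [(r["site"], r["label"], r["principal"]) for r in csv.DictReader(io.StringIO(text))]

def overexposed(grants):
    """Step 1: sensitive sites granted to a broad principal or an unapproved group."""
    findings = {}
    for site, label, principal in grants:
        if label in SENSITIVE and (principal in BROAD or principal not in APPROVED.get(site, set())):
            findings.setdefault(site, []).append(principal)
    return findings

def tighten(grants):
    """Step 2: drop only the excess grants that overexposed() reported."""
    bad = overexposed(grants)
    return [g for g in grants if g[2] not in bad.get(g[0], [])]

def can_access(grants, role, site):
    """Step 4: a role reaches a site through its own group or any broad principal."""
    return any(s == site and (p == role or p in BROAD) for s, _, p in grants)

def validate(grants):
    """Step 3: (role, site) pairs a role needs but can no longer reach; expect none."""
    return [(role, site) for role, sites in REQUIRED.items() for site in sites
            if not can_access(grants, role, site)]

if __name__ == "__main__":
    grants = load_grants(GRANTS_CSV)
    print("overexposed:", overexposed(grants))
    print("lost after tightening:", validate(tighten(grants)))
```

Broad principals on non-sensitive sites such as "Company News" are deliberately not flagged; only the combination of a sensitive label and an unapproved audience counts as overexposure here.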

Microsoft tools for securing data

Microsoft 365, Microsoft 365 Copilot, and connected services all use the policies and settings that administrators define to tighten permissions and implement "just enough access." They do so through plugins and Microsoft Graph connectors to prevent data oversharing. The following list provides a brief summary of some of the tools that administrators can use to define these policies and settings:

  • Microsoft Purview Information Protection. Classify and optionally encrypt documents and emails based on sensitivity. You can create policies to restrict access to only authorized users. For example, you can:

    • Classify documents or emails containing employee salaries as "Highly Confidential" and restrict access only to the HR team.
    • Classify client data as "Confidential" and only allow sales reps assigned to that client to access it.
    • Classify financial reports as "Internal Only" and automatically encrypt them to prevent external sharing.
    • Classify executive communications as "Internal Eyes Only" and restrict access to members of the leadership team.
  • Microsoft Purview sensitivity labels. Classify and label SharePoint sites, documents, and emails with sensitivity tags like "Confidential" or "Internal use only." You can create policies to limit access to assets with specific sensitivity tags. For example, you can:

    • Label employee performance reviews with an "HR Confidential" sensitivity tag and limit access only to HR managers.
    • Label customer data with a "Customer Confidential" tag and configure policies to block downloads, prints, or shares of items with that tag.
    • Label customer data with "Confidential" and configure the label to automatically encrypt files that have it applied.
    • Label accounting spreadsheets "Finance Confidential" and limit access to only finance team members.
  • Microsoft Entra conditional access policies. Grant or restrict access to Microsoft 365 information and services, including SharePoint, based on conditions like user location, device, or network. These policies are useful for limiting access when the system detects risks or user credentials become compromised. For example, you can:

    • Require multifactor authentication to access SharePoint sites containing financial data when connecting remotely.
    • Block external sharing of sites containing internal presentations unless users are connecting through managed devices on the corporate network.
    • Require managed devices to access sites containing proprietary source code.
    • Block access to sites containing press releases before public announcement date.
    • Block access or require step-up authentication with another factor in cases where the system detects impossible travel, which is often an indicator of credential theft.
  • Microsoft Entra Privileged Identity Management (PIM). Provide just-in-time admin access, enforce the principle of least privilege, and limit permanent standing privileges by only granting a user the permissions they need when needed. For example, you can:

    • Grant privileged roles like SharePoint admin or Global admin only for approved business hours to minimize standing access.
    • Require multifactor authentication and justification to activate privileged access to data or apps.
    • Limit privileged access like Billing Administrator to five hours per week maximum.
    • Require approval to activate Microsoft 365 Global Administrator role access.
  • SharePoint Advanced Management (SAM) Site Access Reviews. This SAM tool requires and automates access reviews of site owners, members, and access requests, to revoke permissions that users don't need or no longer require. This tool was examined earlier in this unit as a means of helping organizations prevent data oversharing. It also helps organizations ensure that only authorized users have access to sensitive information, which in turn reduces the risk of data breaches. Site access reviews ensure users only retain the access they need for their role. For example, you can:

    • Automatically revoke permissions to HR or financial systems after 90 days unless reviewed and approved.
    • Require business justification each quarter for external user accounts to validate ongoing need for access.
    • Require quarterly reviews of user access and remove access for departed employees.
    • Enforce policy time limits on external user access for collaboration sites.
  • Microsoft Graph connectors and plugins. Limit access to connected external data using Microsoft Graph connectors or plugins. For example, you can:

    • Define the access scope that users and groups require to access connected data providers.
    • Require user account-based service authentication for connected services and data used with Microsoft 365 Copilot plugins.
    • Limit extended search capabilities to external content indexed through Graph connectors to only users who should have access.

Using combinations of these tools to tighten access and implement least privilege allows organizations to limit exposure of sensitive data and prevent oversharing to keep sensitive information secure. These tools are powerful mechanisms for enabling "just enough access." By ensuring each employee has just enough access to get their work done without excessive privileges, you can also keep Microsoft 365 Copilot focused only on appropriate data needed for helpful recommendations.

Additional reading. For more information on securing your data and user devices, see the following training offerings:

Knowledge check

Choose the best response for the following question.

Check your knowledge

1. Holly Dickson is the Microsoft 365 administrator for Contoso. Holly is preparing for Contoso's launch of Microsoft 365 Copilot. As such, Holly is reviewing the company's existing policies and settings to prevent data oversharing in Microsoft 365 Copilot. Holly wants to provide just-in-time administrator access and enforce the principle of least privilege by only granting users the permissions they need when needed. Which security tool should Holly review that provides these security features?