# Security for Microsoft Copilot
Microsoft 365 Copilot inherits the security model of Microsoft 365, but AI amplifies both the benefits and risks of your existing data governance posture. Pre-deployment security preparation is critical.
## Security Architecture
M365 Copilot's security relies on several layers:
- Entra ID authentication: All Copilot interactions are authenticated through Microsoft Entra ID
- Microsoft Graph permissions: Copilot can only access data the user already has permission to access
- Azure OpenAI boundary: Prompts, retrieved content and responses are processed within the Microsoft 365 service boundary for your tenant and are not used to train the foundation models
- Sensitivity labels: Microsoft Purview sensitivity labels are respected by Copilot
- DLP policies: Existing Microsoft Purview DLP policies apply to Copilot interactions
The oversharing problem: Copilot makes data access problems visible. If a user has access to an HR document they should not see because SharePoint permissions are too broad, Copilot will surface that document in responses. Audit and fix permissions before deploying Copilot.
## Pre-Deployment Security Checklist
| Task | Priority | Details |
|---|---|---|
| SharePoint permissions audit | Critical | Review site and document permissions; remove "Everyone" and "Everyone except external users" sharing |
| Sensitivity labels | High | Deploy Microsoft Purview sensitivity labels for confidential and restricted content |
| DLP policies | High | Configure DLP policies to prevent sensitive data exposure through Copilot |
| Conditional access | Medium | Configure conditional access policies for Copilot-enabled users |
| Information barriers | Medium | Implement information barriers for regulated industries |
| Retention policies | Medium | Define retention for Copilot interaction logs and generated content |
## Compliance Considerations
- Data residency: M365 Copilot processes data within your tenant's geographic region
- eDiscovery: Copilot interactions are captured and searchable through Microsoft Purview eDiscovery
- Audit logging: All Copilot activities are logged in the Microsoft 365 unified audit log
- Regulatory compliance: Copilot supports compliance with GDPR, HIPAA, SOC 2, and other frameworks
## Microsoft Purview for Copilot
Microsoft Purview provides the governance backbone for Copilot security:
- Sensitivity labels: Classify and protect documents; Copilot respects these labels
- Data Loss Prevention: Prevent sensitive information from being shared through Copilot
- Information Protection: Encryption and access controls that persist across Copilot interactions
- Insider Risk Management: Detect risky user behavior patterns, including unusual or excessive Copilot usage
Start with SharePoint: The single most impactful security action before Copilot deployment is auditing SharePoint Online permissions. Use SharePoint Advanced Management or third-party tools to identify and remediate overshared content.
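As an added example (not the page's own code, and not a Microsoft-provided script), the following PnP PowerShell script walks a site's document libraries and reports every item whose unique permissions grant access to the "Everyone" or "Everyone except external users" groups, the two principals the checklist above tells you to remove. The site URL, page size and output path are assumptions.

```powershell
# Added example, not from the original page: list items in a site's document libraries
# whose unique permissions grant access to "Everyone" or "Everyone except external users".
# Assumes the PnP.PowerShell module is installed; the site URL is a placeholder.
param(
    [Parameter(Mandatory)] [string] $SiteUrl   # e.g. https://contoso.sharepoint.com/sites/hr (placeholder)
)

Import-Module PnP.PowerShell
Connect-PnPOnline -Url $SiteUrl -Interactive

# Login-name claims of the two broad built-in groups (the second ends in the tenant id,
# so it is matched by prefix).
$broadClaims = @(
    'c:0(.s|true',                            # Everyone
    'c:0-.f|rolemanager|spo-grid-all-users/'  # Everyone except external users
)

function Test-BroadPrincipal {
    param([string] $LoginName)
    foreach ($claim in $broadClaims) {
        if ($LoginName.StartsWith($claim)) { return $true }
    }
    return $false
}

$findings = @()
# BaseTemplate 101 = document library; skip hidden system lists.
$libraries = Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }
foreach ($lib in $libraries) {
    $items = Get-PnPListItem -List $lib -PageSize 500 -Fields 'FileRef'
    foreach ($item in $items) {
        # Items that inherit permissions cannot differ from their library; skip them.
        if (-not (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments)) { continue }
        foreach ($ra in (Get-PnPProperty -ClientObject $item -Property RoleAssignments)) {
            $member = Get-PnPProperty -ClientObject $ra -Property Member
            $roles  = Get-PnPProperty -ClientObject $ra -Property RoleDefinitionBindings
            if (Test-BroadPrincipal $member.LoginName) {
                $findings += [pscustomobject]@{
                    Library   = $lib.Title
                    Path      = $item['FileRef']
                    Principal = $member.Title
                    Roles     = ($roles | ForEach-Object { $_.Name }) -join ', '
                }
            }
        }
    }
}

$findings | Export-Csv -Path .\copilot-oversharing.csv -NoTypeInformation   # assumed output path
$findings | Format-Table -AutoSize
```

The script only reports items with unique permissions; broad access inherited from the site, from site groups that contain "Everyone except external users", or granted through sharing links needs a separate check (SharePoint Advanced Management's data access governance reports cover those cases).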
Lilly Tech Systems