Oversharing and Microsoft 365 Copilot

While we briefly talked about Copilot earlier, most of this guide is focused on general security and oversharing best practices that you should follow, whether you use Copilot or not. While oversharing was always a problem, most companies only started prioritizing it when they tried to implement Microsoft 365 Copilot and realized that it returns results that it shouldn’t for users.

Remember that Microsoft 365 Copilot is one of the most secure enterprise AI solutions. It will never show content to users when they don’t have access to it, but the big problem companies have is users have access to things they shouldn’t. You might ask yourself why it matters more now that we have Copilot, compared to when we just had Search, as technically it’s the same problem.

It matters more now because AI is the great amplifier. Before, users needed to know what to search for, while with Copilot, users can ask for something that is simply part of their workday, and content from an overshared site can show up in the answer, as in the image below.

Microsoft Copilot oversharing prompt result

In this section of the handbook, we will discuss some best practices and additional features specific to Microsoft 365 Copilot.

Before we go into other features, we would like to emphasize that having proper permissions and users only having access to the content they need is the best and only way to guarantee a secure Copilot deployment. Every other tool and feature we will mention is either a band-aid solution or an additional refinement, but nothing replaces having the proper permissions.

Restricted SharePoint Search is often proposed as a solution, but there are reasons why it isn’t worth your time and why you should never use it.

Restricted SharePoint Search allows you to limit which sites SharePoint Search and Microsoft 365 Copilot can draw from, with a maximum of 100 sites. This means that, instead of allowing people to search and use Copilot on all your organizational content, you create an “allow list” of up to 100 sites that SharePoint search and Copilot can use.

This is a great “panic button” if your permissions are so bad that you need to stop people from being able to find overshared content right away. However, by limiting the number of sites that SharePoint search/Copilot can access, you greatly reduce the value that both those solutions bring to your users, ultimately defeating the entire purpose of both tools. Just imagine not being able to find project files because your admin only added the intranet to your allowed sites. When enabled, users will see a warning such as the one below.

Microsoft Copilot restriction warning
Image Source: Microsoft

It is understandable why Microsoft had to build this feature (some organizations have BIG oversharing problems), but we firmly believe in prioritizing fixing your permissions and using other features, such as Restricted Content Discoverability (RCD), which we’ll talk about in the next paragraph, as a better way to fix the problem without impacting users’ productivity. If you want to configure it, you can find the PowerShell cmdlets here.
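If you do have to press the panic button, the following is an added example (not from the handbook) of enabling Restricted SharePoint Search with a small allow list and recording the resulting state so the change can be reviewed and reversed later. It assumes the SharePoint Online Management Shell module and a SharePoint administrator role; <tenant> and the site URLs are placeholders.

```powershell
# Added example (not from the handbook): enable Restricted SharePoint Search as a
# temporary measure while permissions are being fixed, then record what is in effect.
# Assumes the SharePoint Online Management Shell module and the SharePoint admin role.
# <tenant> and the site URLs are placeholders.

Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# Sites that must stay searchable/usable by Copilot while permissions are cleaned up.
# The allow list is capped at 100 sites, as the handbook notes.
$allowedSites = @(
    "https://<tenant>.sharepoint.com/sites/intranet",
    "https://<tenant>.sharepoint.com/sites/hr-policies"
)
if ($allowedSites.Count -gt 100) {
    throw "Restricted SharePoint Search supports at most 100 allowed sites."
}

# Switch the tenant into restricted mode, then add the allow list.
Set-SPOTenantRestrictedSearchMode -Mode Enabled
Add-SPOTenantRestrictedSearchAllowedList -SitesList $allowedSites

# Record what is now in effect so the change is documented and reviewable.
Get-SPOTenantRestrictedSearchMode
Get-SPOTenantRestrictedSearchAllowedList

# To reverse once permissions are fixed (the end state the handbook recommends):
#   Remove-SPOTenantRestrictedSearchAllowedList -SitesList $allowedSites
#   Set-SPOTenantRestrictedSearchMode -Mode Disabled
```

Keep the output of the two Get- cmdlets with your change record: the allow list is the only thing users will be able to search or ask Copilot about until it is removed again.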

Restricted Content Discoverability (RCD for short) is one of the latest features in the SharePoint Advanced Management suite of products. Contrary to Restricted SharePoint Search, which is an “allow list” of up to 100 sites, Restricted Content Discoverability allows you to select the sites you want to remove from SharePoint Search and Copilot (but there’s a catch, more on that in a minute). This allows you to configure anywhere from 1 site you never want to be shown in Copilot to, well, 300 if you want to, but remember, the more sites you remove from Copilot, the more value you take away from your organization.

To configure RCD, you can run the following PowerShell cmdlet, and then wait for the site to be reindexed, which can take up to 72 hours.

# Connect to the SharePoint admin center first (SharePoint Online Management Shell)
Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
# Remove the site from SharePoint Search and Copilot results (re-indexing can take up to 72 hours)
Set-SPOSite -Identity <site-url> -RestrictContentOrgWideSearch $true
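When you have more than one confidential site, the following added example (not from the handbook) applies RCD to a list of sites and shows the setting on each before and after, so you can confirm the change took effect without waiting for the re-index. It assumes the SharePoint Online Management Shell module and the SharePoint admin role; <tenant> and the site URLs are placeholders, and it is an assumption that Get-SPOSite exposes the RestrictContentOrgWideSearch property in your module version.

```powershell
# Added example (not from the handbook): apply Restricted Content Discoverability
# to several confidential sites and report the setting before and after.
# Assumes the SharePoint Online Management Shell module and the SharePoint admin
# role; <tenant> and the site URLs are placeholders. That Get-SPOSite returns a
# RestrictContentOrgWideSearch property is an assumption about your module version.

Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# Sites whose content should never surface in Search or Copilot for users who
# have not already been working with it (RCD still shows content a user touched
# in the last 30 days, as the handbook explains).
$confidentialSites = @(
    "https://<tenant>.sharepoint.com/sites/board-papers",
    "https://<tenant>.sharepoint.com/sites/ma-deals"
)

foreach ($url in $confidentialSites) {
    $before = (Get-SPOSite -Identity $url).RestrictContentOrgWideSearch

    # Only change sites that are not already restricted.
    if (-not $before) {
        Set-SPOSite -Identity $url -RestrictContentOrgWideSearch $true
    }

    $after = (Get-SPOSite -Identity $url).RestrictContentOrgWideSearch

    # One row per site for the change record.
    [pscustomobject]@{
        Site   = $url
        Before = $before
        After  = $after
    }
}
```

RCD does not change who can open the site, so this is a discoverability control on top of permissions, not a replacement for fixing them; the After column only confirms the flag is set, and results disappear from Copilot once the site has been re-indexed.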

To see it in action, check out the response from Copilot without RCD about upcoming organizational changes, which it built from a document in a Confidential location:

Microsoft Copilot results without RCD

A few days after turning on RCD for that site, that location no longer appears in Copilot’s response, even though we still have access to the document.

Microsoft Copilot results with RCD

Now, remember when we mentioned there was a catch? RCD is really meant to protect your organization against accidental oversharing, but at the same time, limit the loss of productivity. Therefore, RCD will remove results from Copilot and Search unless the user has interacted with them in the past 30 days. So, if the user knows that a document exists and is using it, RCD will still enable the user to be productive and use Copilot with it, but if the user has no idea a document exists, it will not be shown.

Sensitivity labels in Microsoft Purview can be used for many things, from preventing content from being printed to adding watermarks or even encrypting it outside of SharePoint. We could have a full-week class only discussing Microsoft Purview, but in this section of the handbook, we will focus on a specific feature: You can use sensitivity labels to control what Copilot can access.

One of the currently available label actions for files in SharePoint and OneDrive is to prevent Copilot from processing that piece of content.

prevent Copilot from processing content
Source: Microsoft

This allows you to keep your most sensitive files from being used in Microsoft 365 Copilot, and it becomes even more powerful when you think about auto-labelling policies based on the content inside. You could simply create a rule that all documents containing a social security number or a credit card number are excluded from Copilot, and this would be done for you automatically.
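The following is an added example (not from the handbook) of such an auto-labelling policy created in Security & Compliance PowerShell. It assumes a sensitivity label named "Confidential - No Copilot" (a placeholder name) already exists and already has the “prevent Copilot from processing content” action configured in the Purview portal, as shown above; it also assumes that listing several sensitive information types in one rule matches documents containing any of them. The policy starts in simulation mode so matches can be reviewed before any file is labelled.

```powershell
# Added example (not from the handbook): auto-label SharePoint and OneDrive files
# that contain a US Social Security Number or a credit card number with a label
# that blocks Copilot from processing them.
# Assumptions: the Exchange Online PowerShell module is installed and you hold a
# compliance admin role; the label "Confidential - No Copilot" (placeholder name)
# already exists with the Copilot-blocking action set in the Purview portal; and
# several sensitive information types in one rule match any of them.

Connect-IPPSSession

$labelName  = "Confidential - No Copilot"
$policyName = "AutoLabel-PII-NoCopilot"

# Create the policy in simulation mode: it reports matches but labels nothing yet.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -ApplySensitivityLabel $labelName `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithoutNotifications

# Match documents with at least one SSN or at least one credit card number,
# using the built-in sensitive information types.
New-AutoSensitivityLabelRule -Name "$policyName-Rule" `
    -Policy $policyName `
    -Workload SharePoint,OneDriveForBusiness `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Credit Card Number";                minCount = "1" }
    )

# After reviewing the simulation results in Purview, turn the policy on:
#   Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```

Review the simulation before enabling the policy: a rule that fires on false positives silently removes ordinary documents from Copilot, which is the same productivity loss the handbook warns about for the other restriction features.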

Everything we have learned in this guide so far is about securing your content at the source and making sure nothing is overshared, and that remains the best practice to get your company ready for an AI deployment. In this section of the handbook, we looked at a few additional tools, such as sensitivity labels and Restricted Content Discoverability, that let you further control what is available in Copilot, but remember: securing items at the source should still be your main focus.