Forum Discussion
Stopping Copilot Access to SharePoint Online Sites and Document Libraries
Two methods exist to exclude a SharePoint sites from Copilot being able to use its contents – you can exclude the site (or document library) from search results or use sensitivity labels. Given the c...
The problem is that Microsoft doesn't have another way to exclude data from Copilot. Microsoft Search is the cornerstone for many features and is the all-encompassing index for Microsoft 365 data. If you want to exclude data from Copilot, which by definition will go searching for information to satisfy user prompts, then by definition you must exclude the sites from search results. To be fair to Microsoft, they have improved the situation recently by making sure that data in excluded sites is not blocked for Purview solutions like eDiscovery and DLP, which also rely on Microsoft Search.
As to sensitivity labels, the problem here is that Copilot is a new element dropped into the information protection mix that was unanticipated by those who designed the label deployment for organizations. This leads to predefined usage rights being assigned in labels that can result in inadvertent disclosure. For example. many labels include the right for anyone in an organization to read protected content. If this pattern of usage right assignment persists, then Copilot has free rein to access that content on behalf of the signed in user.
Like anything else, it will take time for the community to understand all aspects of these scenarios and for Microsoft to improve their technology to make things work smoother/better/more securely.
churlebaus
Microsoft
MicrosoftTonyRedmond we are soon releasing the ability for a sensitivity label to have copilot restricted permissions as a part of the access controls.
- Block Copilot Access to Individual Office Documents
A new sensitivity label setting blocks access to content services for Office applications. In effect, this stops any feature that depends on the ability to send content to Microsoft for processing, including Copilot for Microsoft 365, DLP, text prediction, and so on. It's a precise item-level block that protects sensitive documents from being consumed and used by Copilot in the text that it generates.
https://practical365.com/block-access-to-content-services/Thank you for your article!
I agree the hard needed controls are starting to get there, I don't think privacy officers will be fully content yet, but it's improving slow but steady I guess 😉
- You mean the block access to content service advanced setting for sensitivity labels? I have a Practical365.com article on the topic coming soon to explore what a label can do and what it cannot.
