Forum Discussion
Restrict Copilot from accessing OneDrive Files.
- Michel-Ehlert, Mar 14, 2024, Brass Contributor
Although Restricted SharePoint Search (RSS) will be part of the solution of the ask of OP, OneDrive files are (still) excluded and not meeting the ask.
I appreciate Microsoft listening to the community on Copilot M365 feedback, but I feel this is still too big of a gun for the ask. The ask is to provide a way to exclude certain specific content from Copilot (across the Microsoft Graph).
This RSS-gun also still kills the Enterprise Search capability, and equals earlier given/received advice to turn the SP-search-indexing off (for certain highly sensitive SP-sites) to exclude it from Copilot (and therefore Enterprise Search).
Another option would have been to use Double Key Encryption (DKE) or other forms of encryption that Copilot/Microsoft do not control, but it gives you maybe more hassle than you likely want.
Not meeting the full ask of the OP, but these are the current options to exclude info from Copilot M365:
1) Take it out of the Microsoft Graph/Tenant and store elsewhere (maybe searchable through other implemented solutions) ... not really useful.
2) Turn SP-search-indexing off ... not really useful either.
3) DKE as discussed above ... too much hassle.
4) RSS ... not a complete solution yet
RSS is a start though!
My 2 cents
- FooReady, Mar 14, 2024, Copper Contributor
Thank you for your input!
I must say we already considered the RSS option; however, it does not cover (as you mentioned) our main concern, which is OneDrive. And the cons seem to outweigh the pros on that front anyways.
The DKE option, brilliantly named by the way, is something we had in mind, we just called it an extra layer of encryption. This option, although it seems most reasonable, raised 2 concerns:
- Is there any encryption solution that would provide end-to-end encryption-decryption services seamlessly for users?
What would that look like in terms of cost, efficiency/speed, integration with Microsoft services,
specifically when it comes to preserving the collaboration capabilities of M365?
It is simply not viable.
- Will the encrypted data in OneDrive or elsewhere in the tenant affect Copilot? Since it is basically gibberish (after encryption), if indexed or run through the underlying LLMs, will it cause any unexpected behavior down the line?
(poorly articulated point but I hope you get my intent)
- Taking it out of Microsoft: it is the most obvious solution, but would counter what we want, which is to preserve M365 collaboration and cloud storage capabilities for the files to be “obscured for Copilot”.
No matter how you put it, the solution should be native to Microsoft, either through labeling by introducing an option such as “restrict copilot access” or having a location in each OneDrive and SharePoint site which is restricted to Copilot and where users can choose to save files.
Just adding to the discussion since as of now there are no concrete solutions for this and only Microsoft would have a way of dealing with this topic.