Forum Discussion
TonyRedmond
Feb 21, 2024 MVP
Stopping Copilot Access to SharePoint Online Sites and Document Libraries
Two methods exist to exclude a SharePoint site from Copilot being able to use its contents – you can exclude the site (or document library) from search results or use sensitivity labels. Given the c...
Michel-Ehlert
Mar 03, 2024 Brass Contributor
Hi Tony, while I appreciate your response on an issue that many customers worry about, I feel I must add either option is not truly viable for most organizations... well, what they want to achieve that is: Exclude (really) sensitive information from Copilot while letting everything else stay the same.
If you remove sites from search indexing it does hurt the ordinary way of finding documents as well (Microsoft Search), for everyone, even those that are the right people with access. Organizations want to exclude it from Copilot, but most likely not from being found at all. Unfortunately there is no way to achieve either one separately, https://learn.microsoft.com/en-us/microsoftsearch/semantic-index-for-copilot#excluding-sharepoint-online-sites
Also leveraging sensitivity labels does not provide a solution to prevent Copilot from using the data through graph-grounding a prompt of the user who has access to that particular piece of data.
The right solution is the hardest one: Companies need to have proper data governance in place to ensure data is managed effectively and securely.
A lot of my Copilot customers have concerns here. So while I support your 'removing sites from search indexes is easier to implement', it does have a significant drawback.
TonyRedmond
Mar 03, 2024 MVP
The problem is that Microsoft doesn't have another way to exclude data from Copilot. Microsoft Search is the cornerstone for many features and is the all-encompassing index for Microsoft 365 data. If you want to exclude data from Copilot, which by definition will go searching for information to satisfy user prompts, then by definition you must exclude the sites from search results. To be fair to Microsoft, they have improved the situation recently by making sure that data in excluded sites is not blocked for Purview solutions like eDiscovery and DLP, which also rely on Microsoft Search.
As to sensitivity labels, the problem here is that Copilot is a new element dropped into the information protection mix that was unanticipated by those who designed the label deployment for organizations. This leads to predefined usage rights being assigned in labels that can result in inadvertent disclosure. For example, many labels include the right for anyone in an organization to read protected content. If this pattern of usage right assignment persists, then Copilot has free rein to access that content on behalf of the signed-in user.
Like anything else, it will take time for the community to understand all aspects of these scenarios and for Microsoft to improve their technology to make things work smoother/better/more securely.
- churlebaus
Jun 19, 2024 Microsoft
TonyRedmond we are soon releasing the ability for a sensitivity label to have Copilot restricted permissions as a part of the access controls.
- TonyRedmond
Jun 24, 2024 MVP
Block Copilot Access to Individual Office Documents
A new sensitivity label setting blocks access to content services for Office applications. In effect, this stops any feature that depends on the ability to send content to Microsoft for processing, including Copilot for Microsoft 365, DLP, text prediction, and so on. It's a precise item-level block that protects sensitive documents from being consumed and used by Copilot in the text that it generates.
https://practical365.com/block-access-to-content-services/
- Michel-Ehlert
Jul 05, 2024 Brass Contributor
Thank you for your article!
I agree the hard needed controls are starting to get there, I don't think privacy officers will be fully content yet, but it's improving slow but steady I guess 😉
- TonyRedmond
Jun 19, 2024 MVP
You mean the block access to content service advanced setting for sensitivity labels? I have a Practical365.com article on the topic coming soon to explore what a label can do and what it cannot.
- Michel-Ehlert
Mar 05, 2024 Brass Contributor
Absolutely.
Fortunately many customers are already vocal on which improvements are needed.