Stopping Copilot Access to SharePoint Online Sites and Document Libraries

MVP

Two methods exist to exclude a SharePoint sites from Copilot being able to use its contents – you can exclude the site (or document library) from search results or use sensitivity labels. Given the choice, sensitivity labels are more flexible and powerful, but removing sites from search indexes is easier to implement.

 

https://office365itpros.com/2024/02/21/exclude-sharepoint-site-from-copilot/

5 Replies
Hi Tony, while I appreciate your response on an issue that many customer worry about, I feel I must add either option is not truly viable for most organizations... well, what they want to achieve that is: Exclude (really) sensitive information from Copilot while letting everything else stay the same.

If you remove sites from search indexing it does hurt the ordinary way of finding documents as well (Microsoft Search), for everyone, even those that are the right people with access. Organization want to exclude it from Copilot, but most likely not from being found at all. Unfortunately there is no way to achieve either one separately, https://learn.microsoft.com/en-us/microsoftsearch/semantic-index-for-copilot#excluding-sharepoint-on...

Also leveraging sensitivity labels does not provide a solution to prevent Copilot from using the data through graph-grounding a prompt of the user who has access to that particular piece of data.

The right solution is the hardest one: Companies need to have a proper data governance in place to ensure data is managed effectively and securely.

A lot of my Copilot customers have concerns here. So while I support your 'removing sites from search indexes is easier to implement', it does have a significant drawback.

@Michel Ehlert 

 

The problem is that Microsoft doesn't have another way to exclude data from Copilot. Microsoft Search is the cornerstone for many features and is the all-encompassing index for Microsoft 365 data. If you want to exclude data from Copilot, which by definition will go searching for information to satisfy user prompts, then by definition you must exclude the sites from search results. To be fair to Microsoft, they have improved the situation recently by making sure that data in excluded sites is not blocked for Purview solutions like eDiscovery and DLP, which also rely on Microsoft Search.

 

As to sensitivity labels, the problem here is that Copilot is a new element dropped into the information protection mix that was unanticipated by those who designed the label deployment for organizations. This leads to predefined usage rights being assigned in labels that can result in inadvertent disclosure. For example. many labels include the right for anyone in an organization to read protected content. If this pattern of usage right assignment persists, then Copilot has free rein to access that content on behalf of the signed in user. 

 

Like anything else, it will take time for the community to understand all aspects of these scenarios and for Microsoft to improve their technology to make things work smoother/better/more securely. 

Absolutely.

Fortunately many customers are already vocal on which improvements are needed.
Well this will help a lot

Introducing Restricted SharePoint Search
As previously disclosed, Restricted SharePoint Search will start rolling out next month for customers with Copilot for Microsoft 365 licenses. Designed for organizations particularly concerned about unintentional oversharing of content, Restricted SharePoint Search allows you to disable organization-wide search and limit Copilot to selected SharePoint sites. This feature is intended as a temporary solution to give you time to review and audit site permissions while implementing robust data security with Microsoft Purview and manage content lifecycle with SharePoint Advanced Management. If you are interested in this feature, you can follow the status of the rollout on the public roadmap. https://techcommunity.microsoft.com/t5/copilot-for-microsoft-365/what-s-new-in-copilot-for-microsoft...