Architecture Diagrams: Microsoft 365 Copilot Data Protection, Oversharing & Auditing

Microsoft 365 provides robust data protection and auditing capabilities, ensuring compliance and security across its ecosystem. Key features such as Microsoft Purview sensitivity labels, encryption, and SharePoint oversharing controls directly influence how Microsoft 365 Copilot interacts with and safeguards data.

Microsoft 365 Copilot fully adheres to security and data protection policies, preventing unauthorized access while offering tools for auditing usage data.

Microsoft 365 Copilot and Data Protection: Sensitivity Labels & Encryption

Microsoft 365 Copilot integrates with Microsoft Purview sensitivity labels and encryption to enhance data security. The following diagram illustrates how Copilot adheres to information protection controls, ensuring sensitive data is managed and safeguarded effectively.

  • Opening a file in Office apps: Sensitivity label names and content markings are displayed when a labeled file is accessed.
  • Encryption controls: If a sensitivity label applies encryption, users must have EXTRACT and VIEW usage rights for Copilot to summarize the data.
  • Azure Rights Management encryption: Files encrypted without sensitivity labels still require EXTRACT or VIEW rights for Copilot to process them.
  • Copilot Chat interaction: Sensitivity labels are displayed in responses, prioritizing the highest security classification.
  • Generating new content: Copilot inherits the highest-priority sensitivity label and its protection settings when creating content based on labeled files.
  • Data protection beyond Microsoft 365: Labeled files remain protected when stored outside the Microsoft 365 tenant, including on personal devices, network shares, or cloud storage—ensuring security wherever accessed.

Oversharing controls with Microsoft 365 Copilot

Microsoft 365 Copilot includes oversharing controls to help organizations manage data access and prevent unintended exposure. The architecture diagram illustrates the key features available with Microsoft 365 E3 and above and with SharePoint Advanced Management licenses, which provide enhanced security measures.

1. Restricted SharePoint Search

  • Restricted SharePoint Search enables organizations to control search visibility and Copilot experiences by limiting access to specific SharePoint sites. By default, this setting is turned off, and no sites are included in the allowed list. It functions as a temporary solution, allowing administrators to review site permissions and ensure proper access configurations before broader implementation.

2. Built-in SharePoint Controls

  • Use Specific people links instead of organization-wide sharing by default.
  • Hide broad-scoped permissions, such as the Everyone Except External Users claim.
  • Site admins can restrict member sharing and ensure Site Owners manage access requests.

3. Data access governance reports help identify sites with overshared or sensitive content (available in SharePoint Advanced Management).

4. Restricted Content Discovery

  • Allows organizations to flag sites, preventing them from being discovered via Copilot or Org-wide search.
  • Does not change existing permissions—users with access can still visit sites and open files.

5. Inactive Site Management (SharePoint Advanced Management)

  • Enables organizations to create inactive site policies to automatically reduce and manage unused sites.

6. Restricted Access Control Policy (SharePoint Advanced Management)

  • Limits SharePoint and OneDrive access to specific user groups.
  • Users outside the group cannot access sites or content, even if they previously had permissions or a shared link.
  • Applicable to Microsoft 365 Group-connected, Teams-connected, and non-group connected sites.

7. Microsoft Purview Sensitivity Labels & Encryption

  • Sensitivity labels with encryption restrict which files Copilot can access.
  • Users must have EXTRACT and VIEW usage rights for Copilot to summarize the data.
  • Data Loss Prevention (DLP) for Microsoft 365 Copilot prevents Copilot from accessing content that has specific sensitivity labels applied.
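As an added example (not part of the original article), the following SharePoint Online Management Shell session configures three of the controls listed above: Restricted SharePoint Search (item 1), Restricted Content Discovery (item 4), and a Restricted Access Control policy on a non-group-connected site (item 6). The tenant name, site URLs, and security group ID are placeholders; the property names shown in the final verification step are assumed from the current cmdlet output.

```powershell
# Added example: configuring Copilot oversharing controls with the
# SharePoint Online Management Shell. All URLs and the group ID are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Restricted SharePoint Search: turn the mode on (it is off by default), then
#    add only the sites whose permissions have already been reviewed.
Set-SPOTenantRestrictedSearchMode -Mode Enabled
Add-SPOTenantRestrictedSearchAllowedList -SitesList @(
    "https://contoso.sharepoint.com/sites/HR-Reviewed",
    "https://contoso.sharepoint.com/sites/Finance-Reviewed"
)
# Confirm the mode and the allowed list before telling users anything changed.
Get-SPOTenantRestrictedSearchMode
Get-SPOTenantRestrictedSearchAllowedList

# 4. Restricted Content Discovery: hide one site from Copilot and org-wide search.
#    This does not alter permissions; users who already have access can still open files.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/LegacyProjects" `
    -RestrictContentOrgWideSearch $true

# 6. Restricted Access Control policy (SharePoint Advanced Management):
#    enable the tenant-level switch, then bind a non-group-connected site to one
#    security group. Users outside that group lose access even with a prior link.
Set-SPOTenant -EnableRestrictedAccessControl $true
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/BoardPapers" `
    -RestrictedAccessControl $true `
    -AddRestrictedAccessControlGroups "00000000-0000-0000-0000-000000000000"  # placeholder group ID

# Verify the per-site state (property names assumed from current Get-SPOSite output).
Get-SPOSite -Identity "https://contoso.sharepoint.com/sites/BoardPapers" |
    Select-Object Url, RestrictedAccessControl, RestrictedAccessControlGroups,
                  RestrictContentOrgWideSearch
```

Restricted SharePoint Search is meant as a stopgap while site permissions are reviewed; the allowed list should shrink the tenant's Copilot surface only until the built-in controls in item 2 are in place.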

Storage and Auditing of Microsoft 365 Copilot Usage Data

Microsoft 365 Copilot usage data is stored across multiple locations, allowing organizations to discover, audit, and apply retention policies using tools available in Microsoft 365 E5.

The accompanying diagram illustrates the various features within the Microsoft 365 E5 license that enable efficient searching and auditing of Copilot data.

  1. Use Microsoft Purview audit logs to track Copilot interactions, including accessed items and their sensitivity labels.
  2. Use Microsoft Purview eDiscovery to search Copilot prompts and responses for keywords, flag inappropriate content, and retain data for legal investigations.
  3. Use Microsoft Purview Communication Compliance to detect and alert users about inappropriate or sensitive Copilot prompts and responses, such as personal or highly confidential information.
  4. Use Microsoft Purview retention policies to store or delete Copilot conversations based on compliance requirements, ensuring data remains available for eDiscovery or is removed after a defined period.

  5. During a Copilot interaction, embedded cloud attachments provide links to source files. If a retention label is applied, the specific version of these attachments is preserved, even if the original file is edited or deleted from SharePoint or OneDrive. The retained version is stored in the Preservation Hold Library, ensuring continued accessibility for eDiscovery searches.
  6. During a Copilot interaction, users can upload local files, which are automatically stored in the Microsoft Copilot Chat Files folder within their OneDrive. Like other OneDrive files, these Copilot-related files remain accessible for eDiscovery searches and can be retained or deleted based on applied retention policies.
  7. Copilot Pages content is stored in a user-owned SharePoint Embedded container, with one dedicated container per user. Like other SharePoint files, this content remains accessible for eDiscovery searches and can be automatically retained or deleted based on applied retention policies.
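As an added example (not part of the original article), this Exchange Online / Purview PowerShell session pulls the Copilot interaction records described in item 1 from the unified audit log and lists the files each interaction accessed together with their sensitivity label. The JSON property names inside AuditData (CopilotEventData, AccessedResources, SensitivityLabelId, AppHost) are assumptions about the current record schema; check one raw record in your tenant and adjust if they differ.

```powershell
# Added example: auditing which labeled files Copilot touched in the last 7 days.
# AuditData field names below are assumed from the current schema; verify in your tenant.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# CopilotInteraction is the audit RecordType for Copilot prompts/responses.
# ReturnLargeSet pages at 5000 records; loop with -SessionId for larger windows.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType CopilotInteraction -ResultSize 5000 -SessionCommand ReturnLargeSet

$rows = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json
    foreach ($res in $data.CopilotEventData.AccessedResources) {   # assumed field path
        [pscustomobject]@{
            Time       = $r.CreationDate
            User       = $r.UserIds
            AppHost    = $data.CopilotEventData.AppHost              # assumed field
            Resource   = $res.Name
            ResourceId = $res.Id
            LabelId    = $res.SensitivityLabelId                     # assumed field
        }
    }
}

# Resolve label GUIDs to display names via the Purview compliance endpoint.
Connect-IPPSSession
$labelNames = @{}
Get-Label | ForEach-Object { $labelNames[$_.Guid.ToString()] = $_.DisplayName }

# Labeled-file accesses are the ones governed by the EXTRACT/VIEW usage rights above.
$labeled = $rows | Where-Object { $_.LabelId } |
    Select-Object Time, User, AppHost, Resource,
                  @{ n = 'Label'; e = { $labelNames[$_.LabelId] } } |
    Sort-Object Time -Descending

$labeled | Format-Table -AutoSize
$labeled | Export-Csv -Path ".\copilot-labeled-access.csv" -NoTypeInformation
```

The exported CSV is a convenient input for a periodic review of whether the labels Copilot is reaching match what the tenant's oversharing controls were expected to allow.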

Copilot Supports Conditional Access and MFA Compliance

Copilot honors Conditional Access policies and multifactor authentication (MFA).

  • Ensure that users have access to Microsoft 365 services when enabling Conditional Access policies. You can define access conditions, including enforcing device compliance policies based on your configurations.

For organizations using Microsoft Intune, Intune compliance policies can be integrated with Conditional Access to enhance security.

  • Copilot leverages the same multifactor authentication (MFA) settings configured for your Microsoft 365 tenant, ensuring secure access. Like other Microsoft 365 services, users must verify their identity using multiple authentication factors before accessing Copilot.

If your tenant has security defaults enabled, MFA is automatically enforced. If MFA is not yet activated, Microsoft strongly recommends enabling it to enhance security and protect user accounts.
