[Security: Microsoft Copilot] Secure And Keep Your Data Searchable

01-07-2025

In this blogpost we're going to talk about Microsoft Copilot and security vs content discoverability.

Many organizations are using some form of AI nowadays. Some are using ChatGPT, others Microsoft Copilot, or both. Today I'm writing this blogpost to give some tips on how to set up and configure Microsoft 365 Copilot in your tenant with security in mind. Not every option will be suited to your organization, but I will give you as many options as I know.

*note: You will need an M365 Copilot license. With this license you also get the SharePoint Advanced Management features.


Sensitivity labels

Maybe the first thing you want to implement is sensitivity labels. With these labels you can make sure that only the results you want your organization to see are displayed. Microsoft Copilot works together with these labels, so when a label is applied, Copilot checks the rights of the user before returning the content. Setting up sensitivity labels is outside the scope of this blogpost. When you have enabled these labels, Copilot will show you the following in the results:

Sensitivity labels are included in Copilot's output, enabling users to evaluate whether the referenced content complies with their audience's data-sharing requirements. 

For items protected with labels, Copilot validates the user's usage rights; content from such sources is only returned if the user has explicit permissions to extract or reuse it.

When creating new documents with Copilot, Copilot will automatically set the correct sensitivity label for that specific document.


Reporting

Second up, we're going to run some reports from the SharePoint Admin Center. With these reports you can see if you have any oversharing or content shared with 'Everyone except external users'.
  • Browse to your SharePoint Admin Center and select "Reports", then "Data access governance"

On this page you are able to run the reports mentioned above. The first time you create a report, keep in mind that it will take about 24 hours before it is available.

When you select "Sharing Links", for example, you will see the reports that you can run.

These reports are very helpful if you want to implement Copilot and see if your organization has any "sharing issues".


Block Search Index For Specific Sites

The next option you can consider is blocking the search index for specific sites. This way Copilot will not be able to surface content from this specific SharePoint site in its results. Please keep in mind that all your content in this site will no longer be indexed at all, not just for Copilot.


If you don't mind losing indexing for that site, you can turn it off via "Site Settings".


Restrict content from Microsoft 365 Copilot

With this option you can enable or disable Copilot searching through your content for a specific site.

To achieve this, follow these steps:

Browse to the SharePoint Admin Center and select the site you want to exclude:

or set this via PowerShell:

Set-SPOSite -Identity *yoursharepointsite* -RestrictContentOrgWideSearch $true

Pros and cons regarding this option:

Pros: You can limit the ability to search for files in a specific SharePoint site, while searching from within the site context will still work.
Cons: This cannot be applied to OneDrive, and you can see higher latency when you apply this to more sites.
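Added example (not code from the original post): applying the same per-site setting to a list of sites, skipping OneDrive URLs because the option does not apply there, and reading the setting back afterwards. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that the URLs are placeholders, and that Get-SPOSite exposes the RestrictContentOrgWideSearch property.

```powershell
# Added example, not from the original post. Placeholder URLs; replace with your own.
Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url "https://<yourtenant>-admin.sharepoint.com"   # placeholder

$SitesToRestrict = @(
    "https://<yourtenant>.sharepoint.com/sites/Legal",                       # placeholder
    "https://<yourtenant>.sharepoint.com/sites/MergersAndAcquisitions",      # placeholder
    "https://<yourtenant>-my.sharepoint.com/personal/someone_contoso_com"    # OneDrive: skipped
)

$applied = @()
foreach ($url in $SitesToRestrict) {
    # OneDrive sites live on the "-my" host; the setting is not supported there (see Cons above)
    if ($url -match '-my\.sharepoint\.com') {
        Write-Warning "Skipping $url : RestrictContentOrgWideSearch does not apply to OneDrive"
        continue
    }
    Set-SPOSite -Identity $url -RestrictContentOrgWideSearch $true
    $applied += $url
}

# Read the setting back per site so you know the restriction really took effect
# (assumption: Get-SPOSite returns RestrictContentOrgWideSearch for the site)
foreach ($url in $applied) {
    Get-SPOSite -Identity $url | Select-Object Url, RestrictContentOrgWideSearch
}
```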


RSS (Restrict SharePoint Search)

The Restrict SharePoint Search option gives you more control over your files. Please keep in mind that this works for up to 100 SharePoint sites and that you need to create an "allowed list of curated SharePoint sites".


If you have a large organization, please keep the 100-site limit in mind. If you have a smaller organization, or fewer SharePoint sites that you want Copilot to search in, you can consider this method. Copilot shows results from OneDrive, mail, calendar, chats and the SharePoint sites that are in the curated list.

To configure RSS in your tenant:

Connect-SPOService -Url *yoursharepointadminurl*
Set-SPOTenantRestrictedSearchMode -Mode Enabled
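Added example (not code from the original post): the two commands above plus the curated allowed list, with a check against the 100-site limit before anything is added, and the mode only switched on once the list is in place. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that the URLs are placeholders, and that Get-SPOTenantRestrictedSearchAllowedList returns the site URLs currently on the list.

```powershell
# Added example, not from the original post. Placeholder URLs; replace with your own.
Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop

$AdminUrl     = "https://<yourtenant>-admin.sharepoint.com"        # placeholder
$CuratedSites = @(
    "https://<yourtenant>.sharepoint.com/sites/Finance",           # placeholder
    "https://<yourtenant>.sharepoint.com/sites/HR"                 # placeholder
)
$MaxAllowedSites = 100   # ceiling for the RSS allowed list, as noted above

Connect-SPOService -Url $AdminUrl

# Read what is already on the list so we only add missing sites and never exceed the cap
# (assumption: the cmdlet returns the site URLs as strings)
$existing = @(Get-SPOTenantRestrictedSearchAllowedList)
$toAdd    = @($CuratedSites | Where-Object { $existing -notcontains $_ })

if (($existing.Count + $toAdd.Count) -gt $MaxAllowedSites) {
    throw "Allowed list would grow to $($existing.Count + $toAdd.Count) sites; the limit is $MaxAllowedSites. Trim the curated list first."
}

if ($toAdd.Count -gt 0) {
    Add-SPOTenantRestrictedSearchAllowedList -SitesList $toAdd
}

# Enable the restricted mode only after the list is populated, so users are not left
# with an empty Copilot/search scope in between the two steps
Set-SPOTenantRestrictedSearchMode -Mode Enabled

# Verify the end state
Get-SPOTenantRestrictedSearchMode
Get-SPOTenantRestrictedSearchAllowedList | Sort-Object
```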

When enabled, you will see the following when you use Copilot:


Use "restricted site access"

With restricted site access you can assign security groups to a specific SharePoint site. This functionality enforces access restrictions to ensure that site content is only available to authenticated users within a defined security group.


When you want to configure this, the first thing you need to do is enable restricted site access at the tenant level (make sure you have enough rights to enable this feature, such as Global Administrator):

Set-SPOTenant -EnableRestrictedAccessControl $true

After enabling this feature at the tenant level, you can configure site-specific restriction policies through the SharePoint Admin Center. Navigate to "Active sites," select the desired site. In the site details pane, go to the "Settings" tab. Under the "Restricted site access" section, click "Edit" to modify access configurations.

Site Access Restriction policies are triggered when users attempt to access the site or open files within it. While users with direct file-level permissions may see those files in search results, access is denied unless they are part of the associated Microsoft 365 group. Only members and owners of this specific group are authorized to interact with site content.
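Added example (not code from the original post): the same per-site policy configured from PowerShell instead of the admin center, choosing between the site's own Microsoft 365 group and explicit security groups, and reading the result back. It assumes the tenant-level switch above is already on, that the URL and group IDs are placeholders, and that Set-SPOSite accepts the -RestrictedAccessControl and -RestrictedAccessControlGroups parameters and Get-SPOSite reports them back.

```powershell
# Added example, not from the original post. Placeholder values; replace with your own.
Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url "https://<yourtenant>-admin.sharepoint.com"   # placeholder

$SiteUrl = "https://<yourtenant>.sharepoint.com/sites/Finance"        # placeholder
# Entra security group object IDs that may open the site (placeholder GUIDs).
# Only used for sites that are not connected to a Microsoft 365 group.
$AllowedGroupIds = @("00000000-0000-0000-0000-000000000001")

$site = Get-SPOSite -Identity $SiteUrl

if ($site.GroupId -ne [guid]::Empty) {
    # Group-connected site: access is limited to the members and owners of its own
    # Microsoft 365 group, which is the behaviour described above
    Set-SPOSite -Identity $SiteUrl -RestrictedAccessControl $true
} else {
    # Non-group site: the allowed security groups must be supplied explicitly
    # (assumption: the parameter takes the group IDs as a GUID array)
    Set-SPOSite -Identity $SiteUrl -RestrictedAccessControl $true `
        -RestrictedAccessControlGroups ([guid[]]$AllowedGroupIds)
}

# Read back before relying on the policy; users with direct file permissions will still
# see items in search results, but opening them is denied unless they are in the group
Get-SPOSite -Identity $SiteUrl |
    Select-Object Url, GroupId, RestrictedAccessControl, RestrictedAccessControlGroups
```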