Microsoft 365 Copilot is a revolutionary productivity assistant that leverages large language models (LLMs) and your organisational data to help you create, communicate, and collaborate more effectively across Microsoft 365 apps.
Copilot can assist you with various tasks, such as drafting emails, making presentations, processing data, and finding insights. But to make the most of this game-changing technology, you must master three key aspects: adoption, data security, and governance.
In this two-part session, Microsoft 365 expert Nikki will guide you through these aspects and show you how to use Copilot to boost your productivity, creativity, and confidence.
In the second part of the session, Nikki will concentrate on data security and governance. She will explain that implementing Microsoft 365 Copilot requires a strategic approach beyond just adopting the technology. To truly unlock its potential, you must prioritise governance and data security. Without these crucial components, you risk oversharing and surfacing outdated information.
Key takeaways:
– The risks of not addressing data security and governance as part of your Microsoft 365 Copilot transformation
– How to configure Microsoft 365 for “just enough access” to safeguard your sensitive data
– How to improve data governance to deliver more accurate and relevant recommendations
3. Agenda
• The risks of not addressing data security and governance as part of your Microsoft 365 Copilot transformation
• How to configure Microsoft 365 for “just enough access” to safeguard your sensitive data
• How to improve data governance to deliver more accurate and relevant recommendations
5. Essentials for Copilot success
• Nominate and activate your Copilot executive sponsors, in partnership with your AI Council
• Define initial high value scenarios and target a critical mass of users for rapid value
• Define your path to secure your data for compliance and peace of mind
6. Copilot for Microsoft 365 implementation
Copilot implementation: Sponsor, Scenarios, Security (Copilot essentials checklist)
Workstreams support each other for maximum value and ROI:
• User Enablement: Prepare organization and employees for the AI transformation journey
• Technical Readiness: Address technical deployment and optimization, including governance, security, compliance, and management
• Leadership journey
7. Data flow (all requests are encrypted via HTTPS)
1 User prompts from Microsoft 365 Apps are sent to Copilot
2 Copilot accesses Graph and Semantic Index for pre-processing
3 Copilot sends modified prompt to Large Language Model (LLM)
4 Copilot receives LLM response
5 Copilot accesses Graph and Semantic Index for post-processing
6 Copilot sends the response, and app command back to Microsoft 365 Apps
Diagram labels: Microsoft 365 Trust Boundary; Customer’s Microsoft 365 Tenant; Semantic Index; Azure OpenAI; RAI
• Azure OpenAI instance is maintained by Microsoft. OpenAI has no access to the data or the model.
• RAI is performed on input prompt and output results
• Customer data is not stored or used to train the model
8. Improve your data quality with Data Lifecycle Management
Lifecycle stages: Create; Store and Use; Archive; Delete
• Restrict access
• Delete redundant, obsolete, or trivial (ROT) data
• Access permissions
• Sharing links
• Naming conventions
• Metadata
10. Copilot for Microsoft 365 basic architecture
Data flow (lock icon = all requests are encrypted via HTTPS and wss://)
1 User prompts from Microsoft 365 Apps are sent to Copilot
2 Copilot accesses Graph and Semantic Index for pre-processing
3 Copilot sends modified prompt to Large Language Model
4 Copilot receives LLM response
5 Copilot accesses Graph and Semantic Index for post-processing
6 Copilot sends the response, and app command back to Microsoft 365 Apps
Diagram labels: Microsoft 365 Service Boundary; Customer Microsoft 365 Tenant; Semantic Index; Azure OpenAI; RAI
• Azure OpenAI instance is maintained by Microsoft. OpenAI has no access to the data or the model.
• RAI is performed on input prompt and output results
• Prompts, responses, and data accessed through Microsoft Graph aren't used to train foundation models
11. Microsoft’s approach to privacy
• You control your data
• You know where your data is located
• We secure your data at rest and in transit
• We defend your data
12. Common questions we hear from customers
• How do we know our data is secure?
• When will we be able to audit Copilot usage?
• What can I do to avoid overexposing our data?
• Where is my data processed?
13. Copilot for Microsoft 365
Built on Microsoft’s comprehensive approach: Security, Compliance, Privacy, Responsible AI
16. Most data stored outside Microsoft 365 and users work in email
Legend: Ungoverned – access; Ungoverned – no access; Location hidden from scope – Excluded
Diagram labels: 3rd Party data storage; SharePoint; Your OneDrive; Others' OneDrives
17. Use of OneDrive increases, but users email files instead of sharing them - no adoption or training
Diagram labels: Your OneDrive; SharePoint; 3rd Party data storage; Others' OneDrives
18. Pioneers create ungoverned Teams & Sites
Diagram labels: Your OneDrive; Others' OneDrives; SharePoint; 3rd Party data storage
19. We create public Teams with default configuration
Diagram labels: 3rd Party data storage; Others' OneDrives; Your OneDrive
20. There is ungoverned file sharing
Diagram labels: 3rd Party data storage; SPO; Others' OneDrives; Your OneDrive
21. 3rd party data is migrated into Microsoft 365 - increasing sprawl
Diagram labels: 3rd party; Your OneDrive
22. Govern Access - Admins added as owner of all groups, Teams & sites by default
Diagram labels: SPO; Your OneDrive
23. Govern groups, Teams and sites
Data Lifecycle management
Legend: Ungoverned – access; Ungoverned – no access; Governed location – No access; Governed location – have access
Diagram labels: Your OneDrive
24. Copilot for Microsoft 365 Optimization Assessment
Determine your deployment path (Data Security readiness score, license profile, deployment path):
• 0% - 66%: Office 365 E3, Microsoft 365 Business Standard/Premium, or higher; deployment path: Core
• 67% - 100%: Microsoft 365 E5; deployment path: Best-in-Class
Solution Assessment Program (microsoft.com)
26. Apply appropriate Data Security controls
Get started quickly and continue to optimize along the way
1 Get started: Copilot for Microsoft 365 Optimization Assessment. Determine path (26 questions; 30 minutes)
2a Ready to deploy? If YES, go to step 3; if NO, go to step 2b
2b Enable Restricted SharePoint Search*
3 Deploy Copilot for Microsoft 365
4 Optimize further as needed:
• Core: Restrict data oversharing and data leaks with manual labeling and policies. Required licenses: Office 365 E3, Microsoft 365 Business Standard/Premium, or higher
• Best-In-Class: Prevent data oversharing, data leaks, and detect non-compliant usage at scale with auto labeling and policies. Required licenses: Microsoft 365 E5; and SPP-SharePoint Advanced Management
5 If used, disable Restricted SharePoint Search
*Restricted SharePoint Search will limit Copilot for Microsoft 365 experiences and organization-wide search. It is a temporary option which gives you time to address oversharing concerns while getting started on your Copilot journey.
27. 1. Temporary measure - Restricted SharePoint Search
Diagram labels: SPO; Your OneDrive
• Add up to 100 sites
• Frequently visited sites
• Your OneDrive
• Shared files with you & you have accessed
• This disables organization-wide search
• No impact on Purview e.g. DLP
28. 2. User adoption so users know they can revoke access to their shared OneDrive files
Diagram labels: Your OneDrive
• Relies on user adoption
29. 3. Convert Public workspaces to Private workspaces
Diagram labels: SPO; Your OneDrive
• All users in the tenant can access content in Public Groups
• Use Container sensitivity labels to restrict Public Teams being created
• Identify Viva Engage/Teams that need to be Public, e.g. All staff or social
30. 4. Regularly review workspace membership
Diagram labels: SPO; Your OneDrive
• Manual reviews
• Dynamic groups (Entra ID P1)
• Entra ID Groups/Teams/Viva Engage Access Reviews (Entra ID P2 licence)
• SAM reviews for Sites
31. 5. Implement workspace provisioning controls and sensitivity labels
Diagram labels: SPO; Your OneDrive
• Container sensitivity labels to control access permissions
• Build or Buy e.g. Orchestry
32. 6. Govern Teams - Use private/shared channels to restrict access
Diagram labels: SPO; Your OneDrive
• Control who can create
• Shared channel bi-directional config
33. 7. Restrict who can share files and folders and sharing links
Diagram labels: SPO; Your OneDrive
• Use container labels (feature enabled via PowerShell)
34. 8. Govern Site Access - Block site access to non-members
Diagram labels: SPO; Your OneDrive
• SharePoint Advanced Management licenses $3 PUPM for all users
35. 9. Govern Content - Use DLP and/or encrypted sensitivity labels to restrict access
Diagram labels: Teams; SPO
• Automated labelling & default label on Document Library requires E5 IP&G licencing for all users
36. 10. Govern Content - Retention policies/labels to keep what you need and delete the rest
Diagram labels: SPO; Others' OneDrive; Teams
• Automated requires E5 IP&G licencing for all users
37. 11. Govern Content - Externally archive inactive content
Diagram labels: SPO Archive; SPO; Others' OneDrive; Your OneDrive
• Microsoft now has a SharePoint archive service