
On November 1st, 2023, Microsoft 365 Copilot became Generally Available. And to my great pleasure, Microsoft published information on Copilot and Microsoft Purview. In this blog, I want to add some more information to this…
Microsoft 365 Copilot
Unless you haven’t followed any Microsoft news recently, it will come as no surprise that Copilot has been released as Generally Available for enterprise customers of Microsoft 365. And it is an amazing set of functions that you can use. Just look at this example. The example shows us how a document can be created based on another document.
Compliance concerns
As we’ve seen when enterprise search became mature and Microsoft Delve was introduced, security/privacy and compliance people become jittery when information systems can access information by themselves. I’ve worked with companies that wanted to shut down either the enterprise search in SharePoint and/or Delve because too much information became available.
Of course, this is not the root cause and it’s basically shooting the messenger. When searching for information in Microsoft 365, and more specifically SharePoint Online, the results are so-called “security trimmed”. You only see what you are entitled to see. If the permissions to the information are too lenient, then Search (or Delve or Copilot) will make this abundantly clear. People will start seeing information they probably do not need to see.
So, take good care of your permissions and access management for information in Microsoft 365. This was and still is a very good practice. It also fits within your zero-trust model for Microsoft 365.

It’s great to see that Microsoft already anticipated these kinds of questions and has released an excellent article on Purview and Microsoft 365 Copilot. Definitely a good read!
Sensitivity labels
The article mentions that user rights are respected by Copilot. It also mentions which Information Rights Management (IRM) permissions (as used by Information Protection) Copilot needs in order to use any information: the VIEW and EXTRACT permissions.

So what do these mean? When you configure a Microsoft Information Protection sensitivity label for encryption, you can choose from a variety of options. These start with the users that need the permissions.

And these end with the permissions themselves. And this is where the VIEW and EXTRACT permissions come into play. When you assign permissions to a specific set of users, you can either choose to use the built-in roles or create a custom set of permissions.
The built-in roles are (from most permissive to least permissive):
- Co-owner
- Co-author
- Reviewer
- Viewer
All roles come with specific permissions. The GUI explains these in simple terms, for example, “Edit content”. Under the (IRM) hood other terms are used. “Edit content” becomes “DOCEDIT”. And “Copy and extract content” becomes “EXTRACT”.

So what can Copilot access?
In short, a user working with Microsoft Copilot cannot access labeled documents if he/she has not been added to the permissions for the label. When the user has been added to the permissions with only the Reviewer or Viewer permission, the document cannot be accessed either.
Or, put differently, the user needs to have either Co-author permissions or a custom role with the “View content” and “Copy and extract content” permissions. By the way: when you create a document and it is labeled, you automatically get the Co-owner permission.
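
The rule above can be checked against a label's permission list. The following is an added example, not part of the original post or Microsoft's code: it audits a rights definition written as `identity:RIGHT1,RIGHT2;identity2:...` and reports which identities meet the VIEW + EXTRACT requirement. The sample identities are constructed, the function names are hypothetical, and accepting role names in place of rights is a convenience of this example.

```python
# Added example: which identities on a label satisfy Copilot's VIEW + EXTRACT need?
COPILOT_REQUIRED = frozenset({"VIEW", "EXTRACT"})

# Built-in roles reduced to the two rights that matter here. Per the post,
# Co-owner and Co-author include EXTRACT; Reviewer and Viewer do not.
ROLE_RIGHTS = {
    "CO-OWNER": {"VIEW", "EXTRACT"},
    "CO-AUTHOR": {"VIEW", "EXTRACT"},
    "REVIEWER": {"VIEW"},
    "VIEWER": {"VIEW"},
}

def parse_rights(definition):
    """Parse 'identity:RIGHT1,RIGHT2;identity2:ROLE' into {identity: set_of_rights}."""
    grants = {}
    for entry in filter(None, (e.strip() for e in definition.split(";"))):
        identity, sep, rights = entry.rpartition(":")
        if not sep or not identity.strip():
            raise ValueError(f"malformed entry: {entry!r}")
        expanded = set()
        for token in (t.strip().upper() for t in rights.split(",") if t.strip()):
            # A role name expands to its rights; anything else is a raw IRM right.
            expanded |= ROLE_RIGHTS.get(token, {token})
        # The same identity listed twice gets the union of its grants.
        grants.setdefault(identity.strip().lower(), set()).update(expanded)
    return grants

def copilot_audit(definition):
    """Return {identity: (copilot_can_use, missing_rights)}."""
    report = {}
    for identity, rights in parse_rights(definition).items():
        missing = COPILOT_REQUIRED - rights
        report[identity] = (not missing, sorted(missing))
    return report

# Constructed sample definition; identities are placeholders.
SAMPLE = ("finance@contoso.example:Co-Author;"
          "audit@contoso.example:Reviewer;"
          "legal@contoso.example:VIEW,VIEWRIGHTSDATA,EXTRACT;"
          "interns@contoso.example:VIEW,DOCEDIT")

if __name__ == "__main__":
    for who, (ok, missing) in copilot_audit(SAMPLE).items():
        print(f"{who:32} copilot={'yes' if ok else 'no':3} missing={missing}")
```

The audit works per listed identity only; a user who belongs to several listed groups holds the union of those groups' rights, which this example does not resolve.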

What does this mean?
In effect, Microsoft 365 Copilot is more stringent when handling encrypted documents with a sensitivity label. As you will need either custom permissions or at least the Co-author role, sensitive information is safeguarded. Provided, of course, that:
- you have sensitivity labels employed within the enterprise;
- you have set the right level of permissions to the labels;
- you are protecting your most sensitive information using labels.
Want to learn more?
As I’ve said earlier, I’m very pleased to see a lot of information available on this subject. For example:
- https://learn.microsoft.com/en-us/microsoft-365-copilot/microsoft-365-copilot-privacy
- https://www.microsoft.com/en-us/microsoft-365/blog/2023/09/21/announcing-microsoft-365-copilot-general-availability-and-microsoft-365-chat/
- https://learn.microsoft.com/en-us/microsoft-365/security/microsoft-365-zero-trust?view=o365-worldwide