Microsoft 365 Copilot and Information Protection
Simon Ågren
January 26, 2024

When it comes to safeguarding sensitive information, Microsoft Copilot adheres to a strict principle: it can only access content for which the user has proper permissions. Just like other security-trimmed features in Microsoft 365, Copilot ensures that confidential data remains well-protected.

But let’s move beyond theory and explore a practical scenario:

The Scenario: A Private team and a Classified File

Imagine a secluded corner of Microsoft Teams—the Project Westeros private team. As you might expect, files within this team are off-limits to users outside the team (the broader M365 Group).

Now, picture a file labeled as Classified residing within this team. The label automatically applies encryption and grants Co-Editor permissions to the entire organization. But here’s the twist: those label permissions do not, by themselves, give anyone access to the file.

User with no access

Role-Based Access Controls (RBAC) and Sensitivity Labels join forces to determine access. Here’s the bottom line: You either need team membership or explicit sharing to access the file. While the label ensures that only authorized users can open it, it doesn’t bypass the team membership requirement.

Stay with me—we’ll dive deeper into these concepts and clarify any lingering questions.

Encryption & Permissions

Copilot respects existing data protection measures. When content is encrypted, Copilot can only access it if the user has the EXTRACT usage right, which allows copying of text, in addition to VIEW.

So, what does that really mean?

The concept of individual usage rights, like EXTRACT, has been in use for a long time, evolving from Windows Server Rights Management to Active Directory Rights Management, and now to Azure Information Protection (AIP) with the Azure Rights Management service.

This service is part of AIP and provides encryption capabilities beyond Sensitivity Labels. AIP laid the groundwork for data protection, and Microsoft Purview Information Protection expands that foundation to address the challenges of managing data at scale. Together, they form a powerful duo for securing and governing sensitive information across the entire data landscape.

So, Copilot checks for VIEW and EXTRACT rights before returning data, ensuring compliance with organizational policies.

Do we even need Sensitivity Labels then?

Sensitivity Labels are the best option going forward. They are deeply integrated with Copilot, providing an additional layer of protection. When a file with a Sensitivity Label is used to create new content, the label and its protection settings are automatically inherited by the new content. And when you retrieve data from the M365 Chat, you will be notified about the most sensitive data you are working with.

Limitations without EXTRACT:

If content is encrypted with S/MIME or password protection, or does not include the EXTRACT usage right, Copilot cannot extract information from it. Copilot can interact with such files only if they are already open in the Office app (data in use).

Encryption Options in Microsoft Purview Information Protection

Microsoft Purview Information Protection offers a range of encryption options to safeguard your data. When configuring a sensitivity label to apply encryption, you have the option to Let users assign permissions when they apply the label, but more commonly you decide the permission level for a certain Sensitivity Label. You can choose predefined permission levels or custom permissions to control the usage rights.

For instance, the commonly used Co-Author permission level includes the EXTRACT right, allowing Copilot to display text from encrypted content.

Co-Author permissions

You might want to use Viewer in a specific R&D scenario where you want to protect Intellectual Property (IP) and ensure the content can’t be copied or extracted.

Viewer permissions
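
One way to check which encrypting labels leave Copilot able to extract content, as an added example that is not from the original post. It assumes each entry in a label's LabelActions is a JSON string whose encrypt action keeps its fixed grants in a rightsdefinitions setting; the function names, the second label name and the identity are hypothetical, and the sample labels are constructed.

```powershell
# Added example, not from the original post. Reports, per encrypting label, whether
# each grant carries the VIEW + EXTRACT usage rights the article says Copilot needs.
function Get-LabelExtractReport {
    param([Parameter(Mandatory, ValueFromPipeline)] $Label)
    process {
        foreach ($raw in $Label.LabelActions) {
            $action = $raw | ConvertFrom-Json
            if ($action.Type -ne 'encrypt') { continue }
            # Assumption: fixed permissions sit in a 'rightsdefinitions' setting as JSON.
            $defs = ($action.Settings | Where-Object Key -eq 'rightsdefinitions').Value
            if (-not $defs) {
                # No fixed rights (e.g. "Let users assign permissions"): flag for review.
                [pscustomobject]@{ Label = $Label.DisplayName; Identity = '(set by user)'
                                   Rights = ''; CopilotCanExtract = $null }
                continue
            }
            foreach ($grant in ($defs | ConvertFrom-Json)) {
                $rights = @($grant.Rights -split ',' | ForEach-Object { $_.Trim().ToUpper() })
                # OWNER (Full Control) includes every usage right, EXTRACT among them.
                $ok = ($rights -contains 'OWNER') -or
                      (($rights -contains 'VIEW') -and ($rights -contains 'EXTRACT'))
                [pscustomobject]@{ Label = $Label.DisplayName; Identity = $grant.Identity
                                   Rights = $rights -join ','; CopilotCanExtract = $ok }
            }
        }
    }
}

# Constructed sample objects shaped like Get-Label output (names and identity are made up).
function New-SampleLabel([string]$Name, [string]$Rights) {
    $settings = @(@{ Key = 'protectiontype'; Value = 'template' })
    if ($Rights) {
        $grant = @{ Identity = 'staff@contoso.example'; Rights = $Rights }
        $defs  = ConvertTo-Json -Compress -InputObject @($grant)
        $settings += @{ Key = 'rightsdefinitions'; Value = $defs }
    }
    $action = ConvertTo-Json -Compress -Depth 5 -InputObject @{ Type = 'encrypt'; Settings = $settings }
    [pscustomobject]@{ DisplayName = $Name; LabelActions = @($action) }
}

$samples = @(
    New-SampleLabel 'Classified' 'VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL'
    New-SampleLabel 'R&D IP (view only)' 'VIEW,VIEWRIGHTSDATA,OBJMODEL'
    New-SampleLabel 'User-defined' ''
)
$samples | Get-LabelExtractReport | Format-Table -AutoSize
# In a tenant: Connect-IPPSSession, then Get-Label | Get-LabelExtractReport
```

A True result only means the label does not block extraction; the user still needs access to the file itself through team membership or sharing, as in the Project Westeros scenario.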

Label Inheritance in Word

When creating new content based on an item with a sensitivity label, the label and its protection settings are automatically inherited. For example, if a user drafts with Copilot in Word and references a labeled file, the new content will carry the same label, ensuring consistent protection.

Word label awareness

Sensitivity in M365 Chat with Copilot

When using Microsoft 365 Chat with Copilot, the system displays the highest priority sensitivity label from the data used in the chat.

M365 Chat

This feature helps users understand the level of sensitivity of the data they’re interacting with, reinforcing the importance of handling such information with care.

Summary

In the realm of productivity and security, Microsoft Copilot stands as a reliable ally. Remember, Copilot can only access what you can, adhering to strict permissions to safeguard sensitive information.

Sensitivity Labels seamlessly integrate into Copilot, ensuring that only authorized individuals can access protected data. As organizations navigate the landscape of data protection, aligning Copilot usage with robust policies becomes paramount.

Stay informed about updates and best practices concerning Copilot and Sensitivity Labels to maximize productivity while upholding responsible data handling practices. Embrace Copilot as a powerful tool, knowing that its functionality is grounded in both efficiency and security. 🚀🔒

Thank you for reading
/Simon

