A summary of the key takeaways from the Copilot Governance OnPoint session on July 24, 2024 

Copilot for Microsoft 365 is a powerful tool that can help you ideate, create, and deliver your daily work using natural language, speech, and vision. It can answer your questions, generate content, execute commands, and access information across your Microsoft 365 tenant and the web. But how can you ensure that your data is secure and compliant when using Copilot? And how can you prepare your data to get the best results from Copilot? 

In this blog post, I will share some of the highlights from the Copilot Governance OnPoint webinar on 24th July 2024, where we discussed the Copilot for Microsoft 365 architecture, governance, and best practices. I will also provide some helpful links and resources to help you get started with Copilot and optimise your data security. 

 

Copilot for Microsoft 365 Architecture 

Copilot for Microsoft 365 is built on a sophisticated orchestration engine that leverages large language models (LLMs), Microsoft Graph, Bing, and other services to provide intelligent and relevant responses to your prompts. The Copilot for Microsoft 365 architecture consists of six stages: 

  • Stage 1: User prompt. This is where you enter your query or command in your favourite canvas, such as Teams, Word, PowerPoint, or Copilot on Bing. 

  • Stage 2: Pre-processing. This is where Copilot processes your prompt through an approach called grounding, which improves the specificity of the prompt and ensures that you get answers that are relevant and actionable to your specific task. 

  • Stage 3: Retrieval. This is where Copilot retrieves the right content from Graph, Bing, and other sources to provide the LLM with the information it needs to generate a response. 

  • Stage 4: Generation. This is where Copilot uses a technique called retrieval-augmented generation to produce a response based on the user prompt, the grounding data, the chat history, and the system prompt. 

  • Stage 5: Post-processing. This is where Copilot performs responsible AI checks, security, compliance, and privacy reviews, and command generation. 

  • Stage 6: Copilot response. This is where Copilot returns a recommended response and commands back to the apps where you can review and assess the suggested response. 


Diagram that shows the relationship among the components of Microsoft Copilot for Microsoft 365, such as Microsoft Graph and LLM.

 

Copilot for Microsoft 365 respects your data privacy and security and does not use your business data to train the foundation models. It also honours the user identity-based access boundary, so that it only accesses content that you are authorised to access. Furthermore, it supports data protection and governance features such as sensitivity labels, data loss prevention, retention policies, information barriers, and more. 

 

Copilot for Microsoft 365 Governance 

To get the most out of Copilot for Microsoft 365, you need to have a strong foundation of data security and governance in your Microsoft 365 tenant. This means that you need to review and audit your data sources, permissions, external sharing, and business policies to ensure that your data is not unintentionally leaked or overshared. You also need to apply appropriate data protection and compliance controls to your data, such as sensitivity labels, data loss prevention policies, retention policies, and more. 

To help you with this process, Microsoft have created a Copilot for Microsoft 365 Optimisation Assessment, which is a questionnaire that evaluates your data governance maturity and data security controls. You can access the assessment here: https://www.microsoft.com/en-us/solutionassessments/safeedbackform

 

Based on the outcomes of the assessment, you can determine your path forward and follow the recommended activities to optimise your data security. There are three paths: Baseline, Core, and Best-in-Class. 

 

  • Baseline: This is the minimum requirement to deploy Copilot for Microsoft 365. You need to have an Office 365 E3 or higher license and complete the Copilot for Microsoft 365 setup guide. If you have any concerns about your data security, you can enable Restricted SharePoint Search, which limits Copilot experiences and organisation-wide search to a select set of SharePoint sites, as well as your individual files and content. 

  • Core: This is the recommended path to further optimise your data security controls. You need to have an Office 365 E3, Microsoft 365 Business Standard/Premium, or higher license, and a SharePoint Advanced Management license. You can use SharePoint Advanced Management features such as Data Access Governance reports, Restricted Access Control, Block Download Policy, Inactive Site Policy, and more to restrict data oversharing and data leaks. You can also use Microsoft Purview features such as sensitivity labels, data loss prevention policies, retention policies, content explorer, and more to protect, retain, and dispose of your data. 

  • Best-in-Class: This is the top-tier path to achieve the highest level of data security and compliance. You need to have a Microsoft 365 E5 license and a SharePoint Advanced Management license. You can use advanced features such as automatic sensitivity labelling, adaptive protection policies, endpoint data loss prevention, communication compliance, eDiscovery Premium, and more to dynamically protect, detect, and respond to data risks and incidents. 
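The external-sharing review and the Restricted SharePoint Search option from the Baseline path can be scripted with the SharePoint Online Management Shell. The following is an added example, not code from the webinar or from Microsoft; the tenant URL and the curated site list are placeholder assumptions, and the 100-site check reflects the documented allowed-list limit as I understand it.

```powershell
# Added example. Requires the Microsoft.Online.SharePoint.PowerShell module
# and a SharePoint Administrator account.
# Placeholder values (assumptions, not from the post):
$AdminUrl     = 'https://contoso-admin.sharepoint.com'
$CuratedSites = @(
    'https://contoso.sharepoint.com/sites/HR-Policies',
    'https://contoso.sharepoint.com/sites/ProductDocs'
)

Connect-SPOService -Url $AdminUrl

# 1. Audit: list every site whose sharing setting allows people outside the tenant.
$shared = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability, Owner, LastContentModifiedDate
$shared | Sort-Object SharingCapability, Url | Format-Table -AutoSize

# 2. Guard: a site that Copilot and org-wide search may draw on should not
#    also allow anonymous ("Anyone") links. Stop so the owner can review it.
$risky = $shared | Where-Object {
    $_.SharingCapability -eq 'ExternalUserAndGuestSharing' -and
    $CuratedSites -contains $_.Url
}
if ($risky) {
    Write-Warning ($risky | Format-Table Url, SharingCapability | Out-String)
    throw 'Review sharing on these sites before adding them to the allowed list.'
}
if ($CuratedSites.Count -gt 100) {
    throw 'The Restricted SharePoint Search allowed list accepts at most 100 sites.'
}

# 3. Enable Restricted SharePoint Search and register the curated sites.
Set-SPOTenantRestrictedSearchMode -Mode Enabled
Add-SPOTenantRestrictedSearchAllowedList -SitesList $CuratedSites

# 4. Verify the tenant state that Copilot and search will now honour.
Get-SPOTenantRestrictedSearchMode
Get-SPOTenantRestrictedSearchAllowedList
```

Restricted SharePoint Search does not change any permissions: users can still open everything they already have access to, so the sharing findings from step 1 still need to be remediated.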

 

In addition to optimising your data security, you also need to prepare your data to get the best results from Copilot. This means that you need to archive or delete old or irrelevant data, structure your files, folders, and sites logically, tag your content with labels and metadata, use consistent and descriptive file names, and retain only the final version of documents. You also need to educate your users on good data hygiene habits and best practices for using Copilot. 

 

Conclusion

Copilot for Microsoft 365 is a game-changer for your productivity and creativity. It can help you with a variety of tasks and scenarios, such as drafting emails, creating presentations, generating reports, finding answers, and more. But to use Copilot effectively and securely, you need to have a solid data security and governance strategy in place. You also need to prepare your data to make it easy for Copilot to access and reference. By following the steps and resources we shared in this blog post, you can get started with Copilot and optimise your data security in no time. 

If you want to learn more about implementing security and data governance for Copilot for Microsoft 365, you can check out the following links and resources: 

 

If you have any questions or feedback, please feel free to contact me at lauren.nobbs@dickerdata.co.nz