(Updated) Microsoft Copilot Analytics: Data export public preview for Copilot metrics in the Copilot dashboard

🚨 The Signal: Microsoft Copilot Dashboard now allows exporting de-identified usage data for deeper analysis. This provides new visibility into AI adoption but requires careful access management to prevent data misuse.

The Impact

Copilot Dashboard users with company-level access can export de-identified usage data, posing a risk if access is not appropriately restricted.

  • Security Teams: Risk of data exfiltration if Copilot Dashboard access is over-privileged.
  • Admins: New data export capability requires review of existing access controls for Copilot Dashboard.
  • Compliance Teams: Need to update data handling policies for exported Copilot usage metrics.

The Action

  1. Review Entra ID roles and group memberships for all Copilot Dashboard users.
  2. Verify that only authorised personnel have 'full company-level data access' to the Copilot Dashboard.
  3. Implement or update data loss prevention (DLP) policies to monitor export of de-identified Copilot usage data.
  4. Communicate updated data handling guidelines to all personnel with Copilot Dashboard access.
  5. Regularly audit access logs for the Copilot Dashboard and Viva Insights web app.

Domain: Agentic-AI · Impact: medium · Workload: Other · Essential Eight: Restrict Administrative Privileges · ISM: ISM-0445, ISM-1175, ISM-1380, ISM-1507, ISM-1508, ISM-1509, ISM-1647, ISM-1648, ISM-1650, ISM-1686, ISM-1688, ISM-1689, ISM-1883, ISM-1897, ISM-1898