Microsoft Copilot (Microsoft 365): Graph Connectors in CIQ

🚨 The Signal: Copilot will soon allow grounding prompts with third-party data via Graph Connectors. This expands Copilot's data access, increasing the attack surface for sensitive information if not properly governed.

The Impact

All Copilot users are affected. The risk is rated high because Copilot gains access to third-party data through Graph Connectors, which increases the potential for unauthorized disclosure of sensitive information.

  • Security Teams: Increased risk of data exposure from third-party sources.
  • Data Owners: New considerations for data classification and access controls.
  • Compliance Officers: Greater complexity in meeting data privacy regulations.
  • End Users: Potential for inadvertent exposure of sensitive information.

The Action

  1. Review and classify all data exposed via Graph Connectors for sensitivity.
  2. Implement strict access controls and permissions for Graph Connector data sources.
  3. Develop and enforce Copilot usage policies regarding third-party data interaction.
  4. Monitor Copilot audit logs for unusual access patterns to Graph Connector data.
  5. Educate users on responsible prompting and data handling with third-party data.
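As an added example supporting step 4 (it is not code from the original signal or from Microsoft), the script below runs two simple detections over constructed Copilot audit records: a burst of distinct Graph Connector items read by one user within a short window, and any read of an item from a connector that is not on the tenant's approved list (step 2). The record layout (`CreationTime`, `UserId`, `AccessedResources[]` with `Type`, `ConnectionId`, `Id`) is an assumed simplification, not the real unified audit log schema; map the field names to what your export actually contains before use.

```python
"""Toy detection logic for Copilot access to Graph Connector data.

Added example, not part of the original signal. The JSON layout below is an
ASSUMED simplification of Copilot interaction audit records; adjust the field
names to the real export before running this against tenant data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real audit data). One JSON object per line.
SAMPLE_LOG = """\
{"CreationTime": "2024-05-01T09:00:00", "UserId": "alice@contoso.example", "Operation": "CopilotInteraction", "AccessedResources": [{"Type": "ExternalItem", "ConnectionId": "hr-policies", "Id": "ext-1"}, {"Type": "ExternalItem", "ConnectionId": "hr-policies", "Id": "ext-2"}]}
{"CreationTime": "2024-05-01T09:02:00", "UserId": "alice@contoso.example", "Operation": "CopilotInteraction", "AccessedResources": [{"Type": "ExternalItem", "ConnectionId": "hr-policies", "Id": "ext-3"}, {"Type": "ExternalItem", "ConnectionId": "hr-policies", "Id": "ext-4"}]}
{"CreationTime": "2024-05-01T09:04:00", "UserId": "alice@contoso.example", "Operation": "CopilotInteraction", "AccessedResources": [{"Type": "ExternalItem", "ConnectionId": "hr-policies", "Id": "ext-5"}, {"Type": "ExternalItem", "ConnectionId": "hr-policies", "Id": "ext-6"}]}
{"CreationTime": "2024-05-01T09:10:00", "UserId": "bob@contoso.example", "Operation": "CopilotInteraction", "AccessedResources": [{"Type": "ExternalItem", "ConnectionId": "hr-policies", "Id": "ext-1"}, {"Type": "SharePoint", "Id": "site-42"}]}
{"CreationTime": "2024-05-01T09:30:00", "UserId": "bob@contoso.example", "Operation": "CopilotInteraction", "AccessedResources": [{"Type": "ExternalItem", "ConnectionId": "hr-policies", "Id": "ext-2"}]}
{"CreationTime": "2024-05-01T11:00:00", "UserId": "carol@contoso.example", "Operation": "CopilotInteraction", "AccessedResources": [{"Type": "ExternalItem", "ConnectionId": "legacy-wiki", "Id": "wiki-9"}]}
"""

WINDOW = timedelta(minutes=10)   # sliding window for the burst check
THRESHOLD = 5                    # distinct connector items per user per window; tune per tenant


def load_events(log_text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def connector_resources(event):
    """Yield only the Graph Connector (ExternalItem) resources of one record."""
    for res in event.get("AccessedResources", []):
        if res.get("Type") == "ExternalItem":
            yield res


def find_burst_access(events, window=WINDOW, threshold=THRESHOLD):
    """Flag users who touch >= threshold distinct connector items within `window`.

    Returns one alert per user, anchored at the start of the first window that
    crosses the threshold."""
    per_user = defaultdict(list)
    for ev in events:
        items = {r["Id"] for r in connector_resources(ev)}
        if items:
            per_user[ev["UserId"]].append((datetime.fromisoformat(ev["CreationTime"]), items))

    alerts = []
    for user, rows in per_user.items():
        rows.sort(key=lambda r: r[0])
        for i, (t0, _) in enumerate(rows):
            seen = set()
            for t, items in rows[i:]:
                if t - t0 > window:
                    break
                seen |= items
            if len(seen) >= threshold:
                alerts.append({"user": user, "start": t0.isoformat(), "distinct_items": len(seen)})
                break
    return alerts


def find_unapproved_connectors(events, approved_connections):
    """Return (user, connection, item) for every read from a connector not on the allowlist."""
    hits = []
    for ev in events:
        for res in connector_resources(ev):
            conn = res.get("ConnectionId")
            if conn not in approved_connections:
                hits.append((ev["UserId"], conn, res["Id"]))
    return hits


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for a in find_burst_access(evs):
        print("burst:", a)
    for h in find_unapproved_connectors(evs, {"hr-policies"}):
        print("unapproved connector:", h)
```

The burst threshold and window are deliberately small so the constructed data triggers; in practice they should be derived from a baseline of normal Copilot usage per connector, and the unapproved-connector check should read its allowlist from the same source of truth used to provision connections.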

Domain: Agentic-AI · Impact: high · Workload: Microsoft Purview