Microsoft Copilot (Microsoft 365): Calendar search for email delegates

🚨 The Signal: Copilot Chat now allows email delegates to search other users' calendars for meetings. This expands data access for AI agents, increasing the risk of unintended information exposure if delegate permissions are not tightly controlled.

The Impact

Delegates with calendar access can now search those calendars through Copilot, which increases data exposure risk if permissions are not reviewed.

  • Security Teams: Increased risk of sensitive calendar data exposure via Copilot.
  • Admins: Need to review and potentially restrict delegate calendar permissions.
  • End Users: Calendar information may be more broadly accessible through AI agents.
  • Compliance Teams: New data access vector requires re-assessment against ISM controls.

The Action

  1. Review existing Exchange Online delegate permissions for calendars via PowerShell: Get-MailboxFolderPermission -Identity <Mailbox>:\Calendar
  2. Audit delegate access for 'Full Access' or 'Editor' roles on sensitive calendars.
  3. Implement or refine a policy for granting calendar delegate permissions based on least privilege.
  4. Educate users and delegates on appropriate use of Copilot Chat with calendar data.
  5. Monitor Microsoft Purview Audit logs for Copilot activities involving calendar searches by delegates.
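
Steps 1 and 2 as a tenant-wide sweep, added here as an example (not Microsoft's code or part of the original advisory). It assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session and the default folder name "Calendar"; the helper name Select-BroadCalendarGrant and the sample rows are hypothetical.

```powershell
# Added example: flag calendar grants that give a delegate Editor-or-higher access.
# Live path assumes the ExchangeOnlineManagement module and a Connect-ExchangeOnline
# session; without one, the constructed sample rows below are used instead.
$HighRoles = 'Owner', 'PublishingEditor', 'Editor'

function Select-BroadCalendarGrant {   # hypothetical helper name
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        $rights = @($Entry.AccessRights | ForEach-Object { "$_" })
        $flags  = "$($Entry.SharingPermissionFlags)"
        $reason = @()
        if ($rights | Where-Object { $_ -in $HighRoles }) { $reason += 'Editor or higher' }
        if ($flags -match 'Delegate')            { $reason += 'delegate' }
        if ($flags -match 'CanViewPrivateItems') { $reason += 'sees private items' }
        if ($reason.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $Entry.Mailbox
                Grantee = "$($Entry.User)"
                Role    = $rights -join ','
                Reason  = $reason -join '; '
            }
        }
    }
}

if (Get-Command Get-MailboxFolderPermission -ErrorAction SilentlyContinue) {
    # Assumes the default folder name "Calendar"; localized mailboxes use another name.
    $rows = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        ForEach-Object {
            $mbx = $_.UserPrincipalName
            Get-MailboxFolderPermission -Identity "${mbx}:\Calendar" -ErrorAction SilentlyContinue |
                Select-Object @{ n = 'Mailbox'; e = { $mbx } }, User, AccessRights, SharingPermissionFlags
        }
} else {
    # Constructed sample rows (not real tenant data)
    $rows = @(
        [pscustomobject]@{ Mailbox = 'ceo@contoso.example'; User = 'Default'; AccessRights = @('AvailabilityOnly'); SharingPermissionFlags = '' }
        [pscustomobject]@{ Mailbox = 'ceo@contoso.example'; User = 'EA One'; AccessRights = @('Editor'); SharingPermissionFlags = 'Delegate, CanViewPrivateItems' }
        [pscustomobject]@{ Mailbox = 'cfo@contoso.example'; User = 'Finance Team'; AccessRights = @('Reviewer'); SharingPermissionFlags = '' }
    )
}

$rows | Select-BroadCalendarGrant | Sort-Object Mailbox, Grantee | Format-Table -AutoSize
```

Mailbox-level 'Full Access' grants are not folder permissions and do not appear in this output; they are listed separately by Get-MailboxPermission.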

Domain: Agentic-AI · Impact: high · Workload: Other · Essential Eight: Restrict Administrative Privileges · ISM: ISM-0445, ISM-1175, ISM-1380, ISM-1507, ISM-1508, ISM-1509, ISM-1647, ISM-1648, ISM-1650, ISM-1686, ISM-1688, ISM-1689, ISM-1883, ISM-1897, ISM-1898