Microsoft Copilot (Microsoft 365): Scope delegated mailbox access for emails in Business Chat
🚨 The Signal: Copilot's Business Chat now respects delegated mailbox permissions when querying emails. This prevents Copilot from accessing emails in delegated mailboxes if the user's permissions do not allow it, reducing potential overexposure of sensitive information.
The Impact
Users with delegated mailbox access are affected; the change reduces the risk of Copilot exposing emails beyond the permissions those users were actually granted.
- Users: Copilot will no longer show emails from delegated mailboxes if they lack direct access, reducing unintended data visibility.
- Security Teams: Reduced risk of Copilot-driven data exposure from delegated mailboxes, improving data governance.
- Compliance Teams: Enhanced adherence to 'need-to-know' principles for email access via Copilot.
- Admins: No direct administrative action required, but awareness of this improved security posture is beneficial.
The Action
- Review existing delegated mailbox permissions in Exchange Online to ensure they align with 'least privilege' principles.
- Communicate to users that Copilot's email search results will now strictly adhere to their delegated mailbox access.
- Monitor Copilot usage logs for any unexpected access patterns; the change reduces the risk, but it does not replace monitoring.
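One way to carry out the permission review in the first action item, as an added example rather than Microsoft's own guidance: a PowerShell script for the ExchangeOnlineManagement module that enumerates FullAccess, Send As and Inbox folder delegations across all mailboxes, skips owner, system and inherited entries, and writes the result to a CSV for comparison against the intended delegations. The CSV path and the "more than 3 mailboxes" threshold are assumptions chosen for the example.

```powershell
# Added example: enumerate delegated mailbox permissions in Exchange Online for a
# least-privilege review. Requires the ExchangeOnlineManagement module and an account
# holding at least the View-Only Recipients role.
Connect-ExchangeOnline -ShowBanner:$false

$report = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    $id = $mbx.PrimarySmtpAddress

    # Mailbox-level delegations (e.g. FullAccess), skipping inherited ACEs,
    # NT AUTHORITY\SELF and the owner's own entry
    Get-EXOMailboxPermission -Identity $id |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' -and $_.User -ne $id } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $id; Scope = 'Mailbox'; Delegate = $_.User
                               Rights = ($_.AccessRights -join ','); Deny = $_.Deny }
        }

    # Send As delegations (recipient permissions)
    Get-RecipientPermission -Identity $id |
        Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $id; Scope = 'SendAs'; Delegate = $_.Trustee
                               Rights = ($_.AccessRights -join ','); Deny = ($_.AccessControlType -eq 'Deny') }
        }

    # Folder-level delegations on the Inbox (Outlook sharing), skipping Default/Anonymous
    Get-MailboxFolderPermission -Identity "$($id):\Inbox" -ErrorAction SilentlyContinue |
        Where-Object { $_.User.DisplayName -notin @('Default', 'Anonymous') } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $id; Scope = 'Inbox'; Delegate = $_.User.DisplayName
                               Rights = ($_.AccessRights -join ','); Deny = $false }
        }
}

# Full inventory for review (path is an assumption for this example)
$report | Sort-Object Mailbox, Scope | Export-Csv -Path .\delegated-mailbox-access.csv -NoTypeInformation

# Delegates reaching many mailboxes are the first candidates for a least-privilege check
# (threshold of 3 is an assumption; adjust to the tenant)
$report | Group-Object Delegate | Where-Object Count -gt 3 | Select-Object Name, Count

Disconnect-ExchangeOnline -Confirm:$false
```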
Domain: Agentic-AI · Impact: medium · Workload: M365 Apps