Microsoft Copilot (Microsoft 365): Copilot uses enterprise assets hosted on SharePoint OALs when creating presentations
🚨 The Signal: Copilot can now use images from SharePoint Organization Asset Libraries (OALs) to create presentations. This expands Copilot's access to internal visual assets, increasing the risk of sensitive image exposure if OALs are not properly secured.
The Impact
Content creators and security teams are affected, with a risk of sensitive organizational images being exposed if OAL permissions are misconfigured.
- Content Creators: Easier presentation generation, but risk of using unapproved or sensitive images if OALs are not curated.
- Security Teams: Increased surface area for data leakage if SharePoint OAL permissions are not strictly managed.
- Data Owners: Risk of sensitive visual data exposure if OAL content is not classified and access controlled.
- Compliance Officers: Potential for non-compliance if organizational assets in OALs are not handled according to data protection policies.
The Action
- Review all SharePoint Organization Asset Libraries for sensitive or unapproved content.
- Implement strict access controls (e.g., Entra ID groups) for all SharePoint OALs.
- Classify content within OALs using Microsoft Purview sensitivity labels.
- Educate users on appropriate use of Copilot with organizational assets and OAL content.
- Monitor SharePoint OAL access and usage for anomalous activity.
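An added example, not part of the original notice or any Microsoft tooling: one way to act on the curation and monitoring items above is to review exported audit events for an OAL. It assumes records that use the unified audit log field names `Operation`, `UserId` and `ObjectId`; the tenant URL, curator account, threshold and sample records are constructed.

```python
from collections import Counter

# Assumptions for illustration (not from the notice): library URL, curators, threshold.
OAL_PREFIXES = ("https://contoso.sharepoint.com/sites/branding/orgassets/",)
CURATORS = {"brand.admin@contoso.com"}
WRITE_OPS = {"FileUploaded", "FileModified", "FileDeleted"}
READ_OPS = {"FileAccessed", "FileDownloaded"}
BULK_READ_THRESHOLD = 3

def rec(user, op, url):
    """Build a constructed record with unified audit log field names."""
    return {"Workload": "SharePoint", "UserId": user, "Operation": op, "ObjectId": url}

OAL = "https://contoso.sharepoint.com/sites/branding/OrgAssets/"
# Constructed sample events, not real tenant data.
SAMPLE_AUDIT = [
    rec("brand.admin@contoso.com", "FileUploaded", OAL + "logo.png"),
    rec("j.doe@contoso.com", "FileUploaded", OAL + "org-chart-draft.png"),
    rec("m.lee@contoso.com", "FileAccessed", OAL + "logo.png"),
    rec("m.lee@contoso.com", "FileDownloaded", OAL + "logo.png"),
    rec("m.lee@contoso.com", "FileDownloaded", OAL + "banner.png"),
    rec("a.kim@contoso.com", "FileAccessed", OAL + "banner.png"),
    rec("j.doe@contoso.com", "FileDownloaded",
        "https://contoso.sharepoint.com/sites/hr/Docs/policy.docx"),
]

def in_oal(record):
    """True when the event's object URL sits under a monitored OAL."""
    return record.get("ObjectId", "").lower().startswith(OAL_PREFIXES)

def review(records):
    """Return findings: writes by non-curators, then heavy readers."""
    findings, reads = [], Counter()
    for r in records:
        if not in_oal(r):
            continue
        user, op = r.get("UserId", "").lower(), r.get("Operation")
        if op in WRITE_OPS and user not in CURATORS:
            # OAL content feeds Copilot, so changes by non-curators need review.
            findings.append(("uncurated-write", user, r["ObjectId"]))
        elif op in READ_OPS:
            reads[user] += 1
    for user, count in sorted(reads.items()):
        if count >= BULK_READ_THRESHOLD:
            findings.append(("bulk-read", user, count))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_AUDIT):
        print(finding)
```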
Domain: SharePoint · Impact: high · Workload: SharePoint