Microsoft Copilot (Microsoft 365): People connectors for Microsoft 365 Copilot

🚨 The Signal: Copilot will now integrate and enrich people data from various external sources via Graph connectors. This expands Copilot's knowledge base, potentially exposing more sensitive personnel information through AI interactions and profile cards.

The Impact

All users are affected, with a high risk of unintended sensitive data exposure through Copilot and profile cards.

  • End Users: Risk of oversharing personal or sensitive information via Copilot interactions.
  • Security Teams: Increased complexity in monitoring and preventing data leakage.
  • Admins: New data sources require careful configuration and access control.
  • Compliance Teams: Potential for non-compliance with data privacy regulations due to expanded data ingestion.

The Action

  1. Review existing Graph connector configurations to understand all ingested data sources.
  2. Assess data classification and sensitivity labels for all data flowing into Graph connectors.
  3. Implement or refine Microsoft Purview Data Loss Prevention (DLP) policies to detect and prevent sensitive information exposure via Copilot.
  4. Educate users on responsible Copilot usage and the potential for sensitive data exposure.
  5. Regularly audit Copilot interactions and data access logs for anomalous activity.
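An offline inventory pass for steps 1 and 2, as an added example that is not part of the original bulletin: it walks connection and schema JSON in the shape returned by Microsoft Graph `GET /external/connections` and `GET /external/connections/{id}/schema` and flags properties that carry people-data labels or sensitive-looking names. The sample data, the keyword list and the treatment of `person*` labels as people data are assumptions of this example.

```python
import re

# Constructed sample data in the shape of Microsoft Graph responses for
# GET /external/connections and GET /external/connections/{id}/schema.
CONNECTIONS = [
    {"id": "hrpeople", "name": "HR people data", "state": "ready"},
    {"id": "wikidocs", "name": "Engineering wiki", "state": "ready"},
    {"id": "legacycrm", "name": "Legacy CRM", "state": "draft"},
]
SCHEMAS = {  # keyed by connection id; legacycrm has no schema registered
    "hrpeople": {"properties": [
        {"name": "accountInfo", "isRetrievable": True, "labels": ["personAccount"]},
        {"name": "homeAddress", "isSearchable": True, "isRetrievable": True},
        {"name": "salaryBand", "isQueryable": True},
        {"name": "badgeColor", "isRetrievable": True},
        {"name": "nationalId"},
    ]},
    "wikidocs": {"properties": [{"name": "title", "isSearchable": True, "labels": ["title"]}]},
}

# Assumption: keyword list for sensitive-looking property names; tune per tenant.
SENSITIVE = re.compile(r"salary|address|birth|national|ssn|phone|medical", re.I)
EXPOSURE_FLAGS = ("isSearchable", "isQueryable", "isRetrievable", "isRefinable")

def audit(connections, schemas):
    """Return (connection id, property, reason, exposure flags) tuples to review."""
    findings = []
    for conn in connections:
        schema = schemas.get(conn["id"])
        if schema is None:  # nothing to classify yet; still worth tracking
            findings.append((conn["id"], None, "no-schema", []))
            continue
        for prop in schema.get("properties", []):
            exposed = [f for f in EXPOSURE_FLAGS if prop.get(f)]
            # Assumption: labels starting with "person" mark people data.
            people = any(l.startswith("person") for l in prop.get("labels", []))
            sensitive = bool(SENSITIVE.search(prop["name"]))
            if people:
                reason = "people-label"
            elif sensitive:
                reason = "sensitive-exposed" if exposed else "sensitive-unexposed"
            else:
                continue
            findings.append((conn["id"], prop["name"], reason, exposed))
    return findings

if __name__ == "__main__":
    print(*audit(CONNECTIONS, SCHEMAS), sep="\n")
```

Rows marked `sensitive-exposed` or `people-label` are the ones to check against sensitivity labels and DLP coverage first.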

Domain: Agentic-AI · Impact: high · Workload: Other