Microsoft Copilot (Microsoft 365): Library in the Microsoft 365 Copilot app

🚨 The Signal: Copilot now centralises user-generated and shared AI content in a 'Library'. This increases discoverability and potential for unintended data exposure if existing M365 permissions are not correctly applied and monitored.

The Impact

All users are affected, with a moderate security risk due to increased content visibility and potential for sensitive data exposure.

  • End-users: Increased visibility of Copilot-generated content, potentially exposing sensitive information.
  • Security Teams: New central repository requires review for data loss prevention (DLP) and access controls.
  • Data Owners: Content generated by Copilot is now more discoverable, requiring stricter permission management.
  • Compliance Teams: Potential for non-compliance if sensitive data is inadvertently shared via the Library.

The Action

  1. Review existing Microsoft 365 data loss prevention (DLP) policies to ensure they cover Copilot-generated content.
  2. Audit SharePoint Online and OneDrive for Business sharing settings to restrict broad access to sensitive documents.
  3. Educate users on responsible sharing practices for Copilot-generated content, emphasising data sensitivity.
  4. Monitor Microsoft Purview audit logs for unusual sharing activities related to Copilot content.
  5. Implement sensitivity labels for Copilot-generated content to enforce data protection policies.
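
One way to carry out step 4 offline against an exported audit search, as an added example that is not Microsoft's or this page's own code. It assumes each row is one AuditData JSON string from a Purview audit export; the `/CopilotLibrary/` path marker, the threshold of two links per hour and all sample records are constructed placeholders, since this page does not say how Library items appear in the log.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# SharePoint/OneDrive audit operations that create links usable beyond named people.
BROAD_LINK_OPS = {"AnonymousLinkCreated", "CompanyLinkCreated"}

def flag_broad_sharing(audit_rows, scope_marker, max_links=2, window=timedelta(hours=1)):
    """Return {user: [object_ids]} for users who created more than max_links
    broad sharing links on in-scope items inside any sliding time window."""
    events = defaultdict(list)
    for row in audit_rows:
        rec = json.loads(row)
        obj = rec.get("ObjectId", "")
        if (rec.get("Operation") not in BROAD_LINK_OPS
                or scope_marker.lower() not in obj.lower()):
            continue
        when = datetime.fromisoformat(rec["CreationTime"])
        events[rec.get("UserId", "unknown")].append((when, obj))
    flagged = {}
    for user, items in events.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # drop events that fell out of the window
            if end - start + 1 > max_links:
                flagged[user] = [o for _, o in items[start:end + 1]]
                break
    return flagged

def _row(t, op, user, path):
    return json.dumps({"CreationTime": t, "Operation": op, "UserId": user,
                       "ObjectId": "https://contoso.sharepoint.com" + path})

# Constructed sample records; "/CopilotLibrary/" is a placeholder path marker.
SAMPLE_ROWS = [
    _row("2025-01-10T09:00:00", "CompanyLinkCreated", "alice@contoso.com", "/CopilotLibrary/q3-plan.docx"),
    _row("2025-01-10T09:10:00", "AnonymousLinkCreated", "alice@contoso.com", "/CopilotLibrary/payroll.xlsx"),
    _row("2025-01-10T09:20:00", "AnonymousLinkCreated", "alice@contoso.com", "/CopilotLibrary/merger.pptx"),
    _row("2025-01-10T09:00:00", "CompanyLinkCreated", "bob@contoso.com", "/CopilotLibrary/notes-1.docx"),
    _row("2025-01-10T12:00:00", "CompanyLinkCreated", "bob@contoso.com", "/CopilotLibrary/notes-2.docx"),
    _row("2025-01-10T15:00:00", "CompanyLinkCreated", "bob@contoso.com", "/CopilotLibrary/notes-3.docx"),
    _row("2025-01-10T10:00:00", "AnonymousLinkCreated", "carol@contoso.com", "/CopilotLibrary/draft.docx"),
    _row("2025-01-10T10:05:00", "AnonymousLinkCreated", "carol@contoso.com", "/Shared/menu.pdf"),
    _row("2025-01-10T10:06:00", "FileAccessed", "carol@contoso.com", "/CopilotLibrary/draft.docx"),
]

if __name__ == "__main__":
    print(flag_broad_sharing(SAMPLE_ROWS, "/CopilotLibrary/"))
```

Replace the scope marker with whatever location or naming your tenant's audit records actually show for Copilot content, and tune the threshold to your normal sharing volume.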

Domain: M365-Apps · Impact: medium · Workload: M365 Apps