Microsoft Copilot (Microsoft 365): Dataverse data connected to Microsoft 365 Copilot
🚨 The Signal: Microsoft 365 Copilot can now query Dataverse business data. This expands Copilot's data access, increasing the risk of sensitive business data exposure if that access is not properly governed and secured.
The Impact
All Copilot users are affected, with a high risk of sensitive Dataverse business data exposure if access controls are not meticulously managed.
- Copilot users: Risk of over-privileged access to sensitive Dataverse information.
- Data owners: Increased risk of data exfiltration from Dataverse via Copilot.
- Security teams: New attack surface for data exposure and compliance breaches.
- Compliance officers: Potential for non-compliance with data handling regulations.
The Action
- Review and refine Dataverse security roles and profiles to enforce least privilege.
- Implement Data Loss Prevention (DLP) policies in Microsoft Purview to detect and prevent sensitive Dataverse data exfiltration via Copilot.
- Monitor Copilot usage logs for unusual queries or access patterns to Dataverse data.
- Educate users on responsible Copilot usage and data handling best practices.
- Assess existing Information Protection policies for Dataverse data sensitivity labels.
Domain: Agentic-AI · Impact: high · Workload: Microsoft Purview