Skip to main content

Copilot Inherits Every Permission Mistake You Ever Made. Fix Them First.

Nick Ross9 min read

TL;DR

  • Copilot for Microsoft 365 respects existing access controls, which means it faithfully surfaces every document and channel a user was granted by accident.
  • As of January 2024, Copilot is available to businesses of all sizes with no seat minimums, so the governance work can no longer wait for an enterprise budget.
  • A compromised account with Copilot becomes a search engine for sensitive data, collapsing the time an attacker needs to find payroll files or financials.
  • Sensitivity labels block Copilot from answering questions about a document even when the user has access to the repository it lives in.
  • Without Microsoft 365 E5 or similar enterprise licensing there is no automated way to discover where sensitive data lives, so we would not deploy Copilot on Business Standard at all.

Copilot for Microsoft 365 does not create new access. It indexes what each user can already reach, in mailboxes, SharePoint repositories, Teams chats, and more, and serves it back on demand. That design is the product's security story and its security problem at the same time, because most tenants are carrying years of permission decisions nobody remembers making.

The timing matters. As of January 2024, Microsoft removed the seat minimums (opens in new tab) and opened Copilot for Microsoft 365 to businesses of all sizes. Every MSP now has customers who can buy it tomorrow. Reselling it without a data governance plan transfers their permission debt straight into an AI that answers questions. Done right, the same engagement becomes both a revenue stream and a real improvement in the client's security and data management posture. Here is how we would approach it.

Permission-aware is not the same as safe

When Copilot is enabled in an organization, it begins indexing data across user mailboxes, SharePoint, Teams chats, and other sources. The architecture respects existing access controls and Microsoft 365 compliance policies when deciding what to return for a prompt.

Copilot for Microsoft 365 architecture showing how prompts are grounded against tenant data

So if a user asks "Provide me a summary from all emails from Bruce Wayne over the past week," Copilot summarizes their own mailbox. Ask it to summarize the CEO's mailbox instead and it declines. The boundary holds.

The trouble starts with files, file repositories, and sensitive documents a user has inadvertent access to. In a video demonstration from January 2024 (opens in new tab), a simple request for every document and chat referencing "Live Chat" returned a citation to a document the asker never knew existed, inside a Teams channel they did not know they were a member of. That document happened to be harmless. The pattern is not. The example making the rounds is users asking Copilot for other employees' salary information and getting it, because somewhere along the way they were granted access to the file.

Start asking the uncomfortable questions:

  • What if someone got access to sensitive HR documents?
  • What if someone had access to key IP or financial information about the company?
  • As a healthcare company, what if someone was able to access medical records?

Your mind can keep going from there, for your own business and for every business you manage.

Who actually exploits inherited access?

Three scenarios turn quiet oversharing into an incident:

  • The insider. Any employee with inadvertent access to sensitive data can sit on that knowledge and choose not to disclose it. When they leave, they can exploit it.
  • The accidental exfiltrator. Users with rights to a document can save copies or share it onward, internally or externally, into unsecured and unauthorized locations. Nothing stops them, because the permissions say they are allowed.
  • The threat actor. Consider a compromised account. The speed at which a bad actor can locate sensitive information has increased exponentially: they can open Copilot chat and prompt their way to what they need, or use what they find as social engineering material to move laterally through the organization. Copilot is a powerful weapon in those hands.

For scoping, here is the current list of supported file types for the user-level and tenant-level Copilot indexes:

Supported file types for the Copilot user-level and tenant-level semantic index

Check the licensing before you promise anything

Copilot for Microsoft 365 is an add-on with the following prerequisite licenses:

  • Microsoft 365 E5
  • Microsoft 365 E3
  • Office 365 E3
  • Office 365 E5
  • Microsoft 365 A5 for faculty
  • Microsoft 365 A3 for faculty
  • Office 365 A5 for faculty
  • Office 365 A3 for faculty
  • Microsoft 365 Business Standard
  • Microsoft 365 Business Premium

The catch: a majority of the advanced access control and compliance features live in licenses like E5. On Business Standard alone, we would not touch Copilot. There is no automated way to govern data management in that tenant, full stop.

For SMB customers, Business Premium has the best mix of governance features:

  • Information protection labels
  • Data loss prevention policies
  • Retention policies
  • Dynamic groups
  • The on-premises file share scanner

Even Business Premium gives you no automated discovery of where sensitive data lives without stepping up to an enterprise plan, which is why we expect many organizations to reach for a cheaper third-party tool for sensitive data discovery.

MSPs, who likely hold Entra ID P2 licensing themselves, should also review the Entra ID Governance licensing fundamentals (opens in new tab) for the advanced access control features by license.

The nine-step governance audit, in three phases

The silver lining of Copilot is that it forces a data governance strategy on organizations that never had one. Most businesses, especially in SMB, cannot answer questions like:

  • How does your organization define sensitive data within the business?
  • Do you know how data flows through your organization?
  • Where does sensitive data exist within your organization?
  • How are users granted access to sensitive data or documents?
  • What are your sharing policies within your Microsoft environment?

These definitions belong in any AI readiness assessment. The protections themselves come down to two things: access controls and data protection. Mapped to the CIS Controls (opens in new tab), that is Control 3 (Data Protection) and Control 6 (Access Control Management). What follows is a hypothetical assessment an organization can run to audit itself and start building a data governance framework that fits its business.

Phase one: define and discover

1. Define what sensitive data means to your business. Sensitive data at a healthcare company looks nothing like sensitive data at a small business that repairs iPhones. Think about internal information and external customer or patient information:

  • Where is our HR, payroll, and expense information stored?
  • Where are the company financials located?
  • Do we have any PII such as credit card info, social security numbers, or routing numbers?
  • What data would we be concerned about getting into the wrong hands?

Run this exercise with key executive peers, not alone at a keyboard.

2. Identify where sensitive data lives in Microsoft 365. This is the hard one. SharePoint is the backbone of both SharePoint sites and Teams channel document repositories, so it is the key auditing location: all shared documents live there. Depending on licensing, Microsoft Purview's advanced features can automate document scanning, but most business licensing (including Microsoft 365 Business Premium) does not include them, and even where it does, the built-in classifiers look for traditional PII rather than what your business considers confidential. Our recommended sequence:

  • Start with the key departments (HR, Finance, Legal, and so on)
  • Identify the Teams channels and SharePoint sites those departments use
  • Audit those locations first, as a priority
  • Document any sensitive files and folders

Weigh time against impact: hours spent in these locations buy the broadest protection. Many companies will end up evaluating a third-party tool for sensitive data discovery; we have no solid recommendation to offer yet.

Phase two: restrict and label

3. Evaluate existing sharing policies, internal and external. By default, Microsoft's settings let users share files with anyone, inside or outside the organization. That default minimizes friction and maximizes exfiltration risk.

Default SharePoint external sharing settings set to Anyone

Review these settings in the SharePoint admin center, and then per-site for every location flagged in your audit.

4. Formulate a data classification taxonomy. Microsoft Purview's information protection labels (opens in new tab) ship with licenses like Microsoft 365 Business Premium. Labels tag documents by sensitivity and carry custom controls: encryption, blocked external sharing, limited visibility, and more. Public, Private, and Confidential is a perfectly good starter set.

Labels are also a Copilot-specific control. A labeled document is off limits to Copilot answers even for users with access to the repository. Worked example: Bruce Wayne works the help desk but was inadvertently added to a group that belongs to the Finance Teams channel, so he can see the Finance document repository. Flash Gordan actually works in Finance. Flash creates a document detailing the company's 2023 financials, tags it Confidential with protections limiting it to three named people, and saves it to the channel. When Bruce asks Copilot about 2023 financials, Copilot returns nothing, because it honors the label. Simple mechanism, real protection.

Two recommendations if you are starting from zero:

  • Start simple. One Confidential label already protects your most important data, and you can add more over time. Even mature, we would cap the taxonomy at five labels so users are not confused.
  • Add granular protections gradually. Label adoption is a people problem. You can make labeling mandatory on save, but without proper training first it creates chaos.

5. Evaluate existing access controls. Group membership, not individual user assignment, is the preferred way to grant rights to sites and document repositories. That forces a look at change management: onboarding, offboarding, and lateral moves. Within Entra ID, the preferred mechanism is dynamic groups (requires Entra ID P1), which automate access based on attributes like job title, department, or whether the account is enabled, granting and removing access to documents, Teams channels, and SharePoint sites as people change roles.

Review the membership of every sensitive site and Teams channel for members who do not need access. If Entra ID P2 is in play (rare in SMB, common for MSPs, and included in enterprise licensing like E5), look at catalogs and entitlement management (opens in new tab) in Entra ID Governance (opens in new tab).

Phase three: act and operationalize

6. Apply sensitivity labels to the most sensitive data first. With the audit and prep done, take action where it counts: label the most sensitive information you discovered. This is the single biggest move in preparing the company for AI and Copilot.

7. Update access controls. Depending on what the audit surfaced, this can include:

  • Removing users from repositories, Teams channels, and SharePoint sites
  • Updating group memberships
  • Creating new dynamic groups
  • Archiving stale Teams channels and SharePoint sites
  • Defining a new SOP for change management: onboarding, offboarding, lateral moves, Teams access, SharePoint site access

8. Apply sharing and repository-creation restrictions. Tighten internal and external sharing beyond the defaults. And if everyone in the company can create a new Teams channel, that is a problem: beyond the sprawl, it is an easy path to data exfiltration. Useful references:

9. Build the lifecycle, not just the cleanup. Everything above is a one-time win unless an ongoing process and a written data governance policy follow it. Run a gap analysis against today and set dated goals:

  • One label today, three defined by the end of the year
  • Manual group membership reviews today, automated access reviews (opens in new tab) in Entra ID later
  • Optional labeling today, mandatory labeling after proper end-user training
  • Automatic labeling later, if the business handles document-heavy PII

Fold retention policies (opens in new tab) into the lifecycle as well. CIS Control safeguards call for a data destruction definition, and keeping data forever quietly expands both the privacy and the security footprint. Decide how long data lives, and enforce it.

Tighten the edges: DLP, privileged roles, and on-prem files

A few controls that did not fit the audit flow but belong in the plan:

  • Data loss prevention policies. Included with Microsoft 365 Business Premium, DLP policies help stop sensitive data from moving across the organization to users who should not have it.
  • Privileged Identity Management. Highly privileged roles (SharePoint admin, Teams admin, and similar) see more through Copilot simply because their accounts can reach more. Our recommendation is twofold: keep these roles on service accounts rather than actively licensed users, and either way make the roles eligible-on-activation with PIM, which applies just-in-time, just-enough access instead of standing rights. PIM requires Entra ID P2.
  • On-premises file shares. The Microsoft Purview Information Protection scanner (opens in new tab) extends document scanning to on-prem shares.

Further reading from Microsoft:

Frequently asked questions

Can Copilot show a user data they do not have permission to access?

No. Copilot's architecture respects existing Microsoft 365 access controls and compliance policies. The risk runs the other way: it surfaces everything the user technically can access, including documents and Teams channels they were granted by mistake and never knew about.

Do sensitivity labels stop Copilot from reading a document?

A label with protection settings restricts Copilot from analyzing or answering questions about that document, even for users who have access to the site or channel where it is stored. That makes labels one of the strongest Copilot-specific controls available.

Is Microsoft 365 Business Premium enough to govern Copilot data?

It covers the essentials: information protection labels, DLP policies, retention policies, dynamic groups, and the on-premises scanner. What it lacks is automated discovery of sensitive data across the tenant, which stays behind enterprise plans like E5, so the discovery work is manual or third party.

Find the oversharing before Copilot does

CloudCapsule checks sharing defaults, guest access, and the permission sprawl that turns Copilot into a liability, across every tenant you manage. 250+ controls, results in about 60 seconds.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading