Table of Contents
Compliance through Sensitivity Labels, Audit Events, and Compliance Records
Now that the fuss around the general availability of Microsoft 365 Copilot (November 1) is fading, organizations face the harsh reality of deciding whether to invest a minimum of $108,000 (300 Copilot licenses for a year) to test the effectiveness of an AI-based digital assistant is worthwhile. Before deploying any software, companies usually have a checklist to validate that the software is suitable for their users. The checklist might contain entries such as:
- Training available and suitable for users and administrators.
- Requisite software (like Outlook Monarch) and licenses in place.
- Users to receive licenses are identified.
- Success factors quantified and documented.
- Support for compliance technology available.
In MC686593 (updated 6 November, 2023), Microsoft addresses the last point by laying out how Purview compliance solutions support the deployment of Microsoft 365 Copilot. Rollout of the capabilities are due between now and mid-December 2023.
Sensitivity Labels Stop Microsoft 365 Copilot Using Content
Microsoft 365 Copilot depends on an abundance of user information stored in Microsoft 365 repositories like SharePoint Online and Exchange Online. With information to set context and provide the source for answering user prompts, Copilot cannot work. The possibility that Copilot might include sensitive information in its output is real, and it’s good to know that Copilot respects the protection afforded by sensitivity labels. The rule is that if a sensitivity label applied to an item allows a user at least read access, its content is available to Copilot to use when responding to prompts from that user. If the label blocks access, Copilot can’t use the item’s content.
Audit Events Record Microsoft 365 Copilot Interactions
Recent changes in the Microsoft 365 unified audit log and the surrounding ecosystem have not been good. The Search-UnifiedAuditLog cmdlet doesn’t work as it once did, a factor that might impact the way organizations extract audit data for storage in their preferred SIEM. Some will not like the removal of the classic audit search from the Purview compliance portal in favor of the asynchronous background search feature. Both changes seem to be an attempt by Microsoft to reduce the resources consumed by audit searches. This tactic is perfectly acceptable if communicated to customers. The problem is the deafening silence from Microsoft.
On a positive note, the audit log will capture events for Copilot prompts from users and the responses generated by Copilot in a new Interacted with Copilot category. These events can be searched for and analyzed using the normal audit retrieval facilities.
Compliance Records for Microsoft 365 Copilot
The Microsoft 365 substrate captures Copilot prompts and responses and stores this information as compliance records in user mailboxes, just like the substrate captures compliance records for Teams chats. Microsoft 365 retention policies for Teams chats have been expanded to process the Copilot records. If you already have a policy set up for Teams chat, it processes Copilot records too (Figure 2).
Although it’s easier for Microsoft to combine processing for Teams chats and Copilot interactions, I can see some problems. For example, some organizations like to have very short retention periods for Teams chat messages (one day is the minimum). Will the same retention period work for Copilot interactions? It would obviously be better if separate policies processed the different data types. Perhaps this will happen in the future.
Because the substrate captures Copilot interactions, the interactions are available for analysis by Communication Compliance policies. It should therefore be possible to discover if someone is using Copilot in an objectionable manner.
Block and Tackle Support for Microsoft 365 Copilot
None of this is earthshattering. SharePoint Online stores protected documents in clear to support indexing, but it would be silly if Microsoft 365 Copilot could use protected documents in its response. Gathering audit events treats Copilot like all the other workloads, and compliance records make sure that eDiscovery investigations can include Copilot interactions in their work. However, it’s nice that Microsoft has done the work to make sure that organizations can mark the compliance item on deployment checklists as complete.
Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.