Microsoft MVP Jasper Oosterveld discusses communication risks with Copilot for Microsoft 365 prompts and steps for creating a policy using Microsoft Purview Communication Compliance.
You’ve rolled out Copilot for Microsoft 365 in your organization. Your colleagues use it to draft documents, find and share information, and collaborate like never before—that’s great!
But as someone who’s always tuned into data security and governance, my radar is buzzing. There’s a risk that sensitive or unauthorized information might be exposed with Copilot for Microsoft 365 prompts.
This is where Microsoft Purview Communication Compliance leaps into action and can help minimize communication risks. Let’s get into it.
The challenge with Copilot for Microsoft 365 prompts
Let’s look at how communication risks can arise using a hypothetical company, Contoso Electronics, and a hypothetical product called DG-2000, as examples.
You work for Contoso Electronics and are part of the launch team for the company’s flagship product, DG-2000. To get information on the product, you ask Copilot for Microsoft 365, which provides a summary of it. But there’s a risk Copilot could accidentally reveal restricted information in that response:
Copilot only returns content you already have permission to see, so this is not an access-control failure. Even so, Contoso still needs visibility into these prompts and responses to ensure sensitive information is handled carefully once it leaves the source document.
What is Microsoft Purview Communication Compliance?
Microsoft Purview Communication Compliance is an insider risk solution: it helps you spot and manage potentially inappropriate messages within your organization, minimizing communication risks. Recently, Microsoft extended this tool to Copilot for Microsoft 365 interactions, offering the following out-of-the-box policy template:
To fully leverage these capabilities, make sure you consider the licensing requirements for Microsoft Purview Communication Compliance, outlined in the following figure:
Let’s dive into setting up your first Copilot for Microsoft 365 policy with Microsoft Purview Communication Compliance.
Create a Copilot for M365 policy with Microsoft Purview Communication Compliance
To create a policy, follow these steps:
1. Sign in to the compliance portal with an admin account in your M365 organization
2. Go to the Communication compliance solution
3. Select the Policies tab
4. Select Create policy, and then select Custom policy
5. Give the policy a name. You can also include a description.
6. On the Choose users and reviewers page, you’ll see the sections for:
Users and groups
To improve the quality and manageability of your policy, focus it on a specific group of people within your organization. If you don’t, you’ll face an overload of alerts, making the policy hard to manage. You can manually select users or use an adaptive scope. For larger groups with varied roles and departments, an adaptive scope is recommended.
Reviewers
Employees you assign as reviewers must also be members of one of the following role groups to carry out their tasks:
- Communication Compliance Analysts
- Communication Compliance Investigators
Assign these roles within the Microsoft Purview Administration Portal by going to the Roles & scopes tab:
7. On the Choose locations to detect communications page, select “Copilot for Microsoft 365” as the communication channel:
8. On the Choose conditions and review percentage page, choose the communication direction to detect. I’ve stuck with the default options (inbound, outbound, and internal):
9. In the Conditions section, you’ll find various options. I recommend starting with sensitive information types, which I covered in a previous ShareGate article; they are the core of a Communication Compliance policy. For example, a custom sensitive information type (or a keyword condition) can flag any mention of the DG-2000 product in a prompt or response.
10. Next is the Optical character recognition (OCR) section. You can select “Use OCR to extract texts from images” if you want to identify embedded or attached images in messages that match policy conditions:
11. In the Review percentage section, you can adjust the slider to change the amount of content to review. This is useful when your policy generates too many reviews for your reviewers to handle.
Skip the Filter email blasts section. You’re all done! Now, let’s explore your review options!
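The wizard above is the supported way to pick the Copilot for Microsoft 365 channel, but the surrounding housekeeping from step 6 (putting reviewers into the right role group) and a sanity check after you save the policy can be scripted from Security & Compliance PowerShell. The following is an added example, not code from the original article or from Microsoft; the admin UPN, reviewer addresses, policy name and custom sensitive information type name are placeholders you would replace.

```powershell
# Added example (not part of the original article).
# Requires the ExchangeOnlineManagement module and a Purview admin account.
# $AdminUpn, $Reviewers, $PolicyName and $SitName are assumed placeholders.
param(
    [string]$AdminUpn    = 'admin@contoso.com',                   # assumed
    [string[]]$Reviewers = @('reviewer1@contoso.com',
                             'reviewer2@contoso.com'),            # assumed
    [string]$RoleGroup   = 'Communication Compliance Analysts',   # or '... Investigators'
    [string]$PolicyName  = 'Copilot for M365 - DG-2000',          # assumed
    [string]$SitName     = 'Contoso DG-2000'                      # assumed custom SIT
)

Import-Module ExchangeOnlineManagement
# Security & Compliance PowerShell, not Exchange Online (Connect-ExchangeOnline).
Connect-IPPSSession -UserPrincipalName $AdminUpn

# 1. Reviewer role group membership (the wizard's reviewer picker does not grant it).
foreach ($upn in $Reviewers) {
    try {
        Add-RoleGroupMember -Identity $RoleGroup -Member $upn -ErrorAction Stop
        Write-Host "Added $upn to '$RoleGroup'"
    }
    catch {
        # Most common cause: the user is already a member. Surface anything else.
        Write-Warning "Could not add $upn to '$RoleGroup': $($_.Exception.Message)"
    }
}
Write-Host "`nCurrent members of '$RoleGroup':"
Get-RoleGroupMember -Identity $RoleGroup | Format-Table Name -AutoSize

# 2. The sensitive information type the policy condition refers to must exist
#    before the wizard can select it; custom SITs show Publisher != Microsoft.
$sit = Get-DlpSensitiveInformationType | Where-Object { $_.Name -eq $SitName }
if ($null -eq $sit) {
    Write-Warning "Sensitive information type '$SitName' not found; create it under Data classification first."
}
else {
    $sit | Format-Table Name, Publisher, Type -AutoSize
}

# 3. Confirm the policy saved from the wizard is visible to PowerShell.
$policy = Get-SupervisoryReviewPolicyV2 -Identity $PolicyName -ErrorAction SilentlyContinue
if ($null -eq $policy) {
    Write-Warning "Policy '$PolicyName' not found; create it in the Communication compliance wizard."
}
else {
    # Dump all properties so the reviewer list and scope can be checked against the wizard.
    $policy | Format-List
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run this once after the wizard completes. If a reviewer is missing from the role group output, they will be able to be named in the policy but will not be able to open the alerts it generates, which is the most common reason a pilot appears to produce no results.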
Monitor and act
Once you submit your query about the new DG-2000 product in Copilot for Microsoft 365, the reviewer receives a notification to begin the review process.
Is everything okay with the message? Click “Resolve” and add a comment for other reviewers:
The alert will be moved to the resolved tab:
Note: If you have a license for Copilot for Security, you can review a summary of the alert.
Send a notice allows the reviewer to get in touch with the employee(s) detected in the alert:
You can create your own notice template. For example:
If a reviewer can’t resolve an alert, another reviewer can be contacted for support:
Use the Escalate for investigation option to take things to the next level. It connects with Microsoft Purview eDiscovery so you can build a case for further investigation or litigation. Your organization must have the appropriate license for eDiscovery, and the people handling the case need the eDiscovery Manager or eDiscovery Administrator role:
The last option integrates with Power Automate, allowing you to connect custom workflows to support your review process using Microsoft Purview Communication Compliance.
Lessons learned from Microsoft Purview Communication Compliance
Are you currently rolling out Copilot for Microsoft 365, or already done? Microsoft Purview Communication Compliance can help you detect potential data leaks and surface prompts and responses that touch sensitive information. Keep in mind that it detects and alerts after the fact; it does not block a prompt or a response. I recommend starting with a pilot to familiarize yourself with how Purview works, and its impact on your organization.
During our pilot, for example, we faced challenges when we activated the service to monitor interactions involving sensitive information. This resulted in a flood of alerts that overwhelmed our Security Operations Center (SOC) and slowed down our pilot.
Beyond the technical aspects, it’s essential for your organization to grasp how the service will be used and how it influences your daily operations.