Bringing Microsoft Purview and Copilot Together to Protect Sensitive Data

Over the past 5 months, this blog series has covered the fundamentals of Microsoft Purview. As we have shown, Purview provides a powerful layer of data-aware visibility and protection that complements more traditional security controls like identity management, access control lists, group memberships, endpoint security, and management tools. Those traditional tools are certainly critical, and Purview provides even more layers of data protection.

It is clear that having Purview data governance policies can help protect data as it is used today, but how about in the future? In particular, how does Purview fit into the picture when it comes to the way that data is used by large language model (LLM) and generative AI tools? The Microsoft 365 Copilot offerings are the first that come to mind, but there may also be other LLM tools that will use data from your tenant as source material. 

As these new tools gain traction, many organizations that have kicked the data governance can down the road may be in for a rude awakening if they assume that their data will remain secure without a governance plan and controls in place. By design, AI tools like Copilot are trained on your tenant data and will produce results based on all the data that the user has access to in order to answer questions or perform tasks. This magnifies the real risk: misclassified or otherwise ungoverned sensitive data will be inadvertently exposed as people use AI tools. My colleague Chris Stegh aptly calls this “people seeing the unseeable” (Can Copilot Command the Coin? – eGroup | Enabling Technologies (eGroup-us.com)).

Access Control and Governance

Access control and governance become even more critical as Copilot or other AI tools become commonly used and the demand for them increases. The Purview features we have discussed so far can address the risk outlined above.

  • Content Explorer – Use Content Explorer and Content Searches to identify where your sensitive data is and ensure it is in the appropriate and protected locations. Remove or relocate confidential data that should not be in commonly accessible areas.

  • Information Protection – Deploy Sensitivity Labeling to provide encryption and access controls beyond traditional access control lists or Teams membership. If an employee is not allowed to see the data, Copilot won’t show it. Consider auto-labeling policies to find and protect sensitive data automatically.

  • Data Loss Prevention – Use built-in and custom data types to detect and prevent unauthorized emailing and sharing of data, even if surfaced by AI. Data Loss Prevention restrictions can be applied internally as well as externally, if needed.

  • Data Lifecycle Management – Use Retention Policies and Labels to remove stale, out-of-date, or sensitive data that is no longer needed. This reduces the data set that AI will have access to and gives the organization less to secure and manage overall. Consider auto-apply retention label policies to find and manage that data automatically.

  • Compliance Manager – Use the Microsoft baseline and other security or compliance assessments to help identify and meet best practice data governance configuration requirements on an ongoing basis. Use the Compliance Score as a metric to measure your compliance posture over time.
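The auto-labeling approach described in the Information Protection item above, as an added PowerShell example that is not part of the original post. It assumes Security & Compliance PowerShell (the ExchangeOnlineManagement module), an existing sensitivity label named "Confidential", and made-up policy and rule names; the policy starts in simulation mode so that results can be reviewed before anything is actually labeled.

```powershell
# Added example (not from the original post): create a Purview auto-labeling
# policy in simulation mode, then verify its mode before anyone enforces it.
# Assumptions: ExchangeOnlineManagement module installed, a sensitivity label
# named "Confidential" already exists, and the policy/rule names below are
# constructed for illustration.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell (interactive sign-in)

$policyName = "AutoLabel-Financial-Simulation"   # constructed name

# Policy: target all SharePoint and OneDrive locations and apply "Confidential",
# but run in simulation so nothing is labeled until the results are reviewed.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -ApplySensitivityLabel "Confidential" `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithoutNotifications

# Rule: match built-in sensitive information types (credit card and
# U.S. bank account numbers) in SharePoint and OneDrive content.
New-AutoSensitivityLabelRule -Policy $policyName `
    -Name "$policyName-Rule" `
    -Workload SharePoint, OneDriveForBusiness `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number"; minCount = "1" },
        @{ Name = "U.S. Bank Account Number"; minCount = "1" }
    )

# Check: confirm the policy is still in simulation (Mode should read
# TestWithoutNotifications) before switching it on.
Get-AutoSensitivityLabelPolicy -Identity $policyName |
    Select-Object Name, Mode, DistributionStatus

# After reviewing the simulation results in the Purview portal, enforce with:
# Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```

Running the policy in simulation first is the practical safeguard: it shows which items would be labeled (and therefore encrypted or restricted) so that false positives can be tuned out before Copilot or any user is affected by the new access rules.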

Microsoft Cloud Features

There are a few other complementary Microsoft cloud features that bear mentioning when creating an overall data governance plan:

  • Dynamic Entra ID Groups – Use Entra ID (formerly known as Azure AD) attributes to determine group memberships. This helps automate group membership changes (especially removals) so that permissions remain appropriate to the roles people have as they move around the organization. Employees often end up carrying permissions with them that are no longer relevant to their jobs as they change departments or locations. Dynamic groups help alleviate that risk of “permission drift.”

  • Entra ID Access Reviews – Configure Access Reviews to require managers and other leaders in the organization to periodically review and edit group memberships relevant to the data they are responsible for. This relieves the IT team from tracking and managing staffing changes and allows the people who authorize data access to remain aware of who actually has access, so it remains consistent.

  • Purview Adaptive Scopes – Similar in nature to a dynamic group, Adaptive Scopes can be set up in Purview and used to provide granular scoping of retention policies.
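The dynamic group idea from the first item above, as an added Microsoft Graph PowerShell example that is not part of the original post. It assumes the Microsoft.Graph.Groups and Microsoft.Graph.Users modules and an account with Group.ReadWrite.All and User.Read.All permissions; the group name, mail nickname, and the "Finance" department value are constructed for illustration.

```powershell
# Added example (not from the original post): create an Entra ID dynamic
# security group whose membership follows user attributes, then verify who
# actually landed in it.
# Assumptions: Microsoft.Graph.Groups and Microsoft.Graph.Users modules
# installed; the signed-in account has Group.ReadWrite.All and User.Read.All;
# the group name and department value are constructed.

Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# Membership rule: enabled users in the Finance department only. A user who
# changes department or whose account is disabled drops out automatically,
# which is what counters "permission drift".
$rule = '(user.department -eq "Finance") -and (user.accountEnabled -eq true)'

$group = New-MgGroup -DisplayName "SG-Finance-Dynamic" `
    -Description "Finance staff (dynamic membership)" `
    -MailEnabled:$false `
    -MailNickname "sg-finance-dynamic" `
    -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Check: the directory evaluates the rule asynchronously, so allow a few
# minutes, then list the resolved members with the attributes the rule uses.
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object {
        Get-MgUser -UserId $_.Id -Property DisplayName, Department, AccountEnabled
    } |
    Select-Object DisplayName, Department, AccountEnabled
```

Pairing a group like this with the sensitivity labels and retention scopes discussed earlier keeps the "who" side of access current without anyone having to remember to remove a departing employee from a static group.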

Increasingly, compliance functionality like that offered by Purview is becoming an additional required security control. Data-aware governance and protection is no longer just for regulated industries or small groups in a larger organization. You likely already have many (or all) of the tools discussed above at your disposal, and I would encourage you to explore them and see how they can be applied to your data so that the organization can get the most value out of their Microsoft investments now and in the future.

Tom Papahronis

Strategic Advisor - eGroup | Enabling Technologies

Learn more about Microsoft Purview

Interested in learning how you can leverage Purview and Copilot in a way that is safe and compliant?

Contact our team of experts to get started today on your road to data governance and AI!

Last updated on December 21st, 2023 at 03:01 pm