How to Simplify Microsoft 365 Copilot Security Setup
Understanding how Microsoft 365 Copilot fits into your existing security controls, and how to tune those controls, sets a strong foundation for bringing AI into your environment.
Microsoft 365 Copilot is designed to operate within your existing security framework, so sensitive data stays protected while productivity improves. In this blog we cover three simple but important security considerations: enforcing multi-factor authentication (MFA), managing SharePoint search indexing, and controlling web access. Each helps you simplify security without giving up control.
Before diving into implementation, it’s essential to align on how Copilot functions within M365, where it operates, and what data it can access.
Copilot’s Service Boundary and Security
Copilot is embedded within the M365 service boundary: it runs in the Microsoft cloud and reaches your Outlook mail, OneDrive files, Teams chats, and SharePoint content through Microsoft Graph. Prompts, the content retrieved to ground them, and the responses are processed by Microsoft-hosted large language models inside that boundary; they are encrypted in transit and at rest, are not used to train the foundation models, and are not sent to third-party internet services. The one deliberate exception is web grounding, covered later in this post: when web search is enabled, Copilot sends a search query derived from the user's prompt to Bing, which sits outside the M365 service boundary, so that setting deserves a conscious decision rather than the default.
Equally important, Copilot honors existing user permissions. It can only retrieve information the user is already authorized to access. For instance, if someone does not have permission to view payroll data in SharePoint, Copilot cannot access or surface it. The flip side is that Copilot faithfully surfaces everything a user can already reach, including content that was overshared by accident (a finance library readable by "Everyone except external users", for example). Copilot does not create new access, but it makes existing over-permissioning far easier to stumble on, so reviewing site and library permissions before rollout is part of the security setup, not an afterthought.
With Copilot operating within your M365 environment, ensuring that only authorized users can access data is critical. This starts with verifying user identities at sign-in, which is why Multi-factor Authentication (MFA) is a must-have security measure.
Strengthening Security with Multi-factor Authentication
MFA adds a layer of protection by requiring users to prove their identity with something beyond a password, which blunts password spraying, phishing of reused credentials, and similar attacks against your M365 environment. The simplest way to turn it on for individual users is per-user MFA from the M365 Admin Center:
Enabling MFA in Microsoft 365
- Go to the M365 Admin Center: Navigate to the “Users” section and select “Active Users”.
- Access MFA Settings: Click the “Multi-factor Authentication” link to open the Entra ID portal.
- Enable MFA for Users: Select the users you want to enable MFA for and click “Enable”.
- User Setup Prompt: Once enabled, users will be prompted to configure MFA the next time they sign in.
Per-user MFA is the legacy approach and is fine for a small tenant. For anything larger, prefer Conditional Access policies (requires Entra ID P1; Security Defaults is the free alternative) that require MFA based on device trust, location, sign-in risk, or the specific application being accessed. Exclude at least one break-glass account from any policy that requires MFA, and run the policy in report-only mode before enforcing it so you can see who would have been blocked.
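As an added example (not code from the original post), the following Microsoft Graph PowerShell creates a tenant-wide "require MFA" Conditional Access policy in report-only mode, then lists licensed users who have not yet registered an MFA method. It assumes the Microsoft.Graph module is installed, the signed-in account holds the Conditional Access Administrator role, and the break-glass object ID below is replaced with your own emergency-access account IDs (the value shown is a placeholder).

```powershell
# Added example: create a report-only "require MFA for all users" Conditional
# Access policy and check MFA registration coverage before enforcing it.
# Assumptions: Microsoft.Graph module installed; caller has the Conditional
# Access Administrator role; $BreakGlassAccountIds replaced with real IDs.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# Emergency-access accounts are excluded so a mistake here cannot lock out
# every administrator. Placeholder object ID; substitute your own.
$BreakGlassAccountIds = @("00000000-0000-0000-0000-000000000001")

$policy = @{
    displayName = "CA001 - Require MFA for all users"
    # Report-only: sign-in logs record who the policy would have affected,
    # nothing is enforced yet. Change to "enabled" once the results look right.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = $BreakGlassAccountIds
        }
        applications = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' (id {1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State

# Users with no registered MFA method will be forced to register at next
# sign-in once the policy is enforced; a large backlog deserves a heads-up.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsMfaCapable, DefaultMfaMethod |
    Format-Table -AutoSize
```

Leave the policy in report-only mode for a few days, review the "Report-only" tab on the sign-in logs in the Entra admin center, then flip `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`.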
While MFA ensures only verified users can access your M365 environment, you must also control what data Copilot can access. Managing data visibility within Copilot helps protect sensitive information while maintaining productivity.
Controlling Copilot’s Access to Data
Copilot grounds its answers in data stored in the Microsoft cloud; for documents, that means primarily SharePoint and OneDrive. If certain sites contain sensitive information, such as financial records, personal data, or confidential projects, you can exclude them from search so that content does not appear in Copilot responses.
How to Exclude a SharePoint Site from Copilot Search
- Open the Site: Browse to the SharePoint site containing sensitive data as a site owner or SharePoint admin, and open the settings gear (this is a site-level setting, not a SharePoint Admin Center setting).
- Access Site Settings: Click “Site Information”, then select “View All Site Settings”.
- Modify Search Availability: Choose “Search and Offline Availability” in the Search section.
- Exclude from Search: Set “Allow this site to appear in search results” to No, then click OK.
This stops the crawler from indexing the site, so Copilot can no longer retrieve its content through search, while authorized users can still open it directly in SharePoint. For more granular control, the same switch exists per document library under Library settings > Advanced settings ("Allow items from this document library to appear in search results"). Two caveats apply: this is a visibility control, not an access control, so anyone who already has permissions can still open, share, and paste the files, and it only takes effect after the next crawl, so already-indexed content lingers briefly. For data that genuinely must not reach the wrong people, fix the permissions; use search exclusion to reduce noise and accidental exposure, not as the only barrier.
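The same change scripted with PnP PowerShell, as an added example that is not from the original post. It assumes the PnP.PowerShell module is installed, an Entra app registration exists for interactive sign-in (PnP PowerShell 2.x requires a client ID), and that the site URL, client ID, and library name are placeholders to replace with your own.

```powershell
# Added example: exclude a SharePoint site (and optionally one library in it)
# from search with PnP PowerShell, verify the flag, and request a re-crawl.
# Assumptions: PnP.PowerShell installed; the values below are placeholders.
$SiteUrl     = "https://contoso.sharepoint.com/sites/Payroll"   # placeholder
$ClientId    = "00000000-0000-0000-0000-000000000000"           # placeholder app registration
$LibraryName = "Payroll Reports"                                # placeholder

Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -Interactive

# Whole site: the scripted equivalent of
# "Allow this site to appear in search results = No".
Set-PnPWeb -NoCrawl:$true

# Or narrow it to a single library: equivalent of the library's
# "Allow items from this document library to appear in search results = No".
Set-PnPList -Identity $LibraryName -NoCrawl:$true

# Verify the flags actually changed. NoCrawl only stops indexing; it does not
# touch permissions, so still review who can open the site directly.
$web  = Get-PnPWeb  -Includes NoCrawl
$list = Get-PnPList -Identity $LibraryName -Includes NoCrawl
"Site NoCrawl:    {0}" -f $web.NoCrawl
"Library NoCrawl: {0}" -f $list.NoCrawl

# Already-indexed content disappears only after the next crawl; ask for one now.
Request-PnPReIndexWeb
```

Run the verification block again after the next crawl to confirm the content no longer appears in search before you tell stakeholders it is hidden from Copilot.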
By proactively managing search visibility, you reduce the chance that Copilot surfaces sensitive information. The next consideration is web access. By default, users can toggle between "Work" (grounded in your M365 tenant) and "Web" (grounded in Bing search) when using Copilot in Teams and other apps. Configuring web access lets you decide whether, and for whom, Copilot may reach outside the tenant for information.
Configuring Web Access in Copilot
Admins control whether users get web results in Copilot by enabling or disabling web search through a Cloud Policy, reached from the Copilot settings page in the Microsoft 365 Admin Center.
How to Enable or Restrict Web Search in Copilot
- Open the Microsoft 365 Admin Center: Navigate to the Copilot page and open its "Settings" tab.
- Locate Web Search Settings: Find the “Web search for Microsoft 365 Copilot” option; it links to the Cloud Policy service.
- Create a Cloud Policy: If no policy exists, create a new one and scope it to all users or to the security group it should apply to.
- Configure Web Search Settings: Use the filter to find "Allow web search in Copilot", then either enable it (the default behavior) or disable it for the users in scope.
- Review and Publish the Policy: Apply the changes, and wait for the settings to propagate to users' Copilot sessions.
Allowing web search lets users bring public, up-to-date information into their answers. The search queries Copilot sends to Bing are derived from the user's prompt and do not include the user's Microsoft 365 content, but they do leave the M365 service boundary. If that is more exposure than some groups should have, disable web search for them with a group-scoped policy so Copilot answers only from tenant data, and keep it enabled where the external context is worth it.
Why Establishing a Strong Microsoft 365 Copilot Security Setup Matters
Securing Microsoft 365 Copilot doesn't have to be complex: by enforcing MFA, managing SharePoint search indexing, and configuring web access, you can strike a sensible balance between security and productivity. These straightforward steps keep Copilot operating within your security framework while giving users AI-driven insights. Combined with a review of existing permissions, they let your organization adopt Copilot with confidence and without compromising data protection.
Get In Touch With Stoneridge Experts to Harness the Game-Changing Abilities of Copilot in Microsoft 365!
Talk to the Stoneridge team today to learn more about responsibly implementing and using Copilot in your organization. Our team is ready to partner with you to ensure your organization maximizes the benefits of Copilot while maintaining a strong security posture.
Under the terms of this license, you are authorized to share and redistribute the content across various mediums, subject to adherence to the specified conditions: you must provide proper attribution to Stoneridge as the original creator in a manner that does not imply their endorsement of your use, the material is to be utilized solely for non-commercial purposes, and alterations, modifications, or derivative works based on the original material are strictly prohibited.
Responsibility rests with the licensee to ensure that their use of the material does not violate any other rights.