Deploying Microsoft 365 Copilot with Confidence: Overcoming Data Security and Governance Challenges

Post Date: 11/29/2024

As everyone digests all the news that came out of Microsoft Ignite 2024, one thing is clear: the excitement around the continued evolution of Microsoft 365 Copilot is palpable. From new AI agents to transform business processes to upgrades in how Microsoft 365 Copilot can make teamwork even easier, the future for this technology is bright.

The other main takeaway from what I heard live at the McCormick Center in Chicago and in conversations with our customers and partners is the importance of data security and data governance prior to deploying Microsoft 365 Copilot. GenAI like Microsoft 365 Copilot surfaces whatever a user already has permission to read, so it exposes gaps in data governance and security that result in overexposure of data, and that is a point causing significant delays in full adoption. Gartner predicts that at least 30% of GenAI projects will be abandoned after proof of concept due to poor data quality and inadequate risk controls, and that by 2026, 60% of organizations will fail to realize the value of their AI investments because of fragmented governance frameworks.

To that end, during Ignite 2024 Microsoft announced several updates to its SharePoint Advanced Management (SAM) solution which will be available starting in early 2025 to help manage content sprawl, oversharing, Copilot content access, and content lifecycle. For those who already have Microsoft 365 Copilot licenses, SAM will come at no additional cost. While this is a step in the right direction, there are still several important questions you must ask as you’re preparing your data and environment for Microsoft 365 Copilot to ensure you can maximize the full potential of this technology safely and effectively.

Let’s dive into these questions, discuss how SharePoint Advanced Management can address them and why AvePoint’s data security, governance, and resilience solutions are uniquely positioned to ensure you can deploy Microsoft 365 Copilot with confidence.

Which new capabilities for securing SharePoint are now available in SharePoint Advanced Management?

SAM includes some useful tools in the form of “policies” that can be applied to sites. Two of those policies that specifically address challenges SharePoint administrators have struggled with for many years are the Block Download and Restricted Access Control policies. Let’s say you have a site and you want to provide access to files, but you want to make sure those files don’t get downloaded and put somewhere else – where you lose control of the permissions applied to them – or worse, attached to an email and sent outside of the organization. SharePoint has long had the ability to set up a “view only” permission level, but it took some configuring and was not a standard permission level like “read” that exists by default for every site.

The Block Download policies in SAM allow you to set a blanket restriction for specific SharePoint or OneDrive sites that blocks any download of files, while still allowing users to read the files online. This can be tuned further to block the download of certain types of files, such as meeting recordings, a welcome assurance for compliance teams worried about exfiltration of sensitive meeting recordings. Note that Block Download governs the download path only: a user who can open a file in the browser can still read it on screen, so treat it as a control on bulk movement of files rather than on disclosure to an already-authorized viewer. Likewise, the concept of “explicit deny” for SharePoint sites – where it is possible to define a set of users that should never have access to a particular site no matter how careless site owners are in managing permissions – is something SharePoint administrators have struggled with for ages. The Restricted Access Control policies in SAM achieve this kind of result, because only users who are members of the groups explicitly named in the policy are allowed to reach the site at all. Think of it as an additional “firewall” around a site: only if the access control policy admits the user are their SharePoint permissions considered. These are two examples of site-wide policies that SAM brings to the table to give SharePoint admins powerful new controls over access.
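The two policies described above can be applied from the SharePoint Online Management Shell. The script below is an added example, not code from the original post or from AvePoint: it enables both policies on one site and then reads the settings back so the change can be verified rather than assumed. The admin URL, site URL and group ID are placeholders, and the cmdlet parameters are the ones documented for the Microsoft.Online.SharePoint.PowerShell module as of late 2024, so check them against the module version you have installed.

```powershell
# Added example (not from the original post): apply SharePoint Advanced Management's
# Block Download and Restricted Access Control policies to one site, then read the
# settings back to confirm what is actually in force.
# Requires the Microsoft.Online.SharePoint.PowerShell module and an account holding
# the SharePoint Administrator role.
Import-Module Microsoft.Online.SharePoint.PowerShell

$AdminUrl = "https://contoso-admin.sharepoint.com"          # placeholder (assumption)
$SiteUrl  = "https://contoso.sharepoint.com/sites/Finance"  # placeholder (assumption)
# Entra ID object ID of the security group that should be the ONLY group admitted
# to the site. Placeholder GUID; look the real one up in Entra ID.
$AllowedGroupId = "00000000-0000-0000-0000-000000000000"

Connect-SPOService -Url $AdminUrl

# 1. Block Download: users can still open files in the browser but cannot
#    download, print or sync them from this site.
Set-SPOSite -Identity $SiteUrl -BlockDownloadPolicy $true

# 2. Restricted Access Control: the site rejects anyone who is not a member of
#    the listed group(s), regardless of the permissions granted inside the site.
#    The tenant-level switch must be on before site-level policies take effect.
Set-SPOTenant -EnableRestrictedAccessControl $true
Set-SPOSite -Identity $SiteUrl -RestrictedAccessControl $true
Set-SPOSite -Identity $SiteUrl -AddRestrictedAccessControlGroups $AllowedGroupId

# 3. Read back the effective settings. Keep this output as the evidence for your
#    change record instead of trusting that the Set-* calls applied cleanly.
$site = Get-SPOSite -Identity $SiteUrl
$site | Select-Object Url, BlockDownloadPolicy, RestrictedAccessControl, RestrictedAccessControlGroups

if (-not $site.BlockDownloadPolicy) {
    throw "Block Download policy is not enabled on $SiteUrl"
}
if (-not $site.RestrictedAccessControl -or
    $site.RestrictedAccessControlGroups -notcontains $AllowedGroupId) {
    throw "Restricted Access Control is not enforcing the expected group on $SiteUrl"
}
```

The read-back step matters more than it looks: the Restricted Access Control policy is evaluated before site permissions, so a typo in the group ID locks out everyone except the admin, and the first sign of that is usually a help-desk ticket rather than an error from the cmdlet.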

Can I find and fix specific files that are sensitive and overshared?

As useful as the policies I just discussed are, they are only as valuable as your ability to see whether and where they need to be applied. For most organizations, the most important set of capabilities is understanding the current access permissions on their content – especially sensitive content – and then initiating actions that mitigate any risks found. While SAM has data access governance reports intended to highlight sites containing potential risk, they only report summary data at the SharePoint site level (e.g. the number of files that were shared). The reports do not show you a list of the specific files that may be overshared and provide no way to discover which files caused a site to appear in the reports. Further, when prioritizing your efforts to mitigate oversharing, the correlation of SENSITIVE + OVERSHARED + UNPROTECTED is key, yet the SAM data access governance reports only recognize sensitivity in the form of files already labeled with a Purview sensitivity label. If files are sensitive but not yet labeled – which is the primary area of concern, as these files are not yet protected – they will not show as “sensitive” on the SAM reports.

AvePoint addresses this by automatically monitoring and remediating risky sharing behaviors at the file level, providing immediate action and comprehensive reporting to maintain data security. AvePoint Policies gives administrators detailed file-level insights, including the vital combination of sensitivity, sharing scope, and protected status, allowing them to modify or remove sharing settings as needed. New MyHub enhancements enable data owners to participate in data security and governance, ensuring a collaborative approach. Additionally, because SharePoint Advanced Management only reports on pre-labeled sensitive files, it can miss issues if labeling isn’t comprehensive. AvePoint assesses every file in your Microsoft 365 environment, labeled or not, identifying sensitive files even if Data Loss Prevention or labeling policies are not yet developed. Organizations can also tailor sensitivity definitions to ensure relevant reporting.

AvePoint Policies

How often are reports updated?

Reports in SharePoint Advanced Management are updated infrequently, with automatic updates occurring only once every 28 days, leading to significant delays in identifying oversharing activities and potentially leaving sensitive data exposed. In contrast, AvePoint provides daily updates without manual intervention, ensuring that permission and sharing changes are always current. AvePoint also allows for pre-defined policies to automatically monitor and remediate risky sharing behaviors in real-time, providing immediate reporting and alerts to admins and data owners. This ensures that data security is consistently up-to-date and potential issues are promptly addressed.

Can I perform site access reviews at scale?

SharePoint Advanced Management offers limited and overly granular reviews triggered by reports without centralized oversight, whereas AvePoint provides a comprehensive and sustainable solution. AvePoint supports access reviews across various collaboration assets, including SharePoint, Teams, and more, with the ability to schedule reviews or trigger them based on specific events. These reviews encompass permissions, data access, ownership, business context, and site necessity, all within a single, auditable process. AvePoint ensures scalability with configurable review durations, automated escalation options, and detailed tracking of review activities. Additionally, MyHub enables data owners to proactively manage their data by identifying oversharing risks and problematic files, enhancing the overall efficiency and effectiveness of access reviews.

Who can access the reports?

Access to SharePoint Advanced Management reports is restricted to users with the SharePoint Administrator role, a role that grants broad administrative authority over the whole tenant. Granting it solely so that someone can read a report runs against least privilege, and in practice it means only a few highly privileged users can access the reports, creating bottlenecks and hindering scalable data governance. In contrast, AvePoint offers extensive Role-Based Access Control (RBAC) and delegation options, allowing the right people to access reports based on their specific roles. This flexibility enables regional or business-unit administrators to participate in data governance without holding tenant-wide admin rights, enhancing scalability and security across the organization.

How can I manage data ownership at scale?

Managing data ownership at scale with SharePoint Advanced Management relies heavily on manual intervention. SharePoint Advanced Management requires emails to be sent to current administrators or active members to claim or add site owners, with a lengthy process that can result in sites being converted to “read-only” if not addressed within three months. In contrast, AvePoint offers a more streamlined and automated approach. Administrators can define a minimum number of site owners, with continuous compliance checks and automatic promotion of members to owners if needed. For a more formal approach, AvePoint allows for named primary and secondary data owners for all supported objects, with ownership defined at creation and maintained through automated monitoring and periodic confirmations. If a data owner leaves, AvePoint initiates an election process to appoint a new owner, ensuring data ownership is always current and responsibilities are clear.

Can I manage inactive sites?

Managing inactive sites with SharePoint Advanced Management is challenging due to its fragmented approach and lack of centralized reporting. SharePoint Advanced Management’s Inactive Site Policies operate separately from other tasks, requiring manual certification from site owners or admins, and if ignored, sites are eventually converted to “read-only” and archived. This process is cumbersome and lacks a unified overview, making it difficult for admins to manage inactive sites efficiently. In contrast, AvePoint offers a more integrated and efficient solution. It provides centralized reporting and allows for delegation to departmental teams, ensuring a streamlined review process. Ownership review tasks can be automatically initiated, combining ownership and sharing/permissions reviews into a single task. If sites are deemed unnecessary, they can be archived during the review or after a “read-only” period. This cohesive approach ensures effective management of inactive sites with better visibility and flexibility, enhancing overall efficiency.

Bringing it All Together

In order to deploy Microsoft 365 Copilot with confidence, organizations require a truly holistic data security and data governance approach. By offering detailed file-level visibility, accurate permission reporting, comprehensive sensitivity assessments, real-time risk level reporting, and the ability to take direct action from reports, AvePoint ensures that your data is secure and well-governed.

Additionally, AvePoint’s sustainable access reviews, centralized reporting, flexible data ownership management, and efficient handling of inactive sites provide a robust framework for managing your data governance needs, with the scale to meet organizations wherever they are in their data governance journey. These features, combined with automated controls and extensive RBAC and delegation options, make AvePoint the solution for organizations aiming to deploy Microsoft 365 Copilot with confidence.

Explore AvePoint’s solutions to ensure your data management is robust, secure, and ready for the future. With AvePoint, you can be confident that your organization is prepared to leverage the full potential of Microsoft 365 Copilot while maintaining the highest standards of data security and governance.

John Peluso is AvePoint’s Chief Technology Officer. In this role, he aligns the Company’s technology and product roadmaps to grow AvePoint’s market share, and accelerate the ideation, development, and launch of innovative software products tailored to anticipate customer needs. Prior to this role, John held multiple leadership roles over his 13-year tenure at AvePoint, including Chief Product Officer, SVP of Product Strategy, Director of Education, and Chief Technology Officer, Public Sector.

Before joining AvePoint, John served in a variety of technology and business roles at New Horizons Northeast and New Horizons of Central and Northern NJ. He earned his undergraduate degree from The New School.
