Part 3: Microsoft 365 Copilot SharePoint Governance

How to approach to security and control

In brief

  • Copilot builds its responses on all the data a user has access permissions to.
  • "Just Enough Access" is the low-risk way to manage data-security.
  • Copilot benefits when related content in teams & SharePoint is grouped. 
  • Sensitivity labels help organisations follow information security policies.

In this article and our video, Preparing for Microsoft Copilot Part 3, we cover best practice in regard to SharePoint Security, the SharePoint Site / Microsoft Teams lifecycle, particularly focusing on their importance in the context of Microsoft 365 Copilot. Finally, we bring those two concepts together we go on to cover Sensitivity Labels.

Also in this series:

Understanding the requirement:

Microsoft 365 Copilot:

  • Only searches for information from the user’s tenant
  • This does include all data they have been granted access to
  • Thos does not include content from other tenants where the user has (guest) access
  • Does respect the end-user’s security/access permissions

How to Implement this:

1. Keep Security Simple:

  • As a rule, we try and set read and contribute permissions at a Site Level, occasionally at a Document Library and Folder level and very rarely at a file name.


2. Track Movers

  • It’s too easy for a mover to gain new permissions for their new role and not lose the assigned permissions for their previous role. As part of your movers process, be proactive to review existing permissions – consider dynamic membership groups.

Learn More on Access Management:

Understanding the requirement:

Microsoft 365 Copilot works best when related data is grouped together logically, that permissions reflect “Just Enough Access” and when data is no longer needed it is removed from scope of active users either through archiving or deletion.

How to Implement this:

1. Define your Information Architecture Principles

a. What needs to be true for you to create a new Hubs/Site/Team?
b. What are your standards for site /team structures?
c. What roles do metadata, labels and tags play?
d. What are your security principles (data boundaries, external users)
e. What’s your position on extending functionality (eSignatures, Document Generation, Workflow, Apps)

We recommend that end-user site requests should be triaged to establish if a new site is needed and if so, what does it look like. The answers to these questions which will help:


2. Plan the Site Life-Cycle Process

a. What is the purpose of your site? (Filling, Collaboration or Publishing?)
b. Who needs access to it (owners, contributors, visitors/viewers)
c. How long will you need it for / how will we know we can close it?
d. What should happen to the assets created?

The goal of site and team management is to give users a better experience, so it’s clear where work gets done. As one client said to us, “A place for everything, and everything in its place”.


Learn More on Site and Team Management:

Whilst retention labels control how long to keep data for, and what happens at the end of that period. Sensitivity labels, part of Microsoft Purview Information Protection, control how a document, SharePoint Site or Microsoft Team is protected from a security perspective.

An example from a Copilot perspective, you could set a sensitivity label on a Microsoft Team, to ensure that it is set to private instead of public, meaning that only Team Members will be able to access the content, as opposed to everyone in the business.

A few examples where you can use a sensitivity labels:

  • For a Microsoft Team to restrict who can have access to it
  • For a press release to restrict access before an embargo is lifted
  • To ensure that the current price list for sales staff can't be opened after a specified date

Learn More on Sensitivity Labels:

Based on our experience, the approach to security "Just Enough Access" and Site/Team Management have always been best practice when managing a SharePoint / Teams environment.

Starting with information architecture principles and planning the site life-cycle with a supporting security model creates the right user experience, in Microsoft 365 Copilot is a crucial approach, allowing users to access only the data in their tenant while keeping security straightforward by setting permissions primarily at the site level.

Additionally, effective "Site and Team Management" is all about crafting information architecture principles and planning the site life-cycle process logically. This experience-driven perspective emphasizes the importance of creating a user-friendly and organized environment.


Read Part Four on Technical Prerequisites


Rupert Squires

Client Director

2 mins read

View our other blog posts

Click through to see our other blog posts.

Policy Approval in SharePoint 

Policy Approval in SharePoint 

Within your organisation, a risk, a legal requirement or a standard has been identified, and it has been agreed that it should be addressed via a documented company policy. We can expand this approval requirement more broadly to Controlled Documents.

Manage Microsoft Office templates in SharePoint 

Manage Microsoft Office templates in SharePoint 

Utilising templates like Word Letterheads and PowerPoint Sales Proposals is essential for maintaining consistency in document creation. They help enforce branding guidelines, ensure legal compliance, and reduce friction for employees.

Microsoft 365 Copilot Licensing + Pricing

Microsoft 365 Copilot Licensing + Pricing

Microsoft 365 Copilot is an additional purchase as it is not included in any of Microsoft’s licence suites, including the “Hero SKU” Microsoft 365 E5. So, to take advantage of the new AI capabilities offered by Microsoft, you will need to budget for additional investment.

Ask how we can help you:

• First steps in helping your business do this?
• Taking a step back and building your strategy?
• Stuck in the mud and needs help getting out?

Whatever the question, you can expect a response within a business day.

Start your journey to stress-free document management right now