Posey's Tips & Tricks
Sensitivity Labels for Microsoft 365 Copilot, Part 1: Setup
Before you can exclude or protect certain data from Copilot, first you must label it correctly.
Sensitivity labels and label policies have been a part of Microsoft 365 for quite some time. Even so, organizations might consider revisiting the feature now that Microsoft Copilot has been released. Using sensitivity labels is one of the best options for preventing Copilot from referencing data that it shouldn't.
In Microsoft 365, sensitivity labels are essentially just tags that identify the sensitivity of your data. For example, you might tag data as being public, confidential, extremely sensitive or whatever. Once you have created sensitivity labels, you can publish those labels through label policies. It is worth noting that although users can manually apply sensitivity labels to their documents, it's also possible to make Microsoft 365 label content automatically. I will show you how this works later on.
To get started, sign into Microsoft 365 with administrative access and open Microsoft Purview. From there, expand the Information Protection folder and then click on Labels. Next, click the Create a Label button and the Microsoft 365 portal will open the New Sensitivity Label screen, which you can see in Figure 1.
As you can see in the figure, the first thing that you will have to do is to assign a name and description to the label that you are creating. You can also assign a color to the label if you like. For example, if you were creating a label for restricted content then you might make the label red.
Another thing that you can do on this screen is to assign a label priority. This is useful in situations in which you have created multiple labels and need to determine which label will take precedence in the event of a conflict.
Click Next and you will be taken to a screen that asks you to define a scope for the label that you are creating, as shown in Figure 2. This typically means specifying the types of data that the label can apply to. For example, you might intend the label to be used for email messages, files, or even something else.
Click Next and you will be taken to the Items screen. This screen lets you control how the label will be used. As you can see in Figure 3, you can use the labels to control access to resources and / or to apply custom markings to data (such as adding a watermark to a document).
At the beginning of this post, I mentioned that one of the main reasons for using sensitivity labels is to prevent Copilot from accessing anything that it shouldn't. If you want to use sensitivity labels to restrict Copilot, then what you will need to do is to select Control Access and then click Next. This takes you to a sub-screen where you can define the access control settings that should be associated with the label. Click the Assign Permissions link and then click Choose Permissions and select the Custom option from the drop down list. As you can see in Figure 4, there are a variety of permissions that you can select.
To be perfectly clear, Copilot will respect the permissions that you already have in place. Your users will never see content through Copilot that they do not already have access to. Even so, privacy concerns may warrant preventing Copilot from accessing certain content. The way that you can do that using sensitivity labels is to remove the Copy and Extract Content (EXTRACT) permission. Copilot requires this permission in order to use content. In other words, you can still allow a user to view, edit, save and print a document, but if you remove copy and extract permissions, Copilot will be unable to reference the document.
Click Next, and you will be taken to a screen that asks if you want to automatically apply the label that you are creating. To automatically apply a label, you will need to specify a condition. For example, you might make it so that the label is automatically applied if the document contains a credit card number or a social security number.
When you are done, click Next and you will see a screen asking about any additional controls that you might want to put into place for teams, groups, and sites. Make any necessary selections and then click Next, followed by Create Label.
Although you have created a label, the label does not do anything by itself. You are going to need to create a label policy, which is the mechanism that will publish the label. I will show you how to create the label policy in Part 2.
About the Author
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.