Control 4.7: Microsoft 365 Copilot Data Governance - Portal Walkthrough
This playbook provides portal configuration guidance for Control 4.7.
Prerequisites
Before starting, ensure you have:
- Microsoft 365 Admin role assigned
- Microsoft 365 Copilot licenses assigned to target users
- SharePoint site inventory with sensitivity classification
- Sensitivity labels deployed
Step 1: Configure Copilot Settings in M365 Admin Center
- Navigate to admin.microsoft.com
- Go to Settings > Microsoft 365 Copilot
- Configure settings based on governance level:
| Setting | Baseline | Recommended | Regulated |
|---|---|---|---|
| Copilot enabled | Yes | Yes | Yes |
| Web search | Enabled | Review | Disabled |
| Plugin marketplace | Enabled | Limited | Disabled |
| Usage analytics | Enabled | Enabled | Enabled |
Step 2: Configure Content Exclusions
Exclude sensitive sites from M365 Copilot via Restricted Content Discovery:
- Navigate to SharePoint Admin Center
- Go to Sites > Active sites
- Select the sensitive site
- Click Settings
- Under Microsoft 365 Copilot, set to Restricted
EEEU Risk — Discovery Amplification
Microsoft 365 Copilot can surface content shared with "Everyone except external users" (EEEU) across the organization. This discovery amplification means that content that was previously obscure (but technically accessible to every internal user) becomes easy to find through natural language queries. Review and remediate EEEU sharing before enabling Copilot for sensitive sites. Use the Data Access Governance (DAG) reports from Control 4.2 (Site Access Reviews) to identify affected sites.
Categories to Exclude:
| Content Category | Risk Level | Recommendation |
|---|---|---|
| Executive compensation | High | Exclude |
| M&A / Deal rooms | Critical | Exclude |
| Legal/Compliance investigations | Critical | Exclude |
| HR confidential | High | Exclude |
| Board materials | High | Exclude |
| Draft content | Medium | Consider exclusion |
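As an added example (not the playbook's own code), the following PowerShell applies the Step 2 exclusions in bulk from the site inventory listed under Prerequisites, using the category table above, the EEEU review rule, and, at the Regulated level, the default-deny rule for unlabeled content. The tenant URL and inventory rows are constructed placeholders; it assumes the SharePoint Online Management Shell and the Set-SPOSite -RestrictContentOrgWideSearch parameter Microsoft documents for Restricted Content Discovery.

```powershell
# Added example (not from the playbook): bulk-apply Restricted Content Discovery (RCD)
# from the site inventory prerequisite, using the same decision rules as the tables above.
# Assumes the SharePoint Online Management Shell; tenant URL and CSV rows are constructed placeholders.
param(
    [ValidateSet('Baseline','Recommended','Regulated')] [string]$GovernanceLevel = 'Recommended',
    [string]$AdminUrl = 'https://contoso-admin.sharepoint.com',   # placeholder tenant admin URL
    [switch]$Apply                                                 # omit to produce a report only
)

# Constructed inventory; in practice use Import-Csv on the real export with the same columns.
$inventory = @'
SiteUrl,SensitivityLabel,ContentCategory,EeeuShared
https://contoso.sharepoint.com/sites/board,Highly Confidential,Board materials,False
https://contoso.sharepoint.com/sites/dealroom,Confidential,M&A / Deal rooms,True
https://contoso.sharepoint.com/sites/marketing,,Draft content,True
https://contoso.sharepoint.com/sites/intranet,General,Published content,True
'@ | ConvertFrom-Csv

# High/Critical categories from the "Categories to Exclude" table; Medium is reviewed, not auto-excluded.
$excludeCategories = 'Executive compensation','M&A / Deal rooms','Legal/Compliance investigations','HR confidential','Board materials'

if ($Apply) { Connect-SPOService -Url $AdminUrl }

$report = foreach ($site in $inventory) {
    $unlabeled = [string]::IsNullOrWhiteSpace($site.SensitivityLabel)
    $action = 'None'; $reason = ''
    if ($excludeCategories -contains $site.ContentCategory) {
        $action = 'Restrict'; $reason = "category '$($site.ContentCategory)'"
    } elseif ($GovernanceLevel -eq 'Regulated' -and $unlabeled) {
        $action = 'Restrict'; $reason = 'unlabeled content (Regulated default-deny)'
    } elseif ($site.EeeuShared -eq 'True') {
        # EEEU sharing is remediated before Copilot is enabled, not silently restricted.
        $action = 'Review'; $reason = 'EEEU sharing present; remediate via Control 4.2 DAG report'
    }

    $verified = $null
    if ($action -eq 'Restrict' -and $Apply) {
        Set-SPOSite -Identity $site.SiteUrl -RestrictContentOrgWideSearch $true
        # Read back the setting so the validation checklist has evidence per site.
        $verified = (Get-SPOSite -Identity $site.SiteUrl).RestrictContentOrgWideSearch
    }
    [pscustomobject]@{ SiteUrl = $site.SiteUrl; Action = $action; Reason = $reason; Verified = $verified }
}

$report | Format-Table -AutoSize
```

Run without -Apply first to review the Restrict/Review decisions, then with -Apply to set the flag and capture the read-back value for the Validation step.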
Step 3: Configure Plugin Governance
- Navigate to admin.microsoft.com
- Go to Settings > Integrated apps
- Review installed plugins
- Configure plugin approval workflow:
  - Block unapproved plugins
  - Require security review for new plugins
  - Maintain allowlist for approved plugins
Plugin Risk Assessment:
| Risk Factor | Low Risk | Medium Risk | High Risk |
|---|---|---|---|
| Data access | Read-only, public | Read org data | Read/write sensitive |
| Vendor | Microsoft first-party | Established vendor | Unknown vendor |
| Certification | M365 certified | SOC 2 | No certification |
Step 4: Configure Usage Monitoring
- Navigate to admin.microsoft.com
- Go to Reports > Usage > Microsoft 365 Copilot usage
- Review key metrics:
  - Active users
  - Feature usage by app
  - Queries per user
Monitoring Cadence:
| Metric | Review Frequency |
|---|---|
| Active users | Weekly |
| Feature usage | Monthly |
| Queries per user | Monthly |
| Feedback submitted | Weekly |
Step 5: Establish User Behavior Guardrails
Publish acceptable use policy covering:
- Permitted uses (drafting, summarizing, analysis)
- Prohibited uses (regulatory filings without review, investment recommendations)
- Output review requirements by content type
- Over-reliance prevention guidelines
Governance Level Configurations
Baseline (Level 1)
| Setting | Value |
|---|---|
| License management | Track Copilot assignments |
| Access control | Rely on existing permissions |
| Awareness | User communication |
| Review | Quarterly usage review |
Recommended (Level 2-3)
| Setting | Value |
|---|---|
| Content exclusions | Exclude sensitive sites via RCD |
| Plugin governance | Approval workflow |
| Usage monitoring | Monthly analytics review |
| Training | Mandatory Copilot training |
Regulated (Level 4)
| Setting | Value |
|---|---|
| Comprehensive exclusions | Default-deny for unlabeled content |
| Plugin control | Allowlist-only model |
| Output review | Formal review for external communications |
| Audit trail | Full logging with 6+ year retention |
Validation
After completing the configuration, verify:
- M365 Copilot settings configured in Admin Center
- Sensitive sites excluded via Restricted Content Discovery
- Plugin governance workflow established
- Usage monitoring reports accessible
- Acceptable use policy published and communicated
- Test query against excluded content returns no results
- Usage analytics showing Copilot adoption metrics
Expected Result: M365 Copilot respects content exclusions, plugins are governed through approval workflow, and usage is tracked for governance reporting.
Monitor AI Subprocessor Changes
- Navigate to Microsoft 365 Admin Center
- Go to Settings > Microsoft 365 Copilot > Data and privacy
- Review the list of AI subprocessors
- Track changes at: Microsoft Copilot AI Subprocessor
Subprocessor Change Monitoring
As of January 2026, Anthropic was added as an AI subprocessor. FSI organizations should incorporate subprocessor tracking into their third-party risk management cadence and update vendor risk registers when changes are detected.
Updated: February 2026 | Version: v1.2