Chatting about Purview, eDiscovery, Copilot and more with Tom O’Connor
Just a little light conversation about eDiscovery, Microsoft 365, Copilot, etc., before you head out to your holiday weekend.
Here’s why this is such a big problem. Microsoft recommends blocking Copilot from accessing sensitive information in emails, meetings, documents, and related content by assigning a label to those items and creating a DLP policy that defines the block. This bug renders the system unusable for the affected emails. You simply can’t provide a governance tool that doesn’t deliver the governance it claims to provide. It’s a bad look, Microsoft. It doesn’t help build customer trust.
No, Copilot did not make these emails public or access private information and make it non-private. In response to your prompt, it accessed information that it should ignore. That creates a risk that many users might assume does not exist. That is a significant issue, but it’s not equivalent to a data breach. There is another check in place before data leaks out: the end user.
I think there are some opportunities in AI for completing tasks, but I also think there is a serious risk in taking action without proper oversight. I’ll be very interested in seeing how Microsoft gets this out to business customers.
We may never know if Microsoft is delaying this in response to privacy concerns voiced by its customers, but we do know that many customers had strong reservations about this feature. Yet another thing for law firms and other industries where confidential information is discussed in meetings to be aware of.
There is more detail in the announcement above, but the bottom line is this. You can get Defender and a range of E5 Purview tools for an additional $15 USD per month per user. With Business Premium costing $22 per month per user when paid annually, that’s a significant savings over a full E5 license if you have fewer than 300 users.
One of the tools he mentions is the Audit log, and I agree. It can be difficult in SharePoint and OneDrive to determine who saw a document and who didn’t, because there are often so many changes being made at once. It’s easy to get lost in an avalanche of versions and permissions that leave doubt as to whether something was even shared with a user during the time in question.
That’s where the audit log comes in. However, just because events are logged doesn’t mean they will still be there months from now. If you’re in a highly litigious industry, the retention and preservation of audit log data might be something worth considering.
This is a pretty significant change for many of us who had been concerned about vetting data protection agreements with Anthropic before allowing user access to the Claude option in Copilot Chat, and who’ve also watched new agents for Word, Excel, and PowerPoint roll out, but not to our tenants with Anthropic model access disabled.