web
You’re offline. This is a read only version of the page.
close
Skip to main content

Announcements

Welcome to the Power Platform Communities
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Copilot Studio / Data Security and Cont...
Copilot Studio
Suggested Answer

Data Security and Controlled Access to SharePoint and Dataverse

(0) ShareShare
ReportReport
Posted on by AskAlma 15
How can we govern and control Copilot deployments across multiple environments to ensure data security and avoid unintended access to sensitive SPO or Dataverse content?
Categories:
Bot administration
Topic creation & management
General topics
I have the same question (0)
  • Prasad-MSFT Profile Picture
    Prasad-MSFT Microsoft Employee on at
    Governing and controlling Copilot deployments across multiple environments is essential for data security and compliance, especially when sensitive SharePoint Online (SPO) or Dataverse content is involved. Here are best practices and controls you should implement:
    1. Use Separate Environments
    Dev, Test, Prod:
    Create distinct Power Platform environments for development, testing, and production.
    Environment Security:
    Restrict who can create, modify, or publish Copilot agents in each environment.
    2. Environment-Level Data Policies
    Data Loss Prevention (DLP) Policies:
    Use Power Platform DLP policies to control which connectors (e.g., SharePoint, Dataverse) can be used together and to block risky data flows.
    Connector Restrictions:
    Limit access to sensitive connectors in non-production environments.
    3. Role-Based Access Control (RBAC)
    Environment Roles:
    Assign roles (Admin, Maker, User) carefully in each environment.
    Least Privilege:
    Only grant access to those who need it.
    4. Secure Knowledge Sources
    SharePoint/Dataverse Permissions:
    Ensure that only authorized users and service principals have access to sensitive sites, lists, or tables.
    Row-Level Security:
    Use Dataverse security roles and field-level security to restrict data access.
    5. Monitor and Audit
    Audit Logs:
    Enable auditing in Power Platform, SharePoint, and Dataverse to track access and changes.
    Usage Analytics:
    Regularly review who is using Copilot agents and what data is being accessed.
    6. Review and Approve Deployments
    Change Management:
    Require peer review and approval before publishing Copilot agents to production.
    Solution Packaging:
    Use managed solutions to move agents between environments, ensuring only approved versions are deployed.
    7. Limit Knowledge Base Scope
    Curate Knowledge Sources:
    Only add necessary SharePoint sites, lists, or Dataverse tables as knowledge sources.
    Regular Review:
    Periodically review and remove outdated or unnecessary knowledge sources.
  • Suggested answer
    11manish Profile Picture
    11manish 2,286 on at
    Governing Copilot across environments (DEV / TEST / PROD) is now a critical architecture responsibility—especially with risks around SharePoint (SPO) and Dataverse data exposure in Microsoft Copilot Studio and Microsoft Power Platform.
     
    Below is a practical, enterprise-grade governance model you can implement.
     
    1. Environment-Level Governance
    • Managed Environments: Use the Power Platform Admin Center to enable Managed Environments. This allows you to restrict which users can publish apps with Copilot capabilities and provides "Usage Insights" to see where AI is being used.
    • Environment Routing: Direct new makers to a "Developer" environment with strict Data Loss Prevention (DLP) policies, preventing them from accidentally building Copilot tools against Production Dataverse tables.
    • Tenant Settings: In the M365 Admin Center, you can toggle Copilot for specific security groups. This allows for a "Ringed Deployment" (e.g., IT first, then HR, then Finance) rather than a tenant-wide "big bang" release.
    2. Controlling SharePoint (SPO) Content Access
    • The "Over-sharing" Audit: Use Microsoft Purview to run a "Data Access Report." This identifies sites shared with "Everyone except external users," which is the most common cause of sensitive data leaking into Copilot responses.
    • Restricted SharePoint Search: You can exclude specific highly sensitive sites (like Payroll or Legal) from being indexed by Copilot entirely, even if the user has access.
    • Sensitivity Labels: Apply Sensitivity Labels (via Purview) to documents. You can configure Copilot to ignore files labeled as "Highly Confidential" or prevent it from summarizing them.
    3. Securing Dataverse Content
    • Row-Level Security: Ensure your Security Roles are tightly defined. If a user shouldn't see "Salary" rows in a table, Copilot won't see them either.
    • Column-Level Security: Use Column-Level Security for sensitive fields (e.g., SSNs). Copilot will return a null value or a "Permission Denied" if it tries to access a masked column.
    • DLP Policies (Connectors): Configure DLP policies to categorize the "Microsoft Copilot" and "HTTP" connectors. This prevents users from building custom Copilots that "leak" Dataverse data to non-authorized external services.
    4. Monitoring and Auditing
    • Purview Audit Logs: Monitor the Copilot Interaction events in the Unified Audit Log. This tells you who asked what, and which files Copilot accessed to provide the answer.
    • AI Hub (Preview): Use the new AI Hub in the Power Platform Admin Center. It provides a centralized dashboard to see which AI models are active, which DLP policies are impacting them, and identifies potential security risks.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities

Quick Links

Introducing the 2026 Season 1 community Super Users

Congratulations to our 2026 Super Users!

Kudos to our 2025 Community Spotlight Honorees

Congratulations to our 2025 community superstars!

Congratulations to the April Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Copilot Studio

#1
Valantis Profile Picture

Valantis 813

#2
Vish WR Profile Picture

Vish WR 313

#3
Haque Profile Picture

Haque 271

Last 30 days Overall leaderboard

Featured topics

Announcing the "Microsoft Copilot Studio ❤️ MCP" lab
Block PII/PCI in Copilot Studio agent user prompt

Product updates

Microsoft Power Platform Community release plans