Secure Microsoft 365 Copilot for small businesses

This article explains the differences in security and compliance controls between Microsoft 365 Copilot in Microsoft 365 Business Basic, Microsoft 365 Business Standard, and Microsoft 365 Business Premium. This article doesn't attempt to describe the full capabilities of Microsoft 365 Copilot, or the full security and compliance features in Business Basic, Business Standard, and Business Premium.

The following sections contain scenarios to help you better understand how security features in Business Basic, Business Standard, and Business Premium can help protect you when you're using Microsoft 365 Copilot.

Enable new levels of employee productivity while safeguarding company data and resources

How can companies enable new levels of employee productivity with tools like Microsoft 365 Copilot while safeguarding company data and resources?

  • Use the following capabilities in Business Basic or Business Standard to make sure that unauthorized employees can't use Microsoft 365 Copilot to gain access to information or confidential data in files that they don't have access to:

    • Sign in without a password, using multifactor authentication, to help ensure that only authorized users have access to data.
    • Ensure only enrolled, compliant devices can access Microsoft 365 resources with device-based conditional access.
    • Wipe all work content, including content generated by Copilot, if a device is lost, stolen, or compromised.
    • Revoke work access on noncompliant devices (except Windows devices).
  • Business Premium extends protection in the following scenarios:

    • Further prevent external bad actors from getting access to Microsoft 365 resources.
    • Protect against employee misuse of Microsoft 365 Copilot by creating conditions to grant internal access.
    • Reduce the ability of employees or external parties to inappropriately save or leak data outside the organization.

    The following capabilities in Business Premium lead to results in those scenarios:

    • Use biometrics to sign in to your Microsoft 365 account using Windows Hello for Business (enabled through Windows 11 Pro, which is available with Business Premium licenses).
    • Only grant access to Microsoft 365 resources when specific conditions (identity, device, and location) are met using user-based conditional access.
    • Require employees or guests to accept the terms of use policy before getting access to resources.
    • Restrict the use of the Microsoft 365 apps and Teams (and Copilot in these apps) on personal devices.
    • Prevent saving files to unprotected apps.
    • Restrict the ability to copy and forward confidential business information with data loss prevention for emails and files.

Keep sensitive or personal data from being exposed

How can companies ensure that sensitive or personal data isn't exposed when using Microsoft 365 Copilot?

  • Use the following capabilities in Business Basic or Business Standard to make sure that unauthorized employees can't use Microsoft 365 Copilot to gain access to information or confidential data in files that they don't have access to:

    • Change default sharing options in SharePoint and OneDrive.
    • Prohibit Microsoft 365 Copilot from including, in generated responses, sensitive data that users don't have permission to view.
    • Exclude sensitive files that users don't have permissions to view from being processed by Copilot.
  • Business Premium further extends the protection of sensitive data by requiring sensitivity labels for Microsoft 365 content. These labels help ensure that only employees with specific permissions can use Microsoft 365 Copilot to access, generate, or share sensitive data. Matching sensitivity labels are automatically applied to any content generated by Microsoft 365 Copilot.

    The following capabilities in Business Premium lead to those protections:

    • Protect Microsoft 365 data from being accessed by unauthorized users by implementing manual, default, and mandatory content labeling.
    • Microsoft 365 Copilot automatically inherits and applies sensitivity labels that match any queried material or references.

Support regulatory compliance and eDiscovery requests

How can companies monitor interactions with Microsoft 365 Copilot and support related regulatory compliance or eDiscovery requests?

  • In Business Basic or Business Standard, companies can achieve the following results:

    • Monitor, search, and export employee interactions with Microsoft 365 Copilot, and any content generated by Microsoft 365 Copilot.
    • Define how long content generated by Microsoft 365 Copilot should be retained within Microsoft 365.

    The following capabilities in Business Basic or Business Standard lead to these results:

    • Search for and export Copilot interactions by content and keyword search.
    • Maintain a log of all Microsoft 365 Copilot interactions within the organization.
    • Apply retention or deletion policies for Copilot interactions and any generated content.
  • Business Premium further extends the support for investigations or other legal processes by applying a legal hold to material associated with Microsoft 365 Copilot.

    In Business Premium, use eDiscovery (Standard) to search for Copilot interactions by content and keyword, create cases, assign case managers, apply legal holds, and export the search results to investigate incidents and respond to litigation.
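As an added example (not code from the article or from Microsoft), the following Python script shows how a defender might review an exported Copilot audit log, the same record set that the monitoring, retention, and eDiscovery capabilities above operate on: it counts interactions per user and flags those that touched content carrying a sensitivity label. The sample records are constructed; the CopilotEventData, AccessedResources, and SensitivityLabelId field names are assumed from the CopilotInteraction audit schema, and the user names and label IDs are placeholders.

```python
import json
from collections import Counter

def _record(user, app_host, resources, operation="CopilotInteraction"):
    """Constructed audit record in export shape: AuditData is a JSON string."""
    audit = {"Operation": operation, "UserId": user, "CopilotEventData": {
        "AppHost": app_host, "AccessedResources": resources}}
    return {"RecordType": "CopilotInteraction", "UserId": user,
            "Operation": operation, "AuditData": json.dumps(audit)}

# Constructed sample; users, file names and label IDs are placeholders.
SAMPLE_RECORDS = [
    _record("alice@contoso.example", "Word", [{"Name": "Q2-plan.docx",
            "Type": "Document", "SensitivityLabelId": "LABEL-CONFIDENTIAL-PLACEHOLDER"}]),
    _record("alice@contoso.example", "Teams", []),
    _record("bob@contoso.example", "Outlook", [
        {"Name": "status.eml", "Type": "Email", "SensitivityLabelId": ""},
        {"Name": "payroll.xlsx", "Type": "Document", "SensitivityLabelId": "LABEL-HR-PLACEHOLDER"}]),
    _record("bob@contoso.example", "Word", [], operation="FileAccessed"),
]

def parse_audit_data(record):
    """AuditData is a JSON string in exports; tolerate an already-parsed dict."""
    data = record.get("AuditData") or {}
    return json.loads(data) if isinstance(data, str) else data

def labeled_resources(record):
    """Accessed resources that carry a sensitivity label (assumed field names)."""
    event = parse_audit_data(record).get("CopilotEventData") or {}
    return [r for r in event.get("AccessedResources", []) if r.get("SensitivityLabelId")]

def summarize(records, watch_labels=()):
    """Return (interactions per user, interactions that touched labeled content)."""
    per_user, flagged = Counter(), []
    for rec in records:
        if rec.get("Operation") != "CopilotInteraction":
            continue  # other workloads share the same export; skip them
        per_user[rec["UserId"]] += 1
        hits = labeled_resources(rec)
        if hits:
            labels = sorted({r["SensitivityLabelId"] for r in hits})
            flagged.append({
                "user": rec["UserId"],
                "app": parse_audit_data(rec)["CopilotEventData"].get("AppHost"),
                "labels": labels,
                # labels listed in watch_labels are the ones to review first
                "watch": any(lbl in watch_labels for lbl in labels)})
    return per_user, flagged
```

Feed it the records returned by an audit log search for the CopilotInteraction record type (one dict per row, AuditData as the JSON string the export contains) and pass the label IDs of your most restrictive labels as watch_labels.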

Appendix

The available security and compliance features related to Microsoft 365 Copilot in Business Basic, Business Standard, and Business Premium are summarized in the following tables:

  • Identity and Access Management (Microsoft Entra ID):

    Scenario | Business Basic | Business Standard | Business Premium
    Sign in to Microsoft 365 Copilot with a single identity
    Enforce MFA when accessing Microsoft 365 to use Copilot
    Enable end-user password reset, change, and unlock when accessing Microsoft 365 Cloud users Cloud users
    Implement Conditional Access policies based on identity, device, and location when accessing Microsoft 365 to use Copilot
    Enable near real-time access policies enforcement, evaluate critical events, and immediately revoke access to Microsoft 365
    Require employees or guests to accept terms of use policy before getting access
  • Endpoint Management (Basic Mobility and Security or Intune):

    Scenario | Business Basic | Business Standard | Business Premium
    Push/deploy Microsoft 365 apps to devices and grant access to Copilot in those apps
    Manage Microsoft 365 app updates
    Restrict the use of Microsoft 365 apps and Teams (and Copilot in those apps) on personal devices
    Prevent saving files (including files generated by Copilot) to unprotected apps
    Wipe all work content (including content generated by Copilot) if a device is lost, stolen, or compromised
    Revoke work access on noncompliant devices iOS, Android
  • Data Security and Compliance (Information Protection):

    Scenario | Business Basic | Business Standard | Business Premium
    Search for Copilot generated data and interactions with eDiscovery capabilities | Search and export results | Search and export results | + Case management and legal hold
    Audit logs for Copilot interactions | Audit (Standard) | Audit (Standard) | Audit (Standard)
    Apply a manual retention policy for Copilot interactions
    Data loss prevention (DLP) policies to protect sensitive data generated by Copilot and saved in Microsoft 365 locations from exfiltration Files and email
    Inherit sensitivity labels and cite sensitivity labels in output and references in Copilot
    Prohibit Copilot from including sensitive data that users have no extract permissions for
    Exclude sensitive files that users have no permission to view from being processed by Copilot
    Manually label and protect Microsoft 365 content used by Copilot Files and email