(music) How is your data protected
when using Microsoft Copilot, and how do you get ready for it? Well, in the next few minutes, with Copilot for Microsoft 365, now more broadly available to
organizations of all sizes, I'll unpack how you can
securely take advantage of generative AI across
Microsoft 365 app experiences. And I'll also go through the steps and resources to deploy it at scale. Now, if you're new to
Copilot for Microsoft 365, it lets you use natural language prompts to interact with your organization's data and generate personalized
content and responses with relevant insights that are
unique to your work context. While you only see the generated response in your original prompt, behind the scenes
Copilot for Microsoft 365 interprets your request, and if necessary, will find information you have access to within your organization
from your work files sitting in SharePoint and OneDrive, as well as email and calendar
via the Microsoft Graph. And it presents this information
as additional context along with your original prompt
to the large language model to generate a personalized
and informed response. And even though none of
this information is retained by the large language model, to securely take full
advantage of generative AI, you can and should protect
data at every stage from the information
contained in the user prompt to the information retrieved based on user access permissions, and the generated response itself so that sensitive data is
not inadvertently exposed when it shouldn't be. And the good news is controls for security and privacy over your
data exist at every stage, and will leverage the sensitivity labels and the corresponding policies that you've already got in place. Now, I'll start by showing
you a couple of examples of the benefits of these data
protection controls in action, and then I'll show you how to configure them yourself as an admin. In this case, I'm using
Copilot in microsoft365.com. I'll prompt it to list the key points from the Contoso purchase agreement, and the information
that was retrieved shows the sensitive label for the
document that it referenced. Now to be clear, this is a file that I
have explicit access to. And if I move over to the
source document itself, you can also see the
confidential sensitivity label was previously applied to it. So you saw how Copilot
was able to inform me of the sensitivity of the
document that it retrieved all as part of its response. Now, let's see how it works for content generation
using Microsoft Word. So here I'm going to
prompt Copilot in Word to generate a confirmation letter that's based on the
same purchase agreement with the sensitivity
label that we saw before. And right after I referenced
that protected document, you'll see that with
this shield icon here, it immediately recognizes
this as a sensitive file. So now I'm going to hit generate, and it will author a
draft confirmation letter for the purchase agreement. Notice that when it's completed
the confirmation letter, because the originating document
has a confidential label, that same label is automatically applied to the generated file as shown in the information
bar above the document. So the protection is inherited from the labeled source material. So as an admin, what are the steps then it
takes to protect your data? Well, it all starts by looking at your data access permissions and applying the principles
of just enough access as well as least privileged for information across
your entire data estate. And one of the first recommended steps that you can take as a
Microsoft 365 administrator is to review SharePoint site access, prioritizing the sites containing the most sensitive information. Now, here you can start
by looking for sites that have their privacy set to public, which means that all employees
can discover and access them. And from there, you can require that site
owners verify ownership as well as who should
be members or visitors of these sites to limit access. Then for content
classification and labeling, one of the simplest
controls to put in place is to classify files automatically saved to sensitive locations, as you can see here with
the site owner controls for this document library. Now, that means that any
content created in that location will get the label applied automatically and corresponding policies can lock files down to the right people. Then for another easy test to see you can use Search and Microsoft 365 you can use Search and Microsoft 365 even before you deploy Copilot to evaluate whether different users can discover and access sites or files that they should not have access to. The labels and classifications
applied in those locations are configured and managed
using Microsoft Purview. In fact, let me show you those controls as well as additional
more advanced controls to protect your data
using its auto labeling and data loss prevention capabilities. The labels you apply in Microsoft Purview can automatically help you discover, limit the sharing radius, and apply encryption
directly using policies. These can also be applied
based on the content within the documents
using data loss prevention or DLP policies with
sensitive information types. So here for example,
I've started a DLP policy for personally identifiable information, and I've added a few sensitive
information types already. And I can add even more
with over 300 options here for things like banking
numbers, addresses, identification types, tax
information, and more. Additionally, using trainable classifiers, there are dozens of
built-in document types that I can choose from,
including source code, healthcare, HR, and more
to auto apply labels. Then moving on to device restrictions, I can also set up endpoint
DLP policies to prevent users from copying sensitive
data to their clipboards and then, for example, into
unapproved AI assistance sites. Next, beyond data protection policies, let me explain how Copilot
for Microsoft 365 activities can all be audited. Using content search in Microsoft Purview, all activity from Copilot for
Microsoft 365 is discoverable as you can see here. Retention policies can also be used to retain content and
prompts and responses, and then retained based
on your requirements. E-discovery is also supported
for Copilot interactions as you can see here
with this case example. And communication and compliance will likewise flag any content with
established policy matches like the one you see here
for codename Obsidian. Of course, another important consideration is how data is processed and where it resides when using
Microsoft Copilot services. Microsoft hosts and operates
large language model instances in Microsoft data centers and will never use your data
to train large language models. And data residency with Microsoft Copilot is consistent with Microsoft
365 and the locations where your data is already
stored and processed today. Which means that if your organization is based in the European Union, Copilot data is likewise stored and processed within the EU data boundary like the rest of your data. Additionally, the Microsoft
Copilot copyright commitment means that content generated using Copilot also comes with legal
protections for Microsoft. Now, let's move on to how you
can fine tune policy settings and configurations for
Copilot as an admin. And for that, we've added new controls in Microsoft 365's admin center, including links to many of the tools and concepts I've shown today. So here you can see the status
of your Copilot assignments as well as the latest
information on Copilot. Under settings, you can find what you need to manage Microsoft Copilot experiences found in Bing, the Edge
browser, and in Windows, as well as deep links to many of the data security
and compliance controls. Next, admin controls to submit feedback about Copilot for Microsoft 365
services on behalf of users, then configurations for plugins and their permissions from
the integrated apps page, as well as tenant wide controls to allow the public web to
be used as grounding data in Copilot for Microsoft 365 and more. Now, with the right protections
and configurations in place, you can take full
advantage of generative AI and start deploying Copilot for Microsoft 365 services at scale. Now, this starts with ensuring that you've got the right
Microsoft 365 services in place. And recently this was expanded
to organizations of all sizes with Microsoft 365 Business
and Enterprise Suites, as well as faculty members for Microsoft 365 Academic suites. Next, for Copilot capabilities to light up in Microsoft 365 apps, using the Microsoft 365 apps admin center at config.office.com,
you'll want to deploy either monthly enterprise,
current channel, or current channel preview. From there, from the Microsoft
365 admin center under setup, you can use the "Get ready
for Microsoft Copilot for Microsoft 365" setup guide to configure any remaining items, and it walks you through many
of the steps I just presented to prepare your organization. From here, you can even
assign Copilot licenses to users and groups in
scope for your deployment and send a welcome email to help them get started with Copilot. And with services deployed, a best practice for driving
and improving adoption is to establish an internal community of Microsoft Copilot users. And the Copilot hub at
adoption.microsoft.com/copilot gives you additional resources by role to help users learn about and
get the most from Copilot. So that was an overview of
how security and privacy with Copilot for Microsoft 365 works, and how you can get ready for
Copilot in your organization. For more deep dives on other
Microsoft Copilot tech, checkout aka.ms/M365CopilotMechanics, And keep checking back
for the latest AI updates Thanks for watching. (music)
