Introduction
Over 2024 I’ve had the pleasure of delivering this session at several different events. For those who have attended and those who haven’t, here it is in blog post format. As the feature set has evolved, so has the feature coverage. This blog was written on December 1st, 2024 and uses the latest information available at the time.
A note about ALT text in this article. Where images are described in the main text, no ALT text description has been added.
The Wave
First let me define what I mean by ‘The Wave’.
We exist in a world where we manage or work with a continuously changing landscape: new tools are being released, an Evergreen feature set has new features rolling out regularly, and the adoption of these tools & features is regularly user driven. This presents a challenge for data security and implementing good governance.

Image by Copilot in PowerPoint using the prompt “Generate an image of really big wave dwarfing all the other waves around it. Do not add any land or boats, just the waves in a sunny ocean scene”
Are you Swamped by the Wave?
And in terms of the evergreen nature, let’s put some numbers on this. These stats are taken from a regular review of the M365 public roadmap, carried out at intervals over the past year and looking back up to 3 months. Over that time there has been an average of approx. 125 items added and 101 features rolled out every month, with Microsoft Teams, Microsoft 365 Apps and Purview making up approx. 60% of the updates on the roadmap at any one time.
| Review | Items Added | Rolled Out | Total Items |
| Nov 2023 | 372 | 312 | 1,753 |
| Feb 2024 | 318 | 214 | 2,022 |
| June 2024 | 399 | 297 | 1,747 |
| Sept 2024 | 246 | 331 | 1,717 |
| Nov 2024 | 287 | 167 | 1,771 |

Graph created using images of the Stockholm City Hall Towers, as drawn by Copilot, to show total items on the roadmap. It is not to scale.
What is Purview?
Fortunately, in facing the wave of change and the challenges we have a partner in Microsoft Purview.
Purview is a combination of Microsoft 365 compliance and governance solutions and Azure Purview features which can be deployed across your Microsoft Cloud implementation and beyond to help you discover, govern, protect, and manage your data. The aim is to increase data security and mitigate risks associated with the data we hold in our systems.

Image Source: https://learn.microsoft.com/en-us/purview/purview?WT.mc_id=M365-MVP-5004583
The key features of Purview when considering Microsoft 365 based tools are:
- Data Lifecycle Management/Records Management
- Data Loss Prevention
- Information Protection
- eDiscovery
- Audit
- Insider Risk Management
- Communication Compliance
- Data Security Posture Management for AI (previously AI Hub)

6 Key Considerations
For each conference this section has been themed. In the final delivery of 2024, I used Swedish Folklore as the event took place in Stockholm, Sweden.
In Swedish Folklore Nacken and Huldra are mythical beings, both of whom are fabled to guide people into danger. However, today they are helping us with the 6 key things we need to consider when governing any tool in M365:
- Where is the data stored?
- Which Microsoft 365 compliance, security, privacy and access controls work with the product & its data storage?
- Which of those features are included in our licences?
- What technical controls do we want to place on our users using the Microsoft 365 features?
- Are there any additional controls we need in place, e.g. via usage policies and procedures?
- Will this survive the users? Training!!!

Image created with Copilot using the prompt “An image of Näcken and Huldra using a dark blue and yellow theme”
Verifying the statements with Copilot:
Is this a true statement based on information on the web about Swedish Folklore “In Swedish Folklore Nacken and Huldra are mythical beings both of whom are fabled to guide people into danger”
Yes, the statement is true based on information available on the web. In Swedish folklore, both Nacken and Huldra are mythical beings known to guide people into danger. The Huldra, a forest spirit with unparalleled beauty and an elusive cow’s tail, captivates unwary travellers with her charm. Similarly, the fabled Näcken, haunting Sweden’s streams and rivers, plays enchanting melodies on his violin, luring listeners to a watery fate.
References: Swedish Folklore Creatures: Enchanting Beings from Nordic Myths
Let’s look at each of these in respect of Viva, Loop & Copilot
Microsoft Viva
When considering governing Microsoft Viva with Purview, it’s important to remember that Viva builds on top of the existing Microsoft 365 tools (Microsoft Teams, Exchange Online, SharePoint Online, Viva Engage Cloud Storage and Azure).
As Viva builds on these services it is correct to assume that the majority of the governance options we have for Viva are the same as for these tools. But let’s not forget the key considerations. For each organisation, licences, business requirements, policies & procedures and user training will be decided on a case-by-case basis, but we can consider globally the data locations and Purview features which apply.
Primary Data Locations for Viva Tools

This table and image show primary storage locations used. The table is taken from https://learn.microsoft.com/viva/viva-privacy?WT.mc_id=M365-MVP-5004583#data-residency
| Viva app | Where the data resides |
| Viva Amplify | Data is stored in the data center where the associated Microsoft 365 tenant resides. If your organization is using SharePoint, Amplify follows the SharePoint data residency policy. |
| Viva Connections | Data is stored in the data center where the associated Microsoft 365 tenant resides. For tenants located in Germany or the EU, none of the data is transferred to a third country. Note: Data from third-party apps is governed by the data and privacy agreements for those apps. This information applies to data from Microsoft apps. |
| Viva Engage | Committed to storing message bodies and files attached to messages at rest within a specific geographical area (Geo). Data is stored in either Engage cloud storage or SharePoint. Files saved in SharePoint are stored in SharePoint Online per your SharePoint Online data residency policy. Mobile push notifications require sending data to a third-party notification service (Apple or Google), which might be outside your Geo. |
| Viva Glint | The data region for Viva Glint is determined by the default geography of the tenant, not individual users, and is stored in US or EU data centers based on central tenant location. |
| Viva Goals | Data for customers located in the European Union Data Boundary (EUDB) or the United Kingdom is stored in data centers located in the EU. The data for all other tenants is stored in data centers located in the United States. |
| Viva Insights | Personal insights – Processed and stored in the employee’s Exchange Online mailbox. Data residency is based on the employee’s mailbox location. Manager/Leader/Advanced Insights – The data region for Manager/Leader and Advanced is determined by the Default Geography of the tenant, not individual users. Data at Rest (header info and metadata sourced from Exchange Online and Teams, but not message content or attachments) is stored in US, EU, EMEA, APAC based on central tenant location. |
| Viva Learning | Viva Learning doesn’t store any personal data since usage and consumption data is aggregated. Integration with SharePoint is currently only supported for sites hosted from the home geography of the tenant. For example, a French tenant can only link SharePoint sites hosted in France to Viva Learning. |
| Viva Pulse | Data for customers located in the European Union Data Boundary (EUDB) is stored in data centers located in the EU. The data for all other tenants is stored in data centers located in the United States |
When exploring further into Viva Pulse you find that Pulse instances and the responses are stored in Microsoft Forms, so the data residency for Microsoft Forms becomes applicable. In addition, templates are stored in an Azure Cosmos DB which is either in West US or EU, “depending on tenant hosting location”. https://learn.microsoft.com/en-us/viva/pulse/get-started/data-residency-for-viva-pulse?WT.mc_id=M365-MVP-5004583
Purview Features Which Apply – Microsoft Viva
| Feature / Product | Viva Connections | Viva Learning | Viva Insights | Viva Amplify | Viva Pulse | Answers in Viva | Viva Engage |
| Data Lifecycle Management / Record Management | Y | Y | Y | Y | Y | Y | |
| Data Loss Prevention | Y | Y | Y | Y | |||
| Information Protection | Y | Y | Y | Y | |||
| eDiscovery | Y | Y | Y | Y | Y | Y | Y |
| Audit | Y | Y | Y | Y | Y | Y | |
| Insider Risk Management | Y | Y | Y | Y | Y | Y | |
| Communication Compliance | Y | Y | Y | Y |
Viva Glint & Goals are not included in table as none apply.
Viva Connections content is all SharePoint, so that content is covered.
Viva Goals content is stored in Azure but no direct management of the content via Purview.
Viva Learning custom content is SharePoint & fully covered. No Viva Learning specific controls, incl over user data. Usage data is stored for 6 months and reporting is available see https://learn.microsoft.com/en-us/viva/learning/reports?WT.mc_id=M365-MVP-5004583
Viva Amplify content is sent as emails/teams messages/SharePoint pages (Viva Engage messages coming soon). Therefore, the controls for those objects apply once created and published using Viva Amplify. The campaign is a Team, and it can be managed using the M365 groups/teams controls.
Viva Glint content is stored in Azure but no direct management of the content via Purview
Viva Pulse uses Microsoft Forms. There is no direct control for Forms data in Purview, but there is some coverage of Forms data with eDiscovery. See: https://support.microsoft.com/en-gb/office/gdpr-information-e9fe9fac-20cf-4298-a138-d6a1b8dc6108
Viva Engage and Answers in Viva, which is a Viva Engage feature, are covered by eDiscovery and Data Retention; sensitivity labels and data loss prevention aren’t supported for Viva Engage Communities. Messages in Viva Engage can be included in Insider Risk and Communication Compliance policies.
Microsoft Loop
Microsoft Loop is a collaborative tool designed to enhance teamwork and productivity. I often think of it as a cross between OneNote and Teams and find it fits perfectly into collaborative note taking and research style activities. It provides a platform where users can create, manage, and share content in a seamless and organized manner but without a predefined structure like that of a document, spreadsheet or database.
It consists of several key features:
- Loop App. The Loop app is a unified interface to access all Loop components, workspaces, and pages.
- Workspaces. A workspace can contain multiple pages, links and components.
- Pages. Within a workspace, pages act as individual documents or sections where users can create, edit, and collaborate on content.
- Components. Components are the building blocks of Microsoft Loop. They include various elements such as text, tables, lists, and more, which can be embedded within pages, Teams messages, emails, whiteboard and documents. Components are dynamic and can be updated in real-time, ensuring that all collaborators have access to the latest information.
Where does Loop store its data?
Where Loop content is stored impacts the features and management capabilities available. Microsoft Loop uses SharePoint, OneDrive, and SharePoint Embedded, which means that most of these capabilities work just like existing files in your ecosystem.
Where the Loop content was originally created determines its storage location:
| Loop content originally created in | Workspace SharePoint Embedded | Team SharePoint Site | User’s OneDrive | SharePoint Embedded (User Dedicated) |
| Loop app | in Loop workspace | | | |
| Teams channel meeting | | in Channel folder | | |
| Teams channel | | in Channel folder | | |
| Teams private chat | | | in Microsoft Teams Chat files folder | |
| Teams private meeting | | | in Meetings folder | |
| Outlook email message | | | in Attachments folder | |
| OneNote for Windows or for the web | | | in OneNote Loop files folder | |
| Whiteboard | | | in Whiteboard\Components folder | |
| Microsoft 365 Copilot Business Chat – Copilot Page | | | | .loop file in a per user container |
To read more about Loop storage visit Microsoft Learn | Summary of governance, lifecycle, and compliance capabilities for Loop

Purview Features Which Apply – Microsoft Loop
The coverage of Microsoft Loop with Purview features has extended significantly over 2024. Full details are available on Learn. https://learn.microsoft.com/en-us/microsoft-365/loop/loop-compliance-summary?view=o365-worldwide&WT.mc_id=M365-MVP-5004583#loop-storage
With Microsoft Purview only Insider Risk Management and Communication Compliance do not directly apply to Loop, though actions involving Loop content which match policies in those tools are detected.
| Feature / Product | Component in OneDrive | Component in SharePoint | SharePoint Embedded |
| Data Lifecycle Management / Record Management | Y | Y | Y |
| Data Loss Prevention | Y | Y | Y |
| Information Protection | Y | Y | Y |
| eDiscovery | Y | Y | Y |
| Audit | Y | Y | Y |
| Insider Risk Management | | | |
| Communication Compliance | | | |
With retention and records management, both policies and labels work with Loop files. However, to apply a retention policy to a SharePoint Embedded container you must find the URL from the SharePoint Admin Center first (under Containers, not sites). It is also important to note that contents in SharePoint Embedded containers are covered by automatic labelling policies for both retention/records labels and sensitivity labels; however, there is currently no user experience to apply retention/records labels to items in SharePoint Embedded containers.
With Sensitivity Labels the end user experience is rolling out and users will see the shield icon on Loop pages to apply & change sensitivity labels. To apply a label to a component, you will have to follow the link to the component and view it in its own page. Currently only Admins can apply sensitivity labels to containers via the SharePoint Admin Center, though the end user functionality is rolling out at the time of writing for Loop workspaces.
Microsoft Copilot

AI is one of the biggest ever drivers of digital change. Since its launch Microsoft Copilot has changed the discussions about Purview. It seems to me as if the launch of Microsoft 365 Copilot is doing for data security / information governance / compliance what the COVID pandemic did for Microsoft Teams. Suddenly organisations are starting to see the very real benefits of adopting and configuring the features they have available. This time it is to secure the data and other information they are responsible for.
Data Locations for Microsoft Copilot
Where data is drawn from depends on how organisations configure Microsoft Copilot graph connectors, plugins and agents etc. The information available to users is ‘security trimmed’ in that they only see information from sources they have permissions to.
However, interactions with Copilot are stored in a very similar fashion to Teams chat messages. Evidence for this can be seen in the fact that we are just seeing the rollout of the separation of Copilot interactions and Teams chats from a retention perspective.
Purview Features Which Apply – Microsoft Copilot
In this section we’ll be looking specifically at where features apply directly to Microsoft Copilot and Microsoft 365 Copilot interactions and data access from the perspective of ‘governing’ the features. This table summarises those key benefits for the governance of Copilot and includes the icon for the feature in the new Purview Portal.
| Purview Feature | Benefits |
| Data Lifecycle Management/Records Management | • Retain Important Information, Clear Clutter • Retain Copilot Interactions |
| Data Loss Prevention | • Control Sharing of New Content • (Coming Soon) DLP For Microsoft 365 Copilot |
| Information Protection | • Restrict Availability of Content for Responses • Visual Sensitivity Markers on Responses & New Content |
| eDiscovery | • Review Copilot Interactions |
| Audit | • Monitor Copilot Interactions |
| Communication Compliance | • Detect & Review Prompt and Response for Inappropriate/Risky requests |
| Data Security Posture Management (DSPM) | • Combines DLP, MIP, IRM & Communication Compliance Insights • Recommended Actions to strengthen configurations • Usage Monitoring & Trends |
Retention
Originally the retention of Copilot interactions was managed alongside Teams Chat messages, as per this policy from January 2024.

This policy, created prior to Nov 2024, covered both Teams Chats & Copilot Interactions. After Nov 2024 it could no longer be edited and showed ‘No locations’ in the locations covered.
To retain Copilot interactions going forward a new retention policy covering Microsoft Copilot Experiences is needed.

This policy offers Copilot experiences and from the details shows that it covers both the Microsoft 365 Copilot and Copilot Studio app groups by default.

So, for those of you who manage retention policies, your job now is to separate the policies by creating two new policies: one which only covers Teams Chats and one which only covers Copilot experiences. Once the new policies are in place the old ones can be disabled.
Sensitivity Labels
Sensitivity labels or Microsoft Information Protection (MIP) in conjunction with permissions helps you control data security. This includes when working with Copilot. Copilot uses existing controls to ensure that data stored in your tenant is never returned to the user or used in a response to the user if the user doesn’t have access to that data. When the data has sensitivity labels from your organization applied to the content, there’s an extra layer of protection.
Sensitivity Label Display on Responses
When Copilot uses content with a sensitivity label applied as a source for the response, the label is displayed on the response. Where multiple labels are used across the information sources used the highest priority label is displayed.

Here I created a new (demo) file, which has the words ‘Microsoft Purview’ on the title page, and manually assigned it a high priority sensitivity label called Contains Personal Data. As you can see, the list of files is the same except for the Demo_SuperSensitive presentation, which has the label assigned, and this means the whole response gets that label displayed.

Where a file is created based on one or more files, the label is applied to the newly created file. Where multiple labels are used across the information sources used the highest priority label is applied.

Sensitivity Labels to Control Access
There are a lot of nuances to these options and it is important for admins to familiarise themselves with the guidance and keep up to date with any changes in this. See https://learn.microsoft.com/en-us/purview/ai-microsoft-purview-considerations?WT.mc_id=M365-MVP-5004583#information-protection-considerations-for-copilot for details.

First, Copilot uses the Extract permission. If a Sensitivity Label assigns permissions other than View, functionality is limited. When a user has this content open in an app, they won’t be able to use Copilot. Copilot won’t summarize this content but can reference it with a link so the user can then open and view the content outside Copilot.
In June 2024 Microsoft also introduced a sensitivity label option to block content services. This setting restricts Copilot’s access. The setting is supported by Microsoft 365 Apps v2406 and later.
Note that other services including PowerPoint Designer, Automatic Alt Text and DLP Policy Tips also use the content analysis service. So, these services will be impacted by applying this label.
This is an advanced protection setting, which is primarily set with PowerShell. See https://learn.microsoft.com/en-us/purview/sensitivity-labels-office-apps?WT.mc_id=M365-MVP-5004583#prevent-some-connected-experiences-that-analyze-content
Please note that this sensitivity label feature only blocks the use of Copilot within this specific file. Copilot can still reference this file, so other apps can reference the file including the Copilot app itself.
| Connected experiences | Apps |
| Acronyms | Word |
| Automatic alt txt | Word, PowerPoint, Excel, Outlook |
| Automatically apply or recommend sensitivity labels | Word, PowerPoint, Excel, Outlook |
| Microsoft 365 Copilot | Word, PowerPoint, Excel, Outlook |
| Microsoft Purview Data Loss Prevention policy tips | Outlook |
| PowerPoint Designer | PowerPoint |
| Similarity checker | Word |
| Suggested replies | Outlook |
| Translator | Word, PowerPoint, Excel, Outlook |
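The label setting that blocks the content analysis service, described above, can be applied and checked from Security & Compliance PowerShell. This is an added example, not part of the original session: it assumes the ExchangeOnlineManagement module, an account allowed to manage sensitivity labels, and the demo label name used earlier, and the way it reads the `Settings` property is an assumption about how your module version renders it.

```powershell
# Added example, not from the original post.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account is allowed to manage sensitivity labels.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Label name from the demo earlier in this post; replace with your own label.
$labelName = 'Contains Personal Data'

function Test-ContentAnalysisBlocked {
    param([Parameter(Mandatory)] $Label)
    # Assumption: Settings comes back as a list of "[key, value]" entries.
    # -match is case-insensitive, so key casing does not matter.
    [bool]($Label.Settings |
        Where-Object { "$_" -match 'blockcontentanalysisservices,\s*true' })
}

# 1. Baseline: which labels already block the content analysis service?
Get-Label |
    Select-Object DisplayName, Priority,
        @{ Name = 'BlocksContentAnalysis'
           Expression = { Test-ContentAnalysisBlocked -Label $_ } } |
    Sort-Object Priority |
    Format-Table -AutoSize

# 2. Turn the setting on for the chosen label.
Set-Label -Identity $labelName `
    -AdvancedSettings @{ BlockContentAnalysisServices = 'True' }

# 3. Read the label back and confirm the setting is present.
$updated = Get-Label -Identity $labelName
if (Test-ContentAnalysisBlocked -Label $updated) {
    Write-Output "Content analysis services are blocked for '$labelName'."
}
else {
    Write-Warning "Setting not found on '$labelName'; inspect `$updated.Settings."
}

# Rollback: an empty string removes an advanced setting from the label.
# Set-Label -Identity $labelName `
#     -AdvancedSettings @{ BlockContentAnalysisServices = '' }
```

Run the baseline step first: the connected experiences in the table above stop working for content carrying the label, so it is worth knowing which labels already have the setting before adding it to more.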
The third way Sensitivity Labels can be used to control access for Copilot is by applying Double Key Encryption to the content. Files and emails protected with DKE will automatically prevent content in use from being sent to analysis services.
Also note that there is a Data Loss Prevention feature to create a policy which blocks Copilot from accessing content labelled with a specified label. At the time of writing this feature is rolling out to public preview with full release due March 2025. See https://techcommunity.microsoft.com/blog/microsoftsecurityandcompliance/simplify–scale-data-protection-in-the-era-of-ai-with-microsoft-purview-data-los/4297106?WT.mc_id=M365-MVP-5004583 for the announcement.
Auditing Copilot Interactions with eDiscovery & Audit Log
Both eDiscovery and Audit Log include Copilot interactions, though as shown later in this blog, the Activity Explorer in DSPM is an easier experience to navigate. In the screenshots here you will see the outputs from each experience looking at the same interaction.
eDiscovery
Copilot interactions can be searched with eDiscovery. To focus on Copilot interactions include Exchange data in your search locations and specify the item type. This can be done in KQL or if you choose Type > Copilot Interaction in the Query builder this achieves the same effect.


In eDiscovery the prompt and response are separate and need to be downloaded to be viewed, currently.

Audit Log
Assuming Audit is enabled in your tenant, the audit log is already collecting information about Copilot interactions, and the Audit log search tool or the Office 365 Management Activity API can be used to access and analyse the audit data.

The Audit Log response does showcase items like the content searched and the model used. Full log for this interaction shown below.

Whilst the Activity Explorer in DSPM displays the prompt and response on screen and makes the links to the files referenced easily accessible, it gives no details on the model used.
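To review the audit records in bulk rather than one at a time, the AuditData JSON can be flattened into one row per file that Copilot accessed. This is an added example, not from the original session: the sample record is constructed, and the field names under `CopilotEventData` are my reading of the audit schema, so check them against a record from your own tenant.

```powershell
# Added example, not from the original post. The sample record is constructed.
# Field names under CopilotEventData are assumptions based on the audit schema.
$sample = @(
    [pscustomobject]@{
        CreationDate = [datetime]'2024-11-28T09:15:00Z'
        AuditData    = @'
{
  "Operation": "CopilotInteraction",
  "UserId": "adele@contoso.example",
  "CopilotEventData": {
    "AppHost": "Bizchat",
    "ThreadId": "constructed-thread-id",
    "Messages": [ { "Id": "1", "isPrompt": true }, { "Id": "2", "isPrompt": false } ],
    "AccessedResources": [
      { "Name": "Demo_SuperSensitive.pptx",
        "SiteUrl": "https://contoso.example/sites/demo/Demo_SuperSensitive.pptx",
        "SensitivityLabelId": "00000000-0000-0000-0000-000000000001" },
      { "Name": "Overview.docx",
        "SiteUrl": "https://contoso.example/sites/demo/Overview.docx",
        "SensitivityLabelId": "" }
    ],
    "ModelTransparencyDetails": [ { "ModelName": "constructed-model" } ]
  }
}
'@
    }
)

function ConvertTo-CopilotAccessRow {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = $Record.AuditData | ConvertFrom-Json
        $cp   = $data.CopilotEventData
        if (-not $cp) { return }          # not a Copilot interaction record

        $model = ($cp.ModelTransparencyDetails | ForEach-Object ModelName) -join ','

        # An interaction that touched no files still yields one row.
        $resources = @($cp.AccessedResources | Where-Object { $_ })
        if (-not $resources) { $resources = @([pscustomobject]@{}) }

        foreach ($r in $resources) {
            [pscustomobject]@{
                Time     = $Record.CreationDate
                User     = $data.UserId
                AppHost  = $cp.AppHost
                ThreadId = $cp.ThreadId
                Model    = $model
                Resource = $r.Name
                Url      = $r.SiteUrl
                LabelId  = $r.SensitivityLabelId
            }
        }
    }
}

$rows = $sample | ConvertTo-CopilotAccessRow
$rows | Format-Table Time, User, AppHost, Model, Resource, LabelId -AutoSize

# Which users drew on labelled content through Copilot, and how often?
$rows | Where-Object LabelId | Group-Object User, LabelId |
    Select-Object Count, Name

# Live data (after Connect-ExchangeOnline) goes through the same function:
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -RecordType CopilotInteraction -ResultSize 5000 | ConvertTo-CopilotAccessRow
```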

Microsoft Purview Data Security Posture Management (DSPM)
The Microsoft Purview Data Security Posture Management (DSPM) formerly called AI Hub, provides tools and reports to help manage generative AI tools.
See also https://techcommunity.microsoft.com/t5/microsoft-security-copilot-blog/securing-data-in-an-ai-first-world-with-microsoft-purview/ba-p/3981279?WT.mc_id=M365-MVP-5004583 and https://learn.microsoft.com/purview/ai-microsoft-purview?WT.mc_id=M365-MVP-5004583
Formerly known as AI Hub, Data Security Posture Management (DSPM) works in conjunction with existing Microsoft Purview features (where they are available in your tenant). It helps get you started assessing your data security posture, with guidance and recommendations to strengthen that posture, and then continuously tracks trends in usage to identify emerging risks.
DSPM provides tools, analytics and reports to help manage generative AI tools including

To get the most from DSPM you will need to ensure the following:
- Microsoft Purview Audit is enabled
- Users have the Microsoft Purview Browser Extension Installed
- Devices are onboarded to Microsoft Purview
- Pre-configured policies are activated
More details on these prerequisites are available at https://learn.microsoft.com/en-us/purview/ai-microsoft-purview-considerations?WT.mc_id=M365-MVP-5004583#prerequisites-for-the-ai-hub
As we saw earlier, DSPM also includes an Activity Explorer view customised to show AI interactions, with a graphical view of interactions plus details of each. This is an easy way to audit interactions with Copilot.

Copilot Pages
Copilot Pages are a new feature which allows users to save, edit and share AI-generated content, collaborate in real-time, and organize information. Offering similar features to Loop pages, Copilot pages are created from an Edit in Pages button under the response. They can be accessed from the same conversation using the pages icon at top right of the Biz Chat interface, via the Loop App or from the Pages App on the Microsoft 365 app rail. Pages can be shared with other users as a page or as Loop components into other apps. Remember Microsoft 365 Copilot is available inside Loop, so M365 Copilot licensed users can see each other’s prompts if content is created within the page rather than just responses copied from Biz Chat.
A Copilot Page is a .loop file in a new user-owned SharePoint Embedded container. Therefore, the Purview features we discussed earlier as pertains to SharePoint Embedded apply to Copilot pages. However, any policies set to govern OneDrive automatically apply to Copilot Pages and the user dedicated SharePoint Embedded container.
For admin details on Copilot Pages see: https://techcommunity.microsoft.com/t5/microsoft-365-copilot/copilot-pages-for-it-admins-sep-2024-update/ba-p/4241521?WT.mc_id=M365-MVP-5004583

Defender XDR, SAM & Entra ID
However, this is just Purview! Please don’t forget that Defender XDR, SharePoint Advanced Management and Entra ID all have roles to play in keeping your data secure, but this session isn’t long enough to go into everything! There is also the good news from Ignite 2024 that Microsoft 365 Copilot includes SharePoint Advanced Management from early 2025. See https://techcommunity.microsoft.com/blog/microsoft365copilotblog/accelerate-microsoft-365-copilot-adoption-with-built-in-content-governance/4298951?WT.mc_id=M365-MVP-5004583 for more details on the announcement.

Image created by Copilot with Prompt: Please create me a cartoon image of a knight defending a computer system
To keep up to date with me on socials, blogs & speaking engagements you can find all the relevant links at https://linktr.ee/sfennah
