Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:03):
Welcome to episode 409
of the Microsoft Cloud IT Pro podcast recorded
live on 08/22/2025.
This is a show about Microsoft 365
and Azure from the perspective of IT
pros and end users, where we discuss a
topic or recent news and how it relates
to you. In this episode, we explore the
configuration
(00:23):
decisions tenant administrators
face when preparing their Microsoft 365
environment for Copilot.
And, really, just in general, when thinking about
data security in Microsoft 365, we
dive into some of the key questions every
IT professional should be asking when it comes
to users' access to content within the Microsoft
(00:44):
365 tenant. So let's dive in.
Welcome back from vacation, Ben. Thanks. It was
fun all the way up until the part where
I got back from vacation.
I kinda did the same thing. I'm looking
forward. We have a US holiday, Labor Day,
coming up next week. So Is that next
(01:04):
week? Yeah. I'm looking forward to having an
extended weekend. That's kind of our last national
holiday, federal holiday, for a little while here
in the US, so enjoy it while it
lasts. No. Vacation was good. Like, we got
to go up to Michigan, spend some time
up there,
then had a family reunion. This is a
lot of people's scout. Went out to Denver
for, like, a long weekend for a family
reunion. With my wife's family, there were 58
(01:25):
people that were all out there. So that
was kinda fun. Lot of family.
It is. But it was cool. Like, there
must have been, like, 10 or 12 kids
all between the ages of, like, six and
10, which are close
to our boys' age. And, I mean, it's
Colorado. Right? Weather's beautiful. We're out in the
woods. The mountains of boys are just outside
playing with all the other kids. Sticks and
(01:47):
rocks and yeah.
Exactly. Made up games with, like, I don't
even know what they were doing with volleyballs
and throwing them up on the roof of
one of the houses we were staying at.
Let them go at it and do what
they need to do. Yep. One of my
wife's cousins is actually big into, like, he
lives out near Denver, big into rock climbing,
hiking.
So he actually, one day, took us
(02:10):
we took the rental Jeep. He's like, oh,
we can make it here. It's a rental
Jeep.
I hope he got his did not get
charged extra for that run rental Jeep, but
took it on a road that we didn't
think was that bad. Let's just say there
was one point in time where I think
only two tires of the Jeep were on
the ground. The other two were, like, up
in the air, but then went to our
Jeeps have solid axles. Right? You need two
(02:31):
eighteen millimeter wrenches and hop under and disconnect
that sway bar. Then you're all good. You
have to have those two wrenches or the
sway bar disconnect on there, but,
yeah, that's funny. We did a similar
thing on our vacation.
We drove through the Redwoods in
California.
There's a road in Jedediah State Forest, it's
called Howland Hill Road. Okay. But you
(02:51):
kinda read about it, and some people say,
like, oh, don't take your rental car on
there, don't do that. But when you go
to the park station in the morning and
you say, like, hey, like, we're here for
these types of experiences, where should you go?
They just ask you. Like, the rangers,
they ask. They say, hey, what kind of
car do you have? And as long as
you have a car with four wheels and
you're not towing a trailer,
they give you directions to this random To
(03:12):
go on this road? Dirt forest Service road.
It's a four it's like a 11 mile
forest service road, and then it's got yank
pull offs for some of the various, like,
redwood groves and things like that. But
we did that, like, halfway through our road
trip on the West Coast.
And from the day we did that on,
that car was never clean again. Like, it
had a layer of thick dust on it
(03:35):
just going through. I was totally expecting to
get, like, a ding from the rental car
company.
Thankfully, it rained, like, at the hotel we
were staying at before we flew back the
next day to get it, and that cleaned,
like, most of it up. But up until
that last day, it had, like, a good
like, it felt like a this is an
exaggeration, but it felt this
way. It felt like it had a
(03:55):
half inch of dirt on it, right? Just
like everything. You could only see through the
windshield, and the only part you could see
out of the back windshield was where it
had the rear windshield wiper.
I had gone to gas stations and tried
to clean it up, and it was like,
this is just a lost cause. So Not
gonna work. Jeeps are tough. Yeah. You'll be
fine. All good. So we did fun. But
once we got to the end of that,
it was to a rock climbing spot where
there were routes set up. So he, like,
(04:17):
set up routes for us with the ropes,
and he had all the harnesses for the
kids, so he got to do, like, some
real rock climbing because we live in Florida
where the biggest rock you climb is, like,
a boulder in the front yard of some
place Yep. Where you have to do a
gym. So it was a good trip. And
then from there, I went I came home
and was home for, like, sixteen hours and
then flew to Atlanta for TechCon 365.
(04:38):
That leads us into today's topic.
So we've been kinda going back and forth
between maybe talking about, like, Copilot and how
to enable it in your organization, maybe some
things your users can use it for. We
just got done kinda talking
through MCP and that's how that's helpful and
maybe some agentic workflows and stuff like that.
(04:59):
But it's been a little bit, and we've
never really taken a deep dive on it.
So you had this talk at TechCon
about securing Copilot.
So really kind of like, you have
to prepare for Copilot in certain ways. There's
licenses you need to turn on, there's things
you might want to
think about within your organization and who has
(05:19):
access to what and things like that.
But there's more than just lighting up a
license to think about. Kinda like when you
maybe did, like, SharePoint search back in the
day or you do, like, an M365
search thing today, there's all this
security trim stuff out there and these
experiences, they have access to a lot of
data per user.
So you did a talk at TechCon called
Preparing for Copilot: Securing Your Microsoft 365
(05:42):
Data and Beyond
and I think this is a good one
to dive into.
It's Copilot
centric but a lot of the concepts in
here, right, like just kind of thinking
about and taking a step back and, hey,
like, let's take a beat and think about
what type of data is in my Microsoft
365 environment, like what's the sensitivity
(06:03):
of that data, maybe I need licensing for
things that give me capabilities like sensitivity labels,
all that. And then
once you've put it together, how do you
have to tweak it, what does that look
like, and kind of maintenance and everything beyond.
So I figured it'd be a good kind
of topic to hop into, and since it's
been top of mind for you,
(06:24):
it's certainly like fresh and right there. And
you've got all the context from the conference
and questions attendees asked you and things like
that. So be a fun little whirlwind tour.
It is, and it'll definitely be whirlwind because
this was a seventy five minute session. Granted,
there were demos and stuff in there, but
it has been. It's been an interesting topic,
and not only did I kind of
(06:45):
did a session on it because
I don't even know how many clients I've
had ask me about this recently. Like, hey,
we want to deploy Copilot.
What should we be thinking about? What does
our environment look like? How do we prepare
for it? And to your point, it's an
interesting one because it's like, well, technically, this
is stuff you should have been doing all
along. But Copilot is just bringing it to
(07:06):
the forefront to that point of that we've
talked about before, is Copilot doesn't necessarily
introduce any new security vulnerabilities. Like, I
don't know how many times I've talked about
this. It just it brings to the forefront
quicker and easier mistakes that maybe you've done
in the past
with your Microsoft 365 environment. And
(07:27):
that's kinda where even this slide is, like
and I'm sharing kind of the slides that
I did at the presentation. We can work
through those as we talk through it. But
it all starts with what should you be
thinking about when it comes to Copilot, and
a lot of these bullet points too. The
things I think through are like, what types
of data do you have in Microsoft three
sixty five? In particular,
(07:47):
SharePoint. What type of data do you put
in SharePoint? Because Copilot has access
to Exchange or Outlook, your Teams, conversations, all
of that stuff. But by and large, that's
already secured. Right? Like It should be. It
should be. And I don't think Copilot actually
even has access yet to shared mailboxes. I
think that's one limitation is if someone shared
their mailbox with you, they have access to
(08:08):
a shared mailbox.
I don't believe Copilot can reason over that.
So I try to frame it as what
types of data are out there. You wanna
think about should Copilot have access to sensitive
data.
And this is one that maybe you haven't
thought about before, but it's maybe you need
access to sensitive data for your day to
day work. Right? Like, you're in finance,
(08:29):
you're in education,
maybe there's data around
bank accounts out there, there's
financial spreadsheets out there, there's
student data that's in your environment.
People legitimately need access to some of that
to do work, but do you want Copilot
to have the same access to it that
a user does if they just go open
(08:49):
a particular file? So that's another thing to
think about. And then one is just who
has access to your content. Where has stuff
been overshared? This one's been talked about a
ton. And then thinking through, so how do
you start fixing it, and how do you
maintain it once you've done it? You have
ten years of bad practices.
You go spend six months fixing it. How
do you keep those bad practices from continuing
(09:10):
after you fix it? It's this kinda, like,
whirlwind thing, and
as I get more into the world
in my day job of thinking about
agentic
AI and, like, some of the MCP stuff
that we talked about, So if you look
at tools like Copilot,
you can go create your own declarative agent,
(09:32):
you can maybe go create an agent in
Copilot Studio,
there's tools out there or there's services out
there like Azure AI Foundry that then have
their own tool integrations, all these kinds of
things. So we're kind of on this weird
cusp again of
you have to rationalize things like Copilot and
the value and TCO and all that for
your organization,
(09:53):
but now we're kind of looping back around
to
user access plus agent access or agentic access.
So like what's the right way to build
those things? What does that look like and
how does that come together?
Because
eventually, it's like these things are all just
going to be like talking to each other.
Like that finance example that you have, it
(10:15):
might be somebody going in and having access
to a
a fine tuned model, right, that helps them
spit out a financial report at the end
of the quarter. Like, use this template. Here's
good examples. Here's how these are legally compliant.
All these kinds of things, but, you know,
those agents are going to either interact as
real applications within the environment, so now you're
(10:36):
back to like application access and thinking about
scoping things, maybe like permissions
for,
for those, and what are the rights that
you give them within the environment. It could
be user access. It could be a mix
of both depending on what was going on
and how it composed and what came together.
And then
you further kind of muddy the waters there
(10:56):
with, like, oh, like, maybe that's not an
agent that's just or a user even that's
interacting with, like, data in a single system
like SharePoint.
What happens when they're using the SAP connector
or they're using the Dynamics connector, like, and
you have these other systems that are talking
to each other on the back end and
these agentic workflows. And I think it does
become, like, an important consideration
(11:18):
along the way,
and it's an interesting thought exercise.
I actually think it's a little scary too
depending on, like, where you sit organizationally
and how things are composed in your environment
today,
just to think about
where we are today and where the world's
gonna be in
the future. And the future could be
(11:38):
really short. Like, it could be the next
couple months, it could be maybe the next
year.
I don't think you can take you have
the advantage of thinking ahead to five years
from now kind of thing. And speaking of
scary, can I go completely off topic about
a scary, like Squirrel? Squirrel. Yeah. Okay. Squirrel.
So but thinking about Copilot and AI and
how you're asking it, I did see a
really funny I think it was on Instagram
(11:58):
where it was two people walking into a
room or, like, somebody rang the doorbell of
a door, and a guy picked up his
phone and said, hey, ChatGPT, someone's knocking at
my door. What should I do?
And ChatGPT tells him to open it.
And then he opens it, and the lady
outside the door says, Hey, ChatGPT. He
opened the door for me. Now what should
I do? And it was, You should say
(12:19):
hello or walk in the door and say
hello. It was these people that literally were
using their phones to have ChatGPT tell
them how to interact with each other, but
I think it does highlight, like, how much
we're asking
AI and, again, a little bit of a
rabbit hole, but how much are we becoming
dependent on it and how it could actually
be one of those scary environments where we,
(12:39):
like, yeah, how it's going to change how
we work, interact,
live, etcetera. I think it can be scary.
Like, it can be exciting, but I also
think it kinda raises the priority or the
importance of, like, thinking about these questions and
thinking through them and making sure that
as
Microsoft 365 customers,
(13:00):
could be Azure customer, really, like any kind
of, like, SaaS cloud based product that's adopting
these kinds of things, or even if you're
bringing them into your internal environments, right, like
these are all like I think they're common
sense considerations, like there's nothing in here that's
like,
oh my gosh, like, but you have to
really take the time and be intentional
(13:22):
and go down the path of looking at
all of them. Like it's not just a
one dimensional kind of thing, it's this multidimensional
kind of exercise
to
to get in. So,
like, it's always kinda fun to do these
things with you because I get access to
the decks and your talks and everything, and
we get to talk and plan it out
(13:42):
ahead of time. So, like, I know a
little bit about where the story's going. So
why don't we keep kind of getting in
that and kind of Yeah. Yeah. So I
think, yeah, like, good place to start. Yeah.
Just like, I've got the data out there.
How do I figure out, like, what's out
there and what's going? And like you said,
like, for folks listening here, like, oh my
gosh, these, like, crackpots are talking about Copilot
and AI again. A lot of these concepts
(14:04):
broadly apply to Microsoft 365,
and they might apply to,
heck, your on prem SharePoint environment. Right? There
was a CVE for SharePoint on prem last
month. A lot of organizations had to go
through this kind of, like, patching workflow due
to a hack for on prem SharePoint that
came out of China.
All these things are broadly applicable.
(14:24):
And, yeah, it sounds like common sense, but
I encourage you, stick with us, and maybe
you'll hear something in here that says, Oh,
I didn't think about that, or, Oh, you
know what? That one was on the back
burner for me. Maybe I kinda need to
lift it up the priority list and go
spend a little bit more time on it.
Yeah. And I would say some of these
even are more broad
(14:45):
than just SharePoint. And
this first one, it's tools related to SharePoint,
but it's concepts you need to think about
for any
data that maybe AI has access to. And
when I start thinking about exploring the content,
it's somewhat what I hit at before, but
it's looking at sensitive data.
Where is this sensitive data? What sensitive data
is out there? And to your point, I
(15:07):
was working with one client, and they have
certain policies around what should be in SharePoint
and what shouldn't be. And this was not
even a Copilot exercise. This was just, like,
overall data governance.
And I used Data Explorer, so we'll tie
this in a little bit, Data Explorer in
Microsoft 365. But however you do
this, it's we found data. We're like, did
you know you have these Social Security numbers
(15:29):
in your SharePoint environment? We're like, no. We
had no idea. So they went in and
cleaned that up right away. But that's one
of the first things is how do you
explore this content? Whether it's Data Explorer in
Microsoft 365 or there's
what is it? There's I'm drawing a blank
on it. It's is it part of Azure
Information Explorer? It's,
you can use it on a file share
(15:50):
to actually explore the file share and scan
all your content on a file share, and
it has some ties into Purview. Azure Data
Explorer. Yeah. And then Yeah. That ties into
this weird
weird I mean, it is what it is.
Its name's like Purview,
Activity Explorer, something like that, but that's that
kinda large data volume. Hey. Let me go
and scan that thing. So it's part of
(16:11):
Purview and the compliance stack. Yeah. So there's
that. And then the next one is just
oversharing.
And again, Microsoft 365,
I talk about the data access governance insights.
This one's another one. There's some PowerShell cmdlets.
It's Start-SPODataAccessGovernanceInsight.
We'll put links to
(16:31):
this PowerShell cmdlet in the show notes. But
you can go run this particular
report and look at OneDrive for Business
and look at SharePoint and
spit out a summary
of how many different types of sharing links
exist in your environment. I was looking at
one client. We looked at OneDrive. We found
(16:53):
out this particular individual
had content in their OneDrive, and one of
the aspects of this report is how many
people it's shared with. He had content shared
with almost 2,500
different people
hosted in his OneDrive. There's also some data
access governance reports in the SharePoint admin center
that get included with Copilot now. I've written
some custom PowerShell scripts where
(17:15):
it actually goes through and looks at all
the content in SharePoint and spits out sharing
links and URLs and the title of the
files and all of that. But this is
really going back to
where is content shared
with people that shouldn't have access to it,
whether it was laziness and just putting in
I mean, not a file share, putting in,
oh, we'll just share this with domain users
(17:36):
and then not realizing
what people have maybe dropped in that particular
folder that shouldn't be there
or forgetting that it was shared with everybody
or somebody meant to do it at a
subfolder and accidentally did it at the parent
folder.
All those same things apply to file shares,
to SharePoint.
I mean, technically, it can apply to Dropbox,
(17:57):
Box.
Anywhere where you have content is really thinking
through,
and how do you report on where is
content shared more broadly than it should be,
or where are folders? This is the other
interesting one. Where are folders shared more broadly
than they should be? And people can just
drop content into it, and all of a
sudden it becomes shared because they just dropped
(18:17):
it in a folder or a SharePoint site
Mhmm. Or a Teams SharePoint site, any of
those.
Do you feel overwhelmed by trying to manage
your Office 365 environment? Are you
facing unexpected issues that disrupt your company's productivity?
Intelligink is here to help. Much like you
take your car to the mechanic that has
(18:38):
specialized knowledge on how to best keep your
car running, Intelligink helps you with your Microsoft
cloud environment because that's their expertise. Intelligink keeps
up with the latest updates in the Microsoft
cloud to help keep your business running smoothly
and ahead of the curve. Whether you are
a small organization with just a few users
up to an organization of several thousand employees,
they want to partner with you to
implement
(19:00):
and administer your Microsoft cloud technology. Visit them
at intelligink.com/podcast.
That's intelligink.com/podcast
for more information or to schedule a thirty
minute call to get started with them today.
Remember, Intelligink focuses on the Microsoft cloud so
(19:22):
you can focus on your business.
So that was one of,
configuration
changes, again, where somebody accidentally changes permissions,
sets up permissions the wrong way. One interesting
thing that came out, I hadn't thought of
this before,
but somebody else brought it up at the
conference and I was like, oh, that's an
interesting one, is comparing sites or duplicate content.
(19:45):
How many companies have you been in, Scott,
where, like, somebody creates a file and then
creates that file v two and v three
and v four and v five and v
six and v seven, all the way up
to whatever, and now you have, like, 20
copies of a nearly identical file all out
there? Guess what gets really confused
about pulling accurate information when you have 10
or 20 nearly identical files? Nearly identical
(20:08):
and also mixed in with identical identical, right?
Right.
I do this sometimes
where
somebody writes a paper and I'm like, Oh,
I want to save that as an example
for later. So I take that and put
it in my OneDrive and it's still like
the canonical version still sits, but I want
like that point in time snapshot maybe to
reference back to you later
as a doc, a PDF, a PowerPoint, whatever.
(20:31):
So my OneDrive is like just
absolutely littered with things like that. I can
tell you very specifically what does not do
a good job here is Copilot notebooks,
which we talked about.
I actually did this recently where I had
a couple iterations of not the same document,
but similar documents. It was more like there
was a section in this one,
(20:58):
limitations of Copilot notebooks
because what the notebook was doing was while
it was grounded in the information that was
available in there, right, I added these, like,
I actually went beyond the limit. I had
to take docs out because you can only
have, like, up to 20
documents in a Copilot notebook right now or
combination of documents and OneNote
and things like that. So I was at,
(21:19):
like, 28 or something. So I was really
trying to confuse it, but it was getting,
like, extra confused because not only were the
documents in the Copilot notebook where I'd said,
hey. Here they are. Like, here's the canonical
version,
but other people had copies of them out
there, like you said. Like, they had the
like, they've done the thing I did, right,
where they made a copy in their own
space. But when they made a copy in
(21:39):
their own space, like, some folks put those
in other public areas that I have access
to, or they might have emailed it to
me. So, like, figuring out how to wrangle
the prompts and get things to where, like,
oh, I actually can do what I wanna
do with this, super hard to do. I
wasted more time in the Copilot notebook trying
to get it to behave the right way
when I literally could've just
walked over to my 32 inch monitor and
(22:01):
pulled up five docs on the top row
and five docs on the bottom row and
just started, like, scrolling through.
I would've been better off for the
amount of time that I was trying to
fight that process and have it come through.
But it was a good lesson for me,
like, hey. Right tool for the right job.
Here's the limitation of this thing.
But it did kinda
get the back of my head tingling, like
the Spidey sense going, right, to say, like,
(22:23):
I wonder, like, what happens to other people
or how this is out here. So
it was one of those things I saw
it in the presentation here. I was like,
like, good. Ben's thought about this too.
I'm not crazy. I'm thinking about this,
and this is a tool I recently found
out. It's the site policy comparison tool in
the SharePoint admin center, and it'll go I've
(22:43):
never even heard of that one, but I
haven't I haven't spent a lot of yeah.
I haven't spent a lot of time in
SharePoint lately. The downside is it doesn't necessarily
look for duplicate
files, but it will tell you if you
have two sites
where over 70%
of the content on the sites is duplicated.
So it's like if somebody took a copy
of a site or copied all the contents
(23:05):
of a site to another site, it would
be nice to maybe see it expanded in
the future to look for just duplicate files.
Like, do a file comparison of how many
nearly duplicate files do I have across my
environment. I imagine that takes a little
bit more processing power, but it's definitely
a thing. And then
I wrapped up here too when I was
(23:26):
giving this presentation with just a few tools
and examples of
using custom PowerShell
to look for some of these things. Microsoft
has reports.
They're not always as detailed as you need,
and that's where I wrote some of these
reports to pull a list of all my
files and all my sharing links across all
of SharePoint. I need to go tweak it.
I looked ran this against a site that
(23:48):
had, like, millions of items. I think the
PowerShell script was running for, like, three weeks.
Takes a hot minute to enumerate that much
data. Yeah. Yeah. But then I had a
CSV from all of the sites in the
environment with all of the sharing links, and
I went and threw them out in Azure
Data Explorer, And then I could do a
bunch of KQL to go help narrow it
down, like, how many organization-wide sharing links
(24:10):
do I have? Which sites have the most
sharing links?
Where are all my links that don't have
expiration dates on them, and they've just been
shared indefinitely for years and years?
So just a couple different ways there to
help dig through the content a little bit
more. I think it's generally manageable and goes
back to the a little bit of, like,
hey. Like, this stuff is known, but you
(24:31):
as a customer need to go out and
spend that time, do that research,
and figure out what that is. Like, a
lot of the things you're talking about here,
like, maybe like a PowerShell script for that
discovery aspect, like, these things exist. There's a
bunch of community examples,
blog posts, stuff on GitHub from community contributors,
from Microsoft themselves. Right? But
(24:53):
you don't have to reinvent the wheel, but
you do gotta do some work along the
way. From there, then it's, okay, now I
know what I have. How do you go
in and
fix it all? And
this is where I get a ton of
discussion because,
for instance,
another example, one of my clients, they had,
like, 45,000
links
(25:13):
across their organization.
Like, how do we even begin to
fix this or evaluate it? You cross your
fingers and you hope for the best. Right?
And it's that whole combination of one is
we need to get a lot better at
permissions in SharePoint. I'm guilty of this, Scott.
I have examples. I can think of examples
with clients
where I totally did the whole security by
(25:34):
obscurity. Mhmm. Again, maybe not a big deal
because
a lot of times when I did this,
it's, yeah, we don't necessarily
want people to just stumble across it. If
they find it, it's not the end of
the world.
We just wanna make it a little bit
more difficult. Well, with Copilot, that difficulty becomes
a lot less. So I think you
you definitely want to be thinking about permissions
(25:56):
a lot more in SharePoint, avoiding the whole
security by obscurity and doing security the right
way. There's these opportunities, right, to go and
think about these things. Yep. The thing I
always think about in the back of my
head I'm a little spoiled here, right? Like
like my employer kinda just has every capability
lit up, and
everything's available to me there as a user,
(26:19):
as a developer, as an admin, like I
can go make all those things happen and
play in the playground, and it's all hunky
dory and great. But
I think there is a step for customers
to rationalize along the way, things like licensing.
Right? Like,
now not only do I need to evaluate
if I need the feature, now I need
to weigh out, do I need the feature,
(26:39):
and
can I afford the feature, or does the
feature have the right kind
of TCO
for my company? So that could be things
like the ability
to
apply sensitivity labels, right, and enforce them. It
could be
some of the Purview components that are out
there. Like, those are gonna cost you money
for maybe Purview. They might cost you money
(27:00):
per API call, right, to come in
and figure that. So, like, hey, are you
gonna figure out that like, like, how do
you figure out, like and sit down. Like,
you gotta do some kinda hard modeling and
a little bit of work and extrapolation
and other things
based on your environment, your users, your corpus
of data,
all that kind of stuff. I will say,
(27:21):
generally, like, it feels like the TCO is
there and like the juice is worth the
squeeze as of right now,
but, you know, my thinking, like I said,
is kind of colored by just having access
to everything all the time.
And I don't know that I'm so grounded
in,
here's like a vanilla tenant. Right? Somebody who
never came off, like, E3s or something
(27:43):
like that, and they're still in that
world because
I've been in a different one for a while
now, and I think it does, like, change
and color my thinking. We could go down
a whole licensing
(28:05):
features that you pay for. If you use
everything that's in the license,
I can't I feel like it's worth it.
I'm also a small company. You work for
the company that owns it all. It is
absolutely expensive.
I'm not gonna deny that either. I look
at some of these bills where you get
into eight, ten thousand person companies
spending
(28:26):
$50
on an E5. I mean, that's, yeah,
50.
You're hundreds of thousands or millions of dollars
a year in investment, and then there are
companies that are still using other third parties.
I was on with one today, and they're
using a different antivirus. They're using something else
for MDM. And I'm like Mhmm. Do I
think you could use E5? Yeah. Is
it a little harder to justify it when
(28:47):
you're not gonna use all the features because
you're using other third party features?
Absolutely. Mhmm. Do you need to make that
choice of where you want it to sit?
I think it's part of, like, the rationalization.
Right? So once you've onboarded to these things,
kind of opened a little bit your talk
track around
maintenance and governance and ongoing kinds of things,
these are certainly part of that conversation. So
(29:09):
you might start off your journey at license
level a,
and then you sit and you hear about
like a new capability or something that might
be in a license, it might be a
one off feature you can buy, so you're
kind of on this constant path of evaluation.
I used to think about this all
the time when I was doing
SharePoint and Office 365
consulting
(29:30):
and kind of administration
for organizations
and things like that, like,
is
your role goes from
hugging servers and managing infrastructure
to changing a lot into
just rationalizing
ROI for your organization,
what's your total cost of ownership. So, like,
you know, that ten hours a week that
(29:51):
you used to spend patching servers, well, guess
what? You're spending ten hours a week now
maybe doing, like, comparative research and going out
there, and maybe doing things like lighting
this up in, like, test environments
and really trying to figure it out. So
the world is changing rapidly. I think we
all kinda see that, right? Like, it's all
moving at a kind of a crazy pace
going
in different directions and often feels like diverging
(30:14):
directions. Like,
all of a sudden, you were going to
the right and you were on a path,
and you're like, no. I gotta turn the
car around, do a 180, and go
back the other way, and drive just as
far as you just came, but in the
opposite direction, and then some kind of thing.
So
it is important
to think through this stuff to go back
and look at it, and kind of figure
out and weigh it. And is that justification
(30:38):
there along the way for you? And then
even once the justification's there, there's still all
the hard work
of what's now like, hey. Great. I got
access to, I don't know, sensitivity labels. Like,
how am I gonna configure those? What part
of the stack am I gonna do it
in? Like, you still have to go and
evaluate the corpus of data in your environment,
understand how your users talk to it, understand
(30:59):
the impacts of maybe applying things like that,
what type of training you need to give,
and all that stuff. So it's a
it's
a lot, but it also keeps us all
employed, which is kinda fun.
Pays the bills. Anyways, that was, like, permissions.
The other thing I've seen, people created a
lot of public sites, and that's especially in
or public teams
(31:20):
in Microsoft 365 groups,
especially initially
without thinking through
or maybe even realizing it sometimes that if
it's public, anybody can go grant themselves access
to that group and just get access to
all the content in it. So another one
of those,
I think people really need to think about
where do we need to either move content
(31:41):
out of public groups or
create private groups going forward as the default.
Mhmm. That's something to think about. Correctly configure
default sharing links. This is becoming one of
my pet peeves. People that leave org wide
Nobody does this.
They don't. Maybe they do, and I'm I'm
just not seeing it. I see it a
(32:01):
lot in customers.
It's kinda fun to go through,
like, the Office 365 subreddit and
things like that and just see some of
the,
the issues that pop up over time to
ultimately, like, what's a low hanging fruit configuration
task, but I get it takes time. Like,
again, like, you can't just shut it off
(32:22):
wholesale without understanding how your users are using
it and what's going on out there.
And, like, all of a sudden, like, that
little thing where it's like, yeah, let me
change that configuration item turns into, like, a
project or something that requires
a little bit
a little bit more long term thinking, but
it is funny how that kinda ends up
being the
just the default state
(32:43):
in a lot of places. And then these
are often the things that you hear about
in the news, right? Like when somebody gets
quote unquote hacked, and it's like, no, they
didn't get hacked. They were just configured wrong.
They were wide open from the start. Yeah.
Your Facebook account wasn't hacked. You just stayed
signed in on a device someone else had
access to. Mhmm. 100%. And
if you leave it as org wide, guarantee
(33:03):
it's nothing people are doing intentionally. They just
click share content and click the copy link
button. They don't even realize what they're doing.
So I also place some of the blame
here on people that just roll this out
without training their end users on how to
properly share. Org wide is easy. You still
need to train your users. Don't click org
wide only or organizational link. This is what
it does. One nice thing I do, Microsoft
(33:25):
is coming out I don't know if you've
seen this on the roadmap, with the hero
links coming the end of this year, where
right now when you go share it, it
actually creates multiple links. Every time you share
it, it creates
another link. So you have one organizational wide
link, and then you have an edit link,
and then you have a view link, you
know, all of this.
It is changing so that in December, when
(33:47):
this new hero link comes out, it creates
one link, and then you're actually just able
to adjust permissions
on a single link. So you don't need
to go back and clean up a whole
bunch of links. You're just gonna have one
link. You're gonna have to manage permissions on
it.
The other thing
that is going to be part of this,
even better than hero links, is changing the
(34:07):
default
right now, and I've heard a lot of
people complain about this. You can't set the
default to people with existing access. You can
either set it to specific people or set
it to org wide. You can set it
to just by default create a link, but
only people that have access already are gonna
use this link. That's kinda bundled in this
(34:27):
hero links is setting that default now to
existing people only, so you're not Yes. It
makes it a lot easier to share a
link and not have it change permissions
than kind of that experience today. That's another
one. The SharePoint indexes,
you can remove stuff from Copilot by just
turning off the search index. Downside is it
(34:48):
also turns off the search index. You
remove a search. Yeah. Securing content with policies,
sensitivity labels, setting DLP. We're gonna run out
of time here, Scott. We might have to
do part two. And then the other one
I wanna mention here, there's a button now
in the SharePoint admin center that says restrict
content from Copilot on each site. I can
go into a site, click the little radio
button that says restrict content or restrict access
(35:11):
to Copilot. I want Microsoft to change the
verbiage on this. This is very deceptive to
me because
the way it reads, I would think, oh,
I click this. This site's not gonna be
included in Copilot. If you click on the
little information
bubble and hover over it and then click
on learn more, and maybe it even has
it in the bubble,
this is not just remove it from Copilot.
(35:33):
This is
don't return
content from this site in Copilot or in
search if it hasn't been recently accessed by
the user. So if a user goes to
it and clicks on it or interacts with
it or somehow
accesses that content
recently, it's all of a sudden gonna
start showing up in Copilot and SharePoint.
(35:54):
Does it help in the cleanup? Yeah. But
does it really restrict it from Copilot?
They need to make it more clear. It's
not what it seems to be. The devil's
in the details. So, you know, that
feature is called restricted content discovery.
It is not called block content discovery
or never do content discovery
(36:15):
again. I think
the rub with that one is
recent interaction.
Like if somebody just hears the word recent
interaction, right? Like, All right, well, what was
a recent interaction for me? Was that
thirty days? Was it ninety days?
And, you know, however it comes together. And
then what do you do with your users
(36:37):
who I I think this is the other
side of that one, is
you turn that feature on, and they have
a good experience on day one, which is
what you want them to do. Like, you've
gone through, you've configured your environment, That so
you restricted it. They had the recent interaction.
They were able to use it in Copilot
and
in Teams and business chat, all those things.
And then
maybe their role is, like, quarterly or biyearly.
(37:00):
So they only come back and they touch
that thing, and then next time it's horrible.
Like, it doesn't give them the same result.
It doesn't do the same thing. Features like
that are nice, but, like, they're also, like,
really hard to rationalize, particularly as a user.
Like, why is
why is a system that's already nondeterministic
already being like, it's being, like, super nondeterministic
(37:20):
now?
Like, what did it do,
and which way did it go? So,
yeah, I
think, in general, there is a bunch for
folks to think about here.
We'd love to hear about
how you're thinking about securing your environments. Like,
do you have any tips and tricks? Maybe
you've got, like, a favorite repo of
(37:40):
PowerShell scripts or things like that that you're
go that you're using for
go to management.
Maybe you have
alternatives for some of these things, like Ben
was mentioning
finding duplicate files earlier.
I know there's third party products that do
that. Maybe you're one of these customers who's
like a like you said, Ben, you do
the Ben thing, like you described, with multiple
licenses,
(38:01):
lots of ISV tooling, things like that. Like,
we'd love to hear more about the ecosystem
and your experience with it. So we've got a
contact form on the website, which you can
go to. It's pretty easy.
M s cloud I t pro podcast dot
com, and you'll see a big
contact us button there. That just sends Ben
an email, and then he usually just loops
(38:24):
me in on the thread. You
can also get ahold of us
on LinkedIn.
The podcast has a page on LinkedIn if
you wanna directly ask questions there. Ben's on
LinkedIn. I'm on LinkedIn as well. So,
like, come back. Give us some feedback. Let
us know how you're using it. We're eager
to hear. And maybe like you said, Ben,
maybe we can kinda come back and do
a part two on this one.
(38:44):
And
or if not, like, finish the conversation because
maybe we should come back and talk about
some of the,
DSPM stuff,
some of the reporting aspects,
how to do risk assessments,
and all that. And that way, we can
kind of round out the entire story. Yeah.
I think we should do a part two
on DSPM for
(39:05):
AI and DLP and sensitivity labels and some
of that. So we'll come back and talk
more about that in a later episode. Alright.
Come back and check us out for that
one. As always, thanks, Ben. Much appreciate it.
Glad to have you back from vacation, and
we'll get back on track here. Alright. Thank
you, and have a good weekend. Talk to
you next time. Thanks, Ben.
(39:26):
If you enjoyed the podcast, go leave us
a five star rating in iTunes. It helps
to get the word out so more IT
pros can learn about Office 365
and Azure.
If you have any questions you want us
to address on the show, or feedback about
the show, feel free to reach out via
our website, Twitter, or Facebook.
Thanks again for listening, and have a great
(39:46):
day.