{"id":23360,"date":"2026-05-07T09:05:00","date_gmt":"2026-05-07T16:05:00","guid":{"rendered":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/?p=23360"},"modified":"2026-05-07T09:11:46","modified_gmt":"2026-05-07T16:11:46","slug":"how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft","status":"publish","type":"post","link":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\/","title":{"rendered":"How we\u2019re tackling Microsoft 365 Copilot governance internally at Microsoft"},"content":{"rendered":"\n<nav\n\tclass=\"wp-block-inside-track-in-post-navigation\"\t>\n\t<button class=\"in-page-block__button\" aria-expanded=\"false\" aria-controls=\"in-page-block__list\">\n\t\tWhat this guide contains\t<\/button>\n\n\t<ul id=\"in-page-block__list\">\n\t\t\t\t\t<li class=\" \" style=\"\">\n\t\t\t\t<a class=\"\" data-id=\"introduction\" href=\"#introduction\" style=\"\">Introduction: Governance in the age of AI<\/a>\n\t\t\t<\/li>\n\t\t\t\t\t<li class=\" \" style=\"\">\n\t\t\t\t<a class=\"\" data-id=\"chapter-1\" href=\"#chapter-1\" style=\"\">Chapter 1: Enable self-service<\/a>\n\t\t\t<\/li>\n\t\t\t\t\t<li class=\" \" style=\"\">\n\t\t\t\t<a class=\"\" data-id=\"chapter-2\" href=\"#chapter-2\" style=\"\">Chapter 2: Establish container labels and set well-scoped, intuitive defaults<\/a>\n\t\t\t<\/li>\n\t\t\t\t\t<li class=\" \" style=\"\">\n\t\t\t\t<a class=\"\" data-id=\"chapter-3\" href=\"#chapter-3\" style=\"\">Chapter 3: Derive file labels from parent containers<\/a>\n\t\t\t<\/li>\n\t\t\t\t\t<li class=\" \" style=\"\">\n\t\t\t\t<a class=\"\" data-id=\"chapter-4\" href=\"#chapter-4\" style=\"\">Chapter 4: Train employees<\/a>\n\t\t\t<\/li>\n\t\t\t\t\t<li class=\" \" style=\"\">\n\t\t\t\t<a class=\"\" data-id=\"chapter-5\" href=\"#chapter-5\" style=\"\">Chapter 5: Trust employees, but verify their work<\/a>\n\t\t\t<\/li>\n\t\t\t\t\t<li class=\" \" style=\"\">\n\t\t\t\t<a class=\"\" data-id=\"chapter-6\" href=\"#chapter-6\" style=\"\">Chapter 6: Implement lifecycle management and attestation<\/a>\n\t\t\t<\/li>\n\t\t\t\t\t<li class=\" \" style=\"\">\n\t\t\t\t<a class=\"\" data-id=\"chapter-7\" href=\"#chapter-7\" style=\"\">Chapter 7: Enable company-shareable links<\/a>\n\t\t\t<\/li>\n\t\t\t\t\t<li class=\" \" style=\"\">\n\t\t\t\t<a class=\"\" data-id=\"chapter-8\" href=\"#chapter-8\" style=\"\">Chapter 8: Extract inventory to detect and report oversharing<\/a>\n\t\t\t<\/li>\n\t\t\t\t\t<li class=\" \" style=\"\">\n\t\t\t\t<a class=\"\" data-id=\"conclusion\" href=\"#conclusion\" style=\"\">Conclusion: The way forward<\/a>\n\t\t\t<\/li>\n\t\t\t<\/ul>\n<\/nav>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"introduction\">Governance in the age of AI<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Unlocking the next generation of productivity tools<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft 365 Copilot combines the power of large language models (LLMs) with your organization\u2019s data to turn employees\u2019 words into some of the most powerful productivity tools on the planet\u2014all within the flow of work. It suffuses the Microsoft 365 apps your people use every day\u2014including Word, Excel, PowerPoint, Outlook, Teams, and more\u2014to provide real-time intelligent assistance.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Findings from workplace surveys that we did internally here at Microsoft show that AI tools are having a significant and measurable impact across some of our major business functions:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"469\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/05\/Measurable-impact-of-AI-tools-across-our-business_-1024x469.png\" alt=\"Text graphic shows the measurable impact of AI tools on different functions at Microsoft with specific data points for marketing, IT, HR, and finance.\" class=\"wp-image-23529\" srcset=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/05\/Measurable-impact-of-AI-tools-across-our-business_-1024x469.png 1024w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/05\/Measurable-impact-of-AI-tools-across-our-business_-300x137.png 300w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/05\/Measurable-impact-of-AI-tools-across-our-business_-768x352.png 768w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/05\/Measurable-impact-of-AI-tools-across-our-business_-1536x703.png 1536w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/05\/Measurable-impact-of-AI-tools-across-our-business_.png 2000w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Getting governance right<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">With all the opportunities AI presents, your organization might be in the process of implementing Microsoft 365 Copilot. But it\u2019s important to do that safely.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Copilot combs through your organization\u2019s entire data estate in the blink of an eye, so the old method of security through obscurity doesn\u2019t cut it. You need to assert control over where data flows throughout your tenant, so Copilot knows what it can and can\u2019t access or display.<\/p>\n\n\n\n<div class=\"wp-block-group has-white-200-background-color has-background has-global-padding is-layout-constrained wp-container-core-group-is-layout-ef8af98e wp-block-group-is-layout-constrained\" style=\"padding-top:var(--wp--preset--spacing--spacing-16);padding-right:var(--wp--preset--spacing--spacing-16);padding-bottom:var(--wp--preset--spacing--spacing-16);padding-left:var(--wp--preset--spacing--spacing-16)\">\n<h3 class=\"wp-block-heading has-body-xl-font-size\" style=\"margin-top:0\"><strong>Learn from our Microsoft 365 Copilot experience<\/strong><\/h3>\n\n\n\n<p class=\"has-body-lg-font-size wp-block-paragraph\" style=\"margin-top:var(--wp--preset--spacing--spacing-4);margin-bottom:var(--wp--preset--spacing--spacing-4)\">We learned a lot as the first large enterprise to deploy Microsoft 365 Copilot. We used those learnings to create this deployment and adoption guide that you can use at your company\u2014check it out:<\/p>\n\n\n\n<div class=\"wp-block-columns are-vertically-aligned-center is-not-stacked-on-mobile is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"56\" height=\"58\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Learn-from-our-experience.png\" alt=\"\" class=\"wp-image-23393\" style=\"object-fit:cover\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/deploying-microsoft-365-copilot-in-five-chapters\/\"><strong>View our full Microsoft 365 Copilot deployment and adoption guide.&nbsp;<\/strong><\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/microsoft-365-copilot-for-executives-sharing-our-deployment-and-adoption-journey-at-microsoft\/\">View a condensed version of the guide, designed for executives.<\/a>&nbsp;<\/strong><\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">To ensure that proper data hygiene extends to AI-powered workflows, Microsoft designed Copilot to respect the sensitivity labels and data loss prevention (DLP) controls that organizations configure in their Microsoft Azure environment. That way, administrators can be confident that the right people and apps have access to the data they need, and that sensitive information doesn\u2019t appear where it shouldn\u2019t.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Our team in Microsoft Digital, the company&#8217;s IT organization, created a company-wide governance strategy to address this challenge. In the process, we learned valuable lessons that will be useful to any organization using Copilot.<\/p>\n\n\n\n<div class=\"wp-block-group has-teal-to-brown-gradient-background has-background has-global-padding is-layout-constrained wp-container-core-group-is-layout-10685bb4 wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:var(--wp--preset--spacing--spacing-20)\">\n<div class=\"wp-block-group has-white-background-color has-background has-global-padding is-layout-constrained wp-container-core-group-is-layout-ff4033b8 wp-block-group-is-layout-constrained\" style=\"padding-top:var(--wp--preset--spacing--spacing-16);padding-right:var(--wp--preset--spacing--spacing-16);padding-bottom:var(--wp--preset--spacing--spacing-16);padding-left:var(--wp--preset--spacing--spacing-16)\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<p class=\"has-body-xl-font-size wp-block-paragraph\" style=\"margin-top:0;margin-bottom:var(--wp--preset--spacing--spacing-4);font-style:normal;font-weight:600\"><em><em><em><em>\u201cWe\u2019re entering an age where AI amplifies human capability at unprecedented scale, and the integrity of our data determines the integrity of that transformation. Thoughtful governance ensures that we balance adoption with risk to enable the business.\u201d<\/em><\/em><\/em><\/em><\/p>\n\n\n\n<p class=\"has-gray-800-color has-text-color has-link-color has-body-lg-font-size wp-elements-56ae4016e91e34ce31a48cff497c7e23 wp-block-paragraph\" style=\"margin-top:0;margin-bottom:var(--wp--preset--spacing--spacing-4)\"><strong><strong><strong><strong>Brian Fielder, vice president, Microsoft Digital<\/strong><\/strong><\/strong><\/strong><\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:165px\">\n<figure class=\"wp-block-image alignright size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"500\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Brian-Fielder_teal.png\" alt=\" A photo of Fielder.\" class=\"wp-image-23379\" style=\"object-fit:cover\" srcset=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Brian-Fielder_teal.png 500w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Brian-Fielder_teal-300x300.png 300w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Brian-Fielder_teal-150x150.png 150w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/figure>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">This guide outlines our process for developing and implementing a governance strategy that delivers the benefits of Copilot to Microsoft employees while minimizing the risks to our data estate. We share our internal learnings so our customers can get up and running quickly while avoiding pitfalls or surprises.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Follow along to find out how you can safely and effectively deploy Copilot at your organization\u2014backed by rock-solid governance.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cWe\u2019re entering an age where AI amplifies human capability at unprecedented scale, and the integrity of our data determines the integrity of that transformation,\u201d says Brian Fielder, vice president of Microsoft Digital. \u201cThoughtful governance ensures that we balance adoption with risk to enable the business. AI accelerates possibility and does so with clarity, confidence, and unwavering trust.\u201d<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Principles for effective AI governance<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Use this set of tips to ground yourself as you read through this guide:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Enable self-service. <\/strong>Give employees the ability to create new workspaces across your Microsoft 365 applications. By maintaining all data on a unified Microsoft 365 tenant, you ensure that your governance strategy applies to any new workspaces.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Limit the number of information protection labels. <\/strong>Try to limit your taxonomy to a maximum of five parent labels and five sub-labels. That way, employees won\u2019t feel overwhelmed by the volume of different options.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Use intuitive labels that mean what they say. <\/strong>Make your labels simple and legible. For example, a \u201cbusiness-critical\u201d label might imply confidentiality, but every employee\u2019s work feels critical to them. On the other hand, there\u2019s very little doubt about what \u201chighly confidential\u201d or \u201cpublic\u201d mean.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Capture container labels for groups and sites. <\/strong>Label your data containers for segmentation to ensure your data isn\u2019t overexposed by default. Consider setting your container label defaults to the \u201cPrivate: no guests\u201d setting.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Derive file labels from parent containers. <\/strong>Classify files according to their parent containers. That consistency boosts security at multiple levels and ensures that deviations from the default are exceptions, not the norm.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Train employees. <\/strong>Train your employees to handle and label sensitive data to increase accuracy and ensure they recognize labeling cues across your productivity suite.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Trust employees, but verify their work. <\/strong>Trust your employees to apply sensitivity labels, but also verify them. Check against DLP standards and use auto-labeling and quarantining through Microsoft Purview automation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Implement lifecycle management and attestation. <\/strong>Use strong lifecycle management policies that require employees to attest containers, creating a chain of accountability.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Consider your default link-sharing configuration. <\/strong>Limit oversharing at the source by allowing company-shareable links\u2014at least as secondary options\u2014rather than forcing employees to add large groups for access. For highly confidential items, limit sharing to employees on a need-to-know basis.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Extract inventory to detect and report oversharing. <\/strong>Use Microsoft Graph Data Connect extraction in conjunction with Microsoft Purview to catch and report oversharing after the fact. When you find irregularities, contain the vulnerability or require the responsible party to repair it themselves.<\/p>\n\n\n\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-639b5052 wp-block-group-is-layout-constrained\" style=\"padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"50\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Learn-more.png\" alt=\"\" class=\"wp-image-23363\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Learn more<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>How we did it at Microsoft<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/riding-the-wave-of-agents-washing-over-microsoft-with-good-governance\/\">See how we\u2019re riding the wave of agents washing over Microsoft with good governance.<\/a> This story shares how we established our initial policies and matrixed governance model for agents.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/becoming-a-frontier-firm-our-it-playbook-for-the-ai-era\/\">Explore our IT playbook for the AI era and learn how we\u2019re becoming a Frontier Firm.<\/a> This article shares our journey as an IT organization in support of this new operating model.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/enterprise-ai-maturity-in-five-steps-our-guide-for-it-leaders\/\">Read our five-step guide for IT leaders who want to drive greater AI maturity.<\/a> This resource can help you chart a course through AI maturity to reimagine what&#8217;s possible for the enterprise.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/the-agentic-future-how-were-becoming-an-ai-first-frontier-firm-at-microsoft\/\">Discover how Microsoft is becoming an AI-first Frontier Firm.<\/a> This story shares how we\u2019re approaching the idea of an \u201cagentic future.\u201d<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Further guidance for you<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/security\/security-for-ai\/agent-365-security\" target=\"_blank\" rel=\"noreferrer noopener\">Secure your agents at scale with Microsoft Agent 365 guidance<\/a> for unified identity, compliance, and control across platforms.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/ai\/responsible-ai?msockid=3702b47881576ac600afa2e6809f6b09\" target=\"_blank\" rel=\"noreferrer noopener\">Learn about the Responsible AI policies and practices<\/a> that we use to guide our use of AI at Microsoft.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"chapter-1\">Chapter 1: Enable self-service<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Empowering employees with secure self-service<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Applying self-service principles to the way we manage labeling and governance emerged as a crucial step for us.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Self-service is a core tenet of employee empowerment here at Microsoft. We want to give every employee the independence to create the resources they need without engaging IT. But that level of freedom relies on ensuring our Microsoft Digital governance team identifies and protects valuable data. As a result, our employees can implement and own the containers, workspaces, and content they need to do their work productively.&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-group has-white-200-background-color has-background has-global-padding is-layout-constrained wp-container-core-group-is-layout-48e64321 wp-block-group-is-layout-constrained\" style=\"padding-top:var(--wp--preset--spacing--spacing-12);padding-right:var(--wp--preset--spacing--spacing-12);padding-bottom:var(--wp--preset--spacing--spacing-12);padding-left:var(--wp--preset--spacing--spacing-12)\">\n<div class=\"wp-block-columns is-not-stacked-on-mobile is-layout-flex wp-container-core-columns-is-layout-cff36b9d wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:56px\">\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"44\" height=\"60\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Lightbulb.png\" alt=\"\" class=\"wp-image-23365\" style=\"width:auto;height:56px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<p class=\"wp-block-paragraph\" style=\"margin-top:var(--wp--preset--spacing--spacing-4);margin-bottom:var(--wp--preset--spacing--spacing-4)\">A container or workspace is a logical unit of content storage associated with a designated roster of collaborators. Common containers include SharePoint sites, Viva Engage communities, Outlook groups, and Teams channels.<\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Self-service forms the foundation of our entire governance strategy. Employees can create workspaces and content across many of the Microsoft tools they use for their day-to-day work, including SharePoint, OneDrive, Teams, and Power Platform. That freedom enables a culture of innovation and agility, where people can work together across teams and geographies without encountering \u201cIT gating,\u201d the need for IT to get involved in enabling day-to-day activities.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">By encouraging collaboration in place, our tenant structure frees employees from resorting to email attachments or working in overly broad and open workspaces. As an IT team ourselves, we understand the value of eliminating IT gating for minimizing the time and effort our professionals need to invest in keeping employees productive.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This kind of data hygiene isn\u2019t just about Microsoft 365 Copilot. It maintains data security and compliance wherever employees access company content and information. But because Copilot depends on the ability to access an organization\u2019s data estate, good governance is essential for keeping it within bounds\u2014especially in a self-service culture.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here are the key pillars of our asset governance:<\/p>\n\n\n\n<div class=\"wp-block-group is-layout-grid wp-container-core-group-is-layout-917f6bf6 wp-block-group-is-layout-grid\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-block-group-is-layout-constrained\">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"445\" height=\"445\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Empower-employees.png\" alt=\"Empower employees\" class=\"wp-image-23384\" srcset=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Empower-employees.png 445w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Empower-employees-300x300.png 300w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Empower-employees-150x150.png 150w\" sizes=\"auto, (max-width: 445px) 100vw, 445px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Support self-service creation<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Use lifecycle management<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Offer user education and awareness\/trainings<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Implement monitoring and auditing<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Adopt insider risk management<\/li>\n<\/ul>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-block-group-is-layout-constrained\">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"445\" height=\"445\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Identify-valuable.png\" alt=\"Identify valuable and vulnerable content\" class=\"wp-image-23385\" srcset=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Identify-valuable.png 445w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Identify-valuable-300x300.png 300w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Identify-valuable-150x150.png 150w\" sizes=\"auto, (max-width: 445px) 100vw, 445px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Require classification for containers<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Scan with Microsoft Purview Data Loss Prevention and Information Protection services<\/li>\n<\/ul>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-block-group-is-layout-constrained\">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"445\" height=\"445\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Protect-assets.png\" alt=\"Protect assets\" class=\"wp-image-23386\" srcset=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Protect-assets.png 445w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Protect-assets-300x300.png 300w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Protect-assets-150x150.png 150w\" sizes=\"auto, (max-width: 445px) 100vw, 445px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Limit reach<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Enforce policy<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Use conditional access or multifactor authentication<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Apply Microsoft Purview Data Loss Prevention and Information Protection services<\/li>\n<\/ul>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-block-group-is-layout-constrained\">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"445\" height=\"445\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Ensure-accountability.png\" alt=\"Ensure accountability\" class=\"wp-image-23387\" srcset=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Ensure-accountability.png 445w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Ensure-accountability-300x300.png 300w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Ensure-accountability-150x150.png 150w\" sizes=\"auto, (max-width: 445px) 100vw, 445px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Manage group or site ownership<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Review external membership<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Generate reports<\/li>\n<\/ul>\n<\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Responsible self-service<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Self-service container creation has abundant benefits, but it also poses some challenges for content governance and security\u2014things like oversharing, unneeded asset sprawl, and data leakage. To address these challenges, our Microsoft Digital governance team has established self-service principles that balance the needs of employees and the company.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">We empower with accountability<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Accountability has responsibility. Any full-time employee can create a workspace, but they\u2019re responsible for re-attesting its compliance every six months to ensure it meets our governance requirements. They also need to attest that they still require and maintain the resource. They need to manage their own content and ensure it\u2019s properly classified, labeled, and secured. The content\u2019s accountable owner makes any decisions about the workspace with respect to reach or the desire to maintain it. That removes any guesswork for IT about whether a site is still valued and cared for.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">We empower with guardrails<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We secure assets by default and expand access based on employee needs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">We trust, but we also verify<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft Information Protection (MIP) sensitivity labels and Purview DLP act as guardrails for employee-led governance efforts.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As we in Microsoft Digital have worked to improve the company\u2019s overall governance posture, we\u2019ve learned several important lessons. When you consider self-service container creation, there are a few questions to ask yourself:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Who do you trust to create containers?<\/strong>&nbsp;At Microsoft, we reserve complete self-service capabilities for full-time employees. Then, we configure those privileges in Microsoft Entra ID to define who can create Microsoft 365 Groups. These users need to take relevant trainings, and we hold them accountable for the containers they create.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Where does employee self-service make sense?<\/strong>&nbsp;Different employees will require self-service in different environments. Will yours need to operate within SharePoint? Power Platform? Teams?<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>What are your lifecycle rules?&nbsp;<\/strong>Think about your policies and rule sets. Who\u2019s accountable? What does the lifecycle look like?<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>What are your naming rules?&nbsp;<\/strong>A clear taxonomy can act as an extra signpost and organizational driver for your users. It can also be useful to think through what names are explicitly helpful or obscure. At Microsoft, we use a blocked word list, but we don\u2019t prefix or suffix all groups or site names to avoid overloading the employee experience.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">When you\u2019ve settled on degrees of autonomy and where to apply it, you can begin your AI governance journey.&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/purview\/sensitivity-labels-teams-groups-sites\" target=\"_blank\" rel=\"noreferrer noopener\">Find out how to configure containers for self-service.<\/a><\/p>\n\n\n\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-639b5052 wp-block-group-is-layout-constrained\" style=\"padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"50\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Key-takeaways.png\" alt=\"\" class=\"wp-image-23364\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Key takeaways<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Use these tips\u2014which are based on what we learned here at Microsoft\u2014to enable self-service in Copilot governance at your organization:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Front-end load on building your strategy. <\/strong>Put thought into your environment and tenant architecture, key personas, and scenarios before adoption.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Account for hesitancy. <\/strong>Understand that IT organizations have inherently cautious habits, and self-service might seem like a leap. As you lay out the business value for self-service container creation, illustrate the safety backstops as well. Also consider the risks if you don\u2019t take this step, like employees misusing existing sites or other means not supported by IT.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Bring leadership on board. <\/strong>Make the business case and offer reassurances that greater flexibility doesn\u2019t equal greater vulnerability.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Assess your current setup. <\/strong>Consider your existing data hygiene and how it needs to extend to accommodate AI.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"50\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Learn-more.png\" alt=\"\" class=\"wp-image-23363\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Learn more<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>How we did it at Microsoft<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/powering-data-governance-at-microsoft-with-purview-unified-catalog\/\">Read how we\u2019re powering data governance at Microsoft with Purview Unified Catalog.<\/a> This article explains how we centralized data governance and improve data discoverability at scale with the Purview Unified Catalog.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/riding-the-wave-of-agents-washing-over-microsoft-with-good-governance\/\">Discover how we\u2019re riding the wave of agents washing over Microsoft with good governance practices.<\/a> This post explores how we established strong governance practices to safely enable the rapid adoption of AI agents across the organization.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Further guidance for you<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/techcommunity.microsoft.com\/blog\/microsoft365copilotblog\/how-to-prepare-for-microsoft-365-copilot\/3851566\" target=\"_blank\" rel=\"noreferrer noopener\">Get an overview of pre-deployment preparation for Microsoft 365 Copilot.<\/a> This guide outlines the key pre\u2011deployment steps organizations can take to ensure Microsoft 365 Copilot is secure and compliant.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/techcommunity.microsoft.com\/blog\/microsoft365copilotblog\/your-path-to-value-with-copilot-for-microsoft-365\/4078744\" target=\"_blank\" rel=\"noreferrer noopener\">Learn about our Copilot Success Kit, a one-stop shop for most of our Copilot deployment and adoption resources.<\/a> This resource walks through a centralized collection of tools, guidance, and best practices for deploying and adopting Copilot.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Learn more about <a href=\"https:\/\/cm-edgetun.pages.dev\/en-us\/security\/business\/information-protection\/microsoft-purview-data-loss-prevention\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Purview Data Loss Prevention<\/a> and <a href=\"https:\/\/cm-edgetun.pages.dev\/en-us\/security\/business\/risk-management\/microsoft-purview-data-governance\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Purview Data Governance<\/a>, which are key to our organization\u2019s approaches for protecting sensitive information and managing data assets throughout their lifecycle.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"chapter-2\">Chapter 2: Establish container labels and set well-scoped, intuitive defaults<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Balancing freedom with trust through an easy-to-use labeling taxonomy<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Self-service container creation forms the foundation of our employee-centric governance strategy. As part of that freedom, our Microsoft Digital governance team has established baseline protections inherent to all containers, and those protections depend on sensitivity labels. Microsoft 365 Copilot respects labels, so establishing effective labeling practices extends data security into our employees\u2019 AI usage.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Baseline labeling habits<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Employees need to label every container or workspace they create using Purview Information Protection (PIP) container labels. It\u2019s a matter of policy at Microsoft: If it isn\u2019t labeled, we delete it. We use container labeling for data delineation and to apply consistent protection and governance policies to containers based on their sensitivity and purpose.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft labels break out into four different categories:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Highly confidential. <\/strong>This is our most critical data. Employees can only share this with specifically designated recipients.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Confidential. <\/strong>This is sensitive business data that\u2019s crucial to achieving our goals. Employees should limit distribution to a need-to-know basis.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>General. <\/strong>The \u201cGeneral\u201d label includes data we use and share throughout Microsoft, like personal settings and postal codes. They\u2019re visible internally throughout Microsoft.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Public. <\/strong>Public data is unrestricted and suitable for open, external consumption. It includes open-source code or financials the company has announced. Employees can share this data freely.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Container labels provide two things:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>First, they drive user awareness<\/strong> <strong>over how to handle content.<\/strong> For example, if something is highly confidential, employees shouldn\u2019t talk about it in the caf\u00e9.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Second, they illustrate what data is appropriate for which container.<\/strong> In other words, they signal to an employee that they shouldn\u2019t store highly confidential documents on a general site.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Our Microsoft Digital governance team predefines and centrally manages labels to align them with broader MIP sensitivity levels used for email, files, meetings, and containers. Those include the same four categories: \u201chighly confidential,\u201d \u201cconfidential,\u201d \u201cgeneral,\u201d and \u201cpublic,\u201d although we don\u2019t use the last one for containers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Matching labels with policies and protections<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Each label we\u2019ve defined has a set of protection settings that include policies around characteristics like guest allowance and membership openness. They also drive inherited file labeling, which we use for encryption.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At its core, container classification communicates four things:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Privacy level:<\/strong>&nbsp;Labels determine whether the workspace is broadly available internally or it\u2019s a private site.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>External permissions:<\/strong>&nbsp;We administer guest allowance via the group\u2019s classification, allowing specified partners to access teams when appropriate.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Sharing guidelines<\/strong>: We tie important governance policies to the container\u2019s label. For example, can employees share this workspace outside Microsoft? Is this group limited to a specific division or team? Or is it restricted to specific people? The label establishes these rules.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Conditional access:<\/strong>&nbsp;While not implemented at Microsoft, tying identity and device verification to container labels introduces additional governance controls.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\" style=\"margin-bottom:0\">After extensive experimentation, we arrived at our current schema for how container sensitivity labels align with MIP policies. Your organization might make different choices about your labels\u2019 relationships with information protection policies, but this graphic can give you an idea of what a healthy governance ecosystem looks like:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\" style=\"margin-top:0\"><img loading=\"lazy\" decoding=\"async\" width=\"2000\" height=\"1520\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Information-protection-container-sensitivity_labels_REV.png\" alt=\"A chart shows the different types of data container labels and what level of access is given for each one. \" class=\"wp-image-23483\" srcset=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Information-protection-container-sensitivity_labels_REV.png 2000w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Information-protection-container-sensitivity_labels_REV-300x228.png 300w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Information-protection-container-sensitivity_labels_REV-1024x778.png 1024w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Information-protection-container-sensitivity_labels_REV-768x584.png 768w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Information-protection-container-sensitivity_labels_REV-1536x1167.png 1536w\" sizes=\"auto, (max-width: 2000px) 100vw, 2000px\" \/><figcaption class=\"wp-element-caption\">Our Microsoft Digital schema clearly lays out what each container sensitivity label means and how it affects content.<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Building a process around employee ownership<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The labeling process works like this: When employees create a new container, they\u2019re responsible for selecting a container label that matches the sensitivity and purpose of the content they intend to store and share. By default, we lock new containers, which means that only the owner and members can access them. Locked containers prevent unauthorized or accidental access to their content.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Container owners can unlock the container if they need to share content with a broader audience within the organization or external partners. Container owners can also change the container label if the sensitivity or purpose of the content changes over time.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At Microsoft, this process provides the right combination of flexibility and protection while empowering employees with effective self-service.<\/p>\n\n\n\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-639b5052 wp-block-group-is-layout-constrained\" style=\"padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"50\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Key-takeaways.png\" alt=\"\" class=\"wp-image-23364\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Key takeaways<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Here are some of the main insights we\u2019ve gleaned from our own data-labeling practices, which you can apply to your efforts in this area:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Use intuitive labels. <\/strong>Your employees will be the ones applying labels, so make those labels intuitive. For example, \u201chighly confidential\u201d is easy to understand, while \u201cbusiness-critical\u201d can be interpreted many ways from a sensitivity standpoint.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Make use of existing defaults. <\/strong>Identify the security needs and regulatory compliance that are specific to your organization and use built-in governance controls available through Microsoft tools.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Limit the number of labels to 5\u00d75. <\/strong>Keep labels minimal to avoid overtaxing your employees\u2019 understanding. We recommend restricting your labeling schema to no greater than five main labels with five sub-labels each\u2014and the fewer, the better!<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Pilots are powerful. <\/strong>Experiment with sensitivity labeling through a small group of early champions, then roll these features out alongside an adoption and education initiative.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"50\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Learn-more.png\" alt=\"\" class=\"wp-image-23363\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Learn more<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>How we did it at Microsoft<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/microsoft-creates-self-service-sensitivity-labels-in-microsoft-365\/\">Learn how we create self-service sensitivity labels in Microsoft 365.<\/a> This article covers how we designed and implemented self\u2011service sensitivity labels to empower employees while reducing administrative overhead.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/empowering-employee-self-service-with-guardrails-how-were-using-sensitivity-labels-to-make-microsoft-more-secure\/\">Find out how we\u2019re using sensitivity labels to make Microsoft more secure.<\/a> This post examines how we use sensitivity labels with built\u2011in guardrails to strengthen security without slowing down employee productivity.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Further guidance for you<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/purview\/sensitivity-labels\" target=\"_blank\" rel=\"noreferrer noopener\">Read about getting started with sensitivity labels.<\/a> This documentation introduces the core concepts, setup steps, and capabilities of sensitivity labels in Microsoft Purview.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/support.microsoft.com\/en-us\/office\/apply-sensitivity-labels-to-your-files-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9\" target=\"_blank\" rel=\"noreferrer noopener\">Explore how to apply sensitivity labels to your files.<\/a> Read a guide on how to apply sensitivity labels to files and emails across Microsoft 365 apps.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"chapter-3\">Chapter 3: Derive file labels from parent containers<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Using default file-labeling based on container labels<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We\u2019re helping our teams stay consistent with how they create and store resources by making sure that default file-labeling happens based on container labels. Here\u2019s how that looks for our employees:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">SharePoint and other containers support default library labels, which we configure to align with the container label through mapping we define in Purview.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">For instances where we need to define default library labels for tools that don\u2019t have container labels, like OneDrive for Business, we create custom scripts. For OneDrive, we \u201csecure by default\u201d by using a default label like \u201cConfidential\\Internal-only,\u201d which means that any file type that supports protection will remain protected&#8211;even if it\u2019s accidentally left behind on a device, emailed externally, or purposefully shared externally. Without lowering the label, the default protection will not be decryptable by external actors.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">By default, new items that are unlabeled inherit the label of the container that stores them. That helps employees apply the correct label and avoid misclassification. For example, if an employee creates a new document in a SharePoint site labeled \u201cconfidential,\u201d the document will automatically receive that label.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Employees can change the item label if the sensitivity or purpose of the content differs from the container label. But that only works in one direction; they can\u2019t store files with higher-confidentiality labels in a lower-confidentiality container. For example, they can downgrade a file in a \u201chighly confidential\u201d container to \u201cgeneral\u201d if it doesn\u2019t require heightened protection, but they can\u2019t upgrade a file in a \u201cgeneral\u201d container to anything above that grade. SharePoint will provide warnings to site owners when it detects label mismatches\u2014for example, when a file label is more sensitive than its container\u2019s.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">The following graphic shows how default file-labeling is impacted by container labels and other sharing limitations:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\" style=\"margin-top:0\"><img loading=\"lazy\" decoding=\"async\" width=\"2000\" height=\"1350\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Item-sensitivity-labels.png\" alt=\"Graphic shows the different levels of protection for different container labels at Microsoft.\" class=\"wp-image-23397\" srcset=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Item-sensitivity-labels.png 2000w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Item-sensitivity-labels-300x203.png 300w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Item-sensitivity-labels-1024x691.png 1024w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Item-sensitivity-labels-768x518.png 768w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Item-sensitivity-labels-1536x1037.png 1536w\" sizes=\"auto, (max-width: 2000px) 100vw, 2000px\" \/><figcaption class=\"wp-element-caption\"><em>By trusting employees and setting good defaults, we\u2019re able to account for 99% of our governance needs.\u202f&nbsp;&nbsp;<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">By defaulting file labels to their container labels, you can ensure that every item and collaborative space will align with both its context in your organization and your information protection policies. As a result, Copilot will respect those labels and their corresponding information protection policies.<\/p>\n\n\n\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-639b5052 wp-block-group-is-layout-constrained\" style=\"padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"50\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Key-takeaways.png\" alt=\"\" class=\"wp-image-23364\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Key takeaways<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Here are some key tips for setting up container-file relationships, based on what we\u2019ve learned through our own experience here at Microsoft:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Communicate the relationship between files and containers. <\/strong>Employees might not understand the relationship between files and their containers intuitively. When you implement your labeling strategy, be sure to include education about container-file derivation.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Guide through correction. <\/strong>Many employees learn best from practice, not instruction. Include automated messages that correct edge-case behaviors like trying to make a file in a confidential container generally available.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Ensure you\u2019re comfortable with your label defaults. <\/strong>Employees will more often than not use the default, so ensure your defaults are correct and reflect your organization\u2019s needs.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Reinforce the importance of file labels. <\/strong>Because a file can be moved or downloaded from its original container, the only way to protect that information is to ensure its label remains durable. Embed that durability in your object label configurations.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Match container and file label defaults. <\/strong>Whenever possible, make the container and file defaults the same from the outset. If you start with different labels or policy sets at the outset, it will be difficult to reconcile those changes later.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"50\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Learn-more.png\" alt=\"\" class=\"wp-image-23363\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Learn more<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>How we did it at Microsoft<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/sensitivity-labeling-a-new-layer-of-security-for-microsoft-teams-premium-meetings\/\">Find out how we\u2019re using sensitivity labeling as a new layer of security for Microsoft Teams Premium meetings.<\/a> This post explains how we apply sensitivity labels to content in Teams Premium to protect sensitive collaboration.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Further guidance for you<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/purview\/sensitivity-labels-sharepoint-default-label\" target=\"_blank\" rel=\"noreferrer noopener\">Learn more about configuring default sensitivity labels in SharePoint libraries.<\/a> This guidance details how default sensitivity labels in SharePoint libraries ensure consistent protection for our stored content.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"chapter-4\">Chapter 4: Train employees<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Empowering our employees: A joint effort between IT and users<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Training your employees on how to handle and label sensitive data continues to be a critical step on our governance journey.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Establishing a robust labeling strategy is only part of good governance. When it comes to getting employees on board, culture is as critical as policy.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At Microsoft, employee learning and development are how we move sensitivity labeling from the administrative sphere into day-to-day practice. It helps us increase the accuracy of how our labels are used and ensures that our employees recognize labeling cues when they appear across our productivity suite.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Every incoming Microsoft employee takes our Standards of Business Conduct and security trainings. As part of that process, we created an internal SharePoint resource dedicated to educating employees about their responsibilities for labeling and adhering to our governance policies. It educates employees about the philosophy behind our policies, shares a simplified overview of our sensitivity label structure, and provides practical, app-specific guidance for self-service labeling.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\" style=\"margin-top:0\"><img loading=\"lazy\" decoding=\"async\" width=\"2000\" height=\"1165\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Label-decision-tree.png\" alt=\"Text graphic shows the Microsoft labeling taxonomy that determines how employees determine what sensitivity label to use.\" class=\"wp-image-23398\" srcset=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Label-decision-tree.png 2000w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Label-decision-tree-300x175.png 300w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Label-decision-tree-1024x596.png 1024w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Label-decision-tree-768x447.png 768w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Label-decision-tree-1536x895.png 1536w\" sizes=\"auto, (max-width: 2000px) 100vw, 2000px\" \/><figcaption class=\"wp-element-caption\">This quick-reference guide helps Microsoft employees understand our labeling taxonomy at a glance.<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Effective learning and development assets<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">As you build out your employee education assets, consider emulating our content with the following elements:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>1. Overview<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It will be much easier for employees to act according to your governance policies if they understand what the policies do and why they\u2019re so important. Our overview illustrates the relevance of sensitivity labeling for security and compliance and reinforces our employees\u2019 role in maintaining them.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>2. A quick-reference guide<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A visual guide will help employees understand how labels relate to each other and what they accomplish. At Microsoft, we use a helpful flowchart that provides an outline of our labeling taxonomy without overloading employees with details. Placing it near the beginning of your training content grounds employees in the knowledge early, before they dive deeper into the details.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>3. Technical education<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Our learning material includes a section on how labeling works within our data estate. Then, it proceeds into an in-depth description of how each label or classification interacts with users\u2019 content. Including this section will make labeling more tangible for your employees.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>4. App-specific guidance<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At this point, our guidance documentation progresses through the most common app-based use cases for sensitivity labeling: Microsoft 365 files, Teams, Power BI, and PDFs, as well as AIP and other file types separate from Microsoft 365. This app-by-app procedural content will help employees home in on their most common scenarios and educate themselves accordingly.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Aside from laying a solid foundation as an IT team, the most effective way to promote good governance is by bringing your workforce on board. Robust learning and development content is a powerful lever for establishing a culture of data security.<\/p>\n\n\n\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-639b5052 wp-block-group-is-layout-constrained\" style=\"padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"50\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Key-takeaways.png\" alt=\"\" class=\"wp-image-23364\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Key takeaways<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Here are some of the key insights we\u2019ve drawn from our own employee training in Copilot governance, which can guide you as you set up your own trainings.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Educate from day one. <\/strong>People will only do what they know, so ensure employees know your policies and how to enact them. Build robust education into your labeling and governance strategy, ideally as part of employee onboarding.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Don\u2019t neglect in-app education opportunities. <\/strong>Labeling cues are an excellent opportunity for helping employees remember their responsibilities. Make label descriptions brief and tangible during in-app experiences.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Provide education on-ramps. <\/strong>Nobody\u2019s memory is perfect. Link out to relevant information as part of label descriptions so curious employees have a chance to reinforce their knowledge.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Engage actively and situationally. <\/strong>If breaches occur or certain teams underperform, coordinate with relevant managers to refresh employee knowledge.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"50\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Learn-more.png\" alt=\"\" class=\"wp-image-23363\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Learn more<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>How we did it at Microsoft<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/deploying-copilot-for-microsoft-365-with-the-help-of-you-guessed-it-copilot\/\">Find out how we\u2019re deploying Microsoft 365 Copilot with the help of\u2014you guessed it\u2014Copilot.<\/a> This article explains how we used Copilot itself to plan, deploy, and scale Microsoft 365 Copilot across the organization.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/skilling-up-for-the-future-of-work-at-microsoft-with-agent-launchpad\/\">Discover how we&#8217;re skilling up our employees for the future of work with Agent Launchpad.<\/a> This post covers our latest training program to help our workers get the most out of agentic AI. <\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Further guidance for you<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/purview\/sensitivity-labels\" target=\"_blank\" rel=\"noreferrer noopener\">Learn more about sensitivity labels.<\/a> This Microsoft Learn content provides an overview of sensitivity labels, including how they help classify, protect, and govern sensitive data across Microsoft 365.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"chapter-5\">Chapter 5: Trust employees, but verify their work<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Self-service with guardrails: Backstopping our employee efforts with technology<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Trusting your employees while also verifying that their actions are secure via automation is a crucial step.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Thanks to our education efforts and intuitive labeling interfaces, we trust employees to apply sensitivity labels. But we also verify their work. It\u2019s how we catch the 1% of edge cases where problems might arise.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We accomplish that by checking files against our data-loss prevention (DLP) standards and using auto-labeling and quarantining when we need them. Swiftly tying up any loose ends eliminates wayward items that Microsoft 365 Copilot might scoop up during the course of its work. Another way we verify employee decisions is by asking them to provide a reason when they downgrade a security label.<\/p>\n\n\n\n<div class=\"wp-block-group has-white-200-background-color has-background has-global-padding is-layout-constrained wp-container-core-group-is-layout-48e64321 wp-block-group-is-layout-constrained\" style=\"padding-top:var(--wp--preset--spacing--spacing-12);padding-right:var(--wp--preset--spacing--spacing-12);padding-bottom:var(--wp--preset--spacing--spacing-12);padding-left:var(--wp--preset--spacing--spacing-12)\">\n<div class=\"wp-block-columns is-not-stacked-on-mobile is-layout-flex wp-container-core-columns-is-layout-cff36b9d wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:56px\">\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"44\" height=\"60\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Lightbulb.png\" alt=\"\" class=\"wp-image-23365\" style=\"width:auto;height:56px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<p class=\"wp-block-paragraph\" style=\"margin-top:var(--wp--preset--spacing--spacing-4);margin-bottom:var(--wp--preset--spacing--spacing-4)\">Data-loss prevention (DLP) is a set of technologies and practices centered around Microsoft Purview that help detect, monitor, and reduce the risk of sensitive data being inappropriately shared or accessed.<\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">At Microsoft Digital, we use Purview DLP policies to define the rules and actions for detecting and protecting sensitive data across Microsoft 365, SharePoint, OneDrive, and Teams.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DLP policies support vulnerable data types and scenarios that require protection. They include any kind of information that might introduce inappropriate access to company data or intellectual property:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Access credentials like keys or tokens<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Personally identifying information<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Financial data<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Non-public source code<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Sign-in information<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Reports and dashboards are available via Purview to help our team monitor and analyze content activity and compliance across the organization. They also provide insights into the volume, location, and usage of sensitive data, as well as any incidents and alerts that indicate potential data breaches or violations.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For example, an employee might label something as \u201cGeneral,\u201d but it contains credentials or other sensitive end-user identification information (EUII). In those instances, Purview will automatically block the file from access beyond its owner or reapply a more appropriate label.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Automation and escalation<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We\u2019ve configured Purview to automatically remediate these kinds of issues or escalate them to our Microsoft Digital governance team for resolution when an issue is more complex. DLP remediation and escalation processes can involve several different groups of stakeholders depending on the severity and impact of the incident or alert:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Content owners<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Content champions<\/li>\n\n\n\n<li class=\"wp-block-list-item\">The MIP team<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Our legal team<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Security<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">We use Microsoft 365 Purview to run DLP remediation operations at scale.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">DLP systems acquire telemetry from the Microsoft 365 activity management API. Backend processing cleanses the data to build relevant insights and surface them through Power BI dashboards.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">We flag information about files and aggregate it at the file level, then assign it to the last modifier for remediation action.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">If users don\u2019t act on the files quickly, the DLP team scopes risky sites to quarantine any files with vulnerabilities.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">All activities\u2014including sharing, labeling, and changing labels\u2014get written into the unified audit log and into Sentinel to monitor for possible risks.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Fortunately, all these features and functionalities are available out of the box through Microsoft 365 and Purview. After you\u2019ve established your labeling strategy and policies, it\u2019s just a matter of adding guardrails to your self-service environment. By automating information protection through quarantining content or rightsizing its label, you can keep Copilot from making sensitive information available where it shouldn\u2019t.<\/p>\n\n\n\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-639b5052 wp-block-group-is-layout-constrained\" style=\"padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"50\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Key-takeaways.png\" alt=\"\" class=\"wp-image-23364\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Key takeaways<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Here\u2019s what we\u2019ve learned from our trust and verification process, which can inform your own process:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Consider your key escalation partners. <\/strong>When human intervention is necessary, it\u2019s important to have immediate access to the relevant stakeholders. Assemble your list and build it into your process.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Understand DLP\u2019s limitations. <\/strong>Purview DLP is a powerful set of capabilities, but it still relies on automation, which can miss things humans don\u2019t. For example, DLP might not understand the code name for a product and fail to catch it during automated verification.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Identify and manage exceptions. <\/strong>There are very few absolutes in IT, so you\u2019ll always need exceptions. For example, finance professionals will often need to include passwords or credit card numbers in working documents, so we exempt them from Purview DLP oversight with that team. At Microsoft, we use exemption groups to exempt certain employees.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Involve experts. <\/strong>Your legal, HR, and security teams will be key allies in this process. Engage them early to help you flesh out risk factors and vulnerabilities.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"50\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Learn-more.png\" alt=\"\" class=\"wp-image-23363\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Learn more<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>How we did it at Microsoft<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/empowering-our-employees-with-generative-ai-while-keeping-the-company-secure\/\">Learn how we\u2019re empowering our employees with generative AI while keeping the company secure.<\/a> This story explores how our employees use generative AI tools in their work while maintaining strong security, compliance, and governance controls.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/powering-data-governance-at-microsoft-with-purview-unified-catalog\/\">Discover how we\u2019re using Purview Unified Catalog to power data governance at Microsoft.<\/a> This post describes how we use Purview Unified Catalog to centralize data governance and improve visibility and trust in data assets.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Further guidance for you<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/purview\/dlp-learn-about-dlp\" target=\"_blank\" rel=\"noreferrer noopener\">Find out how Microsoft Purview Data Loss prevention can help you automate remediation.<\/a> This guidance outlines how Microsoft Purview DLP helps organizations identify, monitor, and automatically remediate risky data activities.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/sentinel\/sentinel-overview\" target=\"_blank\" rel=\"noreferrer noopener\">Explore how Microsoft Sentinel provides cloud-native security and event management.<\/a> This overview explains how Microsoft Sentinel delivers security and event management to help detect, investigate, and respond to threats at scale.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"chapter-6\">Chapter 6: Implement lifecycle management and attestation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Pairing trust with accountability: How we\u2019re maintaining our data hygiene with attestation<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We focused on strong lifecycle management policies and employee attestation to help us get our lifecycle management right.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Attestation and self-service go hand-in-hand. In simple terms, it means employees can create what they need, but they\u2019re accountable for its upkeep. In turn, that chain of accountability makes sure Copilot only accesses clean and appropriate data.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To support this, SharePoint now offers both activity\u2011based and non\u2011activity\u2011based attestations through SharePoint Advanced Management, giving organizations flexible ways to validate that their containers are being properly maintained. Microsoft Entra also provides an inactive group expiration policy that requires renewal of any inactive Microsoft 365 Group (like a team, group-connected site, or Outlook group).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At Microsoft, we follow the principle of data minimization. That means only content that\u2019s necessary and relevant for the company\u2019s operations and objectives should exist in storage. Data minimization reduces the risk of oversharing content that isn\u2019t cared for by employees, minimizes asset sprawl, halts data leakage, and improves quality and usability.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To implement this principle, we require that every existing container has attestation. By extension, we delete information that doesn\u2019t have a full-time employee to care for it or that has become stale or irrelevant.<\/p>\n\n\n\n<div class=\"wp-block-group has-white-200-background-color has-background has-global-padding is-layout-constrained wp-container-core-group-is-layout-48e64321 wp-block-group-is-layout-constrained\" style=\"padding-top:var(--wp--preset--spacing--spacing-12);padding-right:var(--wp--preset--spacing--spacing-12);padding-bottom:var(--wp--preset--spacing--spacing-12);padding-left:var(--wp--preset--spacing--spacing-12)\">\n<div class=\"wp-block-columns is-not-stacked-on-mobile is-layout-flex wp-container-core-columns-is-layout-cff36b9d wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:56px\">\n<figure class=\"wp-block-image aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"44\" height=\"60\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Lightbulb.png\" alt=\"\" class=\"wp-image-23365\" style=\"width:auto;height:56px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<p class=\"wp-block-paragraph\" style=\"margin-top:var(--wp--preset--spacing--spacing-4);margin-bottom:var(--wp--preset--spacing--spacing-4)\">Attestation is the process of verifying and validating the existence, ownership, and purpose of a container and ensuring it complies with content governance and security policies.<\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">At Microsoft, we require attestation from a full-time employee for all shared workspaces every six months to confirm several aspects of their containers:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">It\u2019s correctly labeled.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Users actually care about its ongoing existence.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">The roster of people with access is accurate and necessary.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Sharing capabilities are appropriately restrictive or permissive.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">It complies with corporate retention guidelines.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">If a container or an item doesn\u2019t have attestation, we consider it orphaned or abandoned, and it\u2019s subject to deletion. Note that we archive deleted items over an extended period, in case our employees decide they need them after the fact.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Managing exceptions<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If a container is subject to a retention or hold for our legal team, that supersedes any deletion event. Generally speaking, containers where the legal team is the accountable owner aren\u2019t subject to re-attestation because we handle those lifecycles more granularly based on Purview retention policies.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Ultimately, every organization will have to decide what makes the most sense for them. Applying these principles will help you maintain organization-wide data hygiene, which prevents over-access from Copilot.<\/p>\n\n\n\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-639b5052 wp-block-group-is-layout-constrained\" style=\"padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"50\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Key-takeaways.png\" alt=\"\" class=\"wp-image-23364\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Key takeaways<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Here are some tips that come from our experience managing the product lifecycle for Microsoft 365 Copilot here at Microsoft.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Choose a meaningful attestation interval. <\/strong>The attestation interval should be short enough that it doesn\u2019t introduce risk through neglect and long enough that it isn\u2019t unnecessarily burdensome for employees. Think about what makes the most sense for your people by analyzing their behaviors.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Communication is key. <\/strong>Be sure that the attestation requests you create for employees contain both the objective for motivation and simple instructions. That will increase buy-in and smooth the process.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Base non-compliance response on severity. <\/strong>The severity of non-compliance will vary based on different files and containers. Some might be more relaxed, and others more strict. Determine a strategy for deciding which is which.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Include reasonable resolution and recovery options. <\/strong>Consider your resolution and recovery intervals after a lapse in attestation. You\u2019ll need to balance between items\u2019 sensitivity, employees\u2019 bandwidth, and the infrastructure cost of extended archiving for recoverable items.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"50\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Learn-more.png\" alt=\"\" class=\"wp-image-23363\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Learn more<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>How we did it at Microsoft<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/copilot-for-microsoft-365-for-executives-sharing-our-internal-deployment-and-adoption-journey-at-microsoft\/\">Check out our&nbsp;guide for deploying and driving adoption of Microsoft 365 for executives.<\/a> This executive-level guide explains how we deployed Microsoft 365 Copilot and drove adoption across the organization.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Further guidance for you<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/users\/groups-lifecycle\" target=\"_blank\" rel=\"noreferrer noopener\">Find out how to configure the expiration policy for Microsoft 365 groups.<\/a> Read how expiration policies help to manage the lifecycle of Microsoft 365 groups.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/sharepoint\/site-lifecycle-management\" target=\"_blank\" rel=\"noreferrer noopener\">Learn about managing site lifecycle policies.<\/a> This documentation outlines how to manage SharePoint site lifecycle policies to govern site creation, retention, and deletion.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"chapter-7\">Chapter 7: Enable company-shareable links<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Enabling fluid, secure collaboration: Extending access with company-shareable links<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We\u2019re finding that the best way to reduce oversharing is by addressing it at the source.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At Microsoft Digital, we recognize that content sharing is essential for collaboration and productivity. Employees need to share content with both internal and external audiences. But that also poses a risk of content oversharing when employees expose material to more people or for longer than necessary. It might also mean they\u2019ve shared content without proper protection or classification.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In many cases, employees need to share content outside its container. That might include simply sharing a specific file outside of the container\u2019s roster to enable collaboration in place without resorting to making a copy of the file. On the other hand, someone might need to email the file as an attachment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Using company-shareable links<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">We limit oversharing at the source by enabling employees to directly share with users or groups, or by using company-shareable links (CSLs) for all SharePoint sites and items (except ones labeled \u201chighly confidential\u201d).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A CSL is a type of link that allows anyone who receives it within our organization to access the content. CSLs are convenient and easy to use, and they promote a culture of openness and transparency.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Before CSLs, employees were forced to share content with large security groups, because they didn\u2019t know which groups contained everyone who needed access and manually adding every unique user was too cumbersome. That behavior leads to oversharing, because anyone with access can stumble on the content in Microsoft Search or via an answer from Copilot. Any Microsoft 365 discovery scenario will security-trim results, so it\u2019s important that users can\u2019t directly access things they don\u2019t need.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While employees can pass a company-shareable link around within the company, it isn\u2019t discoverable in Microsoft Search or Copilot, because only users who received the link directly via email or chat will have pre-granted access. It might seem counterintuitive that a CSL is more secure, but it eliminates the need for standing access to content and provides greater protection.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Finally, we allow content owners to modify or revoke CSLs if their sensitivity or purpose changes, or if sharing is no longer necessary. The content owner can also set an expiration date or a password for their link to enhance security and control.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Note that company-shareable links are no longer the default option, but they are still available as a sharing option for the reasons outlined here.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Extra protection for highly confidential items<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Our governance team at Microsoft Digital determined that we should enable CSLs by default for all containers and items labeled \u201cpublic,\u201d \u201cgeneral,\u201d or \u201cconfidential.\u201d As a result, employees can share content with their colleagues without having to grant individual permissions or manage access requests.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There are some kinds of content that employees absolutely shouldn\u2019t share through a company-shareable link. The risk emerges if someone copies the link into an open location like a broadly accessible document or community. You\u2019ll have to decide where to draw that line for your organization. At Microsoft, we\u2019ve elected to disable CSLs for all containers and items that are labeled \u201chighly confidential.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At Microsoft, highly confidential items require need-to-know access for specific people. For these files, employees use links they designate for specific people, which allows access to only individuals the content creator or owner explicitly identifies. In those situations, large security groups aren\u2019t appropriate in any case.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We also want to drive broad sharing to SharePoint, so we discourage CSL use on OneDrive by automatically implementing expiration policies on OneDrive-created CSLs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These policies compel employees to think about who needs access to content and to take deliberate action before sharing. In some ways, the policies act as an extra gate or prompt to keep our people security-conscious during the sharing process.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At Microsoft Digital, we tailored our policies to the company\u2019s specific needs, but it provides a blueprint for other organizations to build a CSL strategy. Deciding what should be sharable and how will help you ensure robust information protection that\u2019s still flexible enough to foster collaboration and productivity.<\/p>\n\n\n\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-639b5052 wp-block-group-is-layout-constrained\" style=\"padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"50\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Key-takeaways.png\" alt=\"\" class=\"wp-image-23364\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Key takeaways<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Here are some key learnings we took from our CSL strategic work at Microsoft, which you can apply to your own efforts in this area:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Establish thresholds for company-shareable links or specific-people links. <\/strong>Align your CSL policies with the sensitivity labels that meet your organization\u2019s security needs. Above a certain threshold, it might make sense to require links for specific people.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Embed education in the process. <\/strong>Employees will need time to get used to this structure. Create education communications early in the process, and configure your labeling interface to display information about the sharing implications of different labels.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Manage expectations for security teams. <\/strong>CSLs are counterintuitive in terms of safety. They might make security professionals uncomfortable because employees are free to share them internally with anyone. Reinforce that CSLs are safer than giant security groups, which will be the other default behavior for employees. And unlike security groups, they won\u2019t show up in Microsoft Search.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Build data hygiene on good defaults. <\/strong>Most people will take the simple path, so make the simple path the safe path. Generally speaking, employees leave the defaults intact. If CSLs are your default, that\u2019s the behavior it will drive for your employees.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"50\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Learn-more.png\" alt=\"\" class=\"wp-image-23363\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Learn more<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>How we did it at Microsoft<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/deploying-microsoft-365-copilot-in-five-chapters\/\">Check out our guide for deploying Microsoft 365 Copilot.<\/a> This guide details our approach for deploying Microsoft 365 Copilot, from technical readiness to adoption and value realization.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Further guidance for you<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/sharepoint\/shareable-links-anyone-specific-people-organization\" target=\"_blank\" rel=\"noreferrer noopener\">Find out how&nbsp;company-shareable links work in Microsoft 365 environments.<\/a> This Microsoft Learn content explains how organization\u2011wide sharing links affect access, security, and collaboration.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"chapter-8\">Chapter 8: Extract inventory to detect and report oversharing<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Remediating oversharing errors when they occur: Reporting on broad-access files and sites with Microsoft Graph Data Connect<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When oversharing does slip through, it\u2019s important to have systems in place to catch it.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In spite of our Microsoft Digital governance team\u2019s best efforts to limit oversharing at the source, it can still occur. In some ways, it\u2019s inevitable.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Organizations are made up of people, and so will always be vulnerable to human error. Left unchecked, content oversharing can have negative consequences for an organization, including data breaches, compliance violations, or reputational damage. It will also give employees access to content through Copilot that isn\u2019t appropriate.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To detect and mitigate content oversharing, we use Microsoft Graph Data Connect to report on every broad-access file or site with more sensitive labels. It helps us access and analyze data from Microsoft 365, SharePoint, OneDrive, and Teams using Azure Data Factory, Azure Synapse Analytics, or Azure Machine Learning. We then connect those datasets in our data estate using Azure Synapse Spark and track how many SharePoint sites and items are currently overshared based on our business rules.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One of the principal benefits of Microsoft Graph Data Connect is accessing the information we need through each of these technologies in a secure and scalable way, with control governed by our tenant admins.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"2000\" height=\"1363\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Microsoft-Graph-Data-Connect-chart.png\" alt=\"Flow-chart graphic shows how Microsoft Graph Data Connect analyzes and remediates oversharing instances in our network. \" class=\"wp-image-23391\" srcset=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Microsoft-Graph-Data-Connect-chart.png 2000w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Microsoft-Graph-Data-Connect-chart-300x204.png 300w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Microsoft-Graph-Data-Connect-chart-1024x698.png 1024w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Microsoft-Graph-Data-Connect-chart-768x523.png 768w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Microsoft-Graph-Data-Connect-chart-1536x1047.png 1536w\" sizes=\"auto, (max-width: 2000px) 100vw, 2000px\" \/><figcaption class=\"wp-element-caption\"><em>We use Microsoft Graph Data Connect to detect, reveal, and remediate oversharing in the rare cases where it occurs.<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Note that there will always be cases where we create exemptions to sharing limits. The policies around these exemptions are laid out as part of our Enterprise Governance, Risk, and Compliance guidelines.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Reporting for accountability<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Our tenant\u2019s data team uses Microsoft Graph Data Connect to generate reports on every file or site on the tenant with a broad access level, like a CSL or link that can be shared with anyone. It also monitors any item with a sensitive label like \u201cconfidential\u201d or \u201chighly confidential.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These reports provide information and insights on the content\u2019s owners, recipients, activity, and content protection and compliance status. They also help identify and prioritize potential cases of content oversharing.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At Microsoft, this output is helpful for several groups of stakeholders:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">We share the reports with the&nbsp;<strong>content champions<\/strong>&nbsp;responsible for reviewing and validating any cases of content oversharing.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">We use the reports to contact and educate the&nbsp;<strong>content owners<\/strong>&nbsp;on how to resolve oversharing issues and comply with our governance and security policies.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">We share the reports with the&nbsp;<strong>legal and security teams<\/strong>&nbsp;responsible for investigating and responding to cases of content oversharing that involve legal or security risks and incidents.<\/li>\n\n\n\n<li class=\"wp-block-list-item\">We&nbsp;<strong>track our improvement over time<\/strong>&nbsp;as we enforce policies on our assets.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">To help customers benefit from this kind of visibility,&nbsp;<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/microsoft-graph-data-connect-for\/oversharing-for-very-large-tenants\/ba-p\/4086761\" target=\"_blank\" rel=\"noreferrer noopener\">we\u2019ve created a freely available reporting template<\/a>. We encourage you to use this tool to track oversharing.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Beyond weaving your Microsoft Graph data connect and data export into your own data estate, you can now also use SharePoint Advanced Management in SharePoint Premium to get a list of sites that meet a set of criteria that you select. We use this capability to find all of our sites that share Highly Confidential data to more than 5,000 users. We then use the same capabilities to selectively require our site owners to fix any anomalies we discover.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/sharepoint\/data-access-governance-reports\" target=\"_blank\" rel=\"noreferrer noopener\">Get more information on this data access functionality in SharePoint<\/a> from Microsoft Learn. &nbsp;&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With the right controls and policies in place, you can minimize the number of oversharing errors your employees commit. But when errors do occur, a proactive detection strategy quarantines the risk from Copilot, even as your staff stays connected and collaborating.<\/p>\n\n\n\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-639b5052 wp-block-group-is-layout-constrained\" style=\"padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"50\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Key-takeaways.png\" alt=\"\" class=\"wp-image-23364\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Key takeaways<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Some of the things we learned about setting up an oversharing detection and reporting system included:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Select the tools that work best for you. <\/strong>Between Microsoft 365 and Azure, it\u2019s likely you already have access to the tools you need to set up your reporting apparatus. Explore out-of-the-box functionality before building your own solution.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Get reports to the right people. <\/strong>Collaborate with stakeholder teams to nominate point people who will receive oversharing reports and take action or communicate findings.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Put thought into your communication strategy. <\/strong>Work with internal comms professionals to determine the best communication strategy when you detect oversharing, especially when speaking with content owners.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Consider the content of your reports. <\/strong>Different stakeholders will require different information. Work with individual teams to determine what their reports should look like.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"50\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Learn-more.png\" alt=\"\" class=\"wp-image-23363\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Learn more<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>How we did it at Microsoft<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/powering-a-generational-shift-in-it-at-microsoft-with-ai\/\">Find out how we\u2019re powering a generational shift in IT at Microsoft with AI.<\/a> This article explores how we\u2019re using AI to transform IT operations across the company.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Further guidance for you<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/graph\/reportroot-concept-overview\" target=\"_blank\" rel=\"noreferrer noopener\">See how you can set up your Microsoft Graph Data Connect reporting apparatus.<\/a> This resource explores how Microsoft Graph Data Connect enables large\u2011scale reporting and analytics across Microsoft 365 data.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-group has-teal-to-brown-gradient-background has-background has-global-padding is-layout-constrained wp-container-core-group-is-layout-10685bb4 wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:var(--wp--preset--spacing--spacing-20)\">\n<div class=\"wp-block-group has-white-background-color has-background has-global-padding is-layout-constrained wp-container-core-group-is-layout-12b84cfd wp-block-group-is-layout-constrained\" style=\"padding-top:var(--wp--preset--spacing--spacing-12);padding-right:var(--wp--preset--spacing--spacing-16);padding-bottom:var(--wp--preset--spacing--spacing-12);padding-left:var(--wp--preset--spacing--spacing-16)\">\n<div class=\"wp-block-columns are-vertically-aligned-top is-not-stacked-on-mobile is-layout-flex wp-container-core-columns-is-layout-a5331a9e wp-block-columns-is-layout-flex has-2-columns\" style=\"padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\">\n<div class=\"wp-block-column is-vertically-aligned-top is-layout-flow wp-block-column-is-layout-flow\">\n<p class=\"has-body-xl-font-size wp-block-paragraph\" style=\"margin-top:0;margin-bottom:var(--wp--preset--spacing--spacing-4);font-style:normal;font-weight:600\"><em><em>\u201cAs AI becomes woven into the fabric of how we work, governance is no longer just an operational requirement\u2014it\u2019s a strategic imperative.\u201d<\/em><\/em><\/p>\n\n\n\n<p class=\"has-gray-800-color has-text-color has-link-color has-body-lg-font-size wp-elements-24a67a908777d52efe33b0e41e2803da wp-block-paragraph\" style=\"margin-top:0;margin-bottom:var(--wp--preset--spacing--spacing-4)\"><strong><strong>David Johnson, principal architect, Microsoft Digital<\/strong><\/strong><\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-top is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:165px\">\n<figure class=\"wp-block-image alignright size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"500\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/David-Johnson_teal.png\" alt=\"\" class=\"wp-image-23382\" style=\"object-fit:cover\" srcset=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/David-Johnson_teal.png 500w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/David-Johnson_teal-300x300.png 300w, https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/David-Johnson_teal-150x150.png 150w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/figure>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"conclusion\">The way forward<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Getting governance right in the age of AI<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The advent of AI tools like Microsoft 365 Copilot is a once-in-a-generation development. At this point, we\u2019re still learning all the ways that these tools can be used to unlock creativity, productivity, collaboration, and innovation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But we can be sure of one thing: implementing them securely and effectively should be priority one.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u201cAs AI becomes woven into the fabric of how we work, governance is no longer just an operational requirement\u2014it\u2019s a strategic imperative,\u201d says David Johnson, a principal architect in Microsoft Digital. \u201cWhen we pair powerful tools like Copilot with thoughtful oversight, we ensure that innovation accelerates our mission without compromising our security or our values.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you\u2019re deploying Copilot to your organization, the lessons we\u2019ve learned at Microsoft Digital can act as a roadmap for your own journey.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Ultimately, the most important thing is to consider the data implications of AI assistance and plan accordingly. Diligence and forethought will make sure your employees get all the benefits of next-generation AI technology while your organization stays protected.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Welcome to the age of AI.<\/p>\n\n\n\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<div class=\"wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-639b5052 wp-block-group-is-layout-constrained\" style=\"padding-top:0;padding-right:0;padding-bottom:0;padding-left:0\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"50\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Key-takeaways.png\" alt=\"\" class=\"wp-image-23364\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Key takeaways<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">This guide reflects what we learned as we set up and implemented our governance processes during our internal rollout of Microsoft 365 Copilot. Here are some overall insights to keep in mind when establishing governance controls at your own organization.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>Build governance on intentional design, not inherited habits.<\/strong> Thoughtfully define your tenant architecture, sensitivity labels, lifecycle policies, and container defaults to create a governance environment that is both secure and scalable.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Empower secure self\u2011service.<\/strong> Give employees the freedom to create the workspaces they need, backed by intuitive labeling and clear accountability for the content they manage.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Keep labeling simple, consistent, and enforced by defaults.<\/strong> Use a minimal, intuitive sensitivity label taxonomy and rely on container\u2011based default labeling to ensure that files stay consistently protected wherever they go.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Trust users\u2014but verify with automation.<\/strong> Use Purview DLP, auto\u2011labeling, quarantining, and escalation workflows to catch exceptions and prevent sensitive data from being exposed through Copilot.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Maintain data hygiene with lifecycle management and attestation.<\/strong> Require regular re\u2011attestation, remove stale or unowned content, and use SharePoint Advanced Management to support both activity\u2011based and non\u2011activity\u2011based attestations.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Make collaboration safer with thoughtful sharing defaults.<\/strong> Use company\u2011shareable links (CSLs) and clear link\u2011sharing policies to reduce oversharing while still enabling fluid, secure collaboration.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>Detect oversharing proactively and remediate quickly.<\/strong> Use Microsoft Graph Data Connect and SharePoint Advanced Management reporting to surface broad\u2011access content, notify owners, and correct issues before Copilot surfaces inappropriate data.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"50\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Learn-more.png\" alt=\"\" class=\"wp-image-23363\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Learn more<\/h2>\n<\/div>\n<\/div>\n\n\n\n<ul class=\"wp-block-list is-style-list-no-bullets\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/enterprise-ai-maturity-in-five-steps-our-guide-for-it-leaders\/\">Read our guide for IT leaders who want to drive greater AI maturity.<\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/the-agentic-future-how-were-becoming-an-ai-first-frontier-firm-at-microsoft\/\">Discover how Microsoft is becoming an AI-first Frontier Firm.<\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/powering-agentic-ai-adoption-at-microsoft-our-customer-zero-story\/\">Find out how we\u2019re powering agentic adoption at Microsoft as Customer Zero.<\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/adoption.microsoft.com\/en-us\/copilot\/\" target=\"_blank\" rel=\"noreferrer noopener\">Explore the many resources we\u2019ve prepared to help with Microsoft 365 Copilot adoption.<\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/deploying-microsoft-365-copilot-in-five-chapters\/\">Check out our full Microsoft 365 Copilot deployment and adoption guide.&nbsp;<\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/cm-edgetun.pages.dev\/ai\/responsible-ai?msockid=3702b47881576ac600afa2e6809f6b09\" target=\"_blank\" rel=\"noreferrer noopener\">Learn about the Responsible AI policies and practices that we\u2019ve established at Microsoft.<\/a><\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"43\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Try-it-out.png\" alt=\"\" class=\"wp-image-23367\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">Try it out<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/copilot\/microsoft-365\/microsoft-365-copilot-setup\/?OCID=InsideTrack_Product_10847\" target=\"_blank\" rel=\"noreferrer noopener\">Get your organization and data ready for Microsoft 365 Copilot.<\/a><\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex has-2-columns\">\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:48px\">\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"54\" height=\"50\" src=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/Icon-Wed-like-to-hear-from-you.png\" alt=\"\" class=\"wp-image-23368\" style=\"width:48px\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-vertically-aligned-center is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\" style=\"margin-top:0;margin-bottom:0\">We&#8217;d like to hear from you!<\/h2>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"mailto:msitstaff@microsoft.com\">Want more information? Email us and include a link to this story and we\u2019ll get back to you.<\/a><\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Governance in the age of AI Unlocking the next generation of productivity tools Microsoft 365 Copilot combines the power of large language models (LLMs) with your organization\u2019s data to turn employees\u2019 words into some of the most powerful productivity tools on the planet\u2014all within the flow of work. It suffuses the Microsoft 365 apps your [&hellip;]<\/p>\n","protected":false},"author":115,"featured_media":23479,"comment_status":"closed","ping_status":"closed","sticky":true,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_hide_featured_on_single":false,"_show_featured_caption_on_single":true,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[71,854],"tags":[],"coauthors":[622],"class_list":["post-23360","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-featured","category-readiness-guide","m-blog-post"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>How we\u2019re tackling Microsoft 365 Copilot governance internally at Microsoft - Inside Track Blog<\/title>\n<meta name=\"description\" content=\"We share our experience with upholding high standards for data governance in our companywide rollout of Microsoft 365 Copilot.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How we\u2019re tackling Microsoft 365 Copilot governance internally at Microsoft - Inside Track Blog\" \/>\n<meta property=\"og:description\" content=\"We share our experience with upholding high standards for data governance in our companywide rollout of Microsoft 365 Copilot.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\/\" \/>\n<meta property=\"og:site_name\" content=\"Inside Track Blog\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-07T16:05:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-07T16:11:46+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/10847-Hero_image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2300\" \/>\n\t<meta property=\"og:image:height\" content=\"1293\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Alex Fleck\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Alex Fleck\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"44 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\\\/\"},\"author\":{\"name\":\"Alex Fleck\",\"@id\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/#\\\/schema\\\/person\\\/b623d895338189d1c487d4a0b93d4764\"},\"headline\":\"How we\u2019re tackling Microsoft 365 Copilot governance internally at Microsoft\",\"datePublished\":\"2026-05-07T16:05:00+00:00\",\"dateModified\":\"2026-05-07T16:11:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\\\/\"},\"wordCount\":8361,\"image\":{\"@id\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2026\\\/04\\\/10847-Hero_image.jpg\",\"articleSection\":[\"Featured\",\"Readiness Guide\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\\\/\",\"url\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\\\/\",\"name\":\"How we\u2019re tackling Microsoft 365 Copilot governance internally at Microsoft - Inside Track Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2026\\\/04\\\/10847-Hero_image.jpg\",\"datePublished\":\"2026-05-07T16:05:00+00:00\",\"dateModified\":\"2026-05-07T16:11:46+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/#\\\/schema\\\/person\\\/b623d895338189d1c487d4a0b93d4764\"},\"description\":\"We share our experience with upholding high standards for data governance in our companywide rollout of Microsoft 365 Copilot.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\\\/#primaryimage\",\"url\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2026\\\/04\\\/10847-Hero_image.jpg\",\"contentUrl\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/uploads\\\/prod\\\/2026\\\/04\\\/10847-Hero_image.jpg\",\"width\":2300,\"height\":1293,\"caption\":\"This readiness guide walks you through how we\u2019re managing our Microsoft 365 Copilot governance internally here at Microsoft.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How we\u2019re tackling Microsoft 365 Copilot governance internally at Microsoft\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/\",\"name\":\"Inside Track Blog\",\"description\":\"How Microsoft does IT\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/#\\\/schema\\\/person\\\/b623d895338189d1c487d4a0b93d4764\",\"name\":\"Alex Fleck\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/340114d229a43eb2e869170b958db0ecd4394144a36e326e2b188d4937b1989d?s=96&d=mm&r=g4cfaccedbee32e457bda8cf3019f258b\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/340114d229a43eb2e869170b958db0ecd4394144a36e326e2b188d4937b1989d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/340114d229a43eb2e869170b958db0ecd4394144a36e326e2b188d4937b1989d?s=96&d=mm&r=g\",\"caption\":\"Alex Fleck\"},\"description\":\"I\u2019ve always had a passion for story, whether I find it in a novel, a medieval epic, a movie, or a game. Now, I\u2019m helping tell stories about the people and teams at Microsoft who build the technology that moves our world. When I\u2019m not reading, writing, translating, or gaming, you\u2019ll find me on a backcountry trek in Canada\u2019s woods and mountains.\",\"url\":\"https:\\\/\\\/cm-edgetun.pages.dev\\\/insidetrack\\\/blog\\\/author\\\/alexfleck\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How we\u2019re tackling Microsoft 365 Copilot governance internally at Microsoft - Inside Track Blog","description":"We share our experience with upholding high standards for data governance in our companywide rollout of Microsoft 365 Copilot.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\/","og_locale":"en_US","og_type":"article","og_title":"How we\u2019re tackling Microsoft 365 Copilot governance internally at Microsoft - Inside Track Blog","og_description":"We share our experience with upholding high standards for data governance in our companywide rollout of Microsoft 365 Copilot.","og_url":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\/","og_site_name":"Inside Track Blog","article_published_time":"2026-05-07T16:05:00+00:00","article_modified_time":"2026-05-07T16:11:46+00:00","og_image":[{"width":2300,"height":1293,"url":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/10847-Hero_image.jpg","type":"image\/jpeg"}],"author":"Alex Fleck","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Alex Fleck","Est. reading time":"44 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\/#article","isPartOf":{"@id":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\/"},"author":{"name":"Alex Fleck","@id":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/#\/schema\/person\/b623d895338189d1c487d4a0b93d4764"},"headline":"How we\u2019re tackling Microsoft 365 Copilot governance internally at Microsoft","datePublished":"2026-05-07T16:05:00+00:00","dateModified":"2026-05-07T16:11:46+00:00","mainEntityOfPage":{"@id":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\/"},"wordCount":8361,"image":{"@id":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\/#primaryimage"},"thumbnailUrl":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/10847-Hero_image.jpg","articleSection":["Featured","Readiness Guide"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\/","url":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\/","name":"How we\u2019re tackling Microsoft 365 Copilot governance internally at Microsoft - Inside Track Blog","isPartOf":{"@id":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\/#primaryimage"},"image":{"@id":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\/#primaryimage"},"thumbnailUrl":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/10847-Hero_image.jpg","datePublished":"2026-05-07T16:05:00+00:00","dateModified":"2026-05-07T16:11:46+00:00","author":{"@id":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/#\/schema\/person\/b623d895338189d1c487d4a0b93d4764"},"description":"We share our experience with upholding high standards for data governance in our companywide rollout of Microsoft 365 Copilot.","breadcrumb":{"@id":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\/#primaryimage","url":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/10847-Hero_image.jpg","contentUrl":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/10847-Hero_image.jpg","width":2300,"height":1293,"caption":"This readiness guide walks you through how we\u2019re managing our Microsoft 365 Copilot governance internally here at Microsoft."},{"@type":"BreadcrumbList","@id":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/how-were-tackling-microsoft-365-copilot-governance-internally-at-microsoft\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/"},{"@type":"ListItem","position":2,"name":"How we\u2019re tackling Microsoft 365 Copilot governance internally at Microsoft"}]},{"@type":"WebSite","@id":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/#website","url":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/","name":"Inside Track Blog","description":"How Microsoft does IT","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/#\/schema\/person\/b623d895338189d1c487d4a0b93d4764","name":"Alex Fleck","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/340114d229a43eb2e869170b958db0ecd4394144a36e326e2b188d4937b1989d?s=96&d=mm&r=g4cfaccedbee32e457bda8cf3019f258b","url":"https:\/\/secure.gravatar.com\/avatar\/340114d229a43eb2e869170b958db0ecd4394144a36e326e2b188d4937b1989d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/340114d229a43eb2e869170b958db0ecd4394144a36e326e2b188d4937b1989d?s=96&d=mm&r=g","caption":"Alex Fleck"},"description":"I\u2019ve always had a passion for story, whether I find it in a novel, a medieval epic, a movie, or a game. Now, I\u2019m helping tell stories about the people and teams at Microsoft who build the technology that moves our world. When I\u2019m not reading, writing, translating, or gaming, you\u2019ll find me on a backcountry trek in Canada\u2019s woods and mountains.","url":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/author\/alexfleck\/"}]}},"jetpack_featured_media_url":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/uploads\/prod\/2026\/04\/10847-Hero_image.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9hcZA-64M","_links":{"self":[{"href":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/23360","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/wp-json\/wp\/v2\/users\/115"}],"replies":[{"embeddable":true,"href":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/wp-json\/wp\/v2\/comments?post=23360"}],"version-history":[{"count":49,"href":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/23360\/revisions"}],"predecessor-version":[{"id":23549,"href":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/wp-json\/wp\/v2\/posts\/23360\/revisions\/23549"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/wp-json\/wp\/v2\/media\/23479"}],"wp:attachment":[{"href":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/wp-json\/wp\/v2\/media?parent=23360"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/wp-json\/wp\/v2\/categories?post=23360"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/wp-json\/wp\/v2\/tags?post=23360"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/cm-edgetun.pages.dev\/insidetrack\/blog\/wp-json\/wp\/v2\/coauthors?post=23360"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}