Image representing the act of replacing a file label generated through Microsoft Designer - © Robbert Berghuis

The whole can be greater than the sum of its parts. It's a well-known phrase, and it really fits the narrative of this post. In this post, we'll explore the label inheritance built into Copilot for Microsoft 365 and the power of Microsoft Purview auto-labeling to solve issues with that inheritance.

Label inheritance through Copilot for Microsoft 365

Let's start with the absolute basics. When you reference a file within Copilot for Microsoft 365, the Sensitivity Label of that file is automatically inherited, along with the protective measures of the inherited label. Alright, but what does that mean? Let's assume you have 4 Sensitivity Labels ranging from C1 to C4. When you "draft with Copilot" in Word and reference a file classified as C2, the C2 label is automatically applied to the Word document. See: Microsoft Purview data security and compliance protections for Microsoft Copilot | Microsoft Learn

Microsoft positions this as ‘Microsoft Purview strengthens information protection for Copilot’, but in my opinion doesn’t highlight an amazingly important part in the documentation. I believe that the result derived from combining multiple files doesn’t always mean that the highest classification of the source used still applies. Wait, what?!

Can the whole be greater than the sum of its parts?

I've found that examples always resonate more than just words, so let's work from an example. Imagine you have a list of Patient IDs, their Full Names and the room they currently stay in. As this holds Personally Identifiable Information (PII) but not the reason for their stay, this is classified as C3.

Next up, you have a different file that lists the Medical Condition of these patients, which is the reason why they're hospitalized. This file contains a reference to the Patient ID, which implies this list by itself cannot be traced back to individuals and can be classified as C2.

All data is generated by Copilot for Microsoft 365, obviously.

Image showing the source files with different classification levels - © Robbert Berghuis

When we use Copilot for Microsoft 365 to create a new document that combines data from the two files, the resulting file will by default inherit the highest classification: C3. Whilst this works from a technical perspective, it might not fit the data classification standard. For argument's sake, let's state that the combination of PII and Medical Terms & Conditions should be classified as C4. As the file is already labeled, there's no pop-up prompting end-users to classify the data correctly. So how would we solve this?

In comes (client-side) auto-labeling, which allows us to define the conditions that lead to a higher classification. In this case, you can create an auto-label policy that applies the C4 label whenever both PII and Medical Terms are detected in the same file. C4-classified data could also automatically apply content restrictions (rights management) and serve as a condition for DLP policies, etc.

Image showing the result of auto-label policy overriding the inherited label - © Robbert Berghuis

The whole can be greater than the sum of its parts, and with auto-labeling we can help end-users correctly label the documents they co-create using the power of Copilot for Microsoft 365. With all the tools in the toolkit that comprise Microsoft 365 Purview, it truly strengthens information protection in Copilot for Microsoft 365.

But why does this work - isn’t label inheritance a form of manual labeling?

Microsoft has great content describing when a label is inherited, separated by scenarios; see: Considerations for deploying Microsoft Purview data security and compliance protections for Microsoft Copilot | Microsoft Learn. However, we also know that auto-label policies will not override an existing label that has been applied manually; see: Automatically apply a sensitivity label in Microsoft 365 | Microsoft Learn. This means that the way Copilot for Microsoft 365 applies the inherited label onto the file is seen as an automatically applied label, not a manual user action. That is interesting when considering that it's an application integration (Copilot for Microsoft 365) that acts on behalf of the end-user. I was a bit afraid at first that this would be seen as a user manually labeling the file, but that's not the case! Auto-labeling works on top of label inheritance actions taken by Copilot for Microsoft 365. Microsoft holds true to its statement:

Microsoft Purview strengthens information protection for Copilot
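
The label precedence described in this post, as an added Python model (not code from the post and not a Purview API): inheritance takes the highest source label, the auto-label rule raises it to C4 when PII and medical terms appear in the same file, and a manually applied label is left alone. The regex detectors, the patient ID format and the sample rows are constructed stand-ins for Purview sensitive information types, and the check that a rule only ever raises a label is an assumption of this model.

```python
import re
from dataclasses import dataclass

LEVELS = ["C1", "C2", "C3", "C4"]  # the post's four labels, lowest to highest

# Constructed stand-ins for Purview sensitive information types (assumption).
PII = re.compile(r"\bP-\d{4}\b.*\b[A-Z][a-z]+ [A-Z][a-z]+\b")  # patient ID + full name
MEDICAL = re.compile(r"\b(diabetes|fracture|pneumonia)\b", re.I)

@dataclass
class Label:
    level: str
    method: str  # "inherited", "auto" or "manual"

def rank(level):
    return LEVELS.index(level)

def inherit(source_levels):
    """Copilot inheritance as the post describes it: highest source label wins."""
    return Label(max(source_levels, key=rank), "inherited")

def auto_label(text, current):
    """Rule from the post: PII and medical terms in the same file -> C4."""
    if current.method == "manual":
        return current  # auto-labeling does not override a manually applied label
    has_pii = any(PII.search(line) for line in text.splitlines())
    has_medical = MEDICAL.search(text) is not None
    # Model assumption: the rule only ever raises the label, never lowers it.
    if has_pii and has_medical and rank("C4") > rank(current.level):
        return Label("C4", "auto")
    return current

# Constructed sample content, not real data.
PATIENTS = "P-1001 Anna Jansen room 12\nP-1002 Tom Bakker room 14"
CONDITIONS = "P-1001 pneumonia\nP-1002 fracture"
COMBINED = "P-1001 Anna Jansen room 12 pneumonia\nP-1002 Tom Bakker room 14 fracture"

def demo():
    inherited = inherit(["C3", "C2"])  # the two source files from the example
    return {
        "inherited": inherited.level,
        "after_auto": auto_label(COMBINED, inherited).level,
        "patients_only": auto_label(PATIENTS, Label("C3", "inherited")).level,
        "conditions_only": auto_label(CONDITIONS, Label("C2", "inherited")).level,
        "manual_kept": auto_label(COMBINED, Label("C3", "manual")).level,
    }

if __name__ == "__main__":
    print(demo())
```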