Copilot for Microsoft 365 in the Real World: Prompt Patterns that Respect Purview

by G.R Badhon

Audience: IT admins, security leads, and team champions rolling out Copilot for Microsoft 365 in production.

Why prompt patterns matter

Good prompts narrow Copilot’s operating space to “approved content in approved places.” In practice, a good prompt should:

  • Scope by exact SharePoint site/library or OneDrive path rather than “everything I can see.”
  • Ask for file names and links in a Sources section.
  • Set label allow/deny rules inside the prompt (for example, allow General/Internal, skip Confidential and above).
  • Instruct Copilot to stop and ask if it encounters anything outside the rules.

Keep lists to a minimum in user training, but make these ideas muscle memory through repetition in your templates.

Reusable prompt templates grounded on SharePoint and OneDrive

Use these as copy‑paste starters. Adjust site URLs, library names, and label terms to match your tenant.

Summarise

Project digest, last 30 days, Internal only

Summarise changes and key decisions from files in SharePoint site: https://contoso.sharepoint.com/sites/ProjectX, library: Documents, updated in the last 30 days. Only use items with sensitivity label = Internal. Return a dated narrative with file names and full SharePoint paths under Sources. If any candidate is labeled Confidential or higher, list it under Held back by label and do not include its content.

OneDrive working set with citations

Summarise the attached working files from my OneDrive folder OneDrive\QuarterlyReview. Produce a one‑page narrative. Add Sources with the exact file path for each fact or number. If a file is encrypted and I do not have rights, skip it and note Access denied.

Transform

Internal draft to external version with automatic redaction

Rewrite the current document for an external audience. Remove or replace all passages that come from files labeled Confidential or Highly Confidential. Where removal is needed, insert [REDACTED – sourced from Confidential content]. Keep a change log at the end mapping original paragraph → action taken → source file path.

Structured extract with label awareness

From https://contoso.sharepoint.com/sites/HR/Policies, extract all policy effective dates, owners, and review cadences into a 3‑column table. Use items labeled Internal or General only. Do not quote content from Confidential files; instead list their titles under Requires permission review.

Generate

Weekly status from constrained sources

Create a weekly status update for Project X using files from \sites\ProjectX\Status and my OneDrive folder OneDrive\ProjectX\Notes, updated this week and labeled Internal or General. Output: accomplishments, risks, next steps, open decisions. End with Sources listing file names and links. If a candidate is Confidential, flag it under Do not include.

Meeting agenda that never leaks

Draft a 45‑minute agenda for a risk review. Use only items labeled Internal from \sites\RiskRegister. Include three questions that prompt attendees to check labels before sharing. Add a final reminder: “Do not forward without label review.”

Purview sensitivity labels and DLP: what they mean for Copilot

Copilot relies on the same Microsoft 365 permissions and compliance controls that govern files and messages:

  • Sensitivity labels decide who can open and use a file. If the label applies encryption and the current user has no rights, Copilot cannot open the file to ground its response. If the user does have rights, Copilot may use the content, but the output does not change the source label. Train users to verify the label on the resulting document or message before sharing.
  • Label inheritance in SharePoint can apply a default label at the library or folder level. Use this to keep project libraries consistently classified so prompts like “Internal only” behave as expected.
  • Auto‑labeling helps catch unlabeled content that matches sensitive info types. The goal is to shrink the pool of unlabeled documents that prompts might touch.
  • DLP policies act at egress points. If a prompt or response would move sensitive data into a channel where the rule applies, the app can block or warn. Test common flows in Word, Outlook, Teams chat, and SharePoint to confirm your policy tips and blocks behave correctly.
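The four points above describe what a label-constrained prompt should produce: content the user can open and whose label is on the allow-list gets used, Confidential-or-higher items are held back, encrypted items without rights are reported as Access denied, and the output label must still be checked by hand. The following script is an added example (not Microsoft's code and not part of the original article) that turns those rules into an expected-outcome fixture a Wave 0 pilot can compare against Copilot's actual answer. The label names, their ranking and the candidate file set are constructed assumptions about a tenant.

```python
"""Expected-outcome fixture for a label-constrained Copilot prompt.

Added example, not Microsoft's code. It models the behaviour the article
describes: a label allow-list in the prompt, encrypted files the current user
cannot open, and a Sources section that cites full file paths. The label
names and their ranking are an assumed tenant label set.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed tenant label order; "Confidential or higher" means rank >= 2.
LABEL_RANK = {"General": 0, "Internal": 1, "Confidential": 2, "Highly Confidential": 3}


@dataclass
class Candidate:
    path: str                      # full SharePoint or OneDrive path
    label: Optional[str]           # None means the item is unlabeled
    encrypted: bool = False        # the label applies encryption
    user_has_rights: bool = True   # current user holds usage rights


def partition(candidates: List[Candidate], allowed: Set[str],
              hold_back_at: str = "Confidential") -> Dict[str, List[str]]:
    """Sort candidates into the buckets the template prompts ask for.

    Order matters: an encrypted file the user cannot open is reported as
    Access denied before its label is considered, because Copilot never
    gets to read it. Anything at or above hold_back_at is held back even
    if someone put that label on the allow-list by mistake.
    """
    out = {"use": [], "held_back_by_label": [], "access_denied": [], "unlabeled": []}
    threshold = LABEL_RANK[hold_back_at]
    for c in candidates:
        if c.encrypted and not c.user_has_rights:
            out["access_denied"].append(c.path)
        elif c.label is None:
            out["unlabeled"].append(c.path)
        elif LABEL_RANK.get(c.label, threshold) >= threshold or c.label not in allowed:
            out["held_back_by_label"].append(c.path)
        else:
            out["use"].append(c.path)
    return out


def suggested_output_label(candidates: List[Candidate], used_paths: List[str]) -> Optional[str]:
    """Highest label among the sources actually used. The output inherits no
    label automatically, so this is what the user should verify before sharing."""
    labels = [c.label for c in candidates if c.path in used_paths and c.label]
    return max(labels, key=lambda l: LABEL_RANK.get(l, 0)) if labels else None


def render_sources(buckets: Dict[str, List[str]]) -> str:
    """Plain-text Sources block in the shape the templates request."""
    lines = ["Sources"] + [f"  - {p}" for p in buckets["use"]]
    if buckets["held_back_by_label"]:
        lines += ["Held back by label"] + [f"  - {p}" for p in buckets["held_back_by_label"]]
    if buckets["access_denied"]:
        lines += ["Access denied"] + [f"  - {p}" for p in buckets["access_denied"]]
    return "\n".join(lines)


# Constructed candidate set for a Project X digest (paths and labels are made up).
SITE = "https://contoso.sharepoint.com/sites/ProjectX/Documents"
CANDIDATES = [
    Candidate(f"{SITE}/plan.docx", "Internal"),
    Candidate(f"{SITE}/budget.xlsx", "Confidential"),
    Candidate(f"{SITE}/notes.docx", None),
    Candidate(f"{SITE}/vendor.pdf", "Internal", encrypted=True, user_has_rights=False),
    Candidate(f"{SITE}/brief.docx", "General"),
]

if __name__ == "__main__":
    buckets = partition(CANDIDATES, allowed={"Internal"})
    print(render_sources(buckets))
    print("verify output label:", suggested_output_label(CANDIDATES, buckets["use"]))
```

Run it once per template with the candidate set you seeded into the pilot site, and keep the printed buckets with the Wave 0 evidence; a mismatch between this expectation and what Copilot actually cited is the kind of finding the pilot exists to surface.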

Admin guardrails and monitoring

Early success comes from limiting where Copilot looks, then expanding with confidence.

Guardrails to set before pilot:

  • Turn on a restricted SharePoint search scope for the pilot group so Copilot looks only at a defined set of project sites. Keep the safe list tight for Wave 0.
  • Set default sensitivity labels on the SharePoint libraries you include in scope, with label inheritance enabled.
  • Enable auto‑labeling for well‑known sensitive info types relevant to your business. Start in simulation, then enforce.
  • Confirm DLP policies cover your highest‑risk channels. Include policy tips that explain what to do when content is blocked.
  • Review guest access and anonymous links on the in‑scope sites. Reduce oversharing before you add Copilot to the mix.

What to watch:

  • Unified Audit Log entries for Copilot usage and file access, plus standard SharePoint file operations. Look for access denied events or unusual spikes on sensitive libraries.
  • Usage and adoption reports for Copilot to see which teams create value. Pair this with helpdesk tickets and policy hit rates to find friction.
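As an added example (not Microsoft's tooling and not from the original article), the script below triages audit records for exactly the two signals listed above: Copilot interactions per user for the adoption view, and one user's file operations on a sensitive site exceeding a threshold. It reads AuditData JSON objects one per line, as you would have after extracting that column from an audit export or from Search-UnifiedAuditLog results. The property names used (Operation, UserId, Workload, SiteUrl, ObjectId, CreationTime) are standard audit record fields and CopilotInteraction is the Copilot audit operation; every value in the sample is constructed, and the threshold of 10 is an assumed pilot baseline.

```python
"""Triage of Unified Audit Log records for a Copilot pilot.

Added example, not Microsoft's tooling. Input is AuditData JSON, one object
per line. Field names are standard audit record properties; the sample
records and the spike threshold are constructed assumptions.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

FILE_OPS = {"FileAccessed", "FileDownloaded", "FileModified"}


def _rec(op: str, user: str, workload: str, site: str = "", obj: str = "",
         ts: str = "2024-05-06T09:00:00") -> str:
    """Build one constructed AuditData object as a JSON line."""
    return json.dumps({"CreationTime": ts, "Operation": op, "UserId": user,
                       "Workload": workload, "SiteUrl": site, "ObjectId": obj})


HR = "https://contoso.sharepoint.com/sites/HR/"
PX = "https://contoso.sharepoint.com/sites/ProjectX/"

# Constructed sample: alice works normally in ProjectX, bob bulk-downloads from HR.
SAMPLE_NDJSON = "\n".join(
    [_rec("CopilotInteraction", "alice@contoso.com", "Copilot")] * 2
    + [_rec("CopilotInteraction", "bob@contoso.com", "Copilot")]
    + [_rec("FileAccessed", "alice@contoso.com", "SharePoint", PX, f"{PX}Documents/plan{i}.docx")
       for i in range(2)]
    + [_rec("FileDownloaded", "bob@contoso.com", "SharePoint", HR, f"{HR}Policies/file{i}.docx")
       for i in range(12)]
)


def parse_records(ndjson: str) -> List[dict]:
    """Parse one AuditData JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def copilot_usage(records: Iterable[dict]) -> Dict[str, int]:
    """Copilot interactions per user, for the adoption view."""
    return dict(Counter(r["UserId"] for r in records
                        if r.get("Operation") == "CopilotInteraction"))


def sensitive_site_spikes(records: Iterable[dict], sensitive_sites: Set[str],
                          threshold: int = 10) -> List[Tuple[str, str, int]]:
    """(user, site, count) where one user's file operations on a sensitive
    site exceed threshold within the window covered by the export."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for r in records:
        if r.get("Workload") == "SharePoint" and r.get("Operation") in FILE_OPS:
            site = r.get("SiteUrl", "").rstrip("/")   # normalise trailing slash
            if site in sensitive_sites:
                counts[(r["UserId"], site)] += 1
    return sorted((u, s, n) for (u, s), n in counts.items() if n > threshold)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_NDJSON)
    print("Copilot interactions:", copilot_usage(recs))
    print("Spikes:", sensitive_site_spikes(recs, {"https://contoso.sharepoint.com/sites/HR"}))
```

Feed it a week of records for the pilot group and compare the spike list against helpdesk tickets and DLP policy hits; a spike with no ticket and no policy hit is the one worth a closer look.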

Adoption waves and training plan

A lightweight plan makes the difference between “neat demo” and durable value.

Wave 0: Foundations

Security, compliance, and IT run a two‑week technical pilot on a handful of non‑critical sites. Capture evidence: prompts used, outputs, policy hits, and any access denied cases.

Wave 1: Champions

Nominate 20–50 trusted users across two or three business units. Provide them a curated set of prompts and a simple “how Copilot sees your data” briefing. Keep the restricted search scope. Office hours twice a week.

Wave 2: Team rollout

Open to full teams that share those sites. Expand the safe list of sites and start auto‑label enforcement. Add scenario training by role: project managers, analysts, HR, sales.

Training essentials

Keep it practical: where Copilot looks, how to constrain by site and label, how to add a Sources section, what to do when policy tips appear, and how to check a document’s label before sending it outside.

Do and don’t

Do:

  • Point Copilot to exact SharePoint sites or OneDrive folders.
  • Allow only specific labels in the prompt and say what to do with others.
  • Require a Sources section with file names and paths.
  • Insert clear redaction markers when transforming for external use.
  • Pilot with restricted search, then expand.

Don’t:

  • Ask Copilot to search “everything I can access.”
  • Mix Internal and Confidential sources without guidance.
  • Accept outputs without any trace back to files.
  • Paste sensitive paragraphs into external chats or emails.
  • Roll out tenant‑wide on day one.
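The Do and Don’t rules above are the same rules the reusable templates earlier on the page follow, so they can be checked mechanically before a template goes into the champion pack. The linter below is an added example (not the article's or Microsoft's code) that flags a prompt with no explicit site or folder scope, an open-ended scope phrase, no label allow rule, no Sources section, or no instruction for out-of-rule content. The regular expressions encode assumptions about how templates are worded and should be tuned to your own pack; the passing prompt is the page's Project digest template and the failing one is a constructed example of the first Don’t.

```python
"""Linter for a Copilot prompt template pack.

Added example, not the article's or Microsoft's code. It checks the rules
from the template and Do/Don't sections: explicit scope, a label allow rule,
a Sources section, and an instruction for out-of-rule content. The patterns
are assumptions about template wording; adjust them to your own pack.
"""
import re
from typing import Dict, List

SHAREPOINT_URL = re.compile(r"https://[\w.-]+\.sharepoint\.com/sites/[\w-]+", re.I)
ONEDRIVE_PATH = re.compile(r"OneDrive\\[\w\\-]+")          # OneDrive\Folder\Sub
SITE_SHORTHAND = re.compile(r"\\sites\\[\w\\-]+")          # \sites\ProjectX style
OPEN_ENDED = ("everything i can access", "everything i can see",
              "all my files", "anything you can find")
LABEL_RULE = re.compile(r"\b(only use|use only|labell?ed|label ?=)")
SOURCES = re.compile(r"\bsources\b")
FALLBACK = re.compile(r"\b(held back|do not include|requires permission review|"
                      r"access denied|skip it|stop and ask)\b")


def lint_prompt(prompt: str) -> List[str]:
    """Return findings for one prompt; an empty list means it passes."""
    text = prompt.lower()
    findings: List[str] = []
    if not (SHAREPOINT_URL.search(prompt) or ONEDRIVE_PATH.search(prompt)
            or SITE_SHORTHAND.search(prompt)):
        findings.append("no explicit SharePoint site or OneDrive folder scope")
    for phrase in OPEN_ENDED:
        if phrase in text:
            findings.append(f"open-ended scope phrase: '{phrase}'")
    if not LABEL_RULE.search(text):
        findings.append("no sensitivity-label allow rule")
    if not SOURCES.search(text):
        findings.append("no Sources section requested")
    if not FALLBACK.search(text):
        findings.append("no instruction for Confidential, encrypted or unlabeled items")
    return findings


def lint_pack(pack: Dict[str, str]) -> Dict[str, List[str]]:
    """Lint every template in a named pack; only failing templates are returned."""
    return {name: f for name, p in pack.items() if (f := lint_prompt(p))}


# The page's Project digest template, which should pass as written.
GOOD = ("Summarise changes and key decisions from files in SharePoint site: "
        "https://contoso.sharepoint.com/sites/ProjectX, library: Documents, updated in "
        "the last 30 days. Only use items with sensitivity label = Internal. Return a "
        "dated narrative with file names and full SharePoint paths under Sources. If any "
        "candidate is labeled Confidential or higher, list it under Held back by label "
        "and do not include its content.")

# Constructed example of the first Don't: open-ended scope, no labels, no Sources.
BAD = "Summarise everything I can access about Project X and give me the highlights."

if __name__ == "__main__":
    for name, findings in lint_pack({"project-digest": GOOD, "open-ended": BAD}).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run lint_pack over the template pack as part of the champion onboarding material; a template that fails is usually missing the fallback instruction, which is the rule users forget first when they adapt a template by hand.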

Governance settings to standardise

Aim for a simple baseline that teams can understand.

  • Restricted search scope for Copilot pilots: include only approved sites. Widen as adoption grows.
  • Default sensitivity labels on key libraries, with label inheritance turned on. Teach owners to request changes through IT.
  • Auto‑labeling for the top sensitive info types you care about. Keep the policy list short and well named.
  • DLP policies for the routes people actually use: SharePoint downloads, Teams chat, email, and device controls for unmanaged endpoints.
  • Periodic access reviews for project sites to remove stale permissions and guests.

What success looks like

People ask Copilot focused questions, outputs cite files, and anything beyond the line gets flagged or blocked. Audit shows normal file access patterns, DLP catches the real mistakes, and champions bring back new patterns you can add to the template pack.
