With the arrival of Microsoft Copilot in corporate environments, the Telefónica Group identified the need to secure shared information so that the tool could be adopted responsibly and securely. Deploying this Generative AI-based tool required prior assurance of compliance with data governance standards, especially considering the global scale of the organization and the nature of the information handled.

The legacy file-sharing architecture in Microsoft 365, based on total delegation to users (the “content owner” model), posed a high risk in terms of oversharing and exposure of critical information.

The initiative combined auditing, remediation, and deployment of technical controls, requiring strong collaboration between Global Security, Corporate IT, Microsoft, and the business units (OBs).

Highlights of the success story

Diagnosis and remediation of data oversharing in Microsoft 365

Massive exposure risks were identified in SharePoint and OneDrive using advanced tools like SAM and custom scripts. Critical cases were prioritized, especially shares outside current policies and data in senior management accounts and sensitive areas. Remediation combined manual and automatic actions, correcting permissions that exposed information (e.g., “Everyone” and “Anyone”) and mitigating uncontrolled access to corporate data.

The result was a secure and governed environment for the activation of Microsoft 365 Copilot

More than one million items were analyzed, eliminating thousands of insecure permissions. Cases of oversharing in key accounts and sensitive areas were corrected. The resulting environment is prepared for Copilot, with security controls, labeling, and data visibility in place. The Telefónica Group now has a scalable governance model applicable to future AI initiatives.

Evolution towards dynamic data governance

Once Copilot is integrated, the Telefónica Group will continue to advance the maturity of its data governance model. The global deployment of automatic tagging and DLP policy capabilities for Endpoint is planned, as well as the continuous review of the classification model. The ecosystem will be kept under control through recurring audits and technical and organizational monitoring mechanisms.

Activation of protection controls and preparation of the environment for Copilot

With the risks mitigated, training and licensing were provided to implement information protection solutions included in Microsoft 365 E5 such as DLP and Purview. Common, automatic tagging adapted to Copilot's operation ensures that it only accesses properly protected information, under criteria of traceability and minimal exposure.

Coordination, automation, and focus on data

The success of the project is based on a structured approach with use cases defined and prioritized by level of criticality. Automation played a key role in the massive remediation of risks, allowing for agile and controlled action on large volumes of data. Likewise, the adoption of solutions such as Purview, together with a clear training and awareness strategy, consolidated a data governance model prepared to support the demands of corporate use of Generative Artificial Intelligence.