3.2.1. How Copilot Accesses Data via Microsoft Graph

💡 First Principle: Microsoft Graph is the single API gateway that Copilot uses to access all M365 data — emails, files, calendar events, Teams messages, SharePoint content. When Copilot answers a question, it queries Microsoft Graph using the signed-in user's identity and permissions. The response contains only data that user is already authorized to see.

Think of Microsoft Graph as the universal librarian for M365. Every request goes through the librarian, who checks your library card (your identity and permissions) before handing over any content. Copilot is a sophisticated patron making requests — but it uses your library card, not a master key.

The Microsoft 365 Semantic Index enhances this: it builds a semantic understanding of your M365 content (relationships between documents, concepts, people) to help Copilot find relevant content more effectively. The semantic index also respects permissions — it only indexes content the user can access.

Key implication for administrators: before deploying Copilot, audit and tighten permissions. Files shared with "Everyone" or "All Users" are reachable by Copilot for every user in the tenant. Reviewing oversharing isn't a post-Copilot task — it's a pre-Copilot prerequisite.

⚠️ Exam Trap: Copilot doesn't "bypass" sensitivity labels. If a file is encrypted by a sensitivity label and the user doesn't have decryption rights, Copilot can't read that file's content either. Labels are an effective control for limiting what Copilot can surface.

Reflection Question: A user asks Copilot to summarize all documents in the "Project X" SharePoint site. Copilot returns a summary that includes some documents the user's manager says they shouldn't have seen. What is the root cause, and which admin tool would you use first to investigate?