@SecurityWriter I posted the link to the real report. That’s as much real info as I have available. Read it. You’re not the first person to say that it might not be this as bad as it sounds. I don’t know, so that’s why I posted a link to the source.

I’d love to post a link to a clearer rebuttal. Like “sensible people would always set ABC, and if you set it that way, copilot will return XYZ in this situation instead of returning passwords.”

I don’t have the equipment or experience to reproduce it. But the pen test partners report seems to have all it takes to reproduce their results, doesn’t it?

@paco We tested it when the report first came out and haven’t been able to replicate on a properly configured tenant. That said not everyone reads the documentation and will no doubt run into these issues.

To be honest I’d rather they abandoned the accursed thing.

@paco I’ve raised concerns about what would happen if we let Copilot index first and restrict Access later (say for future sites), I really don’t know what would happen as it’s undocumented.

I might give it a whirl should I get time.

@SecurityWriter @paco main thing I noticed yesterday is that Restricted Search is disabled by default. Which makes me unhappy.

@v_perjorative @paco it’s rather silly. Should be opt-in. Not opt out.

@SecurityWriter @paco yup, but entirely at odds with the entire business model of AI