With the power of Microsoft 365 Copilot, organizations are unlocking new ways to increase productivity using AI. But with great power comes great responsibility—especially when it comes to data security.
So, how do you make sure Copilot doesn’t peek into your organization’s sensitive content?
The answer lies in Sensitivity Labels and Data Loss Prevention (DLP) policies—two powerful tools under the Microsoft Purview umbrella.
Let’s break down the steps for preventing Copilot from processing content in Microsoft 365.
Why Should You Keep Copilot Away from Sensitive Data?
Organizations often store sensitive content—customer data, financial documents, internal communications—across Microsoft 365. When AI-powered tools like Copilot start summarizing these files, there’s a risk of exposing information unintentionally.
What is the Microsoft 365 Copilot (Preview) Policy Location?
This is a new DLP location in preview that allows you to exclude content with specific sensitivity labels from being summarized by Microsoft 365 Copilot.
📌 Key Highlights:
- You can prevent specific labeled items (like Highly Confidential or Personal) from being used in Copilot-generated summaries.
- These items will still appear in citations, but Copilot won’t process their actual content in the summary response.
- The feature currently works for SharePoint and OneDrive content only.
If you’re ready to stop Copilot from summarizing sensitive content, follow these detailed steps—from creating a sensitivity label to applying a DLP policy using the new Microsoft 365 Copilot (preview) location.
Create a Sensitivity Label in Microsoft Purview
To create a sensitivity label in Microsoft Purview, follow the steps below:
- Go to Microsoft Purview compliance portal → Information Protection → Labels.
- Click Create a label and give name and description.
- In the Define the scope for this label page, check Files & other data assets ->Next.
- In the Choose protection settings for the types of items you selected page, select Control access -> Next.
- In the Access Control page, assign permissions to users/groups to use the content that has this labeled applied.
- Click Next.
- Configure other settings (if applicable) and publish the label.
Create a DLP Policy for Microsoft 365 Copilot
For creating a DLP policy that block content access, follow the steps below:
- Go to Microsoft Purview compliance portal → Data loss prevention → Policies.
- Click Create policy.
- Choose Custom policy template, then click Next.
- Configure the policy by giving name and description.
- Choose locations in the choose where to apply page.
- Select Microsoft 365 Copilot (preview).
- In the next page, create a rule setting condition as Content contains -> Add -> Sensitivity Labels.
- Choose Content contains
- Pick the label you created in the above step.
Set actions:
- Choose: Prevent Copilot from processing content. This ensures the content of the item won’t be used in the response summary
- As a final step, finish creating the policy.
Once this policy is in place:
Microsoft 365 Copilot will skip summarizing any labeled content in SharePoint or OneDrive
Users must still have permission to access the file
But Copilot won’t use that content in any generated response or summary
Final Thoughts
Microsoft 365 Copilot is a powerful productivity enhancer—but without the right guardrails, it can expose sensitive content. The Copilot policy location in Microsoft Purview DLP (preview) is a game-changing feature for data protection in the AI era.
As Microsoft continues to expand Copilot capabilities, expect tighter integration with DLP, sensitivity labels, and information governance tools. Until then, this feature gives forward-thinking organizations a strong head start.
