Mitigating Data Risks: Essential Information Protection Controls for Microsoft Copilot

Microsoft 365 Copilot, Copilot Chat, and associated agents can retrieve data stored in your Microsoft 365 tenant, including mailboxes in Exchange Online and documents on SharePoint or OneDrive.

In addition to accessing Microsoft 365 content, Copilot and its agents can also pull data from the file you're working on within an Office app session, no matter where that file is stored: on your local drive, on a network share, in cloud storage, or even on a USB stick. Content that is open in an app is referred to as data in use.

Before you roll out licenses for Copilot, ensure you're well-versed in the following key points to enhance your data protection measures:

  • Content with VIEW but not EXTRACT Rights:

i- When a user opens content that only grants VIEW rights within an app, Microsoft 365 Copilot will be disabled for that session.

ii- In this scenario, Copilot will not summarize the content; instead, it will provide a reference link for users to open and view the content outside Copilot.

iii- For files governed by a Microsoft Purview Data Loss Prevention (DLP) policy—even if encrypted—Copilot and its agents will similarly refrain from summarizing, offering only a reference link for external access.

  • Sensitivity Label Access and Limitations:

i- Copilot and its agents can access sensitivity labels applied within your organization, but they do not recognize labels from external organizations.

  • Handling of Unopened Documents:

i- Unopened documents in SharePoint and OneDrive that are labeled and encrypted with user-defined permissions remain inaccessible to Copilot and its agents.

ii- However, once these documents are open (i.e., in a data-in-use state), they become accessible.

iii- Similarly, unopened SharePoint documents configured with a default sensitivity label that extends permissions to downloaded items are not accessible.

  • Limitation of Container Label Inheritance:

i- Sensitivity labels applied at the group or site level (container labels) are not inherited by individual items within those containers.

ii- As a result, items—such as Teams channel chat messages summarized from a Confidential team or content from SharePoint site pages and lists—will not display the container’s sensitivity label in Copilot.

  • Considerations with SharePoint IRM:

i- SharePoint Information Rights Management (IRM) settings restrict copying text during file downloads rather than at creation or upload.

ii- To prevent Copilot from summarizing such files at rest, ensure that sensitivity labels are configured to apply encryption without granting EXTRACT rights.
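The following is an added PowerShell example, not code from the article or from Microsoft, showing both halves of this control: an audit of which existing encrypting labels grant EXTRACT (and so leave Copilot able to summarize the file), and the creation of a label whose encryption grants VIEW only. It assumes the ExchangeOnlineManagement module with a Purview admin role, that Get-Label exposes the EncryptionEnabled, EncryptionProtectionType and EncryptionRightsDefinitions properties, and an assumed reader group (confidential-readers@contoso.com) and label policy name ('Global').

```powershell
# Added example (not from the article): audit encrypting sensitivity labels for
# EXTRACT grants, then create a VIEW-only label that Copilot will not summarize.
# Assumes the ExchangeOnlineManagement module and a Purview admin role.

Connect-IPPSSession

# --- 1. Audit: which encrypting labels hand out EXTRACT? ---
# The rights string has the form "principal:RIGHT,RIGHT;principal:RIGHT".
# Property names are those shown by Get-Label and are assumed to be present.
$report = foreach ($label in Get-Label) {
    if (-not $label.EncryptionEnabled) { continue }

    $grantsExtract = $false
    foreach ($assignment in ($label.EncryptionRightsDefinitions -split ';')) {
        $parts = $assignment -split ':', 2
        if ($parts.Count -lt 2) { continue }
        $rights = $parts[1] -split ',' | ForEach-Object { $_.Trim().ToUpperInvariant() }
        # OWNER (full control) carries every usage right, EXTRACT included.
        if ($rights -contains 'EXTRACT' -or $rights -contains 'OWNER') { $grantsExtract = $true }
    }

    [pscustomobject]@{
        Label          = $label.DisplayName
        ProtectionType = $label.EncryptionProtectionType   # Template / UserDefined / RemoveProtection
        CopilotCanRead = $grantsExtract                      # $true = Copilot may summarize this content
        Rights         = $label.EncryptionRightsDefinitions
    }
}
$report | Sort-Object CopilotCanRead -Descending | Format-Table -AutoSize

# --- 2. Remediate: a template label whose encryption grants VIEW only ---
# Members of the (assumed) reader group can open the file, but because EXTRACT is
# absent Copilot is disabled for that session and returns only a reference link.
# A Template label is used deliberately: user-defined permissions keep the file
# from being read at rest but give no control over rights once it is open.
New-Label -Name 'Confidential-NoCopilot' `
          -DisplayName 'Confidential - View only' `
          -Tooltip 'Encrypted; readers can view but not copy, and Copilot cannot summarize.' `
          -EncryptionEnabled $true `
          -EncryptionProtectionType Template `
          -EncryptionRightsDefinitions 'confidential-readers@contoso.com:VIEW,VIEWRIGHTSDATA' `
          -EncryptionOfflineAccessDays 7 `
          -EncryptionContentExpiredOnDateInDaysOrNever Never

# Publish the label so users and auto-labeling can apply it ('Global' policy name assumed).
Set-LabelPolicy -Identity 'Global' -AddLabels 'Confidential-NoCopilot'
```

Run the audit section first and review any label reported with CopilotCanRead = True: those are the labels whose encryption does not block summarization, regardless of what SharePoint IRM does at download time.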

  • Inherited Sensitivity Labels in Content Creation:

i- When new content is automatically assigned an inherited sensitivity label, it will override any previously manually applied lower-priority label.

ii- If the inherited label cannot be applied—due to the destination item being read-only, already encrypted (and the user lacking EXPORT or FULL CONTROL rights), or the label not being published—the label will not be added.

iii- Moreover, label inheritance isn’t supported for new content creation from labeled and encrypted items when encryption uses user-defined permissions or is applied independently.

  • Double Key Encryption (DKE) Restrictions:

i- Copilot and its agents are unable to access data protected by Double Key Encryption (DKE), which is designed for the most sensitive content.

ii- As a result, DKE-protected items will not be returned by Copilot, and if such an item is open (data in use), Copilot functionality will be limited.

  • Teams Meetings and Chat Sensitivity Considerations:

i- Sensitivity labels that protect Teams meetings and chat are not currently recognized by Copilot or its agents.

ii- Data returned from a meeting chat or channel chat will not show an associated sensitivity label.

iii- Copying chat data to a destination item cannot be restricted, and the sensitivity label is not inherited.

iv- This limitation does not affect meeting invites, responses, or calendar events that are protected by sensitivity labels.

  • Microsoft 365 Copilot Chat Specifics:

Meeting Invites:

i- A sensitivity label applied to a meeting invite appears in the message body but not in the metadata (e.g., date, time, recipients).

ii- Consequently, queries based solely on metadata (e.g., "What meetings do I have on Monday?") return unlabeled data, while those including the meeting content (e.g., agenda details) return labeled data.

Handling Encrypted Content:

i- If content is encrypted independently of its sensitivity label—where encryption grants VIEW but not EXTRACT rights—Copilot can return that content to a source item.

ii- This scenario can occur if a document labeled as "General" has Office restrictions applied without corresponding encryption.

Editing in Outlook:

i- When returned content carries a sensitivity label, the "Edit in Outlook" option is disabled, as this feature is not supported for labeled data.

External Data Sources with Extension Capabilities:

i- Sensitivity labels and encryption on data from external sources (via plugins or the Microsoft Graph Connector) are not recognized by Microsoft 365 Copilot Chat.

ii- External sources can be disconnected using the Microsoft 365 admin center by disabling plugins and disconnecting Graph API connector connections.

  • App-Specific Exceptions:

Microsoft 365 Copilot in Outlook: To use Microsoft 365 Copilot with encrypted items in Outlook, you must be on at least the following Outlook versions:

i- Outlook (Classic) for Windows: Minimum version 2408 in the Current Channel or Monthly Enterprise Channel.

ii- Outlook for Mac: Version 16.86.609 or newer.

iii- Outlook for iOS: Version 4.2420.0 or newer.

iv- Outlook for Android: Version 4.2420.0 or newer.

v- Outlook on the Web & New Outlook for Windows: Both are supported.

Microsoft 365 Copilot in Edge/Windows:

i- Unless Data Loss Prevention (DLP) is enabled in Edge, Copilot can reference encrypted content from the active browser tab (e.g., Office for the web or Outlook on the web) provided the content lacks EXTRACT rights.

Kaushal Sutaria

Entrepreneur, Founder & C.E.O. | Quality, Infosec, GRC, ISO Enthusiast

3mo

Excellent insights, Khurram! Ensuring robust data protection measures while leveraging Microsoft 365 Copilot's advanced capabilities is crucial. It's impressive how you highlight the importance of strategic rights management and policies like Double Key Encryption. This approach can truly make a difference in secure AI adoption. 🛡 Your expertise in this area is invaluable for organizations navigating the complexities of information protection in a rapidly evolving digital landscape.
