Securing Copilot in Office 365: Data Loss Prevention and Sensitivity Labels

Microsoft 365 Copilot inherits the permissions of the user who invokes it. That single fact drives every security decision you make. If a user can open a SharePoint file in a browser, Copilot can read it, summarize it, and quote it into a Word doc, a Teams chat, or an Outlook draft. The blast radius of any oversharing problem you already have just got dramatically larger.

This playbook walks through the controls that actually matter: sensitivity labels, DLP for Copilot, conditional access, oversharing detection in Defender for Cloud Apps, SharePoint Premium governance, and the Purview audit trail. None of this is theoretical. The default tenant configuration is unsafe for Copilot, and you should assume that anything labeled Internal is one prompt away from leaking into a customer-facing summary.

Why default Copilot tenants leak

Three failure modes account for the majority of Copilot data incidents you will see in 2026:

Oversharing in SharePoint: years of "share with anyone in the company" links, broken inheritance, and orphaned permissions mean Copilot can index documents that the original author never intended for general consumption.
No sensitivity labels on legacy content: without labels, Copilot has no signal to suppress confidential files from its grounding queries.
No DLP policies targeted at Copilot responses: even when input data is sensitive, the generated Copilot response is a new artifact that can bypass legacy DLP rules built around email and endpoint.

The fix is layered. Labels classify, DLP enforces, conditional access gates, and Defender for Cloud Apps + Purview audit observe.

A workable sensitivity label taxonomy

Start with four labels. Anything more granular fails adoption, and anything less granular collapses into Internal-for-everything. Apply via Microsoft Purview Information Protection (the unified labeling client is deprecated in M365 Apps for Enterprise as of late 2025 — labels are now native in Word, Excel, PowerPoint, and Outlook).

| Label | Encryption | Watermark | Copilot processing | Downstream controls | |-------|------------|-----------|--------------------|---------------------| | Public | None | None | Full read + generate | None | | Internal | None | "Internal Use" footer | Full read + generate, but responses inherit label | Block external share, restrict to managed devices | | Confidential | AES-256 via Azure RIM | "Confidential" diagonal watermark | Read allowed, generation suppresses content unless user is in the label's authorized scope | Block copy, block print, block external recipients | | Restricted | AES-256 with do-not-forward | "Restricted - Do Not Distribute" | Copilot excluded entirely via DLP rule | View-only, time-bound access, audit every touch |

The Copilot-excluded behavior on Restricted is the key. As of the November 2025 Purview update, DLP policies support a "Microsoft 365 Copilot" location with conditions on sensitivity label that suppress the labeled item from grounding entirely. The user sees a "Some content was excluded because of organizational policy" notice rather than a hallucinated summary of a Restricted document.

Auto-labeling that doesn't drown users

Manual labeling adoption tops out around 40 percent. The rest needs auto-labeling. Build these auto-label rules in Purview:

Trainable classifiers: enable the built-in classifiers for Source Code, Financial Documents, Healthcare, and Legal Affairs. They run on SharePoint, OneDrive, and Exchange. Match confidence threshold of 75 percent applies a recommendation; 85 percent applies the label.
Sensitive info types (SITs): for regulated data, use exact data match (EDM) against an uploaded customer or employee table. EDM beats regex by 10x on false positives.
Keyword + location: simple rules like "any file in /Sites/Legal/Contracts containing the string Master Services Agreement gets Confidential."

Roll out in audit mode for 30 days before enforcement. Read the activity explorer daily for the first week to catch overzealous rules.

DLP policies tuned for Copilot

Purview DLP now has a first-class "Microsoft 365 Copilot" location alongside Exchange, SharePoint, OneDrive, Teams, and Endpoint. Create three baseline policies:

```yaml policy: Block-Restricted-From-Copilot location: Microsoft 365 Copilot condition: sensitivity_label: Restricted action:

exclude_from_grounding: true
notify_user: "This content is Restricted and cannot be used by Copilot."
generate_incident: true ```

```yaml policy: Warn-On-Confidential-In-Copilot-Output location: Microsoft 365 Copilot condition: output_contains: sensitivity_label: Confidential OR sensitive_info_type: [SSN, CreditCard, BankAccount] action:

show_policy_tip: "Your response includes Confidential content. Verify recipients before sharing."
allow_with_override: true
log_to_audit: true ```

```yaml policy: Block-External-Recipients-In-Outlook-Copilot location: Exchange Online + Microsoft 365 Copilot condition: recipient_domain: not in [allowed_partners] AND copilot_generated: true AND output_contains_sit: [SSN, CreditCard, ProjectCodename] action:

block_delivery
notify_admin ```

Conditional access for Copilot

Copilot is governed by the Microsoft Graph endpoints it calls. Build a Conditional Access policy in Entra ID with:

Cloud app: Microsoft 365 Copilot (now a first-class enterprise application)
Conditions: device compliance = compliant, sign-in risk = low or medium
Grant: require MFA, require Intune-managed device, block unmanaged BYOD
Session: 8-hour token lifetime, sign-in frequency 4 hours for users in the Confidential or Restricted label scope

Pair this with Continuous Access Evaluation so a revoked token kills active Copilot sessions within minutes, not hours.

Oversharing detection with Defender for Cloud Apps

Defender for Cloud Apps (MDCA) ships with a Copilot-specific policy template called "Oversharing risk for Copilot". It scans SharePoint sites and surfaces:

Sites with "Everyone except external users" permissions
Sites with broken permission inheritance
Files with anyone-with-the-link sharing enabled and no expiration
Sites that contain Confidential-labeled content and have >500 unique viewers in the last 90 days

Run this scan before Copilot rollout. Treat the top 10 percent of sites as remediation backlog. Microsoft's own data shows that fixing the top 5 percent of oversharing sites eliminates 60 percent of Copilot exposure.

SharePoint Premium for governance at scale

SharePoint Premium (formerly Syntex) provides the bulk-remediation muscle. Key features:

Restricted access control policies that lock a site to a security group regardless of inherited permissions
Site lifecycle management that flags inactive sites for archival, removing them from Copilot indexing
Content explorer with bulk relabel actions
Permission state reports at site and library level

For tenants over 10 TB or 1,000 SharePoint sites, Premium is effectively required. The per-user license cost is offset within two quarters by the reduction in manual remediation work.

Audit logs that catch real incidents

Every Copilot interaction generates events in the Purview Unified Audit Log under the workload "Copilot". The events you care about:

`CopilotInteraction`: prompt + response + grounding sources (the actual SharePoint URLs Copilot read)
`SensitivityLabelApplied` / `SensitivityLabelChanged`: track labeling drift
`FileAccessedByCopilot`: granular file-level audit
`DLPPolicyMatch` with workload = Copilot

Stream these to Sentinel via the Office 365 connector. Build a hunting query that flags any `CopilotInteraction` where the grounding sources include a Confidential or Restricted item that the user has not previously accessed directly. This catches the "Copilot found something I didn't know existed" exfiltration pattern.

Real leak scenarios and how each control prevents them

Scenario 1: An intern asks Copilot to "summarize our largest customer contracts." Copilot grounds against /Sites/Legal/Contracts because permissions inherited from the parent Legal site granted "Members" to a group the intern was added to during onboarding.

Prevented by: oversharing scan in Defender for Cloud Apps + Restricted Access Control on /Sites/Legal/Contracts + auto-labeling Confidential on the Contracts folder.

Scenario 2: An employee uses Copilot in Outlook to draft a customer-facing email and Copilot pulls a paragraph from an internal product roadmap deck marked Confidential.

Prevented by: Warn-On-Confidential-In-Copilot-Output policy showing a policy tip + Block-External-Recipients policy blocking send if the user proceeds.

Scenario 3: A terminated employee's session is still active on an unmanaged laptop. They prompt Copilot to dump everything about Project Atlas.

Prevented by: Conditional Access requiring managed device + Continuous Access Evaluation revoking the token + Project Atlas content labeled Restricted with DLP excluding it from Copilot grounding entirely.

License and SKU realities

A common rollout snag is licensing. Copilot for Microsoft 365 sits on top of an E3 or E5 SKU; auto-labeling requires Information Protection P2 (included in E5, separate add-on under E3); Defender for Cloud Apps requires E5 or the Defender add-on; SharePoint Premium is a per-user license layered on top. Build the SKU map before you build the policy map. We have seen multi-quarter delays caused by a procurement team realizing mid-rollout that auto-labeling was not in their plan.

Pricing as of Q2 2026 (list, USD per user per month):

Microsoft 365 E5: $57
Copilot for M365: $30
Information Protection P2 (if not on E5): $5
Defender for Cloud Apps (if not on E5): $5
SharePoint Premium: $5

A typical Copilot rollout for a 5,000-person org with mixed E3/E5 lands around $150k to $220k per month in licensing once all the supporting controls are in place. Knowing this number early lets you scope the rollout realistically.

The data residency question

For regulated workloads (FedRAMP High, ITAR, healthcare in certain jurisdictions), confirm which Copilot endpoints are in scope for your environment. Copilot for GCC High became generally available in mid-2025 with a subset of features; some grounding sources (notably the Microsoft Graph connectors to non-M365 systems) remain unavailable. Map your high-sensitivity workloads to a separate Copilot tenant or a separate environment entirely. Mixing GCC and Commercial Copilot in the same Conditional Access policy creates audit headaches that take months to untangle.

Rollout checklist

[ ] Inventory all SharePoint sites with public or anyone-link sharing using Defender for Cloud Apps oversharing scan
[ ] Define the four-label taxonomy and publish via Purview to a pilot of 50 users
[ ] Enable auto-labeling in simulation mode for 30 days; tune the rules
[ ] Promote auto-labeling to enforcement on Confidential and Restricted only
[ ] Build the three baseline DLP policies (Block-Restricted, Warn-Confidential, Block-External-Output)
[ ] Create the Copilot Conditional Access policy requiring managed devices + MFA + low/medium sign-in risk
[ ] Pilot SharePoint Premium Restricted Access Control on the top 20 sensitive sites
[ ] Wire Purview audit logs into Sentinel with the Copilot-specific hunting queries
[ ] Run a tabletop incident response exercise on the three scenarios above
[ ] Brief all Copilot users on the policy tip language and the override workflow

For governance discipline beyond technical controls, our copilot-governance-checklist covers organizational rollout, training, and acceptable use language. If you're choosing between Copilot and Claude or ChatGPT Enterprise as your default stack, the claude-ai-vs-chatgpt-enterprise-comparison breaks down the security posture differences.

Next steps

Run the Defender for Cloud Apps oversharing scan this week. It is free, takes about 20 minutes to configure, and will give you a defensible baseline before you turn on any new Copilot licenses. Then prioritize the four-label taxonomy and DLP policies as a 30-day project before broad rollout. We help mid-market and federal teams stand up Purview-aligned Copilot deployments end to end — reach out if you want a second set of eyes on the policy design.

View All Insights