Safeguarding Sensitive Data in Microsoft 365 Copilot with Purview DLP (GA Release)

The challenge with sensitive data and access to Copilot

Microsoft 365 Copilot empowers users with AI-driven assistance across Microsoft 365 apps, but it also raises concerns about accidental oversharing of sensitive information. In response, Microsoft has extended its Purview Data Loss Prevention (DLP) capabilities to Microsoft 365 Copilot, allowing organizations to enforce information protection policies within AI workflows. DLP for Microsoft 365 Copilot has been in preview for some time, and Microsoft has now announced its General Availability (GA). The interesting additions include new features such as alerting and policy simulation.

Key details:

  • Rollout Timeline: As of June 2025, the rollout has begun. It should be completed worldwide by late July 2025.
  • Scope: Initially, DLP for Copilot was available for Copilot Chat scenarios. By the time of GA this is expanding to Copilot in core Office apps (Word, Excel, PowerPoint) as well. Ensuring that DLP prote...

Prepare for: Multiple account access to Copilot in Microsoft 365

As of January 30, 2025, a new policy setting is available in Cloud Policy. It will enable multiple account access to Copilot in Microsoft 365 desktop and mobile apps, allowing users to use Copilot across different signed-in accounts.

The feature itself will allow a user to use a fully licensed Copilot feature from one tenant on "any" document available to them in a tenant they have access to, regardless of whether the user has Copilot in any of the other tenants. The feature will be rolled out globally from early March 2025, and the rollout is expected to be completed by late March 2025. Organizations might want to look into this policy and understand how it may or may not impact their existing security policies.

I recommend reading the following article, which describes what the user can access in different scenarios.

Here are some of the things to take into consideration: 

  • Copilot's data protection is based on the identity used to access the file, ensuring enterprise data protection regardless of the account used. 
  • The setting for web grounding in Copilot is also identity-based. If web grounding is disabled for a particular identity, it will remain disabled even when accessing Copilot from another account.
  • If a user is accessing a document in a different tenant, work-grounded data from the home tenant will NOT be available.
  • The feature will be available in most of the major apps.

For organizations considering restricting this behaviour, Microsoft has provided the following Learn Article.