Microsoft Expands Support for DLP

Microsoft Purview Data Loss Prevention (DLP) controls for Copilot are being extended to prevent Microsoft 365 Copilot from processing files with sensitivity labels in all storage locations, including local devices. The change is intended to close a crucial governance gap in enterprise AI deployments.
Copilot's DLP policy enforcement was previously restricted to files kept in OneDrive for Business and SharePoint Online. This resulted in a major blind spot: even if the organization had DLP policies in place to restrict sensitive content, Copilot could still access files that were stored locally on an employee's device or that were accessible through a network drive. Microsoft's update directly addresses this limitation by expanding coverage to every location where Office files may reside.
How the DLP Extension Works

The technical change stems from the way Copilot's augmentation loop (AugLoop) retrieves sensitivity label information. In the past, AugLoop detected a file's label by calling Microsoft Graph using the file's SharePoint or OneDrive URL. This method automatically excluded locally stored files.
This update removes the need for a cloud-based URL lookup by enabling Office clients to send the sensitivity label to AugLoop directly from the client side. With this architectural change, DLP policies can consistently assess and enforce restrictions regardless of whether the file is stored on a local device, a network drive, OneDrive, or SharePoint.
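The difference between the two lookup paths can be modelled in a few lines. This is an added example, not Microsoft's code: every name, the label names, the `contoso` host and the sample files are hypothetical or constructed, and the cloud lookup is a local dictionary standing in for the URL-based call described above.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# All names are hypothetical; this models the behaviour described above,
# not Microsoft's AugLoop, Graph or Purview interfaces.
RESTRICTED_LABELS = {"Highly Confidential"}  # labels an assumed DLP rule blocks for Copilot
CLOUD_SUFFIXES = (".sharepoint.com",)        # assumed SharePoint / OneDrive for Business hosts

@dataclass(frozen=True)
class OpenFile:
    location: str                # URL, local path or UNC path as the Office client sees it
    client_label: Optional[str]  # label the Office client reads from the open document

# Constructed stand-in for the cloud-side lookup keyed by file URL.
CLOUD_LABEL_INDEX = {
    "https://contoso.sharepoint.com/sites/fin/q3.xlsx": "Highly Confidential",
}

def is_cloud_url(location: str) -> bool:
    parsed = urlparse(location)
    return parsed.scheme == "https" and (parsed.hostname or "").endswith(CLOUD_SUFFIXES)

def label_via_url_lookup(f: OpenFile) -> Optional[str]:
    """Previous behaviour: a label is resolvable only when the file has a cloud URL."""
    return CLOUD_LABEL_INDEX.get(f.location) if is_cloud_url(f.location) else None

def label_via_client(f: OpenFile) -> Optional[str]:
    """Updated behaviour: the client supplies the label, wherever the file is stored."""
    return f.client_label

def copilot_blocked(label: Optional[str]) -> bool:
    # An unresolved label (None) matches no rule, so the old path failed open.
    return label in RESTRICTED_LABELS

def newly_enforced(files):
    """Files Copilot could process under URL lookup but is blocked from now."""
    return [f.location for f in files
            if not copilot_blocked(label_via_url_lookup(f))
            and copilot_blocked(label_via_client(f))]

SAMPLE = [  # constructed sample input
    OpenFile("https://contoso.sharepoint.com/sites/fin/q3.xlsx", "Highly Confidential"),
    OpenFile(r"C:\Users\alice\Documents\q3-copy.xlsx", "Highly Confidential"),
    OpenFile(r"\\fileserver\finance\q3.xlsx", "Highly Confidential"),
    OpenFile(r"C:\Users\alice\Documents\menu.docx", "General"),
]

if __name__ == "__main__":
    for path in newly_enforced(SAMPLE):
        print("newly enforced:", path)
```

In this model the local copy and the network-share copy of the same labelled workbook are the two files whose outcome changes, which is the population helpdesk documentation needs to account for.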
Copilot is prevented from processing a file's content in Word, Excel, or PowerPoint when an active DLP policy finds that the file has a restricted sensitivity label.

Detail: Information
Roadmap ID: 557255
Message ID: MC1234661
Apps Affected: Word, Excel, and PowerPoint
Start of Rollout: Late March 2026
Complete Rollout: Late April 2026
License Requirement: Microsoft 365 Copilot + M365 E5
Policy Changes Needed: None
Default State: On (for tenants with DLP rules)

No policy migration or reconfiguration is necessary for tenants who already have the necessary DLP rules configured.
Policies that are already in place will continue to operate exactly as they did before; they are simply enforced more widely, automatically.

Timeline and Requirements for Rollout

Microsoft has confirmed this update under Message ID MC1234661 and Roadmap ID 557255.
General availability for GCC and global environments is expected to start in late March 2026 and to finish by the end of April 2026. Administrators in charge of Purview DLP policies should review any sensitivity-label-based restrictions that are currently in place and revise internal helpdesk documentation accordingly.
It is also advisable to brief the security and compliance teams so that they are aware of the expanded enforcement scope. Organizations that currently use Microsoft 365 Copilot should be aware that fully using this DLP feature requires a Microsoft 365 Copilot license combined with a Microsoft 365 E5 license or something similar. This update only strengthens the governance boundary around what content Copilot is allowed to access and process; it has no effect on Copilot's core functionality.












