DLP Policy for Copilot Chat Uses Sensitive Information Types to Detect Issues in User Prompts
As mentioned in my notes from the first day of Ignite 2025, Microsoft is rolling out a new DLP policy capability in preview to govern how people use sensitive data in Microsoft Copilot chat to “safeguard prompts.” The new policy works by detecting attempts to use sensitive information types (SITs) in prompts. The update is documented in message center notification MC1181998 (last updated 12 November 2025, Microsoft 365 roadmap item 515945). The preview lasts from now until late December 2025 and Microsoft is aiming for general availability in late March 2026.
The original DLP policy for Microsoft Copilot blocks access to Office files and PDFs labeled with specific sensitivity labels. The sensitivity label-based policy stops Copilot using information stored in the labeled files in its responses to user prompts. The mechanism works well and is highly effective at preserving file confidentiality.
Separate DLP Policy Required
The new capability cannot be incorporated into an existing DLP policy for Copilot. A new policy is required to specify the set of sensitive information types (like credit card numbers, bank account numbers, passport numbers, and so on) for DLP to check against when users issue prompts to Copilot.
The two types of DLP policies for Copilot run quite happily alongside each other because each type of policy deals with very different information. An administrator must be a member of the Data Security AI admins role group (or a higher role group, like Organization Management) to configure DLP policies.
Microsoft maintains a set of over 300 sensitive information types for use with DLP and other Purview solutions. Most sensitive information types are pattern-based classifiers. Broadly speaking, many of the standard classifiers use Regex patterns to find matches.
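As an added illustration (not code from the original post and not Microsoft's classifier definitions), the example below models how a pattern-based sensitive information type evaluates a prompt: a regex finds candidates, a checksum discards look-alikes, and nearby keywords raise the confidence of a match. The patterns, keyword lists, 300-character window, and confidence labels are assumptions chosen for the example.

```python
import re

# Simplified model of a pattern-based classifier: regex match, optional
# checksum, then keyword evidence near the match. All patterns, keywords,
# the window size and the confidence labels are assumptions for this example.
PROXIMITY = 300  # characters searched either side of a match

def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers."""
    doubled = [int(ch) * (2 if i % 2 else 1) for i, ch in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

CLASSIFIERS = {
    "credit_card": {
        "pattern": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
        "validate": lambda s: luhn_ok(re.sub(r"\D", "", s)),
        "keywords": ("card", "visa", "mastercard", "cvv"),
    },
    "us_ssn": {
        "pattern": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
        "validate": lambda s: True,  # no checksum exists for this format
        "keywords": ("ssn", "social security"),
    },
}

def classify_prompt(prompt: str) -> list[tuple[str, str]]:
    """Return (type, confidence) for every validated match in a prompt."""
    hits = []
    lowered = prompt.lower()
    for name, c in CLASSIFIERS.items():
        for m in c["pattern"].finditer(prompt):
            if not c["validate"](m.group()):
                continue  # right shape, wrong checksum: not a match
            window = lowered[max(0, m.start() - PROXIMITY):m.end() + PROXIMITY]
            near = any(k in window for k in c["keywords"])
            hits.append((name, "high" if near else "low"))
    return hits

# Constructed sample prompts; the numbers are test values, not real data.
SAMPLES = [
    "Who is the employee with social security number 123-45-6789?",
    "Charge the Visa card 4111 1111 1111 1111 for the renewal",
    "Look up order 4111 1111 1111 1112 in the tracking system",
    "Ticket 123-45-6789 is still open",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify_prompt(s), "<-", s)
```

The third sample has the shape of a card number but fails the checksum, so it produces no match, while the fourth matches the SSN pattern without supporting keywords and is reported at low confidence.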
Purview includes methods to generate custom sensitive information types, including through document fingerprinting. For instance, I generated a sensitive information type by processing samples of the U.S. W-8BEN tax form. Sensitive information types created using document fingerprinting cannot be used with the DLP policy for Copilot. I only discovered this when I attempted to use the type when defining the set of sensitive information types to scan for in a policy rule (Figure 1).

Using the DLP Policy for Copilot Prompts
Like the earlier policy, DLP works with Copilot chat in both the app (BizChat) and the chat function in the Office apps. The policy works for both the free and paid-for versions of Copilot Chat.
Figure 2 shows a very simple example. The user knows about a social security number and has used that sensitive information in a prompt to ask Copilot if it can locate the employee that the social security number belongs to. In normal circumstances, Copilot could consult Graph resources like SharePoint files, email messages, or Teams conversations to respond to the prompt. With the DLP policy in place, Copilot politely declines to handle the query.

DLP for Education
The use of DLP policies to prevent people from using sensitive information types in Copilot prompts is a good example of how DLP can educate users about the proper handling of this kind of data. Nothing bad happens from a user perspective. Copilot declines to deal with the query and life goes on. Perhaps a future version of the policy will allow some form of stricter enforcement, such as monitoring how often users try to use blocked sensitive information types in prompts to give frequent offenders more pointed advice. I guess we’ll see!
Will this require the Purview add-on license or can we use it with M365E3?
It should be standard DLP, which means it should work with Office 365 E3. I have not tested the policy against prompts for Microsoft Copilot chat, only Microsoft 365 Copilot Chat (BizChat).