Table of Contents
New DLP Policy for Copilot Action to Block Processing Web Searches
Recently, there’s been a spate of developments to bring Microsoft 365 content into OpenAI and Anthrophic for processing by external AI models. Microsoft is in a bit of a quandary when it comes to competing with OpenAI and Anthrophic. Microsoft badly wants to sell more Microsoft 365 Copilot licenses. At the same time, Microsoft 365 Copilot is dependent on OpenAI and Anthrophic models, so Microsoft can’t criticize the AI technology from its partners.
What Microsoft can do is emphasize the value of deep integration between Copilot and the Microsoft 365 apps, as evident in its comparison between Microsoft 365 Copilot and ChatGPT Enterprise with the tagline “Not all AI is built for work.”
DLP Policy for Copilot
Surprisingly, Purview Data Loss Prevention (DLP) doesn’t feature in the comparison. However, a DLP policy for Copilot has been available since March 2025 and it’s one of the most valuable pieces of the Copilot ecosystem because it blocks Copilot and Copilot agents from processing files protected by specific sensitivity labels.
I guess you could argue that the OpenAI connectors or Anthrophic’s Connector for Claude don’t need DLP to do any blocking for them because neither integration can open Office or PDF files protected by sensitivity labels with encryption because the external programs cannot authenticate to gain access to the protected content. That’s stretching a deficiency to become a strength in a way that doesn’t hold water.
DLP Policy to Protect Sensitive Copilot Interactions
In any case, DLP comes with a default policy called “Default DLP policy – Protect sensitive M365 Copilot interactions” introduced in late 2025 to control the use of sensitive information types in Copilot prompts. The policy comes preconfigured to protect many different sensitive information types from an ABA routing number to a U.S. social security number (Figure 1).
Before putting the policy to use, it’s a good idea to remove sensitive information types that don’t make sense for your organization or maybe add some that are missing from the default set. You should also turn on incident reports so that administrators become aware of attempts to use sensitive information types in Copilot prompts and switch the mode from simulation to “On.”
Once enabled, DLP will detect attempts to use the sensitive information types specified in the policy in Copilot prompts. Users will be told that the organization has blocked Copilot from responding to some types of content and Copilot will do nothing further to process the prompt.
Extending DLP Policy for Copilot Actions to Block Web Searches
Originally, the DLP policy to protect sensitive Copilot interactions had just one action – to block prompts as described above. MC1263277 (27 March 2026, Microsoft 365 roadmap 548671) describes a new action that’s available in preview and due to roll out in general availability in June 2026. The new action blocks Copilot from performing web searches to ground prompts.
Microsoft 365 Copilot can consult both internal and external sources to ground prompts before it generates responses. External sources are consulting by running Bing searches to find relevant web content. The new action allows Copilot to continue process user prompts against Microsoft 365 content (if the user has a Microsoft 365 Copilot license) while stopping Copilot from sending potentially sensitive data to Bing to perform a search.
A DLP policy created for the special Copilot location can only choose one of the available actions for restricting Copilot from processing content (Figure 2). Apart from that, everything works just like for other DLP policies.
Overall, this is a nice change that demonstrates the value of working within an integrated ecosystem. I’m not saying that the OpenAI and Anthrophic connectors for Microsoft 365 are not valuable because that’s obviously not the case. However, organizations that value aspects like compliance and data governance will consider that being to exert control through mechanisms like DLP is very valuable. Isn’t choice wonderful?
Learn how to use Purview DLP and to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.