Microsoft is bolstering data loss prevention (DLP) measures for its AI assistant, Microsoft 365 Copilot, to prevent the processing of confidential information across all storage locations. The move aims to address concerns about data security and build user trust in the rapidly evolving landscape of AI-powered productivity tools.
Currently, Microsoft Purview DLP policies, designed to prevent sensitive data from leaving an organization’s control, only apply to files stored in SharePoint and OneDrive. This left data residing on local devices vulnerable. Microsoft’s upcoming changes will extend these protections to encompass all Office documents, regardless of where they are saved – be it a user’s computer, SharePoint, or OneDrive.
The rollout, leveraging the Augmentation Loop (AugLoop) Office component, is scheduled between late March and late April 2026. According to a Microsoft message center update, this enhancement directly responds to customer feedback requesting more consistent data protection. Once implemented, Copilot will be unable to read or process Word, Excel, or PowerPoint documents flagged as restricted by existing DLP controls.
“This update does not modify Copilot capabilities,” Microsoft clarified. “Instead, Office clients and AugLoop have been enhanced so AugLoop can read a file’s sensitivity label directly from the client.” Previously, AugLoop relied on accessing file URLs within SharePoint or OneDrive, limiting DLP enforcement. By enabling the client to provide the label, Microsoft achieves uniform enforcement across all storage locations, including local files.
The announcement comes after a recent incident where a software bug allowed Copilot Chat to access and summarize confidential emails in users’ Sent Items and Drafts folders, despite active DLP policies and confidentiality labels. The issue, discovered on January 21, affected the “work tab” chat functionality. Microsoft described the incident as a “code issue” and stated that access to the summarized information was limited to those already authorized to view the emails, but acknowledged the behavior was not aligned with the intended Copilot experience.
In a statement to BleepingComputer, Microsoft explained that the bug did not expose information to unauthorized users, but that the unintended access was still a concern. The company has since addressed the vulnerability.
How the Latest DLP Controls Will Work
The core of the update lies in how Copilot identifies sensitive information. Previously, Copilot relied on Microsoft Graph and file URLs to determine a document’s sensitivity label. This method inherently excluded locally stored files from DLP enforcement. The new system allows Office clients to directly provide the sensitivity label to AugLoop, enabling consistent protection regardless of storage location. This means that if a document is labeled as “Confidential” within Microsoft Purview, Copilot will respect that designation whether the file is in the cloud or on a user’s hard drive.
Automatic Implementation for Existing Policies
Organizations already utilizing Microsoft Purview DLP policies to restrict Copilot’s access to sensitive content will not need to take any additional action. Microsoft confirmed that the changes will be automatically enabled for these configurations, streamlining the deployment process and minimizing administrative overhead. This automated approach underscores Microsoft’s commitment to simplifying security management for its enterprise customers.
Implications for Data Security and AI Adoption
This move signals a broader trend of prioritizing data security as AI tools become increasingly integrated into workplace workflows. By extending DLP controls to all storage locations, Microsoft aims to alleviate concerns about accidental data leaks and ensure compliance with data privacy regulations. The enhanced controls are likely to encourage wider adoption of Copilot within organizations that have stringent data security requirements. The ability to confidently leverage AI’s capabilities without compromising sensitive information is a key factor driving enterprise AI strategies.
Looking ahead, Microsoft will likely continue to refine its DLP capabilities for Copilot, incorporating new features and addressing emerging security threats. The company’s ongoing commitment to data protection will be crucial as AI technology continues to evolve and reshape the future of work.
What are your thoughts on Microsoft’s enhanced Copilot data controls? Share your comments below and let us grasp how these changes will impact your organization.
