Microsoft 365 Copilot is the embedded AI tool available for M365 users with a valid license and Entra account, and comes equipped with the embedded cybersecurity configurations of your existing subscription. Because it effectively operates as an orchestration layer over the existing platform, the security controls that govern Copilot are the same identity, encryption, compliance and information protection settings that govern your Exchange Online, SharePoint Online and Teams accounts.
Continue reading below to better understand the protections built into Microsoft 365 Copilot, the controls inherited from the underlying tenant and the licensing prerequisites that determine which security capabilities apply:
Copilot Inherits Your Microsoft 365 Security Posture
Microsoft Copilot effectively works as an orchestration engine that connects a Large Language Model (LLM) to Microsoft Graph data and your M365 apps. In effect, Microsoft 365 Copilot does not introduce a parallel permission, identity or storage system – prompts, retrieved data and generated responses remain inside your licensed cloud storage, subject to the same Data Protection Addendum (DPA) and Microsoft Product Terms that cover Exchange and SharePoint workloads. The Office 365 layer operates as a data processor under those terms and Copilot uses Azure OpenAI Service for model inference rather than the public OpenAI consumer endpoints.
The orchestration engine has three working components: the foundational LLMs, the content surfaced through Microsoft Graph and the M365 apps in your account. Copilot retrieves Graph data under the requesting user’s identity through Semantic Index, which honors the identity-based access permission levels configured with your account already, so the grounding step only reaches content the current user is authorized to view. The result is that Copilot’s effective security ceiling is the same ceiling as the underlying tenant configuration — and any gap in permissions, labeling or data lifecycle policy will be reflected in Copilot output the same way it would be reflected in a SharePoint search result.
Identity and Access: Microsoft Copilot Sees What the User Sees
Authentication and authorization for Copilot run through Microsoft Entra ID. Every Copilot call is executed as the signed-in user and tenant isolation is enforced through Entra authorization and role-based access control combined with logical separation of customer content inside each tenant. There is no service-account elevation path and there is no mechanism by which a user can prompt Copilot into retrieving content they could not already open directly in SharePoint, OneDrive, Outlook or Teams. Conditional Access applies to Copilot sessions because sign-in flows through the same Entra identity surface as the rest of the M365 stack, but the type of Conditional Access available shifts by tier.
Enterprise Data Protection
Enterprise Data Protection (EDP) is the contractual framework Microsoft uses to describe the commitments that apply to prompts and responses for Microsoft 365 Copilot and Microsoft 365 Copilot Chat. The terms are the same enterprise terms that govern other M365 commercial workloads under the DPA and Product Terms and they cover three points that matter for administrators reviewing Copilot:
- No training on customer data — Prompts, responses and data accessed through Microsoft Graph are not used to train the foundation LLMs that power Microsoft 365 Copilot.
- Encryption at rest and in transit — Customer content is protected through BitLocker, per-file encryption, TLS and IPsec, with the same encryption posture as the rest of M365.
- Tenant isolation — Customer content is logically isolated within each tenant through Entra authorization and role-based access control.
Interaction history — the user’s prompt, Copilot’s response and the citations that ground the response — is stored as part of the user’s Copilot activity history. This data is encrypted at rest and is not used for model training. Administrators can view, search and apply retention to this interaction data through Content search and Microsoft Purview, and end users can delete their own activity history through the My Account portal. For Teams Copilot interactions, the Teams Export APIs also surface the stored data.
Microsoft Purview
Microsoft Purview is a portfolio of solutions built to help you manage your AI settings, and most of the configurable Copilot-specific protections live here. The solutions most directly relevant to Microsoft 365 Copilot deployments are Information Protection, Data Loss Prevention, Audit, Data Lifecycle Management, eDiscovery, Communication Compliance and Insider Risk Management.
The most Copilot-specific control is the Microsoft 365 Copilot and Copilot Chat DLP policy location, available only in the Custom policy template. Selecting this location disables all other locations on the same policy, and policy updates can take up to four hours to propagate to the Copilot experience. The policy supports three distinct controls:
- Block sensitive information types in prompts (preview) — A DLP rule using the Content contains > Sensitive information types condition prevents Copilot from returning a response when a prompt contains a specified SIT, and blocks the prompt from being used for internal or external web search.
- Block external web search grounding when prompts contain sensitive data (preview) — A narrower variant of the SIT control that blocks only the external web search grounding step, allowing Copilot to continue responding using internal Microsoft 365 sources.
- Exclude labeled files and emails from response summarization (generally available) — A DLP rule using the Content contains > Sensitivity labels condition prevents the content of labeled items from being used in the response summary.
The two condition types — Sensitive information types and Sensitivity labels — cannot be combined in the same DLP rule, but can be configured as separate rules within the same policy. Coverage is scoped: only files stored in SharePoint Online and OneDrive for Business are supported, emails are supported if sent on or after January 1, 2025, calendar invites are not supported, and files uploaded directly into a Copilot prompt are not scanned by DLP. In Word, Excel and PowerPoint, the policy is evaluated at file open; sensitivity labels applied mid-session take effect the next time the file is opened.
Copilot operates within existing permissions, which means content that is overshared at the SharePoint, OneDrive or Teams permission layer will be reachable through Copilot grounding to the same degree it is reachable through search. Microsoft addresses this through a deployment blueprint structured around three pillars — remediate oversharing, set up guardrails and meet regulations — combining Purview controls with SharePoint Advanced Management (SAM), which is included with the Microsoft 365 Copilot license rather than sold as a separate add-on. SAM provides site access reviews, restricted access controls and oversharing reports that surface high-risk content patterns at the SharePoint layer.
AI Safeguards: Prompt Injection, Content Filtering and Web Query Handling
Beyond the controls inherited from Microsoft 365, Copilot applies a set of model-layer safeguards built into the orchestration engine. Proprietary jailbreak classifiers and cross-prompt injection attack (XPIA) classifiers analyze inputs and block high-risk prompts prior to model execution. Content harm filters cover four categories — hate and fairness, sexual, violence and self-harm — and additional workplace-harm filters restrict Copilot from generating inferences about employee performance, internal state or personal characteristics from workplace communications. Protected material detection identifies copyrighted text and licensed code in Copilot output and the Customer Copyright Commitment indemnifies commercial customers against third-party copyright infringement claims arising from Copilot output when Microsoft’s content filters and guardrails remain in place.
When Copilot determines that a prompt would benefit from current web information, it generates a search query, strips user and tenant identifiers, and sends it to Bing Search. This query will ostensibly not be used to train AI models nor shared with advertisers and is handled by a different data layer than Graph. However, Admins can disable web search at the tenant is web grounding falls outside of your data handling requirements.
Microsoft 365 Copilot Security Features: Business vs Enterprise Licenses
Microsoft 365 Copilot comes as an add-on license on top of a qualifying base subscription. Qualifying base licenses for M365 Business plans include Microsoft 365 Business Basic, Business Standard and Business Premium. For these plan tiers, the security delta can be broken down across three categories:
- Identity and access management — All three Business tiers support single-identity sign-in and MFA enforcement for Copilot. Device-based Conditional Access and remote wipe of Copilot-generated content are available across Basic, Standard and Premium. Conditional Access based on identity, device and location, near-real-time access policy enforcement with immediate revocation on critical events, Windows Hello for Business and terms-of-use enforcement are Premium-only.
- Endpoint management — Wiping work content from lost or stolen devices is available across all three Business tiers. Pushing M365 apps to devices, managing M365 app updates, restricting Copilot use on personal devices, preventing files from saving to unprotected apps and revoking work access on noncompliant Windows devices are Premium-only capabilities. Business Standard adds revocation of work access on noncompliant iOS and Android devices ahead of Premium.
- Data security and compliance — Audit (Standard) logging for Copilot interactions and the ability to apply manual retention policies for Copilot interactions are available across all three Business tiers. eDiscovery search-and-export of Copilot interactions is available across all three tiers; case management and legal hold for Copilot interactions are Premium-only through eDiscovery (Standard). Prohibiting Copilot from surfacing sensitive data where the user lacks extract permissions is available at Standard and Premium. Excluding files the user cannot view from Copilot processing is available across all three tiers. DLP for Copilot-generated content saved to M365 locations (files and email), manual and mandatory sensitivity labeling of M365 content used by Copilot and sensitivity-label inheritance into Copilot output and citations are all Premium-only.
M365 Enterprise plans come with expanded security capabilities that carry over into your Copilot settings:
- Microsoft 365 E3 — Entra ID P1, Intune for unified endpoint management, Purview eDiscovery (Standard), Purview Information Protection and the Purview audit baseline.
- Microsoft 365 E5 — Adds Entra ID P2 (Identity Protection, PIM), Defender XDR (Defender for Endpoint Plan 2, Defender for Identity, Defender for Cloud Apps, Defender for Office 365 Plan 2), Purview Insider Risk Management, Purview Communication Compliance and eDiscovery (Premium).
Get a Microsoft 365 Copilot Assessment with SWK Technologies
Microsoft 365 Copilot’s security depends on the configuration of the tenant beneath it — permission hygiene across SharePoint and OneDrive, sensitivity label coverage, DLP policy scope, Conditional Access enforcement and the endpoint posture under Defender and Intune. A clean Copilot rollout is gated on those layers being in order before the license is activated against a user population.
Contact SWK here to review your tenant configuration ahead of a Microsoft 365 Copilot rollout and identify the remediation work your business needs before your next license renewal.