MC1263277 - Microsoft Purview | DLP to safeguard sensitive data from external web search in Microsoft 356 Copilot and Copilot Chat

Introduction

We’re expanding Microsoft Purview Data Loss Prevention (DLP) for Microsoft 365 Copilot and Copilot Chat to help organizations prevent sensitive data from being sent to external web search. This enhancement introduces real‑time DLP evaluation for prompts containing sensitive information types (SITs), ensuring Copilot and Microsoft 365‑published agents avoid using sensitive content for external web queries. When blocked, Copilot will still respond based on internal Microsoft Graph grounding if licensed.

This message is associated with Microsoft 365 Roadmap ID 548671.

When this will happen

• Public Preview: Rollout begins in late March 2026 and completes in late April 2026.
• General Availability (Worldwide): Rollout begins in late June 2026 and completes in late July 2026.

How this affects your organization

Who is affected

• Organizations using Microsoft 365 Copilot, Copilot Chat, and Copilot Studio agents published to Microsoft 365 Copilot
• Admins who manage DLP policies in the Microsoft Purview portal

What will happen

New DLP control for Copilot web search

• DLP policy creation will include a new option to restrict Copilot from performing external web searches when a prompt contains selected SITs.
• When triggered, Copilot:
  • Will not send content to external web search.
  • Will continue responding using internal Microsoft Graph data sources, if your licensing allows.

New investigation and monitoring experiences

• Alerts triggered by this policy will appear in DLP Alerts (if alerts are enabled).
• Activity Explorer under DLP and DSPM for AI will include Copilot‑related actions for monitoring and analysis.

Policy management updates

• The DLP policy page may display new recommendations related to this feature.
• Available in the Microsoft Purview portal and editable by:
  • Admin roles listed in Permissions - Create and deploy data loss prevention policies, and
  • Data Security AI Admins.

Default state

• The feature becomes available automatically.
• Organizations must opt in by creating or updating a DLP policy.

Screenshot 1 - Choose M365 Copilot and Copilot Chat as the policy location:

Screenshot 2 - New DLP protection to restrict Copilot from performing web searches:

What you can do to prepare

No action is required for enablement. To begin using the feature, admins can:

• Create or update a DLP policy for Microsoft 365 Copilot in the Purview portal.
• Review current DLP configurations to understand potential impact.
• Ensure the admin account includes the required roles described in Microsoft Learn.
• Notify IT, security teams, or helpdesk staff about the new capability.
• Update any internal documentation related to AI governance, DLP, or Copilot usage.

Learn more:

• Learn about data loss prevention | Microsoft Purview | Microsoft Learn
• Learn about using Microsoft Purview Data Loss Prevention to protect interactions with Microsoft 365 Copilot and Copilot Chat | Microsoft Purview | Microsoft Learn
• Permissions - Create and deploy data loss prevention policies | Microsoft Purview | Microsoft Learn

Compliance considerations