Microsoft Purview and Copilot: Complete Integration Guide

Governance & Compliance
Copilot Consulting

February 22, 2026

25 min read

Microsoft Purview is the compliance backbone for every Microsoft 365 Copilot deployment. Without Purview, you have no visibility into what Copilot is accessing, no control over what it can surface, no ability to detect sensitive data exposure, and no way to respond to regulatory inquiries about AI-generated content. Copilot without Purview is an unsecured AI system operating in your enterprise.

This is not optional. Organizations in regulated industries---healthcare (HIPAA), financial services (SOC 2, FINRA, SEC), government (FedRAMP, NIST 800-53), and any company processing EU data (GDPR)---must configure Purview before enabling Copilot for any user population. Even organizations without explicit regulatory obligations need Purview to prevent data oversharing, maintain audit trails, and protect intellectual property.

This guide covers every Purview capability relevant to Copilot: sensitivity labels, Data Loss Prevention (DLP), audit logging, eDiscovery, Information Barriers, retention policies, and Communication Compliance. For each capability, we explain what it does, how it interacts with Copilot, how to configure it, and what happens if you skip it.

Sensitivity Labels: Controlling What Copilot Can Access

How Sensitivity Labels Work with Copilot

Sensitivity labels are the first line of defense, but a label does two different things for Copilot and it pays to keep them apart. If the label applies encryption, the usage rights it grants decide whether Copilot can return the item's content to the current user at all. If the label does not encrypt, it does not restrict retrieval by itself; the user's SharePoint, OneDrive and Exchange permissions do. The unencrypted label travels with the content instead: Copilot shows it on citations, inherits it into what it generates, and DLP and auto-labeling can act on it. Treat an unencrypted label as classification metadata, not as an access control, and plan the controls below accordingly.

Key behaviors:

  • Encryption enforcement: If a document is labeled with encryption (e.g., "Highly Confidential - Encrypted"), Copilot returns its content only when the current user holds the usage rights the label grants, and in particular the EXTRACT right; VIEW alone is not enough. Removing EXTRACT from a label's rights is the one label setting that stops Copilot from summarizing or quoting an item the user can still open
  • Label inheritance: When Copilot creates a new document or email from labeled sources, the output inherits the source label with the highest priority in your label order (keep that order aligned with sensitivity). A summary drawn from a "Confidential" report and an "Internal Only" email is labeled "Confidential". In chat, the label of each referenced item is shown on its citation rather than applied to the response text, so test what happens when a user copies an answer out of the chat
  • Visual markings: Headers, footers, and watermarks defined by sensitivity labels appear on Copilot-generated documents, maintaining visual indicators of content sensitivity

Configuration Steps

Step 1: Define your sensitivity label taxonomy

A typical enterprise taxonomy:

| Label | Scope | Encryption | Copilot Behavior |
|-------|-------|------------|------------------|
| Public | External-facing content | None | Fully accessible |
| Internal Only | All employees | None | Accessible to all licensed users |
| Confidential | Specific groups | Optional | Restricted to authorized groups |
| Highly Confidential | Named individuals | Required | Restricted to named individuals only |
| Regulated Data | Compliance-specific | Required | Restricted + additional DLP controls |

Step 2: Enable auto-labeling policies

Manual labeling relies on user compliance, which is unreliable. Configure auto-labeling to apply sensitivity labels automatically based on content inspection:

  • Documents containing Social Security numbers: Auto-label "Regulated Data - PII"
  • Documents containing financial account numbers: Auto-label "Confidential - Financial"
  • Documents in specific SharePoint sites (e.g., HR, Legal, M&A): Auto-label based on site sensitivity
  • Emails containing specific keywords or patterns: Auto-label based on content match

Step 3: Configure label policy settings that govern Copilot-created content

  • Turn on mandatory labeling in the label policy so users must apply a label before saving or sending any document or email, which includes the documents Copilot drafts for them
  • Set a default label in the policy (e.g., "Internal Only") so new documents created through Copilot are never unlabeled
  • Require downgrade justification, so a user who lowers the label Copilot inherited must record a reason, which is written to the audit log

Step 4: Test label inheritance with Copilot

Before broad deployment, test the following scenarios:

  • Ask Copilot to summarize a "Confidential" document---verify the summary inherits the "Confidential" label
  • Ask Copilot to combine content from multiple labeled documents---verify the output inherits the highest label
  • Ask Copilot to generate content in a labeled SharePoint site---verify the generated content receives the site's default label
  • Ask Copilot to reference encrypted content when the user does not have decryption rights---verify Copilot denies access
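Steps 1 through 3 above, as an added Security & Compliance PowerShell example. This is not code from the original article or from Microsoft. Label names, the group addresses, the sensitive information type and the label policy settings keys are assumptions for illustration; confirm the settings keys against the Settings property that Get-LabelPolicy reports in your tenant. Step 4 remains a manual pilot test that the script cannot replace.

```powershell
# Added example, not from the original article. Assumes an account with
# Compliance Administrator rights and the ExchangeOnlineManagement module.
Connect-IPPSSession

# --- Step 1: taxonomy ----------------------------------------------------------
# An unencrypted label never blocks Copilot by itself, so only the rights list on
# the encrypted labels is an access control. EXTRACT is the right Copilot needs to
# return an item's content: a user with VIEW but no EXTRACT can open the file, yet
# Copilot will not summarize or quote it for them.
$hcRights = "finance-leadership@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL"

New-Label -Name "Internal Only" -DisplayName "Internal Only" `
    -Tooltip "All employees. Default for Copilot-created documents." `
    -ContentType "File, Email" `
    -ApplyContentMarkingFooterEnabled $true -ApplyContentMarkingFooterText "Internal Only"

New-Label -Name "Highly Confidential" -DisplayName "Highly Confidential" `
    -Tooltip "Named individuals only. Encrypted; Copilot can use it only for holders of EXTRACT." `
    -ContentType "File, Email" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $hcRights `
    -EncryptionContentExpiredOnDateInDaysOrNever Never -EncryptionOfflineAccessDays 7 `
    -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText "Highly Confidential"

# Regulated Data encrypts to the all-staff group (assumed address) but grants no
# EXTRACT, so the files still open for staff while Copilot cannot pull their
# contents into answers.
New-Label -Name "Regulated Data" -DisplayName "Regulated Data" `
    -Tooltip "PII/PHI/financial records. Readable by staff, excluded from Copilot." `
    -ContentType "File, Email" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "all-staff@contoso.com:VIEW,VIEWRIGHTSDATA,REPLY,REPLYALL" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never -EncryptionOfflineAccessDays 7

# --- Step 2: auto-labeling, simulation first ----------------------------------
New-AutoSensitivityLabelPolicy -Name "AutoLabel-RegulatedData" `
    -ApplySensitivityLabel "Regulated Data" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications
New-AutoSensitivityLabelRule -Policy "AutoLabel-RegulatedData" -Name "SSN-present" `
    -Workload Exchange,SharePoint,OneDriveForBusiness `
    -ContentContainsSensitiveInformation @{Name="U.S. Social Security Number (SSN)"; minCount="1"}
# Once the simulation results look right:
# Set-AutoSensitivityLabelPolicy -Identity "AutoLabel-RegulatedData" -Mode Enable

# --- Step 3: publish with mandatory labeling, a default, and downgrade justification
New-LabelPolicy -Name "Global-Labels" `
    -Labels "Internal Only","Highly Confidential","Regulated Data" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
$defaultLabel = Get-Label -Identity "Internal Only"
# Settings keys below are assumed to match what Get-LabelPolicy reports; verify.
Set-LabelPolicy -Identity "Global-Labels" -Settings @{
    mandatory                     = "true"                         # label before save/send
    defaultlabelid                = $defaultLabel.Guid.ToString()  # Copilot drafts start here
    requiredowngradejustification = "true"                         # lowering a label needs a reason
}
Get-LabelPolicy -Identity "Global-Labels" | Select-Object Name, Labels, Settings
```

The point of the rights strings is the EXTRACT right: "Highly Confidential" grants it to one group, "Regulated Data" grants it to nobody, and that single difference is what decides whether Copilot can ground an answer on the file for a user who can otherwise open it.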

What Happens If You Skip Sensitivity Labels

Without sensitivity labels:

  • Copilot treats all content equally regardless of sensitivity, bounded only by the user's (often over-broad) permissions
  • Users can ask Copilot to summarize M&A documents, executive compensation data, or legal hold materials
  • Copilot-generated summaries contain sensitive information without any visual indicators or access controls
  • The audit log still records which files Copilot touched, but with no label on them you cannot separate the sensitive accesses from the routine ones
  • Label-based DLP and the Copilot DLP location have nothing to act on, so regulated data (PII, PHI, financial records) reaches Copilot responses undetected

Data Loss Prevention (DLP): Preventing Copilot from Leaking Data

How DLP Works with Copilot

DLP gives you two different enforcement points, and it is worth being precise about which does what. The Copilot-specific DLP location ("Microsoft 365 Copilot and agents") uses sensitivity labels as its condition: items carrying the labels you name are excluded from Copilot's grounding, so their content never reaches the model or the response. The long-standing workload DLP (Exchange, SharePoint, OneDrive, Teams, Endpoint) uses sensitive information types as well as labels, and applies when content is stored, sent or shared, which includes whatever a user does with a Copilot response once it leaves the chat.

DLP enforcement points for Copilot:

  • Document retrieval: The Copilot DLP location keeps labeled items out of responses. It does not inspect items for sensitive information types at retrieval time, so auto-labeling is what connects SIT detection to this control
  • Response content: Copilot does not run SIT-based DLP over the generated text itself; the response is governed by the labels of its sources and by what happens to the text next
  • Sharing actions: When users share Copilot-generated content via Pages, email, or Teams, workload DLP evaluates it like any other content and enforces sharing restrictions

Critical DLP Policies for Copilot

Policy 1: PII Protection

  • Detect Social Security numbers, driver's license numbers, passport numbers in the files Copilot can reach and in anything users send or share from a Copilot response
  • Action: Block sharing externally, notify compliance team, log the event
  • Scope: All Copilot users

Policy 2: Financial Data Protection

  • Detect credit card numbers, bank account numbers, routing numbers
  • Action: Block sharing, encrypt the content, notify compliance
  • Scope: All Copilot users, with enhanced enforcement for non-finance roles

Policy 3: Healthcare Data Protection (HIPAA)

  • Detect medical record numbers, diagnosis codes, patient names combined with health information
  • Action: Block sharing, require encryption, trigger Purview audit alert
  • Scope: All users in healthcare organizations

Policy 4: Intellectual Property Protection

  • Detect content from labeled "Highly Confidential" or "Trade Secret" documents in Copilot outputs
  • Action: Restrict sharing to internal-only, apply watermarks, notify document owner
  • Scope: All Copilot users

Policy 5: Cross-Boundary Data Leakage

  • Prevent Copilot outputs from combining data from different business units that should not be mixed (e.g., investment banking + equity research in financial services). DLP cannot tell which business unit a response drew from; enforce this with Information Barriers (next section) plus a label-based exclusion of each unit's content in the Copilot DLP location
  • Action: Block cross-segment retrieval, notify compliance, log for regulatory review
  • Scope: Users in organizations with information barriers

Configuration Best Practices

  • Start in simulation mode: Deploy DLP policies in simulation ("test") mode first to understand the volume and nature of sensitive data flowing through Copilot before enabling enforcement
  • Tune sensitivity thresholds: Overly aggressive DLP causes alert fatigue and user frustration. Calibrate detection thresholds based on test mode data
  • Create Copilot-specific policy tips: When DLP blocks a Copilot response, the user should understand why and what to do. Generic "content blocked" messages generate help desk tickets
  • Monitor DLP incidents weekly: Review Copilot-related DLP incidents to identify patterns (specific departments, document libraries, or query types triggering DLP)
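Policies 1 and 4 above, as an added Security & Compliance PowerShell example (not code from the article). It creates the workload DLP policies in simulation mode with a Copilot-specific policy tip, then shows the flip to enforcement and the audit query behind the weekly review. The Copilot DLP location itself ("Microsoft 365 Copilot and agents") is created in the Purview portal with the label condition and is not shown here. Policy names, the label name and the report address are assumptions.

```powershell
# Added example, not from the original article. Assumes Connect-IPPSSession has
# already been run with Compliance Administrator rights.

# --- Policy 1: PII -------------------------------------------------------------
# Simulation first: matches are reported, nothing is blocked, no user sees a tip.
New-DlpCompliancePolicy -Name "Copilot-PII" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithoutNotifications `
    -Comment "Stage 1 simulation. Move to Enable after two weeks of incident review."

# Any one of three US identifiers, shared outside the organization: block, explain
# to the user, and raise a high-severity incident report for the compliance mailbox.
New-DlpComplianceRule -Policy "Copilot-PII" -Name "PII-external-share" `
    -ContentContainsSensitiveInformation @{
        operator = "And"
        groups   = @(@{
            operator       = "Or"
            name           = "US identifiers"
            sensitivetypes = @(
                @{ name = "U.S. Social Security Number (SSN)"; minCount = "1" },
                @{ name = "U.S. Driver's License Number";      minCount = "1" },
                @{ name = "U.S. / U.K. Passport Number";       minCount = "1" }
            )
        })
    } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner,LastModifier `
    -NotifyPolicyTipCustomText "This content contains personal identifiers and cannot be shared outside the company. Remove the identifiers or keep the Copilot summary internal. Questions: compliance@contoso.com" `
    -GenerateIncidentReport "compliance@contoso.com" -IncidentReportContent All `
    -ReportSeverityLevel High

# --- Policy 4: labeled IP stays internal --------------------------------------
New-DlpCompliancePolicy -Name "Copilot-IP" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications
New-DlpComplianceRule -Policy "Copilot-IP" -Name "HC-internal-only" `
    -ContentContainsSensitiveInformation @{
        operator = "And"
        groups   = @(@{
            operator = "Or"
            name     = "Labeled IP"
            labels   = @(@{ name = "Highly Confidential"; type = "Sensitivity" })
        })
    } `
    -AccessScope NotInOrganization -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "Highly Confidential material cannot leave the organization, including inside Copilot-generated summaries." `
    -GenerateIncidentReport "compliance@contoso.com" -IncidentReportContent All `
    -ReportSeverityLevel High

# --- After tuning: enforcement -------------------------------------------------
Set-DlpCompliancePolicy -Identity "Copilot-PII" -Mode Enable
Set-DlpCompliancePolicy -Identity "Copilot-IP"  -Mode Enable

# --- Weekly review: last seven days of SharePoint/OneDrive rule matches --------
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType ComplianceDLPSharePoint -Operations DlpRuleMatch -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations
```

The policy-tip text is the part most teams skip: it is what turns a blocked share into a self-service fix instead of a help desk ticket, so say what matched, what the user can do about it, and who to ask.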

Audit Logging: Tracking Every Copilot Interaction

What Purview Audit Captures for Copilot

Microsoft Purview Unified Audit Log captures Copilot interactions including:

  • CopilotInteraction event: Logged under record type CopilotInteraction, operation CopilotInteraction, each time a user submits a prompt to Copilot
  • Application context: Which Microsoft 365 app (Word, Excel, Teams, Business Chat) the interaction occurred in, recorded as the app host in the event data
  • User identity: Who submitted the prompt
  • Timestamp: When the interaction occurred
  • Accessed resources: The files, emails and meetings Copilot used to ground the response, with their identifiers and sensitivity label IDs
  • Response metadata: Thread and message identifiers for the conversation. The prompt and response text are not in the audit record; they are stored in the user's mailbox and reached through eDiscovery

Configuring Audit Logging for Copilot

Step 1: Enable Unified Audit Logging

Verify that Unified Audit Logging is enabled in your tenant:

  • Microsoft Purview compliance portal > Audit > Verify "Start recording user and admin activity" is enabled (new tenants have it on by default; confirm with Get-AdminAuditLogConfig in Exchange Online PowerShell, where UnifiedAuditLogIngestionEnabled should be True)
  • For large enterprises, ensure you have the appropriate license (E5, or the E5 Compliance add-on) for Audit (Premium): longer default retention, high-value events and higher search bandwidth

Step 2: Configure audit log retention

  • Audit (Standard): 180 days (E3)
  • Audit (Premium): 1 year by default (E5 or the E5 Compliance add-on)
  • Extended retention: up to 10 years with the 10-Year Audit Log Retention add-on license on top of Audit (Premium), applied through an audit retention policy that targets the Copilot record type

For regulated industries, configure retention to match your regulatory requirements:

  • HIPAA: 6 years minimum for required documentation
  • SOC 2: no prescribed period; the evidence has to cover the audit period, so set retention longer than the longest reporting window your auditor uses
  • FINRA Rule 4511: 6 years, with the first 2 years in an easily accessible place
  • SEC Rule 17a-4: 6 years for the records in 17a-4(a) and 3 years for most others, with the first 2 years easily accessible in both cases

Step 3: Create Copilot-specific audit search queries

Build saved searches in Purview Audit for common investigation scenarios:

  • All Copilot interactions by a specific user (for employee investigations)
  • All Copilot interactions accessing a specific SharePoint site (for data breach assessment)
  • All Copilot interactions during a specific time window (for incident response)
  • All Copilot interactions flagged by DLP (for compliance review)

Step 4: Configure alert policies

Create Purview alert policies that notify your security team when:

  • A user submits an unusually high number of Copilot prompts in a short window (potential data harvesting): an activity alert on the CopilotInteraction operation with an aggregation threshold
  • Copilot accesses documents in a restricted SharePoint site: correlate the accessed resources in CopilotInteraction events with the site's URL in a scheduled audit search or your SIEM, since alert policy conditions do not reach into that field
  • DLP blocks content from a Copilot response from being shared (sensitive data exposure attempt): a DLP policy-match alert
  • A user accesses Copilot from an unusual location or device: this is a Microsoft Entra ID Protection or Defender signal rather than a Purview one, so route it into the same queue

Audit Logging Gaps and Mitigations

Gap 1: Prompt and response text are not in the audit record The CopilotInteraction record carries the event metadata, the accessed resources and the message identifiers, not the text of what the user asked or what Copilot answered. That text is retained as Copilot interaction items in the user's Exchange mailbox, where it is subject to retention policies and is searchable with eDiscovery. When an investigation needs the conversation, pair the audit export with an eDiscovery search of the custodian's mailbox rather than expecting a longer-retention audit SKU to add it.

Gap 2: Cross-application context When a user starts a query in Business Chat and the response references documents from SharePoint, emails from Outlook, and messages from Teams, the audit log may not fully capture the cross-application data flow. Correlate CopilotInteraction events with SharePoint access logs and Exchange audit logs for complete visibility.

Gap 3: Agent interactions Copilot agents operating with application permissions may generate audit events under the application identity rather than a user identity. Ensure your audit search queries account for both user and application identities.
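The alert conditions and the correlation advice above, as an added PowerShell example (not code from the article): a function that runs over CopilotInteraction records and flags high prompt volume and access to a restricted site, exercised on constructed records, followed by the Purview alert policy that does the volume check in production. The field names under CopilotEventData (AppHost, AccessedResources and a per-resource SiteUrl), the thresholds, the site prefix and the alert policy's operation name are assumptions; confirm them against records exported from your own tenant before relying on the logic.

```powershell
# Added example, not from the original article. The sample records below are
# constructed; field names under CopilotEventData are assumptions to verify.

function Get-CopilotAuditFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Records,          # Search-UnifiedAuditLog output (UserIds, AuditData)
        [int]    $PromptThreshold      = 200,                  # prompts per user in the searched window
        [string] $RestrictedSitePrefix = "https://contoso.sharepoint.com/sites/MA"
    )
    $promptsByUser = @{}
    $findings      = [System.Collections.Generic.List[object]]::new()

    foreach ($record in $Records) {
        $data = $record.AuditData | ConvertFrom-Json
        if ($data.Operation -ne "CopilotInteraction") { continue }   # skip other record types in a mixed export

        $user = $data.UserId
        $promptsByUser[$user] = 1 + [int]$promptsByUser[$user]

        # Every item Copilot grounded the answer on is listed here; the user may
        # never have opened it themselves, which is why this field matters.
        foreach ($resource in @($data.CopilotEventData.AccessedResources)) {
            if ($resource.SiteUrl -and
                $resource.SiteUrl.StartsWith($RestrictedSitePrefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $findings.Add([pscustomobject]@{
                    Kind     = "RestrictedSiteAccess"
                    User     = $user
                    Time     = $data.CreationTime
                    App      = $data.CopilotEventData.AppHost
                    Resource = $resource.Name
                    LabelId  = $resource.SensitivityLabelId
                })
            }
        }
    }
    foreach ($user in $promptsByUser.Keys) {
        if ($promptsByUser[$user] -gt $PromptThreshold) {
            $findings.Add([pscustomobject]@{ Kind = "HighPromptVolume"; User = $user; Count = $promptsByUser[$user] })
        }
    }
    return $findings
}

# Constructed sample records in the shape Search-UnifiedAuditLog returns (AuditData is JSON).
# Real records: Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
#                   -RecordType CopilotInteraction -ResultSize 5000 -SessionCommand ReturnLargeSet
function New-SampleRecord([string]$User, [string]$App, [string]$Name, [string]$SiteUrl) {
    $json = @{
        CreationTime = "2026-02-10T14:02:11"; Operation = "CopilotInteraction"; UserId = $User
        CopilotEventData = @{
            AppHost           = $App
            AccessedResources = @(@{ Name = $Name; Type = "File"; SiteUrl = $SiteUrl
                                     SensitivityLabelId = "00000000-0000-0000-0000-0000000000aa" })
        }
    } | ConvertTo-Json -Depth 6 -Compress
    [pscustomobject]@{ UserIds = $User; AuditData = $json }
}
$sample  = @(New-SampleRecord "alice@contoso.com" "BizChat" "Project Falcon LOI.docx" "https://contoso.sharepoint.com/sites/MA/Shared Documents")
$sample += 1..201 | ForEach-Object { New-SampleRecord "bob@contoso.com" "Teams" "notes.docx" "https://contoso.sharepoint.com/sites/Comms/Shared Documents" }

Get-CopilotAuditFindings -Records $sample | Format-Table -AutoSize

# Production form of the volume check: a Purview alert policy aggregating
# CopilotInteraction activity per user (operation name is an assumption; check it
# against the activities offered when creating an alert policy in the portal).
New-ProtectionAlert -Name "Copilot prompt volume" -Category ThreatManagement `
    -ThreatType Activity -Operation CopilotInteraction `
    -AggregationType SimpleAggregation -Threshold 200 -TimeWindow 60 `
    -Severity Medium -NotifyUser "secops@contoso.com"
```

On the constructed input the function reports alice's single grounding on the restricted M&A site and bob's 201 prompts in the window; in practice the restricted-site check is the one worth running daily, because it surfaces documents that were reachable through permissions nobody had reviewed.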

eDiscovery: Preserving Copilot-Generated Content

Why eDiscovery Matters for Copilot

Legal holds and discovery obligations apply to Copilot-generated content. If your organization is involved in litigation, regulatory investigation, or internal investigation, you must be able to:

  • Search for and preserve Copilot-generated documents
  • Produce Copilot-generated emails, meeting summaries, and reports in response to discovery requests
  • Identify all Copilot interactions by specific custodians during a relevant time period
  • Preserve Copilot Pages and Loop components that may contain relevant content

Configuring eDiscovery for Copilot

Step 1: Verify Copilot content is indexed

Copilot-generated content stored in standard Microsoft 365 locations (Word documents in OneDrive/SharePoint, emails in Exchange, meeting transcripts in Teams) is indexed by default. However, verify that:

  • Pages content is searchable in eDiscovery
  • Copilot-generated Loop components are captured
  • Meeting transcripts with Copilot summaries are preserved

Step 2: Create Copilot-specific eDiscovery searches

Build search queries that target Copilot-generated content:

  • Search custodian mailboxes for Copilot interaction items: prompts and responses are stored there as a distinct item type and can be selected as Copilot activity in eDiscovery searches
  • Do not rely on document metadata to identify AI-generated documents: a Word file Copilot drafted lists the user as author and carries no Copilot marker, so find such documents by correlating the accessed resources and timestamps in CopilotInteraction audit events with the custodian's OneDrive and SharePoint content
  • Search for audit log entries of CopilotInteraction events by custodian

Step 3: Configure legal holds for Copilot content

When placing custodians on legal hold:

  • Include OneDrive (where Pages are stored)
  • Include Exchange mailboxes (Copilot-generated emails)
  • Include Teams data (meeting summaries and chat interactions)
  • Include SharePoint sites (Copilot-generated documents)

Step 4: Test eDiscovery workflows

Before a legal matter arises, test your ability to:

  • Search for and preview Copilot-generated content
  • Export Copilot content in standard formats (PST, PDF)
  • Produce Copilot audit logs alongside content for context
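Steps 2 through 4 above, as an added Security & Compliance PowerShell example (not code from the article): a case, a hold covering every Copilot storage location for two custodians, a search that pulls their Copilot interaction items, and the export. The case name, custodians, site URL and the OneDrive naming pattern are assumptions, and so is the ItemClass prefix used to isolate Copilot interaction items; confirm it by previewing one custodian's results before building a production search on it.

```powershell
# Added example, not from the original article. Assumes Connect-IPPSSession with
# eDiscovery Manager rights. Names, URLs and the ItemClass prefix are assumptions.
$case       = "Matter-2026-014"
$custodians = "alice@contoso.com", "bob@contoso.com"
$sites      = @("https://contoso.sharepoint.com/sites/MA")
# OneDrive is a SharePoint location for hold and search purposes; derive each
# custodian's URL (assumed tenant naming: user_contoso_com under contoso-my).
$oneDrives  = $custodians | ForEach-Object {
    "https://contoso-my.sharepoint.com/personal/" + ($_ -replace '[@.]', '_')
}

New-ComplianceCase -Name $case -Description "Project Falcon litigation hold"

# Step 3: hold every location the article lists. Exchange covers Copilot emails,
# Teams chats and the Copilot prompts/responses kept in the mailbox; SharePoint
# and OneDrive cover Copilot-generated documents and Pages.
New-CaseHoldPolicy -Name "${case}-Hold" -Case $case -Enabled $true `
    -ExchangeLocation $custodians `
    -SharePointLocation ($sites + $oneDrives)
# A hold policy does nothing until it has a rule; no query means hold everything in scope.
New-CaseHoldRule -Name "${case}-Hold-Rule" -Policy "${case}-Hold"

# Step 2: Copilot interaction items for the custodians, plus the matter keyword
# anywhere in the held locations.
New-ComplianceSearch -Name "${case}-Copilot" -Case $case `
    -ExchangeLocation $custodians -SharePointLocation ($sites + $oneDrives) `
    -ContentMatchQuery '(ItemClass:IPM.SkypeTeams.Message.Copilot*) OR "Project Falcon"'
Start-ComplianceSearch -Identity "${case}-Copilot"

# Step 4: wait for the estimate, check the hit count, then export.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity "${case}-Copilot"
} while ($search.Status -ne "Completed")
$search | Select-Object Name, Status, Items, Size
New-ComplianceSearchAction -SearchName "${case}-Copilot" -Export -Format FxStream
```

Run this against a test case before you need it: the two things that go wrong are a hold policy without a rule (content is not actually preserved) and OneDrive URLs that do not match the tenant's naming, which silently drops Pages from the hold.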

Information Barriers: Preventing Cross-Boundary AI Access

Why Information Barriers Matter for Copilot

Information Barriers prevent specific groups of users from communicating or sharing information with each other. In financial services, Information Barriers separate investment banking from equity research to prevent insider trading. In law firms, they separate client teams working on conflicting matters.

Copilot amplifies Information Barrier risks because it can aggregate information across the tenant. Without properly configured barriers, an analyst in equity research could ask Copilot about a pending acquisition and receive information from the investment banking team's SharePoint site---violating regulatory requirements and potentially constituting insider trading.

Configuring Information Barriers for Copilot

Step 1: Define barrier segments

Identify the user groups that must be separated:

  • Investment banking vs. equity research (financial services)
  • Prosecution vs. defense teams (law firms)
  • M&A team vs. general employees (any industry during active acquisitions)

Step 2: Create Information Barrier policies

In Microsoft Purview:

  • Define segments based on Microsoft Entra ID (formerly Azure AD) user attributes (department, custom attributes, group membership)
  • Create policies that block communication and content sharing between segments
  • Apply policies to Microsoft Teams, SharePoint, and OneDrive

Step 3: Verify Copilot respects barriers

Test critical scenarios:

  • User in Segment A asks Copilot about content stored in Segment B's SharePoint site---verify Copilot does not surface the content
  • User in Segment A asks Copilot to summarize a meeting that included participants from Segment B---verify Copilot does not include Segment B's contributions
  • User in Segment A asks Copilot a general question that could be answered by content in either segment---verify Copilot only uses Segment A's content

Step 4: Monitor barrier compliance

Configure alerts for any Copilot interaction that crosses barrier boundaries. Review weekly and investigate any violations immediately.
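Steps 1 through 3 above, as an added PowerShell example (not code from the article). It creates the two segments, the two one-directional policies that together make a two-way block, applies them, enables Information Barriers for SharePoint and segments a site, and ends with the recipient-status check to run before any Copilot test. It needs Security & Compliance PowerShell for the barrier cmdlets and the SharePoint Online Management Shell for the site part. Segment names, department values and URLs are assumptions.

```powershell
# Added example, not from the original article. Assumes Connect-IPPSSession as an
# IB Compliance Management or Compliance Administrator role holder, and the
# SharePoint Online Management Shell for the Set-SPO* calls.

# Step 1: segments from the Entra ID Department attribute.
New-OrganizationSegment -Name "InvestmentBanking" -UserGroupFilter "Department -eq 'Investment Banking'"
New-OrganizationSegment -Name "EquityResearch"    -UserGroupFilter "Department -eq 'Equity Research'"

# Step 2: two-way block. Each policy covers one direction, so both are needed.
New-InformationBarrierPolicy -Name "IB-blocks-ER" -AssignedSegment "InvestmentBanking" `
    -SegmentsBlocked "EquityResearch" -State Active
New-InformationBarrierPolicy -Name "ER-blocks-IB" -AssignedSegment "EquityResearch" `
    -SegmentsBlocked "InvestmentBanking" -State Active
Start-InformationBarrierPoliciesApplication
Get-InformationBarrierPoliciesApplicationStatus -All   # wait for Status = Completed

# Barriers reach Copilot through SharePoint and OneDrive, which must be enabled
# separately and the site itself segmented; a Teams-only barrier leaves Copilot's
# search free to read the other segment's site.
Connect-SPOService -Url https://contoso-admin.sharepoint.com
Set-SPOTenant -InformationBarriersSuspension $false
$ibSegmentId = (Get-OrganizationSegment -Identity "InvestmentBanking").ExoSegmentId
Set-SPOSite -Identity https://contoso.sharepoint.com/sites/IB-Deals -AddInformationSegment $ibSegmentId

# Step 3, before any Copilot test: can a banker and an analyst communicate at all?
# The same call is the first thing to run when a cross-boundary Copilot answer is reported.
Get-InformationBarrierRecipientStatus -Identity alice@contoso.com -Identity2 bob@contoso.com
```

Policy application is not instantaneous, and the SharePoint part is the one most often missed; if the application status is not Completed or the site shows no segment, the Copilot tests in Step 3 will fail and you will be debugging the wrong layer.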

Retention Policies: Managing Copilot Content Lifecycle

Copilot Content Types Requiring Retention Policies

| Content Type | Storage Location | Default Retention | Action Required |
|--------------|------------------|-------------------|-----------------|
| Pages | OneDrive | User's OneDrive retention policy | Verify Pages are covered |
| Copilot-generated documents | OneDrive/SharePoint | Site/library retention policy | Verify coverage |
| Meeting summaries | Teams/Exchange | Teams retention policy | Verify Copilot summaries included |
| Chat interactions | Exchange (hidden) | Exchange retention policy | Configure if not already |
| Audit logs | Purview Audit | 180 days (E3) / 1 year (E5) | Extend for regulated industries |
| Agent interactions | Dataverse/Custom | No default | Configure explicitly |

Configuration Steps

  1. Verify existing retention policies cover all Copilot content storage locations
  2. Create specific retention labels for Copilot-generated content if your retention requirements differ from standard content
  3. Configure auto-apply retention labels for Copilot-generated content based on content type or sensitivity label
  4. Test retention and deletion workflows to confirm Copilot content is properly retained and disposed
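The configuration steps above, as an added Security & Compliance PowerShell example (not code from the article): one retention policy for the document, Pages and mail locations, a second for the Teams chat and Copilot interaction location (which cannot share a policy with the others), a distribution check, and an audit retention policy for the Copilot record type. The seven-year figure and the policy names are assumptions.

```powershell
# Added example, not from the original article. Assumes Connect-IPPSSession with
# Compliance Administrator rights; the 7-year figure and names are assumptions.
$days = 7 * 365   # Purview rules take a duration in days

# Documents, Pages (OneDrive) and mail: one policy covers these three locations.
New-RetentionCompliancePolicy -Name "Copilot-Content-7y" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name "Copilot-Content-7y-Rule" -Policy "Copilot-Content-7y" `
    -RetentionDuration $days -RetentionComplianceAction Keep `
    -ExpirationDateOption ModificationAgeInDays

# Teams chats and Copilot chat interactions share a location and need their own policy.
New-RetentionCompliancePolicy -Name "Copilot-Chats-7y" `
    -TeamsChatLocation All -TeamsChannelLocation All -Enabled $true
New-RetentionComplianceRule -Name "Copilot-Chats-7y-Rule" -Policy "Copilot-Chats-7y" `
    -RetentionDuration $days -RetentionComplianceAction Keep

# Step 1 verification: every policy enabled and distributed without errors.
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus, Workload

# Audit record retention for the Copilot record type. Seven years needs Audit
# (Premium) plus the 10-Year Audit Log Retention add-on; without the add-on the
# effective maximum is one year.
New-UnifiedAuditLogRetentionPolicy -Name "Copilot audit 7y" -RecordTypes CopilotInteraction `
    -RetentionDuration SevenYears -Priority 10
```

Keep rather than KeepAndDelete is deliberate for the first pass: confirm the policies reach every location first, then add disposition once legal has signed off on the lifecycle for AI-generated records.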

Communication Compliance: Monitoring Copilot-Generated Communications

Why Communication Compliance Matters

Communication Compliance in Purview monitors communications for policy violations---harassment, threats, regulatory non-compliance, insider trading signals, and inappropriate content. Copilot-generated communications (emails, chat messages, meeting notes) fall within scope.

Configuration for Copilot

  • Include Copilot-generated emails in Communication Compliance policies
  • Monitor Copilot-assisted Teams messages for policy violations
  • Configure reviewers who understand AI-generated content patterns
  • Create policies specific to AI-generated content, with realistic expectations: Communication Compliance matches keywords, sensitive information types and trainable classifiers; it cannot check facts. Write conditions for the claims your regulator prohibits (guaranteed returns, unapproved performance figures, medical or legal advice) and route matches to reviewers, because Copilot can generate plausible-sounding but incorrect statements that would constitute misrepresentation in regulated communications

Implementation Priority Matrix

Not all Purview capabilities need to be configured before Copilot deployment. Prioritize based on risk:

Must Have Before Copilot Deployment (Week 1-2)

  1. Sensitivity labels: Define taxonomy, enable auto-labeling for high-risk data types
  2. DLP policies: Deploy PII and financial data protection policies, starting in simulation mode and moving to enforcement before the first users go live
  3. Audit logging: Verify enabled, configure retention to meet regulatory requirements
  4. SharePoint permissions audit: Review and remediate overly permissive access

Should Have Within 30 Days

  1. Information Barriers: Configure for organizations with regulatory separation requirements
  2. eDiscovery configuration: Test Copilot content searchability and preservation
  3. Communication Compliance: Enable for Copilot-generated emails and messages
  4. Alert policies: Configure anomaly detection for unusual Copilot usage patterns

Should Have Within 90 Days

  1. Retention policies: Verify coverage for all Copilot content types
  2. Advanced audit: Deploy E5 advanced audit for extended retention and detailed logging
  3. Custom DLP policies: Create organization-specific policies based on 30-day DLP incident data
  4. Reporting dashboards: Build Power BI reports for compliance monitoring

Common Configuration Mistakes

Mistake 1: Deploying Copilot before configuring sensitivity labels Impact: Copilot surfaces sensitive content without access controls or visual indicators. Users unknowingly include classified information in Copilot-generated documents that are shared broadly.

Mistake 2: DLP policies in detect-only mode indefinitely Impact: DLP detects sensitive data in Copilot responses but takes no action. The detection data accumulates in reports that nobody reviews. Sensitive data leaks continue unchecked.

Mistake 3: Insufficient audit log retention Impact: During a regulatory investigation 18 months after an incident, the audit logs have been purged because retention was set to the default 180 days. You cannot demonstrate compliance or investigate the scope of data exposure.

Mistake 4: Information Barriers not tested with Copilot Impact: Barriers work correctly for direct Teams communication, but Information Barriers for SharePoint and OneDrive were never enabled, or the sites were never segmented, so Copilot's search, which draws on SharePoint and OneDrive, retrieves content across segments. Cross-boundary data exposure occurs silently.

Mistake 5: eDiscovery not updated for Copilot content Impact: During litigation, legal discovers that Copilot-generated Pages and meeting summaries were not captured by legal hold. Spoliation sanctions may apply, and the organization faces adverse inference instructions.



Frequently Asked Questions

Do I need Microsoft Purview before deploying Copilot?

Yes, for any enterprise deployment. At minimum, you need sensitivity labels configured and enforced, DLP policies active for your most sensitive data types (PII, financial data, health information), and audit logging enabled with retention matching your regulatory requirements. Without these controls, Copilot operates as an unsecured AI system that can surface any data a user has technical access to---including data they were never intended to see. For regulated industries (healthcare, finance, government), deploying Copilot without Purview configuration is a compliance violation waiting to happen.

How does Copilot interact with sensitivity labels?

Copilot respects sensitivity labels during content retrieval and generation. If a document is labeled "Highly Confidential" with encryption, Copilot returns its content only if the current user holds the EXTRACT usage right, not just VIEW. When Copilot creates a new document from labeled sources, the output inherits the highest-priority source label; in chat, the source labels are shown on the citations. Labels without encryption do not block retrieval on their own, so use the Copilot DLP location to exclude labeled content. Auto-labeling policies can classify Copilot-generated content once it is saved, based on the sensitive data types it contains. Test label inheritance in your pilot environment before broad deployment to verify these behaviors in your specific configuration.

What DLP policies should I configure for Copilot?

Configure five core DLP policies: (1) PII protection---detect SSNs, driver's licenses, passport numbers in content Copilot can reach and in what users share from its responses, block external sharing. (2) Financial data protection---detect credit cards, bank accounts, routing numbers, block sharing and encrypt. (3) Healthcare data protection---detect medical records, diagnosis codes, patient identifiers, block sharing and trigger audit alerts. (4) Intellectual property protection---exclude "Highly Confidential" or "Trade Secret" labeled documents from Copilot through the Copilot DLP location and restrict their sharing to internal-only. (5) Cross-boundary leakage---keep separated business units' content apart with Information Barriers and label-based exclusion, since DLP cannot tell which unit a response drew from. Start in simulation mode for 2 weeks to calibrate thresholds before enabling enforcement.

How do I handle Copilot in eDiscovery?

Copilot-generated content is stored in standard Microsoft 365 locations (OneDrive for Pages, Exchange for emails and for the Copilot prompts and responses themselves, Teams for meeting content) and is indexed by eDiscovery. To ensure complete coverage: (1) Verify Pages content is searchable---run test searches for Copilot-generated Pages by custodian. (2) Include all content locations in legal holds---OneDrive, Exchange, Teams, and SharePoint. (3) Search custodian mailboxes for Copilot interaction items rather than for document metadata, which does not mark AI-generated content. (4) Supplement content searches with Purview audit log exports to capture interaction context (what the user asked, which documents Copilot accessed). Test your eDiscovery workflow before an actual legal matter arises.


Errin O'Connor

Founder & Chief AI Architect

EPC Group / Copilot Consulting

With 25+ years of enterprise IT consulting experience and 4 Microsoft Press bestselling books, Errin specializes in AI governance, Microsoft 365 Copilot risk mitigation, and large-scale cloud deployments for compliance-heavy industries.
