Microsoft adds Copilot data controls to all storage locations

Source: Bleeping Computer

Overview

Microsoft is expanding Data Loss Prevention (DLP) controls to block the Microsoft 365 Copilot AI assistant from processing confidential Word, Excel, and PowerPoint documents, regardless of where the files are stored.

Previously, Microsoft Purview DLP policies applied only to files in SharePoint or OneDrive; local device files were not covered.

Deployment Details

• Component: The change will be delivered through the Augmentation Loop (AugLoop) Office component.
• Timeline: Deployment is scheduled between late March and late April 2026.
• Scope: DLP controls will apply to all Office documents—local, SharePoint, and OneDrive.

“This enhancement responds to customer feedback requesting more consistent protection coverage across local and cloud‑based file locations,” Microsoft said in a message‑center update.

Impact on Copilot

• Once deployed, Copilot will be unable to read or process Word, Excel, or PowerPoint files that are labeled as restricted by DLP policies.
• The update will be automatically enabled for organizations that already have DLP policies blocking Copilot from processing sensitivity‑labeled content; no additional admin action is required.

“This update does not modify Copilot capabilities. Instead, Office clients and AugLoop have been enhanced so AugLoop can read a file’s sensitivity label directly from the client,” Microsoft added.

“Today, AugLoop retrieves the label by calling Microsoft Graph using the file’s SharePoint or OneDrive URL, which limits DLP enforcement to files stored in OneDrive and SharePoint. By enabling the client to provide the label, DLP enforcement now applies uniformly across all storage locations, including local files.”

Background: Recent Copilot Bug

The update follows a recent software bug—described by Microsoft as a “code issue”—that allowed Microsoft 365 Copilot Chat to read and summarize confidential emails in users’ Sent Items and Drafts folders for nearly a month, despite those emails being protected by active DLP policies and labeled as confidential.

• Discovery date: January 21.
• Affected feature: Copilot “work tab” chat functionality.
• Behavior: The bug accessed and summarized emails stored in Sent Items and Drafts, including those with explicit confidentiality labels.

Microsoft clarified that the summarized information was only available to users already authorized to see it, but the behavior did not align with the intended Copilot experience, which is designed to exclude protected content from Copilot access.