Skip to main content

Microsoft 365 Copilot Data Readiness

Microsoft 365 Copilot grounds its answers on the semantic index of your tenant's content, and it answers every prompt in the security context of the user who asked, so it can only surface what that user is already permitted to open (semantic index for Copilot). That one fact reframes Copilot readiness as a data-security problem: wherever content is over-permissioned, unlabeled, or overshared, Copilot will faithfully surface it to everyone who can already reach it, at machine speed. Readiness is about closing those gaps before Copilot is enabled, not after.

This is a CUI-flow and access-control problem first. The controls below keep labeled CUI out of Copilot's grounding and responses and keep the prompt/response exchange auditable, mapping to CMMC AC.L2-3.1.3 (control the flow of CUI), AC.L2-3.1.1 / 3.1.5 (access enforcement and least privilege), and AU.L2-3.3.1 (audit).

Availability: verify before you plan a rollout. Microsoft 365 Copilot is generally available in GCC High and runs entirely inside the government tenant; prompts, responses, and generated content stay in the sovereign cloud (gov overview). The Purview data-security stack that protects it is mostly present in GCC High, but several pieces lag commercial and must be checked against the GCC High Purview deployment plan and the Copilot service description:

  • DSPM for AI is available, but only for supported AI sites (Microsoft 365 Copilot). The "browse to URL" policy and third-party generative-AI monitoring are not available in GCC High or DoD.
  • Built-in agents (Researcher, Analyst) and Copilot in Teams chat and channels are not yet available in GCC High.
  • Sovereign-cloud timelines trail commercial, so verify each capability in the service description before relying on it; a feature shown in a commercial walkthrough may not be in GCC High yet.

The four-step Purview model

Microsoft's deployment model for securing Copilot and its agents has four steps (Secure and govern Microsoft 365 Copilot agents):

StepWhat it establishesPrimary mechanism
1. DiscoverTurn on auditing; surface oversharing and sensitive-content risk; find regulatory gapsPurview Audit, DSPM for AI data risk assessments, SharePoint Advanced Management (SAM) reports, Compliance Manager
2. Protect grounding dataKeep sensitive content out of Copilot's knowledge sourceSensitivity labels, DLP for Copilot (label-based exclusion), retention to cut stale data
3. Protect interactionsProtect the prompt and response exchangeLabel inheritance in Copilot output, DLP for Copilot (prompt SITs / web-grounding block), Insider Risk Management "Risky AI usage"
4. Govern interactionsRetain and investigate AI activityRetention for Copilot interactions, eDiscovery, Communication Compliance, Audit

Step 1, Discover. Auditing must be on before DSPM for AI can capture Copilot prompts and responses (it is on by default; confirm it). From there, DSPM for AI data risk assessments and SAM reports (data-access governance, ownerless and inactive sites, "Anyone" and "Everyone Except External Users" links) locate the content that would overshare (get ready for Copilot with SAM).

Step 2, Protect grounding data. Sensitivity labels are the keystone: Copilot honors label encryption and usage rights, and legacy IRM-protected documents are excluded from Copilot grounding entirely (Copilot data and compliance readiness). A DLP for Copilot policy (location Microsoft 365 Copilot, condition content contains a sensitivity label, action prevent Copilot from processing the content) keeps labeled files out of responses even when the user can open them (DLP for Copilot). This guardrail depends entirely on a published label taxonomy (Chapter 14-2).

Step 3, Protect interactions. Copilot output inherits the highest sensitivity label of the files it cites. DLP for Copilot can block prompts containing sensitive information types from being processed, and the Insider Risk Management "Risky AI usage" template flags users probing for sensitive content through prompts (protect interactions).

Step 4, Govern interactions. Retention policies preserve Copilot interactions for the required period, eDiscovery makes them searchable, and Communication Compliance reviews prompts and responses for policy violations.

Oversharing and search readiness

Indexing does not change permissions; it inherits them, so an overshared site becomes an overshared Copilot answer. Readiness here is oversharing remediation, not an index "health score":

  • Inventory and remediate with SAM data-access-governance reports and the DSPM oversharing assessment; disable EEEU ("Everyone Except External Users") at the tenant level and restrict "Anyone" links.
  • Apply guardrails while permissions are reviewed. Restricted Access Control (RAC) gates a site to up to 10 designated Entra security groups or Microsoft 365 groups: users outside them lose access even with prior permissions or shared links, and group membership alone grants nothing (a user needs both the site permission and the group), which makes RAC a durable governance boundary rather than another sharing path (RAC). Restricted Content Discovery (RCD) temporarily hides high-risk sites from Copilot and organization-wide search during review without changing permissions. Restricted SharePoint Search (RSS) is retiring (new enablement is blocked starting July 31, 2026); use RCD instead (RSS retirement).
  • Validate through Purview Audit that Copilot no longer surfaces restricted content before a broad rollout.

Licensing

RequirementNotes
Microsoft 365 Copilot add-onPer-user paid add-on on G3 / G5 (and Office 365 G plans). A single Copilot license anywhere in the tenant also unlocks SAM (below).
Sensitivity labels, DLP (Exchange / SharePoint / OneDrive)Included in the G3 baseline; no new license to start Step 2.
DSPM for AI, Insider Risk Management, retention, Communication CompliancePurview AI and data-governance features; confirm entitlement, and that a pay-as-you-go (Azure subscription) billing link is configured for the metered DLP-for-Copilot capabilities.
Endpoint DLP, auto-labeling, container labelsG5 Compliance add-on.
SharePoint Advanced Management (SAM)Provides the oversharing reports, RAC, RCD, site access reviews, and site-level Conditional Access (authentication contexts). No add-on needed with a Copilot license in the tenant: one assigned license unlocks the SAM feature set, confirmed for GCC High and DoD. Buy the standalone SharePoint Premium add-on only if the tenant holds no Copilot licenses.
  1. Build and publish a sensitivity-label taxonomy (Chapter 14-2). It is the prerequisite for everything below.
  2. Run the DSPM for AI and SAM oversharing assessments, remediate the worst sites, and apply RCD / RSS as interim guardrails. Build in the new DSPM for AI experience, not the classic one Microsoft is retiring.
  3. Turn on the DLP-for-Copilot label-exclusion policy, then move it and the DSPM-for-AI policies from test to enforce once labels and SITs are tuned.
  4. Add the Step 3 and 4 controls: Insider Risk Management "Risky AI usage," label-inheritance validation, and retention for Copilot interactions.
  5. Confirm licensing and network, then pilot with a small cohort before tenant-wide enablement.
Labels are the first domino

With zero sensitivity labels, the most important guardrail (keeping labeled CUI out of grounding and summaries) has nothing to act on: every DLP-for-Copilot and DSPM-for-AI policy you build sits idle until a taxonomy is published. Build labels first.

📩 Don't Miss the Next Solution

Join the list to see the real-time solutions I'm delivering to my GCC High clients.