MC1263277 - Microsoft Purview | DLP to safeguard sensitive data from external web search in Microsoft 356 Copilot and Copilot Chat

Introduction

We’re expanding Microsoft Purview Data Loss Prevention (DLP) for Microsoft 365 Copilot and Copilot Chat to help organizations prevent sensitive data from being sent to external web search. This enhancement introduces real‑time DLP evaluation for prompts containing sensitive information types (SITs), ensuring Copilot and Microsoft 365‑published agents avoid using sensitive content for external web queries. When blocked, Copilot will still respond based on internal Microsoft Graph grounding if licensed.

This message is associated with Microsoft 365 Roadmap ID 548671.

When this will happen

Public Preview: Rollout begins in late March 2026 and completes in late April 2026.
General Availability (Worldwide): Rollout begins in late June 2026 and completes in late July 2026.

How this affects your organization

Who is affected

Organizations using Microsoft 365 Copilot, Copilot Chat, and Copilot Studio agents published to Microsoft 365 Copilot
Admins who manage DLP policies in the Microsoft Purview portal

What will happen

New DLP control for Copilot web search

DLP policy creation will include a new option to restrict Copilot from performing external web searches when a prompt contains selected SITs.
When triggered, Copilot:
- Will not send content to external web search.
- Will continue responding using internal Microsoft Graph data sources, if your licensing allows.

New investigation and monitoring experiences

Alerts triggered by this policy will appear in DLP Alerts (if alerts are enabled).
Activity Explorer under DLP and DSPM for AI will include Copilot‑related actions for monitoring and analysis.

Policy management updates

The DLP policy page may display new recommendations related to this feature.
Available in the Microsoft Purview portal and editable by:
- Admin roles listed in Permissions - Create and deploy data loss prevention policies, and
- Data Security AI Admins.

Default state

The feature becomes available automatically.
Organizations must opt in by creating or updating a DLP policy.

Screenshot 1 - Choose M365 Copilot and Copilot Chat as the policy location:

Screenshot 2 - New DLP protection to restrict Copilot from performing web searches:

What you can do to prepare

No action is required for enablement. To begin using the feature, admins can:

Create or update a DLP policy for Microsoft 365 Copilot in the Purview portal.
Review current DLP configurations to understand potential impact.
Ensure the admin account includes the required roles described in Microsoft Learn.
Notify IT, security teams, or helpdesk staff about the new capability.
Update any internal documentation related to AI governance, DLP, or Copilot usage.

Learn more:

Compliance considerations

Question	Answer
Does the change alter how existing customer data is processed, stored, or accessed?	Yes. Sensitive data included in Copilot prompts will now be assessed by DLP before being sent to external web search. When blocked, data remains internal and is not transmitted externally.
Does the change introduce or modify AI/ML or agent capabilities that interact with customer data?	Yes. Copilot agents adapt behavior by restricting web search when sensitive data is detected, using Microsoft Graph grounding only.
Does the change modify, interrupt, or disable Purview capabilities?	Yes. Adds new enforcement behavior for DLP policies in Copilot scenarios.
Does the change alter how admins can monitor or report compliance activities?	Yes. New Copilot‑specific activities appear in Activity Explorer and DLP alerting.
Does the change include an admin control?	Yes. Admins must explicitly configure or update a DLP policy to enable this protection.