Services
Affected Platforms
Summary
Microsoft Purview is adding a new DLP control for Microsoft 365 Copilot and Copilot Chat to exclude external emails from being used in AI-generated responses. This feature, off by default, will roll out from June to August 2026 and helps protect organizations by limiting Copilot’s data sources to trusted internal content.
Details
Introduction
We’re expanding Microsoft Purview Data Loss Prevention (DLP) controls for Microsoft 365 Copilot and Copilot Chat to help organizations reduce the risk of untrusted or externally sourced content influencing AI‑generated responses. This new capability allows admins to exclude emails from external senders from being used as grounding data during Copilot prompt processing. When enabled, Copilot continues to generate responses using trusted internal Microsoft 365 data sources, subject to existing licensing and policy controls.
This message is associated with Microsoft 365 Roadmap ID 561552.
When this will happen
- Public preview: We will begin rolling out in early June 2026 and expect to complete by late June 2026.
- General availability (Worldwide):Â We will begin rolling out in late July 2026 and expect to complete by late August 2026.
How this affects your organization
Who is affected
- Organizations using Microsoft 365 Copilot (Premium) or Copilot Chat
- Admins managing AI governance, security, and data protection using Microsoft Purview
What will happen
- A new DLP policy control will be available for Microsoft 365 Copilot and Copilot Chat.
- When enabled by an admin:
- Emails sent from external or untrusted domains are excluded from being:
- Referenced
- Summarized
- Used as grounding data by Copilot
- Copilot continues to generate responses using trusted internal Microsoft 365 data sources (for example, SharePoint, OneDrive, and internal Exchange content), subject to existing licensing and policy.
This change does not:
- Affect email delivery, retention, eDiscovery, or user access
- Change existing Copilot interaction behavior unless the policy is explicitly configured
Default state:
- Off by default.
- There is no change unless an admin enables this control in Microsoft Purview.
Screenshot 1. Select Microsoft 365 Copilot and Copilot Chat as the DLP policy location:Â
Screenshot 2. New DLP setting to restrict processing of external email content:Â
What you can do to prepare
No action is required if you do not plan to use this capability.
If you want to enable the feature:
- Create or update a DLP policy for Microsoft 365 Copilot in the Microsoft Purview portal.
- Review existing DLP configurations to understand potential Copilot impact.
- Ensure your admin account has the required DLP and Purview roles.
- Inform IT, security, and helpdesk teams about the new control.
- Update internal documentation related to AI governance and Copilot usage.
Learn more:
- Learn about data loss prevention | Microsoft Purview | Microsoft Learn
- Learn about using Microsoft Purview Data Loss Prevention to protect interactions with Microsoft 365 Copilot and Copilot Chat | Microsoft Purview | Microsoft Learn
- Permissions - Create and deploy data loss prevention policies | Microsoft Purview | Microsoft Learn
Compliance considerations
| Question | Answer |
| Does the change alter how existing customer data is processed? | Yes. External email content is excluded from Copilot grounding when the policy is enabled; underlying email storage, access, and retention are unchanged. |
| Does the change introduce or modify AI/ML capabilities interacting with customer data? | Yes. Copilot grounding logic is updated to respect a new DLP exclusion for external email content. |
| Does the change modify Purview DLP enforcement? | Yes. Adds a new DLP control scoped specifically to Copilot and Copilot Chat grounding behavior. |
| Does the change include an admin control? | Yes. The feature is controlled via Microsoft Purview DLP policies and is admin-configurable. |