Microsoft Extends DLP Controls to Block Copilot from Sensitive Files Everywhere


Microsoft now applies Purview Data Loss Prevention (DLP) to Microsoft 365 Copilot across all file locations. This stops Copilot from processing sensitivity-labeled files on local drives, network shares, OneDrive, or SharePoint. Earlier limits left local files exposed. The update uses client-side label checks via AugLoop. Microsoft Message Center (MC1234661) states: “Office clients send sensitivity labels directly, enabling full DLP enforcement.”

Copilot pulls context from Office files to assist users. Past DLP only checked cloud URLs via Microsoft Graph. Local or network files slipped through. Now, Word, Excel, and PowerPoint report labels directly. DLP blocks restricted content automatically.

The rollout is tracked under Roadmap ID 557255. It starts in late March 2026 for Worldwide and GCC tenants and completes by late April 2026. No policy changes are needed for existing setups. As of February 26, 2026, preview tests confirm seamless expansion.

Enterprises gain tighter AI governance. Sensitive data stays safe from unintended Copilot prompts. This fits growing regulatory demands such as GDPR and compliance audits.

Rollout Details

| Aspect | Info |
| --- | --- |
| Roadmap ID | 557255 |
| Message ID | MC1234661 |
| Apps Affected | Word, Excel, PowerPoint |
| Start Date | Late March 2026 |
| End Date | Late April 2026 |
| License Needed | M365 Copilot + E5 equivalent |
| Policy Impact | Auto-expands; no changes required |

How It Works

Client-side enforcement closes gaps.

  • AugLoop gets labels from Office apps, not just cloud URLs.
  • DLP evaluates all locations uniformly.
  • Copilot is blocked from processing a file if its label matches a restricted policy.
  • Enforcement is on by default for tenants with DLP rules.

Admin Steps

Prepare your teams.

  • Review sensitivity labels now.
  • Update helpdesk docs on Copilot limits.
  • Test in pilot groups.
  • Communicate to users on file handling.
  • Monitor via Purview audit logs.

FAQ

Does Copilot DLP now cover local files?

Yes, all locations including local, network, OneDrive, SharePoint.

When does rollout start?

Late March 2026; full by late April. 

Do I need to change DLP policies?

No; existing ones expand automatically.

What licenses are required?

Microsoft 365 Copilot + E5 or equivalent.

How does it detect labels?

Office clients send them directly to AugLoop.
