Copilot adds DLP — with caveats
Microsoft broadened governance for Microsoft 365 Copilot by integrating Purview data loss prevention and adding oversharing controls, but also signalled a change in EU handling: an opt-in setting that lets model inferencing run outside the EU Data Boundary under peak load. Microsoft says some policy wording was legacy and will be updated, yet the combination of new governance features and altered data residency practice creates both capability and procurement friction for multinational buyers. (cloudwars.com) (windowsnews.ai) (cybernews.com) (moneycontrol.com)
Microsoft is giving Microsoft 365 Copilot a better lock on sensitive company data at the same moment it is loosening one of its Europe promises under heavy demand. The result is a product that looks safer inside the tenant and less tidy at the border. (learn.microsoft.com 1) (learn.microsoft.com 2)

The new lock is Microsoft Purview data loss prevention (DLP), the rules engine companies use to stop tools from handling things like passport numbers, credit card numbers, or files marked confidential. Microsoft says admins can now target Microsoft 365 Copilot and Copilot Chat: restricting prompts that contain sensitive information types is in preview, and blocking Copilot from using files or emails that carry specified sensitivity labels is generally available. (learn.microsoft.com 1) (learn.microsoft.com 2)

That matters because Copilot does not invent access to your files; it works with the access a worker already has, retrieved through Microsoft Graph, Microsoft's index of mail, documents, meetings, and chats. If a company has messy permissions, Copilot does not create new exposure, but it can surface the existing mess faster by summarizing it in one answer. (learn.microsoft.com) (techcommunity.microsoft.com)

Microsoft's second change is aimed at that permissions problem, and it calls it oversharing control. In Microsoft's own examples, the risky patterns are SharePoint sites open to everyone in the company, default sharing set too broadly, and broken inheritance where folder permissions no longer match the site above them. (techcommunity.microsoft.com) (learn.microsoft.com) Microsoft has been bundling SharePoint Advanced Management with Microsoft 365 Copilot to help fix that, including site access reviews and controls that can restrict Copilot from certain sensitive sites. The company's guidance now frames Copilot governance less like a chatbot setting and more like a file-permissions cleanup project. (techcommunity.microsoft.com) (learn.microsoft.com) Then comes the caveat for Europe.
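Before the Europe caveat, a practical check for the three oversharing patterns just described. The following PnP PowerShell script is an added example, not code from the article or from Microsoft's documentation; it assumes the PnP.PowerShell module is installed, the caller is a SharePoint administrator, and the tenant name and Entra app registration ID are placeholders. It is read-only: it reports sites whose SharePoint groups contain an "everyone in the company" claim, sites whose default sharing link is broader than a direct link, and lists or items that have broken permission inheritance.

```powershell
# Added example (not from the article or Microsoft docs): read-only audit of
# SharePoint Online site collections for the oversharing patterns Copilot amplifies.
# Assumptions: PnP.PowerShell is installed; $Tenant and $ClientId are placeholders.
param(
    [string]$Tenant   = "contoso",                                    # placeholder
    [string]$ClientId = "00000000-0000-0000-0000-000000000000",       # placeholder app id
    [string]$OutCsv   = ".\copilot-oversharing-findings.csv"
)

# Claims that mean "everyone in the company" (hypothetical tenant id in the second):
#   Everyone                        -> c:0(.s|true
#   Everyone except external users  -> c:0-.f|rolemanager|spo-grid-all-users/<tenant-id>
$everyonePatterns = @('^c:0\(\.s\|true$', '^c:0-\.f\|rolemanager\|spo-grid-all-users/')

# Default sharing link types that hand out access more broadly than a direct grant.
$broadLinkTypes = @('Internal', 'AnonymousAccess')

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($site, $issue, $detail) {
    $findings.Add([pscustomobject]@{ Site = $site; Issue = $issue; Detail = $detail })
}

Connect-PnPOnline -Url "https://$Tenant-admin.sharepoint.com" -Interactive -ClientId $ClientId
$sites = Get-PnPTenantSite   # site collections, OneDrive excluded by default

foreach ($site in $sites) {
    # Pattern 2: default sharing set too broadly at the site level.
    if ($site.DefaultSharingLinkType -in $broadLinkTypes) {
        Add-Finding $site.Url 'BroadDefaultLink' $site.DefaultSharingLinkType
    }

    # Reuse the cached interactive token for each site collection.
    Connect-PnPOnline -Url $site.Url -Interactive -ClientId $ClientId

    # Pattern 1: a SharePoint group on the site contains an "everyone" claim.
    foreach ($group in Get-PnPGroup) {
        foreach ($member in Get-PnPGroupMember -Group $group) {
            foreach ($pattern in $everyonePatterns) {
                if ($member.LoginName -match $pattern) {
                    Add-Finding $site.Url 'EveryoneGrant' "$($group.Title): $($member.LoginName)"
                }
            }
        }
    }

    # Pattern 3: broken inheritance on lists/libraries and on individual items.
    # Per-item property loads are slow on large libraries; scope $sites for big tenants.
    foreach ($list in (Get-PnPList | Where-Object { -not $_.Hidden })) {
        if (Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments) {
            Add-Finding $site.Url 'UniqueListPermissions' $list.Title
        }
        foreach ($item in Get-PnPListItem -List $list -PageSize 500 -Fields 'FileRef') {
            if (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments) {
                Add-Finding $site.Url 'UniqueItemPermissions' $item.FieldValues['FileRef']
            }
        }
    }
}

$findings | Sort-Object Site, Issue | Format-Table -AutoSize
$findings | Export-Csv -Path $OutCsv -NoTypeInformation
```

The output is a starting list for the access reviews the article mentions, not a verdict: an "everyone" grant on a genuinely public intranet site is fine, while the same grant on a finance library is exactly what Copilot would turn into a one-paragraph answer. Direct role assignments on the web that bypass SharePoint groups are not covered by the group walk above and would need a separate pass over the web's role assignments.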
Microsoft now documents a feature called flex routing for customers in the European Union and the European Free Trade Association. When a customer enables it, large language model inferencing can run outside the European Union Data Boundary during peak demand. (learn.microsoft.com) Inferencing is the step where the model actually processes the prompt and generates the answer, so this is not a minor logging detail. Microsoft says flex routing is meant to keep Copilot responsive during busy periods, but it also means some processing can leave the bloc that many buyers treated as the clean compliance line. (learn.microsoft.com)

At the same time, Microsoft's main privacy page for Microsoft 365 Copilot still says the service is compliant with the European Union Data Boundary for commercial customers. The two documents are reconcilable only because flex routing is opt-in, which is why procurement teams are likely to spend more time on the opt-in setting and consent details than on the headline feature list. (learn.microsoft.com 1) (learn.microsoft.com 2)

There was a second policy wobble this week around wording that said Copilot was provided for "entertainment purposes", which triggered confusion because Microsoft 365 Copilot is sold as a work product. Microsoft told reporters that wording was legacy text, not a change in how enterprise Copilot is positioned, and said it would update the language. (moneycontrol.com) (microsoft.com)

So buyers now have two Microsoft messages to reconcile at once. One says Copilot is getting more enterprise-grade controls through Purview and SharePoint; the other says some legal and residency language still needs cleanup before global companies can treat the platform as settled. (learn.microsoft.com) (learn.microsoft.com)