Microsoft Expands Copilot Enterprise Controls and Data Access
Microsoft is extending its data loss prevention (DLP) controls to cover all storage locations accessed by Microsoft 365 Copilot, including SharePoint, OneDrive, and Teams. The AI assistant will also now draw data from Bing, MSN, and Edge by default, though an opt-out is available. CEO Satya Nadella framed the updates as foundational for adopting agentic AI at scale within enterprises.
- The expanded Data Loss Prevention (DLP) controls are integrated with Microsoft Purview, allowing organizations to create policies that prevent Copilot from processing content with specific sensitivity labels. This protection was previously limited to data in SharePoint and OneDrive but now extends to documents on local devices. These DLP policies function by identifying sensitivity labels on content and restricting Copilot from processing that information, rather than blocking data from leaving the organization. - The connection to Bing, MSN, and Edge data is designed to power Copilot's "memory" feature, enabling it to remember user preferences and context from those services. This "Microsoft usage data" setting is on by default, but users can opt-out and delete existing memory data through their Copilot settings. Microsoft states this data is used for personalization and not for training the foundational large language models. - Microsoft's vision for "agentic AI" involves AI agents that can autonomously manage business processes across different applications and databases, moving beyond the current "copilot" model where a human is always in the loop. CEO Satya Nadella suggests this will redefine Software-as-a-Service (SaaS) models, with prompts becoming the primary user interface to direct these autonomous agents. - Under its Enterprise Data Protection (EDP) commitments, Microsoft ensures that prompts, responses, and data accessed via Microsoft Graph are not used to train foundation LLMs. This policy is aligned with existing commitments for Microsoft 365 commercial customers, including GDPR and the EU Data Boundary. - The DLP policies can be configured to block Copilot from processing files based on Sensitive Information Types (SITs), such as those containing credit card or social security numbers. This allows for real-time policy enforcement as users interact with the AI assistant. - To prevent users from accessing the consumer version of Copilot without commercial data protection, administrators can update their DNS configuration to redirect traffic from `www.bing.com` to `nochat.bing.com`. - Security Copilot capabilities are directly embedded into the Microsoft Purview platform, allowing compliance professionals to use natural language to summarize alerts and investigate data security incidents. This integration helps automate and streamline compliance and reporting tasks.
