Skip to main content
Version: 2.1.1-preview

MT.1175 - DLP policy is configured for the Microsoft 365 Copilot location

Overview​

Ensure a Microsoft Purview Data Loss Prevention (DLP) policy is configured for the Microsoft 365 Copilot location, so Copilot is blocked from summarising or surfacing files containing sensitive information types or labelled content the requesting user has access to but should not have AI summarise.

Microsoft 365 Copilot acts on every file, message and meeting that the requesting user can read. Without a DLP policy targeting the Copilot location, Copilot can:

  • Summarise files containing PII, PCI, PHI, secrets or other regulated data.
  • Paraphrase content from labelled documents in chat / Word / PowerPoint generations.
  • Expose oversharing risk in OneDrive / SharePoint at AI speed.

A DLP policy on the Copilot location lets you block Copilot interactions involving files that match SITs or have specific sensitivity labels β€” without disabling Copilot for the user entirely.

The test passes when at least one enabled, non-simulation DLP policy targets the Microsoft 365 Copilot location. Detection inspects multiple Purview schema fields (MicrosoftCopilotLocation, Workload, Locations, and EnforcementPlanes) so policies created through the older preview surface and through the current Microsoft Purview portal / PowerShell paths are both recognised.

Remediation action:​

  1. Open the Microsoft Purview portal β€” Data Loss Prevention β€” Policies.
  2. Click + Create policy and choose a Custom or template-based DLP policy.
  3. Under Locations, enable Microsoft 365 Copilot (you may also enable Exchange / SharePoint / OneDrive / Devices alongside).
  4. Configure rules β€” for example, match sensitive information types (Credit Card, SSN, customer-specific SITs) or sensitivity labels (Confidential, Highly Confidential).
  5. Choose actions β€” block Copilot from processing the matched file, notify the user, or generate an alert.
  6. Set Mode = Turn the policy on immediately (avoid leaving it in test/simulation mode for production protection).
  7. Verify with: Get-DlpCompliancePolicy | Where-Object { $_.MicrosoftCopilotLocation -or $_.Workload -match 'Copilot' -or ($_.Locations | Out-String) -match 'Copilot' -or ($_.EnforcementPlanes | Out-String) -match 'Copilot' }.

Test Metadata​

FieldValue
Test IDMT.1175
SeverityHigh
SuiteMaester
CategoryPurview
PowerShell testTest-MtPurviewAiDlpPolicy
TagsMaester, MT.1175, Purview

Source​

  • Pester test: tests/Maester/Purview/Test-MtPurviewAi.Tests.ps1
  • PowerShell source: powershell/public/maester/purview/Test-MtPurviewAiDlpPolicy.ps1