You are composing an encrypted email in Outlook and want Copilot to help draft, summarize, or suggest replies. But Copilot may not work as expected when Microsoft Purview Message Encryption is active. This behavior occurs because encryption restricts how Copilot reads and processes email content to protect sensitive data. This article explains exactly what happens when Copilot and encryption interact, including which features remain available, which are blocked, and why.
Key Takeaways: Copilot and Purview Message Encryption in Outlook
- Copilot cannot read encrypted email content: Drafting and summarizing features that require access to the message body are blocked.
- Copilot can still access unencrypted metadata: Subject line, sender, recipients, and date fields remain readable for suggestions.
- Encrypted attachments are not processed: Copilot cannot summarize or extract data from encrypted files attached to an email.
How Microsoft Purview Message Encryption Affects Copilot Access
Microsoft Purview Message Encryption uses Azure Rights Management to encrypt email content at rest and in transit. When an email is encrypted, the message body and attachments are wrapped in a protected envelope. Copilot, as an AI service, needs to read the plaintext content of an email to generate drafts, summarize threads, or suggest replies. Because encryption prevents unauthorized access to the content, Copilot cannot perform these operations on encrypted messages.
The encryption policy is applied at the tenant level by administrators using Microsoft Purview compliance portal. Users can also manually encrypt individual messages in Outlook by selecting Options > Encrypt. Once encryption is applied, Copilot treats the message as read-only in terms of metadata only. This is a deliberate security design to prevent data leakage through AI processing.
What Copilot Can Still Do With Encrypted Emails
Even with encryption active, Copilot retains access to email metadata that is not part of the encrypted payload. This includes the subject line, sender email address, recipient list, and timestamp. Copilot can use this metadata to suggest reply subjects, organize conversations by topic, or identify key contacts. For example, if you are composing a new email to a recipient who previously sent an encrypted message, Copilot may suggest a subject line based on the unencrypted subject of that earlier thread.
What Copilot Cannot Do With Encrypted Emails
Copilot cannot read or process the body of any email that is encrypted. This means the following features are unavailable for encrypted messages:
- Draft with Copilot: The button to generate a draft based on the current email context will not appear or will show an error.
- Summarize email thread: Copilot cannot produce a summary of an encrypted conversation.
- Suggest reply: Copilot cannot propose a reply that references the content of an encrypted email.
- Coaching tips: Copilot cannot analyze tone or clarity of an encrypted draft because it cannot read the draft content.
Check if Copilot Is Blocked in Your Encrypted Email
Before you attempt to use Copilot on an encrypted message, verify the encryption status of the email. Outlook shows a blue banner or a lock icon in the message header for encrypted items. If Copilot is blocked, the Copilot icon in the ribbon may appear grayed out, or you may see a message stating that Copilot is unavailable for this message due to encryption settings.
- Open the encrypted email in Outlook
Double-click the email to open it in a separate window. This ensures you see the full encryption banner. - Look for the encryption banner
Check the top of the message for a blue bar that says “This message is encrypted” or a lock icon next to the sender name. - Check the Copilot icon in the ribbon
In the message window, look at the Home or Message tab. If the Copilot icon is grayed out, hover over it to see the tooltip explaining that encryption prevents Copilot access. - Test with a non-encrypted message
Open any email that does not have encryption. Copilot should be fully active. This confirms the issue is specific to encryption, not a broader Copilot outage.
If Copilot Still Shows Errors on Non-Encrypted Emails
Copilot shows “Encryption detected” on a message you did not encrypt
This can happen if your organization has a default encryption rule applied to all outbound messages. Check with your IT admin to see if a transport rule encrypts all emails sent to external domains. Even if you did not manually encrypt the message, Copilot treats it as encrypted if the message is protected by Azure Rights Management.
Copilot cannot draft a reply to an encrypted email
When replying to an encrypted email, the reply itself may inherit the encryption automatically. Copilot cannot read the reply content if it is encrypted. To draft a reply, remove the encryption from the reply message before using Copilot. In Outlook, go to Options > Encrypt and select No Encryption. However, check your organization’s policy because removing encryption may be restricted.
Copilot works intermittently on encrypted emails after an update
Microsoft occasionally updates the interaction between Copilot and Purview encryption. If you see inconsistent behavior, ensure you are running the latest version of Microsoft 365 Apps. Go to File > Office Account > Update Options > Update Now. After the update, restart Outlook and test again.
Copilot in Outlook With and Without Encryption: Feature Availability
| Feature | Without Encryption | With Purview Encryption |
|---|---|---|
| Draft with Copilot | Available | Blocked |
| Summarize email thread | Available | Blocked |
| Suggest reply | Available | Blocked |
| Coaching tips | Available | Blocked |
| Read subject line | Available | Available |
| Read sender and recipients | Available | Available |
| Read message body | Available | Blocked |
| Read attachments | Available | Blocked |
This table shows that encryption blocks all Copilot features that require access to the message body or attachments. Only metadata remains accessible. If you need Copilot assistance on an encrypted thread, you must either remove encryption from the specific message or compose a new unencrypted email referencing the topic manually.
You can now identify why Copilot is unavailable in an encrypted email and verify encryption status quickly. If you frequently work with encrypted messages, consider drafting content in a separate unencrypted note and then pasting it into the encrypted email. For advanced scenarios, ask your IT admin about creating an exception rule for Copilot processing while still encrypting the message for recipients.