Communication Compliance in Microsoft Purview helps your organization detect and review potentially inappropriate messages. When users interact with Copilot across Microsoft 365 apps, those interactions can also be captured and analyzed. This article explains how to configure communication compliance rules specifically for Copilot-generated content. You will learn the required permissions, the step-by-step setup process, and common pitfalls to avoid.
Key Takeaways: Configuring Copilot Communication Compliance in Purview
- Microsoft Purview compliance portal > Communication Compliance > Policies: Create a new policy and select the Copilot interactions template.
- Policy settings > Conditions > Copilot messages: Choose which Copilot interactions to monitor, such as chats in Teams or prompts in Word.
- Reviewers and alerts: Assign reviewers and set alert thresholds to respond quickly to policy violations.
Understanding Copilot Communication Compliance in Purview
Communication Compliance is a feature in Microsoft Purview that helps organizations detect and act on inappropriate or risky messages. It uses machine learning classifiers and custom keyword lists to scan communications. Copilot interactions, including prompts and responses in Microsoft 365 apps, can be included in these scans. This ensures that employee use of AI tools meets your organization’s compliance and security standards.
Before you start, you need a license that includes Communication Compliance. The required license is Microsoft 365 E5, Microsoft 365 E5 Compliance, or Microsoft 365 E5 Insider Risk Management. You also need the Communication Compliance Admin role or equivalent permissions in the Microsoft Purview compliance portal. Without these licenses and roles, the policy creation options for Copilot will not appear.
Steps to Create a Copilot Communication Compliance Policy
- Sign in to the Microsoft Purview compliance portal
Go to https://compliance.microsoft.com and sign in with your admin credentials. In the left navigation menu, select Communication Compliance.
- Create a new policy
On the Communication Compliance page, select the Policies tab. Click Create policy. From the list of templates, choose the Copilot interactions template. This template is pre-configured to scan Copilot messages across supported apps.
- Name the policy and choose users
Enter a descriptive name for the policy, for example “Copilot Compliance Scan – All Users.” Under Choose users and groups, select all employees or a specific group. You can use Azure AD groups to scope the policy to certain departments.
- Select communication conditions
In the Conditions section, check the box for Copilot messages. You can also add other communication types like Teams chats or Exchange emails. Use the dropdown to select specific Copilot interactions: prompts, responses, or both.
- Add classifiers and keyword lists
Under Classifiers, choose one or more pre-built classifiers such as Offensive Language, Harassment, or Threat. To add custom keywords, click Add keyword list. Enter terms specific to your organization, like project code names or internal acronyms. Click Add.
- Configure review and alerts
In the Review and alerts section, assign at least one reviewer from your compliance team. Set the alert threshold — for example, send an alert when 5 or more policy matches occur within an hour. This prevents alert fatigue while catching serious violations.
- Review and finish
Review all settings on the summary page. Click Submit to create the policy. The policy will start scanning Copilot interactions within 24 hours.
If Copilot Interactions Are Not Being Scanned
Copilot messages do not appear in the policy
This usually happens when the Copilot interactions template is not selected during policy creation. Go back to the policy settings and confirm that Copilot messages is checked under Conditions. Also verify that the users included in the policy have active Copilot licenses. Without a Copilot license, the user’s interactions are not generated and cannot be scanned.
False positives or missed violations
Machine learning classifiers sometimes miss context. For example, a sarcastic remark might not trigger the Offensive Language classifier. To reduce false negatives, add custom keyword lists with terms your compliance team has identified as high risk. For false positives, use the Review tab to mark items as Not a violation. This trains the classifier over time.
Reviewers do not receive alerts
Check the alert threshold settings in the policy. If the threshold is too high, minor violations may not trigger an alert. Lower the threshold to a number that matches your organization’s risk tolerance. Also confirm that reviewer email addresses are correct in the Review and alerts section.
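To choose a threshold before changing the policy, you can replay past policy-match times against several candidate values. The following is an added example, not Microsoft's code and not Purview's actual alert logic: it assumes a sliding one-hour window that resets after each alert, the function names are hypothetical, and the timestamps are constructed sample data.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample: times of policy matches for one policy (not real export data).
SAMPLE_MATCHES = [
    "2024-05-06T09:02:00", "2024-05-06T09:10:00", "2024-05-06T09:15:00",
    "2024-05-06T09:40:00", "2024-05-06T09:55:00", "2024-05-06T10:20:00",
    "2024-05-06T13:05:00", "2024-05-06T13:30:00", "2024-05-06T16:45:00",
]


def alerts_for_threshold(timestamps, threshold, window=timedelta(hours=1)):
    """Return the times at which an alert would fire under a sliding-window model.

    Assumption: an alert fires when `threshold` or more matches fall inside
    `window`; the window is then reset so one burst raises one alert.
    """
    recent = deque()
    alerts = []
    for ts in sorted(datetime.fromisoformat(t) for t in timestamps):
        recent.append(ts)
        # Drop matches that are a full window or more older than the newest one.
        while ts - recent[0] >= window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ts)
            recent.clear()
    return alerts


def compare_thresholds(timestamps, candidates):
    """Map each candidate threshold to the number of alerts it would raise."""
    return {n: len(alerts_for_threshold(timestamps, n)) for n in candidates}


if __name__ == "__main__":
    for n, count in compare_thresholds(SAMPLE_MATCHES, [2, 3, 5, 8]).items():
        print(f"threshold={n}: {count} alert(s) for {len(SAMPLE_MATCHES)} matches")
```

On the sample data, a threshold of 8 raises no alerts at all, which is the "threshold too high" case described above, while a threshold of 2 raises four alerts for nine matches.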
Communication Compliance Policy Types: Copilot Template vs Custom Policy
| Feature | Copilot Interactions Template | Custom Policy (No Template) |
|---|---|---|
| Pre-configured for Copilot | Yes — automatically selects Copilot messages condition | No — you must manually add Copilot messages condition |
| Recommended for | Organizations new to Copilot compliance | Organizations with existing policies that need Copilot added |
| Time to create | 5–10 minutes | 10–15 minutes |
| Custom classifiers | Optional — can add after template is applied | Required — you choose all classifiers manually |
Both options work equally well. The template saves time and reduces the risk of missing the Copilot condition. Use the custom policy if you want to combine Copilot scanning with other communication types in one policy.
You can now create and manage Copilot communication compliance rules in Microsoft Purview. Start by using the Copilot interactions template to scan prompts and responses across your organization. Review the alerts and adjust keyword lists as your compliance needs evolve. For advanced protection, combine this policy with insider risk management policies to detect data exfiltration via Copilot.