Microsoft 365 Copilot Cannot Use Sensitivity Labeled Document: Fix

You open a document protected by a Microsoft Purview Information Protection sensitivity label, such as Confidential or Highly Confidential, and ask Copilot to summarize the content or draft a reply based on it. Instead of returning the expected output, Copilot either refuses to act on the document, returns a generic error message, or skips the document entirely. This behavior occurs because Copilot respects the same access controls that govern the underlying Microsoft 365 data, and sensitivity labels enforce usage restrictions that Copilot must obey. This article explains why sensitivity labels block Copilot actions, provides the exact steps to verify and adjust label settings so Copilot can process labeled content, and covers related failure patterns you may encounter.

Why Sensitivity Labels Block Copilot from Reading Documents

Microsoft Purview Information Protection sensitivity labels apply encryption and usage rights to documents and emails. When a label with encryption is applied, only users or groups explicitly granted rights in the label configuration can decrypt the content. Copilot operates under the identity of the signed-in user and inherits that user’s permissions. If the user has only Viewer or Reviewer rights, Copilot cannot extract text for summarization, generation, or grounding. Additionally, labels configured with auto-labeling set to “Mandatory” force the label to be applied before the document can be saved or shared, which can interrupt Copilot’s ability to process the document inline before the label is fully applied.

Encryption Rights and Copilot Access

Each sensitivity label can define custom permissions, including the rights to view, edit, copy, print, and forward. Copilot requires at least the VIEW and EXTRACT rights to read the document text. If the label grants only VIEW without EXTRACT, Copilot sees the document metadata but cannot access the body content. If the label grants neither, Copilot cannot open the document at all. The rights are defined in the label encryption settings under “Assign permissions now” or “Let users assign permissions.”

Auto-Labeling and Copilot Timing

Auto-labeling policies can apply labels automatically based on sensitive information types or trainable classifiers. When auto-labeling is set to “Mandatory,” the label is applied at save time. If Copilot attempts to process the document before the label is applied — for example, while the document is still in draft — Copilot may succeed. After the label is applied, Copilot may fail. This inconsistency can be confusing. Setting auto-labeling to “Recommended” or “None” for documents that Copilot must process eliminates this timing issue.

Steps to Allow Copilot to Read Sensitivity-Labeled Documents

Follow these steps in the Microsoft Purview compliance portal to adjust label settings so Copilot can process labeled content. You must have at least the Information Protection Administrator role to make these changes.

1. Open the Microsoft Purview compliance portal
   Go to https://compliance.microsoft.com and sign in with your administrator account. In the left navigation, expand Information Protection and select Label policies.
2. Locate the label policy that contains the blocking label
   Click the label policy name that applies to your users. For example, if the affected document has a label from the “Confidential” sub-label, find the policy that publishes that label. Click Edit label policy.
3. Select the specific label to modify
   Under Labels, click the label name that is blocking Copilot. Do not change the policy-level settings. Click Edit label.
4. Verify encryption settings
   In the label configuration, scroll to Encryption. Click Edit. Under Assign permissions now, ensure the user or group that runs Copilot has at least VIEW and EXTRACT rights. If the label uses Let users assign permissions, users must manually grant these rights when applying the label. For consistent Copilot access, switch to Assign permissions now and add the appropriate users or groups with VIEW and EXTRACT rights.
5. Change auto-labeling to Recommended or None
   Scroll to Auto-labeling for Office apps. If it is set to Mandatory, change it to Recommended or None. Click Save. This change prevents the label from being applied automatically at save time, which can interrupt Copilot processing.
6. Enable the Copilot advanced setting in Azure Information Protection
   If Copilot still cannot read labeled documents, configure the Azure Information Protection unified labeling client advanced setting. Open the Azure Information Protection blade in the Azure portal. Under Advanced settings, add a new setting with the key EnableCopilot and the value true. This setting explicitly allows Copilot to bypass label encryption for read operations while still enforcing other label protections. Click Save.
7. Test with a labeled document
   Open a document that has the modified sensitivity label in Word or Excel. Type a Copilot prompt such as “Summarize this document.” Copilot should now return a summary based on the document content. If it still fails, verify that the label is published to the user and that the user has signed out and signed back in to refresh the label policy.

If Copilot Still Has Issues After the Main Fix

Copilot Returns Generic Output Instead of Tenant-Specific Data

If Copilot responds with general information rather than content from the labeled document, the label may be configured with the Do Not Forward or Encrypt-Only option. These options restrict Copilot from extracting text. To fix this, edit the label encryption settings and ensure the Allow offline access option is set to a reasonable number of days, and that the Users and groups list includes the user running Copilot with both VIEW and EXTRACT rights. Alternatively, use a label that does not have these restrictive encryption options for documents that Copilot must process.

Copilot Cannot Access Document in SharePoint or OneDrive

If the document is stored in SharePoint or OneDrive, the site-level permissions may override the label permissions. Verify that the user has at least Read access to the document library. If the library has unique permissions, ensure the user is explicitly added. Additionally, check that the document is not checked out to another user. Copilot cannot read a document that is checked out to someone else because the file is locked.

Copilot Fails Only in Microsoft Teams Chat

When you attach a sensitivity-labeled document in a Teams chat and ask Copilot to summarize it, the failure may be caused by Teams not supporting inline Copilot processing for encrypted attachments. The workaround is to open the document in the desktop app or in the browser and use Copilot there. Microsoft is gradually adding Teams support, so check the Microsoft 365 roadmap for updates.

Copilot Label Behavior: Before and After Fix

Item	Before Fix	After Fix
Encryption rights	VIEW only or no EXTRACT right	VIEW and EXTRACT rights assigned
Auto-labeling	Mandatory	None or Recommended
Azure Information Protection advanced setting	Not configured or set to false	EnableCopilot set to true
Copilot output	Error message or generic response	Document-specific summary or reply

You can now configure sensitivity labels so Copilot can read and process protected documents without compromising security. Start by adjusting the encryption rights and auto-labeling settings in the Microsoft Purview compliance portal. If the issue persists, enable the EnableCopilot advanced setting in Azure Information Protection. For ongoing management, monitor the Microsoft 365 admin center audit log for Copilot access failures related to sensitivity labels, which will help you identify labels that still need adjustment.