When an individual asks your organization for a copy of their personal data processed by Microsoft Copilot, you must respond lawfully and promptly. The Microsoft 365 Purview compliance portal provides a dedicated Data Subject Request tool for this task. This article walks through the exact steps to locate, review, and export Copilot-related personal data for a specific user. You will learn how to configure the search, understand what data Copilot stores, and deliver the export to the requester within the required timeframe.
Key Takeaways: Copilot DSAR Workflow
- Microsoft Purview compliance portal > Data Subject Requests: Central tool to create and manage DSAR searches for Copilot personal data.
- Search query with user principal name and date range: Filters Copilot activity logs and stored content for the specific requester.
- Export as CSV or PST: Delivers search results in a machine-readable format suitable for review and delivery to the data subject.
What Copilot Personal Data Is Subject to a DSAR
Microsoft Copilot processes personal data through user prompts, generated responses, and interaction logs. When a user submits a query in Copilot for Microsoft 365, the system stores the prompt text, the response text, and metadata such as timestamp and user identifier. This data is retained in Exchange Online mailboxes, SharePoint Online sites, and Microsoft 365 audit logs depending on the Copilot service used.
The Data Subject Access Request workflow in Microsoft Purview searches across these data sources. It does not search local device files or third-party services. The search scope covers Copilot interactions within Microsoft 365 apps including Word, Excel, PowerPoint, Teams, and Outlook. Any personal data stored in these Copilot interactions must be included in the DSAR response.
Before starting the workflow, you need the following prerequisites:
- Global Administrator or eDiscovery Manager role assigned in Microsoft 365
- Licensed Microsoft 365 E5 or Microsoft 365 E5 Compliance subscription
- The data subject’s user principal name for search targeting
- A defined date range for the search to limit scope
Steps to Create and Execute a Copilot DSAR in Microsoft Purview
The workflow uses the eDiscovery (Premium) solution in Purview. Follow these steps to create a case, run a search, review results, and export data for the requester.
- Open Microsoft Purview compliance portal
Go to https://compliance.microsoft.com and sign in with your administrator account. Select eDiscovery > eDiscovery (Premium) from the left navigation menu.
- Create a new DSAR case
Click the Cases tab, then click Create a case. Enter a case name such as “DSAR – John Smith – Copilot Data” and add a description. Set the access permissions to include only the eDiscovery managers who will process this request.
- Add the data subject as a custodian
Inside the case, go to Sources > Custodians. Click Add custodian and search for the data subject by name or user principal name. Select the user and click Next. On the settings page, ensure the mailbox and OneDrive for Business are included as data sources.
- Create a search query for Copilot data
Go to Searches and click New search. Name the search “Copilot Interactions Search.” In the query field, enter:
ComplianceTag:"CopilotInteraction" AND From:"user@domain.com"
Replace the email with the data subject’s user principal name. Set the date range to match the DSAR time window. Click Search.
- Review the search results
After the search completes, click the search name to open the results pane. Review the summary showing the number of items found. Click Review sample to inspect a subset of the data. Verify that the results contain Copilot prompts and responses for the data subject.
- Export the search results
Click Actions > Export results. Choose CSV for structured data or PST for mailbox content. Select the export options such as deduplication and file naming. Click Export and wait for the export job to complete. Download the exported files to a secure location.
- Review and redact if necessary
Open the exported CSV or PST file. Review each Copilot interaction for third-party personal data that must be redacted before delivery. Use Excel or a PST viewer to remove or mask data that does not belong to the requester.
- Deliver the data to the requester
Package the reviewed file in a password-protected archive. Send the archive to the data subject using a secure delivery method such as encrypted email or a secure file transfer link. Include a cover letter explaining the data format and the retention period for the request.
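A first-pass aid for the "Review and redact" step, added here as an example and not part of Purview or the original article: it masks every email address in a CSV export except the data subject's own, gives each third party a stable placeholder, and returns a list of touched rows for the reviewer. The column names (ItemId, Sender, Date, Body), the function name, and the sample rows are constructed assumptions; map them to the headers your export actually contains.

```python
import csv
import io
import re

# Constructed sample export. The column names are hypothetical: map them to
# the headers in the CSV that your Purview export actually contains.
SAMPLE_EXPORT = (
    "ItemId,Sender,Date,Body\n"
    "1,jsmith@contoso.example,2024-03-01,Summarize my notes (jsmith@contoso.example)\n"
    "2,jsmith@contoso.example,2024-03-02,Draft a reply to amy.lee@fabrikam.example\n"
    '3,jsmith@contoso.example,2024-03-05,'
    '"Cc bob@fabrikam.example, then Amy.Lee@fabrikam.example"\n'
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def redact_third_party_emails(csv_text, subject_upn, columns=("Body",)):
    """Mask every email address except the data subject's own.

    Returns (redacted_csv, findings, aliases). Each third party gets one
    stable alias so the requester can still follow a thread without learning
    who the other person is. findings lists (ItemId, column, alias) so a
    human reviewer can check every row that was changed.
    """
    subject = subject_upn.lower()
    aliases = {}    # lower-cased address -> placeholder
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()

    for row in reader:
        for col in columns:
            def mask(match, item=row["ItemId"], col=col):
                addr = match.group(0).lower()
                if addr == subject:
                    return match.group(0)   # requester's own data stays
                alias = aliases.setdefault(addr, f"[THIRD-PARTY-{len(aliases) + 1}]")
                findings.append((item, col, alias))
                return alias
            row[col] = EMAIL_RE.sub(mask, row[col] or "")
        writer.writerow(row)
    return out.getvalue(), findings, aliases
```

A pattern match only catches email addresses; names, phone numbers and other identifiers in prompts and responses still need the manual review described in the step above.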
Common Issues When Processing Copilot DSAR Requests
The search returns no results for Copilot interactions
This usually means the ComplianceTag filter is incorrect or the Copilot data is not indexed yet. Verify that the user has active Copilot licenses and has used Copilot within the date range. Check that the search location includes the user’s Exchange Online mailbox. If the user uses Copilot in Teams, ensure the Teams chat data is also included in the search scope by adding the Teams location in the search query.
The export file is too large to download
Purview limits single export files to 10 GB. If the search returns more data, split the search by date range. Create separate searches for each month or quarter. Export each batch individually. Combine the smaller files after download using a zip utility.
The data subject requests deletion instead of export
A DSAR can include a request for erasure under GDPR Article 17. In Purview, you cannot delete Copilot data directly from the search results. Instead, use the Microsoft 365 admin center to delete the user’s mailbox content or use the Purview content search delete action. Note that Copilot interaction logs in audit logs cannot be deleted; they are retained for compliance purposes.
| Item | eDiscovery (Premium) DSAR | Manual Search in Exchange Admin Center |
|---|---|---|
| Search scope | Mailbox, OneDrive, SharePoint, Teams, Copilot logs | Mailbox only |
| Filter for Copilot data | Yes, using ComplianceTag filter | No built-in filter |
| Export format | CSV, PST, or native files | PST only |
| Redaction tools | Review set with redaction | Not available |
| Time to complete | 30 minutes to 2 hours | 1 to 4 hours depending on mailbox size |
The eDiscovery (Premium) approach is the recommended method for Copilot DSARs because it provides the ComplianceTag filter and review set tools. Manual search does not support these capabilities.
You now have a complete workflow to process a Data Subject Access Request for Microsoft Copilot personal data. Start by creating a case in Purview eDiscovery (Premium) and adding the data subject as a custodian. Use the ComplianceTag filter to isolate Copilot interactions from other content. After export, review and redact the data before delivering it to the requester. As an advanced tip, schedule a recurring monthly search for all active Copilot users so you can respond to DSARs faster when they arrive.