Microsoft Copilot With Information Barriers: Cross-Group Behavior

When your organization uses information barriers in Microsoft 365, Copilot must respect those policies to prevent unauthorized cross-group communication. Information barriers restrict communication and collaboration between specific user groups, such as departments that handle sensitive data. Copilot inherits these restrictions, which means it cannot access, summarize, or generate content from data that belongs to a group the user is not permitted to interact with. This article explains exactly how Copilot behaves across groups, what data it can and cannot use, and how to verify that your barrier policies are applied correctly.

Key Takeaways: Copilot Cross-Group Behavior With Information Barriers

  • Information barrier policies in Microsoft Purview compliance portal: Define which user segments cannot communicate or share data; Copilot enforces these policies at runtime.
  • Copilot data grounding in Microsoft Graph: Copilot only retrieves data from files, chats, and emails the user has explicit access to; barrier policies restrict that access before Copilot reads anything.
  • Cross-group Copilot queries return limited or no results: If a user asks Copilot about content in a restricted segment, Copilot either returns an empty response or content only from the user’s own segment.

How Information Barriers Affect Copilot Data Access

Information barriers are policies defined in the Microsoft Purview compliance portal. They prevent specific user segments from communicating or sharing data with other segments. For example, a finance department segment might be blocked from communicating with a human resources segment that handles confidential employee data. When a user interacts with Copilot, the service checks the user’s identity and the information barrier policies for that user. Copilot then restricts its data grounding to only those Microsoft Graph resources the user is permitted to access.

Copilot uses data grounding to retrieve relevant information from Microsoft 365 services such as SharePoint, OneDrive, Teams chats, and emails. If information barrier policies block the user from a specific segment, Copilot cannot retrieve any data from that segment. This includes files, messages, calendar items, and any other content stored in Exchange Online, SharePoint Online, or Teams. The restriction applies to both the generation of new content and the summarization of existing content.

Scope of Copilot Features Affected

All Copilot features that rely on Microsoft Graph data are subject to information barrier policies. This includes Copilot in Word, Excel, PowerPoint, Outlook, Teams, and the Copilot pane in Microsoft 365 apps. For example, if a user in the finance segment asks Copilot in Word to summarize a document stored in a SharePoint site that belongs to the HR segment, Copilot returns an error or an empty response. The same applies to Copilot in Teams, where it cannot summarize chat messages or meeting transcripts from a restricted segment.

Cross-Group Behavior: What Copilot Does and Does Not Do

When a user attempts to access data across groups that are blocked by an information barrier, Copilot behaves in one of two ways depending on the scenario:

  1. Direct query about restricted content
    If the user explicitly asks Copilot about a file, email, or chat that belongs to a restricted segment, Copilot returns a response indicating that the content is not available or that the user does not have access. Copilot does not reveal any details about the content itself, including its title, author, or summary.
  2. Indirect query that might include restricted data
    If the user asks a general question that could be answered by data from multiple segments, Copilot only uses data from segments the user is permitted to access. The response is based solely on the user’s own segment data. Copilot does not indicate that other data exists but was excluded.

This behavior is by design. It ensures that information barrier policies are enforced without leaking any information about the existence or nature of restricted content. Users are not told what they are missing; they simply get results from their permitted data sources.

How to Verify Information Barrier Policies Are Applied to Copilot

To confirm that Copilot respects your information barrier policies, you need to test the configuration and monitor audit logs.

Test With a Controlled Query

  1. Create a test user in each segment
    Assign the user to a segment that is blocked from another segment. Ensure the test user has a Microsoft 365 E5 license or a Copilot for Microsoft 365 license.
  2. Place a known file in the restricted segment
    Upload a document to a SharePoint site that belongs to the restricted segment. Note the file name and a unique phrase in the document.
  3. Ask Copilot about the file from the test user account
    Open Copilot in Word or the Copilot pane and ask a question that includes the unique phrase. Verify that Copilot returns no results or an access denied message.
  4. Ask Copilot a general question from the test user account
    Ask a broad question that could be answered by data from both segments. Confirm that Copilot only returns results from the test user’s own segment.

Check Audit Logs for Copilot Activity

  1. Open the Microsoft Purview compliance portal
    Navigate to Audit in the left navigation.
  2. Search for Copilot interaction events
    Use the filter Workload: Copilot and set a time range. Look for events where the user queried content that is blocked by an information barrier.
  3. Verify the audit entry details
    In the audit log entry, check the Item field. If the item is from a restricted segment, the audit log shows that Copilot could not retrieve the data. The user does not see this log, but administrators can review it.
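The portal search above can also be run from Exchange Online PowerShell, which is useful when the check has to be repeated every quarter. The script below is an added example, not code from the original article or from Microsoft: it pulls the Copilot interaction audit events for a test user and flags any event whose grounding touched the SharePoint site placed in the restricted segment. The record type name CopilotInteraction and the AuditData fields CopilotEventData.AccessedResources, SiteUrl and Name are assumptions about the tenant's audit schema; the user and site URL are supplied as parameters.

```powershell
# Added example (not from the original article): list Copilot interaction audit
# events for a test user and flag any grounding on the restricted segment's site.
# Assumptions: the ExchangeOnlineManagement module is installed; the record type
# CopilotInteraction and the AuditData fields CopilotEventData.AccessedResources
# (with SiteUrl / Name) are assumed to match the tenant's audit schema.

param(
    [Parameter(Mandatory)] [string] $TestUser,          # UPN of the test account
    [Parameter(Mandatory)] [string] $RestrictedSiteUrl, # SharePoint site in the blocked segment
    [int] $LookbackHours = 24
)

Connect-ExchangeOnline -ShowBanner:$false

$end   = Get-Date
$start = $end.AddHours(-$LookbackHours)

# Workload: Copilot in the portal corresponds to this record type in PowerShell
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType CopilotInteraction -UserIds $TestUser -ResultSize 5000

$restricted = $RestrictedSiteUrl.TrimEnd('/')
$leaks = @()
foreach ($e in $events) {
    $data = $e.AuditData | ConvertFrom-Json
    # AccessedResources lists the Graph items Copilot grounded the answer on (assumed field name)
    $resources = @($data.CopilotEventData.AccessedResources)
    foreach ($r in $resources) {
        $siteUrl = [string]$r.SiteUrl
        if ($siteUrl -and $siteUrl.TrimEnd('/') -like "$restricted*") {
            $leaks += [pscustomobject]@{
                Time     = $e.CreationDate
                User     = $e.UserIds
                Resource = $r.Name
                SiteUrl  = $siteUrl
            }
        }
    }
}

"{0} Copilot interaction events for {1} in the last {2}h" -f @($events).Count, $TestUser, $LookbackHours
if ($leaks.Count -eq 0) {
    "No grounding on $RestrictedSiteUrl observed: the barrier appears to be enforced."
} else {
    "WARNING: Copilot grounded on the restricted site; review segment assignment:"
    $leaks | Format-Table -AutoSize
}
```

Run it after the controlled queries in the previous section have been issued, for example `.\Check-CopilotBarrier.ps1 -TestUser test.finance@contoso.example -RestrictedSiteUrl https://contoso.example/sites/hr` (placeholder values). An empty result set for the test user usually means the query has not been audited yet or the time window is wrong, not that the barrier worked, so confirm that at least one interaction event is listed before trusting the "no grounding" message.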

If Copilot Still Returns Restricted Data

If your testing reveals that Copilot is returning data from a restricted segment, the information barrier policy may not be correctly applied to the data source or the user. Review the following possibilities.

Information Barrier Policy Not Applied to SharePoint or Teams

Information barrier policies must be scoped to cover the SharePoint sites, Teams channels, and Exchange mailboxes that belong to each segment. If a site or channel is not assigned to a segment, Copilot can access it regardless of the user’s segment membership. Verify that each site and channel is linked to the correct segment by checking the site’s policy settings in the Microsoft Purview compliance portal.

User Not Assigned to the Correct Segment

A user must be assigned to a segment in Azure Active Directory for information barriers to apply. Check the user’s profile in the Microsoft 365 admin center under Active users. Confirm that the Information barrier attribute is set to the correct segment. If the attribute is missing or incorrect, update it and wait for the policy to propagate, which can take up to 24 hours.

Copilot License Not Properly Configured

If a user does not have a Copilot for Microsoft 365 license, Copilot is not available and no cross-group behavior occurs. Ensure the user is assigned the correct license under Billing > Licenses in the Microsoft 365 admin center.
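The three checks above (site bound to a segment, user assigned to a segment, Copilot license present) can be gathered in one pass. The following script is an added example, not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph.Users modules are installed and that the caller holds the relevant admin roles. The site properties InformationSegment and InformationBarriersMode, and matching the Copilot license by a SKU part number containing "Copilot", are assumptions; the user, site URL and admin URL are parameters.

```powershell
# Added example (not from the original article): collect the facts behind the
# three troubleshooting steps for one user and one SharePoint site.
# Assumptions: ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell
# and Microsoft.Graph.Users modules are installed; the InformationSegment and
# InformationBarriersMode site properties and the Copilot SKU name match are assumed.

param(
    [Parameter(Mandatory)] [string] $User,     # UPN of the affected user
    [Parameter(Mandatory)] [string] $SiteUrl,  # site expected to sit in the restricted segment
    [Parameter(Mandatory)] [string] $AdminUrl  # e.g. https://contoso-admin.sharepoint.com (placeholder)
)

# 1. Is the user assigned to a segment, and which barrier policies apply to them?
Connect-IPPSSession
"--- Segment and policy status for $User ---"
Get-InformationBarrierRecipientStatus -Identity $User

"--- Barrier policies (only policies in the Active state are enforced) ---"
Get-InformationBarrierPolicy |
    Select-Object Name, AssignedSegment, SegmentsBlocked, SegmentsAllowed, State |
    Format-Table -AutoSize

"--- Most recent policy application run (propagation can take up to 24 hours) ---"
Get-InformationBarrierPoliciesApplicationStatus -All | Select-Object -First 1

# 2. Is the site bound to a segment? A site with no segment is reachable from any segment.
Connect-SPOService -Url $AdminUrl
$site = Get-SPOSite -Identity $SiteUrl
"--- Site segment binding ---"
$site | Select-Object Url, InformationSegment, InformationBarriersMode | Format-List
if (-not $site.InformationSegment) {
    "WARNING: $SiteUrl has no information segment; barrier policies do not apply to it."
}

# 3. Does the user hold a Copilot license at all? Without one there is nothing to test.
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
$copilotSkus = Get-MgUserLicenseDetail -UserId $User |
    Where-Object { $_.SkuPartNumber -match 'Copilot' }   # SKU naming is an assumption
if ($copilotSkus) {
    "Copilot license(s) on $User : $($copilotSkus.SkuPartNumber -join ', ')"
} else {
    "WARNING: no Copilot license on $User; Copilot is not available to this account."
}
```

Work through the output top to bottom: a user with no segment in the recipient status, an inactive policy, a site with an empty InformationSegment, or a missing license each explains on its own why the cross-group query returned data, and fixing the first one found is the cheapest next step. Remember that segment and policy changes are applied asynchronously, so rerun the controlled query only after the application status shows a completed run.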

| Item | Copilot Without Information Barriers | Copilot With Information Barriers |
|---|---|---|
| Data grounding scope | All Microsoft Graph data the user has access to | Only data from segments the user is permitted to access |
| Cross-group query results | Returns content from any accessible segment | Returns empty response or error for restricted segments |
| User notification about restricted data | Not applicable | Copilot does not inform the user that data was excluded |
| Audit log visibility | Standard Copilot audit events | Includes events for blocked cross-group access attempts |
| Policy enforcement point | User-level permissions only | User-level permissions plus information barrier policies |

Copilot with information barriers applies an additional layer of access control beyond standard user permissions. This ensures that even if a user has read access to a SharePoint site, Copilot cannot retrieve data from that site if an information barrier blocks the user’s segment from the site’s segment.

To confirm that your information barrier policies are working as intended for Copilot, run the test queries described above at least once per quarter and after any policy changes. Monitor the Copilot audit logs for blocked access events to catch unintended data leaks early. If you need to adjust policies, always test with a non-production user account first to avoid disrupting business operations.