How to Use Microsoft Purview to Govern Copilot Activity

As organizations adopt Copilot across Microsoft 365, administrators need visibility into what data the AI assistant reads on a user's behalf and what it returns. Copilot runs with the signed-in user's own permissions, so anything a user can already open is a candidate for a Copilot answer; without governance, over-shared or mislabeled content surfaces in responses and sensitive data ends up in prompts. Microsoft Purview provides the compliance tools to audit, monitor, and constrain Copilot activity. This article explains how to configure Purview to govern Copilot usage effectively.

Key Takeaways: Governing Copilot with Microsoft Purview

  • Microsoft Purview portal > Audit > Search: Finds Copilot interaction records (activity Interacted with Copilot) generated in Teams, Word, Excel, and the other M365 apps that host Copilot.
  • Microsoft Purview portal > Data Loss Prevention > Policies: A DLP policy scoped to the Microsoft 365 Copilot location prevents Copilot from processing or returning content the policy matches, for example files carrying a given sensitivity label or, where the location supports that condition, prompts containing a sensitive info type such as a credit card number.
  • Microsoft Purview portal > Communication Compliance > Policies: A policy scoped to the Microsoft 365 Copilot location flags inappropriate or policy-violating prompts and responses for reviewer action. It detects; it does not block.

What Microsoft Purview Offers for Copilot Governance

Microsoft Purview is the compliance hub for Microsoft 365. It includes several tools that directly apply to Copilot governance. The key capabilities are auditing, data loss prevention, communication compliance, and retention policies. Each tool addresses a different compliance need.

Auditing in Purview records a CopilotInteraction event each time a user interacts with Copilot. The record identifies the user, the time, the host app (Teams, Word, and so on), and the resources Copilot referenced, including their sensitivity label IDs. It does not contain the prompt or response text; that content is stored in the user's mailbox and is searched with eDiscovery or reviewed through Communication Compliance. Auditing must be enabled before any records appear.

Data Loss Prevention or DLP policies can be scoped to Copilot. The conditions and actions available for the Copilot location are narrower than for Exchange or SharePoint: the principal control is to stop Copilot from processing content that carries a specified sensitivity label, and where the location supports sensitive info types (Social Security numbers, or a custom type for confidential project names) a matching prompt can be blocked with a policy tip to the user and an alert to administrators. Because Copilot runs with the user's own permissions, DLP and labels add a control only on content the user could already open; they do not repair over-shared sites or files.

Communication Compliance policies scan Copilot prompts and responses for inappropriate language, harassment, or sharing of restricted information and route matches to reviewers. These policies cover Copilot in Teams and the other M365 apps. Retention policies govern how long the prompts and responses themselves (stored in the user's mailbox) are kept or deleted; retention of the audit records is set separately, through the audit retention policies that come with Audit (Premium).

Prerequisites for Using Purview with Copilot

Before you configure Purview for Copilot governance, confirm the following requirements:

  • Licensing: Audit (Standard), which records Copilot interactions, is included with Microsoft 365 E3 and E5. DLP scoped to Copilot and Communication Compliance need Microsoft 365 E5, Microsoft 365 E5 Compliance, or the matching add-on (E5 Information Protection and Governance for DLP, E5 Insider Risk Management for Communication Compliance). Users must hold a Microsoft 365 Copilot license to generate any Copilot activity at all.
  • Roles: Compliance Administrator or Compliance Data Administrator to configure DLP and Communication Compliance. To search the audit log you need the Audit Reader or Audit Manager role group in Purview (or a role group containing the View-Only Audit Logs role in Exchange Online).
  • Audit Logging: The unified audit log must be turned on. This is a tenant-wide setting under Audit in the Purview portal.

Steps to Enable and Search Copilot Audit Logs

Audit logs are the foundation of Copilot governance. They record every interaction and allow administrators to investigate specific users, dates, or data sources. Follow these steps to enable audit logging and search for Copilot activity.

  1. Open the Microsoft Purview portal
    Go to https://purview.microsoft.com (the older https://compliance.microsoft.com address redirects there) and sign in with an account that holds an audit role.
  2. Enable audit logging if not already active
    Select Audit. If the banner says auditing is turned off, click Start recording user and admin activity. The change can take up to an hour to apply, and records then appear within hours (allow up to 24).
  3. Search for Copilot activity
    On the Audit search page, under Activities, type Copilot and select Interacted with Copilot (operation name CopilotInteraction). Alternatively, leave Activities empty and filter on the record type CopilotInteraction. This single activity covers prompts and responses in every host app.
  4. Set the date range and user
    Choose a start and end date. To narrow to a specific user, enter their UPN in the Users field; leave it blank to see all users.
  5. Run the search and review results
    Click Search. The results table lists each interaction with date, user, record type, and activity. Open a row to see the AuditData: the host app (AppHost), the context (for example the open file or Teams thread), and the resources Copilot referenced with their sensitivity label IDs. The prompt and response text are not in the audit record; use eDiscovery or Communication Compliance to read them.
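The same search can be run from Exchange Online PowerShell, which is how you would script a recurring review or feed a SIEM. The script below is an added example, not from the original article or from Microsoft; it checks that the unified audit log is ingesting, pages through CopilotInteraction records for the last seven days, and flattens the referenced resources and their sensitivity label IDs into a table. It assumes the ExchangeOnlineManagement module is installed and the account holds an audit role; the placeholder UPN and the seven-day window are assumptions, and the AuditData field names follow the published CopilotInteraction schema, so verify them against a record from your own tenant.

```powershell
# Added example (not from the original article): list Microsoft 365 Copilot
# interactions from the unified audit log and summarize which resources
# Copilot referenced, using Exchange Online PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; the signed-in account
# holds Audit Reader/Audit Manager (or View-Only Audit Logs); the UPN below is a
# placeholder. Field names (CopilotEventData.AppHost, .AccessedResources) follow
# the published CopilotInteraction audit schema and may change.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com   # placeholder UPN

# 1. Confirm the unified audit log is actually ingesting events before searching.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging is OFF. Enable with: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true"
    return
}

# 2. Pull CopilotInteraction records for the last 7 days, paging through large result sets.
$start     = (Get-Date).AddDays(-7)
$end       = Get-Date
$sessionId = "copilot-audit-" + [guid]::NewGuid()
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType CopilotInteraction -Operations CopilotInteraction `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page -and $page.Count -eq 5000)

# Paged searches can return the same record twice; dedupe on the record identity.
$records = $records | Sort-Object Identity -Unique
Write-Host ("Retrieved {0} Copilot interaction records" -f $records.Count)

# 3. Parse the AuditData JSON of each record and flatten what matters for review:
#    who, when, which host app, and which resources (with their label IDs)
#    Copilot referenced. The prompt text itself is not in the audit record.
$rows = foreach ($r in $records) {
    $d  = $r.AuditData | ConvertFrom-Json
    $ev = $d.CopilotEventData
    foreach ($res in @($ev.AccessedResources)) {
        [pscustomobject]@{
            Time             = $r.CreationDate
            User             = $r.UserIds
            AppHost          = $ev.AppHost
            ResourceName     = $res.Name
            ResourceType     = $res.Type
            SensitivityLabel = $res.SensitivityLabelId   # label GUID; map to a name with Get-Label in Security & Compliance PowerShell
            Action           = $res.Action
        }
    }
}

# 4. Review output: per-user count of referenced resources, then every labeled
#    resource Copilot touched (the set a DLP-for-Copilot policy is meant to constrain).
$rows | Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
$rows | Where-Object { $_.SensitivityLabel } |
    Sort-Object Time | Format-Table -AutoSize

# Optional: export for a ticket or SIEM ingestion.
$rows | Export-Csv -Path .\copilot-accessed-resources.csv -NoTypeInformation
```

Run it after auditing has been on for a day; an empty result with ingestion enabled usually means no licensed user has used Copilot in the window rather than a misconfiguration. Records whose AccessedResources carry a label ID are the ones to cross-check against your DLP policy: if a label you intended to fence off appears here after the policy is on, the policy is not matching.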

Steps to Create a DLP Policy for Copilot

DLP policies keep sensitive information out of Copilot's reach. A policy scoped to the Copilot location can stop Copilot from processing content that carries a given sensitivity label and, where the portal offers sensitive info type conditions for that location, content such as credit card numbers, passport data, or a custom sensitive info type. Create a DLP policy that targets the Copilot location.

  1. Navigate to Data Loss Prevention
    In the Purview portal, go to Data Loss Prevention and then select Policies.
  2. Create a new policy
    Click Create policy. Choose Custom and then Custom policy. Give the policy a name such as Copilot DLP – Financial Data.
  3. Select the location
    Under Choose locations to apply the policy, select the Microsoft 365 Copilot location (its exact label has varied across portal releases). It covers Copilot prompts and responses in all M365 host apps. A policy can include Exchange, SharePoint, and OneDrive as well, but the conditions and actions offered to the rule are then limited to the ones every selected location supports.
  4. Define the rule conditions
    Click Create or customize advanced DLP rules and add a rule. Under Conditions, select Content contains. The condition the Copilot location is built around is Sensitivity labels: pick the labels (for example Highly Confidential) whose content Copilot must not use. Sensitive info types such as Credit Card Number or U.S. Social Security Number can be added where the portal offers them for this location.
  5. Set the action
    Under Actions, add the restrict-access action and choose its Copilot-specific option, which prevents Copilot from processing or summarizing matching content. Turn on user notifications and a policy tip so users see why Copilot declined to use a source.
  6. Test and deploy
    Start in simulation mode (shown as Run the policy in simulation mode; older portals call it Test mode). Review DLP alerts and Activity explorer for a few days, confirm that legitimate use is not being blocked, then switch to Turn the policy on immediately.

Steps to Configure Communication Compliance for Copilot

Communication Compliance policies detect policy violations in Copilot conversations and route them to reviewers. They are useful for catching harassment, attempts to pull confidential data out through prompts, or inappropriate language. This is a detection control: matching items are queued for human review after the fact, not blocked. Configure a policy to monitor Copilot interactions.

  1. Open Communication Compliance
    In the Purview portal, go to Communication Compliance and then select Policies.
  2. Create a new policy
    Click Create policy. Choose a template such as Detect inappropriate text or Monitor for sensitive info. Give the policy a name like Copilot Communication Policy.
  3. Select Copilot as the channel
    Under Choose locations, check Copilot. This includes Copilot conversations in Teams, Word, Excel, PowerPoint, and Outlook. You can also add Microsoft Teams and Exchange if you want broader coverage.
  4. Configure conditions
    Under Conditions, choose the type of content to detect. For inappropriate text, select Content contains any of these classifiers and pick classifiers like Threat, Harassment, or Profanity. For sensitive info, select Content contains sensitive info types and choose the types.
  5. Assign reviewers and create the policy
    Under Reviewers, add the compliance officers who will triage flagged items. Communication Compliance does not block a prompt or response; it captures matches for review. Reviewers act on each flagged item afterwards (notify the user, escalate, or resolve), and a matching message can be removed only in Teams. Click Create policy.

If Copilot Activity Is Not Appearing in Audit Logs

Audit logging is disabled

If no Copilot interactions appear in the Audit search, confirm that audit logging is turned on. Go to Purview > Audit and check the banner. If it says auditing is off, click Start recording user and admin activity. Logs can take up to 24 hours to appear after enabling.

Licenses are missing

Copilot audit events require a Microsoft 365 Copilot license for the user, and the user must also be covered by a license that includes Audit (Standard) (Microsoft 365 E3 or E5). Audit (Premium), included in E5, adds longer retention and audit retention policies. Verify in the Microsoft 365 admin center that users have the required licenses assigned.

Incorrect activity filter

In the Audit search page, ensure you selected the Copilot activity. Type Copilot in the Activities box and select Interacted with Copilot, or clear the activity filter and filter on the record type CopilotInteraction instead, so the search is not narrowed to an activity that never fires.

Copilot Governance Features: Purview vs Native Microsoft 365 Controls

Item | Microsoft Purview | Native M365 Controls
Audit logging | CopilotInteraction records: user, host app, referenced resources and their label IDs | Sign-in and basic admin activity only; no per-interaction record
Data loss prevention | Policy scoped to the Copilot location prevents Copilot from using labeled or sensitive content | No Copilot-specific DLP
Communication compliance | Flags policy violations in Copilot prompts and responses for review | No Copilot-specific monitoring
Retention | Retention policies for Copilot prompts and responses; audit retention policies (Audit Premium) for the records | Default audit retention of 180 days (Audit Standard) or one year (Audit Premium)
Alerting | Alerts on DLP and Communication Compliance matches | Basic admin alerts

Microsoft Purview provides the advanced governance capabilities that native M365 controls lack. For organizations that need to meet regulatory requirements or protect sensitive data, Purview is the recommended solution.

You now have the steps to enable audit logging, create DLP policies, and set up communication compliance for Copilot. Start by enabling audit logs and running a search to confirm Copilot activity is recorded. Next, create a DLP policy for the sensitivity labels and sensitive data types that matter most in your organization. For longer-term governance, add a retention policy for Copilot prompts and responses, and an audit retention policy if you hold Audit (Premium), so both are kept for the period your compliance team requires.