How to Use Sensitivity Labels With Copilot Generated Content

When you create documents, emails, or presentations using Copilot in Microsoft 365, the output may contain sensitive business information. Without proper protection, that content could be shared outside your organization or accessed by unauthorized users. Sensitivity labels in Microsoft Purview let you apply classification and protection rules automatically to Copilot-generated content. This article explains how to set up automatic labeling for Copilot output and how to apply labels manually after generation.

Key Takeaways: Apply Sensitivity Labels to Copilot Content

  • Microsoft Purview compliance portal > Information protection > Auto-labeling: Create policies that scan Copilot-generated files and apply labels based on content patterns.
  • Sensitivity label settings in Purview > Label > Auto-labeling for files and emails: Configure labels to apply automatically when Copilot creates content containing sensitive data.
  • Office apps > Home > Sensitivity button: Manually assign a label to any Copilot-generated document or email after creation.

How Sensitivity Labels Work With Copilot in Microsoft 365

Sensitivity labels are classification markers that define the sensitivity of your organization’s data. They can apply encryption, headers, footers, and watermarks automatically or on demand. When Copilot generates content in Word, Excel, PowerPoint, or Outlook, the resulting file inherits the same sensitivity label as the source data it references. If the source data has no label, the generated content remains unlabeled unless you configure automatic labeling policies.

Copilot uses Microsoft Graph to retrieve data from your tenant. The sensitivity labels applied to that source data are preserved in the output. For example, if you ask Copilot to summarize a document labeled “Confidential,” the summary file Copilot creates will also be marked “Confidential.” This inheritance behavior is built into Copilot’s integration with Microsoft Purview.

Prerequisites for Using Sensitivity Labels With Copilot

Before you can apply sensitivity labels to Copilot-generated content, your organization must meet these requirements:

  • An active Microsoft 365 E5 or Microsoft 365 E5 Compliance license for each user who creates or consumes labeled content.
  • Sensitivity labels published to users via the Microsoft Purview compliance portal.
  • Copilot for Microsoft 365 enabled for users in your tenant.
  • Azure Information Protection unified labeling client installed on Windows devices if you need manual labeling in older Office versions.

Configure Automatic Sensitivity Labeling for Copilot Content

Automatic labeling applies a sensitivity label to files and emails based on the content they contain. You can create auto-labeling policies that scan Copilot-generated documents for patterns like credit card numbers, passport numbers, or custom keywords. Follow these steps to set up automatic labeling.

  1. Sign in to the Microsoft Purview compliance portal
    Go to compliance.microsoft.com and sign in with an account that has Compliance Administrator or Security Administrator permissions.
  2. Open the Information protection section
    In the left navigation, select Information protection and then choose Auto-labeling from the submenu.
  3. Create a new auto-labeling policy
    Click + Create auto-labeling policy. Select a template such as “Financial” or “Privacy” to preconfigure sensitive info types, or choose Custom policy to define your own rules.
  4. Name the policy and choose locations
    Enter a name like “Copilot Auto-Labeling Policy.” Under Choose locations, select SharePoint sites and Exchange. Add the specific site URLs where Copilot saves generated documents. For example, add your team’s SharePoint document library URL.
  5. Define content conditions
    Under Content contains, click Add sensitive info types. Select the types you want to detect, such as “U.S. Social Security Number” or “International Bank Account Number.” You can also add custom keywords by clicking Add keyword dictionary.
  6. Select the sensitivity label to apply
    Under Choose label, pick a sensitivity label from the list. For example, select “Highly Confidential” if you want strict protection on Copilot output that contains sensitive data. Click Next.
  7. Set the policy mode and test
    Choose Simulation mode first to see which files would be labeled. Run the simulation for at least 24 hours. Review the results in the Simulation tab. If the matches are correct, edit the policy and change the mode to Enforce.
  8. Review and finish
    Click Submit to activate the policy. The auto-labeling engine now scans all new and modified files in the selected locations, including those created by Copilot.
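The same policy can be scripted through Security & Compliance PowerShell. The following is an added example, not part of the original article: the site URL is a constructed placeholder, and the sensitive info type names are assumed to match the built-in display names in your tenant (the script checks them before creating anything).

```powershell
# Added example: scripted equivalent of the portal steps above.
# Requires the ExchangeOnlineManagement module and a compliance admin role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = 'Copilot Auto-Labeling Policy'
$labelName  = 'Highly Confidential'   # must already be a published label
$siteUrl    = 'https://contoso.sharepoint.com/sites/ExampleTeam'  # placeholder URL
$sitNames   = @(
    'U.S. Social Security Number (SSN)',            # assumed built-in display name
    'International Banking Account Number (IBAN)'   # assumed built-in display name
)

# Fail early if the label or a sensitive info type does not exist in the tenant.
if (-not (Get-Label -Identity $labelName -ErrorAction SilentlyContinue)) {
    throw "Sensitivity label '$labelName' was not found."
}
$known   = (Get-DlpSensitiveInformationType).Name
$missing = $sitNames | Where-Object { $_ -notin $known }
if ($missing) { throw "Unknown sensitive info types: $($missing -join ', ')" }

# Steps 4, 6 and 7: name, locations, label, and simulation mode.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -SharePointLocation $siteUrl `
    -ExchangeLocation All `
    -ApplySensitivityLabel $labelName `
    -Mode TestWithoutNotifications

# Step 5: content conditions. Rules are created per workload.
$conditions = $sitNames | ForEach-Object { @{ Name = $_; minCount = '1' } }
foreach ($workload in 'SharePoint', 'Exchange') {
    New-AutoSensitivityLabelRule -Name "$policyName - $workload" `
        -Policy $policyName `
        -Workload $workload `
        -ContentContainsSensitiveInformation $conditions
}

# Confirm the mode and locations that were actually saved.
Get-AutoSensitivityLabelPolicy -Identity $policyName |
    Format-List Name, Mode, SharePointLocation, ExchangeLocation

# After reviewing the simulation results, switch to enforcement:
# Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```

Re-running the `Get-AutoSensitivityLabelPolicy` line later is also a quick way to check whether a policy is still in simulation or is missing the site where Copilot saves files.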

Manually Apply a Sensitivity Label to Copilot Content in Office Apps

If automatic labeling is not configured or you need to override the inherited label, you can apply a sensitivity label manually. This method works in Word, Excel, PowerPoint, and Outlook after Copilot generates the content.

In Word, Excel, or PowerPoint

  1. Open the Copilot-generated file
    Double-click the file in SharePoint, OneDrive, or your local folder. The document opens in the desktop or web version of the Office app.
  2. Locate the Sensitivity button
    In the top-right corner of the ribbon, find the Sensitivity button. It shows the current label name or “No label” if none is applied.
  3. Select the desired sensitivity label
    Click the Sensitivity button and choose a label from the dropdown list. For example, select “Internal” or “Confidential.” The label applies immediately, and the document header or footer updates accordingly.
  4. Save the file
    Press Ctrl+S to save the labeled file. The label persists in the file metadata and travels with the document when shared.

In Outlook

  1. Create a new email with Copilot
    In Outlook, click New Email and use Copilot to draft the message content.
  2. Open the Sensitivity dropdown
    In the email compose window, go to the Options tab. Click the Sensitivity button in the ribbon.
  3. Choose a label
    Select the appropriate label, such as “Internal Only” or “Confidential.” The email header shows the label name.
  4. Send the email
    Click Send. The sensitivity label is applied to the email and any attachments Copilot generated.

Common Issues When Using Sensitivity Labels With Copilot

Copilot Output Does Not Inherit the Source File’s Label

If Copilot generates a summary or draft from a labeled file but the output appears unlabeled, check the following:

  • Confirm the source file has a published sensitivity label. Labels that are in draft or not published do not trigger inheritance.
  • Verify that the user has the Azure Information Protection unified labeling client installed if using Office desktop apps on Windows.
  • Ensure the Copilot service has access to the source file. If the file is stored in a site that Copilot cannot read, inheritance fails.

Auto-Labeling Policy Does Not Scan Copilot Files

If your auto-labeling policy runs but does not detect Copilot-generated documents, review these settings:

  • Make sure the policy includes the exact SharePoint site URL where Copilot saves files. Use the full site collection URL, not the root domain.
  • Check that the policy mode is set to Enforce and not still in simulation mode.
  • Verify that the sensitive info types in the policy match the actual content in the Copilot output. For example, if the policy looks for credit card numbers but the output contains only names, no label will apply.

Manual Labeling Option Is Grayed Out

When the Sensitivity button appears but you cannot select a label, the likely cause is a group policy or conditional access rule that restricts labeling to certain users. Contact your Microsoft 365 administrator to verify that your user account is included in the label publishing scope.

Sensitivity Label Inheritance vs Automatic Labeling: Key Differences

| Item | Label Inheritance from Source | Automatic Labeling via Policy |
|---|---|---|
| Trigger | Copilot reads a labeled source file | Policy scans file content after creation |
| User action required | None | None after policy is configured |
| Detection method | Metadata of source file | Sensitive info types or pattern matching |
| Applicable to | Only files that reference a labeled source | All files in selected locations |
| Custom keywords | Not supported | Supported via keyword dictionaries |
| Encryption enforcement | Inherits encryption from source label | Applies encryption defined in the label |

Both methods can work together. Label inheritance covers content that references labeled data. Automatic labeling catches content that contains sensitive patterns but came from unlabeled sources. For maximum protection, enable both approaches in your tenant.

You now know how to configure automatic labeling policies and apply sensitivity labels manually to Copilot-generated content. Start by running a simulation policy on your team’s SharePoint site to see which files Copilot creates and which labels would apply. After reviewing the simulation results, switch the policy to enforce mode. For files that bypass automatic detection, train your users to use the Sensitivity button in the Office ribbon. As an advanced step, create a custom sensitive info type that matches your organization’s confidential project codenames so Copilot output containing those names is labeled automatically.
