Microsoft Extends DLP Support for Copilot to Prevent Sensitive File Processing



Purview Data Loss Prevention (DLP) controls are being expanded to block Microsoft 365 Copilot from processing sensitivity-labeled files across all storage locations, including local devices.

The change aims to close a critical governance gap in enterprise AI deployments. Previously, DLP policy enforcement for Copilot was limited to files stored in SharePoint Online and OneDrive for Business.

This created a significant blind spot: files stored locally on an employee’s device, or accessible via a network drive, could still be ingested by Copilot even if the organization had DLP policies in place to restrict sensitive content.

Microsoft’s update directly addresses this limitation by extending coverage to every location where Office files may reside.

How the DLP Extension Works

The technical change is rooted in how Copilot’s augmentation loop (AugLoop) retrieves sensitivity label information.

Previously, AugLoop called Microsoft Graph using the file’s SharePoint or OneDrive URL to detect a file’s label. This method inherently excluded locally stored files.


With this update, Office clients have been enhanced to provide the sensitivity label directly to AugLoop on the client side, eliminating the need for a cloud-based URL lookup.

This architectural change enables DLP policies to evaluate and enforce restrictions consistently, regardless of whether the file resides in OneDrive, SharePoint, a network drive, or a local device.

When an active DLP policy detects that a file carries a restricted sensitivity label, Copilot is blocked from processing the file’s content in Word, Excel, or PowerPoint.

| Detail | Information |
| --- | --- |
| Roadmap ID | 557255 |
| Message ID | MC1234661 |
| Affected Apps | Word, Excel, PowerPoint |
| Rollout Start | Late March 2026 |
| Rollout Complete | Late April 2026 |
| Required License | Microsoft 365 Copilot + M365 E5 |
| Policy Changes Needed | None |
| Default State | On (for tenants with DLP rules) |

The change is on by default for all tenants that have relevant DLP rules already configured, and no policy migration or reconfiguration is required.

Existing policies will continue to function exactly as before; they simply gain broader enforcement coverage automatically.

Rollout Timeline and Requirements

Microsoft has confirmed this update under Roadmap ID 557255 and Message ID MC1234661.

General availability for Worldwide and GCC environments is scheduled to begin in late March 2026 and is expected to be completed by late April 2026.

Administrators who manage Purview DLP policies are advised to review any existing sensitivity-label-based restrictions and update internal helpdesk documentation accordingly.

Communication to security and compliance teams is also recommended to ensure awareness of the expanded enforcement scope.

Organizations currently relying on Microsoft 365 Copilot should note that a Microsoft 365 Copilot license, paired with a Microsoft 365 E5 license or an equivalent, is required to leverage this DLP feature fully.

This update does not alter Copilot’s core functionality; it solely strengthens the governance boundary around what content Copilot is permitted to access and process.
