Secure sensitive information in Copilot for Microsoft 365 prompts with Microsoft Purview Communication Compliance 


Microsoft MVP Jasper Oosterveld discusses communication risks with Copilot for Microsoft 365 prompts and steps for creating a policy using Microsoft Purview Communication Compliance.

You’ve rolled out Copilot for Microsoft 365 in your organization. Your colleagues use it to draft documents, find and share information, and collaborate like never before—that’s great!  

But as someone who’s always tuned into data security and governance, my radar is buzzing. There’s a risk that sensitive or unauthorized information might be exposed with Copilot for Microsoft 365 prompts. 

This is where Microsoft Purview Communication Compliance leaps into action and can help minimize communication risks. Let’s get into it. 


The challenge with Copilot for Microsoft 365 prompts

Let’s look at how communication risks can arise using a hypothetical company, Contoso Electronics, and a hypothetical product called DG-2000, as examples.  

You work for Contoso Electronics and are part of the launch team for the company’s flagship product, DG-2000. To get information on the product, you ask Copilot for Microsoft 365, which provides a summary of it. But there’s a risk Copilot could accidentally reveal restricted information:

[Figure: Prompt]

Even if you’re allowed to see this information with all the right permissions, Contoso still needs to be aware of these prompts to ensure sensitive information is handled carefully.  


What is Microsoft Purview Communication Compliance? 

Microsoft Purview Communication Compliance is an insider risk solution, meaning it helps you spot and manage potentially inappropriate messages within your organization, minimizing communication risks. Recently, Microsoft extended this tool to Copilot for Microsoft 365 interactions, offering the following out-of-the-box policy:

[Figure: Communication Compliance]

To fully leverage these capabilities, make sure you consider the licensing requirements for Microsoft Purview Communication Compliance, outlined in the following figure: 

[Figure: Licensing]

Let’s dive into setting up your first Copilot for Microsoft 365 policy with Microsoft Purview Communication Compliance. 


Create a Copilot for M365 policy with Microsoft Purview Communication Compliance 

To create a policy, follow these steps: 

1. Sign in to the compliance portal with an admin account in your M365 organization 

2. Go to the Communication compliance solution 

3. Select the Policies tab

4. Select Create policy, and then select Custom policy

[Figure: Communication Compliance 1]

5. Give the policy a name. You can also include a description.

6. On the Choose users and reviewers page, you’ll see the sections for: 

[Figure: Choose Users And Reviewers]

Users and groups

To improve the quality and management of your policy, focus your policy on a specific group of people within your organization. If you don’t, you’ll face an overload of alerts, making your policy hard to manage. You can manually select users or use an adaptive scope. For larger groups with varied roles and departments, an adaptive scope is recommended.

Reviewers 

Employees assigned the reviewer role need one of the following roles to execute their tasks: 

  • Communication Compliance Analysts  
  • Communication Compliance Investigators  

Assign these roles within the Microsoft Purview Administration Portal by going to the Roles & scopes tab: 

[Figure: Role Groups]

7. On the Choose locations to detect communications page, set “Copilot for Microsoft 365” as the default communication channel: 

[Figure: Choose Locations]

8. On the Choose conditions and review percentage page, choose the communication direction to detect. I’ve stuck with the default options (inbound, outbound, and internal):

[Figure: Choose Conditions]

9. In the Conditions section, you’ll find various options. I recommend starting with detecting sensitive information types, which I covered in a previous ShareGate article. These types are key for your Communication Compliance policy. For example, you can set it to flag any mentions of the DG-2000 product. 

[Figure: Conditions]

10. Next is the Optical character recognition (OCR) section. You can select “Use OCR to extract texts from images” if you want to identify embedded or attached images in messages that match policy conditions:

[Figure: Optical Character Recognition]

11. In the Review percentage section, you can adjust the slider to change the amount of content to review. This is useful when your policy generates too many reviews for your reviewers to handle.  

Skip the Filter email blasts section. You’re all done! Now, let’s explore your review options! 
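To make the relationship between the pieces configured in steps 6 to 11 concrete (user scope, communication direction, sensitive information type conditions, and the review percentage), here is a small model of how such a policy evaluates Copilot interactions. This is an added illustration written for this article, not Purview’s own code or API: the interactions, the user names, the two regex-based “sensitive information types” and the hash-based sampling are all constructed assumptions. It also shows why step 6 matters, by evaluating the same interactions once with a policy scoped to the launch team and once org-wide.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Constructed sample Copilot for Microsoft 365 interactions (hypothetical data,
# not captured from a real tenant). "outbound" is a user's prompt, "inbound"
# is Copilot's response, "internal" is a prompt that references internal content.
SAMPLE_INTERACTIONS = [
    {"id": "i1", "user": "alice@contoso.com", "direction": "outbound",
     "text": "Give me a summary of the DG-2000 launch plan."},
    {"id": "i2", "user": "alice@contoso.com", "direction": "inbound",
     "text": "Here is the DG-2000 summary (document marked Confidential): ..."},
    {"id": "i3", "user": "bob@contoso.com", "direction": "outbound",
     "text": "What is the release date of the dg-2000?"},
    {"id": "i4", "user": "alice@contoso.com", "direction": "outbound",
     "text": "Draft an agenda for Monday's team meeting."},
    {"id": "i5", "user": "carol@contoso.com", "direction": "internal",
     "text": "Share the Confidential pricing sheet with the launch channel."},
    {"id": "i6", "user": "dave@contoso.com", "direction": "outbound",
     "text": "Compare the DG-2000 with last year's model."},
]

# Hypothetical stand-ins for sensitive information types: a custom type for the
# product name and a keyword type for a confidentiality marker.
SENSITIVE_INFO_TYPES = {
    "Contoso DG-2000 product name": re.compile(r"\bDG-2000\b", re.IGNORECASE),
    "Confidential marker": re.compile(r"\bconfidential\b", re.IGNORECASE),
}

ALL_DIRECTIONS = frozenset({"inbound", "outbound", "internal"})


@dataclass(frozen=True)
class Policy:
    name: str
    scoped_users: frozenset[str] | None  # None models an org-wide policy (no scope)
    directions: frozenset[str]           # inbound / outbound / internal
    review_percentage: int               # 0-100, the review percentage slider


def matched_types(text: str) -> list[str]:
    """Return the names of every sensitive information type found in the text."""
    return [name for name, pattern in SENSITIVE_INFO_TYPES.items() if pattern.search(text)]


def sampled_for_review(interaction_id: str, review_percentage: int) -> bool:
    """Deterministic sampling: hash the id into a 0-99 bucket, so re-evaluating
    the same interaction always gives the same answer."""
    digest = hashlib.sha256(interaction_id.encode()).hexdigest()
    return int(digest, 16) % 100 < review_percentage


def evaluate(policy: Policy, interactions: list[dict]) -> list[dict]:
    """Apply scope, direction and conditions; return one alert per match."""
    alerts = []
    for item in interactions:
        if policy.scoped_users is not None and item["user"] not in policy.scoped_users:
            continue  # outside the policy's user scope
        if item["direction"] not in policy.directions:
            continue  # direction not selected in the policy
        hits = matched_types(item["text"])
        if not hits:
            continue  # no condition matched
        alerts.append({
            "id": item["id"],
            "user": item["user"],
            "direction": item["direction"],
            "matched": hits,
            "sampled_for_review": sampled_for_review(item["id"], policy.review_percentage),
        })
    return alerts


# Step 6 in practice: a policy scoped to the (constructed) launch team vs. an org-wide one.
LAUNCH_TEAM_POLICY = Policy(
    name="Copilot - DG-2000 launch team",
    scoped_users=frozenset({"alice@contoso.com", "carol@contoso.com"}),
    directions=ALL_DIRECTIONS,
    review_percentage=100,
)
ORG_WIDE_POLICY = Policy(
    name="Copilot - whole organization",
    scoped_users=None,
    directions=ALL_DIRECTIONS,
    review_percentage=100,
)

if __name__ == "__main__":
    for policy in (LAUNCH_TEAM_POLICY, ORG_WIDE_POLICY):
        alerts = evaluate(policy, SAMPLE_INTERACTIONS)
        print(f"{policy.name}: {len(alerts)} alert(s)")
        for alert in alerts:
            status = "review" if alert["sampled_for_review"] else "skip"
            print(f"  {alert['id']} {alert['user']} {alert['matched']} -> {status}")
```

With the sample data, the launch-team policy raises three alerts while the org-wide policy raises five for the same six interactions; in a real tenant that gap is what turns into the alert overload described under Users and groups, which is also why the review percentage slider exists.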


Monitor and act

Once you submit your query about the new DG-2000 product in Copilot for Microsoft 365, the reviewer receives a notification to begin the review process. 

[Figure: Review process]

Is everything okay with the message? Click “Resolve” and add a comment for other reviewers: 

[Figure: Click Resolve]

The alert will be moved to the resolved tab: 

[Figure: Resolved Tab]

Note: If you have a license for Copilot for Security, you can review a summary of the alert. 

The Send a notice option allows the reviewer to get in touch with the employee(s) detected in the alert:

[Figure: Send A Notice]

You can create your own notice template. For example: 

[Figure: Create Your Own]

If a reviewer can’t resolve an alert, another reviewer can be contacted for support: 

[Figure: Escalate 1]

Use the Escalate for investigation option to take things to the next level. This option connects with Microsoft Purview eDiscovery to build a case for potential lawsuits. Your organization must have the appropriate license for this solution and assign employees the roles of eDiscovery Manager and eDiscovery Administrator: 

[Figure: Investigate]

The last option integrates with Power Automate, allowing you to connect custom workflows to support your review process using Microsoft Purview Communication Compliance. 

[Figure: Power Automate]

Lessons learned from Microsoft Purview Communication Compliance 

Are you currently rolling out Copilot for Microsoft 365, or already done? Using Microsoft Purview Communication Compliance can help prevent data leaks and monitor unauthorized access to sensitive information. I recommend starting with a pilot to familiarize yourself with how Purview works, and its impact on your organization.  

During our pilot, for example, we faced challenges when we activated the service to monitor interactions involving sensitive information. This resulted in a flood of alerts that overwhelmed our Security Operations Center (SOC) and slowed down our pilot. 

Beyond the technical aspects, it’s essential for your organization to grasp how the service will be used and how it influences your daily operations. 


Jasper Oosterveld is a Microsoft MVP and Data Security Consultant specializing in Microsoft Purview and Microsoft 365. With great passion, he inspires and helps you implement compliance, governance, and adoption within Microsoft Teams and SharePoint. Interested in learning from him? He loves to share his expertise and love for Microsoft products!
