3.4. How Data Protection Policies Restrict Prompt Results
💡 First Principle: Microsoft 365 data protection works in layers. Permissions and a sensitivity label's encryption/usage rights govern what Copilot can access; a DLP policy for the Copilot location governs what Copilot may process and include in output; and content Copilot generates from labeled sources inherits the source label. So Copilot can be prevented from including protected content in a response even when the user would normally be able to access that content — via DLP, not via a label's classification name alone.
Without this understanding, two costly mistakes emerge. First, users assume that because they can access a file, Copilot will always include its contents in responses — then are surprised and frustrated when a DLP policy silently blocks the output. Second, some assume data protection only controls access, not generation — and are unaware that sensitive content can slip into an AI-generated report even if the user didn't explicitly reference the source. Both assumptions create compliance exposure: one through unexpected friction, the other through unexpected leakage.
How sensitivity labels interact with Copilot:
Microsoft Purview sensitivity labels classify documents and emails by confidentiality level (e.g., Public, Internal, Confidential, Highly Confidential) and can apply encryption with specific usage rights. Copilot interacts with labels in two main ways — and, importantly, a label does not by itself filter or block Copilot's output based on its classification name:
| Label behavior | Effect on Copilot |
|---|---|
| Encryption + usage rights | If a label encrypts content and the user lacks EXTRACT (and VIEW) usage rights, Copilot cannot summarize or reference that content. This is how a label restricts access. |
| Label inheritance | Content Copilot generates from a labeled source automatically inherits the source's highest-priority label and its protection settings. |
| Permissions | Copilot never surfaces content the user can't already access — independent of labeling. |
| Classification name alone | A label like "Confidential" does NOT by itself stop Copilot from summarizing the content. To exclude labeled content from responses, use a DLP policy (below). |
How DLP policies interact with Copilot:
Data Loss Prevention (DLP) policies define rules about sensitive information types — things like credit card numbers, social security numbers, health records, or proprietary business data. When Copilot generates a response that would include content matching a DLP rule, the policy can:
- Block the response entirely
- Remove or redact the sensitive information
- Alert the user that restricted content was detected
A DLP policy for the Microsoft 365 Copilot location can also exclude items that carry a specific sensitivity label from being processed — the item still appears in the response's citations, but its content isn't used. This is the mechanism that actually stops Copilot from summarizing labeled content.
The practical implication: If you ask Copilot a question and receive a less complete answer than expected — or a warning about restricted content — it may be because a DLP policy is excluding sensitive content, or because you lack the usage rights to encrypted labeled content. This is working as intended, not a bug.
⚠️ Exam Trap: Many people believe data protection policies only affect what Copilot can access — like a locked door. In reality, they also affect what Copilot outputs — like a filter on the door's output slot. A user might have read access to a highly confidential document, but a DLP policy can still prevent Copilot from including that document's content in a response that could be shared outside the organization.
Reflection Question: A finance analyst asks Copilot to summarize a quarterly earnings document labeled "Highly Confidential" and receives a warning instead of a summary. What is the most likely cause, and is this a problem with Copilot or with the organization's data configuration?
