Is it possible to use the NOT operator to eliminate the built-in SITs that get detected but are not a part of the policy?

Mark Sannuti (C-Admin) 280 Reputation points
2026-03-06T16:57:10.6966667+00:00

Is it possible to use the NOT operator to eliminate the built-in SITs that get detected and are not a part of the policy? I'm using a DLP policy and the location is "Microsoft 365 Copilot and Copilot Chat". It seems that the NOT operator doesn't work for this location setting, but works for other locations like Email...

So in summary: In DLP policy selecting location - Microsoft 365 Copilot and Copilot Chat

Content Type:

• SS#
• Passport#
• Credit Card#

NOT

• Full Names
• Poland Passport
• Hong Kong Identity Card
• etc

Microsoft 365 and Office

1 answer

  1. Q&A Assist
    2026-03-06T16:57:21.3833333+00:00
    AI-generated content. This question contains an answer created with AI from Q&A Assist.

    For the Microsoft 365 Copilot and Copilot Chat DLP location, the supported conditions and actions are limited and don't include using NOT to filter out specific built-in sensitive information types (SITs).

    For this location, the only supported condition types are:

    • Content contains > Sensitivity labels
    • Content contains > Sensitive information types

    And the supported action is:

    • Prevent Copilot from processing content (either processing prompts, or processing files/emails with certain sensitivity labels)

    The documentation for this location doesn't describe support for complex boolean logic (such as nested groups with NOT) the way general DLP policy design does. The boolean and nested-group capabilities (including using NOT to replace Exceptions) are documented for DLP policies in general, but the Copilot-specific location has its own, narrower list of supported conditions and actions.

    Therefore, for Microsoft 365 Copilot and Copilot Chat:

    • It isn't supported to use NOT to exclude specific SITs (such as Full Names, Poland Passport, Hong Kong Identity Card) from detection while including others in the same rule.
    • To control which SITs are enforced, configure the rule to include only the SITs that should be blocked (for example, SSN, Passport, Credit Card) rather than trying to include a broad set and then exclude unwanted ones with NOT.

    If more granular logic is required (for example, complex combinations of SITs and NOT conditions), that behavior is available in other locations (such as Exchange email) but not in the Copilot-specific DLP location.

