Configure a communication compliance policy to detect for Copilot for Microsoft 365 interactions

You can use communication compliance to analyze interactions (prompts and responses) entered into Copilot for Microsoft 365 to detect for inappropriate or risky interactions or sharing of confidential information.

Communication compliance can detect interactions in any of the following Copilot apps:

• Teams (chats/channels/meetings) Copilot
• Word Copilot
• PowerPoint Copilot
• Excel Copilot
• OneNote Copilot
• Loop Copilot
• Whiteboard Copilot
• Microsoft 365 Chat in Teams
• Microsoft 365 Chat in Bing
• Forms Copilot

You can take advantage of all communication compliance features when you create a communication compliance policy that detects for Copilot for Microsoft 365 interactions, including:

• Sensitive information types
• Keywords
• Trainable classifiers
• Content safety classifiers for Teams based on large language models
• Conditions

How it works

Any prompt or response entered into a supported Copilot app that matches a communication compliance policy is displayed as a policy match on the Policies page on the Pending tab, with separate entries for prompts and responses. If only the prompt or only the response matches a policy, an item is created on the Pending tab just for that policy match. You can remediate policy matches for Copilot in the same way that you remediate any other policy match.

The following information is displayed for each item on the Pending tab for Copilot policy matches:

• Copilot icon: This icon () identifies the policy match as a Copilot interaction.
• Subject column: The value in this column identifies the policy match as a Copilot interaction and lists the name of the app that was used. For example: "Copilot in Excel".
• Sender column: Sender of the message. If the policy match is a response from Copilot, the value is "Copilot".
• Recipient column: Recipients included in the message. If the policy match is a prompt to Copilot, the value is "Copilot".
• Message text: The message text that the user entered (the text that caused the policy match) is shown on the right side of the screen in its entirety.

Prerequisites

To investigate Copilot interactions in communication compliance, you must have one of the following roles: Communication Compliance, Communication Compliance Investigators, Communication Compliance Analysts. You must also be assigned as a reviewer of the policy in the Reviewers field during policy creation.

Create a policy that detects for Copilot for Microsoft 365 interactions

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

Microsoft Purview portal

1. Sign in to the Microsoft Purview portal using credentials for an admin account in your Microsoft 365 organization.
2. Go to the Communication Compliance solution.
3. Select Policies in the left navigation.
4. Select Create policy, and then select the Detect Copilot for Microsoft 365 interactions template.
5. Enter the policy name, select the users and groups to apply the policy to, and then select the reviewers for the policy. Learn more about these options when creating a policy from a template
6. Review the list of settings chosen for you based on the template, and then select Create policy to create the policy or select Customize policy if you want to make any changes before creating the policy.

Compliance portal

1. Sign into the Microsoft Purview Compliance portal using credentials for an admin account in your Microsoft 365 organization.
2. Select the Communication Compliance solution.
3. Select the Policies tab.
4. Select Create policy, and then select the Detect Copilot for Microsoft 365 interactions template.
5. Enter the policy name, select the users and groups to apply the policy to, and then select the reviewers for the policy. Learn more about these options when creating a policy from a template
6. Review the list of settings chosen for you based on the template, and then select Create policy to create the policy or select Customize policy if you want to make any changes before creating the policy.

Add Copilot as a location for an existing policy

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

Microsoft Purview portal

1. Sign in to the Microsoft Purview portal using credentials for an admin account in your Microsoft 365 organization.

2. Go to the Communication Compliance solution.

3. Select Policies in the left navigation.

4. Select the More actions (ellipsis) button in the row for the policy you want to change, and then select Edit.

5. Select Next two times in the policy creation wizard to go to the Choose locations to detect communications page.

6. Select the Copilot for Microsoft 365 checkbox to add Copilot for Microsoft 365 as a location.

   

7. Make any other changes to the policy, and then on the Review and finish page, select Save.

Compliance portal

1. Sign into the Microsoft Purview Compliance portal using credentials for an admin account in your Microsoft 365 organization.

2. Select the Communication Compliance solution.

3. Select the Policies tab.

4. Select the More actions (ellipsis) button in the row for the policy you want to change, and then select Edit.

5. Select Next two times in the policy creation wizard to go to the Choose locations to detect communications page.

6. Select the Copilot for Microsoft 365 checkbox to add Copilot for Microsoft 365 as a location.

   

7. Make any other changes to the policy, and then on the Review and finish page, select Save.

Create a policy to review all Copilot interactions

When you're first working with Copilot interactions, you may want to review all Copilot interactions to get a feel for how people in your organization are using Copilot. To create a policy to review all Copilot interactions, when you create or edit the policy:

• Make sure that the location is set to Copilot for Microsoft 365.
• Make sure that the Review percentage option on the Choose conditions and review percentage page is set to 100%.
• Do not set any conditions for the policy.

Note

Depending on the size of your organization, a policy that detects all Copilot interactions might result in a high volume of detected messages, which could cause your organization to reach its storage limit. In that case, you may need to make adjustments to the policy to reduce the number of detections.

Remediate policy matches and alerts that contain Copilot interactions

You can remediate policy matches and alerts that contain Copilot interactions in the same way that you remediate any policy match or alert in communication compliance. For example, you can tag a policy match, escalate it, resolve it, download it, or export it. Learn more about resolving policy matches and alerts in communication compliance.

Reports

Copilot interactions that are brought into the scope of a communication compliance policy appear in communication compliance reports and audit data. Learn more about communication compliance reports and audits.

See also

• Microsoft Purview data security and compliance protections for Microsoft Copilot
• Investigate and remediate communication compliance alerts
• Use communication compliance reports and audits