Generative AI tools like Microsoft 365 Copilot are transforming workplace productivity by drafting emails, summarizing meetings and generating reports at lightning speed. However, this power comes with new risks, such as sensitive data exposure and prompt injection attacks. Microsoft Purview and its Communication Compliance solution offer a powerful set of tools to monitor, detect and remediate risky interactions between users and generative AI applications. In this blog, we will learn how Microsoft Purview helps organizations establish security strategies for Copilot, with real-world use cases, technical capabilities and advanced classifiers like Prompt Shield and Protected Material.
Microsoft Purview Communication Compliance: Core Capabilities
Microsoft Purview Communication Compliance policies are designed to monitor and manage internal communications across Microsoft 365 apps, including Microsoft 365 Copilot interactions. They offer an enhanced ability to:
- Detect policy violations by identifying prompts and responses that contain harassing, discriminatory or threatening language.
- Monitor sensitive data by flagging unauthorized sharing of confidential or proprietary information.
- Detect profanity or inappropriate images.
Detecting Risky AI Content: How Purview’s Classifiers Protect Your Organization
To enhance detection accuracy, Microsoft Purview introduces trainable classifiers: AI models that identify specific types of risky content. Two key classifiers for generative AI offered by Microsoft Purview Communication Compliance are:
Prompt Shield
This classifier is designed to detect and prevent prompt injection attacks in generative AI systems like Microsoft 365 Copilot. It identifies attempts to manipulate AI behavior by embedding harmful or unauthorized instructions in user prompts. By catching risky prompts before they cause issues, it helps organizations maintain data security. Prompt Shield is integrated into the “Detect Microsoft Copilot Interactions” policy template in Purview and can be customized to meet specific organizational needs.
Protected Material
The Protected Material classifier is designed to detect and identify AI-generated responses that contain branded, copyrighted, or proprietary content.
Risk Detection Workflow Diagram
This flowchart represents how Microsoft Purview Communication Compliance manages risks in interactions with Microsoft 365 Copilot.

How Purview flags risky Copilot interactions and routes them for review and remediation.
It begins when a user engages with Copilot, and the system tags the message as Copilot-related. Once tagged, a compliance policy is triggered to review the interaction. The next step involves classifier evaluation, where advanced models such as Prompt Shield and Protected Material analyze the content. Prompt Shield identifies prompt injection risks, while Protected Material detects intellectual property violations or sensitive content exposure. If any risk is found, the system flags it and alerts a compliance reviewer for assessment. Finally, remediation actions are taken, which may include notifying the user, blocking the content or escalating the issue.
Step-by-Step: How to use Prompt Shield and Protected Material classifiers in Policy
Let’s walk through a typical policy integration scenario using these classifiers.
Step 1: Access the Microsoft Purview portal
- Go to the Microsoft Purview portal.
- Select “Communication Compliance” from the left menu.
Step 2: Create a New Policy
- Click on “Policies” → Create policy
- Choose the template: Detect Microsoft Copilot Interaction.
Step 3: Configure Policy Details
- Enter policy name, select users/groups and set reviewers.
- Set how long detected messages should be preserved.
Step 4: Select Classifiers
- In the classifier section, choose:
  - Prompt Shield (detects risky prompts and prompt injection attacks)
  - Protected Material (detects confidential, branded or proprietary content)
Step 5: Set Scope & Locations
- Define which users/departments the policy applies to.
Step 6: Review, Create & Validate
- Review all settings and click “Create policy” → Validate.
Real-World Use Case: Policy Workflow
John Smith is the Compliance Manager at AlphaBank, a financial institution that uses Microsoft 365 Copilot to help employees draft emails and generate client reports. John is concerned that Copilot might accidentally include sensitive customer data or proprietary financial information in its AI-generated content.
To address this, John logs into the Microsoft Purview portal and selects Communication Compliance from the menu. He creates a new policy using the Detect Microsoft Copilot Interaction template. John names the policy “Finance AI Compliance,” selects the Finance department and assigns reviewers from his compliance team. He sets the preservation period for flagged messages to one year.
In the classifier section, John chooses Prompt Shield to detect risky prompts and prompt injection attacks, and Protected Material to identify confidential or branded content. He defines the scope to include all Finance department communications and ensures the policy covers both email and Teams chat channels.
After reviewing all settings, John creates and validates the policy. Now, whenever Copilot generates a message containing risky prompts or sensitive financial data, the system flags it for review, helping AlphaBank prevent data leaks and maintain regulatory compliance.
Learn More and Build Your Skills to Protect Your Copilot Interaction.
Learning more and building your skills to protect Copilot interactions empowers you to safeguard sensitive information and ensure compliance in your organization. By mastering these solutions, you can confidently prevent data leaks, mitigate regulatory risks and enable the safe and responsible use of AI.
Companies such as CloudThat offer hands-on courses and labs designed for security engineers and GenAI practitioners who want to strengthen their information protection strategies and capabilities. Programs such as SC-401: Information Security Administrator Associate and MS-4002: Prepare Security and Compliance to Support offer guided practice in configuring, managing and validating GenAI security policies.
Secure Copilot Compliance
By leveraging built-in classifiers like Prompt Shield and Protected Material, organizations can confidently deploy Copilot while maintaining compliance, protecting sensitive data and preserving trust. Implementing robust guardrails for generative AI like Microsoft 365 Copilot is essential to protect sensitive data and maintain compliance in today’s digital workplace.
WRITTEN BY Rahul Mehta
Rahul Mehta is a Subject Matter Expert at CloudThat, specializing in Microsoft and VMware technologies, Generative AI, and cloud security. With over 19 years of experience in the IT training domain, he has trained more than 1000 professionals to upskill in areas such as Microsoft 365 Copilot, Microsoft Team Administration, Azure Security and Compliance, and VMware Data Centre Virtualization. Known for simplifying complex concepts and delivering hands-on, impactful training, he brings deep technical knowledge and practical application into every learning experience. Rahul's passion for continuous learning and emerging technologies is reflected in his unique approach to learning and development.
November 17, 2025