DLP for Microsoft 365 Copilot
Limited Availability: Microsoft 365 Copilot integration is a feature with limited availability. For assistance, contact Skyhigh Support.
Microsoft 365 Copilot API integration with Skyhigh CASB provides comprehensive DLP controls for Copilot to prevent sensitive data leakage to the Cloud.
Create a DLP policy with the following policy rules and response actions to detect sensitive content and provide remediation actions for:
NOTE: DLP on prompts and responses for messages is enforced through Copilot integration. The file operations performed using Copilot (such as uploading, downloading, updating, and deleting) are handled via OneDrive or SharePoint, depending on the file location. To apply DLP on files, you must integrate OneDrive and SharePoint with Skyhigh CASB.
DLP for Messages (Prompts and Responses)
Apply DLP for messages (prompts and responses) to monitor and secure Copilot interactions in Copilot Work chat, Web Chat, OneDrive/SharePoint (prompts), and Teams. This provides visibility into user activities and protects against exfiltration of sensitive content. For example, if you prompt Copilot to summarize a Teams chat that includes credit card numbers, personal information, or any confidential information, Skyhigh CASB logs activities related to Copilot prompts and responses, identifies risky behavior, and ensures compliance by tracking data access and sharing. This enables secure AI usage within collaboration platforms.
DLP for File Attachments
Integrate OneDrive and SharePoint with Skyhigh CASB to protect sensitive file attachments from users of Copilot.
Enforcement of DLP for Copilot
Skyhigh CASB protects sensitive data from Copilot by applying encryption, access control, and AIP (Azure Information Protection) sensitivity labels to the files. To secure your data from Copilot, you need to integrate the following Microsoft collaboration tools with Skyhigh CASB:
- OneDrive. When a user adds or modifies files in OneDrive, Skyhigh CASB scans the files according to DLP policies and excludes Copilot if it finds sensitive information. For more information on integrating OneDrive with Skyhigh CASB, see About Skyhigh CASB for OneDrive.
- SharePoint. Skyhigh CASB continuously monitors SharePoint accounts for any file activity and processes those documents using Skyhigh CASB DLP policies. DLP policies are defined to exclude Copilot to protect against sensitive data exfiltration or malicious data ingestion. For more information on integrating Skyhigh CASB with SharePoint, see About Skyhigh CASB for SharePoint.
With expertise in cloud-native security, Skyhigh helps organizations embrace AI confidently while managing data breaches and compliance risks.
Protect Indexing of Sensitive Files from Copilot Using AIP
Azure Information Protection (AIP) allows organizations to classify and optionally protect sensitive documents using default and custom labels. Once you configure AIP, use AIP labels in Skyhigh CASB DLP policies for Office 365 CSP to protect sensitive files from Copilot.
Follow the steps below to exclude Copilot from indexing the sensitive files:
- Create an AIP label in Microsoft Purview to protect the indexing of sensitive files from Copilot.
- Select the newly created AIP label to apply classification and protection policies to your sensitive data. Here, we have created an Exclude Co-pilot label as an example.
- Configure AIP in Skyhigh CASB.
- Select the desired policy on the DLP Policies (Policy > DLP Policies > DLP Policies) page.
- Select the newly created label on the Responses section to exclude Copilot from sensitive files.
- If a sensitive file is shared, an incident will be created on the Policy Incidents page based on the AIP classification.
Skyhigh CASB excludes the file with sensitive information from indexing.
Supported DLP Incident Types
The following table lists the supported incident types, incident names, events, and associated CSPs for the collaboration tools (such as OneDrive, SharePoint, and Teams) and the Work and Web tabs in Copilot.
NOTE: The incident names listed in the table below are related to Copilot integration. The incident names related to OneDrive and SharePoint follow the same naming convention used in OneDrive and SharePoint integrations.

| Collaboration Tools | Incident Types | Incident Name (Skyhigh Dashboard) | Events | Associated CSPs |
|---|---|---|---|---|
| Work and Web tabs in Copilot (Work tab is available only for licensed users) | User Prompt | User Prompt | Created; Updated | Copilot |
| | Copilot Response | Copilot Response | Copilot response generated | Copilot |
| | User Prompt With File | User Prompt | Created; Updated prompt with file | Copilot (Messages); OneDrive/SharePoint (Files) |
| | Copilot Response With File | Copilot Response With File | Copilot response generated; File downloaded | Copilot (Messages); OneDrive/SharePoint (Files) |
| OneDrive | User Prompt | User Prompt | Created; Updated | Copilot |
| | Copilot Response | Copilot Response | Copilot response generated | OneDrive |
| | User Prompt With File | User Prompt With File * | Created; Updated prompt with file | Copilot (Messages); OneDrive/SharePoint (Files) |
| | Copilot Response With File | Copilot Response With File * | Copilot response generated; File downloaded | OneDrive/SharePoint (Files) |
| SharePoint | User Prompt | User Prompt | Created; Updated | Copilot |
| | Copilot Response | Copilot Response | Copilot response generated | SharePoint |
| | User Prompt With File | User Prompt With File * | Created; Updated prompt with file | Copilot (Messages); OneDrive/SharePoint (Files) |
| | Copilot Response With File | Copilot Response With File * | Copilot response generated; File downloaded | OneDrive/SharePoint (Files) |
| Teams | User Prompt | User Prompt | Created; Updated | Copilot |
| | Copilot Response | Copilot Response | Copilot response generated | Copilot |

* Generates multiple events because deduplication is not supported. For details, see Known Behaviors of Copilot with Skyhigh CASB.
Supported DLP Policy Rules and Response Action in Copilot
The supported DLP policy rules and response actions in Copilot are listed below.
NOTE: DLP on files is handled via OneDrive/SharePoint.

| DLP Policy Rules | Supported |
|---|---|
| Classification | |
| Data Identifier | |
| File Name | (Policy attached to OneDrive/SharePoint) |
| File Size | (Policy attached to OneDrive/SharePoint) |
| File Type | (Policy attached to OneDrive/SharePoint) |
| Keywords | |
| Regular Expression | |
| Enhanced IDM/EDM | |
| Legacy IDM/EDM * | |
| User Groups | |
| User Dictionaries | |
| Content-Dedupe (Messages) | |
| On Premises EPO Classification | |
| OCR (Optical Character Recognition) | (Policy attached to OneDrive/SharePoint) |
| Match-Highlights (AWS/Skyhigh Default) | |
| Custom Email Template | |
| Content-Dedupe (File) | |
| Metadata-Dedupe | (Policy attached to OneDrive/SharePoint) |
| Malware | |

* Supported until the end of June 2025

| DLP Policy Response Actions | Supported |
|---|---|
| Delete | (Files) (Prompts and responses) |
| User Email Notification | |
| Send Email Notification | |

| Allowed Remediation | Supported |
|---|---|
| Manual Remediation | (Files) (Prompts and responses) |
| Auto Remediation | (Files) (Prompts and responses) |
| Bulk Remediation | (Files) (Prompts and responses) |
| Ares Bulk Remediation | |
| End User Remediation | |
| Self Remediation | (Files) (Prompts and responses) |