---
name: Copilot DLP Impact and Simulation
description: "Simulate Microsoft Purview DLP for Microsoft 365 Copilot: preview which prompts, files and labels would be blocked and measure coverage."
---

# Copilot DLP Impact and Simulation

> **TL;DR:** This skill inspects your Microsoft Purview DLP policies scoped to Microsoft 365 Copilot, predicts which prompts, files and sensitivity labels would be blocked, and produces a coverage versus sensitive-data exposure report so you can tune policies before enforcing them.

## What Microsoft Purview DLP for Microsoft 365 Copilot actually evaluates

Microsoft Purview Data Loss Prevention (DLP) offers a dedicated Microsoft 365 Copilot location that prevents Copilot from processing or summarising content carrying specified sensitivity labels. When Microsoft 365 Copilot retrieves files through Microsoft Graph, the DLP engine checks each grounding item against your policies and excludes labelled content from the response. This skill reads those policies, the sensitivity labels applied across SharePoint and OneDrive, and the simulation (test mode) results to forecast real-world impact before you switch policies to enforce.

## When should you run this skill?

- "Before I turn on a Copilot DLP policy, show me what it would actually block."
- "Which sensitivity labels are excluded from Copilot grounding today?"
- "How much of our sensitive content is still reachable by Copilot right now?"
- "I enabled a DLP policy in simulation mode, summarise the predicted hits."
- "Is our Copilot DLP coverage strong enough for our compliance posture?"
- "Which files or prompts would be filtered if we enforce this label-based rule?"
- "Give me a coverage versus exposure baseline before our next audit."

## How this skill works, step by step

1. Authenticate read-only to Microsoft Purview and Microsoft Graph using delegated permissions for the signed-in compliance reviewer.
2. Enumerate all DLP policies that include the Microsoft 365 Copilot location and capture their rules, conditions and sensitivity-label exclusions.
3. Identify each policy's mode: test (simulation), test with notifications, or enforce, so predicted versus active behaviour is clear.
4. Read the sensitivity labels published in the tenant and map which labels the Copilot DLP rules target.
5. Sample labelled SharePoint and OneDrive content to estimate how many grounding-eligible items carry an excluded label.
6. Collect simulation results and policy-match telemetry to count prompts and files that would be blocked under each policy.
7. Calculate a coverage figure (share of sensitive items protected from Copilot) against an exposure figure (sensitive items still reachable).
8. Derive a risk score from exposure volume, label sensitivity and the proportion of policies still left in test mode rather than enforced.
9. Compile findings into the output table and summary without changing any policy, label or mode.

## Output format

The skill returns a per-policy table followed by a tenant summary.

| Policy name | Location | Mode | Targeted labels | Predicted blocks (prompts/files) | Exposure remaining | Risk |
| --- | --- | --- | --- | --- | --- | --- |
| Restrict Highly Confidential | M365 Copilot | Test (simulation) | Highly Confidential | 42 / 318 | 1,204 items | High |
| Block Personal Data in Copilot | M365 Copilot | Enforce | Confidential, Personal | 9 / 87 | 156 items | Medium |

Summary metrics:

- Coverage: percentage of sensitive, grounding-eligible items protected from Microsoft 365 Copilot.
- Exposure: count of labelled items still reachable by Copilot grounding.
- Policies in test mode versus enforced, highlighting gaps that exist only in simulation.
- Top three sensitivity labels driving residual exposure.
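The coverage and exposure arithmetic from steps 7 and 8 and the summary metrics above, as an added example that is not part of the skill's own code. The record shape, mode strings, label names beyond those in the table, and all item counts are constructed assumptions. The risk score is left out because the page does not define its weighting.

```python
# Added example: every value below is constructed, not tenant data.
SENSITIVE = {"Highly Confidential", "Confidential", "Personal", "Legal Privileged"}  # assumed

# Assumed record shape for the policy inventory (step 2); mode strings are placeholders.
POLICIES = [
    {"name": "Restrict Highly Confidential", "mode": "test",
     "labels": {"Highly Confidential"}},
    {"name": "Block Personal Data in Copilot", "mode": "enforce",
     "labels": {"Confidential", "Personal"}},
]

# Constructed estimate of grounding-eligible items per label (step 5).
LABEL_ITEMS = {"Highly Confidential": 1204, "Confidential": 2100,
               "Personal": 900, "Legal Privileged": 300, "General": 15000}

TEST_MODES = {"test", "test_with_notifications"}


def excluded_labels(policies, modes):
    """Labels targeted by at least one policy whose mode is in `modes`."""
    return set().union(*(p["labels"] for p in policies if p["mode"] in modes))


def summarise(policies, label_items, sensitive):
    counts = {l: n for l, n in label_items.items() if l in sensitive}
    total = sum(counts.values())
    enforced = excluded_labels(policies, {"enforce"})
    projected = excluded_labels(policies, {"enforce"} | TEST_MODES)

    def pct(labels):
        covered = sum(n for l, n in counts.items() if l in labels)
        return round(100 * covered / total, 1) if total else 0.0

    # Test-mode policies are not enforced, so their labels still count as exposed.
    exposed = {l: n for l, n in counts.items() if l not in enforced}
    return {
        "coverage_enforced_pct": pct(enforced),
        "coverage_if_all_enforced_pct": pct(projected),
        "exposure_items": sum(exposed.values()),
        "simulation_only_labels": sorted(l for l in exposed if l in projected),
        "unprotected_labels": sorted(l for l in exposed if l not in projected),
        "top_exposure_labels": sorted(exposed, key=lambda l: (-exposed[l], l))[:3],
        "test_mode_share": sum(p["mode"] in TEST_MODES for p in policies) / max(len(policies), 1),
    }


if __name__ == "__main__":
    for key, value in summarise(POLICIES, LABEL_ITEMS, SENSITIVE).items():
        print(f"{key}: {value}")
```

The gap between `coverage_enforced_pct` and `coverage_if_all_enforced_pct` is the protection that exists only in simulation; `unprotected_labels` lists sensitive labels that no Copilot DLP policy targets in any mode.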

## Scope and safety

This skill is read-only by default and makes no changes to your tenant. It reads policy definitions, label metadata and simulation telemetry only, and never alters enforcement state.

This skill does NOT:

- Create, modify, enable or delete any DLP policy or rule.
- Change a policy's mode from test (simulation) to enforce.
- Apply, remove or reconfigure sensitivity labels on any content.
- Read or export the body of user prompts, files or Copilot responses.

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Microsoft Purview DLP for the Microsoft 365 Copilot location | Microsoft 365 E5 Compliance (or E5) |
| Sensitivity labels published across SharePoint and OneDrive | Microsoft 365 E3 (advanced label scenarios require E5) |
| Microsoft 365 Copilot grounding and processing | Microsoft 365 Copilot licence |

### Least-privilege roles

- Compliance Data Administrator or Compliance Administrator (read DLP policies, simulation results and labels). Global Reader suffices for read-only viewing of much of this configuration.
- View-Only DLP Compliance Management role for reviewers who only need to read policy definitions and simulation telemetry.

### Microsoft Graph permissions (read-only)

DLP policies, simulation (test) mode and the Microsoft 365 Copilot location are administered through the Microsoft Purview portal and Security and Compliance PowerShell (for example `Get-DlpCompliancePolicy` and `Get-DlpComplianceRule`) rather than Microsoft Graph, so most of this skill reads configuration there.

- `InformationProtectionPolicy.Read` — reads the published sensitivity labels and label policy that DLP rules target.
- `Sites.Read.All` — samples grounding-eligible SharePoint and OneDrive content to estimate labelled exposure.

## Sources and compliance

- [Learn about the Microsoft 365 Copilot DLP location](https://learn.microsoft.com/en-us/purview/dlp-microsoft365-copilot-location-learn-about)
- [Test a DLP policy using simulation mode](https://learn.microsoft.com/en-us/purview/dlp-test-dlp-policies)
- Supports Essential Eight mitigation strategies for restricting and monitoring data exposure to generative AI; aligns with ISM controls for data loss prevention and protective markings.
- [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English.
