---
name: Copilot Interaction Compliance Audit
description: Analyse Microsoft 365 Copilot audit and DSPM for AI signals to surface sensitive-data exposure and compliance risk in user interactions.
---

# Copilot Interaction Compliance Audit

> **TL;DR:** This skill inspects Microsoft 365 Copilot audit logs and Purview DSPM for AI signals to find where prompts and responses touched sensitive data, then produces a prioritised risk register so you can act on the highest-exposure interactions first.

## What does the Microsoft Purview DSPM for AI dashboard reveal about Copilot interactions?

Microsoft Purview Data Security Posture Management (DSPM) for AI aggregates Microsoft 365 Copilot interaction signals captured in the unified audit log, alongside sensitivity labels, Data Loss Prevention (DLP) policy matches, and Microsoft Entra identity context. Each Copilot prompt and response generates an auditable `CopilotInteraction` event that records the acting user, the host application, and the resources Copilot referenced, including their sensitivity label identifiers; Purview classification adds the sensitive information types detected in the prompt and response. This skill reads those signals to show where Copilot surfaced labelled or regulated content and whether an existing control (a label or a DLP policy) contained the exposure. It treats your tenant as a modern, cloud-only estate governed by Microsoft Entra and Microsoft Purview.

## When should you run this skill?

- "Show me which Copilot interactions referenced files labelled Highly Confidential."
- "Audit whether Copilot exposed any data subject to DLP policies last month."
- "Which users are generating the highest-risk Copilot prompts in our tenant?"
- "Prepare a compliance evidence pack for our Copilot rollout review."
- "Did any Copilot response include personally identifiable or financial information?"
- "Assess our DSPM for AI posture before we widen Copilot licensing."
- "Flag Copilot interactions that touched content lacking a sensitivity label."

## How this skill works, step by step

1. Confirm read-only access to the Microsoft Purview portal and the unified audit log via an appropriately scoped Microsoft Entra identity.
2. Query Microsoft 365 Copilot audit events for the requested period, capturing prompt, response, accessed resources, and acting user.
3. Pull DSPM for AI signals to enrich each interaction with sensitivity labels, sensitive information types, and DLP policy matches.
4. Correlate each interaction with Microsoft Entra user and group context to establish role and access scope.
5. Classify interactions by the highest sensitivity label or information type referenced and whether a control (label, DLP) was present.
6. Derive a risk score per interaction from data sensitivity, control coverage, and user exposure breadth.
7. Aggregate scores into a prioritised register, grouping recurring patterns by user, label, and data type.
8. Summarise tenant-level posture, highlighting unlabelled content reached by Copilot and gaps in DLP coverage.
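Once the records are exported, steps 5 to 8 are mechanical. The following Python is an added example, not code from the skill or from Microsoft. It assumes the records came from `Search-UnifiedAuditLog -RecordType CopilotInteraction` in Exchange Online PowerShell with the `AuditData` JSON already parsed, and that the DSPM for AI enrichment (sensitive information types and DLP match state), which has no single export API, was joined beforehand by interaction `Id`. The resource field names (`AccessedResources`, `Name`, `SensitivityLabelId`) follow the documented CopilotInteraction schema and should be checked against the audit reference under Sources and compliance; the `sensitive_info_types` and `dlp_match` keys, the label weights, the regulated-type list, the scoring weights and bands, the user-breadth figures, and every sample record and GUID are constructed assumptions for illustration.

```python
"""Classify, score and rank exported Copilot interaction audit records.

Added example. Input is parsed AuditData from Search-UnifiedAuditLog -RecordType
CopilotInteraction plus DSPM for AI enrichment assumed joined by interaction Id.
Label weights, regulated types, scoring and bands are illustrative assumptions.
"""
from collections import Counter

# Assumed tenant label taxonomy, ranked by weight.
LABEL_WEIGHT = {"Highly Confidential": 4, "Confidential": 3, "Internal": 1, "Public": 0}
# Label GUIDs as exported from the tenant (constructed values).
HC_LABEL = "2b4b4a0e-0000-4000-8000-000000000001"
INT_LABEL = "2b4b4a0e-0000-4000-8000-000000000002"
LABEL_NAMES = {HC_LABEL: "Highly Confidential", INT_LABEL: "Internal"}
# Sensitive information types this tenant treats as regulated (assumed list).
REGULATED_SITS = {"Credit Card Number", "Australian Tax File Number"}


def classify(record, enrichment):
    """Step 5: highest label and SITs referenced, and whether a control was present."""
    resources = record["CopilotEventData"].get("AccessedResources", [])
    labels = [LABEL_NAMES.get(r.get("SensitivityLabelId") or "") for r in resources]
    return {
        "top_label": max((l for l in labels if l), key=lambda l: LABEL_WEIGHT.get(l, 0), default=None),
        "unlabelled": [r["Name"] for r, l in zip(resources, labels) if l is None],
        "sits": set(enrichment.get("sensitive_info_types", [])),
        "dlp": enrichment.get("dlp_match"),  # None | "Audited" (test mode) | "Blocked"
    }


def score(cls, user_breadth):
    """Step 6: 0-10 from data sensitivity, control coverage and exposure breadth."""
    s = LABEL_WEIGHT.get(cls["top_label"], 0)
    if cls["sits"] & REGULATED_SITS:
        s += 3                    # a regulated data type was referenced
    if cls["unlabelled"] and cls["sits"]:
        s += 3                    # sensitive content that no label governs at all
    if cls["dlp"] == "Blocked":
        s -= 3                    # an enforced control contained the exposure
    elif cls["dlp"] == "Audited":
        s -= 1                    # test-mode match: evidence only, nothing contained
    s += min(user_breadth, 2)     # sites/groups the user can reach (step 4), capped
    return max(0, min(10, s))


def band(s):
    return "Critical" if s >= 8 else "High" if s >= 5 else "Medium" if s >= 3 else "Low"


def build_register(records, enrichment, user_breadth):
    """Step 7: one row per interaction, highest risk first."""
    rows = []
    for rec in records:
        cls = classify(rec, enrichment.get(rec["Id"], {}))
        s = score(cls, user_breadth.get(rec["UserId"], 0))
        data = ([f'{cls["top_label"]} label'] if cls["top_label"] else []) + (
            ["Unlabelled document"] if cls["unlabelled"] else []) + sorted(cls["sits"])
        rows.append({
            "interaction": rec["Id"], "user": rec["UserId"], "sensitive_data": ", ".join(data),
            "control": {"Blocked": "DLP block", "Audited": "DLP match (test mode)"}.get(cls["dlp"], "None"),
            "unlabelled": bool(cls["unlabelled"]), "score": s, "band": band(s),
        })
    return sorted(rows, key=lambda r: (-r["score"], r["interaction"]))


def posture_summary(register):
    """Step 8: tenant-level counts for the posture summary."""
    flagged = [r for r in register if r["band"] in ("High", "Critical")]
    return {
        "total": len(register),
        "flagged": len(flagged),
        "unlabelled": sum(r["unlabelled"] for r in register),
        "top_users": Counter(r["user"] for r in flagged).most_common(3),
    }


# Constructed sample input: two interactions touching sensitive content and one benign one.
SAMPLE_RECORDS = [
    {"Id": "CP-10482", "UserId": "finance.lead@contoso.com", "CopilotEventData": {"AppHost": "Excel",
     "AccessedResources": [{"Name": "Q3-card-settlements.xlsx", "SensitivityLabelId": HC_LABEL}]}},
    {"Id": "CP-10519", "UserId": "hr.coord@contoso.com", "CopilotEventData": {"AppHost": "Word",
     "AccessedResources": [{"Name": "new-starter-forms.docx", "SensitivityLabelId": ""}]}},
    {"Id": "CP-10533", "UserId": "intern@contoso.com", "CopilotEventData": {"AppHost": "Teams",
     "AccessedResources": [{"Name": "team-lunch-poll.docx", "SensitivityLabelId": INT_LABEL}]}},
]
# Constructed DSPM for AI enrichment keyed by interaction Id (assumed join and keys).
SAMPLE_ENRICHMENT = {
    "CP-10482": {"sensitive_info_types": ["Credit Card Number"], "dlp_match": "Audited"},
    "CP-10519": {"sensitive_info_types": ["Australian Tax File Number"], "dlp_match": None},
}
# Constructed step-4 output: how many sites/groups each user can reach.
USER_BREADTH = {"finance.lead@contoso.com": 1, "hr.coord@contoso.com": 3}

if __name__ == "__main__":
    register = build_register(SAMPLE_RECORDS, SAMPLE_ENRICHMENT, USER_BREADTH)
    for row in register:
        print(f'{row["interaction"]}  {row["band"]:<8} {row["score"]:>2}  {row["user"]}  {row["sensitive_data"]}  [{row["control"]}]')
    print(posture_summary(register))
```

The scoring deliberately treats a test-mode DLP match as evidence rather than containment: the policy saw the data but did nothing, so the interaction stays near the top of the register, whereas an enforced block pulls the same interaction down. Unlabelled content carrying a regulated type is weighted hardest because no label-based control can have applied to it, which is exactly the gap the posture summary is meant to surface.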

## Output format

The skill returns a prioritised risk register followed by a posture summary.

| Interaction ID | User | Sensitive Data Referenced | Control Present | Risk Score |
| --- | --- | --- | --- | --- |
| CP-10482 | `finance.lead@contoso.com` | Highly Confidential label, Credit Card Number | DLP policy matched in test mode (not enforced) | High |
| CP-10519 | `hr.coord@contoso.com` | Unlabelled document, Australian Tax File Number | None | Critical |

The posture summary that follows the register covers:

- Total Copilot interactions analysed and the number flagged at High or Critical risk.
- Top users and sensitivity labels driving exposure.
- Count of interactions touching unlabelled or uncontrolled sensitive content.
- Recommended remediation priorities, such as extending DLP scope or applying default labels.

## Scope and safety

This skill is read-only by default and makes no changes to your tenant, policies, or data.

This skill does NOT:

- Modify, delete, or quarantine any Copilot interaction, file, or audit record.
- Create, edit, or disable sensitivity labels, DLP policies, or Conditional Access rules.
- Change user licensing, permissions, or Microsoft Entra group membership.
- Disable or restrict Microsoft 365 Copilot for any user or organisation unit.

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Microsoft Purview DSPM for AI (Copilot interaction insights) | Microsoft 365 E5 or E5 Compliance |
| Audit (Standard) for Copilot interaction events | Microsoft 365 E3 includes Audit (Standard); Audit (Premium), included in E5, extends audit log retention |
| Sensitivity labels and DLP policy match context | Microsoft 365 E5 or E5 Compliance |

### Least-privilege roles

- Global Reader or Compliance Data Administrator for read-only review of DSPM for AI and Purview signals.
- Audit Reader (or a role group granting the View-Only Audit Logs permission) to search the unified audit log for Copilot events.

### Microsoft Graph permissions (read-only)

- `AuditLog.Read.All` — reads Microsoft Entra audit and sign-in logs through Microsoft Graph (identity context for step 4); it does not return unified audit log records. Copilot interaction events come from `Search-UnifiedAuditLog -RecordType CopilotInteraction` in Exchange Online PowerShell, or from the Microsoft Graph audit log query API (beta), which requires `AuditLogsQuery.Read.All`.
- `User.Read.All` and `GroupMember.Read.All` — read user attributes and group membership for the role and access-scope correlation in step 4.
- `InformationProtectionPolicy.Read` — reads the tenant sensitivity label configuration used to map the label identifiers in audit records to label names.
- DSPM for AI dashboards, DLP policy match detail, and most Copilot interaction analytics are administered through the Microsoft Purview portal (and Security & Compliance PowerShell), not Microsoft Graph; review these in the portal rather than relying on Graph scopes.

## Sources and compliance

- [AI compliance and governance with Microsoft Purview](https://learn.microsoft.com/en-us/purview/ai-microsoft-purview)
- [Audit logs for Microsoft 365 Copilot](https://learn.microsoft.com/en-us/purview/audit-copilot)
- Supports the event-logging requirements embedded across the Essential Eight maturity levels by surfacing auditable Copilot interaction events; aligns with ISM guidance on event logging and data classification.
- [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English.
