Microsoft is expanding data loss prevention (DLP) controls to block the Microsoft 365 Copilot AI assistant from processing confidential Word, Excel, and PowerPoint documents, regardless of their location.
Currently, Microsoft Purview DLP policies apply only to files stored in SharePoint or OneDrive, but not to those stored on local devices.
This change will be deployed through the Augmentation Loop (AugLoop) Office component between late March and late April 2026 to ensure that DLP controls apply to all Office documents, whether they are stored locally, in SharePoint, or OneDrive.
“This enhancement responds to customer feedback requesting more consistent protection coverage across local and cloud-based file locations,” Microsoft said in a message center update.
Once the change is deployed, Copilot will not be able to read or process Word, Excel, or PowerPoint documents that are labeled as restricted by DLP controls.
Microsoft also stated that the changes will be automatically enabled for organizations with DLP policies configured to block Copilot from processing sensitivity-labeled content, without requiring any administrative action or changes.
“This update does not modify Copilot capabilities. Instead, Office clients and AugLoop have been enhanced so AugLoop can read a file’s sensitivity label directly from the client,” Microsoft added.
“Today, AugLoop retrieves the label by calling Microsoft Graph using the file’s SharePoint or OneDrive URL, which limits DLP enforcement to files stored in OneDrive and SharePoint. By enabling the client to provide the label, DLP enforcement now applies uniformly across all storage locations, including local files.”
This comes on the heels of a software bug (described by Microsoft as a “code issue”) that allowed Microsoft 365 Copilot Chat (the company’s AI-powered, content-aware chat that lets users interact with AI agents) to read and summarize confidential emails in users’ Sent Items and Drafts folders for nearly a month despite the emails being protected by active data loss prevention policies and labeled as confidential.
The bug, which was first discovered on January 21, affected the Copilot “work tab” chat functionality, which mistakenly accessed and summarized emails stored in users’ Sent Items and Drafts folders, including those labeled confidential and intended to be protected from automated tools by explicit confidentiality labels.
In a statement to BleepingComputer, Microsoft explained that the bug provided access to the summarized information only to those who were already authorized to see it, but that the “behavior did not meet our intended Copilot experience, which is designed to exclude protected content from Copilot access.”
Modern IT infrastructure moves faster than manual workflows can handle.
In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.
