Forum Discussion

Stefan19x9a's avatar
Stefan19x9a
Copper Contributor
Sep 08, 2025
Solved

Copilot DLP Policy Licensing

Hi everyone We are currently preparing our tenant for a broader Microsoft 365 Copilot rollout and in preparation to that we were in the progress of hardening our SharePoint files to ensure that sens...
copilot
data loss prevention
dlp
purview
  • vimal_raj1984hotmail's avatar
    vimal_raj1984hotmail
    Sep 09, 2025

    You are correct. The ability to create a Data Loss Prevention (DLP) policy that specifically blocks Microsoft Copilot from accessing certain content was initially available more broadly during its preview phase. However, as the feature moved towards General Availability (GA) and Microsoft refined its licensing, it was placed into a higher-tier license.

    The action to "Restrict access for Microsoft 365 Copilot" within a Purview DLP policy is now considered an advanced compliance feature. This capability requires Microsoft 365 E5 or a specific add-on license. It is no longer included with the standard Microsoft 365 E3 + Copilot for Microsoft 365 license combination.

    This is why the action disappeared from your existing policy and why the "Add an action" button is greyed out for that specific function.

    Your Licensing Options (Beyond a Full E5 Upgrade)

    Since a full E5 upgrade is not an option, your strategy should be to purchase a "step-up" or "add-on" license that provides the necessary Purview capabilities. You only need to license the users who will be creating/managing these policies or, in some cases, the users whose content needs this level of protection (always verify with your Microsoft account manager or licensing partner).

    Here are your best options, ordered from most targeted to most comprehensive:

    Option 1 (Best & Most Direct): Microsoft Purview Information Protection

    • License Name: Microsoft Purview Information Protection (formerly Microsoft 365 E5 Compliance or MIP)
    • Why it's the best choice: This is the most direct and cost-effective add-on to get the feature you need. It's specifically designed to provide the advanced data classification, sensitivity labeling, and DLP capabilities of the E5 suite without the other E5 components (like advanced security, voice, etc.).
    • Key Features Included:
      • The ability to use sensitivity labels as a condition in DLP policies to block services like Copilot.
      • Automatic and recommended sensitivity labeling.
      • Trainable classifiers and exact data match (EDM) for highly accurate data detection.
      • Advanced message encryption capabilities.

    This license directly enables the scenario you described and is the standard "step-up" from E3 for advanced data governance.

    Option 2 (Broader Compliance): Microsoft 365 E5 Compliance

    • License Name: Microsoft 365 E5 Compliance
    • Why it's a good choice: This is a larger bundle that includes everything in Option 1, plus other advanced compliance features. It's a good choice if you also foresee needing capabilities like eDiscovery, Insider Risk Management, or Communication Compliance in the near future.
    • Key Features Included:
      • Everything in Microsoft Purview Information Protection (solves your immediate problem).
      • eDiscovery & Audit: Advanced eDiscovery for legal holds and investigations.
      • Insider Risk Management: Policies to detect and act on risky user activities.
      • Communication Compliance: Policies to monitor communications (email, Teams) for code of conduct or regulatory violations.

    If your "hardening" project extends beyond just data classification into user behavior and legal compliance, this is the more strategic, long-term purchase.

    Recommended Strategy and Action Plan

    1. Confirm the Need: Your plan is solid. Using sensitivity labels to create a "fence" around confidential data that Copilot cannot access is Microsoft's recommended best practice. You are on the right track.
    2. Choose the Right License:
      • If your only goal is to enable the Copilot DLP action and enhance sensitivity labeling, purchase the Microsoft Purview Information Protection add-on for the necessary users.
      • If your organization is also looking to improve its legal and HR compliance posture, the Microsoft 365 E5 Compliance add-on offers much more value for a slightly higher cost.
    3. Engage with Your Licensing Partner/Microsoft Rep: Contact your Microsoft licensing provider or account manager.
      • Ask for a quote for both "Microsoft Purview Information Protection" and "Microsoft 365 E5 Compliance" add-on licenses.
      • Confirm the exact number of licenses you need. Typically, you would license the users whose data you are protecting or the administrators setting up the policies. Clarify this with your rep as licensing terms can be nuanced.
    4. Implement the Solution: Once the licenses are procured and assigned, the "Restrict access for Microsoft 365 Copilot" action in the DLP policy wizard will become available again, and you can re-implement your original, correct strategy.
Stefan19x9a's avatar
Stefan19x9a
Copper Contributor
Sep 10, 2025

After some further research, I might have found a solution that fits our needs.

According to official documentation, paid Microsoft 365 Copilot licenses include some features from SharePoint Advanced Management like restricting site access to specific groups or restrict content from Microsoft 365 Copilot.

https://learn.microsoft.com/en-us/sharepoint/advanced-management#sharepoint-advanced-management-features-in-microsoft-365-copilot-licenses

Resources