Discover the latest security and governance capabilities for Microsoft 365 Copilot.
Microsoft 365 Copilot is built on a foundation of trust established through our commitments to protect customer data and the controls we make available directly to customers. We’re excited to share the latest updates to these security and governance tools, designed to help you:
- Gain a unified view of key security and governance features as a Copilot/IT admin
- Block sensitive data from being processed by Copilot or sent as web queries
- Address oversharing through automation and greater visibility
The latest security and governance updates introduce the following tools and features:
- Purview value integrated in the Microsoft 365 admin center
- Purview Data Loss Prevention for Microsoft 365 Copilot to safeguard prompts
- Purview Data security posture management Data risk assessments: item-level investigation and remediation
- SharePoint Advanced Management (SAM) Content management assessment
- SAM Permission report for a given user
- SAM Agent insight report
- SAM Catalog management
- SAM Delegating control to site administrators allows site admins to manage Restricted access control (RAC) and Restricted content discovery (RCD)
- SharePoint Admin Agent
- Microsoft Baseline security mode
Be sure to watch the Ignite session BRK 293 - From oversharing to oversight for more details and demos of many of these new capabilities!
Unified view of key security features
As a Copilot and IT admin managing the security and governance of Copilot, you need a unified view to see key security and governance features and take actions. At Ignite 2025, we announced that Microsoft Purview value is now integrated directly into the Microsoft 365 admin center (MAC). Now available in Public Preview.
The Copilot overview page now offers a Security tab, where you can click on cards to prevent data leakage, manage data oversharing, and strengthen data compliance, directly in the MAC.
Figure 1: Purview value integrated in the Microsoft Admin Center
Block sensitive data from processing
Many of you have expressed concerns about sensitive data being processed by Copilot or sent as web queries through a web search. Last year, we announced Microsoft Purview Data Loss Prevention (DLP) for Microsoft 365 Copilot (now Generally Available) to block Copilot from processing files and email with specific sensitivity labels. This year, we are thrilled to extend the capability of DLP for Copilot to safeguard prompts that contain sensitive data. Now available in Public Preview. We are also excited to share that Purview DLP for Copilot prompt is available to all users of Microsoft 365 Copilot and Copilot Chat!
Purview DLP for Copilot prompt provides real-time control to help you mitigate data leakage and oversharing risks. It prevents Microsoft 365 Copilot, including pre-built agents in Microsoft 365 Copilot, and Microsoft 365 Copilot Chat, from returning a response when the prompt contains sensitive data. This feature helps to ensure sensitive data is not used for internal grounding or sent through web searches.
Figure 2: Microsoft Purview Data Loss Prevention for Microsoft 365 Copilot to safeguard prompts blocking responses to questions around Project Wingtip, as Project Wingtip is on the organization’s sensitive information block list
Automation and visibility to address oversharing
As part of Microsoft’s commitments and controls, Copilot responses only contain data the user has permission to access, but oversharing can still happen regardless of Copilot use.
Oversharing happens when an employee has been granted access to information and files that aren’t necessary for them to do their job. It’s generally an accidental oversight occurring when users share files too broadly, or when files aren’t protected in a way that persists regardless of location.
To help customers address oversharing for a Microsoft 365 Copilot deployment, we published the Oversharing blueprint, powered by two powerful tools: Microsoft Purview, and SharePoint Advanced Management - included in your Microsoft 365 Copilot license.
Figure 3: Tools to address oversharing
Last year we introduced Microsoft Purview Data security posture management for AI Data risk assessment to address oversharing concerns. This year, we expanded Data risk assessments to include item-level investigation and remediation.
Now, in addition to identifying sharing links across SharePoint sites, this enhanced capability enables bulk remediation by allowing admins to remediate or disable overshared links at scale. This helps organizations proactively reduce data exposure, strengthen compliance posture, and ensure sensitive files are only accessible to the right people. Now available in Public Preview.
Figure 4: Oversharing remediation tools
SharePoint Advanced Management (SAM), included in your Microsoft 365 Copilot license, concentrates on helping you manage content sprawl and clutter, control permissions and content access, and automate housecleaning chores like making sure all your sites have owners and content is attested on a continuous basis. It also provides targeted audit capabilities by tracking changes in the tenant configurations.
Figure 5: SharePoint Advanced Management
We’re excited to share these new SAM features:
- Content management assessment evaluates and improves content management with a single click to identify content risks, ensure compliance, and maintain data integrity. Generally Available.
- Permission report for a given user provides a detailed overview of all SharePoint and OneDrive access points, highlights oversharing risks, and enables admins to quickly identify and fix risky permissions across the organization for a given user. Generally Available.
- Agent insight report shows how agents interact with and access SharePoint sites and OneDrive accounts, and allows admins to take governance actions to manage these agents. Generally Available.
- Catalog management defines organizational content clusters for targeted actions and automatically groups SharePoint sites using existing sites and user properties to enable governance with precision and at scale. Available in Public Preview.
- Delegating control to site administrators allows site admins to manage Restricted access control (RAC) and Restricted content discovery (RCD). Available in Public Preview.
We’ve also heard many of you request support in working with the breadth of admin tools, reports and capabilities available in SharePoint—so we were especially excited to announce SharePoint Admin Agent, designed for administrators who are tasked with ensuring that their organizational content is governed properly in the AI era, with the help of AI. Now available in Public Preview.
The SharePoint Admin Agent removes the need for you to know which SAM reports to trigger, how to read the reports, or what actions to take. Now all you need to know is what problem you are trying to solve. The SharePoint Admin Agent will be equipped with skills to help you manage permissions, storage, lifecycle and access to start with, but we have much more planned for the future.
Figure 6: SharePoint Admin Agent
Baseline security mode
The adoption of AI can accelerate the ability for malicious actors to exploit configuration gaps, specifically legacy configurations that can be the most vulnerable, in your enterprise environment. To support security administrators with this challenge, we introduced Baseline security mode, which applies Microsoft-recommended security settings across Office, SharePoint, and Teams to standardize protections across your deployments, so you can more easily identify gaps and reduce risk.
Baseline security mode, included with your existing Microsoft 365 license, is Generally Available for Microsoft 365 and Entra. It allows you to:
- Act on tailored recommendations with preconfigured defaults that protect against known vulnerabilities from legacy configurations and emerging AI risks exploiting them, helping you keep pace with the rapidly evolving threat landscape and helping to ensure that security protections are current.
- Adopt changes safely and test configurations safely in simulation mode before rollout, making adoption straightforward, mitigating the risk of misconfiguration and helping organizations stay ahead of evolving threats.
- Take advantage of built-in protection and benefit from purpose-built integration, as BSM is optimized for Microsoft 365, and updated regularly to help deliver ongoing security enhancements.
To learn more on how to get started with Microsoft Baseline security mode, read our Insider Track blog and Learn doc.
Figure 7: Microsoft Baseline security mode
Closing
As we continue to enhance security and governance capabilities, Microsoft is committed to building trust with you, our customers, by equipping you with robust tools to effectively manage Copilot and agents. By delivering security and governance capabilities in Microsoft 365 Admin Center, Microsoft Purview, and SharePoint Advanced Management, we empower administrators to maintain transparency, security, and compliance in your Microsoft 365 environments. These innovations ensure your most valuable data is protected and provide your organization with the confidence to collaborate securely in an AI-powered workplace.
Related
- Copilot control system: aka.ms/CopilotControlSystem
- Ignite 2025: Copilot Control System and related updates for IT and Security Teams: aka.ms/CCSIgnite2025
- Learn more about Copilot Control System’s Security and Governance pillar: aka.ms/CCS/SecureGovern
- Blueprint guidance to help you enable Agent in Microsoft 365 Copilot: https://aka.ms/Copilot/Microsoft365AgentsBlueprint
- Microsoft Security for AI Ignite news: https://aka.ms/S4AI_IgniteNews2025
- Copilot readiness and resiliency with Microsoft 365: Ignite 2025 Edition | Microsoft Community Hub
- Microsoft Baseline security mode: https://aka.ms/MicrosoftBaselineSecurityMode