If your organization uses Microsoft Purview DLP Copilot policies to restrict what Copilot can and cannot process, there is a meaningful update arriving in April 2026. Microsoft is expanding DLP enforcement so that sensitivity-label-based restrictions now apply to Word, Excel, and PowerPoint files in all storage locations. That includes files saved on a user’s local device, not just files in SharePoint or OneDrive.
This is a behind-the-scenes infrastructure change that closes a compliance gap many organizations did not know existed. No policy changes are required. If your DLP policies are already configured, the extended coverage kicks in automatically.
This update is linked to Microsoft 365 Roadmap ID 557255.
What Is Changing and Why It Matters
Until now, Microsoft Purview DLP Copilot enforcement based on sensitivity labels only worked for files stored in SharePoint or OneDrive for Business. The reason was architectural: AugLoop, the service that powers Copilot’s document processing, needed a SharePoint or OneDrive URL to call Microsoft Graph and retrieve the file’s sensitivity label. Files stored locally did not have such a URL, so DLP enforcement could not apply to them.
That means there was a genuine gap. A user working on a sensitivity-labeled Word document saved to their desktop or a local folder could invoke Copilot without any DLP restriction. The same policy that blocked Copilot for a labeled file in SharePoint had no effect on the identical file sitting in the user’s Downloads folder.
Microsoft has fixed this by updating the Office clients and AugLoop so that AugLoop can now read the sensitivity label directly from the Office client, without needing a cloud storage URL. As a result, DLP enforcement applies consistently across all locations:
- SharePoint
- OneDrive for Business
- Local device storage
- Other storage locations accessible to Word, Excel, and PowerPoint
What Users Will Experience
When Copilot is blocked by a DLP policy, users will not see their file’s content processed by Copilot. This behavior is already familiar for SharePoint and OneDrive files. From April 2026, users will see that same consistent enforcement regardless of where the file is stored. There are no new prompts or warnings specific to local files. The experience mirrors what already exists for cloud-stored files.
Rollout Timeline
According to Microsoft, this should be rolling out around April 2026.
| Phase | Scope | Start | Expected Completion |
|---|---|---|---|
| General Availability | Worldwide and GCC | April 2026 | May 2026 |
There is no Public Preview phase for this update. The feature will be enabled automatically for any tenant that has relevant DLP policies configured with sensitivity-label conditions that include the Copilot location. Tenants without such policies configured will not notice any change.
How to Review Your DLP Policies for Copilot
No action is required for this update to take effect. However, this is a useful moment to review your existing policies and confirm they are set up correctly before the rollout completes. Here is how to do that.
Review via the Microsoft Purview Portal
- Sign into the Microsoft Purview portal as a Compliance Admin or higher.
- Navigate to Data Loss Prevention and then Policies.
- Filter or search for policies that include the Microsoft 365 Copilot and Copilot Chat location.
- Open each relevant policy and review the Conditions section.
- Confirm that your rules use Content contains > Sensitivity labels as the condition for restricting Copilot.
- Check that the action is set to Restrict or block the use of content in Microsoft 365 Copilot and Copilot Chat.
- If you make any changes, save the policy and consider running it in test mode before full enforcement.
Review via PowerShell
You can also audit your DLP policies using Security and Compliance PowerShell. First, connect:
powershell
Connect-IPPSSession -UserPrincipalName [email protected]Then list your DLP policies:
powershell
Get-DlpCompliancePolicy | Where-Object { $_.Mode -ne "PendingDeletion" } | Select-Object Name, Mode, EnabledTo inspect the rules within a specific policy:
powershell
Get-DlpComplianceRule -Policy "Your Policy Name" | Select-Object Name, BlockAccess, ContentContainsSensitivityLabelReview the output to confirm which policies include sensitivity-label conditions and whether those rules are active.
Admin Tips
Check which sensitivity labels are in scope. Not every DLP policy that uses sensitivity labels will affect Copilot. Only policies where the Microsoft 365 Copilot location is explicitly included will apply. Go through each relevant policy to confirm the Copilot location is active.
No policy migration needed. Existing policies extend automatically to local files. You do not need to create new policies, duplicate existing ones, or reconfigure anything.
Update internal documentation. If your organization has documented what Copilot DLP does and does not cover, update it to reflect that local file storage is now included. This matters for compliance audits and helpdesk guidance.
Communicate with your security and compliance teams. This is a low-disruption update, but teams responsible for compliance reporting should know the gap is now closed. It may also affect how they report on Copilot DLP coverage going forward.
Monitor alerts after rollout. Once April 2026 arrives, check your DLP alerts and activity reports in the Purview portal. You may start seeing new alerts for local file scenarios. This can also reveal users who are regularly working with sensitivity-labeled files outside SharePoint or OneDrive, which may itself be a governance concern worth addressing.
Test with a pilot group. Even though no configuration is needed, it is good practice to monitor a small pilot group after the rollout to confirm behavior is as expected before drawing broader conclusions.
License Requirements
To use Microsoft Purview DLP policies that restrict Copilot based on sensitivity labels, the following licenses are required:
- Microsoft 365 Copilot for any user whose Copilot experience is governed by DLP policies
- Microsoft Purview DLP capabilities, which are included in Microsoft 365 E3, E5, Microsoft 365 Business Premium, and Office 365 E5
Review the Microsoft Purview service description for the full licensing breakdown if you are unsure what your organization currently holds.
The Paul-Take
This update closes a gap that was genuinely hard to explain to compliance teams. The typical answer when they asked ‘what happens if a user opens a sensitivity-labeled file locally and uses Copilot?’ was something like ‘well, it depends on where the file is stored.’ That is not a satisfying answer when you are trying to enforce a consistent data governance policy across your organization.
The technical fix is clean. Instead of requiring a cloud storage URL to look up the sensitivity label via Microsoft Graph, the Office client now passes the label directly to AugLoop. That makes the enforcement location-agnostic, which is exactly how it should work.
What I want to flag is this: this update only helps if you have actually configured DLP policies for Copilot with sensitivity-label conditions. If those policies are not in place, extending enforcement to local files does not protect you. It just means that once your policies are configured properly, they will work everywhere. So if Copilot governance is still on your roadmap, use this update as the prompt to get those policies set up. The enforcement infrastructure is now in place. What it enforces is still up to you.
MVP Reference List
- Roadmap ID: 557255
- Learn: Data Loss Prevention overview: Learn about data loss prevention | Microsoft Purview
- Learn: DLP for Microsoft 365 Copilot: Learn about using Microsoft Purview DLP to protect interactions with Microsoft 365 Copilot