Security for Microsoft 365 Copilot

Security is foundational to Microsoft's approach to Microsoft 365 Copilot. This article explains how Microsoft secures Copilot and how it inherits Microsoft 365 security, compliance, and privacy protections.

Diagram depicting ways Microsoft secures Microsoft 365 Copilot.

Note

This article describes Microsoft's security approach for Microsoft 365 Copilot. It doesn't include deployment or data-readiness steps.

For rollout planning and readiness guidance, see Configure a secure and governed data foundation for Microsoft 365 Copilot.

For deep technical details about data flow, protections, and auditing, see:

Microsoft's defense-in-depth approach

Microsoft applies a multilayered, defense-in-depth strategy to secure Microsoft 365 Copilot at every level, grounded in enterprise security, privacy, and compliance standards. This layered approach helps ensure that if one control is compromised, other protections remain in place.

For more information, see Data, Privacy, and Security for Microsoft 365 Copilot.

Identity and access protection

Microsoft 365 Copilot is built on Microsoft 365 identity and access controls and aligns with Zero Trust principles such as strong identity verification, least-privilege access, and continuous evaluation.

For more information, see Apply principles of Zero Trust to Microsoft 365 Copilot.

Data protection and compliance

Microsoft 365 Copilot honors your organization's existing security and data protection controls. Copilot only accesses data that users are authorized to access, and it respects Microsoft 365 compliance, privacy, and data residency commitments.

For more information, see How data is protected and audited in Microsoft 365 and Microsoft 365 Copilot.

Enterprise data protection

Enterprise data protection (EDP) describes the contractual and technical commitments that apply to customer data for Microsoft 365 Copilot and Microsoft 365 Copilot Chat under Microsoft Product Terms and the Data Protection Addendum.

For details, see the following articles:

Preventing oversharing

Microsoft 365 Copilot operates within existing permissions and access controls. Overshared or poorly governed content can affect Copilot results and increase risk.

For prescriptive remediation guidance, see the following articles:

Security dashboard

Microsoft 365 Copilot includes built-in security controls from Microsoft Purview. To help you monitor, investigate, and act on AI-related risk, Microsoft provides two complementary dashboards:

Use the Microsoft 365 admin center dashboard for day-to-day Copilot data governance, and use the Security Dashboard for AI when you need a unified, organization-wide view of AI security posture across Microsoft Defender, Microsoft Entra, and Microsoft Purview.

Copilot security dashboard in the Microsoft 365 admin center

The Copilot security dashboard provides insights and controls to help you:

To view the dashboard in the Microsoft 365 admin center, select Copilot > Overview > Security.

To display the Security section, you need the Global Reader role. To make changes, the AI administrator role is required.

Microsoft Security Dashboard for AI

Microsoft Security Dashboard for AI is a unified dashboard that helps CISOs and AI risk leaders understand and address AI risk across the enterprise. It aggregates posture and real-time risk signals from Microsoft Defender, Microsoft Entra, and Microsoft Purview into a single interactive experience. Security leaders can govern and collaborate while security teams continue to work in the tools they already use.

The dashboard provides:

  • Real-time AI risk visibility. An AI risk scorecard on the Overview tab highlights where risks exist and assesses your organization's implementation of Microsoft security-for-AI capabilities.
  • Comprehensive AI inventory. Broad coverage of AI assets, including:
    • Microsoft 365 Copilot
    • Microsoft Copilot Studio agents
    • Microsoft Foundry applications and agents
    • Third-party AI models, applications, and agents such as Google Gemini, OpenAI ChatGPT, and MCP servers
    • Unmanaged and shadow AI agents discovered in your environment
  • AI-powered insights with Security Copilot. Suggested prompts help you drill down into risk assessments, correlate identity, data, and security signals, and prioritize the incidents that matter most for Microsoft 365 Copilot and related agentic workloads.
  • Tailored recommendations and remediation paths. The dashboard surfaces prioritized recommendations, supports task delegation, and integrates with Microsoft Teams to coordinate remediation of oversharing and data-leak risks in Copilot and other AI agents.
  • Executive reporting. Board-ready analytics and compliance insights for leadership reviews.

Access and permissions

Open the Security Dashboard for AI at ai.security.microsoft.com, or enter it from the Microsoft Defender, Microsoft Entra, or Microsoft Purview portals.

The dashboard uses your existing Defender, Entra, and Purview permissions - no separate role is required. Eligible Defender, Entra, and Purview customers can access the Security Dashboard for AI at no additional licensing cost.

For the full list of supported products, permissions details, and how to review and assign security recommendations, see Assess your organization's AI risk with Microsoft Security Dashboard for AI.

Compare the two dashboards

Capability Copilot security dashboard (Microsoft 365 admin center) Microsoft Security Dashboard for AI
Primary scope Microsoft 365 Copilot data protection, DLP, oversharing, and compliance Cross-product AI risk across agents, apps, and platforms
AI asset coverage Microsoft 365 Copilot Microsoft 365 Copilot, Copilot Studio agents, Microsoft Foundry apps and agents, and third-party models/apps/agents (for example, Google Gemini, OpenAI ChatGPT, MCP servers), including unmanaged and shadow AI agents
Signals aggregated Microsoft Purview signals for Copilot Microsoft Defender + Microsoft Entra + Microsoft Purview signals
AI-powered insights Security Copilot–powered prompts, summaries, and risk prioritization
Remediation workflow Purview-based policies (for example, DLP) Tailored recommendations, task delegation, and Microsoft Teams integration
Access path admin.microsoft.comCopilot > Overview > Security ai.security.microsoft.com or entry points in Defender, Entra, and Purview portals
Roles / licensing Global Reader to view; AI Administrator to make changes Uses existing Defender/Entra/Purview permissions; no additional licensing for eligible customers
Availability Generally available Public preview

Note

The Security Dashboard for AI is currently in preview. Capabilities and coverage might change before general availability. Check the security for ai article for the latest supported products and permissions.

Use these articles for deeper coverage of related articles: