Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Security is foundational to Microsoft's approach to Microsoft 365 Copilot. This article explains how Microsoft secures Copilot and how it inherits Microsoft 365 security, compliance, and privacy protections.
Note
This article describes Microsoft's security approach for Microsoft 365 Copilot. It doesn't include deployment or data-readiness steps.
For rollout planning and readiness guidance, see Configure a secure and governed data foundation for Microsoft 365 Copilot.
For deep technical details about data flow, protections, and auditing, see:
Microsoft's defense-in-depth approach
Microsoft applies a multilayered, defense-in-depth strategy to secure Microsoft 365 Copilot at every level, grounded in enterprise security, privacy, and compliance standards. This layered approach helps ensure that if one control is compromised, other protections remain in place.
For more information, see Data, Privacy, and Security for Microsoft 365 Copilot.
Identity and access protection
Microsoft 365 Copilot is built on Microsoft 365 identity and access controls and aligns with Zero Trust principles such as strong identity verification, least-privilege access, and continuous evaluation.
For more information, see Apply principles of Zero Trust to Microsoft 365 Copilot.
Data protection and compliance
Microsoft 365 Copilot honors your organization's existing security and data protection controls. Copilot only accesses data that users are authorized to access, and it respects Microsoft 365 compliance, privacy, and data residency commitments.
For more information, see How data is protected and audited in Microsoft 365 and Microsoft 365 Copilot.
Enterprise data protection
Enterprise data protection (EDP) describes the contractual and technical commitments that apply to customer data for Microsoft 365 Copilot and Microsoft 365 Copilot Chat under Microsoft Product Terms and the Data Protection Addendum.
For details, see the following articles:
- Enterprise data protection in Microsoft 365 Copilot and Microsoft 365 Copilot Chat
- Data, Privacy, and Security for Microsoft 365 Copilot
Preventing oversharing
Microsoft 365 Copilot operates within existing permissions and access controls. Overshared or poorly governed content can affect Copilot results and increase risk.
For prescriptive remediation guidance, see the following articles:
- Secure & governed data foundation for Microsoft 365 Copilot: A deployment blueprint
- How to configure a secure and governed foundation for Microsoft 365 Copilot
- Get ready for Microsoft 365 Copilot and agents with SharePoint Advanced Management
Security dashboard
Microsoft 365 Copilot includes built-in security controls from Microsoft Purview. To help you monitor, investigate, and act on AI-related risk, Microsoft provides two complementary dashboards:
- The Copilot security dashboard in the Microsoft 365 admin center focuses on Microsoft 365 Copilot data protection, oversharing, and compliance insights.
- The Microsoft Security Dashboard for AI provides a cross-product view of AI risk that spans Microsoft 365 Copilot, Copilot Studio agents, Microsoft Foundry apps and agents, and third-party AI apps and agents.
Use the Microsoft 365 admin center dashboard for day-to-day Copilot data governance, and use the Security Dashboard for AI when you need a unified, organization-wide view of AI security posture across Microsoft Defender, Microsoft Entra, and Microsoft Purview.
Copilot security dashboard in the Microsoft 365 admin center
The Copilot security dashboard provides insights and controls to help you:
- Prevent data leaks with a data loss prevention (DLP) policy.
- Manage data oversharing.
- Strengthen data compliance.
To view the dashboard in the Microsoft 365 admin center, select Copilot > Overview > Security.
To display the Security section, you need the Global Reader role. To make changes, the AI administrator role is required.
Microsoft Security Dashboard for AI
Microsoft Security Dashboard for AI is a unified dashboard that helps CISOs and AI risk leaders understand and address AI risk across the enterprise. It aggregates posture and real-time risk signals from Microsoft Defender, Microsoft Entra, and Microsoft Purview into a single interactive experience. Security leaders can govern and collaborate while security teams continue to work in the tools they already use.
The dashboard provides:
- Real-time AI risk visibility. An AI risk scorecard on the Overview tab highlights where risks exist and assesses your organization's implementation of Microsoft security-for-AI capabilities.
- Comprehensive AI inventory. Broad coverage of AI assets, including:
- Microsoft 365 Copilot
- Microsoft Copilot Studio agents
- Microsoft Foundry applications and agents
- Third-party AI models, applications, and agents such as Google Gemini, OpenAI ChatGPT, and MCP servers
- Unmanaged and shadow AI agents discovered in your environment
- AI-powered insights with Security Copilot. Suggested prompts help you drill down into risk assessments, correlate identity, data, and security signals, and prioritize the incidents that matter most for Microsoft 365 Copilot and related agentic workloads.
- Tailored recommendations and remediation paths. The dashboard surfaces prioritized recommendations, supports task delegation, and integrates with Microsoft Teams to coordinate remediation of oversharing and data-leak risks in Copilot and other AI agents.
- Executive reporting. Board-ready analytics and compliance insights for leadership reviews.
Access and permissions
Open the Security Dashboard for AI at ai.security.microsoft.com, or enter it from the Microsoft Defender, Microsoft Entra, or Microsoft Purview portals.
The dashboard uses your existing Defender, Entra, and Purview permissions - no separate role is required. Eligible Defender, Entra, and Purview customers can access the Security Dashboard for AI at no additional licensing cost.
For the full list of supported products, permissions details, and how to review and assign security recommendations, see Assess your organization's AI risk with Microsoft Security Dashboard for AI.
Compare the two dashboards
| Capability | Copilot security dashboard (Microsoft 365 admin center) | Microsoft Security Dashboard for AI |
|---|---|---|
| Primary scope | Microsoft 365 Copilot data protection, DLP, oversharing, and compliance | Cross-product AI risk across agents, apps, and platforms |
| AI asset coverage | Microsoft 365 Copilot | Microsoft 365 Copilot, Copilot Studio agents, Microsoft Foundry apps and agents, and third-party models/apps/agents (for example, Google Gemini, OpenAI ChatGPT, MCP servers), including unmanaged and shadow AI agents |
| Signals aggregated | Microsoft Purview signals for Copilot | Microsoft Defender + Microsoft Entra + Microsoft Purview signals |
| AI-powered insights | — | Security Copilot–powered prompts, summaries, and risk prioritization |
| Remediation workflow | Purview-based policies (for example, DLP) | Tailored recommendations, task delegation, and Microsoft Teams integration |
| Access path | admin.microsoft.com → Copilot > Overview > Security | ai.security.microsoft.com or entry points in Defender, Entra, and Purview portals |
| Roles / licensing | Global Reader to view; AI Administrator to make changes | Uses existing Defender/Entra/Purview permissions; no additional licensing for eligible customers |
| Availability | Generally available | Public preview |
Note
The Security Dashboard for AI is currently in preview. Capabilities and coverage might change before general availability. Check the security for ai article for the latest supported products and permissions.
Related guidance
Use these articles for deeper coverage of related articles:
Deployment and readiness
Architecture and data handling
Oversharing remediation