
Worth Reading – Is Microsoft 365 Copilot Tracking Your Prompts? The Real Enterprise Answer

I don’t often talk about this with non-IT people because I’m always afraid they will start to get paranoid, but I also wonder why they would be surprised.

Yes, your Copilot prompts and responses are stored in the M365 tenant when you’re using an Enterprise account, and someone “could” read them.

This is also true:

Microsoft’s retention documentation explains that generative AI message data can be stored behind the scenes in hidden mailbox folders. These folders are not meant to be directly browsed by ordinary users or administrators. They exist so compliance administrators can search them through eDiscovery tools.

That is an important boundary. The data can exist. It can be searched. But the intended access path is compliance tooling, not casual workplace monitoring.

https://open.substack.com/pub/the365edge/p/is-microsoft-365-copilot-tracking

You may read that and think that means your employer can see every prompt you enter in Copilot. To some extent, that is true, in the same way that they can see every email message or Teams chat you type with your work account. It is a work account, after all. The key piece missing from that simple statement is that it’s not easy to do, and, by design, there are usually very few people who can collect and review that data. Usually, the effort required to do that isn’t worth it. So, if it has happened to you, it’s likely because someone or something has raised a suspicion that warranted an investigation. Most users never reach this level of scrutiny.

As one of the people who could do that, let me also assure you, we don’t have time to go through your Copilot prompts for fun. It’s not something I’m volunteering to do, and even when asked, I’ll push back on the need to spend that much time on it. Your manager can’t do it without me. I don’t want to do it unless it’s absolutely necessary, and Microsoft is storing them, not reading and cataloging them. (Unless you do something that violates a policy, like prompting Copilot about committing violence, but you’re not doing that, are you?)

We’ve all got better things to do than read all your Copilot interactions, but it wouldn’t hurt to remember that they are kept for however long your employer decides to keep them, too. They may come back to embarrass you down the road.

By the way, I’m going to be conducting a webinar for the International Data Protection User Group on June 10, explaining how Copilot and other interactions show up in Purview eDiscovery. You can register for the event and start getting involved in future events here: https://luma.com/hx9jm3oy. I’ve attended some of the previous sessions, and it’s a great way to learn more about Purview. 
