Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
3.5. Reflection Checkpoint
Key Takeaways
- Microsoft Purview is the governance platform: Information Protection (labels), DLP (prevent sharing), IRM (risky user behavior), Communication Compliance (policy violations), Data Lifecycle (retention), DSPM for AI (AI activity), eDiscovery (legal holds and search)
- Sensitivity labels apply to files, emails, Teams meetings, SharePoint sites, and M365 Groups — not just Office documents
- Copilot accesses data through Microsoft Graph using the signed-in user's permissions — it cannot access data the user can't access
- The root cause of Copilot data exposure is pre-existing oversharing — fix permissions before deploying Copilot
- Compliance Manager = posture scorecard and improvement roadmap. Activity Explorer = behavioral audit trail. DSPM for AI = AI activity discovery.
- Legal holds in eDiscovery preserve deleted content invisibly — users can delete, but M365 keeps it
Connecting Forward
Phase 4 covers the operational side: how to license, configure, monitor, and govern Copilot and agents. You'll see how the governance foundations from this phase — permissions, labels, DLP — apply directly to Copilot administration tasks.
Self-Check Questions
- A user reports that Copilot surfaced a document they believe is highly confidential. You check and confirm the user technically had access to the document's SharePoint library. What Purview tool would you use to investigate how that file got shared so broadly?
- An organization applies a sensitivity label of "Highly Confidential - Legal" to a contract document. This label enforces encryption. Will Copilot be able to summarize this document for a user who is not in the label's authorized recipients list? Why or why not?
Written by Alvin Varughese
Founder • 15 professional certifications