Key concepts - Copilot Studio security and governance

Copilot Studio follows a number of security and governance controls and processes, including geographic data residency, data loss prevention (DLP), multiple standards certifications, regulatory compliance, environment routing, and regional customization. See the Geographic data residency in Copilot Studio article for information and details on how data is handled in Copilot Studio.

This article provides an overview of the security practices followed by Microsoft Copilot Studio, a list of security and governance controls and features, and examples and suggestions for employing safety and security within Copilot Studio for your agent makers and end users.

Security and governance controls

Control Core scenario Related content
DLP controls Admins can use DLP policies in the Power Platform admin center to govern the use and availability of Copilot Studio features and agent capabilities, including:
  • Maker and end-user authentication
  • Knowledge sources
  • Actions, connectors, and skills
  • HTTP requests
  • Publication to channels
  • AppInsights
  • Triggers
Configure data loss prevention policies for copilots
Makers audit logs in Microsoft Purview for admins Admins have full visibility into maker audit logs in Microsoft Purview. View audit logs
Audit logs in Microsoft Sentinel for admins Admins can monitor and receive alerts on agent activities through Microsoft Sentinel. View audit logs
Run connectors and flows with end-user credentials Agent makers can configure connectors and flows to use the agent’s end-user’s credentials, as default. Use actions with custom copilots (preview)
Sensitivity label for Knowledge with SharePoint Agent makers and end users can see the highest sensitivity label applied to sources used in the agent's response and individual reference labels in the chat. View sensitivity labels for Sharepoint data sources
End-user authentication with certificates Admins and makers can configure agents to use Entra ID manual authentication with certificate provider. Configure user authentication
Maker security warning Makers can see security alerts for their agent before publishing it when security and governance default configurations are modified. Automatic security scan in Copilot Studio
Environment routing Admins can configure environment routing to provide their makers a safe space to build agents. Work with Power Platform environments
Maker welcome message Admins can configure a maker welcome message to inform makers about important privacy and compliance requirements. Work with Power Platform environments
Autonomous agents governance with DLP Admins can manage agent capabilities with triggers using DLP policies, ensuring protection against data exfiltration and other risks. Data loss prevention example - Block event triggers in agents

Security Development Lifecycle

Copilot Studio follows the Security Development Lifecycle (SDL). The SDL is a set of strict practices that support security assurance and compliance requirements. Learn more at Microsoft Security Development Lifecycle Practices.

Data processing and license agreements

The Copilot Studio service is governed by your commercial license agreements, including the Microsoft Product Terms and the Data Protection Addendum. For the location of data processing, refer to the geographical availability documentation.

Compliance with standards and practices

The Microsoft Trust Center is the primary resource for Power Platform compliance information.

Learn more at Copilot Studio compliance offerings.

Data loss prevention and governance

Copilot Studio has an extensive set of Data Loss Prevention features to help you manage the security of your data, along with Power Platform policies.

Additionally, to further govern and secure Copilot Studio using generative AI features in your organization, you can:

Finally, Copilot Studio supports securely accessing customer data using Customer Lockbox.