

Search for and delete Copilot data in eDiscovery (preview)

You can use eDiscovery (preview) and the Microsoft Graph Explorer to search for and delete user prompts and Microsoft 365 Copilot and Microsoft Copilot responses in supported applications and services. This feature can help you find and remove sensitive information or inappropriate content included in Copilot activities. This search and deletion workflow can also help you respond to a data spillage incident, when content containing confidential or malicious information is released through Copilot-related activity.

Tip

Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.

Before you search and delete Copilot data

  • To create an eDiscovery (preview) case and search for Copilot activity data, you have to be a member of the eDiscovery Manager role group. To delete Copilot data, you have to be assigned the Search And Purge role. This role is assigned to the Data Investigator and Organization Management role groups by default. For more information, see Assign eDiscovery permissions.
  • A maximum of 10 items per mailbox can be removed at one time. Because the capability to search for and remove Copilot data is intended to be an incident-response tool, this limit helps ensure that this data is quickly removed.

Step 1: Create a case in eDiscovery (preview)

The first step is to create a case in eDiscovery (preview) to manage the search and deletion process.

Step 2: Create a search in eDiscovery (preview)

After you create a case, the next step is to search for the Copilot data that you want to delete. The deletion process that you perform in Step 5 deletes all Copilot-related items that are found in the search (within the limit of 10 items per location).

Data sources for Copilot data

The following table lists the applications and services that are sources for Copilot data. All user prompts to Copilot and responses from Copilot are stored in a user's mailbox.

| For this type of Microsoft Copilot data... | Search this item class... |
|---|---|
| Excel | IPM.SkypeTeams.Message.Copilot.Excel |
| Loop | IPM.SkypeTeams.Message.Copilot.Loop |
| Microsoft 365 App | IPM.SkypeTeams.Message.Copilot.M365App |
| Microsoft Copilot for Bing (Bizchat) | IPM.SkypeTeams.Message.Copilot.BizChat |
| Microsoft Forms | IPM.SkypeTeams.Message.Copilot.Forms |
| OneNote | IPM.SkypeTeams.Message.Copilot.OneNote |
| Outlook | IPM.SkypeTeams.Message.Copilot.Outlook |
| PowerPoint | IPM.SkypeTeams.Message.Copilot.Powerpoint |
| Teams AI notes in Chat | IPM.SkypeTeams.Message.TeamCopilot.AiNotes.Teams |
| Teams Channel | IPM.SkypeTeams.Message.Copilot.Teams |
| Teams Chat | IPM.SkypeTeams.Message.Copilot.Teams |
| Teams Copilot Chat (Bizchat) | IPM.SkypeTeams.Message.Copilot.BizChat |
| Teams Meeting | IPM.SkypeTeams.Message.Copilot.Teams |
| Teams Microsoft 365 Chat (BF) | IPM.SkypeTeams.Message |
| WebChat | IPM.SkypeTeams.Message.Copilot.WebChat |
| Whiteboard | IPM.SkypeTeams.Message.Copilot.Whiteboard |
| Word | IPM.SkypeTeams.Message.Copilot.Word |

Note

In Step 4, you also have to identify and remove any holds and retention policies assigned to the mailbox that contains the type of Copilot data that you want to delete.

Tips for searching for Copilot data

To help ensure the most comprehensive collection of Copilot data, use the Type condition and select the Copilot activity option when you build the search query. We also recommend including a date range or several keywords to narrow the scope of the search to items relevant to your search and delete investigation.

Identifying web queries in Microsoft 365 Copilot usage

When web search is enabled for Microsoft 365 Copilot or Microsoft Copilot to include the latest data from the web, the web search queries sent to Microsoft Bing are searchable in eDiscovery. For more information about web search, see Data, privacy, and security for web search in Microsoft 365 Copilot and Microsoft Copilot.

Complete the following steps for finding these web queries:

  1. Using the Condition builder in eDiscovery, search for Copilot activity using the filter Type, Equals any of, and Copilot activity.
  2. In the query results, download any single item.
  3. Open up the downloaded item in a text editor.
  4. Look for WebSearchQuery.
  5. If the Copilot activity is involved in a Bing search query, WebSearchQuery is present in the downloaded file. It's followed by the specific query sent in the Microsoft Bing search query.

Step 3: Review and verify Copilot data to delete in eDiscovery (preview)

The deletion process in Step 5 deletes the items returned by the search. It's important that you review the search results to ensure that the search only returns the items that you want to delete.

Additionally, you can use the search statistics (specifically the Top Locations statistics) to generate a list of the data sources that contain items returned by the search. Use this list in the next step to remove hold and retention policies from the user mailboxes that contain search results.

Step 4: Remove holds and retention policies from data sources

Before you can delete Copilot data from a mailbox, you have to remove any hold or retention policy that is assigned to a target mailbox. If not, then the data you're trying to delete is retained.

Use the list of mailboxes that contain the Copilot data that you want to delete to determine whether a hold or retention policy is assigned to those mailboxes, and then remove the hold or retention policy. Be sure to record each hold or retention policy that you remove so that you can reassign it to the mailboxes in Step 7.

Step 5: Delete Copilot data in Microsoft Graph Explorer

Note

Because Microsoft Graph Explorer is not available in some US Government clouds (GCC High and DOD), you must use PowerShell to accomplish these tasks. See the Delete Copilot data with PowerShell section for details.

Now you're ready to delete Copilot data from user mailboxes. Use the Microsoft Graph Explorer to perform the following three tasks:

  1. Get the ID of the eDiscovery case that you created in Step 1. This is the case that contains the search created in Step 2.
  2. Get the ID of the search that you created in Step 2 and verified the search results in Step 3. The query in this search returns the Copilot data to be deleted.
  3. Delete the Copilot data returned by the search.

For information about using Graph Explorer, see Use Graph Explorer to try Microsoft Graph APIs.

Important

To perform these three tasks in Graph Explorer, you may have to consent to the eDiscovery.Read.All and eDiscovery.ReadWrite.All permissions. For more information, see the "Consent to permissions" section in Working with Graph Explorer.

Get the case ID in Microsoft Graph Explorer

  1. Go to https://developer.microsoft.com/graph/graph-explorer and sign in to the Graph Explorer with an account that's assigned the Search And Purge role in the Microsoft Purview portal.
  2. Run the following GET request to retrieve the ID for the eDiscovery case. Use the value https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases in the address bar of the request query. Be sure to select v1.0 in the API version dropdown list. This request returns information about all cases in your organization on the Response preview tab.
  3. Scroll through the response to locate the eDiscovery case. Use the displayName property to identify the case.
  4. Copy the corresponding ID (or copy and paste it to a text file). You'll use this ID in the next task to get the search ID.

Tip

Instead of using the previous procedure to obtain the case Id, you can open the case in the Microsoft Purview portal and copy the case Id from the URL.

Get the eDiscoverySearchID in Microsoft Graph Explorer

  1. In Graph Explorer, run the following GET request to retrieve the ID for the search that you created in Step 2 and that contains the items you want to delete. Use the value https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases/{ediscoveryCaseID}/searches in the address bar of the request query, where {ediscoveryCaseID} is the CaseID that you obtained in the previous procedure.
  2. Scroll through the response to locate the search that contains the items that you want to delete. Use the displayName property to identify the search that you created in Step 3. In the response, the search query from the search is displayed in the contentQuery property. Items returned by this query are deleted in the next task.
  3. Copy the corresponding ID (or copy and paste it to a text file). You'll use this ID in the next task to delete Copilot data.

Tip

Instead of using the previous procedure to obtain the search Id, you can open the case in the Microsoft Purview portal. Open the case and navigate to the Jobs tab. Select the relevant search and under Support information, find the job ID (the job ID displayed here is the same as the search ID).

Delete Copilot data in Microsoft Graph Explorer

  1. In Graph Explorer, run the following POST request to delete the items returned by the search that you created in Step 2. Use the value https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases/{ediscoveryCaseID}/searches/{ediscoverySearchID}/purgeData in the address bar of the request query, where {ediscoveryCaseID} and {ediscoverySearchID} are the IDs that you obtained in the previous procedures.

    If the POST request is successful, an HTTP response code is displayed in a green banner stating that the request was accepted.

For more information on purgeData, see sourceCollection: purgeData.

Delete Copilot data with PowerShell

Note

Because Microsoft Graph Explorer is not available in the US Government cloud (GCC, GCC High, and DOD), you must use PowerShell to accomplish these tasks.

You can also delete Copilot data using PowerShell. For example, to delete Copilot data in the US Government cloud you could use a command similar to:

Connect-MgGraph -Scopes "ediscovery.ReadWrite.All" -Environment USGov

Invoke-MgGraphRequest -Method POST -Uri '/v1.0/security/cases/ediscoveryCases/<ediscoveryCaseID>/searches/<ediscoverySearchID>/purgeData'

For more information on using PowerShell to delete Copilot data, see ediscoverySearch: purgeData.
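
The three tasks from Step 5 (get the case ID, get the search ID, call purgeData) can be chained in one PowerShell function that refuses to continue on an ambiguous display name and shows the contentQuery before anything is deleted. This is an added example, not Microsoft's own code; the function names and the two display names are hypothetical placeholders, and it assumes the Microsoft.Graph.Authentication module is installed.

```powershell
# Added example (not from the original page). Helper and function names are hypothetical.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    $next = $Uri
    while ($next) {
        # Follow @odata.nextLink so a case or search on a later page is not missed.
        $page = Invoke-MgGraphRequest -Method GET -Uri $next
        $items += $page.value
        $next = $page.'@odata.nextLink'
    }
    return $items
}

function Remove-CopilotSearchResult {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$CaseName,
        [Parameter(Mandatory)][string]$SearchName
    )
    $base = '/v1.0/security/cases/ediscoveryCases'

    # Task 1: resolve the case ID by displayName; stop on zero or duplicate matches.
    $case = @(Get-GraphCollection $base | Where-Object { $_.displayName -eq $CaseName })
    if ($case.Count -ne 1) { throw "Expected 1 case named '$CaseName', found $($case.Count)." }

    # Task 2: resolve the search ID inside that case, with the same uniqueness check.
    $search = @(Get-GraphCollection "$base/$($case[0].id)/searches" |
        Where-Object { $_.displayName -eq $SearchName })
    if ($search.Count -ne 1) { throw "Expected 1 search named '$SearchName', found $($search.Count)." }

    # Show exactly what will be purged: every item returned by contentQuery is deleted.
    Write-Host "Case   : $($case[0].displayName) [$($case[0].id)]"
    Write-Host "Search : $($search[0].displayName) [$($search[0].id)]"
    Write-Host "Query  : $($search[0].contentQuery)"

    # Task 3: POST purgeData only after confirmation (-WhatIf gives a dry run).
    $purgeUri = "$base/$($case[0].id)/searches/$($search[0].id)/purgeData"
    if ($PSCmdlet.ShouldProcess($search[0].displayName, 'purgeData (delete items returned by this search)')) {
        Invoke-MgGraphRequest -Method POST -Uri $purgeUri
        # Emit a record for the incident log so holds can be reapplied in Step 7.
        [pscustomobject]@{ CaseId = $case[0].id; SearchId = $search[0].id; RequestedUtc = (Get-Date).ToUniversalTime() }
    }
}

Connect-MgGraph -Scopes 'eDiscovery.ReadWrite.All'   # add -Environment USGov for US Government clouds
Remove-CopilotSearchResult -CaseName 'PLACEHOLDER case name' -SearchName 'PLACEHOLDER search name' -WhatIf
```

Remove `-WhatIf` only after the printed contentQuery matches the search you verified in Step 3.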

Step 6: Verify Copilot data is deleted

After you run the POST request to delete Copilot data, this data is removed from the user's mailbox. There isn't any visible notification or confirmation for the user that the data has been deleted.

Deleted Copilot data is moved to the SubstrateHolds folder, which is a hidden mailbox folder. Deleted Copilot data is stored there for at least 1 day and is then permanently deleted the next time the timer job runs (typically between 1-7 days).

Step 7: Reapply holds and retention policies to user mailboxes

After you verify that the Copilot data is deleted, you can reapply the holds and retention policies to user mailboxes that you removed in Step 4.