Dela via


Search for and delete Copilot data

Tip

eDiscovery (preview) is now available in the new Microsoft Purview portal. To learn more about using the new eDiscovery experience, see Learn about eDiscovery (preview).

You can use eDiscovery (Premium) and the Microsoft Graph Explorer to search for and delete user prompts and Microsoft 365 Copilot and Microsoft Copilot responses in supported applications and services. This feature can help you find and remove sensitive information or inappropriate content included in Copilot activities. This search and deletion workflow can also help you respond to a data spillage incident, when content containing confidential or malicious information is released through Copilot-related activity.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Before you search and delete Copilot data

  • To create an eDiscovery (Premium) case and use collections to search for Copilot activity data, you have to be a member of the eDiscovery Manager role group in the Microsoft Purview compliance portal. To delete Copilot data, you have to be assigned the Search And Purge role. This role is assigned to the Data Investigator and Organization Management role groups by default. For more information, see Assign eDiscovery permissions.

  • A maximum of 100 items per mailbox can be removed at one time. Because the capability to search for and remove Copilot data is intended to be an incident-response tool, this limit helps ensure that this data is quickly removed.

Step 1: Create a case in eDiscovery (Premium)

The first step is to create a case in eDiscovery (Premium) to manage the search and deletion process. For information about creating a case, see Use the new case format.

Step 2: Create a collection estimate

After you create a case, the next step is to create a collection estimate to search for the Copilot data that you want to delete. The deletion process you perform is Step 5 deletes all Copilot-related items that are found in the collection estimate (within the 10 item per location limit).

In eDiscovery (Premium), a collection is an eDiscovery search of the content locations that contain Copilot data that you want to delete. Create the collection estimate in the case that you created in the previous step. For more information, see Create a collection estimate.

Data sources for Copilot data

The following table lists the applications and services that are sources for Copilot data. All user prompts to Copilot and responses from Copilot are stored in a user's mailbox.

For this type of Microsoft Copilot data... Search this item class...
Excel IPM.SkypeTeams.Message.Copilot.Excel
Loop IPM.SkypeTeams.Message.Copilot.Loop
Microsoft 365 App IPM.SkypeTeams.Message.Copilot.M365App
Microsoft Copilot for Bing (Bizchat) IPM.SkypeTeams.Message.Copilot.BizChat
Microsoft Forms IPM.SkypeTeams.Message.Copilot.Forms
OneNote IPM.SkypeTeams.Message.Copilot.OneNote
Outlook IPM.SkypeTeams.Message.Copilot.Outlook
PowerPoint IPM.SkypeTeams.Message.Copilot.Powerpoint
Teams AI notes in Chat IPM.SkypeTeams.Message.TeamCopilot.AiNotes.Teams
Teams Channel IPM.SkypeTeams.Message.Copilot.Teams
Teams Chat IPM.SkypeTeams.Message.Copilot.Teams
Teams Copilot Chat (Bizchat) IPM.SkypeTeams.Message.Copilot.BizChat
Teams Meeting IPM.SkypeTeams.Message.Copilot.Teams
Teams Microsoft 365 Chat (BF) IPM.SkypeTeams.Message
WebChat IPM.SkypeTeams.Message.Copilot.WebChat
Whiteboard IPM.SkypeTeams.Message.Copilot.Whiteboard
Word IPM.SkypeTeams.Message.Copilot.Word

Note

In Step 4, you also have to identify and remove any holds and retention policies assigned to the mailbox that contains the type of Copilot data that you want to delete.

Tips for searching for Copilot data

To help ensure the most comprehensive collection of Copilot data, use the Type condition and select the Copilot activity option when you build the search query for the collection estimate. We also recommend including a date range or several keywords to narrow the scope of the collection to items relevant to your search and delete investigation.

For more information, see Build search queries for collections.

Identifying web queries in Microsoft 365 Copilot usage

With the web search enabled for Microsoft 365 Copilot or Microsoft Copilot to include the latest data from the web, the web search queries sent to Microsoft Bing are searchable in eDiscovery. For more information about web search, see Data, privacy, and security for web search in Microsoft 365 Copilot and Microsoft Copilot.

Complete the following steps for finding these web queries:

  1. Using the Condition builder in eDiscovery, search for Copilot activity using the filter Type, Equals any of, and Copilot activity.
  2. In the query results, download any single item.
  3. Open up the downloaded item in a text editor.
  4. Look for WebSearchQuery
  5. If the Copilot activity is involved in a Bing search query, WebSearchQuery is present in the downloaded file. It's followed by the specific query sent in the Microsoft Bing search query.

Step 3: Review and verify Copilot data to delete

The deletion process in Step 5 will delete the items returned by the collection. It's important that you review the collection estimate results to ensure that the collection only returns the items that you want to delete. To review a sample of items in a collection estimate, see the Next steps after a collection estimate is complete section in Create a collection estimate.

Additionally, you can use the collection statistics (specifically the Top Locations statistics) to generate a list of the data sources that contain items returned by the collection. Use this list in the next step to remove hold and retention policies from the user mailboxes that contain search results. For more information, see Collection statistics and reports.

Step 4: Remove holds and retention policies from data sources

Before you can delete Copilot data from a mailbox, you have to remove any hold or retention policy that is assigned to a target mailbox. If not, then the data you're trying to delete is retained.

Use the list of mailboxes that contain the Copilot data that you want to delete and determine if there's a hold or retention policy assigned to those mailboxes, and then remove the hold or retention policy. Be sure to identify the hold or retention policy that you remove so that you can reassign to the mailboxes in Step 7.

For instructions about how to identify and remove holds and retention policies, see Step 3: Remove all holds from the mailbox in Delete items in the Recoverable Items folder of cloud-based mailboxes on hold.

Step 5: Delete Copilot data

Note

Because Microsoft Graph Explorer is not available in some US Government clouds (GCC High and DOD), you must use PowerShell to accomplish these tasks. See the Delete Copilot data with PowerShell for details.

Now you're ready to delete Copilot data from user mailboexes. Use the Microsoft Graph Explorer to perform the following three tasks:

  1. Get the ID of the eDiscovery (Premium) case that you created in Step 1. This is the case that contains the collection created in Step 2.
  2. Get the ID of the collection that you created in Step 2 and verified the search results in Step 3. The search query in this collection returns the Copilot data to be deleted.
  3. Delete the Copilot data returned by the collection.

For information about using Graph Explorer, see Use Graph Explorer to try Microsoft Graph APIs.

Important

To perform these three tasks in Graph Explorer, you may have to consent to the eDiscovery.Read.All and eDiscovery.ReadWrite.All permissions. For more information, see the "Consent to permissions" section in Working with Graph Explorer.

Get the case ID

  1. Go to https://developer.microsoft.com/graph/graph-explorer and sign in to the Graph Explorer with an account that's assigned the Search And Purge role in the Microsoft Purview compliance portal.

  2. Run the following GET request to retrieve the ID for the eDiscovery (Premium) case. Use the value https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases in the address bar of the request query. Be sure to select v1.0 in the API version dropdown list.

    This request returns information about all cases in your organization on the Response preview tab.

  3. Scroll through the response to locate the eDiscovery (Premium) case. Use the displayName property to identify the case.

  4. Copy the corresponding ID (or copy and paste it to a text file). You'll use this ID in the next task to get the collection ID.

Tip

Instead of using the previous procedure to obtain the case Id, you can open the case in the Microsoft Purview compliance portal and copy the case Id from the URL.

Get the eDiscoverySearchID

  1. In Graph Explorer, run the following GET request to retrieve the ID for the collection that you created in Step 2, and contains the items you want to delete. Use the value https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases/{ediscoveryCaseID}/searches in the address bar of the request query, where {ediscoveryCaseID} is the CaseID that you obtained in the previous procedure.

  2. Scroll through the response to locate the collection that contains the items that you want to delete. Use the displayName property to identify the collection that you created in Step 3.

    In the response, the search query from the collection is displayed in the contentQuery property. Items returned by this query are deleted in the next task.

  3. Copy the corresponding ID (or copy and paste it to a text file). You'll use this ID in the next task to delete Copilot data.

Tip

Instead of using the previous procedure to obtain the search Id, you can open the case in the Microsoft Purview compliance portal. Open the case and navigate to the Jobs tab. Select the relevant collection and under Support information, find the job ID (the job ID displayed here is the same as the collection ID).

Delete Copilot data

  1. In Graph Explorer, run the following POST request to delete the items returned by the collection that you created in Step 2. Use the value https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases/{ediscoveryCaseID}/searches/{ediscoverySearchID}/purgeData in the address bar of the request query, where {ediscoveryCaseID} and {ediscoverySearchID} are the IDs that you obtained in the previous procedures.

    If the POST request is successful, an HTTP response code is displayed in a green banner stating that the request was accepted.

For more information on purgeData, see sourceCollection: purgeData.

Delete Copilot data with PowerShell

Note

Because Microsoft Graph Explorer is not available in the US Government cloud (GCC, GCC High, and DOD), you must use PowerShell to accomplish these tasks.

You can also delete Copilot data using PowerShell. For example, to delete Copilot data in the US Government cloud you could use a command similar to:

Connect-MgGraph -Scopes "ediscovery.ReadWrite.All" -Environment USGov

Invoke-MgGraphRequest -Method POST -Uri '/v1.0/security/cases/ediscoveryCases/<ediscoverySearchID>/searches/<search ID>/purgeData'

For more information on using PowerShell to delete Copilot data, see ediscoverySearch: purgeData.

Step 6: Verify Copilot data is deleted

After you run the POST request to delete Copilot data, this data is removed from the user's mailbox. There isn't any visible notification or confirmation for the user that the data has been deleted.

Deleted Copilot data is moved to the SubstrateHolds folder, which is a hidden mailbox folder. Deleted Copilot data is stored there for at least 1 day and then are permanently deleted the next time the timer job runs (typically between 1-7 days).

Step 7: Reapply holds and retention policies to user mailboxes

After you verify that the Copilot data is deleted, you can reapply the holds and retention policies to user mailboxes that you removed in Step 4.