Investigate and delete Copilot interactions with Microsoft Purview eDiscovery (Premium)
Microsoft Purview eDiscovery is a tool for handling digital data in legal cases and compliance. It can also be used to search and delete Copilot data within Microsoft 365, making it valuable for managing data interactions with Copilot.
There are two versions available: Standard and Premium, each catering to different needs. The Standard version offers basic search and case management functions, suitable for everyday data tasks. On the other hand, the Premium version, designed for more complex investigations, includes advanced data analysis, machine learning-based culling, and extensive custodian management.
Conduct investigations and deletions of Copilot data with eDiscovery (Premium)
Prerequisites
Step | Description | Learn more |
---|---|---|
Understand eDiscovery (Premium) and its search capabilities | Get familiar with how Microsoft Purview eDiscovery's search functions work. | - Microsoft Purview eDiscovery solutions - Overview of Microsoft Purview eDiscovery (Premium) |
Check licensing requirements for eDiscovery | Ensure you have the right Microsoft 365 E3/E5 licenses for Copilot and Microsoft Purview eDiscovery (Premium). | Microsoft Purview eDiscovery service description |
Ensure appropriate eDiscovery (Premium) permissions are in place | - To create a case, you must be a member of the eDiscovery Manager role group - To delete Copilot data, the Search And Purge role is needed. | Assign eDiscovery permissions in the compliance portal |
Note: A maximum of 10 items per mailbox can be removed at one time. The capability to search for and remove Copilot data is intended to be an incident-response tool. This limit helps ensure that this data is quickly removed.
Search for and delete Microsoft 365 Copilot data
Step 1: Create an eDiscovery (Premium) case
Start your investigation by setting up an eDiscovery (Premium) case. This case acts as your control center for Copilot interaction investigations. For information about creating a case, see Use the new case format.
For a list of data sources for Copilot data, see Data sources for Copilot data.
Step 2: Define the scope
After creating a case, the next step is to create a collection estimate. This helps you find the Copilot data you want to delete. In Step 5, you delete all Copilot-related items discovered in the estimate.
In eDiscovery (Premium), a collection is an eDiscovery search of the content locations that contain Copilot data that you want to delete. Create the collection estimate in the case that you created in the previous step. For more information, see Create a collection estimate.
Step 3: Analyze the data
In Step 5, the deletion process removes items found in the collection. Ensure the collection estimate includes only the items you want to delete by reviewing its results. To review a sample, see the Next steps after a collection estimate is complete section in Create a collection estimate. You can also use collection statistics like Top Locations to list data sources with collected items for the next step of removing hold and retention policies from user mailboxes. For more information, see Collection statistics and reports.
Step 4: Prepare for deletion
Before deleting Copilot data from a mailbox, remove any hold or retention policies assigned to it. If you don't, the data you're trying to delete is retained.
Check the mailboxes with Copilot data for assigned hold or retention policies. Remove these policies, making sure to note which ones you remove for reassignment in Step 7. For instructions about how to identify and remove holds and retention policies, see Step 3: Remove all holds from the mailbox in Delete items in the Recoverable Items folder of cloud-based mailboxes on hold.
Step 5: Execute Copilot data deletion
To delete Copilot data from user mailboxes, there are two options:
Microsoft Graph Explorer:
- Get the ID of the eDiscovery (Premium) case you created in Step 1. This case contains the collection from Step 2.
- Retrieve the ID of the collection you created in Step 2, where you verified the search results in Step 3. This collection's search query identifies the Copilot data for deletion.
- Delete the Copilot data identified by the collection.
- For more detailed information on deleting Copilot data with the Microsoft Graph Explorer, see Delete Copilot data.
- To learn more about using Graph Explorer, see Use Graph Explorer to try Microsoft Graph APIs.
PowerShell:
If you're in a US Government cloud like GCC High or DOD where Microsoft Graph Explorer isn't available, you can use PowerShell.
- For information on deleting Copilot data in PowerShell, see Delete Copilot data with PowerShell.
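The three Graph steps above (resolve the case ID, resolve the collection ID, send the delete request) can be scripted as in the following added example, which is not code from the original page. It uses the Microsoft Graph v1.0 eDiscovery endpoints; the `send` transport, the sample IDs and names, and the choice to refuse the purge while a mailbox is still on hold or has more than 10 matching items are assumptions of this example.

```python
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases"
MAX_ITEMS_PER_MAILBOX = 10  # per-run limit stated in the prerequisites note

def find_id(items, display_name):
    """Return the id of the single Graph object with this displayName."""
    matches = [i["id"] for i in items if i.get("displayName") == display_name]
    if len(matches) != 1:
        raise LookupError(f"expected one match for {display_name!r}, got {len(matches)}")
    return matches[0]

def preflight(mailboxes):
    """Return reasons not to purge yet, based on the Step 3 and Step 4 review."""
    problems = []
    for mbx in mailboxes:
        if mbx["holds"]:
            problems.append(f"{mbx['address']}: still held by {', '.join(mbx['holds'])}")
        if mbx["items"] > MAX_ITEMS_PER_MAILBOX:
            problems.append(f"{mbx['address']}: {mbx['items']} items exceeds the "
                            f"{MAX_ITEMS_PER_MAILBOX}-item limit per run")
    return problems

def purge_copilot_data(send, case_name, collection_name, mailboxes):
    """Run the Step 5 sequence; send(method, url) is an assumed transport
    that performs an authenticated Graph call and returns parsed JSON."""
    problems = preflight(mailboxes)
    if problems:
        return {"purged": False, "problems": problems}
    case_id = find_id(send("GET", GRAPH)["value"], case_name)
    searches_url = f"{GRAPH}/{quote(case_id)}/searches"
    search_id = find_id(send("GET", searches_url)["value"], collection_name)
    purge_url = f"{searches_url}/{quote(search_id)}/purgeData"
    send("POST", purge_url)  # the delete request; Step 6 covers verification
    return {"purged": True, "request": purge_url}

# Constructed stand-in for Graph responses so the example runs offline.
def fake_send(method, url):
    if method == "GET" and url == GRAPH:
        return {"value": [{"id": "case-0001", "displayName": "Sensitive Data Breach Investigation"}]}
    if method == "GET" and url.endswith("/searches"):
        return {"value": [{"id": "search-0002", "displayName": "Copilot Teams estimate"}]}
    return {}

if __name__ == "__main__":
    held = [{"address": "user@example.com", "items": 4, "holds": ["Finance retention"]}]
    print(purge_copilot_data(fake_send, "Sensitive Data Breach Investigation",
                             "Copilot Teams estimate", held))
```

Matching the case and collection by exact display name, and failing when the match is not unique, keeps the purge from running against the wrong collection.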
Step 6: Verify Copilot deletion
After running the POST request to delete Copilot data, the data is removed from the user's mailbox without any visible notification. The deleted Copilot data is temporarily stored in the hidden SubstrateHolds folder for at least 1 day and is permanently deleted during the next timer job (usually within 1-7 days).
Step 7: Reinstate policies
After you verify that the Copilot data is deleted, you can reapply the holds and retention policies to user mailboxes that you removed in Step 4.
Apply using eDiscovery (Premium) with Copilot
Now, let's see how to use eDiscovery (Premium) in real situations. Let's look at two scenarios: investigating a data breach and doing a compliance audit for inappropriate content. These examples show you how you can use eDiscovery (Premium) for managing Copilot interactions in your organization.
Scenario 1: Investigate unauthorized disclosure of sensitive information
Background: A large financial institution discovers that sensitive client data is potentially shared externally via Microsoft Teams, where Copilot is extensively used for drafting and summarizing communications. The legal team needs to investigate this potential data breach to understand the scope and mitigate any risks.
eDiscovery steps:
- Create an eDiscovery (Premium) case: The legal team creates a new eDiscovery (Premium) case named Sensitive Data Breach Investigation.
- Define the scope: They define a collection estimate focusing on Teams communications looking for keywords related to the sensitive data and using item classes like IPM.SkypeTeams.Message.Copilot.Teams.
- Analyze the data: The team reviews the collection estimate results to identify any instances where sensitive information was shared. They pay special attention to the user prompts and Copilot responses in Teams chats.
- Prepare for deletion: After identifying the specific items that contain sensitive data, the team ensures no holds or retention policies are obstructing the deletion of these items.
- Execute Copilot data deletion: They use the Microsoft Graph Explorer to delete the identified items, thus containing the data breach.
- Verify Copilot deletion: The team monitors the SubstrateHolds folder to confirm that the data is permanently deleted and reapplies any necessary policies to the mailboxes.
- Reinstate policies: Finally, they reinstate any removed holds or retention policies to ensure ongoing compliance.
Scenario 2: Audit compliance in a healthcare organization
Background: A healthcare organization uses Copilot across various Microsoft 365 applications, including Teams and Word. To adhere to healthcare privacy regulations like HIPAA, they need to ensure that no protected health information (PHI) is being improperly shared or stored due to user interactions with Copilot.
eDiscovery steps:
- Create an eDiscovery case: The compliance team creates a case named HIPAA Compliance Audit in eDiscovery (Premium).
- Define the scope: They set up a collection estimate focusing on searching for PHI-related keywords and item classes such as IPM.SkypeTeams.Message.Copilot.Teams and IPM.SkypeTeams.Message.Copilot.Word.
- Analyze the data: The team analyzes the results to identify instances of PHI being shared or generated in communications with Copilot, which could constitute a compliance breach.
- Prepare for deletion: They check for legal holds or retention policies on mailboxes containing potential compliance violations.
- Execute Copilot data deletion: Using Microsoft Graph Explorer, the team deletes items that contain PHI and don't comply with HIPAA regulations.
- Verify Copilot deletion: Post-deletion, they ensure that the PHI data is removed from the mailboxes and monitor the SubstrateHolds folder for confirmation.
- Reinstate policies: After confirming deletion, any previously removed holds or policies are reapplied to the mailboxes.
Learn more
- Get started with eDiscovery (Premium)
- Search for and delete Microsoft 365 Copilot data
- Content stored in Exchange Online mailboxes for eDiscovery
- Use Graph Explorer to try Microsoft Graph APIs