CASB with a Custom Gatelet configured for Microsoft Copilot

• Currently the Custom Gatelet is unable to block content for Microsoft Copilot or Bing Chat as the upload is injected into the header.

For Gatelets: Feature Request  "ISFR-3036: Gatelet for Microsoft Copilot" has been created requesting full gatelet functionality.

For Securlets: (API): Securlet is not yet possible without further Microsoft development of an API.

Microsoft has suggested one of the following approaches to restrict sensitive information in response to users' prompts. In other words, preventing the accidental leakage of sensitive information by Copilot to an employee as a response to a prompt from the employee.

Approach 1 "Restricted SharePoint Search"

Restricted SharePoint Search allows admins to disable organization-wide search, and to restrict Copilot to a curated set of SharePoint sites. Admins can set up an allowed list of curated SharePoint sites.

Additional Documentation:

Restricted SharePoint Search

Approach 2 "BlockContentAnalysisService"

This approach uses Microsoft sensitivity labels with the new BlockContentAnalysisService setting to restrict the content.  The label can be applied to content automatically through a DLP incident were the response action sets the MPIP label.  The content would need to be labeled before the BlockContentAnalysisService applies.

Additional documentation:

Block Copilot Access to Individual Office Documents

BlockContentAnalysisService

Symantec DLP / MIP Integration

Remediation with Microsoft Purview MPIP using the o365 Securlet and DLP Enforce

Protecting data through copilot.microsoft.com

• Content inspection of chat messages is not supported through a custom gatelet
• Files uploaded through copilot use Sharepoint can be blocked through a custom Gatelet with the following configuration.
• Create a custom gatelet.
  • Domains: sharepoint.com, copilot.microsoft.com
  • Enable Scan request payload

Bing has copilot.  Uploads were blocked, chats were not blocked.