The 60-second answer

Copilot security and compliance for enterprise turns on four irreducible questions: does the data boundary actually segregate your prompts and grounding data from the foundation-model training surface, are your existing Microsoft Purview sensitivity labels and DLP policies enforced inside the Copilot reasoning path, can your eDiscovery and audit teams retrieve Copilot prompts and responses, and what is the licensing cost of the security stack that makes the answer to the first three “yes.” The honest 2026 answer: the base Copilot for Microsoft 365 SKU at $30 per user per month is the cheap part. Doing it safely usually requires E5 (or E5 Compliance), Purview Information Protection, and an Entra ID P2 underpinning — pushing the all-in cost to $80–$120 per Copilot-licensed user per month.

Copilot security and compliance: why this is a procurement question

Copilot security and compliance for enterprise is a procurement question because every meaningful safeguard maps to a Microsoft licensing SKU. The base Copilot for Microsoft 365 entitlement at $30 per user per month buys you the foundation-model reasoning, the Microsoft 365 grounding via Graph, and the data-boundary commitments in the Online Services Terms. It does not buy you sensitivity-label enforcement during Copilot reasoning, it does not buy you eDiscovery over Copilot interactions, and it does not buy you the Conditional Access posture that keeps Copilot from being weaponised by a compromised account. Each of those sits behind a higher-priced security or compliance SKU.

The structural mistake we see is enterprises buying Copilot for Microsoft 365 against an E3 base, then discovering at month three that the legal, compliance, and security teams have stopped the rollout pending controls the licensing stack does not provide. The result is a stranded $30-per-user-per-month commitment with a 12-month minimum term and no clear path to deployment. The procurement discipline is to scope the security and compliance posture before the Copilot purchase, not after.

The Copilot data boundary — what Microsoft does and does not commit to

Microsoft commits, in the Online Services Terms and the Product Terms, that Copilot for Microsoft 365 prompts and responses are not used to train the foundation models, that grounding data from your Microsoft 365 tenant is processed within the tenant’s data residency commitments, and that the Customer Data classification in the OST applies. Microsoft does not commit that prompts cannot be subpoenaed, does not commit to a specific retention period on the back-end logging surface (the Copilot interaction log is governed by the M365 audit retention policy your tenant configures), and does not commit that the underlying foundation model is hosted in the EU Data Boundary (the EU Data Boundary commitment covers Customer Data in transit and at rest, not the model weights). Treat the data boundary as a contractual commitment that is enforced by your tenant configuration, not by default.

Purview Information Protection — the must-have layer

Sensitivity labels via Microsoft Purview Information Protection are the single most important security control in a Copilot deployment. Sensitivity labels follow the file and constrain what Copilot can reason over: a document labelled “Confidential / Restricted to Legal” will not surface in a Copilot response to a user outside that group. Purview Information Protection ships in two SKUs: Microsoft Purview Information Protection P1 (labelling, manual classification) is included in M365 E3; Microsoft Purview Information Protection P2 (auto-labelling, ML-based classification, on-prem scanner) is included in M365 E5 or available as a $7/user/month add-on.

The pragmatic rule: do not deploy Copilot for Microsoft 365 to any user who is not already covered by Purview Information Protection P1 at minimum, and prefer P2 for users handling regulated data. The Copilot reasoning path respects the label; the label has to exist before it can be respected. Re-tagging an entire SharePoint estate after Copilot is live is an 18-month exercise with no protection in the interim.


eDiscovery, audit, and the Copilot prompt log

Copilot prompts and responses are logged inside the Microsoft 365 substrate and are surfaceable via Microsoft Purview Audit and eDiscovery. The licensing implications:

  • Audit (Standard). 90-day retention. Included in E3. Captures the fact that Copilot interactions occurred, but not the prompt text in a form most legal teams accept as defensible.
  • Audit (Premium). 1-year default, configurable to 10 years. Included in E5 or as a $3/user/month add-on. Captures Copilot prompts and responses in the audit log with the granularity legal teams require.
  • eDiscovery (Premium). Hold and review of Copilot interactions across the tenant. Included in E5 or as a $7/user/month add-on.
  • Communication Compliance. Policy-based review of Copilot interactions for harassment, regulated communications, and supervisory review use cases. Included in E5 or as a $4/user/month add-on.

An enterprise that wants defensible Copilot eDiscovery on an E3 base is paying $30 (Copilot) + $3 (Audit Premium) + $7 (eDiscovery Premium) + $7 (Purview IP P2) = $47 of add-on stack per user per month before reaching parity with what E5 ships natively. At that price point the E3-vs-E5 step-up decision usually pivots in favour of E5.

Entra ID — the identity prerequisite

Copilot inherits the identity posture of the user it acts for. Conditional Access, MFA, risk-based sign-in, and Privileged Identity Management all matter to Copilot security because a compromised account is a compromised Copilot. The Entra ID baseline for safe Copilot deployment:

  • Entra ID P1. Conditional Access, basic risk signals. Included in M365 E3. Mandatory.
  • Entra ID P2. Identity Protection, PIM, access reviews. Included in M365 E5 or as a $9/user/month add-on. Strongly recommended for any user with elevated Copilot data access.

The realistic posture is Entra ID P2 for at least the population handling regulated data, and P1 as the floor across the rest of the Copilot-licensed estate.

The all-in cost of safe Copilot per user

Scenario                                | Base stack | Security add-ons                                              | Copilot | All-in
----------------------------------------|------------|---------------------------------------------------------------|---------|-------
E3 base, base Copilot                   | $36 (E3)   | None — not safe                                               | $30     | $66
E3 base, safe Copilot                   | $36 (E3)   | $17 (IP P2 + Audit Prem + eDisc Prem) + $9 (Entra P2)        | $30     | $92
E5 base, safe Copilot                   | $57 (E5)   | Included                                                      | $30     | $87
E5 + Comm Compliance, safe Copilot      | $57 + $4   | Included                                                      | $30     | $91
E7 Frontier base, safe Copilot          | $99 (E7)   | Included + Defender XDR + Sentinel                            | $30     | $129

The arithmetic explains why Microsoft is so willing to discount the E5 step-up alongside Copilot purchases. E5 plus Copilot lands roughly five dollars cheaper per user than the E3-plus-add-on path while reducing the procurement complexity from seven SKUs to two. This is the lever to push at renewal — see our analysis of 2026 E5 and E7 promotional pricing.

Anonymised case study: 9,400 seats, eDiscovery rebuild

A 9,400-employee asset manager deployed Copilot for Microsoft 365 on an E3 base in late 2025. By month four the legal team had blocked further rollout pending defensible eDiscovery; the security team had escalated a Conditional Access gap on the Copilot-licensed population. The compliance retrofit landed at $54 per user per month of add-on stack on top of E3 plus Copilot — total all-in $120 per user. We modelled the alternative: E5 step-up plus Copilot at $87 per user, a $33 per user monthly saving on the affected 4,200 high-sensitivity users. Annualised saving: $1.66M. The asset manager renegotiated the E5 step-up at the next true-up and consolidated the seven-SKU posture into the E5 plus Copilot pair.

$1.66M
Annualised saving after consolidating an E3 + Copilot + 7 add-on security stack into E5 + Copilot for 4,200 high-sensitivity users at a 9,400-seat asset manager.

Copilot security and compliance is solvable, but it is a licensing-architecture problem before it is a technical one. Map the security and compliance posture against the SKUs that enforce it, take the all-in view, and use the result to drive the Copilot licensing strategy at the next EA renewal. Pair the analysis with a structured view of the EA tier-collapse landscape and the Copilot purchase stops being a $30 add-on and starts being a strategic licensing decision.