Redgrave Legal 365: The Horse is Out of the Barn with Microsoft 365 Copilot Chat
Microsoft’s strategic shift has major implications for information governance and eDiscovery
Remember when Microsoft 365 Copilot first arrived? Organizations had to commit to a minimum of 300 seats and sign up for a full-year subscription—no exceptions. Today, those requirements are long gone. If desired, organizations can purchase even a single monthly license. However, despite relaxing those initial licensing constraints, Microsoft’s more dramatic shift lies in its broader strategic goal: embedding some version of its Copilot products onto every desktop, in every organization, and making it indispensable for daily tasks. The centerpiece of this strategy is Microsoft 365 Copilot Chat, a “free” version of Copilot that every user has access to, regardless of license level. But free isn’t truly free—the introduction of Copilot Chat into the enterprise also brings significant legal and compliance risks that organizations must proactively address.
Introducing Microsoft 365 Copilot Chat
Microsoft 365 Copilot Chat is Microsoft’s bold step towards universal access to generative AI, included at no additional charge in nearly all commercial and education plans (except government plans, expected mid-2025). It is Microsoft’s way of democratizing AI within the workplace. Although officially launched in January 2025 (see announcement here), in reality, similar functionality has been available and evolving since July 2023, under a revolving-door succession of names (“Bing Chat Enterprise,” “Copilot with Entra ID,” “Copilot with Graph-Grounded Data,” “BizChat,” “Business Chat,” “Copilot Chat,” and “Copilot for M365”).
With Copilot Chat now embedded across the Microsoft ecosystem—from Teams and Outlook to the Microsoft Copilot App—it’s clear Microsoft aims to make this AI assistant the primary gateway for productivity, collaboration, information access, and a user’s first stop in their normal day-to-day work.
Why Is the Horse out of the Barn When It Comes to Microsoft 365 Copilot Chat?
Here’s where things get tricky. Enabled by default in every M365 tenant, Microsoft 365 Copilot Chat quietly captures every user interaction—every prompt, response, referenced file, and linked document—all of which are searchable and preservable via Purview eDiscovery. Simultaneously, an audit record is captured for each interaction and retained for a minimum of six months (potentially longer depending on the organization’s configuration). Unless your IT department explicitly disables this feature, your organization is unknowingly accumulating vast troves of digital artifacts ripe for information governance and eDiscovery issues. Microsoft describes how to disable Microsoft 365 Copilot Chat here.
If your organization’s IT team hasn’t taken steps to disable Microsoft 365 Copilot Chat, the horse is already out of the barn, galloping across your M365 tenant and leaving behind a trail of digital artifacts. This poses critical information governance and eDiscovery questions:
- Do you have a retention strategy for Microsoft 365 Copilot Chat interactions? How long should they be retained?
- Do you have a strategy for the identification, preservation, and collection of Microsoft 365 Copilot Chat interactions?
- What is your organization’s strategy for handling hyperlinked files referenced in Microsoft 365 Copilot Chats (also referred to as “cloud attachments”)?
A Critical Distinction: Microsoft 365 Copilot Chat vs. Microsoft 365 Copilot
While Microsoft 365 Copilot Chat may be prancing about your M365 environment, that does not mean Microsoft 365 Copilot is also enjoying a trot through your landscape. Since Microsoft 365 Copilot requires a $30 per user per month license, many organizations have taken a deliberate approach towards acquiring and deploying this licensed version of Copilot, with some organizations electing not to invest in the tool at this time. For many organizations, it’s likely less a question of “whether” and more a question of “when” with respect to deploying Microsoft 365 Copilot, given its proximity to the Office suite of applications. With continued improvements and enhancements, the justification to acquire licenses will become more persuasive.
When comparing Microsoft 365 Copilot Chat and Microsoft 365 Copilot, there are two key points to keep in mind:
First, while Microsoft 365 Copilot Chat grounds its answers on knowledge gleaned from the world-wide web (if permitted – otherwise its answers are based on what the large language model “knows”), Microsoft 365 Copilot grounds its responses in organizational data. It “reasons” over the files, emails, chats, and other content that reside in your organization’s M365 tenant to which a user has access. This means new content created by Copilot can leverage institutional knowledge.
Second, Microsoft 365 Copilot is deeply integrated with Microsoft Word, PowerPoint, Excel, OneNote, and Whiteboard, and the list continues to grow. Users can invoke Copilot within these applications to create new content, summarize existing files, create Excel formulas, and generate graphics for PowerPoint slides – the functionality is extensive and continues to expand rapidly. Microsoft 365 Copilot Chat is not currently integrated with M365 applications, but the M365 Roadmap has clues indicating that Microsoft may make some features available to unlicensed users in the near future (e.g., Roadmap ID 498320).
Whether an Organization Licenses Copilot or Not, the End Result is the Same from an Information Governance and eDiscovery Perspective: Digital Artifacts
Although Microsoft 365 Copilot and Microsoft 365 Copilot Chat differ in several respects, they share a critical similarity with significant implications from an information governance and eDiscovery standpoint: both tools generate a common set of digital artifacts. These artifacts include the interactions between a user and Copilot, i.e., prompts and responses, as well as files that a user explicitly asks Copilot to reference during an interaction (Microsoft treats these as “cloud attachments,” creating a reference relationship between the interactions and the file).
A key point regarding these artifacts is that, regardless of which tool is used, the generated artifacts are stored in the same exact place: a hidden folder in the user’s Exchange Online mailbox (for interactions) and, for files, in OneDrive and SharePoint.
The Practical Impact You Can’t Afford to Ignore
Even if your IT team and leadership have decided not to deploy Microsoft 365 Copilot (the licensed version), unless Microsoft 365 Copilot Chat is actively disabled/blocked, the following is already happening at your organization:
- Microsoft 365 Copilot Chat interactions are being captured in a hidden folder within user mailboxes, making them accessible for discovery and likely included in eDiscovery collections from user mailboxes.
- Microsoft 365 Copilot Chat interactions are being retained and/or deleted according to Purview Retention Policies for Microsoft Teams chats, which may not align with your organization’s information governance goals and objectives.
- Microsoft 365 Copilot Chat interactions are generating hyperlink file references for cited files, resulting in a potentially staggering volume of additional files that could be included in eDiscovery collections.
- Copilot “Pages” are being created, introducing a new and challenging artifact category into your M365 tenant. Copilot Pages are in the .loop file format, which can present challenges from an eDiscovery search and collection perspective.
The Bottom Line: You May Already be a “Copilot Shop” (Whether You Know It or Not)
Unless an organization’s IT team has proactively taken steps to disable or restrict access to Microsoft 365 Copilot Chat (and some assuredly have), then that organization is likely already a “Copilot shop,” with thousands – perhaps millions – of Copilot artifacts lurking in user mailboxes and OneDrives. If this is the case, the horses are out of the barn, running free and wild. It is critical for information governance and eDiscovery professionals to take the lead, corral the herd, and ensure there are policies, processes, and workflows in place to address the digital artifacts Copilot leaves behind.
Checklist for Information Governance and eDiscovery Teams
As your organization evaluates the impact and implications of Microsoft 365 Copilot Chat, consider the following critical questions:
- Copilot Chat Enablement
  - Has your organization explicitly disabled Microsoft 365 Copilot Chat?
  - Remember: If Copilot Chat is turned off, users may resort to unsanctioned Generative AI platforms, like ChatGPT, creating additional risks. It may be preferable—from a risk management perspective—to enable and govern Copilot Chat rather than deal with uncontrolled external services.
- Retention and Discovery Strategy
  - If Copilot Chat is enabled, has your organization established retention policies specifically addressing the lifecycle of Copilot interactions, including prompts and responses?
  - Do you have defined workflows for identifying, preserving, and collecting Copilot interaction data for eDiscovery purposes?
  - Have you determined a strategy to manage and collect the files referenced within Copilot Chat interactions, which Microsoft classifies as “cloud attachments”?
  - Remember: Microsoft Purview can support retention and eDiscovery of this data.
- Copilot Pages and Notebooks
  - Have you evaluated whether Copilot Pages and Notebooks are enabled in your Microsoft 365 environment? If enabled, does your organization understand the types of artifacts created and precisely where they are stored?
  - Have you implemented specific retention and deletion policies governing content created within Copilot Pages and Notebooks?
  - Do you have an established strategy for identifying and collecting Copilot Pages content during discovery?
  - Remember: These newer features, integrated within Copilot Chat, generate additional digital artifacts requiring new governance and discovery strategies.
- Assessing Copilot Chat Usage
  - Do you understand how your organization’s workforce currently uses Microsoft 365 Copilot Chat? For instance, is Copilot Chat supplementing or even replacing traditional search engines and external information sources?
  - Remember: If Copilot Chat is replacing internet-based search behaviors, recognize that this shift carries significant governance and eDiscovery implications. Unlike traditional internet searching, Copilot interactions generate persistent, retrievable digital artifacts and audit logs. This fundamentally alters the evidentiary landscape, leaving behind an extensive, easily discoverable digital breadcrumb trail that organizations must proactively manage.
By addressing these areas proactively, your organization can maximize the benefits of Copilot Chat while effectively managing associated legal and compliance risks.
How Redgrave LLP Can Help
Redgrave LLP, a boutique law firm focused on Information Law, has both the legal skill and technical expertise needed to assess your organization’s risk profile with respect to Microsoft 365 Copilot Chat – and help you create a defensible strategy and plan that addresses the information governance and eDiscovery implications of the service while ensuring your organization can take full advantage of the benefits the technology can deliver. Redgrave is uniquely positioned to help organizations like yours maximize the benefits of Generative-AI technology, such as Microsoft 365 Copilot Chat, while addressing and minimizing the legal risks these tools introduce.
Redgrave Legal 365
These developments underscore the importance of maintaining close alignment between IT, Legal, and Information Governance teams as AI tools become increasingly embedded in daily workflows. Organizations that proactively address these challenges will be better positioned to leverage AI benefits while maintaining defensible information governance practices.
Redgrave continues to monitor Microsoft’s AI developments and their implications for eDiscovery, information governance, and privacy. Redgrave Legal 365 offers a comprehensive framework of insights, strategies, and targeted solutions, designed to navigate the complexities inherent in Microsoft 365 environments. Among Legal 365’s offerings are fixed-fee, modular legal advisory tracks that integrate deep Microsoft 365 technical expertise with privileged legal insight to identify hidden eDiscovery, information governance, and AI risks, transforming them into clear, actionable plans. Delivered via single-day, cross-functional workshops and concise executive read-outs, our legal advisory tracks empower corporate legal and IT leaders with actionable perspectives on configuration gaps, Copilot readiness, legal risk management, and prioritized next steps, enabling innovation without compromising compliance.
For assistance with assessing these new features’ impact on your organization, updating your eDiscovery procedures, or learning more about our Legal 365 offerings, please contact John Collins, Managing Director [jcollins@redgravellp.com] or Staci Kaliner, Managing Director [skaliner@redgravellp.com].
The views expressed in this article are those of the authors and do not necessarily represent the views of the Firm or any of its clients.