Skip to Content

MC1202962: Prevent/Fix Audit log property generated from Default Data Loss Prevention Policy for Microsoft 365 Copilot and Chat

By: Author Alex Lim

Posted on

Categories Update

Home » Update » MC1202962: Prevent/Fix Audit log property generated from Default Data Loss Prevention Policy for Microsoft 365 Copilot and Chat

Summary

  • An incorrect property in the audit log shows a Microsoft email address instead of “Microsoft Corporation” for a default DLP policy deployment.
  • The default DLP policy is in simulation mode to protect sensitive Microsoft 365 Copilot prompts.
  • Audit events may indicate creation by a Microsoft service engineer, which is expected behavior, not a security issue.
  • No action is required from organizations; the deployment was through secure automated infrastructure.
  • Microsoft will deploy a fix to ensure accurate representation of system-initiated activity in future audit logs.

Admin Impact: Low
User Impact: Low
Release Start: 15 Jan 2026
Release End: 31 Jan 2026
Services: Purview
Category: Prevent or fix issues
Tags: Admin Action

History

12/22/2025 Item Added to Message Center

Microsoft Message

An incorrect property was recorded in the audit log for a default Data Loss Prevention (DLP) policy deployment, showing a Microsoft email address instead of “Microsoft Corporation” as the user. Microsoft recently enabled a default DLP policy in simulation mode to help protect sensitive Microsoft 365 Copilot prompts, named “Default DLP policy – Protect sensitive M365 Copilot interactions”.

This is an informational update on how this default policy may appear in your audit logs.

How this will affect your organization

Some organizations may see audit events for the creation of the default DLP policy where the “User” field displays the name of a Microsoft service engineer rather than a system or service principal.

These entries may resemble:

  • Activity: Created DLP rule / Created DLP policy
  • User: Email address ending in “@microsoft.com”

This may cause the audit record to appear as if the policy was created by an external user.

Important: This is expected behavior and not a security incident

We want to assure you of the following:

  • There is no compromise of your tenant.
  • No Microsoft engineers accessed your tenant data.
  • The behavior is caused by a formatting issue in the audit log pipeline for this particular default policy deployment.
  • The policy was deployed using Microsoft’s secure, automated service infrastructure, and your organization’s data and admin boundaries remain fully respected.

Audit log entries are informational only and reflect the rollout mechanism, not user activity.

What you need to do to prepare

No action is required from your organization.

What Microsoft is doing:

Microsoft is deploying a fix to ensure future audit logs correctly reflect system-initiated activity. The rollout is expected to start during mid-January and compete by end of January 2026

The fix does not change your existing DLP configuration or protections.

Microsoft is also taking measures to ensure this issue does not recur in the future and to prevent further confusion, using “Microsoft Corporation” for any system-initiated changes.