Issue with M365 Copilot Agent Accessing Documents

Sreejith Jayathilakan Nair 0 Reputation points Microsoft Employee
2025-07-22T11:32:44.4766667+00:00

Hi Team,

We have developed a custom agent within M365 Copilot to assist with document analysis, summarising changes, conducting impact assessments, and more. The agent takes a specification document link as input, with most documents stored in OneDrive and some in SharePoint.

Until yesterday evening (6 PM GMT), the agent was functioning as expected. We had invested considerable time fine-tuning the instructions, and everything was working smoothly. However, this morning, the agent failed to execute any prompts and returned an error indicating that the documents are protected and inaccessible.

We are confident that no changes have been made to the documents themselves, nor to their privacy policies or the security settings of the folders or containers. Could you please confirm if there have been any changes on the Copilot side?

It’s important to note that approximately 99% of our documents in OneDrive are marked as “Confidential.” If M365 Copilot is unable to access content from OneDrive under these conditions, it will significantly impact our workflow. Please let us know if we have any changes in this area, especially since yesterday.

Thank you for your support.

Microsoft Copilot | Microsoft 365 Copilot | Development

1 answer

  1. Karan Shewale 1,125 Reputation points Microsoft External Staff
    2025-07-23T10:29:05.2166667+00:00

    Hi Sreejith,

    Thank you for sharing the details and follow-up. From your description, this clearly looks like a service-side intermittent issue with M365 Copilot’s ability to access sensitivity-labeled documents rather than something caused by your custom agent or tenant settings. The fact that the error resolves itself after about six hours, and has now occurred twice within two weeks, strongly suggests a token refresh or policy evaluation cycle issue within the Microsoft Graph or Purview Information Protection layers. Essentially, Copilot relies on Graph to fetch and decrypt content, but when documents are labeled “Confidential,” Copilot must validate usage rights such as EXTRACT and VIEW. If there’s even a temporary delay in token refresh, permission caching, or label decryption, Copilot can mistakenly return the “file is protected” error despite the user having proper access.

    This behavior aligns with Microsoft’s own documentation, which states that Copilot enforces sensitivity labels and can only return results if the EXTRACT usage right is granted (Microsoft Learn: Sensitivity labels). The architecture documentation for Copilot also highlights how document protection and auditing are tightly integrated with Purview policies, meaning any latency in policy enforcement can temporarily block Copilot’s access (Microsoft Learn: Copilot data protection and auditing). Furthermore, Microsoft lists known issues with sensitivity labels across Office and SharePoint/OneDrive environments that may occasionally affect content access (Known issues with sensitivity labels).

    Given the recurrence pattern, I recommend monitoring for the next occurrence and capturing timestamps, error messages, and correlation IDs from Graph logs if possible. This data will be valuable if you escalate internally via ICM to the Copilot or Graph engineering teams. In the meantime, you may want to implement retry logic in your agent so that temporary failures don’t block entire workflows. Since most of your workload relies on confidential documents, this is important feedback for the Copilot product group, and raising it internally could help improve reliability and error messaging for enterprise scenarios.

    Thanks,  

    Karan Shewale. 

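The retry logic and evidence capture recommended in the answer above, as an added example that is not part of the original thread or any Microsoft code. It assumes the agent fetches documents through an HTTP call you control; the `fetch` callable, the set of retryable status codes and the sample responses are constructed for illustration, while `request-id`, `client-request-id` and `Retry-After` are the response headers Microsoft Graph returns.

```python
import time
from datetime import datetime, timezone

# Assumption: statuses treated as possibly transient. A 403 can also be a real
# denial (label without EXTRACT), so retries are capped and never silent.
RETRYABLE = {403, 423, 429, 503}

def fetch_with_evidence(fetch, url, attempts=4, base_delay=2.0, sleep=time.sleep):
    """Call fetch(url) -> (status, headers, body), retrying transient failures.

    Returns (body_or_None, incidents); each incident carries the timestamp,
    error message and correlation IDs to attach to an escalation.
    """
    incidents = []
    for attempt in range(1, attempts + 1):
        status, headers, body = fetch(url)
        if status == 200:
            return body, incidents
        hdrs = {k.lower(): v for k, v in headers.items()}
        incidents.append({
            "utc": datetime.now(timezone.utc).isoformat(),
            "attempt": attempt,
            "status": status,
            "request_id": hdrs.get("request-id"),
            "client_request_id": hdrs.get("client-request-id"),
            "message": str(body)[:200],  # error text only, truncated
        })
        if status not in RETRYABLE or attempt == attempts:
            break
        retry_after = hdrs.get("retry-after", "")
        delay = float(retry_after) if retry_after.isdigit() else base_delay * 2 ** (attempt - 1)
        sleep(delay)
    return None, incidents

def demo():
    """Constructed scenario: two 'protected' errors, then success."""
    calls = []
    def fake_fetch(url):
        calls.append(url)
        if len(calls) < 3:
            headers = {"request-id": f"constructed-id-{len(calls)}"}
            return 403, headers, "file is protected"
        return 200, {}, "document text"
    delays = []
    body, incidents = fetch_with_evidence(fake_fetch, "https://example.invalid/spec.docx", sleep=delays.append)
    return body, incidents, delays

if __name__ == "__main__":
    print(demo())
```

Keep the returned incident list even when a retry succeeds, since the timestamps and request IDs of the failed attempts are what a support escalation needs.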
