Notes from the field: What really drives Copilot Prompt Gallery’s “suggested files”
Understanding the signals behind Copilot’s file suggestions and why governance still matters.
During a rollout discussion for Copilot, a colleague received a question that revealed a common misunderstanding:
Why does the Prompt Gallery suggest three files when starting a prompt like “List key points from <file>,” when Copilot Graph Connectors are disabled?
This question matters because transparency is critical for adoption in regulated environments. Some clients, including this one, intentionally turn off the Graph Connectors for Microsoft 365 Copilot service plan, as they’re not ready yet to start indexing external data sources into Microsoft Graph. Disabling Graph Connectors limits Copilot’s reach to third-party or line-of-business systems, but it does not affect the signals already present in Microsoft 365 nor does it disable access to Microsoft Graph in general. Lack of transparency or clarity is a key concern organization have when it comes to adopting new technology.
It’s easy for technical people to take things for granted, and this was one of those moments for me. The file suggestions in Prompt Gallery are not random. Officially, all suggestions are powered by ContextIQ but it’s likely that this is an orchestrator service connecting to various other endpoints. In the case of files, I think ContextIQ leverages Microsoft Graph item insights, specifically the used insight, which surfaces files a user has recently viewed or modified in OneDrive or SharePoint. In either case, both ContextIQ and Graph Item Insights are separate from the Graph Connectors feature that extends Copilot’s data sources. All of them live under the broader Microsoft Graph umbrella, which is probably why the confusion exists. In short, Prompt Gallery is not inventing context; it is surfacing signals that already exist in Microsoft 365.
The Delve legacy and why this matters in the age of Copilot
When Delve first arrived, many enterprises reacted by disabling it after users saw files in the UI they shouldn’t have access to, and teams worried about exposure. Such a move never addresses the root cause, but sweeps the issue under the virtual carpet. If a user can see a file in Delve or via item insights today, it is because permissions already allowed it. The real issue is overprivileged and overshared data.
The access risks organizations faced with Delve and are facing with Copilot today, is likely an evolution in how we manage access to files:
Back in the day, everything was stored on file shares. IT granted access on a per-request basis initiated by the data owner. There was little to no real self-service and access reviews where not as common as they are today. Control was centralized and change was slow.
Taking a leap forward entering the world as we know it today. With Microsoft 365, self service and rapid enablement became the norm, allowing users to self-create groups and teams which improved cross-team collaboration. It was awesome! It also meant that end-users are self-managing security boundaries and much of the traditional IT gatekeeping was removed.
The result might have been predictable and we called it “oversharing” - the act of sharing sensitive data beyond the intended or required audience. Sadly, we’ve seen many cases where highly sensitive data was shared too broadly, which led to internal overexposure and has contributed to external data leaks.
Disabling Delve then, or disabling Graph Item Insights now, is only effective for hiding the symptoms. It does not reduce the overexposure of data but makes it less visible, and a such reduces the likelihood an end-user accesses a sensitive file they shouldn’t have access to. Classic risk management tactics at its finest.
From Delve to Item Insights: why this matters for Copilot governance
Delve was retired in December 2024, but the same signals now power Copilot experiences through Microsoft Graph item insights. Delve was built on the Office Graph, which evolved into Microsoft Graph. The same collaboration signals that once drove Delve’s “Discover” experience now power item insights across Microsoft 365, including the file suggestions you see in the Copilot Prompt Gallery.
This transition matters because the privacy controls have changed. In the Delve era, admins could toggle Delve on or off in the SharePoint admin center, and that setting indirectly influenced other insights-driven experiences. Since July 2021, those legacy controls no longer apply. Microsoft Graph privacy settings for item insights fully replaced the old Delve controls. If you disable item insights at the tenant or group level, you remove the signals that power recommendations in Microsoft 365, including Prompt Gallery suggestions.
Key differences from the Delve model:
Granularity: Item insights can now be controlled at the organization, group, or user level through the Microsoft 365 admin center or Graph API.
Scope: These settings govern all experiences powered by item insights, not just one app. Turning them off affects Copilot, Microsoft Search, and profile cards.
Transparency: Users can view and adjust their own item insights settings in My Account, which was not possible in the same way with Delve.
Why this matters for Copilot adoption
When users see file suggestions in Prompt Gallery, they might assume Copilot is doing something new or risky. In reality, these are similar to signals that powered Delve’s “Recent” and “Trending” cards. The difference is that Copilot makes them more visible in a conversational context. Understanding these governance nuances is only part of the story. To fully appreciate how Copilot behaves, we also need to look at the two primary contexts in which it operates: Web and Work.
Web versus Work, the eternal struggle
In the early days of Copilot, the difference between Web and Work contexts was crystal clear. Work mode operated entirely within your organization’s Microsoft 365 environment, leveraging Microsoft Graph to access emails, documents, calendars, and other internal resources. Web mode, on the other hand, relied solely on public internet data for tasks like research and market analysis.
That distinction still exists, but the lines have blurred. Today, both Web and Work contexts can use ContextIQ. This allows users to reference files, people, meetings, and emails when in Work mode. However, currently Web mode is limited to files only. A user cannot reference other resources (email, chat, etc.) and the LLM cannot reason over resources or utilize signals beyond the referenced scope. Soon, Microsoft will add the ability to also reference emails.
What does this mean in practice? Both modes can reason over files stored in OneDrive for Business or SharePoint Online, but only Work mode can extend beyond those files to other enterprise signals like conversations or meetings. This difference matters because it impacts the depth of context Copilot can apply when generating responses. If your prompt requires organizational nuance, such as referencing recent Teams discussions, using the Work mode is essential. Web mode remains ideal for external research or when you need a broader perspective.
Some key takeaways
Although Microsoft 365 Copilot launched in 2023, we cannot assume every client is at the same technical maturity level. Misunderstandings are common, and each one is an opportunity to raise awareness on how Copilot works, beyond the marketing slides and high-level documentation.
Sometimes it is a “simple fix”, like connecting the dots between the common understanding of Graph Item Insights (or ContextIQ) and the suggested files in Prompt Gallery. Other times, it means navigating the complexity of license and service plans, feature limitations, and understanding how Microsoft Purview policies interact with GenAI services to enforce data security and governance.
Here are four principles that consistently help:
Understand the difference between Graph connectors and ContextIQ
Graph Connectors extend Copilot to external data sources. ContextIQ surface signals from content already in Microsoft 365, similar to how Microsoft Graph Item Insights surfaces relevant content. Disabling one does not disable the other.Disabling item insights hides symptoms, but is ineffective risk management
Just because you can’t see something doesn’t mean it isn’t there. Turning off insights removes visibility on overshared data, but does not resolve overprivileged access. The real issue here is the lack of data governance or data hygiene, not the Graph-powered recommendation feature.Transparency builds trust in Copilot adoption
Users do not need a deep dive into data-retrieval pipelines. They need a clear answer to “why am I experiencing this?” When we tie what they see to how the system works, the feature becomes predictable, governable, and easier to accept in regulated environments. Unfortunately, the detailed information on how ContextIQ operates is missing from public documentation pages, making it less transparent and impacts trust.User expectations shape the Work vs Web distinction
Microsoft 365 Copilot operates in two primary contexts: Work and Web. Work context is grounded in your organization’s Microsoft 365 data, giving Copilot access to emails, chats, calendars, and files the user has permission to access. Web context relies on public internet data and can optionally reference files you provide from OneDrive or SharePoint, but it cannot access any other enterprise resources or signals. This distinction matters not only for governance but also for setting clear user expectations.