How to Limit Copilot Answers to Approved SharePoint Sites

When you ask Copilot a question in Microsoft 365, it can pull information from across your tenant, including SharePoint sites that contain sensitive or irrelevant content. This broad access may lead to answers that include data from sites you did not intend to expose. The root cause is the default Copilot configuration, which grants the AI assistant access to all SharePoint sites in your Microsoft 365 environment unless explicitly restricted. This article explains how to configure Copilot to answer questions using only approved SharePoint sites, ensuring compliance and data governance policies are enforced.

Key Takeaways: Restricting Copilot Access to Approved SharePoint Sites

  • Microsoft 365 admin center > Copilot > Data sources > SharePoint: Controls which SharePoint sites Copilot can read for grounded responses.
  • Copilot Graph grounding setting > All sites vs Selected sites: Choosing Selected sites lets you specify approved URLs.
  • SharePoint site permissions and sensitivity labels: Even after configuration, Copilot respects existing site-level access controls and labels.

Why Copilot Accesses Unapproved SharePoint Sites by Default

Copilot uses Microsoft Graph to retrieve data from your tenant. By default, the Copilot configuration in the Microsoft 365 admin center grants Copilot access to all SharePoint sites. This means that when a user asks a question, Copilot searches across every site the user has permission to view, including team sites, communication sites, and hub sites. The technical root cause is that the Copilot data source setting is set to All sites instead of Selected sites. This setting is found under Copilot > Data sources > SharePoint in the admin center. When set to All sites, Copilot does not filter site URLs, leading to answers that may include content from sites that are not approved for AI-driven queries. The fix is to change this setting to Selected sites and then add only the approved SharePoint site URLs.

How the Copilot Graph Grounding Setting Works

The Copilot Graph grounding feature determines what data Copilot can use to generate answers. When you set the SharePoint data source to Selected sites, Copilot only searches the sites you specify. This setting applies globally to all users in the tenant. It does not override existing user permissions. If a user does not have access to an approved site, Copilot will not return content from that site even if it is in the approved list. The setting is tenant-wide and cannot be scoped to specific groups or users without additional PowerShell scripting or custom policies.

Steps to Limit Copilot Answers to Approved SharePoint Sites

Follow these steps to configure Copilot to use only specific SharePoint sites. You must have Global Administrator or SharePoint Administrator privileges in Microsoft 365.

  1. Sign in to the Microsoft 365 admin center
    Go to admin.microsoft.com and sign in with an account that has the Global Administrator or SharePoint Administrator role. Navigate to the Copilot section by selecting Settings > Copilot.
  2. Open the Data sources tab
    In the Copilot settings page, click the Data sources tab. This tab lists all data sources Copilot can access, including SharePoint, OneDrive, and Microsoft Graph connectors.
  3. Select SharePoint data source
    Under the SharePoint section, click the dropdown menu. The default value is All sites. Change this to Selected sites.
  4. Add approved SharePoint site URLs
    In the text field that appears, enter the full URL of each SharePoint site you want Copilot to use. For example: https://contoso.sharepoint.com/sites/HR. Press Enter after each URL. You can add up to 100 site URLs.
  5. Save the configuration
    Click the Save button at the bottom of the page. The change takes effect within 15 minutes. After that, Copilot will only retrieve content from the sites you specified.

If Copilot Still Returns Answers from Unapproved Sites

After configuring the setting, you may still see answers that include content from sites you did not approve. This usually happens due to one of the following reasons.

Copilot Uses OneDrive Files in Addition to SharePoint

Copilot also accesses OneDrive files by default. If a user has files stored in OneDrive that contain similar information, Copilot may return answers from those files. To restrict OneDrive access, go to the Data sources tab and set OneDrive to Off or Selected users. Note that disabling OneDrive may affect other Copilot features like file summarization.

Site URL Was Not Saved Correctly

Verify that the site URLs you added do not include trailing slashes or query parameters. The correct format is https://tenant.sharepoint.com/sites/SiteName. Also confirm that the site exists and is active. Deleted or archived sites will not be recognized even if they appear in the list.
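
A pre-save check for the approved-site list, applying the format rules above and the 100-URL limit from the configuration steps. This is an added example, not code from the original article or from Microsoft; the function names, the case-insensitive duplicate rule, and the sample URLs are assumptions.

```python
from urllib.parse import urlsplit

MAX_SITES = 100  # limit stated in this article

SAMPLE = [  # constructed sample input, not real sites
    "https://contoso.sharepoint.com/sites/HR",
    "https://contoso.sharepoint.com/sites/Finance/",
    "https://contoso.sharepoint.com/sites/Legal?web=1",
    "https://contoso.sharepoint.com/sites/hr",
    "http://contoso.sharepoint.com/sites/IT",
]

def lint_site_url(url):
    """Return the problems found in one candidate URL (empty list = OK)."""
    problems = []
    if url != url.strip():
        problems.append("leading or trailing whitespace")
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("scheme is not https")
    # Host rule follows the article's format: https://tenant.sharepoint.com/...
    if not (parts.hostname or "").lower().endswith(".sharepoint.com"):
        problems.append("host is not <tenant>.sharepoint.com")
    if parts.query or parts.fragment:
        problems.append("query string or fragment present")
    if parts.path.endswith("/"):
        problems.append("trailing slash")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2 or segments[0].lower() != "sites":
        problems.append("path is not /sites/SiteName")
    return problems

def lint_allow_list(urls):
    """Lint the whole list: per-URL problems, duplicates, and the size cap."""
    report, seen = {}, set()
    for url in urls:
        problems = lint_site_url(url)
        # Assumption: two entries differing only by case name the same site.
        key = url.strip().rstrip("/").lower()
        if key in seen:
            problems.append("duplicate entry")
        seen.add(key)
        if problems:
            report[url] = problems
    if len(urls) > MAX_SITES:
        report["<list>"] = [f"{len(urls)} entries exceeds the {MAX_SITES}-site limit"]
    return report
```

Calling `lint_allow_list(SAMPLE)` returns a dictionary keyed by each rejected URL, so an empty result means the list is ready to paste into the Selected sites field.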

Configuration Propagation Delay

The setting can take up to 15 minutes to propagate across all Microsoft 365 services. If you check immediately after saving, Copilot may still use the old configuration. Wait 20 minutes and test again.

| Item | All Sites Default | Selected Sites Configuration |
|---|---|---|
| Description | Copilot searches every SharePoint site in the tenant | Copilot searches only sites you specify |
| Configuration location | Microsoft 365 admin center > Copilot > Data sources > SharePoint | Same location with dropdown changed to Selected sites |
| Maximum sites allowed | No limit | 100 site URLs |
| User permissions respected | Yes | Yes |
| Propagation time | Immediate | Up to 15 minutes |

After you configure Copilot to use only approved SharePoint sites, test with a question that targets content from both an approved and an unapproved site. Confirm that Copilot returns answers only from the approved site. To further refine data access, consider using sensitivity labels to block Copilot from indexing specific documents. This additional step ensures that even within approved sites, sensitive content remains excluded from Copilot answers.
