When you ask Copilot a question in Microsoft 365, it should pull answers from your company’s SharePoint sites. But sometimes Copilot returns generic web results or says it cannot find information that you know exists in SharePoint. This problem is almost always caused by how SharePoint permissions interact with Copilot’s data grounding feature. This article explains why Copilot grounding fails with SharePoint permissions and gives you the exact steps to fix it.
Key Takeaways: Fixing Copilot Grounding with SharePoint Permissions
- Microsoft 365 admin center > Copilot > Data sources > SharePoint: Controls which SharePoint sites Copilot can read for grounded responses.
- SharePoint site permissions > Site members group: Users must have at least Read access to the site for Copilot to return content from that site.
- Microsoft Graph permissions > Sites.Read.All delegated: The Copilot service requires this permission to search across all SharePoint sites assigned to the user.
Why Copilot Grounding Fails with SharePoint Permissions
Copilot grounding means the AI limits its answers to data from your Microsoft 365 tenant instead of the public internet. For SharePoint content, Copilot uses Microsoft Graph to search sites and documents. The service uses the signed-in user’s identity to determine which sites and files it can read.
If a user does not have explicit permission to a SharePoint site, Copilot cannot access that site’s content. This is true even if the site is listed in the Copilot data sources configuration. The user must have at least Read access on the site’s permissions page.
Another common cause is incorrect Microsoft Graph permissions on the Copilot service. The service needs the Sites.Read.All delegated permission in Azure AD. If this permission is missing or has been revoked, Copilot cannot search SharePoint at all.
The Role of SharePoint Permission Levels
SharePoint uses permission levels like Read, Contribute, Edit, and Full Control. Copilot only returns content from sites where the user has at least Read access. If a user is a member of a site but has a custom permission level that restricts list access, Copilot may still fail to return results from that site.
How Copilot Data Source Settings Interact with Permissions
In the Microsoft 365 admin center, you can configure which SharePoint sites Copilot uses as data sources. This setting acts as an allowlist. But even if a site is in the allowlist, Copilot will not return content unless the user also has permission to that site. Both conditions must be true: the site must be in the data source list, and the user must have at least Read access.
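The two-gate rule above, combined with SharePoint's rule that a library or folder with unique permissions stops inheriting from its parent, as an added example that is not Microsoft's implementation or part of the original article. The tenant snapshot, group names and the helper names `effective_level` and `grounding_check` are constructed for illustration.

```python
# Added illustration: a constructed model, not Microsoft's implementation.
LEVELS = {"None": 0, "Read": 1, "Contribute": 2, "Edit": 3, "Full Control": 4}

# Hypothetical data-source allowlist (site roots) and permission scopes.
# "acl": None means the scope inherits; every site root carries its own acl.
ALLOWLIST = {"/sites/marketing"}
SCOPES = {
    "/sites/marketing": {"parent": None,
                         "acl": {"Marketing Members": "Edit", "Marketing Visitors": "Read"}},
    "/sites/marketing/Reports": {"parent": "/sites/marketing", "acl": None},
    "/sites/marketing/Reports/Board": {"parent": "/sites/marketing/Reports",
                                       "acl": {"Board Owners": "Full Control"}},
    "/sites/finance": {"parent": None, "acl": {"Finance Members": "Edit"}},
}
GROUPS = {"alice": {"Marketing Visitors"},
          "bob": {"Marketing Members", "Board Owners"},
          "carol": {"Finance Members"}}

def site_root(scope):
    """Return the site a library or folder belongs to."""
    while SCOPES[scope]["parent"] is not None:
        scope = SCOPES[scope]["parent"]
    return scope

def effective_level(user, scope):
    """Resolve access at the nearest scope with unique permissions and return
    (highest level granted directly or via a group, scope that decided it)."""
    while SCOPES[scope]["acl"] is None:
        scope = SCOPES[scope]["parent"]
    principals = GROUPS.get(user, set()) | {user}
    granted = [LEVELS[lvl] for who, lvl in SCOPES[scope]["acl"].items()
               if who in principals]
    return max(granted, default=LEVELS["None"]), scope

def grounding_check(user, scope):
    """Both gates must pass: allowlisted site AND at least Read for the user."""
    if site_root(scope) not in ALLOWLIST:
        return "blocked: site not in data sources"
    level, decided_at = effective_level(user, scope)
    if level < LEVELS["Read"]:
        return f"blocked: no Read access at {decided_at}"
    return "grounded"
```

Adding a site to the allowlist never widens what a user can see: `alice` stays blocked on the `Board` folder because its broken inheritance removed her group, even though the site itself is allowlisted.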
Steps to Restore Copilot Grounding for SharePoint Content
Follow these steps in order. After each step, test Copilot by asking a question that references a specific SharePoint document or site.
- Verify Copilot data source configuration
Go to Microsoft 365 admin center > Copilot > Data sources. Under SharePoint, confirm that the relevant sites are listed. If a site is missing, click Add a data source and select the site collection URL. Click Save.
- Check user SharePoint permissions at the site level
Open the SharePoint site where the content lives. Click Settings gear > Site permissions. Check if the affected user is in the Site members group or another group with Read access. If the user is not listed, add them to the Site members group.
- Confirm Microsoft Graph delegated permissions in Azure AD
Sign in to the Azure portal as a Global Administrator. Go to Azure Active Directory > Enterprise applications > Microsoft Copilot Service. Under Permissions, verify that Sites.Read.All (Delegated) is granted. If it is missing, click Add a permission > Microsoft Graph > Delegated permissions > select Sites.Read.All > Grant admin consent.
- Clear the Copilot cache for the affected user
In the Copilot pane or at copilot.microsoft.com, click the user profile icon > Settings > Clear cache. This forces Copilot to reauthenticate and reload permission data. Sign out of Microsoft 365 and sign back in.
- Test with a specific query that includes a site name
Type a query like “Find the quarterly report from the Marketing SharePoint site.” If Copilot returns the document, grounding is working. If it still fails, proceed to the next step.
- Check for SharePoint permission inheritance breaks
Navigate to the specific document library or folder in SharePoint. Click Settings > Library settings > Permissions for this document library. If inheritance is broken, verify that the user has at least Read access at the library or folder level. Restore inheritance if possible, or grant explicit Read access.
- Verify that the site is indexed for Microsoft Search
Go to Microsoft 365 admin center > Search & intelligence > Content sources. Ensure the SharePoint site is listed and the index status is Healthy. If the site is not indexed, click Add content source and select the site. Wait up to 24 hours for indexing to complete.
- Review audit logs for permission denied events
In the Microsoft 365 admin center, go to Audit under Compliance. Search for “Copilot” and “SharePoint” with the affected user’s name. Look for events with result code AccessDenied. This confirms the permission issue.
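One way to triage an exported audit log for the AccessDenied check in the last step, as an added example that is not from the original article. The records are constructed, and the field names (`Id`, `UserId`, `Workload`, `ObjectId`, `ResultStatus`) are assumed to follow the Microsoft 365 audit common schema; adjust them to match your export.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export: one JSON record per line, plus one malformed line.
SAMPLE_EXPORT = """
{"Id": "evt-0001", "UserId": "dana@contoso.example", "Workload": "SharePoint", "ObjectId": "https://contoso.sharepoint.com/sites/marketing/Reports/Q3.docx", "ResultStatus": "AccessDenied"}
{"Id": "evt-0002", "UserId": "dana@contoso.example", "Workload": "SharePoint", "ObjectId": "https://contoso.sharepoint.com/sites/marketing/Reports/Q4.docx", "ResultStatus": "AccessDenied"}
{"Id": "evt-0003", "UserId": "dana@contoso.example", "Workload": "SharePoint", "ObjectId": "https://contoso.sharepoint.com/sites/hr/Policies/leave.docx", "ResultStatus": "Succeeded"}
{"Id": "evt-0004", "UserId": "eli@contoso.example", "Workload": "SharePoint", "ObjectId": "https://contoso.sharepoint.com/sites/marketing/Reports/Q3.docx", "ResultStatus": "AccessDenied"}
{"Id": "evt-0005", "UserId": "DANA@contoso.example", "Workload": "Copilot", "ObjectId": "https://contoso.sharepoint.com/sites/finance/Budget.xlsx", "ResultStatus": "AccessDenied"}
not json
"""

def site_of(object_id):
    """Reduce a document URL to its site URL (/sites/<name> or /teams/<name>)."""
    url = urlsplit(object_id)
    parts = url.path.strip("/").split("/")
    root = ""
    if len(parts) >= 2 and parts[0] in ("sites", "teams"):
        root = "/" + "/".join(parts[:2])
    return f"{url.scheme}://{url.netloc}{root}"

def denied_by_site(export_text, user):
    """Map each site to the IDs of AccessDenied events for one user."""
    hits = defaultdict(list)
    for line in export_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines instead of aborting
        if not isinstance(rec, dict):
            continue
        if str(rec.get("UserId", "")).lower() != user.lower():
            continue  # UPN comparison is case-insensitive
        if rec.get("Workload") not in ("SharePoint", "Copilot"):
            continue
        if rec.get("ResultStatus") != "AccessDenied":
            continue
        hits[site_of(rec.get("ObjectId", ""))].append(rec.get("Id"))
    return dict(hits)
```

Grouping by site shows which site permissions to review first, and the collected event IDs can be attached to a support ticket.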
If Copilot Still Has Issues After the Main Fix
Copilot Returns Generic Web Results Instead of SharePoint Content
This usually means the user has no permission to any SharePoint site that contains the answer. Check the data source configuration again. Also verify that the user is not in a restricted SharePoint group that blocks access to all sites except a few. If the user is a guest in the tenant, guest accounts must be explicitly added to SharePoint sites.
Copilot Says It Cannot Access the Organization’s Data
This error appears when the Microsoft Graph delegated permission is missing or has been revoked. Recheck Azure AD enterprise application permissions for the Copilot service. In rare cases, a Conditional Access policy blocks the Copilot app from reading SharePoint. Check Azure AD > Conditional Access > Policies and ensure the Copilot service app is not blocked.
Copilot Grounding Works for Some Users but Not Others
This is almost always a SharePoint permission difference. Compare the working user’s group memberships with those of the non-working user. Use the SharePoint site’s Check Permissions tool to see exactly what access the non-working user has. Add the user to the same SharePoint group as the working user.
Copilot Grounding vs SharePoint Search: Key Differences
| Item | Copilot Grounding | SharePoint Search |
|---|---|---|
| Data source | Microsoft Graph and configured data sources | SharePoint search index only |
| Permission model | Uses delegated user token from Microsoft 365 | Uses user token from SharePoint |
| Requires explicit site allowlist | Yes in admin center data sources | No, searches all sites user can access |
| Returns answers from | Documents, pages, lists, and files | Documents, pages, lists, and files |
| Fails when user lacks Read access | Yes | Yes |
| Affected by Conditional Access | Yes | No |
Copilot grounding is more restrictive than SharePoint search because it requires both the data source allowlist and the user’s delegated permissions. SharePoint search returns results from any site the user can access without an extra allowlist step.
After applying the fixes above, test Copilot with a question that includes a specific file name from a SharePoint site you know the user can access. If the result still fails, run the Azure AD permission check again and clear the user’s cache. For persistent issues, open a support ticket with Microsoft and include the audit log event ID showing AccessDenied.