How to Block Copilot From Accessing Specific SharePoint Sites

When you use Copilot in Microsoft 365, it can read data from SharePoint sites to answer questions and generate content. By default, Copilot indexes all SharePoint sites in your tenant that are not explicitly excluded. This means sensitive or confidential content on specific sites may appear in Copilot responses. You can block Copilot from accessing specific SharePoint sites by configuring site-level permissions or using the Microsoft 365 admin center. This article explains the two methods to restrict Copilot access to selected SharePoint sites.

Key Takeaways: Blocking Copilot from SharePoint Sites

  • Microsoft 365 admin center > Copilot > Data sources > SharePoint: Exclude entire site collections from Copilot indexing.
  • SharePoint site permissions > Site visitors group: Remove user licenses or restrict read access to prevent Copilot from returning site content.
  • Sensitivity labels > Encryption settings: Apply a label that blocks Copilot from reading documents on a site.


How Copilot Accesses SharePoint Sites and Why You Need to Block Some

Copilot uses the Microsoft Graph to index content from SharePoint sites that are enabled for search and have the appropriate permissions. When a user asks a question, Copilot searches across all sites the user has access to and returns relevant results. If a site contains confidential business plans, employee records, or client contracts, blocking Copilot access prevents that data from appearing in responses.

There are two layers of control. The first is at the tenant level where an admin can exclude entire site collections from Copilot indexing. The second is at the site or document level where permissions and sensitivity labels restrict what Copilot can read. You must use both layers for full protection because a user with direct access to a site can still see its content through Copilot unless the site is excluded from indexing.

Before you start, verify that you have at least the SharePoint administrator role or the global administrator role in Microsoft 365. You also need access to the Microsoft 365 admin center and the SharePoint admin center.

Method 1: Exclude a SharePoint Site Collection from Copilot Indexing

This method prevents Copilot from reading any content on the entire site collection. Users will not see results from that site in Copilot responses even if they have direct access to the site.

  1. Open the Microsoft 365 admin center
    Go to admin.microsoft.com and sign in with your administrator account.
  2. Navigate to Copilot settings
    In the left navigation, select Settings then Org settings. Find and click Copilot.
  3. Open the Data sources tab
    In the Copilot settings page, click Data sources. This tab lists all Microsoft Graph data sources that Copilot can access.
  4. Select SharePoint
    Under SharePoint, click Manage. A list of all site collections in your tenant appears.
  5. Exclude the site collection
    Find the site you want to block. Click the toggle next to its name to set it to Excluded. Copilot will stop indexing that site within 15 minutes.
  6. Save changes
    Click Save at the bottom of the page. The exclusion takes effect immediately for new queries.


Method 2: Restrict Permissions on the SharePoint Site

If you cannot exclude the site collection at the tenant level, you can restrict permissions so that Copilot cannot access the site content. Copilot respects the same permissions as the user asking the question. If a user has no read access to a site, Copilot will not return results from that site.

  1. Open the SharePoint admin center
    Go to admin.microsoft.com/SharePoint and sign in.
  2. Select the site
    Under Sites, click Active sites. Find the site you want to block and click its URL.
  3. Review existing permissions
    In the site settings, click Permissions. Check which users or groups have Read or higher access.
  4. Remove users or groups from the Site visitors group
    If you want to block all Copilot access, remove all users from the Site visitors group. Copilot will then return no results from this site for any user.
  5. Apply a sensitivity label with encryption
    In the site settings, click Sensitivity. Choose a label that has encryption enabled. Copilot cannot read content encrypted with a sensitivity label. This blocks Copilot even if a user has read access to the site.

If Copilot Still Returns Content from a Blocked Site

Copilot shows results from a site I excluded in the admin center

The exclusion setting can take up to 15 minutes to propagate. Clear your browser cache and sign out of Microsoft 365, then sign back in. If the issue persists, verify that the site collection is correctly listed as Excluded in the Data sources tab. Also check that no other global administrator has re-enabled the site.

Copilot returns content from a site where I removed all users

If you removed users from the Site visitors group but Copilot still returns content, check the site permissions for any group that includes external users or service accounts. Copilot can read content if any user with a Microsoft 365 license has access through a different group. Remove all direct and group permissions for the site.
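One way to run the permission check described above, as an added example that is not part of the original article: it lists every principal that still holds Read or higher through any group on the site. The function name, group names and logins are hypothetical and the sample data is constructed; on a live tenant the input would come from `Get-SPOSiteGroup` in the SharePoint Online Management Shell.

```powershell
# Added example (not from the article): list principals that still hold
# Read or higher on a site after the Site visitors group was emptied.
# Input objects use the Title / Roles / Users properties that
# Get-SPOSiteGroup returns; the function name is hypothetical.
function Get-ResidualReadAccess {
    param([Parameter(Mandatory)] [object[]] $SiteGroups)

    # Permission levels that allow reading content ("Limited Access" does not).
    $readLevels = 'Read', 'View Only', 'Contribute', 'Edit', 'Design', 'Full Control'

    foreach ($group in $SiteGroups) {
        $granting = @($group.Roles | Where-Object { $readLevels -contains $_ })
        if ($granting.Count -eq 0) { continue }

        foreach ($login in $group.Users) {
            # Classify the principal so broad or external grants stand out.
            $kind = switch -Regex ($login) {
                '#ext#'              { 'External user'; break }
                'spo-grid-all-users' { 'Everyone except external users'; break }
                default              { 'Internal user or group' }
            }
            [pscustomobject]@{
                Group     = $group.Title
                Roles     = $granting -join ', '
                Principal = $login
                Kind      = $kind
            }
        }
    }
}

# Constructed sample data: Visitors is empty, but other groups still grant access.
$sampleGroups = @(
    [pscustomobject]@{ Title = 'Legal Visitors';  Roles = @('Read');           Users = @() }
    [pscustomobject]@{ Title = 'Legal Members';   Roles = @('Edit');           Users = @('spo-grid-all-users/00000000-0000-0000-0000-000000000000') }
    [pscustomobject]@{ Title = 'Legal Owners';    Roles = @('Full Control');   Users = @('owner@contoso.example') }
    [pscustomobject]@{ Title = 'Outside Counsel'; Roles = @('Read');           Users = @('partner_fabrikam.example#ext#@contoso.example') }
    [pscustomobject]@{ Title = 'Navigation Only'; Roles = @('Limited Access'); Users = @('temp@contoso.example') }
)

Get-ResidualReadAccess -SiteGroups $sampleGroups | Format-Table -AutoSize

# On a live tenant, after Connect-SPOService, feed the real groups instead:
# $groups = Get-SPOSiteGroup -Site 'https://<tenant>.sharepoint.com/sites/<site>'
# Get-ResidualReadAccess -SiteGroups $groups
```

Any row in the output is a path through which site content can still reach a user, and therefore Copilot responses for that user. Permissions granted directly to a user or on an item with broken inheritance are outside what this group-level check covers.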

Copilot reads documents that have a sensitivity label applied

Verify that the sensitivity label is configured with encryption. A label without encryption does not block Copilot. In the Microsoft Purview compliance portal, go to Information protection > Sensitivity labels. Edit the label and confirm that Encryption is set to Apply encryption. Re-publish the label if needed.

Blocking Copilot from SharePoint Sites: Admin Center vs Site Permissions

| Item | Admin Center Exclusion | Site Permissions Restriction |
| --- | --- | --- |
| Scope | Entire site collection | Site or document level |
| Effect on users with direct access | Copilot returns no content regardless of user permissions | Copilot returns content only if the user has read access |
| Time to take effect | Up to 15 minutes | Immediate after permissions update |
| Requires admin role | Yes, SharePoint or global admin | Yes, site owner or admin |
| Can be overridden by another admin | Yes, any global admin can change the exclusion | Yes, a site owner can grant permissions |

You now know two methods to block Copilot from accessing specific SharePoint sites. Use the admin center exclusion for a broad, tenant-wide block that applies to all users. Use site permissions or sensitivity labels for granular control over individual sites or documents. After applying either method, test by asking Copilot a question about content on the blocked site to confirm it returns no results. As an advanced step, consider creating a PowerShell script that loops through all site collections and sets the exclusion status based on a metadata property like department or project code.
