You want Copilot to generate accurate answers from your SharePoint content, but you are not sure how to configure SharePoint Advanced Management for that purpose. SharePoint Advanced Management provides governance controls that directly affect what data Copilot can access and how it surfaces information from your tenant. This article explains which policies to enable, which settings to adjust, and how to verify that your SharePoint environment is ready for Copilot queries.
Key Takeaways: Preparing SharePoint Advanced Management for Copilot
- Microsoft 365 admin center > SharePoint > Advanced Management > Data Access Governance: Enables you to review and restrict sensitive sites that Copilot should not index.
- Microsoft 365 admin center > SharePoint > Advanced Management > Conditional Access Policies: Controls which devices and locations can access SharePoint content that Copilot uses.
- Microsoft 365 admin center > SharePoint > Advanced Management > Site Lifecycle Policies: Automatically archives inactive sites so Copilot does not return stale or outdated information.
What SharePoint Advanced Management Does for Copilot
SharePoint Advanced Management is a set of governance tools available in Microsoft 365 E5 or as an add-on for E3 tenants. These tools let you control data access, retention, and security at a granular level. When Copilot processes a query, it searches through SharePoint sites, document libraries, and files that the user has permission to view. Without Advanced Management, Copilot may surface content from sites that contain sensitive data, outdated files, or ungoverned external sharing.
The key capabilities that affect Copilot include Data Access Governance, Conditional Access policies, site lifecycle management, and restricted content discovery. Each of these features must be configured to match your organization’s data sensitivity requirements. If you skip this preparation, Copilot may return results that violate compliance rules or confuse users with irrelevant data.
Data Access Governance
Data Access Governance scans your SharePoint environment for sites that contain sensitive information such as personally identifiable information or financial records. It generates reports and allows you to apply access restrictions. For Copilot, you want to identify sites that contain highly confidential data and either restrict access to those sites or exclude them from Copilot’s search scope.
Conditional Access Policies
Conditional Access policies in SharePoint Advanced Management let you block or limit access to SharePoint content based on device compliance, network location, or risk level. When Copilot retrieves content, it respects these policies. If a policy blocks access from unmanaged devices, Copilot will not return content from sites that require managed device access when the user is on an unmanaged device.
Site Lifecycle Policies
Site lifecycle policies automatically detect inactive sites and apply actions such as archiving or deletion. Copilot should not return content from sites that have not been updated in months or years because that information is likely outdated. By configuring lifecycle policies, you reduce the volume of stale data that Copilot can index.
Steps to Configure SharePoint Advanced Management for Copilot
Complete these steps in the order shown. Each step builds on the previous one to ensure Copilot only surfaces governed, accurate, and secure content.
- Enable SharePoint Advanced Management in your tenant
Go to the Microsoft 365 admin center, select Settings > Org settings > SharePoint Advanced Management. Turn on the toggle for Data Access Governance, Conditional Access, and Site Lifecycle Policies. Without this step, none of the governance features are available for Copilot to use.
- Run a Data Access Governance scan
In the Microsoft 365 admin center, go to SharePoint > Advanced Management > Data Access Governance. Click Create scan. Select all site collections. Set the scan to run weekly. After the first scan completes, review the report for sites flagged as containing sensitive content. For each flagged site, decide whether to restrict access or exclude it from Copilot search by applying a site-level permission policy.
- Restrict sensitive sites from Copilot indexing
For each site that should not appear in Copilot results, go to the site’s Site permissions in SharePoint. Remove all external users and ensure only the minimum required internal users have access. Optionally, use the SharePoint admin center > Policies > Access policies to create a custom policy that blocks the site from being indexed by search services. Copilot respects search indexing exclusions.
- Configure Conditional Access policies for SharePoint
In the Microsoft 365 admin center, go to SharePoint > Advanced Management > Conditional Access. Click Add policy. Select Device compliance and Location as conditions. For example, block access from countries where your organization does not operate. Assign the policy to all SharePoint sites. This ensures Copilot does not surface content to users who connect from non-compliant devices or restricted locations.
- Set up site lifecycle policies
In the Microsoft 365 admin center, go to SharePoint > Advanced Management > Site Lifecycle Policies. Click Create policy. Name it “Archive inactive sites.” Set the inactivity threshold to 180 days. Choose Archive as the action. Apply the policy to all site collections. After 180 days of no activity, Copilot will stop returning content from archived sites.
- Verify that Copilot respects the new policies
Open Copilot in Microsoft Teams or at copilot.microsoft.com. Ask a question that should return content from a site you restricted. Copilot should not return results from that site. If it does, double-check that the site’s indexing exclusion policy is active and that the user’s permissions match the policy conditions.
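The triage and verification decisions in the steps above can be scripted against a site inventory. The following is an added example, not code from this article or from Microsoft: it applies the 180-day threshold and the restrict/remove-external-users decisions to a site list, then checks whether any source cited in a Copilot answer sits under a restricted site. The CSV column names, the `contoso` URLs, and the function names are assumptions, and the sample data is constructed.

```python
import csv
import io
from datetime import date
from urllib.parse import urlsplit

INACTIVITY_DAYS = 180  # threshold from the lifecycle policy step
# Constructed sample inventory; the column names are assumptions, not a real export format.
SAMPLE_CSV = """Url,LastActivity,ExternalSharing,SensitiveFlag
https://contoso.sharepoint.com/sites/hr,2025-05-20,Enabled,Yes
https://contoso.sharepoint.com/sites/hr-news,2025-05-28,Disabled,No
https://contoso.sharepoint.com/sites/project-2019,2024-01-15,Disabled,No
https://contoso.sharepoint.com/sites/finance,2024-09-01,Disabled,Yes
"""

def triage(csv_text, today):
    """Map each site URL to the actions the steps above call for."""
    plan = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        actions = []
        if row["SensitiveFlag"] == "Yes":
            actions.append("restrict")
            if row["ExternalSharing"] == "Enabled":
                actions.append("remove-external-users")
        idle = (today - date.fromisoformat(row["LastActivity"])).days
        if idle >= INACTIVITY_DAYS:
            actions.append("archive")
        plan[row["Url"]] = actions
    return plan

def _key(url):
    """Lower-cased host plus the list of non-empty path segments."""
    parts = urlsplit(url)
    return parts.netloc.lower(), [s for s in parts.path.lower().split("/") if s]

def leaked_citations(cited_urls, restricted_sites):
    """Cited URLs that sit under a restricted site (whole-segment match,
    so /sites/hr does not also match /sites/hr-news)."""
    restricted = [_key(s) for s in restricted_sites]
    hits = []
    for url in cited_urls:
        host, segs = _key(url)
        if any(host == h and segs[:len(p)] == p for h, p in restricted):
            hits.append(url)
    return hits

if __name__ == "__main__":
    for url, actions in triage(SAMPLE_CSV, date(2025, 6, 1)).items():
        print(url, actions or ["none"])
```

For the verification step, pass the source links Copilot shows under its answer to `leaked_citations` together with your restricted site list; an empty result is the expected outcome.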
Common Configuration Mistakes and How to Avoid Them
Copilot returns content from restricted sites
If Copilot still surfaces content from a site you restricted, the most common cause is that the site’s indexing exclusion policy was not applied to the search service. Go to SharePoint admin center > Search > Managed paths and confirm that the restricted site path is listed under Excluded paths. Also verify that the user querying Copilot does not hold direct access permissions that bypass the policy.
Inactive sites still appear in Copilot results
Site lifecycle policies only apply to sites that have been inactive for the defined period. If a site was active within the threshold, Copilot will still index it. Check the site’s last activity date in the SharePoint admin center > Active sites list. If the site is within the threshold, either wait for the policy to trigger or manually archive the site using the Archive button.
Conditional Access policies block legitimate Copilot queries
If users report that Copilot returns no results even though they have permission to view content, the Conditional Access policy may be too restrictive. Review the policy conditions in the Microsoft 365 admin center. Add an exception for trusted IP ranges or compliant device platforms. Test the policy with a small group of users before applying it tenant-wide.
SharePoint Advanced Management Features: What to Enable for Copilot
| Feature | Without Configuration | With Configuration for Copilot |
|---|---|---|
| Data Access Governance | No scanning for sensitive content | Scans and flags sensitive sites for restriction |
| Conditional Access Policies | Default device and location policies only | Blocks non-compliant devices and restricted locations from Copilot access |
| Site Lifecycle Policies | No automatic archiving of inactive sites | Archives sites after 180 days of inactivity |
| Restricted Content Discovery | Copilot indexes all accessible sites | Excludes sites with sensitive or outdated content from Copilot search |
You now have a configured SharePoint Advanced Management environment that governs what Copilot can access and surface. Run a test query in Copilot weekly to confirm that new policies are applied correctly. As a next step, review the Data Access Governance reports monthly to catch any new sensitive sites that appear. For advanced control, combine these policies with Microsoft Purview sensitivity labels to further restrict Copilot from processing labeled content.