When you use Copilot in Microsoft 365, it can access content from SharePoint sites by default. This means Copilot might return information from sites you want to keep confidential. The Restricted SharePoint Search setting lets you limit which SharePoint sites Copilot can use as a data source. This article explains how to configure Restricted SharePoint Search to control exactly what content Copilot can reference.
The feature works by creating an allowlist of SharePoint sites. Copilot will only search and retrieve information from the sites you explicitly add. All other SharePoint sites become invisible to Copilot. This is a tenant-level setting managed by a SharePoint Online administrator.
You will learn the prerequisites, the step-by-step configuration process, and common mistakes to avoid. By the end, you will know how to prevent Copilot from surfacing content from restricted or sensitive SharePoint sites.
Key Takeaways: How to Restrict Copilot in SharePoint With Restricted SharePoint Search
- SharePoint Online Management Shell: Use the `Set-SPOTenant -RestrictedSearchScope` cmdlet to enable and configure the allowlist of sites.
- PowerShell script with site URLs: Add each SharePoint site URL to the `-RestrictedSearchScopeList` parameter to grant Copilot access only to those sites.
- Microsoft 365 admin center > Settings > Org settings > SharePoint: Verify the restriction is active and test Copilot responses after configuration.
What Is Restricted SharePoint Search and Why Use It
Restricted SharePoint Search is a tenant-level setting in SharePoint Online that limits which sites Copilot can search for content. When you enable this setting, Copilot will only retrieve data from SharePoint sites you explicitly add to an allowlist. All other sites are excluded from Copilot queries.
The feature is designed for organizations that need to protect sensitive information. For example, a legal department might want Copilot to access only the Legal SharePoint site while preventing it from reading HR records or financial documents stored elsewhere. Without this restriction, Copilot can theoretically surface content from any SharePoint site the user has permission to view.
Restricted SharePoint Search works by modifying the search scope Copilot uses. It does not change user permissions or delete content. Users can still browse restricted sites normally. The restriction only applies to Copilot queries.
Prerequisites
Before you begin, confirm the following requirements are met:
- You must be a SharePoint Online administrator or a Global administrator in Microsoft 365.
- PowerShell version 5.1 or later must be installed on your machine.
- The SharePoint Online Management Shell module must be installed. Run `Install-Module -Name Microsoft.Online.SharePoint.PowerShell` if it is not already present.
- You need the full URL of each SharePoint site you want to allow. Example: `https://contoso.sharepoint.com/sites/Legal`.
- Copilot must be enabled for your tenant. Restricted SharePoint Search does not work if Copilot is disabled.
Steps to Enable Restricted SharePoint Search
Follow these steps to restrict which SharePoint sites Copilot can access. All configuration is done through PowerShell. There is no graphical interface for this setting.
- Connect to SharePoint Online
Open Windows PowerShell as an administrator. Run the command `Connect-SPOService -Url https://contoso-admin.sharepoint.com`. Replace `contoso` with your tenant name. Enter your admin credentials when prompted.
- Check the current search scope setting
Run `Get-SPOTenant | Select-Object RestrictedSearchScope, RestrictedSearchScopeList`. This shows whether the restriction is already enabled and which sites are currently allowed. If `RestrictedSearchScope` is `None`, the feature is disabled.
- Enable Restricted SharePoint Search
Run the cmdlet `Set-SPOTenant -RestrictedSearchScope Tenant`. This activates the restriction and blocks Copilot from searching all SharePoint sites by default.
- Add sites to the allowlist
Run `Set-SPOTenant -RestrictedSearchScopeList @("https://contoso.sharepoint.com/sites/Legal","https://contoso.sharepoint.com/sites/Marketing")`. Replace the example URLs with your own site URLs. You can add up to 100 sites in a single command. To add sites later, run the same cmdlet with the full updated list. The setting overwrites the previous list.
- Verify the configuration
Run `Get-SPOTenant | Select-Object RestrictedSearchScope, RestrictedSearchScopeList` again. Confirm that `RestrictedSearchScope` shows `Tenant` and the list contains the correct URLs.
- Test Copilot in a client app
Open Copilot in Microsoft Teams or a SharePoint page. Ask a question that should return content from an allowed site. Then ask a question that should return content from a site not on the list. Copilot should only respond with data from the allowed sites. If it returns data from a restricted site, recheck the URL list.
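Because the allowlist step overwrites the previous list and a mistyped URL leaves the allowlist different from what you intended, it helps to build and validate the full list before applying it. The following is an added example, not part of the original article: the function name `Merge-CopilotAllowList`, its checks, and the sample URLs are hypothetical, and the 100-site limit is the figure stated above.

```powershell
# Added example, not from the original article. Merge-CopilotAllowList and the
# sample URLs are hypothetical; contoso is the article's placeholder tenant.
function Merge-CopilotAllowList {
    [CmdletBinding()]
    param(
        [string[]]$Current = @(),                    # list read back in step 2
        [Parameter(Mandatory)][string[]]$Add,        # sites to allow in addition
        [Parameter(Mandatory)][string]$TenantHost,   # e.g. contoso.sharepoint.com
        [int]$MaxSites = 100                         # limit stated in the article
    )
    $seen   = [System.Collections.Generic.HashSet[string]]::new(
                  [System.StringComparer]::OrdinalIgnoreCase)
    $merged = [System.Collections.Generic.List[string]]::new()

    foreach ($raw in @($Current) + @($Add)) {
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        $url = $raw.Trim().TrimEnd('/')              # drop a trailing slash from copy/paste
        $uri = $null
        if (-not [uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)) {
            throw "Not an absolute URL: '$raw'"
        }
        if ($uri.Scheme -ne 'https')      { throw "Not HTTPS: '$raw'" }
        if ($uri.Host -ne $TenantHost)    { throw "Host is not ${TenantHost}: '$raw'" }
        if ($uri.Query -or $uri.Fragment) { throw "Remove query string or fragment: '$raw'" }
        # Assumption: an address-bar copy ending in .aspx is a page, not a site URL.
        if ($uri.AbsolutePath -like '*.aspx') { throw "Page URL, not a site URL: '$raw'" }
        if ($seen.Add($url)) { $merged.Add($url) }   # case-insensitive de-duplication
    }

    if ($merged.Count -eq 0)         { throw 'Allowlist would be empty.' }
    if ($merged.Count -gt $MaxSites) { throw "List has $($merged.Count) sites; limit is $MaxSites." }
    return ,$merged.ToArray()
}

# Constructed sample: one site already allowed, two candidates (one a case variant).
$current = @('https://contoso.sharepoint.com/sites/Legal')
$add     = @('https://contoso.sharepoint.com/sites/Marketing/',
             'https://CONTOSO.sharepoint.com/sites/legal')
$list = Merge-CopilotAllowList -Current $current -Add $add -TenantHost 'contoso.sharepoint.com'
$list
# Pass $list to the step 4 cmdlet as the full replacement list.
```

The function touches no tenant state, so it can be run and reviewed before any change is made; record the validated list alongside the change so the verification step has something to compare against.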
Common Mistakes and Limitations
Copilot Still Returns Content From Restricted Sites
If Copilot surfaces data from a site you did not add to the allowlist, the most common cause is that the site URL is misspelled. Verify the exact URL by navigating to the site in a browser and copying the address from the address bar. Also confirm that the RestrictedSearchScope is set to Tenant and not None.
Copilot Returns No Results After Restriction
If Copilot stops returning any SharePoint content, the allowlist may be empty. Run Get-SPOTenant | Select-Object RestrictedSearchScopeList to check. If the list is empty, no sites are allowed and Copilot cannot search any SharePoint content. Add at least one site to resolve this.
Users Cannot Access SharePoint Sites in Copilot
Restricted SharePoint Search only affects Copilot queries. Users retain their normal SharePoint permissions. If a user cannot access a site through Copilot but can access it directly in the browser, the site is simply not on the allowlist. Add the site URL to the list.
The Setting Does Not Apply to Microsoft Graph Connectors
Restricted SharePoint Search only controls Copilot access to SharePoint sites. It does not restrict Copilot from using data ingested through Microsoft Graph connectors, such as external databases or file shares. To control those sources, configure separate search permissions for each connector.
Changes Take Up to 24 Hours to Propagate
After you run the Set-SPOTenant cmdlet, the change may take up to 24 hours to apply across all Microsoft 365 services. Test Copilot after 24 hours if the restriction does not appear to work immediately.
Restricted SharePoint Search vs Standard SharePoint Search: Key Differences
| Item | Restricted SharePoint Search | Standard SharePoint Search |
|---|---|---|
| Copilot data source scope | Only sites in the allowlist | All SharePoint sites the user can access |
| Configuration method | PowerShell only | No configuration needed |
| User permission behavior | Unaffected | Unaffected |
| Update propagation time | Up to 24 hours | Instant |
| Number of sites supported | Up to 100 | Unlimited |
| Applies to Microsoft Graph connectors | No | No |
You can now control exactly which SharePoint sites Copilot uses as a data source. Start by identifying the sites that contain content appropriate for Copilot to reference. Use the PowerShell commands to enable the restriction and add those sites to the allowlist. After the change propagates, verify by testing Copilot queries in Teams or SharePoint. For tighter control, consider combining Restricted SharePoint Search with sensitivity labels to further restrict content access.