When Copilot in Microsoft 365 generates answers from your tenant data, it reads content from SharePoint sites that you have indexed for Microsoft Search. If a sensitive site collection appears in search results, Copilot can use that content in its responses. This happens because Copilot relies on the same search index that powers Microsoft Search. This article explains how to block Copilot from reading specific SharePoint site collections by controlling which sites are included in the search index and by applying conditional access policies.
Key Takeaways: Blocking SharePoint Sites from Copilot
- Microsoft 365 admin center > Search & intelligence > Content sources: Remove or exclude site collections from the Microsoft Search index to prevent Copilot from reading them.
- SharePoint admin center > Site collections > Site permissions: Use site-level sharing settings and access requests to restrict user access, which limits what Copilot can surface.
- Azure AD conditional access policy: Create a policy that blocks access to specific SharePoint sites from Copilot-enabled apps using the SharePoint Online app and site condition.
How Copilot Accesses SharePoint Content
Copilot for Microsoft 365 uses the Microsoft Search index to retrieve content from SharePoint site collections. When a user asks a question, Copilot queries the search index and returns results from sites that the user has permission to view. If a site collection is indexed and the user has at least read access, Copilot can include that content in its generated responses. The Microsoft Search index is built from all site collections that are marked as searchable in the SharePoint admin center. To block Copilot from reading a specific site collection, you must either remove it from the search index or restrict user access to that site.
Permissions and Search Index Scope
Copilot does not bypass SharePoint permissions. It only returns content from sites where the signed-in user already has access. However, if a user has read access to a sensitive site collection, Copilot can surface that content even if the user never navigated to the site manually. The search index is the gatekeeper: if a site is not indexed, Copilot cannot read it regardless of user permissions.
Steps to Remove a Site Collection from the Microsoft Search Index
- Sign in to the Microsoft 365 admin center
Go to admin.microsoft.com and sign in with a Global admin or Search admin account. - Open the Search & intelligence section
In the left navigation, select Search & intelligence. If you do not see this option, click Show all first. - Go to the Content sources tab
Under Search & intelligence, select Content sources. This page lists all indexed SharePoint site collections and external data sources. - Find the site collection you want to block
Scroll through the list or use the search box to locate the specific SharePoint site collection. Note the site URL. - Remove the site collection from the index
Click the site collection row to select it, then click Remove from the toolbar. Confirm the removal when prompted. This action deletes the site from the Microsoft Search index within a few hours. - Verify the removal
After 24 hours, perform a test search in SharePoint or using Copilot to confirm that content from that site no longer appears in results.
Alternative Method: Exclude a Site Collection Using PowerShell
For bulk operations or automation, use the SharePoint Online Management Shell. Run the following cmdlet to remove a site collection from the search index:
Set-SPOTenant -ExcludedContentTypes "https://yourtenant.sharepoint.com/sites/SensitiveSite"
Replace the URL with your site collection URL. This cmdlet excludes the site from the default search index. After running the command, run Request-SPOPersonalSite to ensure the change propagates.
Restrict User Access to Block Copilot Responses
If you cannot remove a site collection from the search index due to business requirements, restrict user permissions to that site. Copilot will then not surface content from that site for users who lack access.
- Go to the SharePoint admin center
Sign in to admin.microsoft.com and select SharePoint from the admin centers list. - Open the site collection settings
Under Sites, select Active sites. Find the site collection you want to restrict, click its URL, then select Settings. - Change sharing settings
Under External sharing, set the sharing level to Only people in your organization or Anyone based on your security needs. For maximum restriction, select Only people in your organization and disable sharing with new external users. - Remove unnecessary user permissions
Go to Site permissions, review the list of users and groups, and remove any users who do not need access. Use the Check permissions tool to see which users have access via group membership. - Enable access requests
On the Site permissions page, select Access requests settings. Turn on Allow access requests and set an email address for notifications. This prevents users from gaining access without approval.
If Copilot Still Returns Content from a Blocked Site
Copilot Returns Content from a Site You Removed from the Index
The Microsoft Search index can take up to 48 hours to fully update after removing a site collection. During this period, Copilot may still return cached results. Wait 48 hours and test again. If content still appears, verify that the site collection is not included in a SharePoint hub site or a content source that aggregates multiple sites.
Copilot Returns Content from a Site Where User Access Was Revoked
Copilot respects user permissions in real time. If a user still sees content from a site after you removed their access, check for group memberships. The user may be part of a Microsoft 365 group, a security group, or a SharePoint group that still grants access to the site. Remove the user from all relevant groups or create a new group with explicit deny permissions using SharePoint advanced permissions.
Copilot Returns Content from a Site That Was Never Indexed
If you never added the site collection to the Microsoft Search index, Copilot should not return its content. However, if the site is part of a SharePoint hub site that is indexed, the hub site index may include content from all associated sites. Remove the site from the hub site or exclude the hub site from the search index.
Index Removal vs Permission Restriction: Key Differences
| Item | Remove from Search Index | Restrict Permissions |
|---|---|---|
| Effect on Copilot | Copilot cannot read the site content for any user | Copilot cannot read the site content for users without access |
| User experience | Site still appears in SharePoint navigation but not in search or Copilot | Site appears in search and Copilot only for authorized users |
| Propagation time | Up to 48 hours for index update | Immediate after permission change |
| Best for | Site collections that should never be surfaced by Copilot | Site collections where some users need Copilot access but others do not |
You now have two reliable methods to block Copilot from reading specific SharePoint site collections: removing the site from the Microsoft Search index or restricting user permissions. Start with the index removal approach for sites that should never appear in Copilot responses. For sites where access control is sufficient, use the permission restriction method. As a next step, review your other sensitive sites such as HR portals or legal document libraries and apply the same configuration. For advanced protection, combine both methods and audit your search index monthly using the Search & intelligence reports in the Microsoft 365 admin center.