You need to restrict which data Microsoft 365 Copilot can access when employees in different departments use it. Without boundaries, Copilot can surface information from any part of your tenant, which may violate internal policies or compliance rules. This article explains how to configure Copilot data boundaries using Microsoft 365 administrative settings. You will learn the prerequisite licenses, the exact steps to apply a boundary policy, and common pitfalls to avoid.
Key Takeaways: Configuring Copilot Data Boundaries by Department
- Microsoft 365 admin center > Copilot > Data boundaries: The primary location to define which SharePoint sites, OneDrive folders, and Teams channels Copilot can read for each department group.
- Azure AD dynamic groups: Use department attributes to automatically include or exclude users from a boundary policy without manual updates.
- Copilot Graph grounding setting: Toggle between “All organization data” and “Specific data sources” to enforce the boundary at the search and response level.
How Copilot Data Boundaries Work for Departments
Copilot data boundaries control which Microsoft Graph content Copilot can use to generate responses. When a user asks a question, Copilot searches only the data sources you have explicitly allowed. For department-level boundaries, you assign different policies to different Azure AD groups. A group representing the Finance department, for example, can be restricted to only the Finance SharePoint site and Finance Teams channels. Users outside that group cannot see Finance data through Copilot, even if they have read permissions to that content.
The feature relies on two core components. First, Azure AD security groups define who belongs to which department. Second, the Copilot settings in the Microsoft 365 admin center let you map each group to a set of allowed data sources. The boundary is enforced both when Copilot generates a response and when it suggests files or conversations in the Copilot pane.
Prerequisites
Before you configure data boundaries, ensure you have the following:
- A Microsoft 365 E5 or Microsoft 365 Business Premium subscription
- Copilot for Microsoft 365 licenses assigned to all users who will be subject to the boundary
- Global Administrator or Copilot Administrator role in the Microsoft 365 admin center
- Azure AD Premium P1 or P2 licenses for dynamic group membership rules
- SharePoint sites, OneDrive folders, and Teams channels already organized by department
Steps to Configure Copilot Data Boundaries for Departments
Follow these steps to create a department-specific data boundary. The example uses a Finance department group restricted to a Finance SharePoint site and Finance Teams channel.
- Create an Azure AD security group for the department
Sign in to the Azure portal. Go to Azure Active Directory > Groups > New group. Select Security as the group type. Set the membership type to Dynamic User. Add a rule such as user.department -eq "Finance". Name the group “Finance Copilot Boundary”. Click Create. Wait for the group to populate with users whose department attribute is set to Finance.
- Identify the data sources for the department
Open the SharePoint admin center. Locate the Finance team site URL, for example https://contoso.sharepoint.com/sites/Finance. Open the Teams admin center and find the Finance channel ID or name. Write down the SharePoint site URL and the Teams channel name exactly as they appear.
- Open the Copilot data boundaries settings
Go to the Microsoft 365 admin center at https://admin.microsoft.com. In the left navigation, expand Settings, then select Copilot. Under the Data boundaries tab, click Add boundary policy.
- Select the department group
In the Add boundary policy pane, click Select group. Search for the group you created in step 1, for example “Finance Copilot Boundary”. Select it and click Add.
- Define allowed SharePoint sites
Under SharePoint sites, click Add sites. Paste the Finance team site URL. Click Add. Repeat if the department uses multiple sites. Only sites added here will be searchable by Copilot for members of this group.
- Define allowed Teams channels
Under Teams channels, click Add channel. Enter the channel name exactly as it appears in Teams, for example “Finance-General”. Select the associated team from the dropdown. Click Add.
- Define allowed OneDrive folders (optional)
If the department stores critical data in OneDrive, click Add OneDrive folder. Enter the user principal name of the folder owner and the folder name. This step is optional for most departments.
- Set the grounding mode
Under Grounding, select Specific data sources only. This ensures Copilot does not fall back to the entire tenant when it cannot find an answer in the allowed sources. Click Save.
- Verify the boundary policy
Sign in as a user who is a member of the Finance group. Open Copilot in Word or Teams. Ask a question about a document that exists only on the Finance site. Confirm Copilot returns the expected result. Then ask a question about a document on the Sales site. Copilot should respond that it cannot find the information or that the data is not available.
- Repeat for each department
Create a separate boundary policy for each department group. Each policy can point to different SharePoint sites, Teams channels, and OneDrive folders. Policies are additive for users who belong to multiple groups.
Common Mistakes When Setting Up Department Data Boundaries
Copilot still shows data from outside the department
This usually happens when the grounding mode is set to All organization data instead of Specific data sources only. Go to the boundary policy in the Microsoft 365 admin center and change the grounding toggle. Also verify that the user is a member of the correct Azure AD group and that the group membership has synced. Dynamic groups can take up to 30 minutes to update.
Copilot returns no results even for allowed data
Check that the SharePoint site or Teams channel has been indexed by Microsoft Search. Go to the SharePoint admin center > Search > Manage search schema. Confirm the site is not excluded. Also ensure the user has at least read permissions on the site or channel. Data boundaries restrict Copilot’s search scope but do not override existing permissions.
Users in multiple departments get inconsistent results
When a user belongs to two or more boundary groups, Copilot merges the allowed data sources from all groups. If you need strict isolation, create a single group that contains the user and assign only one boundary policy. Use nested groups to combine department memberships without merging boundaries.
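The three pitfalls above interact, so it helps to write down the expected outcome per user before running the verification step. The following is an added example, not Microsoft code or an export format: a small Python model of the rules this article states (policies merge across groups, an "All organization data" grounding setting removes the restriction, and existing read permissions still apply). The record layout, user names, the Sales and Legal groups, and the Sales URL are constructed for illustration.

```python
from dataclasses import dataclass

ALL_ORG, SPECIFIC = "All organization data", "Specific data sources only"
FINANCE = "https://contoso.sharepoint.com/sites/Finance"
SALES = "https://contoso.sharepoint.com/sites/Sales"  # constructed URL

@dataclass(frozen=True)
class BoundaryPolicy:  # hypothetical record: one boundary policy per group
    group: str
    sources: frozenset
    grounding: str = SPECIFIC

# Constructed sample data, not an export from a real tenant.
POLICIES = [
    BoundaryPolicy("Finance Copilot Boundary", frozenset({FINANCE})),
    BoundaryPolicy("Sales Copilot Boundary", frozenset({SALES})),
    BoundaryPolicy("Legal Copilot Boundary", frozenset(), ALL_ORG),  # misconfigured
]
MEMBERS = {  # user -> boundary groups the user belongs to
    "alice": {"Finance Copilot Boundary"},
    "bob": {"Finance Copilot Boundary", "Sales Copilot Boundary"},
    "carol": {"Sales Copilot Boundary"},
    "dave": {"Legal Copilot Boundary"},
}
READ_ACCESS = {  # user -> sources the user can already read
    "alice": {FINANCE, SALES}, "bob": {FINANCE, SALES},
    "carol": set(), "dave": {FINANCE},
}

def effective_scope(user):
    """Merged allowed sources for a user; None means the whole tenant."""
    mine = [p for p in POLICIES if p.group in MEMBERS.get(user, set())]
    if not mine or any(p.grounding == ALL_ORG for p in mine):
        return None  # no policy applies, or grounding is not restricted
    return frozenset().union(*(p.sources for p in mine))  # policies are additive

def expected_visible(user, source):
    """Copilot should surface a source only if it is in scope AND readable."""
    scope = effective_scope(user)
    return (scope is None or source in scope) and source in READ_ACCESS.get(user, set())

def merged_scope_users():
    """Users whose scope is the union of several policies (no strict isolation)."""
    return {u: sorted(g) for u, g in MEMBERS.items() if len(g) > 1}

if __name__ == "__main__":
    for user in sorted(MEMBERS):
        for src in (FINANCE, SALES):
            print(f"{user:6} {src:45} expect_visible={expected_visible(user, src)}")
    print("merged scopes:", merged_scope_users())
```

Compare each printed expectation with what Copilot actually returns for that test user; a mismatch points to one of the three mistakes described in this section.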
Copilot Data Boundaries vs SharePoint Permission Filtering
| Item | Copilot Data Boundaries | SharePoint Permission Filtering |
|---|---|---|
| Scope of restriction | Limits which data sources Copilot can query | Limits which files a user can open directly |
| Enforcement point | Copilot response generation | File-level access control in SharePoint |
| User impact | Copilot cannot see data outside boundary | User cannot open or download restricted files |
| Configuration location | Microsoft 365 admin center > Copilot > Data boundaries | SharePoint admin center > Site permissions |
| License requirement | Copilot for Microsoft 365 | Any SharePoint Online license |
| Best for | Department-level Copilot compliance | Granular document security |
Use both features together for defense in depth. Data boundaries prevent Copilot from even indexing restricted content, while SharePoint permissions block direct access if someone bypasses Copilot.
You can now configure Copilot data boundaries for any department in your organization. Start with one department group and verify the behavior before rolling out to all teams. To further refine access, combine data boundaries with sensitivity labels to prevent Copilot from processing files with specific classification levels.