How to Enable Restricted SharePoint Search for Microsoft 365 Copilot

Microsoft 365 Copilot can access content across your entire SharePoint tenant by default. This broad access may expose sensitive documents to users who should not see them. Restricted SharePoint Search lets you limit which SharePoint sites and content Copilot can index and return in responses. This article explains how to configure the restricted search setting in the Microsoft 365 admin center and what each option does.

Without restricted search, Copilot uses the Microsoft Graph to search all SharePoint sites a user can access. If a user has read permissions to a site, Copilot can pull data from that site. Restricted search changes this behavior by allowing you to define a specific set of sites. Copilot will only search those sites, even if the user has broader permissions.

This guide covers the prerequisites, the step-by-step configuration process, and common pitfalls to avoid when setting up restricted search for your organization.

Key Takeaways: Restricted SharePoint Search for Copilot

  • Microsoft 365 admin center > Copilot > Restricted SharePoint Search: Lets you limit Copilot to search only specific SharePoint sites instead of the entire tenant.
  • PowerShell cmdlet Set-SPOTenant -RestrictedSearchMode: Enables or disables restricted search mode at the tenant level.
  • Site collection admin > Site Settings > Search and offline availability: Controls whether a specific site is included or excluded from restricted search.

What Restricted SharePoint Search Does and Why You Need It

Restricted SharePoint Search is a tenant-level setting that changes how Copilot discovers and returns SharePoint content. When enabled, Copilot no longer searches all SharePoint sites a user can access. Instead, Copilot only searches sites that you explicitly include in a restricted search scope. This scope is defined by adding site collections to an allow list.

The feature is designed for organizations that need to prevent Copilot from surfacing sensitive information from sites that are broadly shared. For example, a site with read access for all employees might contain financial projections that should not appear in Copilot responses. If you exclude that site from the restricted search scope, Copilot will not index or return its content.

Prerequisites for using restricted search:

  • A Microsoft 365 subscription that includes Copilot for Microsoft 365
  • Global admin or SharePoint admin permissions in the Microsoft 365 admin center
  • SharePoint sites must be configured as site collections (modern team sites or communication sites)

Steps to Enable Restricted SharePoint Search in the Admin Center

Use the Microsoft 365 admin center to turn on restricted search and add sites to the allowed list. The change applies tenant-wide within 15 minutes.

  1. Sign in to the Microsoft 365 admin center
    Go to https://admin.microsoft.com and sign in with an account that has Global admin or SharePoint admin permissions.
  2. Open the Copilot settings page
    In the left navigation pane, select Settings then Org settings. On the Org settings page, find and select Copilot from the list of services.
  3. Select Restricted SharePoint Search
    In the Copilot settings pane, choose the Restricted SharePoint Search tab. If the tab is not visible, verify you have the correct admin role and that your tenant has Copilot for Microsoft 365 licenses assigned.
  4. Turn on restricted search
    Toggle the switch to On. A dialog box will appear explaining that only sites you add will be searchable by Copilot. Click Confirm to proceed.
  5. Add sites to the allowed list
    Click Add sites. In the panel, enter the URL of each SharePoint site collection you want to include. You can add up to 100 site collections. Use the full URL format, for example https://contoso.sharepoint.com/sites/Finance. Click Add after each entry.
  6. Review and save
    After adding all desired sites, click Save. The changes will apply to all Copilot interactions within 15 minutes. Copilot will now only search the sites you added.

Alternative Method: Enable Restricted Search Using PowerShell

If you prefer scripting or need to automate the configuration, use the SharePoint Online Management Shell. This method is also useful for bulk operations across multiple tenants.

  1. Install the SharePoint Online Management Shell
    Open Windows PowerShell as an administrator and run Install-Module -Name Microsoft.Online.SharePoint.PowerShell. If the module is already installed, ensure it is version 16.0.24519.12000 or later.
  2. Connect to SharePoint Online
    Run Connect-SPOService -Url https://contoso-admin.sharepoint.com and sign in with your admin credentials.
  3. Enable restricted search mode
    Run Set-SPOTenant -RestrictedSearchMode $true. This enables the restricted search scope at the tenant level.
  4. Add a site to the allowed list
    Run Set-SPOSite -Identity https://contoso.sharepoint.com/sites/Finance -RestrictedSearch $true. Repeat this command for each site you want to include. Sites not set to $true will be excluded from Copilot search.
  5. Verify the configuration
    Run Get-SPOSite | Where-Object {$_.RestrictedSearch -eq $true} to list all sites that are currently allowed in the restricted search scope.

Common Mistakes and Things to Avoid

Copilot still returns content from excluded sites

If users report that Copilot is returning data from a site you excluded, first confirm the restricted search toggle is enabled in the admin center. A common mistake is turning on the toggle but not adding any sites. When no sites are added, Copilot falls back to the default behavior of searching all accessible sites. Add at least one site to the allowed list to activate the restriction.

Users see a Copilot error about missing data

When restricted search is enabled and a user asks a question that requires data from an excluded site, Copilot will respond that it cannot find the information. This is expected behavior. To fix it, add the relevant site to the allowed list. Ensure the user also has permission to access that site.

Restricted search affects Copilot in Teams and Outlook

The restricted search setting applies to all Copilot experiences that use SharePoint data, including Copilot in Teams, Copilot in Word, and Copilot in Outlook. If you want Copilot in Teams to search a specific SharePoint site, that site must be in the allowed list.

Maximum site limit is 100

The restricted search scope supports up to 100 site collections. If your organization has more than 100 sites that need to be searchable, consider using the default unrestricted search or restructuring your site hierarchy to reduce the number of site collections.
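
The allowed-list rules stated in this article (full site collection URLs, at least one site, no more than 100) can be checked before anything is applied to the tenant. The following is an added example, not code from the original article or from Microsoft; it calls no SharePoint cmdlets, and the function name Test-RestrictedSearchAllowList, the contoso host, the accepted path pattern and the sample URLs are assumptions made for illustration.

```powershell
# Added example: pre-flight check of a candidate allowed list. No SharePoint cmdlets are called.
# Function name, tenant host and sample URLs are hypothetical / constructed for illustration.
function Test-RestrictedSearchAllowList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$SiteUrl,
        [Parameter(Mandatory)][string]$TenantHost,  # e.g. contoso.sharepoint.com
        [int]$MaxSites = 100                        # cap stated in this article
    )
    $accepted = [System.Collections.Generic.List[string]]::new()
    $rejected = [System.Collections.Generic.List[object]]::new()
    $seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($raw in $SiteUrl) {
        $uri = $null; $reason = $null
        if (-not [uri]::TryCreate($raw.Trim(), [System.UriKind]::Absolute, [ref]$uri)) {
            $reason = 'not a full URL'
        } elseif ($uri.Scheme -ne 'https') {
            $reason = 'scheme is not https'
        } elseif ($uri.Host -ne $TenantHost) {
            $reason = "host is not $TenantHost"
        } elseif ($uri.AbsolutePath -notmatch '^/((sites|teams)/[^/]+/?)?$') {
            # Assumes the default /sites and /teams managed paths, plus the tenant root site.
            $reason = 'not a site collection root (page, library or subsite path)'
        } else {
            $normalized = $uri.GetLeftPart([System.UriPartial]::Path).TrimEnd('/')
            if ($seen.Add($normalized)) { $accepted.Add($normalized) } else { $reason = 'duplicate entry' }
        }
        if ($reason) { $rejected.Add([pscustomobject]@{ Url = $raw; Reason = $reason }) }
    }
    [pscustomobject]@{
        Accepted     = $accepted
        Rejected     = $rejected
        IsEmpty      = ($accepted.Count -eq 0)   # per this article, an empty list leaves Copilot unrestricted
        OverLimit    = ($accepted.Count -gt $MaxSites)
        ReadyToApply = ($accepted.Count -gt 0 -and $accepted.Count -le $MaxSites -and $rejected.Count -eq 0)
    }
}

# Constructed sample input.
$candidate = @(
    'https://contoso.sharepoint.com/sites/Finance',
    'https://contoso.sharepoint.com/sites/finance/',
    'https://contoso.sharepoint.com/sites/HR/Shared%20Documents',
    'http://contoso.sharepoint.com/sites/Legal'
)
$result = Test-RestrictedSearchAllowList -SiteUrl $candidate -TenantHost 'contoso.sharepoint.com'
$result.Rejected | Format-Table -AutoSize
$result | Select-Object IsEmpty, OverLimit, ReadyToApply
```

Keeping the accepted list in source control gives the quarterly review a baseline to compare against.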

Restricted Search vs Default Search: Comparison

| Item | Restricted Search | Default Search (Unrestricted) |
| --- | --- | --- |
| Scope of search | Only sites in the allowed list | All SharePoint sites the user can access |
| Configuration effort | Requires manual site addition or PowerShell | No configuration needed |
| Maximum sites | 100 site collections | Unlimited (tenant-wide) |
| User permissions | User must have access to the site AND the site must be in the allowed list | User only needs access to the site |
| Ideal for | Organizations with sensitive content that should not be surfaced broadly | Organizations that want maximum Copilot utility across all content |

You can now control exactly which SharePoint sites Copilot searches. Start by enabling the restricted search toggle in the Microsoft 365 admin center, then add the sites that contain content you want Copilot to use. Review the allowed list quarterly to ensure new sensitive sites are not accidentally included. As an advanced step, combine restricted search with sensitivity labels to further limit Copilot access to documents with specific labels.
