You want Copilot in Microsoft 365 to use only content from specific SharePoint sites when answering questions. By default, Copilot can access all SharePoint sites in your tenant if the user has permission. This can lead to irrelevant or unwanted data being included in responses. This article explains how to restrict Copilot Notebook sources to a defined set of SharePoint sites using Microsoft 365 admin settings.
Key Takeaways: Restricting Copilot to Approved SharePoint Sites
- Microsoft 365 admin center > Copilot > Data sources > SharePoint: Controls which SharePoint sites Copilot can use as sources for Notebook responses.
- SharePoint site URLs added to the allowed list: Only content from these sites is indexed and used by Copilot for grounded answers.
- User permissions still apply: Even if a site is allowed, users must have read access to the site content for Copilot to return it.
How Copilot Notebook Sources Work with SharePoint
Copilot Notebook is a feature in Microsoft 365 that lets users ask questions and get answers based on organizational data stored in SharePoint, OneDrive, and Microsoft Graph. When you ask a question, Copilot searches across all SharePoint sites you have permission to access. This broad search can include sites that contain irrelevant, outdated, or confidential information that should not be used for general queries.
The restriction is applied at the tenant level using the Microsoft 365 admin center. You define a list of SharePoint site URLs that Copilot is allowed to use as sources. Sites not on this list are excluded from Copilot Notebook searches. This does not remove user permissions to the sites, but it prevents Copilot from reading content from excluded sites when generating responses.
This setting applies only to Copilot Notebook, not to Copilot in other Microsoft 365 apps like Word or PowerPoint. Those apps may still access SharePoint content through other mechanisms. To fully restrict Copilot across all apps, you need to configure additional data source policies.
Steps to Limit Copilot Notebook Sources to Specific SharePoint Sites
- Sign in to the Microsoft 365 admin center
Go to https://admin.microsoft.com and sign in with a Global Admin or SharePoint Admin account. - Open Copilot settings
In the left navigation, select Settings, then Org settings. Under the Services tab, select Copilot. - Navigate to Data sources
In the Copilot settings page, select the Data sources tab. This section controls which Microsoft Graph data Copilot can use. - Select SharePoint
Under SharePoint, click Manage. This opens a panel to configure allowed sites. - Add specific SharePoint site URLs
In the panel, select Add sites. Enter the full URLs of the SharePoint sites you want to allow. For example,https://contoso.sharepoint.com/sites/HRandhttps://contoso.sharepoint.com/sites/Finance. You can add up to 100 sites. Click Add after each URL. - Remove any unwanted sites
If the list includes sites you want to exclude, select the site and click Remove. Only sites on this list are used by Copilot Notebook. - Save the configuration
Click Save to apply the changes. The update may take up to 24 hours to fully propagate across the Microsoft 365 service.
Common Mistakes and Limitations When Restricting SharePoint Sources
Copilot still returns content from excluded sites
If you see results from a site you excluded, check two things. First, verify the site URL is not on the allowed list. Second, confirm the user has permission to the site. Even if a site is excluded, Copilot might still return content if the user accesses it through other Microsoft Graph queries. To fully block a site, also remove user permissions or apply sensitivity labels.
The allowed list does not affect Copilot in Word or PowerPoint
The SharePoint source restriction applies only to Copilot Notebook. Copilot in Word, PowerPoint, Excel, and Teams may still use content from other SharePoint sites. To extend the restriction, you need to configure data loss prevention policies or use Microsoft Purview to limit Copilot access across apps.
Users cannot see which sites are restricted
End users do not see a list of allowed or excluded sites. If a user asks a question and gets no results, they may not know why. Inform your users that Copilot Notebook uses only approved SharePoint sites. Provide documentation listing the allowed sites so users understand the scope.
Changes take up to 24 hours to apply
After saving the site list, Copilot may continue to use old data for up to 24 hours. This is a caching behavior. If you need immediate enforcement, temporarily disable Copilot Notebook for affected users until the cache clears.
Copilot Notebook Source Restriction vs Content Filtering
| Item | Source Restriction (Allowed Sites) | Content Filtering (Microsoft Purview) |
|---|---|---|
| Scope | Limits which SharePoint sites Copilot Notebook can query | Blocks specific content types or sensitivity labels across all apps |
| Granularity | Site-level only | File-level, label-level, or data classification |
| User impact | Users may get fewer results if their sites are excluded | Users see error messages when content is blocked |
| Setup location | Microsoft 365 admin center > Copilot > Data sources | Microsoft Purview compliance portal > Data loss prevention |
| Propagation time | Up to 24 hours | Near real-time |
You can now restrict Copilot Notebook to use only the SharePoint sites you specify. Start by listing the sites that contain approved content for Copilot queries. If you need broader control across all Copilot features, combine this setting with Microsoft Purview data loss prevention policies. For tighter security, also review user permissions on excluded sites to prevent direct access.