Microsoft 365 Copilot Restricted SharePoint Search Not Working: Fix

When you ask Copilot in Microsoft 365 a question about a document stored in SharePoint, it returns a generic answer or says it cannot find the information. This happens even though you know the file exists and you have access to it. The most common cause is a misconfiguration in the SharePoint search permissions or in the Copilot data source settings. This article explains why restricted SharePoint search fails and provides step-by-step fixes to restore grounded responses from your tenant content.

Key Takeaways: Restoring Copilot Access to Restricted SharePoint Content

  • Microsoft 365 admin center > Settings > Copilot > Data sources: Controls which Microsoft Graph data Copilot can read for grounded responses.
  • SharePoint site permissions > Site collection administrators: Ensures Copilot can crawl the site through its service account.
  • Search schema > Managed properties: Verifies that custom properties are mapped correctly for Copilot indexing.

Why Copilot Cannot Search Restricted SharePoint Sites

Copilot relies on Microsoft Graph and SharePoint Online search to index content from your tenant. When a SharePoint site is set to restricted access — meaning only specific users or groups can view its content — Copilot may not be able to crawl that site at all. The root cause is almost always one of three things:

Copilot Data Source Settings Exclude the Site

The Copilot configuration in the Microsoft 365 admin center includes a list of data sources that Copilot is allowed to query. If the restricted SharePoint site is not included in this list, Copilot will not return content from it. This setting overrides individual user permissions. Even if a user has direct access to the file, Copilot cannot surface it unless the site is listed as a data source.

SharePoint Site Permissions Block the Service Account

Copilot uses a service principal to crawl SharePoint content. That principal must be added as a site collection administrator on any restricted site. If the site uses unique permissions or is part of a private channel, the service account may be denied access. The result is a search that returns no results or only partial results.

Search Index or Custom Properties Are Misconfigured

SharePoint Online search indexes all content by default, but custom managed properties require manual mapping. If your organization uses custom columns or metadata to restrict content, those properties must be mapped in the search schema. Without proper mapping, Copilot cannot filter or find the restricted content.

Steps to Fix Restricted SharePoint Search for Copilot

  1. Verify Copilot data source inclusion in the admin center
    Go to the Microsoft 365 admin center at admin.microsoft.com. Navigate to Settings > Copilot > Data sources. Under SharePoint, confirm that the restricted site URL is listed. If it is missing, click Add a data source, paste the site URL, and save. Wait 15 minutes for the change to propagate.
  2. Add the Copilot service account as a site collection administrator
    Open the restricted SharePoint site. Click the gear icon and select Site permissions. Click Site collection administrators. Add the service account named Microsoft Copilot Service (or the account listed in your tenant as the Copilot principal). Click OK and save. This grants crawling access without granting users additional permissions.
  3. Reindex the site collection
    On the same site, go to Site settings > Search and offline availability > Reindex site. Click Reindex. This forces SharePoint to rescan all content and update the search index. Indexing can take several hours depending on site size.
  4. Check custom managed properties in the search schema
    Go to the SharePoint admin center at admin.microsoft.com > SharePoint > Search > Manage Search Schema. Look for any custom managed properties that match the metadata you use to restrict content. For each property, ensure Searchable is set to Yes and Queryable is set to Yes. Click OK and then click Run full crawl in the Search administration page.
  5. Test with a simple Copilot prompt
    Open Copilot in Teams or on the web. Type a prompt that includes a specific file name or phrase from the restricted site. Example: Find the budget proposal from the Finance restricted site. If Copilot returns the file, the fix is complete. If not, wait one hour and test again because indexing changes can take up to 60 minutes to reflect.
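
To confirm the outcome of step 2 and see who else holds site collection administrator rights on the restricted site, the following PowerShell check can be used. It is an added example, not code from the original article: the function name Test-SiteAdminGrant, the approved-admin list and every account name are hypothetical, and the sample user objects are constructed to mirror the LoginName and IsSiteAdmin properties that Get-SPOUser returns.

```powershell
# Added example: compare a site's site collection administrators with an approved list.
# Input objects need the LoginName and IsSiteAdmin properties that Get-SPOUser returns.
# All account names below are constructed placeholders, not real tenant values.

function Test-SiteAdminGrant {
    param(
        [Parameter(Mandatory)] [object[]] $Users,           # e.g. output of Get-SPOUser
        [Parameter(Mandatory)] [string]   $CrawlPrincipal,  # principal added in step 2
        [string[]] $ApprovedAdmins = @()                    # admins expected on this site
    )

    # Keep only accounts that hold site collection administrator rights.
    $admins  = @($Users | Where-Object { $_.IsSiteAdmin })
    $logins  = @($admins | ForEach-Object { $_.LoginName })
    $allowed = @($ApprovedAdmins) + $CrawlPrincipal

    # -contains / -notcontains compare strings case-insensitively.
    [pscustomobject]@{
        PrincipalIsAdmin = $logins -contains $CrawlPrincipal
        AdminCount       = $admins.Count
        UnexpectedAdmins = @($logins | Where-Object { $allowed -notcontains $_ })
    }
}

# Constructed sample input so the check runs offline.
$sampleUsers = @(
    [pscustomobject]@{ LoginName = 'owner@contoso.example';             IsSiteAdmin = $true  }
    [pscustomobject]@{ LoginName = 'copilot-principal@contoso.example'; IsSiteAdmin = $true  }
    [pscustomobject]@{ LoginName = 'temp.contractor@contoso.example';   IsSiteAdmin = $true  }
    [pscustomobject]@{ LoginName = 'reader@contoso.example';            IsSiteAdmin = $false }
)

$result = Test-SiteAdminGrant -Users $sampleUsers `
    -CrawlPrincipal 'copilot-principal@contoso.example' `
    -ApprovedAdmins 'owner@contoso.example'
$result | Format-List

# Against a live tenant (SharePoint Online Management Shell), replace the sample with:
#   Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
#   $users = Get-SPOUser -Site https://<tenant>.sharepoint.com/sites/<site> -Limit All
#   Test-SiteAdminGrant -Users $users -CrawlPrincipal '<principal login>' -ApprovedAdmins '<owner login>'
```

Running it before and after the permission change gives a record of exactly which account was added, and any entry in UnexpectedAdmins is an administrator on the restricted site that nobody listed as approved.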

If Copilot Still Has Issues After the Main Fix

Copilot Returns Generic Output Instead of Tenant-Specific Data

If Copilot answers with general web results or says it cannot access tenant data, the data source setting may still be incorrect. Go back to Settings > Copilot > Data sources and verify that the toggle for Microsoft Graph is turned on. Without this toggle, Copilot cannot read any SharePoint or OneDrive content. Also check that the restricted site is not blocked by a SharePoint site policy that disables external sharing or search indexing.

Search Results Show Only Files the User Already Has Open

Copilot often surfaces documents that are already in the user’s recent files or open tabs. To test whether search is truly working, use a prompt that references a file the user has never opened. If Copilot still cannot find it, the issue is likely with the search index. Run a full crawl again from the SharePoint admin center and monitor the crawl log for errors. Common errors include Access denied for the service account or Property mapping not found for custom metadata.

Changes to Permissions Do Not Take Effect

SharePoint permission changes can take up to 24 hours to propagate in the search index. If you added the Copilot service account as a site collection administrator but search still fails, wait at least 4 hours. Then trigger a reindex from the site settings. You can also use the SharePoint Online Management Shell to force a crawl: run Request-SPOPersonalSiteReindex -Url "site URL". This command forces a reindex of the entire site.

Item | Correct Configuration | Common Misconfiguration
Copilot data source list | Restricted site URL is included under SharePoint data sources | Site URL is missing or the Microsoft Graph toggle is off
Site collection administrator | Copilot service account is added as a site collection admin | Service account has only visitor or member permissions
Search schema managed properties | Custom properties are set to Searchable and Queryable | Properties are set to Searchable only or not mapped
Site reindex status | Reindex was triggered after permission changes | No reindex was performed after adding the service account

Now you can diagnose and fix restricted SharePoint search failures in Copilot. Start by verifying the data source list in the admin center, then add the Copilot service account as a site collection administrator on the restricted site. After reindexing, test with a specific file name prompt. For ongoing monitoring, use the SharePoint admin center crawl logs to catch permission errors before they affect users. A regularly scheduled full crawl once a month keeps the index in sync with permission changes.
