Microsoft 365 Copilot Shows HR Files to Managers: Fix
🔍 WiseChecker

You manage HR data in Microsoft 365 and you rely on Copilot to draft performance reviews or summarize employee records. But when a manager asks Copilot a question, it sometimes pulls sensitive HR files that should be hidden from that role. This exposure happens because Copilot respects the same permissions that the user already has in SharePoint and OneDrive, and default sharing settings often grant managers broader access than intended. This article explains why Copilot shows HR files to managers and provides the exact steps to lock down sensitive documents so Copilot respects those restrictions.

Key Takeaways: Restrict HR Files from Copilot Results

  • Microsoft 365 admin center > SharePoint > Site permissions: Remove or limit manager access to HR document libraries to stop Copilot from surfacing those files.
  • SharePoint site > Settings > Permission levels: Create a custom permission level that explicitly denies ‘View Items’ for sensitive HR folders.
  • Microsoft Purview > Information protection > Sensitivity labels: Apply a ‘Highly Confidential’ label that blocks Copilot from processing labeled files.

Why Copilot Shows HR Files to Managers

Copilot does not apply its own access control layer. It uses the same Microsoft Graph data that the signed-in user can already see. If a manager has read access to an HR document in SharePoint or OneDrive, Copilot can include that document in its response. The root cause is almost always a permission configuration that is too broad. Common scenarios include:

  • HR document libraries set to ‘Everyone except external users’ or ‘Company-wide’ sharing.
  • Managers added to the HR site’s Members group instead of a restricted Visitors group.
  • Inherited permissions from a parent site that grant edit or read access to all managers.
  • Sensitivity labels not applied to HR files, so Copilot treats them as normal business data.

Copilot also indexes content from Microsoft Graph connectors, Viva Topics, and third-party sources. If an HR system is connected via a Graph connector, that data may also appear in Copilot results unless it is scoped or excluded.

How Copilot Scopes Its Search

When a manager asks Copilot a question, Copilot searches the Microsoft Graph for content the manager can access. It does not check HR-specific rules or departmental boundaries. If the manager’s Microsoft 365 account has view permission on a file, Copilot treats that file as fair game. The fix must happen at the permission or labeling level, not inside Copilot itself.

Steps to Stop Copilot from Exposing HR Files

Follow these steps in order. Each step closes a different gap.

  1. Audit current HR site permissions
    Go to the Microsoft 365 admin center at admin.microsoft.com. Select SharePoint and then Active sites. Find your HR team site and open it. Click Permissions and review the list of users and groups. Remove any group that includes managers who should not see HR files. If your HR site uses a ‘Managers’ group, change its permission level from Edit or Contribute to Read only. For full restriction, remove the group entirely and add individual HR staff only.
  2. Break permission inheritance on sensitive folders
    Inside the HR SharePoint site, navigate to the document library that contains sensitive files. Select the folder or subfolder, click the ellipsis menu, and choose Manage access. Click Advanced settings and then Stop inheriting permissions. Remove all groups that include managers. Add only the HR team members with the Contribute permission level. This prevents Copilot from returning files in that folder to any manager who is not explicitly granted access.
  3. Apply a sensitivity label that blocks Copilot
    Open the Microsoft Purview compliance portal at compliance.microsoft.com. Go to Information protection and select Labels. Create a new label named ‘HR Confidential – No Copilot’. Under Auto-labeling, set it to apply to files that contain employee data patterns like SSN or salary. Under App protection, enable the setting that prevents Copilot from processing files with this label. Publish the label to all HR site members. Instruct HR staff to apply this label to every new document they upload.
  4. Restrict OneDrive sharing for HR managers
    If HR managers store personal HR files in their OneDrive, those files can also appear in Copilot results. Go to the Microsoft 365 admin center, select Users, and then Active users. Click the HR manager’s account, go to OneDrive, and set the default sharing link type to ‘Specific people’. This prevents files from being shared broadly by default. Also disable the ‘Allow direct sharing to all company users’ option for HR manager accounts.
  5. Disable Microsoft Graph connectors that index HR systems
    If your tenant uses a Graph connector to pull data from an HR platform like Workday or SAP SuccessFactors, that data may appear in Copilot. Go to the Microsoft 365 admin center, select Settings, then Org settings, and find Microsoft Graph connectors. Review each connector. For any connector that indexes HR data, edit its settings and restrict the data source to a specific security group that contains only HR staff. Alternatively, delete the connector if it is not needed.
  6. Test Copilot with a manager account
    Sign in to Microsoft 365 Copilot using a test account that represents a manager. Ask Copilot a question like “Show me the latest performance reviews for my team.” If any HR files appear, repeat steps 1 through 5 until no sensitive files are returned. Use the Copilot response feedback button to report false positives.
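The audit in steps 1 and 2 can also be run against what Microsoft Graph actually returns for a file, which is the same data Copilot consults. The script below is an added example, not code from the article or from Microsoft: it reads a constructed sample of a driveItem `permissions` response and flags grants that reach beyond HR staff (organization-wide sharing links, and direct or inherited grants to principals such as ‘Managers’ or ‘Everyone except external users’). The `DISALLOWED_PRINCIPALS` set is an assumed, tenant-specific list.

```python
"""Offline audit of Microsoft Graph driveItem permissions: flags grants that would
let Copilot surface an HR file to managers (added example, not the article's code)."""
import json

# Assumption: principals that must not hold any grant on HR content in this tenant.
DISALLOWED_PRINCIPALS = {"everyone except external users", "managers", "everyone"}

# Constructed sample in the shape of GET /drives/{drive-id}/items/{item-id}/permissions.
SAMPLE_PERMISSIONS = json.loads("""
{"value": [
  {"id": "p1", "roles": ["write"],
   "grantedToV2": {"siteGroup": {"displayName": "HR Team Members"}}},
  {"id": "p2", "roles": ["read"],
   "grantedToV2": {"siteGroup": {"displayName": "Managers"}},
   "inheritedFrom": {"name": "HR Documents"}},
  {"id": "p3", "roles": ["read"],
   "link": {"scope": "organization", "type": "view"}},
  {"id": "p4", "roles": ["read"],
   "grantedToIdentitiesV2": [{"user": {"displayName": "Jane Doe"}},
                             {"siteUser": {"displayName": "Everyone except external users"}}]}
]}""")


def principal_names(perm):
    """Display names of every identity a single permission entry grants to."""
    identity_sets = [perm.get("grantedToV2")] + perm.get("grantedToIdentitiesV2", [])
    names = []
    for ident_set in identity_sets:
        for kind in ("user", "group", "siteUser", "siteGroup", "application"):
            ident = (ident_set or {}).get(kind)
            if ident and ident.get("displayName"):
                names.append(ident["displayName"])
    return names


def audit_permissions(response, disallowed=DISALLOWED_PRINCIPALS):
    """Return (permission id, reason) pairs for grants that reach beyond HR staff:
    org-wide/anonymous links always, direct grants when a principal is disallowed."""
    findings = []
    for perm in response.get("value", []):
        link = perm.get("link") or {}
        if link.get("scope") in ("organization", "anonymous"):
            findings.append((perm["id"], f"{link['scope']} sharing link ({link.get('type')})"))
            continue
        for name in principal_names(perm):
            if name.lower() in disallowed:
                origin = " (inherited from parent)" if "inheritedFrom" in perm else ""
                findings.append((perm["id"], f"granted to '{name}' roles={perm['roles']}{origin}"))
    return findings
```

Each finding maps to a step above: an inherited grant to ‘Managers’ is fixed by step 2, an organization-wide link or ‘Everyone except external users’ grant by step 1.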

If Copilot Still Shows HR Files After the Main Fix

Some exposure cases require additional steps. The following scenarios cover the most common remaining issues.

Copilot returns files from a shared mailbox or Teams channel

HR files stored in a Teams channel or shared mailbox may inherit permissions from the parent team. Check the team’s privacy setting. If it is set to ‘Public’, any member of the organization can find its files via Copilot. Change the team to ‘Private’ and remove non-HR members. For shared mailboxes, restrict send-as and full access permissions to HR staff only.

Copilot shows cached or outdated versions of HR files

Microsoft Graph indexes content and may retain a cached version for up to 24 hours. After you change permissions, wait one full day before testing again. If the file still appears, use the Microsoft Graph Explorer to manually delete the cached item. Sign in to Graph Explorer with an admin account, run a GET request on the file’s driveItem, and then run a DELETE request on the same item. This forces a re-index.

Copilot returns results from a third-party HR app connected via Power Automate

Power Automate flows that copy HR data into SharePoint or OneDrive bypass the original app’s access controls. Review all Power Automate flows that involve HR data. Edit each flow to add a condition that checks the destination folder’s permissions before writing the file. If the destination folder is accessible to managers, redirect the file to a restricted folder.

Item          SharePoint permission restriction         Sensitivity label restriction
Scope         Applies to folders and libraries          Applies to individual files
Enforcement   Blocks file access entirely               Blocks Copilot processing but allows manual access
User impact   Manager cannot open the file in browser   Manager can open the file but Copilot ignores it
Setup time    Minutes per site                          Hours to create and publish label policy
Best for      Existing HR document libraries            New HR files that need consistent protection

After you apply both methods, Copilot will no longer surface HR files to managers. Test with a real manager account and verify that the Copilot response contains only data that manager is allowed to see. Repeat the audit every quarter to catch new permissions that may have been granted through team membership changes or site migrations.
