You configured Copilot in Microsoft 365 to block a specific internal SharePoint site, but Copilot still includes content from that site in its responses. This happens because the data source exclusion list in the Copilot admin settings does not apply retroactively to cached or indexed content. This article explains why the block fails, how to enforce the restriction, and what to do if Copilot continues to return blocked data.
Key Takeaways: Blocking SharePoint Sites in Copilot
- Microsoft 365 admin center > Copilot > Data sources: Add site URLs to the exclusion list to prevent Copilot from reading that content.
- SharePoint site permissions: Remove all users or groups from the site to block access at the permission level, which overrides the exclusion list lag.
- Microsoft Graph index refresh: After changing the exclusion list, wait up to 24 hours for the index to update and stop returning blocked content.
Why Copilot Still Returns Data From a Blocked SharePoint Site
The root cause is a delay between when you add a site to the exclusion list and when the Microsoft Graph search index removes that site’s content. Copilot retrieves answers by querying the Microsoft Graph index, not the live SharePoint site. When you block a site, the admin setting tells Copilot to ignore that site for future queries. However, the index still contains the cached content from that site for up to 24 hours. During this window, Copilot can still return answers based on the cached data.
A second cause is that the exclusion list only applies to Copilot’s grounded responses, which use Microsoft Graph data. If Copilot is configured to use web search or Bing, blocked SharePoint content may still appear if it is publicly indexed. This is rare for internal sites but possible if the site is shared externally.
How the Exclusion List Works
The exclusion list is part of the Copilot data source configuration in the Microsoft 365 admin center. You enter the full URL of a SharePoint site or OneDrive path. Copilot then excludes that source when generating responses. The list applies to all users in the tenant. Changes to the list do not affect content already indexed. The index refreshes on a schedule, typically every 12 to 24 hours.
Why Permissions Are More Reliable
SharePoint site permissions control access at the user and group level. If a user does not have permission to view a site, Copilot cannot return content from that site because the Microsoft Graph API enforces permissions before returning search results. Using permissions instead of the exclusion list gives immediate effect because the API checks permissions on every query. The exclusion list is a secondary filter that only prevents Copilot from reading the site, but it does not remove the user’s underlying access.
Steps to Enforce the Block and Stop Copilot From Answering From Blocked Sites
Follow these steps in order. The first method uses the exclusion list. The second method uses SharePoint permissions for immediate enforcement.
Method 1: Add the Site URL to the Copilot Exclusion List
- Open the Microsoft 365 admin center
Sign in with a Global Administrator or SharePoint Administrator account. Go to admin.microsoft.com. - Navigate to Copilot settings
In the left navigation, select Settings then Org settings. Scroll to find Copilot and click it. - Open the Data sources tab
In the Copilot settings pane, select the Data sources tab. This shows the list of sources Copilot can read. - Add the blocked site URL
Under Excluded sources, click Add source. Enter the full URL of the SharePoint site you want to block. For example:https://contoso.sharepoint.com/sites/blockedsite. Click Add. - Save the changes
Click Save at the bottom of the pane. The exclusion list is now active. Wait up to 24 hours for the index to refresh.
Method 2: Remove User Permissions on the SharePoint Site
- Open the SharePoint admin center
Sign in to admin.microsoft.com. In the left navigation, select SharePoint. - Find the site you want to block
Under Sites, select Active sites. Locate the site in the list. Click the site name to open its details pane. - Manage site permissions
In the site details pane, click the Permissions tab. Under Site admins and Site members, remove all users and groups that should not have access. Click Remove next to each entry. - Break permission inheritance if needed
If the site inherits permissions from the parent, click Stop inheriting permissions. Then remove the inherited groups. This ensures no user in the tenant can access the site. - Save and verify
Click Save. Test by asking Copilot a question that should return content from that site. If you no longer have access, the answer will not include that site’s data.
If Copilot Still Has Issues After the Main Fix
Copilot Returns Generic Output Instead of Tenant-Specific Data
If you blocked the site but Copilot still returns generic or public information, check whether Copilot is using web search. Open the Copilot settings pane in the Microsoft 365 admin center. Under Data sources, ensure Web search is turned off if you only want internal data. If web search is on, Copilot may pull public indexed versions of your blocked site if it was shared externally.
Blocked Site Still Appears in Copilot Responses After 24 Hours
If more than 24 hours have passed and the blocked site still appears, verify that the URL you entered in the exclusion list is correct. Use the exact URL that appears in the browser address bar when you open the site. Do not include trailing slashes or query parameters. Also check that the site URL is not part of a larger site collection that is still allowed. For example, if you blocked /sites/blockedsite but allowed /sites, the parent path may still match.
Copilot Answers From a Blocked OneDrive Folder
OneDrive folders are blocked the same way as SharePoint sites. In the exclusion list, enter the full OneDrive URL. For example: https://contoso-my.sharepoint.com/personal/user_contoso_com/Documents/blockedfolder. Then remove the user’s permissions on that folder if needed. The same 24-hour index delay applies.
| Item | Exclusion List | Permission Removal |
|---|---|---|
| Effectiveness | Delayed up to 24 hours | Immediate |
| Administrative effort | Single URL entry | Remove users or groups per site |
| Scope | Applies to all users | Applies per user or group |
| Index dependency | Yes, relies on Microsoft Graph index refresh | No, API enforces permissions live |
| Impact on other services | Only affects Copilot | Affects all access to the site |
Now you can block a SharePoint site in Copilot using the exclusion list or by removing permissions. The exclusion list is simpler but has a 24-hour delay. Permission removal works immediately but affects all access. For urgent blocks, use permission removal first. Then add the exclusion list as a permanent filter. After 24 hours, verify the block by asking Copilot a question that previously returned data from that site.