Restricted SharePoint Search for Copilot for Microsoft 365


Are you feeling a little bit behind with your readiness, preparation or rollout of Copilot for Microsoft 365 at your organisation? There's an enormous amount of work that has to go into the rollout of Copilot for Microsoft 365 for organisations covering a number of areas such as...

  • Data quality, access and use
  • Data handling
  • Security controls and governance
  • Various security measures and tools to look at such as Purview Information Protection
  • Readiness in terms of adoption of existing Microsoft 365 apps such as Outlook and Teams
  • Existing maintenance and guardrails wrap around for tools like SharePoint
  • External organisation data sources such as Azure SQL and Jira that don't pre-exist in the Microsoft Graph
  • Enablement preparation for Copilot for Microsoft 365
  • So much more!

Now, that's a whole lot of work you need to do before you might consider it appropriate to start rolling Copilot out to your organisation, and enabling your communities. So... in this blog post, I'm going to share a simple trick with you that might speed up the process for you, allowing you to roll out a more limited version of Copilot for Microsoft 365 whilst you get some of that guardrails work out of the way for a full rollout.

Some background... why is SharePoint relevant?

Okay let's take a step back for a second... you now know there's a whole host of things you need to take care of as part of your Copilot for Microsoft 365 deployment... but, why is SharePoint relevant?

The graphic below is great in highlighting Copilot's connection to Microsoft Graph and the Semantic Index at both pre-processing and post-processing stages either side of LLM processing.

Microsoft Graph taps into a huge amount of productivity data we house in Microsoft 365 including our content in SharePoint. When it comes to our SharePoint data, Graph will be able to get hold of what the calling user has access to. So basically, SharePoint permissions on every site, every page, every file, and every list item will determine what Copilot uses to answer questions and generate content.

When did you last audit SharePoint permissions and content?

So, now we know Copilot is going to tap into all the content we have access to in SharePoint. When did you last complete an audit of SharePoint permissions and content in your organisation? Do you have any guardrails in place at all?

For a lot of organisations, the answer will be that they've never audited SharePoint permissions, and their guardrails aren't quite up to scratch either. Up until now, we've had access to the same set of data we'll still have once we roll out Copilot; we just didn't have Copilot to make it SUPER easy to find the data we probably shouldn't have had access to... 👀

Data Leak 101. SharePoint without guardrails + Copilot = Hello data I never knew I had access to before and probably shouldn't have access to

Okay, so SharePoint's gonna take a while to tidy up n' secure

Hey blocker! 👋 Thanks for coming along to slow down my Copilot for Microsoft 365 deployment... Yup! Tidying up an entire tenant of SharePoint content, putting guardrails and information protection tooling (Purview) in place, getting sensitivity labels in place and more, is all going to take a while.

In the meantime, we can still let people supercharge their productivity with Copilot for Microsoft 365, we can just tone it back a bit and give it a LOT less access to SharePoint.

So, how do we go about toning Copilot back a bit and giving it less access to our SharePoint content? Well... luckily Microsoft noticed us having to scrap to tidy things up as fast as we could before we'd even consider Copilot deployments, and they gave us a middle ground to work with: Restricted SharePoint Search (RSS), which gives Copilot less search access to the SharePoint content we still need to permission audit and wrap guardrails around.

With Restricted SharePoint Search, we can keep a list of 100 or fewer SharePoint sites which we have permission checked and applied data governance to, which Copilot gets to search against when providing responses to prompts. Anything else in the tenant will get ignored, unless directly referenced! Awesome, that makes the immediate job a LOT easier... ✅

⚠️
With Restricted SharePoint Search enabled, users are also still able to access content that they own or that they have previously accessed in Copilot. Files that users directly reference and have access to can also still be passed to the LLM for Copilot to respond on; they just won't appear in search results (i.e. without a direct reference) if they're not part of the allowed sites.
💡
Whilst hub sites are included in the 100 site limit for SharePoint sites you can 'allow list' for Copilot to search against, their associated sites do not count towards the 100 limit, but will still be searched against.

So before we get started, here are some prerequisites you'll need to have checked off in preparation for our next steps...

  1. Download the latest SharePoint Online Management Shell
  2. Ensure you have either the Global Administrator or SharePoint Administrator Entra ID / Microsoft 365 roles.
  3. Connect to SharePoint via the SPO Management Shell

Now by default, Restricted SharePoint Search will be disabled in your tenant. We can do a check on this by running the following command in PowerShell.

Get-SPOTenantRestrictedSearchMode

Let's see what response gets returned in my tenant now, where I haven't configured this before.

Screenshot of a PowerShell window showing a command made as above, with the response "Restricted search mode is currently not set."

Okay, so next up, let's look at the process to enable Restricted SharePoint Search so Copilot has a little less that it can search against, remembering that users can still reference any file they have access to and Copilot will respond having accessed that content...

💡
It's important to have your curated allowed list ready to enable Restricted SharePoint Search. Microsoft have guidance on building out this list here - https://learn.microsoft.com/en-us/sharepoint/restricted-sharepoint-search-allowed-list

Next we can look to enable Restricted SharePoint Search, which we'll do with the following command in PowerShell.

Set-SPOTenantRestrictedSearchMode -Mode Enabled

The next thing we need to do is at least give SharePoint Search something it can query against. For this we will add sites to the allowed list. We can add to the allowed list using the following command.

Add-SPOTenantRestrictedSearchAllowedList -SitesList @("https://contoso.sharepoint.com/sites/Marketing", "https://contoso.sharepoint.com/sites/Benefits")

Swap in your own sites, and run the command to add them to your allowed list. You can also create a .csv file with the site URLs listed in the first column and then run the following command to achieve the same result.

Add-SPOTenantRestrictedSearchAllowedList -SitesListFileUrl FilePath.csv
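
A pre-flight wrapper for the steps above, as an added example that is not from the original post: it validates a candidate allowed list (HTTPS URLs on the tenant host, de-duplicated, within the 100-site limit), confirms each site exists, then runs the post's cmdlets and reads the list back. The admin URL, tenant host, CSV path and the helper Test-AllowedListCandidate are assumptions; Get-SPOSite and Get-SPOTenantRestrictedSearchAllowedList ship in the same SharePoint Online Management Shell module.

```powershell
# Added example. $AdminUrl, $CsvPath, $TenantHost and Test-AllowedListCandidate are
# assumed names; contoso is the placeholder tenant used in the post.
$AdminUrl   = 'https://contoso-admin.sharepoint.com'
$TenantHost = 'contoso.sharepoint.com'
$CsvPath    = '.\AllowedSites.csv'   # site URLs in the first column, no header row

function Test-AllowedListCandidate {
    param([string[]]$Urls, [string]$TenantHost, [int]$Limit = 100)
    # Trim whitespace and trailing slashes, drop blanks, de-duplicate (case-insensitive)
    $clean = @($Urls | Where-Object { $_ } | ForEach-Object { $_.Trim().TrimEnd('/') } |
               Where-Object { $_ } | Sort-Object -Unique)
    # Reject anything that is not an absolute https URL on this tenant's SharePoint host
    $bad = @($clean | Where-Object {
        $u = $null
        -not ([uri]::TryCreate($_, [System.UriKind]::Absolute, [ref]$u) -and
              $u.Scheme -eq 'https' -and $u.Host -eq $TenantHost)
    })
    if ($bad.Count) { throw "Not https URLs on ${TenantHost}: $($bad -join ', ')" }
    if ($clean.Count -gt $Limit) { throw "$($clean.Count) sites listed; the limit is $Limit." }
    return ,$clean
}

# 1. Validate the curated list offline, before touching the tenant
$sites = Test-AllowedListCandidate -Urls (Import-Csv $CsvPath -Header Url).Url -TenantHost $TenantHost

# 2. Connect and confirm each URL resolves to an existing site
Connect-SPOService -Url $AdminUrl
foreach ($s in $sites) { Get-SPOSite -Identity $s -ErrorAction Stop | Out-Null }

# 3. Record the current mode, enable, add the list, then read it back
Get-SPOTenantRestrictedSearchMode
Set-SPOTenantRestrictedSearchMode -Mode Enabled
Add-SPOTenantRestrictedSearchAllowedList -SitesList $sites
Get-SPOTenantRestrictedSearchAllowedList
```

Because validation throws before Connect-SPOService is reached, a list with a typo'd or off-tenant URL never reaches the tenant configuration.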

And now let's check out the result when we head over to Copilot for Microsoft 365.

We can now see that there's an information warning highlighting that our organisation restricts Copilot from accessing certain SharePoint sites.

Putting it to the test

Okay now testing things out, I'm going to reference a file which is stored in a SharePoint site outside of my allowed list...

As you can see, Copilot doesn't have a problem accessing the file at all! Copilot still has access to anything you as a user have access to.

So why is this helpful? Well here's the thing... if you have access to a file, you can get to it with or without Copilot... Copilot just makes it 10x easier to discover content we didn't know we had access to before, and in scenarios where organisations have mistakenly over shared the wrong content and adopted a share all approach, this can create data visibility concerns.

What Restricted SharePoint Search does here is prevent Copilot searching for the things we didn't know we had access to, so unless we know about the content and directly reference it, it won't find it now.

How are you getting ready for Copilot?

I'd love to hear about how you're getting ready for Copilot for Microsoft 365. Reach out to me to discuss this topic! 🚀
