Table of Contents
Restricted SharePoint Search Confines Copilot for Microsoft 365 Access to Curated Sites and User Content
The lights are obviously burning late in SharePoint engineering as Microsoft figures out new methods to help customers avoid inadvertent disclosure of confidential information through text generated by Copilot for Microsoft 365. Last month, we discussed how to exclude SharePoint Online sites and document libraries from search results to block Copilot access. Now, Microsoft has created Restricted SharePoint Search to deliver a more elegant (but possibly flawed) solution to allow organizations to control the sites accessible to Copilot.
Tenants with Copilot for Microsoft 365 licenses can enable Restricted SharePoint Search “from April onward.” By default, Restricted SharePoint Search is disabled and administrators will have to run some PowerShell commands to enable it for a tenant.
What is Restricted SharePoint Search?
Essentially, Restricted SharePoint Search disables enterprise-wide search. Instead, tenants can select up to 100 SharePoint Online sites that users can access (subject to the access defined for the sites). In this context, “users” includes Copilot for Microsoft 365 because when Copilot is active, it always operates as the signed-in user.
The restriction placed on enterprise search is pretty severe. Given the profusion of Microsoft 365 Groups and Teams, each of which has their own SharePoint Online site (and possibly several sub-sites for shared and private channels), limiting search to a curated list of 100 sites excludes most sites in anything but small tenants. Even my own small tenant supports over 400 sites.
Easing the Restrictions to Accommodate User Data
Microsoft will no doubt argue that the impact of limiting search to 100 sites is ameliorated by allowing users to search content from:
- Frequently visited SharePoint Online sites. However, Microsoft has not defined how many sites are in this category and how users can add sites to the list. For instance, does marking a site as a favorite put it on the list?
- Files in OneDrive for Business accounts that they have access to. This includes the user’s own OneDrive account, so they have full access to all their personal documents and other information stored in OneDrive.
- Files that are directly shared with users.
- Files that users create, edit, or view. In other words, if you touch a file stored in SharePoint Online, Copilot for Microsoft 365 can find and use that content.
I don’t know how Microsoft determined that 100 was a good number for the curated sites list. Determining what sites go onto the list and what sites are excluded will be an interesting exercise for many organizations. It seems like the intention is for tenants to include important corporate sites that everyone needs access to, like those holding HR information or details of released products and public documentation while relying on the frequently visited sites lists to deliver user-specific search results. It would be interesting to know how Microsoft uses Restricted SharePoint Search and if so, how they selected the 100 sites.
Restricted SharePoint Search does not affect how Microsoft Purview solutions like eDiscovery work. One way of thinking about the restriction is that it’s a form of trimming similar to the security trimming that Search already does to make sure that users only ever see sites and files in search results that they are entitled to access. This trimming further limits results to the 100 curated files plus the user’s OneDrive for Business account and files shared with them.
The Impact of Restricted SharePoint Search
It could be that this scheme will work well, but as Microsoft points out, Restricted SharePoint Search “limits the content Copilot can search and reference when responding” and “may impact its ability to provide accurate and comprehensive responses to prompts.”
Microsoft says that the new solution will help customers review and audit site permissions while continuing to deploy Copilot for Microsoft 365. A cynic might say that Restricted SharePoint Search is a cobbled together patch rushed out to assuage the concerns of customers who have heard about potential data disclosure problems and slowed the planning process for Copilot. It’s absolutely the right thing for Microsoft to address those concerns, but Restricted SharePoint Search seems like a sticking plaster that’s been applied until Microsoft can come up with a more flexible long-term solution. I guess we’ll know more when the software reaches customers in April and can assess just how well the 100 site limit works.