SharePoint Online Site Administrators Can Now Control Restricted Content Discovery

Posted on by Tony Redmond

RCD an Essential Tool for Tenants with Microsoft 365 Copilot

In April 2025, I discussed how the SharePoint Online Restricted Content Discovery (RCD) feature works. In a nutshell, RCD blocks site content from Microsoft 365 Copilot, meaning that Copilot isn’t allowed to use site content in its responses. Because RCD limits SharePoint Search, content also doesn’t appear in organization-wide search results (Figure 1).

SharePoint highlights a site blocked by RCD.
Figure 1: SharePoint highlights a site blocked by RCD

RCD is licensed through SharePoint Advanced Management (SAM) and is one of the SAM features available to tenants with Microsoft 365 Copilot licenses. Given that all tenants store some form of confidential or sensitive information in SharePoint Online, RCD is something that tenants with Microsoft 365 Copilot should deploy to prevent the potential of inadvertent leakage of that information.

Applying RCD

Until recently, RCD was controlled by SharePoint administrators, who can apply RCD to a site through the SharePoint admin center (Figure 2) or with PowerShell.

Applying RCD to a site in the SharePoint admin center.
Figure 2: Applying RCD to a site in the SharePoint admin center

Administrators are used to taking responsibility, and enabling RCD for a site is usually a one-time operation. However, given the number of SharePoint sites in use (largely because of Teams), controlling RCD for a medium to large tenant can rapidly become a time soak.

Fortunately, Microsoft listened to customer feedback and has introduced the ability for site administrators to enable and disable RCD for their sites. The feature achieved general availability in early January 2026 and is documented here.

Allowing Site Administrators to Control RCD

Before site administrators can control RCD, the tenant must be enabled for what Microsoft calls delegated content discoverability. This is done by updating a tenant setting with PowerShell. When dealing with new features, it’s usually true that the latest version of the Microsoft.Online.SharePoint.PowerShell module is required, so I installed version 16.0.26712.12000 from the PowerShell gallery and then ran:

Set-SPOTenant -DelegateRestrictedContentDiscoverabilityManagement $true

Enabling RCD for a Site

Like all changes to SharePoint Online settings, it can take some time before the update is effective across a tenant. When delegated RCD is available, it appears in the Site Information panel under the heading Restrict content from M365 Copilot (Figure 3). If the site administrator changes the setting, they’re required to provide a justification similar to when downgrading a sensitivity label for a file.

A site administrator justifies enabling RCD.
Figure 3: A site administrator justifies enabling RCD

SharePoint Online generates audit records when a site administrator enables or disables RCD for a site. Here’s some PowerShell code to fetch and report the audit records:

[array]$Operations = "RestrictContentOrgWideSearchDisabled", "RestrictContentOrgWideSearchEnabled", "SharePointRCDUpdateJustification"
[array]$Records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -Formatted `
    -SessionCommand ReturnLargeSet -ResultSize 5000 -Operations $Operations
$Records = $Records | Sort-Object Identity -Unique

$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($Rec in $Records) {
    $AuditData = $Rec.AuditData | ConvertFrom-Json
 
    Switch ($AuditData.Operation) {
        "RestrictContentOrgWideSearchEnabled" {
            $Action = ("Enabled RCD for {0}" -f $AuditData.ObjectId)
        }
        "SharePointRCDUpdateJustification" {
            $Action = ("RCD Justification: {0}" -f $AuditData.RCDJustification)
        }
        "RestrictContentOrgWideSearchDisabled" {
            $Action = ("Disabled RCD for {0}" -f $AuditData.ObjectId)
        }
        Default {
            $Action = $AuditData.Operation
        }
    }
    $ReportLine = [PSCustomObject][Ordered]@{
        TimeStamp       = Get-Date ($AuditData.CreationTime) -format 'dd-MMM-yyyy HH:mm'
        User            = $AuditData.UserId
        Action          = $AuditData.Operation
        SiteURL         = $AuditData.ObjectId
        EventInfo       = $Action

    }
    $Report.Add($ReportLine)
}
$Report = $Report | Sort-Object {$_.TimeStamp -as [datetime]} -Descending
$Report | Out-GridView -Title "Restricted Content Discovery Audit Records"

A Natural Evolution

It’s natural and good that Microsoft should augment tenant administrator control over RCD with site-level control. Site administrators tend to understand better than anyone else what kind of content is stored in the sites that they manage, so they’re best positioned to make the decision whether Microsoft 365 Copilot should be allowed to use that content.

Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.