Table of Contents
Use the BlockContentAnalysisServices Setting to Stop Microsoft 365 Copilot and Other Connected Services Accessing Office File Content
Message center notification MC1297982 (May 5, 2026) announces that “Microsoft is updating an existing sensitivity label setting that controls whether certain connected experiences can analyze file content. This change extends support of this label setting to additional platforms and extends coverage of the label setting to include all connected experiences that analyze content in Word, Excel, and PowerPoint, rather than a subset of these experiences.”
The announcement then goes on to discuss a “sensitivity label configured with “Prevent some connected experiences that analyze content.” Sounds good, but don’t be disappointed if you cannot find such a setting in the Microsoft Purview portal interface for configuring sensitivity labels. The description in the message center post lacks clarity, including telling readers how to find and manage the sensitivity label setting.
The Setting to Block Access to File Content
In any case, the setting is an “advanced setting” to prevent Microsoft 365 Copilot and other services from processing the file content. As an advanced setting, it can only be configured through PowerShell. The Purview portal UI for creating or editing a sensitivity label (Figure 1) offers many options but contains no trace of advanced settings.
In this case, the BlockContentAnalysisServices setting first appeared in mid-2024 as a solution to mark individual documents that Microsoft 365 Copilot should not process. It would have been nice if MC1297982 mentioned this small but important detail. An example of updating a sensitivity label to block connected experiences is:
Set-Label -Identity 'Market Sensitive' -Settings @{BlockContentAnalysisServices ="true"}
(in passing, let me note that the Set-Label cmdlet can use either the Settings or AdvancedSettings parameter to update a setting. Both have the same result – they update the Settings property for a sensitivity label.)
By blocking Word, Excel, and PowerPoint from sending content for processing by Microsoft Content Services, Microsoft 365 Copilot cannot access that content. The change now being made is to expand the set of connected experiences which will be blocked by files assigned a sensitivity label with the setting enabled. The change seems reasonable because it ensures that the block works everywhere instead of with selected services.
The downside that other services which depend on being able to access content, such as the client-side checks for potential DLP rule violations (but only for Outlook classic), suggested replies in Outlook, and text predictions in Outlook and Word, also stop working. If you look through the set of connected experience used in Microsoft 365, you can appreciate just how much use clients make of service resources to power functionality.
Reviewing Sensitivity Label Settings
MC1297982 recommends that tenants review the settings of sensitivity labels that block access to connected experiences to ensure that they’re doing the right thing. Without UX in the Purview portal, finding the relevant sensitivity labels must also be done with PowerShell.
This code connects to the Security and Compliance endpoint and calls the Get-Label cmdlet to find the set of labels with BlockContentAnalysisServices configured as true:
Connect-ExchangeOnline
Connect-IPPSSession -EnableSearchOnlySession
Get-Label | Where-Object { $_.Settings -match '^\[blockcontentanalysisservices,\s*True\]$' } | Select-Object DisplayName, ImmutableId, Priority | Sort-Object Priority
DisplayName ImmutableId Priority
----------- ----------- --------
Market Sensitive f3b23fed-2839-4270-9b35-1d634c84b2e9 27
Personally Identifiable Information (PII) a4744c58-5077-4005-ac40-c16e9c007cc5 30
The code to match the setting value is a little funky because of the way that the Get-Label cmdlet outputs the label settings in a string array rather than a hash table. PowerShell is very flexible, and there are usually several ways to extract information. I take a different approach in the script I wrote to generate a report of sensitivity labels and their settings, but the code shown above is a quick way to find the set of labels to check.
Individual Blocks are Highly Valuable
The best way to think about the BlockContentAnalysisServices setting is that it’s a way to protect the content of highly sensitive files. Files protected by sensitivity labels that block content services can still be found (because they are indexed), but Copilot cannot extract their content for processing. For instance, the automatic document summary feature doesn’t work and the Copilot option is disabled for these files. SharePoint Online’s Restricted Content Discovery (RCD) feature blocks AI access for complete sites, and it’s preferable to hold critical information in those sites. However, sensitive information isn’t always neatly collected into sites, and that’s why having a method to block access at the file level is so valuable.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.