SharePoint and OneDrive Copilot Settings
Learn to configure SharePoint and OneDrive Copilot settings for government environments. This video covers Restricted Access Control policies, Restricted Content Discovery, and site-level controls to govern what Copilot can access and surface in responses.
Overview
Microsoft 365 Copilot accesses content based on user permissions. That’s the foundation. But in government environments, you need more than permission inheritance—you need targeted controls to prevent Copilot from accessing overshared sites, surfacing sensitive content, or grounding responses in outdated information.
SharePoint Advanced Management provides Copilot-specific governance capabilities designed for exactly these scenarios. This video walks through the key controls: Restricted Access Control policies, Restricted Content Discovery, and OneDrive access restrictions. You’ll learn what each control does, when to use it, and how to configure it in your GCC, GCC High, or DoD tenant.
What You’ll Learn
- Permission Governance Basics: How Copilot access works and why permission hygiene is critical
- Restricted Access Control: Limit site access to specific security groups to isolate sensitive content
- Restricted Content Discovery: Flag sites to prevent Copilot from surfacing them in responses
- OneDrive Controls: Apply access restrictions to OneDrive for targeted user groups
- Rollout Checklist: Pre-deployment steps for SharePoint Copilot governance
Script
Hook: Copilot sees what users see—unless you configure otherwise
Copilot respects SharePoint permissions. That’s true, and it’s important.
But here’s what that actually means in practice. If your users can access a site, Copilot can access it too. If you have overshared sites, stale permissions, or forgotten content scattered across SharePoint, Copilot will surface it. And in government environments, that becomes a compliance problem fast.
The good news is SharePoint Advanced Management gives you targeted controls to govern what Copilot sees. This video shows you what those controls are and how to configure them.
The core principle: permissions determine access
Let’s start with the foundation.
Copilot can only access content that users can already access. It respects your existing SharePoint permissions, sensitivity labels, and data loss prevention policies. This is by design. It’s part of how Copilot operates inside the Microsoft 365 security boundary.
But here’s the implication. If you have permission hygiene problems—sites with “Everyone except external users” access, stale group memberships, or shared links that never expire—those problems become Copilot problems the moment users start querying their data.
That’s why SharePoint Advanced Management provides Copilot-specific controls. These controls give you additional layers of governance beyond basic permissions. They let you isolate sensitive sites, exclude content from discovery, and restrict access by security group.
One note on licensing. To use these controls, your organization needs either a Microsoft 365 Copilot license with at least one user assigned, or a standalone SharePoint Advanced Management license.
Now let’s look at what you can actually do.
Restricted Access Control policy
The first control is Restricted Access Control. This policy lets you limit site access to specific security groups.
Here’s what that means. You can configure a policy so that only users in designated security groups can access a site or OneDrive—even if they had prior permissions or were given a shared link.
The configuration path is: SharePoint admin center, Policies, Access control, then Site access restriction. You enable the policy, specify your security groups—up to ten per policy—and apply it to the sites you want to protect.
When you do this, users who aren’t in those groups simply can’t access the content. Copilot can’t access it either, because Copilot operates with the user’s permissions.
This is powerful for government scenarios. Let’s say you have sites containing classified information, controlled unclassified information, or active investigations. You can restrict those sites to a specific security group before you enable Copilot for your broader user population.
The policy works for both SharePoint sites and OneDrive. That’s important if you have contractors, temporary staff, or cross-agency collaborators who shouldn’t have broad access.
Restricted Content Discovery policy
The second control is Restricted Content Discovery.
This one works differently. It doesn’t block access. What it does is flag sites so that Copilot won’t surface them in responses or org-wide search results.
Users with direct permissions can still access the content if they navigate to it. But Copilot won’t use it to ground answers. It won’t show it in search. It won’t suggest it in prompts.
Why would you use this?
One scenario: you’re running a pilot in a specific department. You don’t want Copilot surfacing pilot content to users outside that group. Flag the pilot sites with restricted content discovery.
Another scenario: you have merger and acquisition planning content, HR investigations, or legacy project folders that are technically accessible but shouldn’t be broadly discoverable. Flag those sites.
Or maybe you have outdated documentation that you haven’t archived yet. You don’t want Copilot pulling from stale content. Flag it.
This control is about reducing noise and accidental exposure. It’s a governance layer on top of permissions.
OneDrive-specific considerations
OneDrive works the same way. You can apply site access restriction to individual OneDrive accounts.
The use case here is often about role-based scoping. Let’s say you have contractors who need OneDrive for their work files, but you don’t want them having broad access to organizational content. You can limit OneDrive access to a specific security group.
The configuration is: SharePoint admin center, Policies, Access control, OneDrive access restriction. Same pattern as site access restriction, just scoped to OneDrive.
This is useful when you’re doing phased Copilot rollouts. You might enable Copilot for full-time employees first and hold contractors or temporary staff in a separate group with tighter access boundaries.
Close: layered governance in practice
So here’s your checklist before Copilot rollout.
First, audit your site sharing settings and remediate oversharing. Go after “Everyone except external users” access and stale shared links. That’s not optional—it’s foundational.
Second, identify your sensitive sites. Apply restricted access control to sites containing classified information, CUI, active investigations, or HR-sensitive content.
Third, flag sites that shouldn’t be discoverable. Pilot sites, outdated content, merger planning—anything where accidental exposure creates risk.
Fourth, consider OneDrive access restrictions for contractors or role-based scoping.
And finally, document all of this in your ATO package and governance artifacts. Auditors want to see that you’ve thought through data access before you enabled AI capabilities.
These controls don’t replace permission hygiene. They augment it. Use them to create defense in depth for Copilot in government environments.
That’s how you configure SharePoint and OneDrive Copilot settings. Thanks for watching.
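The three controls covered in this script (site access restriction, OneDrive access restriction, and Restricted Content Discovery) can also be applied from the SharePoint Online Management Shell rather than the admin center. The following PowerShell is an added example, not part of the original video script; the function name Invoke-CopilotGovernancePlan, the plan layout, the URLs and the group object IDs are hypothetical placeholders.

```powershell
# Added example, not from the video. Assumes the SharePoint Online Management
# Shell is loaded and Connect-SPOService has been run as a SharePoint admin.
# One-time tenant prerequisite for restricted access control:
#   Set-SPOTenant -EnableRestrictedAccessControl $true
# URLs and group object IDs below are placeholders.
$plan = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.us/sites/investigations'
                       Control = 'RAC'; Groups = @('00000000-0000-0000-0000-000000000001') }
    [pscustomobject]@{ Url = 'https://contoso-my.sharepoint.us/personal/contractor1_contoso_us'
                       Control = 'RAC'; Groups = @('00000000-0000-0000-0000-000000000002') }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.us/sites/copilot-pilot'
                       Control = 'RCD'; Groups = @() }
)

function Invoke-CopilotGovernancePlan {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][object[]]$Plan)

    foreach ($item in $Plan) {
        if ($item.Control -eq 'RAC') {
            # Per the script above, a policy takes up to ten security groups
            $count = @($item.Groups).Count
            if ($count -lt 1 -or $count -gt 10) {
                Write-Warning "$($item.Url): expected 1-10 groups, got $count; skipped"
                continue
            }
            if ($PSCmdlet.ShouldProcess($item.Url, 'Restrict access to listed groups')) {
                Set-SPOSite -Identity $item.Url -RestrictedAccessControl $true
                Set-SPOSite -Identity $item.Url -AddRestrictedAccessControlGroups $item.Groups
            }
        }
        elseif ($item.Control -eq 'RCD') {
            if ($PSCmdlet.ShouldProcess($item.Url, 'Hide from Copilot and org-wide search')) {
                Set-SPOSite -Identity $item.Url -RestrictContentOrgWideSearch $true
            }
        }
        else {
            Write-Warning "$($item.Url): unknown control '$($item.Control)'; skipped"
            continue
        }
        # Read the settings back so the output can be kept as governance evidence
        Get-SPOSite -Identity $item.Url |
            Select-Object Url, RestrictedAccessControl, RestrictedAccessControlGroups,
                          RestrictContentOrgWideSearch
    }
}

# Dry run first; remove -WhatIf to apply the plan
Invoke-CopilotGovernancePlan -Plan $plan -WhatIf
```

The read-back rows give a per-site record of which control is active, which can be attached to the governance artifacts mentioned in the checklist.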