Control 4.1: SharePoint Information Access Governance (IAG) - Portal Walkthrough

This playbook provides portal configuration guidance for Control 4.1.

Prerequisites

SharePoint Admin role assigned
Access to SharePoint Admin Center
SharePoint Advanced Management Plan 1 license assigned to tenant
Governance tier classification completed for all SharePoint sites
Sensitive site inventory documented

Step-by-Step Configuration

Step 1: Inventory Sensitive Sites

Run Data access governance reports to identify sites requiring restriction:

Navigate to SharePoint Admin Center (https://admin.sharepoint.com)
Go to Reports > Data access governance
View "Site permissions across your organization" report
Identify sites with broad permissions (Everyone except external users)
Cross-reference with enterprise-managed agent knowledge sources

Step 2: Enable Restricted Content Discovery (RCD) for Sensitive Sites

For each identified site:

Go to Sites > Active sites
Select the site containing sensitive content
Open Settings tab in the right panel
Locate "Restrict content from Microsoft 365 Copilot"
Set the toggle to On
Document the change in your governance records

Reindexing Latency

Enabling Restricted Content Discovery triggers a site reindexing process. Full reindex completion can take 24-72 hours depending on site size. Information barriers and sensitivity label-based access restrictions will not take effect until reindexing completes. Plan for this delay in your rollout schedule. See Control 4.1 for details.

Repeat for all regulated/enterprise-managed sites.

Step 3: Configure Restricted SharePoint Search (RSS) - Allow-List Approach

For organizations preferring Zero Trust (allow-list approach):

Navigate to SharePoint Admin Center > Settings > Restricted SharePoint Search
Toggle Restricted SharePoint Search to On
Click Add sites to build your allow-list
Add up to 100 sites that Copilot may access
Save changes

Key Constraints: - Maximum 100 sites in the allow-list - Organization-wide setting (affects all Copilot users) - Does not affect web search or Graph-connected content

Step 4: Configure Restricted Access Control (RAC) for Ethical Walls

For sites requiring information barriers (M&A deal rooms, trading desks):

Navigate to Sites > Active sites
Select the site requiring ethical walls
Open Settings tab
Click Restricted site access > Edit
Enable restricted access
Add authorized security groups (up to 10 groups)
Save changes

FSI Use Cases for RAC: - M&A Deal Rooms - Restrict to deal team members only - Investment Banking / Research separation - Trading Desk isolation - Regulatory examination sites

Step 5: Document Configuration

Record in your governance system:

Site URL and name
Restriction setting enabled date
Reason for restriction
Approving authority
Review schedule

Step 6: Establish Review Cycle

Quarterly: Review restricted sites list
On agent deployment: Verify knowledge sources are appropriately restricted
On regulatory change: Assess new restriction requirements

Configuration by Governance Level

Setting	Baseline	Recommended	Regulated
RCD for sensitive sites	Case-by-case	Zone 2+ sites	All Zone 3 sites
Restricted site access (RAC)	Not required	Recommended	Required
Review frequency	Annual	Semi-annual	Quarterly
Approval required	No	Yes	Governance committee

RCD vs RSS: Choosing the Right Approach

Approach	Use Case	When to Use
Restricted Content Discovery (RCD)	Block-list: exclude specific sites	Mature deployment, good hygiene
Restricted SharePoint Search (RSS)	Allow-list: include only approved sites	Initial Copilot deployment, Zero Trust
Hybrid	Start with RSS, transition to RCD	Phased rollout

Validation

After completing these steps, verify:

RCD enabled for all regulated/enterprise-managed sites
RSS configured (if using allow-list approach)
RAC configured for information barrier sites
Copilot does not return content from restricted sites (test with authorized user)
Audit logs capture setting changes

Back to Control 4.1 | PowerShell Setup | Verification Testing | Troubleshooting

Updated: January 2026 | Version: v1.2