Control 4.7: Microsoft 365 Copilot Data Governance - Troubleshooting
This playbook provides troubleshooting guidance for Control 4.7.
Common Issues and Solutions
Issue: Copilot Returning Content from Excluded Site
Symptoms: User sees content from site with RCD enabled
Resolution:
- Verify RCD setting on the site:
# Replace 'tenant' and 'SiteName' with your actual tenant name and site name Get-SPOSite -Identity "https://tenant.sharepoint.com/sites/SiteName" | Select-Object Url, RestrictContentOrgWideSearch - Allow 24 hours for index propagation
- Check if content exists in multiple locations
- Verify user doesn't have direct access bypassing RCD
- Contact Microsoft support if persistent
Issue: Plugin Not Available After Approval
Symptoms: Approved plugin not appearing for users
Resolution:
- Verify plugin is enabled in Admin Center
- Check user has required license
- Verify plugin assignment (all users vs. specific groups)
- Clear browser cache and retry
- Check for Conditional Access policies blocking plugin
Issue: Usage Analytics Not Showing Data
Symptoms: Copilot usage reports empty or incomplete
Resolution:
- Verify users have M365 Copilot licenses
- Allow 48-72 hours for data population
- Check reporting permissions for admin account
- Verify no data export restrictions
- Review Microsoft 365 service health
Issue: Sensitivity Labels Not Respected
Symptoms: Copilot surfaces content despite sensitivity labels
Resolution:
- Verify label includes Copilot restrictions
- Check label policy assignment to users
- Verify label is applied to content (not just site)
- Review DLP policy enforcement
- Contact Purview support if needed
Diagnostic Commands
# Check site exclusion status
# Replace 'tenant' and 'SiteName' with your actual tenant name and site name
Get-SPOSite -Identity "https://tenant.sharepoint.com/sites/SiteName" |
Select-Object Url, RestrictContentOrgWideSearch, SensitivityLabel
# Verify Graph Connector status
Get-MgExternalConnection | ForEach-Object {
Write-Host "$($_.Name): $($_.State)"
}
# Count excluded vs included sites
$sites = Get-SPOSite -Limit All | Where-Object { $_.Template -notlike "*SPSPERS*" }
$excluded = ($sites | Where-Object { $_.RestrictContentOrgWideSearch -eq $true }).Count
$included = ($sites | Where-Object { $_.RestrictContentOrgWideSearch -ne $true }).Count
Write-Host "Excluded: $excluded | Included: $included"
Escalation Path
| Issue Severity | Escalation Path | SLA |
|---|---|---|
| Content surfacing from excluded site | AI Governance Lead > Security > Microsoft Support | Same day |
| Plugin access issues | IT Admin > Microsoft Support | 2 business days |
| Usage analytics gaps | M365 Admin > Microsoft Support | 2 business days |
| Sensitivity label issues | Purview Admin > Microsoft Support | 1 business day |
Prevention Best Practices
- Document all exclusion decisions with business justification
- Test exclusions before announcing Copilot availability
- Publish acceptable use policy before rollout
- Train users on appropriate use and limitations
- Monitor usage patterns for anomalies
- Review plugin inventory quarterly
- Establish output review processes before enabling for external communications
Related Resources
- Microsoft 365 Copilot overview
- Microsoft 365 Copilot data, privacy, and security
- Manage Microsoft 365 Copilot
- Restricted Content Discovery
Back to Control 4.7 | Portal Walkthrough | PowerShell Setup | Verification Testing
Updated: January 2026 | Version: v1.2