Control 4.1: SharePoint Information Access Governance (IAG) / Restricted Content Discovery

Overview

Control ID: 4.1
Control Name: SharePoint Information Access Governance (IAG) / Restricted Content Discovery
Regulatory Reference: GLBA 501(b), 504(b), SEC Reg S-P, FINRA 4511
Setup Time: 1-2 hours
License Requirement: SharePoint Advanced Management Plan 1


Purpose

Control which SharePoint sites and content can be accessed by Microsoft 365 Copilot and AI agents. This control prevents agents from discovering and surfacing sensitive content that users may have access to but should not be exposed through AI interactions.


Key Capabilities

Restrict Content from Microsoft 365 Copilot

Site-level setting that prevents Microsoft 365 Copilot from accessing site content, even if users have permissions.

Navigation: SharePoint Admin Center → Sites → Active sites → Select site → Settings tab

Options:

  • On: Microsoft 365 Copilot cannot access content from this site
  • Off: Microsoft 365 Copilot can access content per user permissions (default)

Restricted Site Access

Organization-level feature that limits site access to specific security groups.

Navigation: SharePoint Admin Center → Sites → Active sites → Select site → Settings tab → Restricted site access → Edit

Use cases:

  • Restrict sensitive sites to specific security groups
  • Prevent broad "Everyone except external users" access
  • Control agent access to confidential content

Restricted SharePoint Search (RSS) - Allow-List Approach

RCD vs RSS: Understanding the Difference

Restricted Content Discovery (RCD) is a block-list approach: specify sites to exclude from Copilot. Restricted SharePoint Search (RSS) is an allow-list approach: specify sites to include for Copilot (max 100 sites).

For FSI organizations deploying Microsoft 365 Copilot, RSS is often the preferred Zero Trust starting point because it limits exposure to only curated, reviewed sites.

Restricted SharePoint Search (RSS) limits Copilot to a curated list of up to 100 SharePoint sites. This is valuable when:

  • You want to review and approve each site before Copilot can access it
  • Your organization has significant oversharing concerns
  • You are rolling out Copilot in phases and want tight control
  • You prefer a Zero Trust model (deny by default, allow by exception)

Navigation: SharePoint Admin Center → Settings → Restricted SharePoint Search

Configuration:

| Setting | Description |
|---|---|
| Off (default) | Copilot can access all SharePoint content per user permissions |
| On | Copilot can ONLY access content from sites on the allow-list |

Key Constraints:

  • Maximum 100 sites in the allow-list
  • Organization-wide setting (affects all Copilot users)
  • Does not affect web search or Graph-connected content

PowerShell Configuration:

# Enable Restricted SharePoint Search (tenant-wide setting; requires an existing Connect-SPOService session)
Set-SPOTenantRestrictedSearchMode -Mode Enabled

# Add sites to the allow-list (maximum 100 sites in total)
Add-SPOTenantRestrictedSearchAllowedList -SitesList @(
    "https://yourtenant.sharepoint.com/sites/ApprovedSite1",
    "https://yourtenant.sharepoint.com/sites/ApprovedSite2"
)

# Get current RSS configuration: mode, then the allow-list contents
Get-SPOTenantRestrictedSearchMode
Get-SPOTenantRestrictedSearchAllowedList

FSI Recommendation:

| Scenario | Approach | Rationale |
|---|---|---|
| Initial Copilot deployment | Use RSS (allow-list) | Zero Trust - only expose reviewed sites |
| Mature deployment with good hygiene | Use RCD (block-list) | More scalable; exclude sensitive sites only |
| Hybrid approach | Start with RSS, transition to RCD | Phased rollout with increasing scope |

Source: Restricted SharePoint Search
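The allow-list is the control surface of RSS, so it should be driven from the reviewed site inventory rather than edited by hand. The script below is an added example, not code from the page or from Microsoft; it assumes an existing Connect-SPOService session, an inventory CSV with a single Url column at an assumed path, and that Get-SPOTenantRestrictedSearchAllowedList returns one entry per site URL. It enforces the 100-site cap, adds and removes sites to match the inventory, enables the mode only once the list is populated, and appends an evidence row.

```powershell
# Added example (not from the original page): reconcile the RSS allow-list with an approved-site inventory.
$InventoryPath = "C:\Governance\rss-approved-sites.csv"   # assumed path; one column named Url
$LogPath       = "C:\Governance\rss-reconcile-log.csv"    # assumed evidence file
$MaxAllowList  = 100                                       # product limit stated on the page

# Normalise the inventory: trim, drop trailing slashes, keep only SharePoint Online URLs, de-duplicate
$Approved = @(Import-Csv -Path $InventoryPath |
    ForEach-Object { $_.Url.Trim().TrimEnd('/') } |
    Where-Object { $_ -match '^https://[^/]+\.sharepoint\.com/' } |
    Sort-Object -Unique)

if ($Approved.Count -eq 0) { throw "Inventory is empty; refusing to enable RSS with no allowed sites." }
if ($Approved.Count -gt $MaxAllowList) {
    throw "Inventory lists $($Approved.Count) sites but RSS accepts at most $MaxAllowList; trim it first."
}

# Current allow-list. Assumption: the cmdlet returns one entry per site URL, so a string cast is safe.
$Current = @(Get-SPOTenantRestrictedSearchAllowedList | ForEach-Object { "$_".TrimEnd('/') })

$ToAdd    = @($Approved | Where-Object { $_ -notin $Current })
$ToRemove = @($Current  | Where-Object { $_ -notin $Approved })

if ($ToAdd.Count    -gt 0) { Add-SPOTenantRestrictedSearchAllowedList    -SitesList $ToAdd }
if ($ToRemove.Count -gt 0) { Remove-SPOTenantRestrictedSearchAllowedList -SitesList $ToRemove }

# Turn the mode on only after the list is populated, so Copilot never runs against an empty allow-list
if ("$(Get-SPOTenantRestrictedSearchMode)" -notmatch 'Enabled') {
    Set-SPOTenantRestrictedSearchMode -Mode Enabled
}

# Append an evidence row for the governance records (supports the FINRA 4511 audit trail)
[pscustomobject]@{
    Timestamp   = (Get-Date).ToString('s')
    Approved    = $Approved.Count
    Added       = $ToAdd.Count
    Removed     = $ToRemove.Count
    AddedUrls   = ($ToAdd -join ';')
    RemovedUrls = ($ToRemove -join ';')
} | Export-Csv -Path $LogPath -Append -NoTypeInformation
```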


Restricted Access Control (RAC) - Ethical Walls

FSI Critical: Information Barriers

Restricted Access Control (RAC) enables "ethical walls" or "Chinese Walls" required by many FSI regulations. This feature limits site access to specific security groups regardless of individual sharing permissions.

Restricted Access Control (RAC) is a SharePoint Advanced Management feature that:

  • Limits site access to members of specified security groups only
  • Acts as a blanket denial that supersedes previous sharing/access grants
  • Supports up to 10 security or M365 groups per site
  • Is ideal for enforcing information barriers between business units

FSI Use Cases:

| Scenario | Implementation |
|---|---|
| M&A Deal Rooms | Restrict to deal team members only; block all other employees |
| Investment Banking / Research | Separate IB and Research staff to prevent conflicts |
| Trading Desk Separation | Isolate proprietary trading from client-facing teams |
| Regulatory Examination | Restrict exam response sites to designated personnel |

Navigation: SharePoint Admin Center → Sites → Active sites → Select site → Settings tab → Restricted site access

PowerShell Configuration:

# Enable Restricted Access Control on a site (requires an existing Connect-SPOService session)
$SiteUrl = "https://yourtenant.sharepoint.com/sites/MandA-ProjectAlpha"
$SecurityGroupId = "00000000-0000-0000-0000-000000000000"  # Entra ID group object ID (placeholder)

# Enable RAC
Set-SPOSite -Identity $SiteUrl -RestrictedAccessControl $true

# Set the authorized security group (up to 10 groups allowed)
Set-SPOSite -Identity $SiteUrl -RestrictedAccessControlGroups $SecurityGroupId

# Or set several groups at once; this replaces the previous group list rather than appending to it
$GroupIds = @("group-id-1", "group-id-2", "group-id-3")  # placeholders for Entra ID group object IDs
Set-SPOSite -Identity $SiteUrl -RestrictedAccessControlGroups $GroupIds

# Verify configuration
Get-SPOSite -Identity $SiteUrl | Select-Object Url, RestrictedAccessControl, RestrictedAccessControlGroups

Key Constraints:

  • Maximum 10 security/M365 groups per site
  • Does not apply to site owners (they retain access)
  • Supersedes all existing sharing permissions
  • Requires SharePoint Advanced Management license
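Two of the constraints above are easy to get wrong in a deal-room setup: the 10-group limit, and the fact that site owners keep access regardless of the wall. The script below is an added example (not from the page or from Microsoft) that applies RAC from group display names, aborts on an ambiguous or missing group, enforces the limit, and lists the exempt site collection admins for the reviewer. It assumes Connect-SPOService and Connect-MgGraph -Scopes "Group.Read.All" sessions; the site URL and group names are constructed.

```powershell
# Added example (not from the original page): apply RAC to an M&A deal room by group name.
$SiteUrl    = "https://yourtenant.sharepoint.com/sites/MandA-ProjectAlpha"
$GroupNames = @("SG-DealTeam-Alpha", "SG-Legal-Alpha")   # constructed Entra group display names
$MaxGroups  = 10                                          # product limit stated on the page

# Resolve each display name to exactly one Entra object ID; a missing or ambiguous group must abort,
# otherwise a partial wall would silently leave the site open to the wrong population
$GroupIds = @(foreach ($Name in $GroupNames) {
    $Escaped = $Name.Replace("'", "''")   # escape for the OData filter
    $Found = @(Get-MgGroup -Filter "displayName eq '$Escaped'" -Property Id,DisplayName)
    if ($Found.Count -ne 1) {
        throw "Group '$Name' resolved to $($Found.Count) objects; fix the inventory before applying RAC."
    }
    $Found[0].Id
})

if ($GroupIds.Count -gt $MaxGroups) {
    throw "RAC supports at most $MaxGroups groups per site; $($GroupIds.Count) were requested."
}

# Enable the wall, then set the full authorised list in one call (replaces any previous list)
Set-SPOSite -Identity $SiteUrl -RestrictedAccessControl $true
Set-SPOSite -Identity $SiteUrl -RestrictedAccessControlGroups $GroupIds

# Site collection admins keep access regardless of RAC, so they belong in the wall's review scope
$ExemptAdmins = @(Get-SPOUser -Site $SiteUrl -Limit All | Where-Object { $_.IsSiteAdmin })

# Read the setting back and emit an evidence record for the deal-room file
$Site = Get-SPOSite -Identity $SiteUrl
[pscustomobject]@{
    Url           = $Site.Url
    RacEnabled    = $Site.RestrictedAccessControl
    AuthorisedIds = ($Site.RestrictedAccessControlGroups -join ';')
    ExemptAdmins  = ($ExemptAdmins.LoginName -join ';')
    CheckedAt     = (Get-Date).ToString('s')
} | Format-List
```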

Difference from RCD/RSS:

| Feature | Purpose | Scope |
|---|---|---|
| RCD | Block Copilot from accessing content | AI only |
| RSS | Allow-list sites for Copilot | AI only |
| RAC | Restrict ALL access to security groups | Users AND AI |

Source: Restricted Access Control


Prerequisites

Primary Owner Admin Role: SharePoint Admin
Supporting Roles: SharePoint Site Collection Admin

Licenses Required

| License | Purpose | Required For |
|---|---|---|
| SharePoint Advanced Management (SAM) | IAG features, oversharing reports, restricted content discovery | All governance levels |
| Microsoft 365 E5 | Advanced compliance, audit capabilities | Level 3-4 governance |
| Microsoft 365 Copilot | AI assistant integration with SharePoint | Copilot content restrictions |

Permissions Required

| Role | Scope | Purpose |
|---|---|---|
| SharePoint Administrator | Tenant-wide | Configure site-level IAG settings, run data access governance reports |
| Site Collection Administrator | Site-level | Manage site-specific access restrictions |
| Compliance Administrator | Tenant-wide | Review audit logs and compliance reports |
| Global Reader | Tenant-wide | View-only access to all IAG configurations |

Dependencies

| Dependency | Relationship | Notes |
|---|---|---|
| Control 1.3: SharePoint Content Governance | Prerequisite | Ensure base SharePoint permissions are configured |
| Control 1.5: DLP and Sensitivity Labels | Recommended | Labels can auto-trigger content restrictions |
| Control 4.2: Site Access Reviews | Recommended | Regular review of restricted sites |
| SharePoint Advanced Management | Required | Must be licensed and enabled for IAG features |

Pre-Setup Checklist

  • [ ] SharePoint Advanced Management license assigned to tenant
  • [ ] SharePoint Administrator role assigned to implementation team
  • [ ] Governance tier classification completed for all SharePoint sites
  • [ ] Sensitive site inventory documented
  • [ ] Governance committee approval obtained (Level 3-4)
  • [ ] Change management ticket created (Level 4)

Governance Levels

Baseline (Level 1)

| Requirement | Implementation |
|---|---|
| Identify sensitive sites | Audit sites containing regulated content (PII, financial, customer data) |
| Enable content restriction | Toggle "Restrict content from Microsoft 365 Copilot" = On for regulated/enterprise-managed sites |
| Document restricted sites | Maintain list of sites with Microsoft 365 Copilot restrictions enabled |

Implementation Steps:

  1. Navigate to SharePoint Admin Center
  2. Go to Sites → Active sites
  3. Select a site containing sensitive content
  4. Click Settings tab in the right panel
  5. Under "Restrict content from Microsoft 365 Copilot" select On
  6. Document the change in your governance records

| Requirement | Implementation |
|---|---|
| Governance-tier restriction policy | Enable restrictions for all regulated/enterprise-managed sites by default |
| Restricted site access | Configure site-level access restrictions for sensitive sites |
| Quarterly access reviews | Review restricted sites list quarterly |
| Oversharing assessment | Run oversharing assessment from Advanced management |

Additional Steps:

  1. Navigate to Advanced management → Overview
  2. Click Start assessment to run Microsoft 365 Copilot readiness assessment
  3. Review "Oversharing" results for sites with broad permissions
  4. For flagged sites, enable "Restrict content from Microsoft 365 Copilot"
  5. Configure Restricted site access for enterprise-managed sites requiring group-based access

Regulated/High-Risk (Level 4)

| Requirement | Implementation |
|---|---|
| Mandatory enterprise restriction | All regulated/enterprise-managed sites must have Copilot content restriction enabled |
| Admin-controlled access lists | Restricted site access with documented security groups |
| Immutable access logs | Audit all changes to restriction settings |
| Policy documentation | Formal policy requiring IAG for regulated content |

Additional Requirements:

  • Document all restricted sites in agent inventory
  • Require governance committee approval to disable restrictions
  • Archive configuration screenshots for audit evidence
  • Integrate restriction changes with change management process

Setup & Configuration

PowerShell Configuration

Prerequisites

# Install SharePoint Online Management Shell if not already installed
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser -Force

# Import the module
Import-Module Microsoft.Online.SharePoint.PowerShell

Connect to SharePoint Online

# Connect to SharePoint Online Admin Center
$AdminUrl = "https://yourtenant-admin.sharepoint.com"
Connect-SPOService -Url $AdminUrl

# Verify connection
Get-SPOTenant | Select-Object StorageQuota, ResourceQuota

Get Sites with Copilot Content Restrictions

# Get all sites and their Copilot restriction status.
# The bulk listing does not reliably populate every site property, so read each site by identity.
$AllSites = @(Get-SPOSite -Limit All | ForEach-Object { Get-SPOSite -Identity $_.Url })

# Filter sites with Copilot restrictions enabled
$RestrictedSites = @($AllSites | Where-Object { $_.RestrictContentOrgWideSearch -eq $true })

# Display restricted sites
$RestrictedSites | Select-Object Url, Title, RestrictContentOrgWideSearch | Format-Table -AutoSize

# Count restricted vs unrestricted
Write-Host "Total Sites: $($AllSites.Count)" -ForegroundColor Cyan
Write-Host "Restricted Sites: $($RestrictedSites.Count)" -ForegroundColor Yellow
Write-Host "Unrestricted Sites: $($AllSites.Count - $RestrictedSites.Count)" -ForegroundColor Green

Set Copilot Content Restrictions for a Site

# Enable Copilot content restriction for a specific site
$SiteUrl = "https://yourtenant.sharepoint.com/sites/FinanceConfidential"

# Restrict content from Microsoft 365 Copilot
Set-SPOSite -Identity $SiteUrl -RestrictContentOrgWideSearch $true

# Verify the setting
Get-SPOSite -Identity $SiteUrl | Select-Object Url, RestrictContentOrgWideSearch

# To disable restriction (use with caution)
# Set-SPOSite -Identity $SiteUrl -RestrictContentOrgWideSearch $false

Export IAG Configuration Report

# Export comprehensive IAG configuration report
$ReportDate = Get-Date -Format "yyyy-MM-dd"
$ReportPath = "C:\Reports\IAG-Configuration-$ReportDate.csv"
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null

# Read each site by identity so the governance properties are populated, then keep the reportable columns
$AllSites = @(Get-SPOSite -Limit All | ForEach-Object { Get-SPOSite -Identity $_.Url } | Select-Object `
    Url, `
    Title, `
    RestrictContentOrgWideSearch, `
    SharingCapability, `
    ConditionalAccessPolicy, `
    SensitivityLabel, `
    Owner, `
    LastContentModifiedDate)

$AllSites | Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host "IAG Configuration Report exported to: $ReportPath" -ForegroundColor Green
Write-Host "Total sites analyzed: $($AllSites.Count)" -ForegroundColor Cyan

Bulk Configure Sites by Zone

# Bulk enable Copilot restrictions for enterprise-managed sites
# Define enterprise-managed site URLs (from your governance inventory)
$EnterpriseSites = @(
    "https://yourtenant.sharepoint.com/sites/TradingData",
    "https://yourtenant.sharepoint.com/sites/CustomerPII",
    "https://yourtenant.sharepoint.com/sites/RegulatoryFilings",
    "https://yourtenant.sharepoint.com/sites/MergerAcquisition"
)

# Apply restrictions to all enterprise-managed sites
foreach ($SiteUrl in $EnterpriseSites) {
    try {
        Set-SPOSite -Identity $SiteUrl -RestrictContentOrgWideSearch $true
        Write-Host "Restricted: $SiteUrl" -ForegroundColor Green
    }
    catch {
        Write-Host "Failed to restrict: $SiteUrl - $($_.Exception.Message)" -ForegroundColor Red
    }
}

# Verify all enterprise-managed sites are restricted
Write-Host "`nVerification Report:" -ForegroundColor Cyan
foreach ($SiteUrl in $EnterpriseSites) {
    $Site = Get-SPOSite -Identity $SiteUrl
    $Status = if ($Site.RestrictContentOrgWideSearch) { "RESTRICTED" } else { "UNRESTRICTED" }
    Write-Host "$Status - $SiteUrl" -ForegroundColor $(if ($Status -eq "RESTRICTED") { "Green" } else { "Red" })
}

Configure Restricted Site Access

# Configure restricted site access (limits access to specific security groups)
$SiteUrl = "https://yourtenant.sharepoint.com/sites/FinanceConfidential"
$SecurityGroupId = "00000000-0000-0000-0000-000000000000"  # Replace with actual Entra ID group ID

# Enable restricted access
Set-SPOSite -Identity $SiteUrl -RestrictedAccessControl $true

# Add authorized security group
Set-SPOSite -Identity $SiteUrl -RestrictedAccessControlGroups $SecurityGroupId

# Verify configuration
Get-SPOSite -Identity $SiteUrl | Select-Object Url, RestrictedAccessControl, RestrictedAccessControlGroups

Step 1: Inventory Sensitive Sites

Run Data access governance reports to identify sites requiring restriction:

  1. Navigate to Reports → Data access governance
  2. View "Site permissions across your organization" report
  3. Identify sites with broad permissions (Everyone except external users)
  4. Cross-reference with enterprise-managed agent knowledge sources

Step 2: Enable Content Restrictions

For each identified site:

  1. Go to Sites → Active sites
  2. Select the site
  3. Open Settings tab
  4. Set "Restrict content from Microsoft 365 Copilot" to On
  5. If needed, configure "Restricted site access" for group-based access

Step 3: Document Configuration

Record in your governance system:

  • Site URL and name
  • Restriction setting enabled date
  • Reason for restriction
  • Approving authority
  • Review schedule

Step 4: Verify Effectiveness

Test that agents cannot access restricted content:

  1. Log in as a user with site access
  2. Ask Copilot a question that would require content from the restricted site
  3. Verify Copilot does not return content from the restricted site
  4. Document test results

Step 5: Establish Review Cycle

  • Quarterly: Review restricted sites list
  • On agent deployment: Verify knowledge sources are appropriately restricted
  • On regulatory change: Assess new restriction requirements

Financial Sector Considerations

Regulatory Mapping

| Regulation | Section | Requirement | IAG Implementation |
|---|---|---|---|
| GLBA | 501(b) | Safeguard customer NPI | Enable content restrictions on sites containing customer financial data |
| GLBA | 504(b) | Restrict disclosure to affiliates | Configure restricted site access for affiliate-sensitive content |
| SEC Reg S-P | Rule 30 | Protect customer records and information | Restrict Copilot access to customer records repositories |
| FINRA | Rule 4511 | Books and records requirements | Maintain audit trail of IAG configuration changes |
| FINRA | Rule 3110 | Supervision of associated persons | Document AI access restrictions in supervisory procedures |
| SOX | Section 302 | Internal controls over financial reporting | Restrict access to financial reporting sites |

Governance Tier IAG Configuration

| Tier | Classification | Copilot Content Restriction | Restricted Site Access | Review Frequency |
|---|---|---|---|---|
| Tier 1 | Public / General | Off (default) | Not required | Annual |
| Tier 2 | Internal / Confidential | Case-by-case | Recommended | Semi-annual |
| Tier 3 | Regulated / Sensitive | Always On | Required | Quarterly |
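The tier table only has value if drift from it is detected. The script below is an added example (not from the page or from Microsoft) that compares each inventoried site's live settings with the tier expectations above and writes a drift report for the review cycle. It assumes a Connect-SPOService session and an inventory CSV at an assumed path with Url and Tier columns, as kept under the documentation step; Tier 2 and the "not required" cells are treated as having no fixed requirement.

```powershell
# Added example (not from the original page): tier drift report for Copilot restriction and RAC settings.
$InventoryPath = "C:\Governance\site-tiers.csv"   # assumed path; columns: Url, Tier
$ReportPath    = "C:\Reports\IAG-TierDrift-$(Get-Date -Format 'yyyy-MM-dd').csv"
New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null

# Expected state per tier, taken from the table; $null means "no fixed requirement"
$TierPolicy = @{
    1 = @{ CopilotRestricted = $false; RacRequired = $null }
    2 = @{ CopilotRestricted = $null;  RacRequired = $null }
    3 = @{ CopilotRestricted = $true;  RacRequired = $true }
}

$Findings = foreach ($Row in Import-Csv -Path $InventoryPath) {
    $Tier = 0
    if (-not [int]::TryParse($Row.Tier, [ref]$Tier) -or -not $TierPolicy.ContainsKey($Tier)) {
        [pscustomobject]@{ Url = $Row.Url; Tier = $Row.Tier; Compliant = $false; Issues = 'Unknown tier in inventory' }
        continue
    }
    try {
        # Query by identity so the restriction properties are populated
        $Site = Get-SPOSite -Identity $Row.Url
    }
    catch {
        # A site that cannot be read is a finding in itself (deleted, renamed, or admin lacks rights)
        [pscustomobject]@{ Url = $Row.Url; Tier = $Tier; Compliant = $false; Issues = "Lookup failed: $($_.Exception.Message)" }
        continue
    }

    $Expected = $TierPolicy[$Tier]
    $Issues   = @()
    $Restricted = [bool]$Site.RestrictContentOrgWideSearch
    $Rac        = [bool]$Site.RestrictedAccessControl
    if ($null -ne $Expected.CopilotRestricted -and $Restricted -ne $Expected.CopilotRestricted) {
        $Issues += "Copilot restriction is $Restricted, tier requires $($Expected.CopilotRestricted)"
    }
    if ($null -ne $Expected.RacRequired -and $Rac -ne $Expected.RacRequired) {
        $Issues += "Restricted site access is $Rac, tier requires $($Expected.RacRequired)"
    }
    [pscustomobject]@{ Url = $Site.Url; Tier = $Tier; Compliant = ($Issues.Count -eq 0); Issues = ($Issues -join '; ') }
}

# Non-compliant sites to the console; the full report is the evidence artefact for the review cycle
$Findings | Where-Object { -not $_.Compliant } | Format-Table Url, Tier, Issues -AutoSize
$Findings | Export-Csv -Path $ReportPath -NoTypeInformation
```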

FSI Example: IAG Policy YAML

# FSI SharePoint IAG Configuration Policy
iag_policy:
  name: "FSI-SharePoint-IAG-Policy"
  description: "Information Access Governance policy for financial services"
  effective_date: "2025-01-01"

  zone_configurations:
    zone_1:
      copilot_content_restriction: false
      restricted_site_access: false
      review_frequency: "annual"
      approval_required: false

    zone_2:
      copilot_content_restriction: "case-by-case"
      restricted_site_access: "recommended"
      review_frequency: "semi-annual"
      approval_required: true
      approvers:
        - "site_owner"
        - "compliance_officer"

    zone_3:
      copilot_content_restriction: true
      restricted_site_access: true
      review_frequency: "quarterly"
      approval_required: true
      approvers:
        - "ai_governance_committee"
        - "compliance_officer"
        - "legal_counsel"
      retention_period: "6 years"

    zone_4:
      copilot_content_restriction: true
      restricted_site_access: true
      conditional_access_required: true
      review_frequency: "monthly"
      approval_required: true
      approvers:
        - "ciso"
        - "ai_governance_committee"
        - "regulatory_affairs"
      retention_period: "7 years"

  sensitive_site_categories:
    - name: "Customer PII"
      zone: 3
      regulations: ["GLBA", "SEC Reg S-P"]
      auto_restrict: true

    - name: "Trading Data"
      zone: 3
      regulations: ["FINRA 4511", "SEC 17a-4"]
      auto_restrict: true

    - name: "M&A Activities"
      zone: 4
      regulations: ["SEC Reg FD", "SOX"]
      auto_restrict: true

    - name: "Regulatory Filings"
      zone: 3
      regulations: ["SEC", "FINRA", "OCC"]
      auto_restrict: true

Regulatory Context

Primary Regulations: GLBA 501(b), 504(b), SEC Reg S-P, FINRA 4511

| Regulation | Requirement | How This Control Addresses |
|---|---|---|
| GLBA 501(b) | Protect customer NPI | Prevents AI from surfacing NPI from restricted sites |
| SEC Reg S-P | Safeguard customer information | Controls AI access to customer data |
| FINRA 4511 | Records integrity | Maintains governance over AI content access |

Zone-Specific Configuration

Zone 1 (Personal Productivity):

  • Apply a baseline minimum of SharePoint Information Access Governance (IAG) / Restricted Content Discovery controls that impact tenant-wide safety (where applicable), and document any exceptions for personal agents.
  • Avoid expanding scope beyond the user’s own data unless explicitly justified.
  • Rationale: reduces risk from personal use while keeping friction low; legal/compliance can tighten later.

Zone 2 (Team Collaboration):

  • Apply the control for shared agents and shared data sources; require an identified owner and an approval trail.
  • Validate configuration in a pilot environment before broader rollout; retain evidence (screenshots/exports/logs).
  • Rationale: shared agents increase blast radius; controls must be consistently applied and provable.

Zone 3 (Enterprise Managed):

  • Require the strictest configuration for SharePoint Information Access Governance (IAG) / Restricted Content Discovery controls and enforce it via policy where possible (not manual-only).
  • Treat changes as controlled (change ticket + documented testing); retain evidence (screenshots/exports/logs).
  • Rationale: enterprise agents handle the most sensitive content and are the highest audit/regulatory risk.

Verification & Testing

Test Procedure

  1. Navigate to SharePoint Admin Center → Sites → Active sites
  2. Select a regulated/enterprise-managed site and verify Settings panel opens
  3. Confirm "Restrict content from Microsoft 365 Copilot" setting is visible
  4. Verify setting is On for regulated sites
  5. Check "Restricted site access" status
  6. Test by asking Copilot about content from a restricted site

Expected Results:

  • [ ] Settings panel shows Copilot restriction toggle
  • [ ] Regulated/enterprise-managed sites have restriction set to On
  • [ ] Copilot does not surface content from restricted sites
  • [ ] Audit logs capture setting changes

Verification Evidence

| Evidence Type | Location | Retention |
|---|---|---|
| Configuration screenshot | Site Settings panel | 1 year |
| Restricted sites list | Governance documentation | 6 years |
| Setting change audit | Unified Audit Log | Per retention policy |

Troubleshooting & Validation

Common Issues and Solutions

| Issue | Symptoms | Root Cause | Solution |
|---|---|---|---|
| Content restriction not working | Copilot still returns content from restricted sites | Setting not propagated or cached | Wait 24-48 hours for propagation; clear Copilot cache; verify setting via PowerShell |
| Cannot enable restriction | "Restrict content" option grayed out | Missing SharePoint Advanced Management license | Verify SAM license is assigned to tenant; contact Microsoft support |
| Audit logs missing | Configuration changes not appearing in audit log | Unified Audit Log not enabled | Enable Unified Audit Log in Purview compliance portal |
| PowerShell connection fails | Connect-SPOService returns authentication error | Expired credentials or MFA required | Use modern authentication; ensure admin account has MFA configured |
| Bulk update failures | Some sites fail during bulk restriction update | Insufficient permissions or site-level overrides | Verify Site Collection Admin rights; check for site-level policies |

Diagnostic Commands

# Verify the SharePoint Advanced Management license is present in the tenant.
# Get-SPOTenant does not expose licensing; check the subscribed SKUs through Microsoft Graph
# (Connect-MgGraph -Scopes "Organization.Read.All") or in the Microsoft 365 admin center under Billing > Licenses.
Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -like "*SharePoint*" } | Select-Object SkuPartNumber, ConsumedUnits

# Check site-specific IAG status
$SiteUrl = "https://yourtenant.sharepoint.com/sites/TestSite"
Get-SPOSite -Identity $SiteUrl | Select-Object Url, RestrictContentOrgWideSearch, RestrictedAccessControl, SensitivityLabel

# Review recent IAG audit events (Unified Audit Log is queried through Exchange Online PowerShell; run Connect-ExchangeOnline first)
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations "SiteRestrictedFromOrgSearch" -ResultSize 100

Escalation Path

  1. Level 1: SharePoint Administrator - Basic configuration issues
  2. Level 2: Microsoft 365 Admin - License and tenant-level settings
  3. Level 3: Microsoft Support - Product bugs or feature limitations
  4. Level 4: AI Governance Committee - Policy exceptions

Additional Resources

| Control | Relationship |
|---|---|
| 1.3 SharePoint Governance | Broader SharePoint security settings |
| 1.5 DLP and Sensitivity Labels | Labels can trigger access restrictions |
| 1.14 Data Minimization | Limit agent data access scope |
| 2.3 Agent Auditing and Monitoring | Monitor IAG configuration changes |
| 4.2 Site Access Reviews | Reviews for restricted sites |
| 4.3 Oversharing Detection | Identify sites needing IAG restrictions |
| 4.4 Guest Access Controls | External sharing settings work with IAG |

Support & Questions

For implementation support or questions about this control, contact:

  • SharePoint Administrator: Technical configuration
  • AI Governance Lead: Policy decisions
  • Compliance Officer: Regulatory requirements

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification