
Control 1.3: Restricted SharePoint Search Configuration

Control ID: 1.3
Pillar: Readiness & Assessment
Regulatory Reference: GLBA 501(b), FFIEC IT Handbook (Information Security Booklet), Data Minimization Principles
Last Verified: 2026-02-17
Governance Levels: Baseline / Recommended / Regulated


Objective

Configure Restricted SharePoint Search (RSS) to limit the scope of content that Microsoft 365 Copilot can discover and use for grounding responses, implementing a curated allow-list approach that restricts Copilot's search to approved SharePoint sites rather than permitting full tenant-wide search. This control supports compliance with data minimization principles and helps prevent Copilot from accessing content on sites that have not been reviewed for data hygiene and appropriate permissions.


Why This Matters for FSI

  • GLBA 501(b): Data minimization is a core principle of information security programs required under GLBA. Restricting Copilot's search scope to vetted sites reduces the surface area for potential unauthorized disclosure of customer financial information. Per GLBA Section 501(b), least-privilege data access for AI tools directly supports the safeguard requirements for customer information — both RSS and RCD give institutions mechanisms to limit what Copilot can discover.
  • FFIEC IT Handbook (Information Security): The principle of least privilege extends to AI tools. RSS and RCD together implement least privilege at the search scope level, limiting Copilot to only the content it needs to function effectively.
  • SEC Regulation S-P: Limiting the scope of AI-accessible data supports technical safeguards for consumer financial information by reducing the number of data sources Copilot can query.
  • Data Minimization (NIST Privacy Framework): RSS directly implements data minimization by constraining the universe of content available to Copilot, aligning with NIST Privacy Framework Function: Data Processing, Category: Data Minimization. RCD provides complementary site-level data minimization without requiring a tenant-wide allow-list posture.
  • Information Barrier Support: For institutions with regulatory information barriers (e.g., between investment banking and research), RSS and RCD provide complementary control layers beyond user-level permissions. RSS excludes entire site categories from Copilot; RCD surgically excludes specific high-risk sites.

Control Description

Restricted SharePoint Search (RSS) is a tenant-level setting in SharePoint Online that changes Copilot's default behavior from searching all SharePoint sites a user can access to searching only sites on an approved allow-list.

| Aspect | Full Tenant Search (Default) | Restricted SharePoint Search |
|---|---|---|
| Copilot search scope | All SharePoint sites the user has permission to access | Only sites on the curated allow-list (up to 100 sites) |
| Default behavior | Opt-out (all sites included unless specifically excluded) | Opt-in (no sites included unless specifically added) |
| Management model | Must identify and exclude problematic sites | Must identify and include approved sites |
| Risk profile | Higher -- unknown content may be surfaced | Lower -- only reviewed content is in scope |
| Site limit | No limit | 100 sites maximum on the allow-list |
| User direct access | Unchanged -- users can still navigate to any site they have permission for | Unchanged -- RSS only affects Copilot search, not direct access |

Key Architectural Detail

RSS affects Copilot's grounding search scope only. It does not change:

  • User permissions (users can still directly access any site they have permission for)
  • SharePoint search results when users search directly in SharePoint
  • OneDrive content accessibility
  • Exchange, Teams, or other workload content accessibility

RSS is specifically designed for the scenario where an organization wants to enable Copilot but has not yet completed full data hygiene remediation across all SharePoint sites.

The 100-Site Governance Limit

RSS supports a maximum of 100 SharePoint sites on the allow-list. This creates a governance decision:

| Organization Size | Approach | Considerations |
|---|---|---|
| Small (<100 active sites) | Add all reviewed sites to RSS allow-list | May be able to include all relevant sites within the limit |
| Medium (100-500 active sites) | Prioritize high-value, low-risk sites | Must make governance decisions about which sites to include |
| Large (500+ active sites) | Use RSS as transitional control only | Plan migration to site-level controls and full tenant search as remediation progresses |

RSS and Restricted Content Discovery: Complementary Tools

Restricted SharePoint Search (RSS) and Restricted Content Discovery (RCD) are two complementary SharePoint Advanced Management tools that address different aspects of Copilot scope governance. Organizations may use both tools simultaneously.

| Feature | RSS (Restricted SharePoint Search) | RCD (Restricted Content Discovery) |
|---|---|---|
| Scope | Tenant-wide allow-list of sites visible to Copilot | Per-site opt-out from Copilot content discovery |
| Configuration | Set-SPOTenantRestrictedSearchMode -Mode Enabled, plus an allow-list populated with Add-SPOTenantRestrictedSearchAllowedList | Set-SPOSite -RestrictContentOrgWideSearch $true per site |
| Use case | Strict positive-list: only approved sites are searchable by Copilot | Surgical exclusion: remove specific sensitive sites from Copilot discovery |
| User impact | Only allow-listed sites appear in Copilot results | Excluded sites invisible to Copilot but directly accessible to users with permissions |
| Admin effort | Higher (must maintain allow-list as sites are created) | Lower (opt-out specific sites as needed) |
| Recommended for | Regulated tier (maximum control) | Baseline/Recommended tier (targeted exclusion) |

Organizations may use both tools simultaneously — RSS to establish a tenant-wide positive-list of Copilot-eligible sites, and RCD to surgically exclude specific sites within that list that contain sensitive content not yet fully remediated.

SAM Licensing Note

Both RSS and RCD are SharePoint Advanced Management (SAM) features. SAM is included with Microsoft 365 Copilot licenses at no additional cost, enabling SharePoint administrators to deploy these governance capabilities without a separate purchase. Organizations managing SharePoint governance without Copilot licenses require the standalone SAM add-on to access RSS and RCD.

When to Use RSS vs. RCD vs. Both

| Scenario | Recommended Approach |
|---|---|
| Initial Copilot deployment, data hygiene not yet complete | RSS — restrict to known-good sites during remediation |
| Ongoing operations with mature data hygiene | RCD — use per-site opt-out to exclude specific sensitive sites from Copilot |
| Very large tenants (1000+ sites) | RCD — RSS 100-site limit is insufficient for coverage at scale |
| Regulatory requirement for explicit allow-listing | RSS — provides the strictest default-deny posture |
| Phased rollout by department | RSS per phase — add department sites as each phase deploys |
| Sites with known sensitive content that can't yet be remediated | RCD — surgically exclude those sites from Copilot without disrupting access |
| Defense-in-depth for regulated data | RSS + RCD — use RSS as the primary allow-list posture with RCD for additional surgical exclusions |

RSS Transition Planning

RSS is typically a transitional control. Organizations should plan the transition:

Phase 1: RSS Enabled (Months 1-3)
├── Copilot search limited to 50-100 curated sites
├── Parallel: Remediate oversharing on remaining sites
└── Monitor: Track Copilot usage patterns on allowed sites

Phase 2: Expanded RSS (Months 4-6)
├── Rotate sites on allow-list as remediation completes
├── Parallel: Continue remediation, implement site-level controls
└── Evaluate: Assess readiness for full tenant search

Phase 3: Full Tenant Search (Month 7+)
├── Disable RSS, enable full tenant search
├── Apply Restricted Content Discovery (RCD) to specific excluded sites
└── Ongoing: Monitor via DSPM for AI, maintain site-level controls

Copilot Surface Coverage

| Copilot Surface | Affected by RSS | Notes |
|---|---|---|
| Microsoft 365 Copilot Chat | Yes | RSS restricts SharePoint content in Copilot Chat grounding |
| SharePoint Copilot | Yes | Directly governed by RSS site allow-list |
| Word / Excel / PowerPoint | Partially | RSS affects "Reference" and "Draft from" features that pull from SharePoint |
| Teams Copilot | Partially | Affects SharePoint-backed file content in Teams channels |
| Outlook Copilot | No | RSS does not affect Exchange content |
| OneDrive Copilot | No | RSS does not affect OneDrive content |
| Copilot Pages | Partially | RSS affects SharePoint content used to generate Pages |
| Loop Copilot | Partially | RSS affects SharePoint content referenced in Loop components |
| Viva Copilot | Partially | RSS affects SharePoint content used in Viva surfaces |

Governance Levels

| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Evaluate both RSS and RCD for initial deployment. As a simpler starting point, enable RCD to surgically exclude known high-risk sites from Copilot discovery. If deploying RSS, define site selection criteria and add minimum 10 high-value sites. Document configuration and site selection rationale. | RCD provides targeted exclusion with lower administrative overhead — a viable Baseline approach for organizations with identifiable sensitive sites that need immediate exclusion. RSS adds a broader positive-list posture when needed. |
| Recommended | Enable RSS for initial Copilot deployment. Curate allow-list of 50-100 sites based on data hygiene assessment results. Apply RCD to specific high-risk sites not yet remediated for additional protection. Establish site nomination and approval process. Define transition plan to full tenant search. Review allow-list monthly. | Combines RSS's positive-list approach with RCD's surgical exclusion for defense-in-depth Copilot scope governance. The combination provides coverage as remediation progresses. |
| Regulated | Enable RSS with formal site vetting process. Each site on allow-list must pass data hygiene checklist (permissions reviewed, labels applied, stale content archived). Apply RCD to any site with sensitive content that doesn't fully meet the vetting checklist as a supplementary control. Document site vetting results. Maintain allow-list change log and RCD configuration log. Review allow-list bi-weekly. Establish formal transition criteria with compliance sign-off before moving to full tenant search. | Provides examination-ready governance of Copilot search scope with documented vetting processes. Using RSS as the primary posture with RCD as supplementary exclusion provides the strictest possible scope control, supporting GLBA and FFIEC least-privilege expectations. |

Setup & Configuration

Step 1: Enable Restricted SharePoint Search (RSS)

Navigate to SharePoint Admin Center > Settings > Search > Restricted SharePoint Search or use PowerShell:

# PowerShell reference (see Playbook 1.3.2 for full walkthrough):
# Set-SPOTenantRestrictedSearchMode -Mode Enabled

Step 1b: Enable Restricted Content Discovery (RCD) for Specific Sites

RCD can be enabled independently of RSS (or alongside it). Apply RCD to specific sites that should be excluded from Copilot discovery:

Portal: SharePoint Admin Center > Sites > Active sites > [select site] > Settings

Navigate to the site settings and enable "Restrict content org-wide search" to exclude the site from Copilot discovery. Alternatively, use PowerShell:

# PowerShell reference (see Playbook 1.3.2 for full walkthrough):
# Set-SPOSite -Identity "https://tenant.sharepoint.com/sites/sensitive-site" -RestrictContentOrgWideSearch $true

RCD does not affect direct user access to the site — users with permissions can still navigate to and use the site. Only Copilot discovery of the site's content is restricted.

Step 2: Add Sites to the RSS Allow-List

Add approved sites via SharePoint Admin Center or PowerShell:

# PowerShell reference (the -SitesList parameter accepts one or more site URLs):
# Add-SPOTenantRestrictedSearchAllowedList -SitesList @("https://tenant.sharepoint.com/sites/approved-site")
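Steps 1, 1b and 2 combined into one script that also enforces the 100-site limit and reads the resulting state back from the tenant. This is an added example, not the framework's Playbook 1.3.2 and not Microsoft's documentation; the tenant name, the CSV paths and their SiteUrl column are placeholders, and the script assumes that Get-SPOTenantRestrictedSearchAllowedList returns the allow-listed site URLs as strings.

```powershell
# Added example: enable RSS, load the vetted allow-list, and apply RCD to the
# sites that must stay out of Copilot discovery. Requires the SharePoint Online
# Management Shell and a SharePoint administrator account.
Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop

$AdminUrl     = "https://tenant-admin.sharepoint.com"   # placeholder tenant
$AllowListCsv = ".\rss-allowlist.csv"   # constructed: one column named SiteUrl
$RcdSitesCsv  = ".\rcd-sites.csv"       # constructed: one column named SiteUrl
$RssSiteLimit = 100                     # limit stated in this control

Connect-SPOService -Url $AdminUrl

# Step 1: switch Copilot grounding from tenant-wide search to the allow-list model.
Set-SPOTenantRestrictedSearchMode -Mode Enabled

# Step 2: load the vetted sites. Each row should already have passed the Step 3
# selection criteria; this script only normalizes URLs and enforces the cap.
$vetted = @(Import-Csv $AllowListCsv |
            ForEach-Object { $_.SiteUrl.Trim().TrimEnd('/') } |
            Sort-Object -Unique)
if ($vetted.Count -gt $RssSiteLimit) {
    throw "Allow-list has $($vetted.Count) sites; RSS supports at most $RssSiteLimit. Prioritize before loading."
}

# Add in small batches so one malformed URL fails a batch, not the whole run.
$batchSize = 20
for ($i = 0; $i -lt $vetted.Count; $i += $batchSize) {
    $last  = [Math]::Min($i + $batchSize, $vetted.Count) - 1
    $batch = @($vetted[$i..$last])
    Add-SPOTenantRestrictedSearchAllowedList -SitesList $batch
}

# Step 1b: RCD is a per-site opt-out independent of RSS. Apply it to sites
# that must not be discoverable by Copilot even if they are allow-listed.
foreach ($row in Import-Csv $RcdSitesCsv) {
    Set-SPOSite -Identity $row.SiteUrl.Trim() -RestrictContentOrgWideSearch $true
}

# Read the live state back so the result can be attached to the governance log.
# Assumption: the allow-list cmdlet returns site URL strings.
$mode    = Get-SPOTenantRestrictedSearchMode
$live    = @(Get-SPOTenantRestrictedSearchAllowedList | ForEach-Object { "$_".TrimEnd('/') })
$missing = @($vetted | Where-Object { $live -notcontains $_ })

[pscustomobject]@{
    RestrictedSearchMode = "$mode"
    AllowListCount       = $live.Count
    Capacity             = "$($live.Count)/$RssSiteLimit"
    MissingFromAllowList = ($missing -join ", ")
} | Format-List
```

The read-back at the end is the useful part for an assessor: it records what the tenant actually holds after the change, independently of what the CSV said, and any site in MissingFromAllowList is a discrepancy to resolve before the allow-list is treated as verified.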

Step 3: Define Site Selection Criteria

Establish criteria for which sites are added to the RSS allow-list:

| Criterion | Requirement | Verification Method |
|---|---|---|
| Permission review complete | No "Everyone" or EEEU (Everyone except external users) access | SharePoint DAG report |
| Sensitivity labels applied | >80% of documents labeled | DSPM label coverage report |
| Stale content reviewed | Content older than 2 years reviewed/archived | Site analytics review |
| Site owner identified | Active site owner who can manage permissions | Site collection admin check |
| Content classification | Content types documented and appropriate for Copilot | Manual review |

Step 4: Establish Change Management Process

Document a process for adding/removing sites from the RSS allow-list:

  1. Site owner submits nomination request
  2. IT/compliance reviews site against selection criteria
  3. Approval documented with sign-off
  4. Site added to allow-list
  5. Verification that site appears in Copilot search scope
  6. Change logged in RSS governance log
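The six-step process above, with the Step 3 criteria as the review gate, implemented as governed add and remove functions. This is an added example and not part of the framework or its playbooks; the nomination field names, the log path, the approver identity and the sample nomination are constructed placeholders, and the functions assume an already-connected SharePoint Online Management Shell session whose Get-SPOTenantRestrictedSearchAllowedList output is a list of site URL strings.

```powershell
# Added example: every RSS allow-list change passes the Step 3 criteria,
# is verified against the tenant, and is appended to the governance log.
$RssGovernanceLog = ".\rss-governance-log.csv"   # constructed path

function Test-RssSiteCriteria {
    # Step 2 of the process: review the nomination against the Step 3 criteria.
    # All failures are returned so the site owner sees every gap at once.
    param([Parameter(Mandatory)] $Nomination)
    $failures = @()
    if (-not $Nomination.PermissionReviewComplete) { $failures += "permission review not complete (Everyone/EEEU check)" }
    if ([double]$Nomination.LabelCoveragePct -le 80) { $failures += "label coverage $($Nomination.LabelCoveragePct)% is not above 80%" }
    if (-not $Nomination.StaleContentReviewed) { $failures += "content older than 2 years not reviewed/archived" }
    if ([string]::IsNullOrWhiteSpace($Nomination.SiteOwner)) { $failures += "no active site owner identified" }
    if (-not $Nomination.ContentClassified) { $failures += "content types not documented" }
    return ,$failures
}

function Write-RssGovernanceLog {
    # Step 6: one row per decision, including rejections, so the log is complete.
    param($SiteUrl, $Action, $Result, $Approver, $Rationale)
    [pscustomobject]@{
        Timestamp = (Get-Date).ToString("o"); SiteUrl = $SiteUrl; Action = $Action
        Result = $Result; Approver = $Approver; Rationale = $Rationale
    } | Export-Csv $RssGovernanceLog -Append -NoTypeInformation
}

function Add-RssAllowedSite {
    param(
        [Parameter(Mandatory)] $Nomination,          # Step 1: site owner's request
        [Parameter(Mandatory)] [string] $Approver,   # Step 3: documented sign-off
        [Parameter(Mandatory)] [string] $Rationale
    )
    $url = $Nomination.SiteUrl.Trim().TrimEnd('/')
    $failures = @(Test-RssSiteCriteria $Nomination)
    if ($failures.Count -gt 0) {
        Write-RssGovernanceLog $url "add" "rejected: $($failures -join '; ')" $Approver $Rationale
        Write-Warning "Rejected $url : $($failures -join '; ')"
        return $false
    }
    # Capacity check against the 100-site limit before touching the tenant.
    $current = @(Get-SPOTenantRestrictedSearchAllowedList)   # assumed to return URL strings
    if ($current.Count -ge 100) {
        Write-RssGovernanceLog $url "add" "rejected: allow-list at 100-site limit" $Approver $Rationale
        return $false
    }
    # Step 4: add the site.
    Add-SPOTenantRestrictedSearchAllowedList -SitesList @($url)
    # Step 5: verify from the tenant rather than trusting the cmdlet's return.
    $verified = @(Get-SPOTenantRestrictedSearchAllowedList | ForEach-Object { "$_".TrimEnd('/') }) -contains $url
    $result = if ($verified) { "added and verified" } else { "added but NOT visible in allow-list" }
    Write-RssGovernanceLog $url "add" $result $Approver $Rationale
    return $verified
}

function Remove-RssAllowedSite {
    param([string] $SiteUrl, [string] $Approver, [string] $Rationale)
    $url = $SiteUrl.Trim().TrimEnd('/')
    Remove-SPOTenantRestrictedSearchAllowedList -SitesList @($url)
    $gone = -not (@(Get-SPOTenantRestrictedSearchAllowedList | ForEach-Object { "$_".TrimEnd('/') }) -contains $url)
    $result = if ($gone) { "removed and verified" } else { "removal NOT reflected in allow-list" }
    Write-RssGovernanceLog $url "remove" $result $Approver $Rationale
    return $gone
}

# Constructed nomination record, as a site owner might submit it.
$nomination = [pscustomobject]@{
    SiteUrl = "https://tenant.sharepoint.com/sites/ops-procedures"
    PermissionReviewComplete = $true; LabelCoveragePct = 92
    StaleContentReviewed = $true; SiteOwner = "ops-lead@tenant.example"; ContentClassified = $true
}
Add-RssAllowedSite -Nomination $nomination -Approver "compliance-reviewer@tenant.example" -Rationale "Operations phase 1 rollout"
```

Rejections are logged with the failing criteria rather than discarded, which gives the change log the evidence trail that verification criterion 3 and 8 ask for, and the verification step reads the allow-list back from the tenant so a silently failed add is recorded as such.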

Step 5: Plan Transition

Document transition criteria for moving from RSS to full tenant search:

  • Percentage of sites remediated
  • DSPM oversharing score thresholds
  • Compliance sign-off requirements
  • Monitoring controls that must be in place

Financial Sector Considerations

  • Information Barriers: RSS provides an additional control layer for institutions with Chinese wall requirements. Sites containing MNPI (material non-public information) can be excluded from the allow-list entirely, providing defense-in-depth beyond user-level information barriers.
  • Departmental Phasing: Many financial institutions deploy Copilot by department (e.g., operations first, then wealth management, then compliance). RSS supports this by allowing the allow-list to be updated as each department's sites are vetted.
  • Regulatory Examination Posture: RSS demonstrates proactive data minimization to examiners. The ability to show a documented, curated list of AI-accessible sites with vetting records is a strong governance indicator.
  • Trading Floor Considerations: Sites containing trading algorithms, position data, or market-sensitive information should generally be excluded from RSS allow-lists during initial deployment phases.
  • Client-Facing Sites: Sites used for client portal content or external collaboration should be carefully evaluated before inclusion, as Copilot grounding on client-facing content could surface information across client boundaries.
  • Transition Risk Management: Moving from RSS to full tenant search is a significant governance decision. Financial institutions should treat this transition as a change management event with appropriate risk assessment, testing, and rollback planning.

Verification Criteria

  1. RSS and/or RCD configuration state is documented and aligns with the organization's intended governance posture
  2. If RSS is enabled, the allow-list contains an appropriate number of sites for the governance level (minimum 10 / 50-100 / all vetted sites)
  3. Each site on the RSS allow-list has documented evidence of passing the site selection criteria (permission review, label coverage, stale content review)
  4. If RCD is deployed, a log of RCD-enabled sites is maintained with business justification for each excluded site
  5. A site nomination and approval process is documented and being followed for RSS allow-list changes
  6. RCD configuration changes follow a documented change control process
  7. The RSS allow-list is reviewed at the specified cadence (monthly / bi-weekly per governance level)
  8. A change log documents all additions and removals from the RSS allow-list and RCD site list with dates and rationale
  9. A transition plan from RSS to full tenant search is documented with specific criteria and compliance sign-off requirements
  10. Users are aware that Copilot search scope is restricted (communication to affected user populations)
  11. Monitoring confirms Copilot is respecting RSS restrictions (test queries against non-listed sites return no results)
  12. For RCD-configured sites, testing confirms that Copilot does not surface content from excluded sites while users can still navigate to the sites directly
  13. RSS and RCD configurations are included in the organization's Copilot governance documentation and regulatory examination file
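A drift check covering criteria 1, 2, 4, 7 and 8: it compares the tenant's live RSS and RCD state with the documented posture and reports every mismatch. This is an added example, not a tool from the framework; the posture document format, the mapping of "monthly" and "bi-weekly" to 30 and 14 days, and the assumption that Get-SPOSite -Detailed exposes the RestrictContentOrgWideSearch property are all assumptions labelled in the code, and the sample posture is constructed.

```powershell
# Added example: compare live tenant configuration with the documented posture.
# Assumes an already-connected SharePoint Online Management Shell session.
# In practice the posture would be read from the governance file, e.g.
# Get-Content .\copilot-scope-posture.json -Raw | ConvertFrom-Json.

# Constructed posture document, as the governance file might record it.
$posture = @'
{
  "GovernanceLevel": "Recommended",
  "RssEnabled": true,
  "RssAllowList": ["https://tenant.sharepoint.com/sites/ops-procedures",
                   "https://tenant.sharepoint.com/sites/hr-policies"],
  "RcdSites": ["https://tenant.sharepoint.com/sites/mnpi-research"],
  "LastAllowListReview": "2026-02-01"
}
'@ | ConvertFrom-Json

# Minimum allow-list size and review cadence per governance level, taken from
# the Governance Levels table. Days per cadence are an assumption; Regulated
# has no numeric minimum (all vetted sites), so membership is checked instead.
$levelPolicy = @{
    Baseline    = @{ MinSites = 10; ReviewDays = 30 }   # "monthly" assumed as 30 days
    Recommended = @{ MinSites = 50; ReviewDays = 30 }
    Regulated   = @{ MinSites = 0;  ReviewDays = 14 }   # "bi-weekly" assumed as 14 days
}

function Get-CopilotScopeDrift {
    param($Posture)
    $findings = [System.Collections.Generic.List[string]]::new()
    $policy = $levelPolicy[$Posture.GovernanceLevel]

    # Criterion 1: RSS mode matches the documented posture.
    # Assumption: the cmdlet output stringifies to something containing Enabled/Disabled.
    $mode = "$(Get-SPOTenantRestrictedSearchMode)"
    $liveEnabled = $mode -match 'Enabled'
    if ($liveEnabled -ne [bool]$Posture.RssEnabled) {
        $findings.Add("RSS mode is '$mode' but posture says RssEnabled=$($Posture.RssEnabled)")
    }

    if ($liveEnabled) {
        $live = @(Get-SPOTenantRestrictedSearchAllowedList | ForEach-Object { "$_".TrimEnd('/') })
        $documented = @(@($Posture.RssAllowList) | ForEach-Object { $_.TrimEnd('/') })
        # Criterion 2: size for the governance level, and never above the 100-site limit.
        if ($live.Count -lt $policy.MinSites) {
            $findings.Add("allow-list has $($live.Count) sites; $($Posture.GovernanceLevel) expects at least $($policy.MinSites)")
        }
        if ($live.Count -gt 100) { $findings.Add("allow-list reports $($live.Count) sites, above the 100-site limit") }
        # Criterion 8: membership must match the change log in both directions.
        foreach ($s in $live)       { if ($documented -notcontains $s) { $findings.Add("undocumented site on allow-list: $s") } }
        foreach ($s in $documented) { if ($live -notcontains $s)       { $findings.Add("documented site missing from allow-list: $s") } }
    }

    # Criterion 4: every site in the RCD log is actually restricted.
    # Assumption: Get-SPOSite -Detailed exposes RestrictContentOrgWideSearch.
    foreach ($s in @($Posture.RcdSites)) {
        $site = Get-SPOSite -Identity $s -Detailed
        if (-not $site.RestrictContentOrgWideSearch) { $findings.Add("RCD site not restricted: $s") }
    }

    # Criterion 7: the allow-list review happened within the level's cadence.
    $age = (Get-Date) - [datetime]$Posture.LastAllowListReview
    if ($age.TotalDays -gt $policy.ReviewDays) {
        $findings.Add("allow-list last reviewed $([int]$age.TotalDays) days ago; cadence is $($policy.ReviewDays) days")
    }

    return ,$findings
}

$drift = Get-CopilotScopeDrift $posture
if ($drift.Count -eq 0) { "No drift between live configuration and documented posture." }
else { $drift | ForEach-Object { "DRIFT: $_" } }
```

Running this on the review cadence and filing its output with the governance log turns criteria 1, 2, 4, 7 and 8 into a repeatable check; criteria 11 and 12 still need the manual test queries described above, since no cmdlet reports what Copilot actually returned to a user.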

Additional Resources


FSI Copilot Governance Framework v1.2.1 - March 2026