
Control 2.6: Copilot Web Search and Web Grounding Controls

Control ID: 2.6
Pillar: Security & Protection
Regulatory Reference: GLBA 501(b), Data Residency Considerations
Last Verified: 2026-02-17
Governance Levels: Baseline / Recommended / Regulated


Objective

Govern the web search and web grounding capabilities within Microsoft 365 Copilot to control whether Copilot can retrieve information from the public internet (via Bing) when responding to user queries. For financial institutions, web search in Copilot raises data privacy, data residency, and regulatory concerns that must be evaluated against the productivity benefits. This control provides a risk-based framework for enabling, restricting, or disabling web search across different user populations.


Why This Matters for FSI

  • GLBA 501(b) requires safeguards for customer information — when web search is enabled, user prompts may be sent to Bing's search infrastructure, and firms must understand this data flow to assess risk to customer information
  • Data residency requirements may be impacted if user prompts (which could contain business context) are processed through web search services located in different regions than the firm's M365 tenant
  • SEC Reg S-P requires protection of customer NPI — if user prompts contain customer information and are routed to web search services, this may constitute disclosure to a third-party processor
  • FINRA Rule 3110 (Supervision) requires supervision of registered representatives' communications — web search queries from Copilot may not be captured in standard supervision workflows
  • Vendor risk management expectations from OCC and FFIEC require due diligence on data processing by third-party services — web search in Copilot involves Bing's infrastructure as an additional processing layer

Control Description

Microsoft 365 Copilot can optionally use web search to augment its responses with current public information. When enabled, Copilot sends a search query derived from the user's prompt to Microsoft Bing and incorporates web results into the response.

Web Search Data Flow

```text
User Prompt → Copilot Service → Query Extraction
                                      │
                              ┌───────┴───────┐
                              │               │
                       Web Search OFF    Web Search ON
                              │               │
                         M365 Data        Bing Search API
                         Only                 │
                              │               ├─ Search query sent
                              │               ├─ Web results returned
                              │               ├─ Results integrated
                              │               └─ Search logs retained
                              │               │
                              └───────┬───────┘
                                      │
                                  Response
                                  to User
```
| Data Element | When Web Search is ON | When Web Search is OFF |
|---|---|---|
| User prompt | Processed by Copilot; a search query is derived from it and sent to Bing | Processed by Copilot only |
| Search query sent to Bing | Derived from the prompt (not the full prompt); attributed to the organization, not to the individual user | Not applicable |
| Bing search results | Returned to Copilot for integration into the response | Not applicable |
| Search query retention and use | Microsoft states queries are not used to train Bing or to improve search | Not applicable |
| User identity | Not sent to Bing; search queries are anonymized | Not applicable |
| Prompt content in Bing logs | Microsoft states prompt content is not stored in Bing logs | Not applicable |

Web Search Risk Assessment for FSI

| Risk Factor | Low Risk | Medium Risk | High Risk |
|---|---|---|---|
| Data in prompts | General business questions | Industry-specific queries | Prompts containing customer names/data |
| User population | Back-office, administrative | Front-office, general | Registered reps, trading, compliance |
| Regulatory sensitivity | General operations | Moderate (internal controls) | High (MNPI, customer data, regulatory) |
| Data residency | Single-country operation | Multi-country, same region | Cross-border, multiple jurisdictions |
| Recommendation | Enable web search | Enable with monitoring | Disable web search |

Web Search Configuration Options

| Setting | Description | Admin Control |
|---|---|---|
| Org-wide web search | Enable or disable web search for all Copilot users | M365 Admin Center toggle |
| Group-based web search | Enable web search for specific groups only | Group-scoped policy |
| Optional web search | Users can toggle web search on/off per query | User-level control (if org-wide enabled) |
| Mandatory disable | Web search completely disabled, no user override | Admin enforcement |

Copilot Surface Coverage

| M365 Application | Web Search Available | Admin Controllable | User Toggle | Notes |
|---|---|---|---|---|
| Microsoft 365 Copilot Chat | Yes | Yes | Yes (if enabled) | Primary web search surface |
| Word | Limited | Yes | No | Web search for research/drafting |
| Excel | No | N/A | N/A | Data analysis does not use web search |
| PowerPoint | Limited | Yes | No | Web content for presentations |
| Outlook | Limited | Yes | No | Web context for email drafting |
| Teams | Yes | Yes | Yes (if enabled) | Web search in Teams Copilot |
| OneNote | No | N/A | N/A | Not applicable |
| Loop | Limited | Yes | No | Web content in Loop components |
| Copilot Pages | Yes | Yes | Yes (if enabled) | Web content in Pages |
| SharePoint (Agents) | Configurable | Yes | No | Per-agent web search setting |

Governance Levels

| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Disable web search org-wide during initial Copilot deployment; document the decision and rationale; review quarterly | Eliminates the web search data flow risk entirely; the simplest approach for firms prioritizing data containment during initial AI adoption |
| Recommended | Enable web search for non-regulated user groups (HR, marketing, general operations) via group-based policy; disable for registered representatives, traders, compliance, and executive leadership; monitor web search usage via Copilot analytics; quarterly review of group assignments | Balanced approach that provides web search value where risk is low while maintaining restrictions for high-risk user populations |
| Regulated | Disable web search org-wide; if a business need arises, require a formal risk assessment and CISO approval before enabling for any group; document exceptions with business justification and compensating controls; annual review of web search policy | Maximum data containment; appropriate for firms where any external data flow from user prompts is unacceptable based on regulatory posture |

Setup & Configuration

Step 1: Access Web Search Settings

Portal: Microsoft 365 Admin Center > Settings > Copilot > Web search

Step 2: Configure Org-Wide Setting

  1. Navigate to the Copilot settings page
  2. Locate "Allow Copilot to reference web content"
  3. Set to Off for Baseline/Regulated or On for Recommended (with group restrictions)

Step 3: Scope Web Search to a Security Group (Recommended level)

If enabling web search for specific groups:

  1. Create a security group for web-search-enabled users (e.g., "Copilot-WebSearch-Enabled")
  2. Add appropriate users (non-regulated populations)
  3. In Copilot settings, scope web search to this group
  4. Verify that users outside the group cannot access web search in Copilot

Step 4: Configure Web Search for SharePoint Agents

For declarative agents created from SharePoint:

  1. Each agent can have web search independently configured
  2. Set default to "disabled" for all new agents
  3. Require approval for agents with web search enabled

Step 5: Monitor Web Search Usage

```powershell
# Requires the ExchangeOnlineManagement module; connect before searching
Connect-ExchangeOnline

# Search audit logs for web search activity in Copilot over the last 30 days.
# The "WebSearch" match is a text heuristic on the raw AuditData JSON; confirm the
# marker against the current CopilotInteraction audit schema before relying on it.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
  -Operations "CopilotInteraction" -ResultSize 5000 |
  Where-Object { $_.AuditData -match "WebSearch" }
```
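The search above only lists raw records. The script below is an added example, not part of the original control page: it turns CopilotInteraction records into a per-user summary of web search use and flags users who belong to a population that is supposed to be excluded, which is the drift a quarterly review should catch. It runs offline against constructed sample records shaped like Search-UnifiedAuditLog output (CreationDate, UserIds, AuditData). The JSON layout of those samples, the CopilotEventData.AppHost field, and the user and domain names are assumptions; the WebSearch text match is the same heuristic the page's one-liner uses.

```powershell
# Added example (not from the original page): per-user triage of Copilot web
# search use from audit records, with restricted users flagged.

function Get-CopilotWebSearchSummary {
    param(
        # Records shaped like Search-UnifiedAuditLog output: CreationDate, UserIds, AuditData
        [Parameter(Mandatory)] [object[]] $Records,
        # UPNs of populations that must not use web search (registered reps, traders, compliance)
        [string[]] $RestrictedUsers = @()
    )

    $hits = foreach ($r in $Records) {
        # Same text heuristic as the page's one-liner; confirm the marker against the current schema
        if ($r.AuditData -notmatch 'WebSearch') { continue }
        $data = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time    = $r.CreationDate
            User    = $r.UserIds
            AppHost = $data.CopilotEventData.AppHost    # assumed field name
        }
    }

    # Collapse to one row per user so drift in group scoping stands out
    $hits | Group-Object -Property User | ForEach-Object {
        [pscustomobject]@{
            User        = $_.Name
            WebSearches = $_.Count
            AppHosts    = (@($_.Group.AppHost) | Sort-Object -Unique) -join ', '
            LastSeen    = ($_.Group.Time | Sort-Object -Descending | Select-Object -First 1)
            Restricted  = [bool]($RestrictedUsers -contains $_.Name)
        }
    } | Sort-Object -Property Restricted, WebSearches -Descending
}

# Constructed sample records (not real tenant data); in production replace with the
# output of Search-UnifiedAuditLog -Operations CopilotInteraction. JSON layout is illustrative.
$records = @(
    [pscustomobject]@{
        CreationDate = [datetime]'2026-02-10T14:02:11Z'
        UserIds      = 'analyst1@contoso.com'
        AuditData    = '{"Operation":"CopilotInteraction","CopilotEventData":{"AppHost":"Teams","AccessedResources":[{"Type":"WebSearch"}]}}'
    }
    [pscustomobject]@{
        CreationDate = [datetime]'2026-02-11T09:15:40Z'
        UserIds      = 'rep1@contoso.com'
        AuditData    = '{"Operation":"CopilotInteraction","CopilotEventData":{"AppHost":"Office","AccessedResources":[{"Type":"WebSearch"}]}}'
    }
    [pscustomobject]@{
        CreationDate = [datetime]'2026-02-11T09:20:03Z'
        UserIds      = 'rep1@contoso.com'
        AuditData    = '{"Operation":"CopilotInteraction","CopilotEventData":{"AppHost":"Teams","AccessedResources":[{"Type":"SharePoint"}]}}'
    }
)

# Assumed UPNs of users in the registered-rep and trading-desk populations
$summary = Get-CopilotWebSearchSummary -Records $records -RestrictedUsers @('rep1@contoso.com', 'trader1@contoso.com')
$summary | Format-Table -AutoSize

# Any restricted user with web searches means group scoping has failed or drifted
foreach ($row in ($summary | Where-Object Restricted)) {
    Write-Warning "Restricted user $($row.User) used web search $($row.WebSearches) time(s) via $($row.AppHosts)"
}
```

With the constructed input, analyst1 shows one web-grounded interaction and rep1 shows one (the third record is an ordinary M365-grounded interaction and is not counted), and rep1 is reported as a restricted-user breach. Feed the real 30-day export into -Records and keep -RestrictedUsers in sync with the group membership used for scoping.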

Step 6: Document the Decision

Regardless of setting chosen, document:

  1. Web search configuration (enabled/disabled/group-scoped)
  2. Risk assessment summary
  3. Business justification
  4. Approver (CISO or equivalent)
  5. Review cadence
  6. Date of last review

Financial Sector Considerations

  • Registered Representatives: Web search should be disabled for registered representatives. Their Copilot queries may contain client names, ticker symbols, or investment context that should not flow to external search services, even in anonymized form.
  • Trading Desks: Proprietary trading information and strategies must never be exposed through web search queries. Disable web search for all trading personnel.
  • Compliance Teams: Compliance staff working on regulatory matters, examinations, or investigations should not have web search enabled, as their queries may contain sensitive regulatory context.
  • Research Analysts: Consider the implications of enabling web search for research analysts. While public market information is valuable, analyst queries may inadvertently reveal research coverage changes or opinion shifts.
  • Vendor Risk Assessment: If enabling web search, document Bing's data processing practices in the firm's third-party vendor risk assessment. Microsoft's commitments regarding prompt data handling should be evaluated against the firm's vendor management standards.
  • Data Residency Impact: Evaluate whether web search processing locations align with the firm's data residency requirements. Web search queries may be processed in locations different from the M365 tenant region.
  • Examination Preparedness: Be prepared to explain the web search configuration decision to examiners. Whether enabled or disabled, having a documented, risk-based rationale demonstrates sound governance.

Verification Criteria

  1. Web Search Status: Verify the current web search setting in M365 Admin Center matches the intended governance level
  2. Group Scoping: If using group-based web search, verify that only intended users can access web search functionality in Copilot
  3. User Experience Test (Disabled): As a user with web search disabled, ask Copilot a question that would require web data — confirm no web results appear and response is based solely on M365 data
  4. User Experience Test (Enabled): As a user with web search enabled, ask a current events question — confirm web results are integrated and properly attributed
  5. Regulated User Exclusion: As a registered representative or trading desk user, verify web search is not available in Copilot
  6. SharePoint Agent Configuration: Verify default web search setting for new SharePoint agents is "disabled"
  7. Audit Trail: Confirm web search usage events are captured in audit logs
  8. Decision Documentation: Verify that a documented risk assessment and approval record exists for the web search configuration
  9. Review Cadence: Confirm quarterly (Baseline/Recommended) or annual (Regulated) review of web search policy is scheduled
  10. Vendor Risk Assessment: Verify that Bing/web search data processing is included in the firm's third-party vendor risk assessment (if web search is enabled for any users)
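Criteria 2 and 5, and the final check of the group-scoping step in Setup & Configuration, can be scripted against Microsoft Graph rather than tested by hand per user. The script below is an added example, not part of the original control page: it reads the transitive membership of Copilot-WebSearch-Enabled and of each restricted-population group and reports any overlap. The restricted group names and the Graph scope are assumptions; it requires the Microsoft.Graph.Groups module and an identity permitted to read group membership.

```powershell
# Added example (not from the original page): confirm that no member of a restricted
# population is, directly or via a nested group, in the web-search-enabled group.
# Group display names other than "Copilot-WebSearch-Enabled" are assumptions.
# Requires: Install-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'Group.Read.All' -NoWelcome

function Get-GroupTransitiveUpns {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Escape single quotes so a display name cannot break the OData filter
    $filter = "displayName eq '{0}'" -f $DisplayName.Replace("'", "''")
    $group = @(Get-MgGroup -Filter $filter)
    if ($group.Count -ne 1) {
        throw "Expected exactly one group named '$DisplayName', found $($group.Count)"
    }
    # Transitive membership: a nested group added to the enabled group silently grants web search
    Get-MgGroupTransitiveMember -GroupId $group[0].Id -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
        Where-Object { $_ }
}

$enabled = @(Get-GroupTransitiveUpns 'Copilot-WebSearch-Enabled')

# Populations the Recommended and Regulated levels exclude (assumed group names)
$restrictedGroups = @(
    'Copilot-Restricted-RegisteredReps',
    'Copilot-Restricted-Trading',
    'Copilot-Restricted-Compliance'
)

$violations = foreach ($name in $restrictedGroups) {
    $members = @(Get-GroupTransitiveUpns $name)
    foreach ($upn in $enabled) {
        if ($members -contains $upn) {
            [pscustomobject]@{ User = $upn; RestrictedGroup = $name }
        }
    }
}

if ($violations) {
    $violations | Format-Table -AutoSize
    Write-Warning "$(@($violations).Count) restricted user(s) have web search enabled; remove them from Copilot-WebSearch-Enabled and record the finding"
} else {
    Write-Host "No restricted users found in Copilot-WebSearch-Enabled ($($enabled.Count) enabled users checked)"
}
```

Run it as part of the quarterly group review and keep the output with the decision record; a clean run is the evidence for criteria 2 and 5, and a non-empty violations table is the trigger for the exception process in the Regulated level.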

Additional Resources