Skip to content

Control 2.6: Copilot Web Search and Web Grounding Controls

Control ID: 2.6 Pillar: Security & Protection Regulatory Reference: GLBA §501(b), Data Residency Considerations Last Verified: 2026-05-25 Governance Levels: Baseline / Recommended / Regulated

Objective

Govern the web search and web grounding capabilities within Microsoft 365 Copilot to control whether Copilot can retrieve information from the public internet (via Bing) when responding to user queries. For financial institutions, web search in Copilot raises data privacy, data residency, and regulatory concerns that must be evaluated against the productivity benefits. This control provides a risk-based framework for enabling, restricting, or disabling web search across different user populations.

Why This Matters for FSI

  • GLBA §501(b) requires safeguards for customer information — when web search is enabled, Copilot-generated search queries may be sent to Bing's search infrastructure, and firms must understand this data flow to assess risk to customer information
  • Data residency requirements may be impacted if generated search queries (which can be informed by business context) are processed through web search services located in different regions than the firm's M365 tenant
  • SEC Reg S-P requires protection of customer NPI — if generated search queries derived from prompts contain customer information and are routed to web search services, this may constitute disclosure to a third-party processor
  • FINRA Rule 3110 (Supervision) requires supervision of registered representatives' communications — web search queries from Copilot may not be captured in standard supervision workflows
  • Vendor risk management expectations from OCC Bulletin 2023-17 and FFIEC guidance require due diligence on data processing by third-party services — web search in Copilot involves Bing's infrastructure as an additional processing layer

Control Description

Microsoft 365 Copilot can optionally use web search to augment its responses with current public information. When enabled, Copilot sends a search query derived from the user's prompt to Microsoft Bing and incorporates web results into the response.

Web Search Data Flow

User Prompt → Copilot Service → Query Extraction
                              ┌───────┴───────┐
                              │               │
                       Web Search OFF    Web Search ON
                              │               │
                         M365 Data        Bing Search API
                         Only             │
                              │           ├─ Search query sent
                              │           ├─ Web results returned
                              │           ├─ Results integrated
                              │           └─ Search logs retained
                              │               │
                              └───────┬───────┘
                                  Response
                                  to User
Data Element When Web Search is ON When Web Search is OFF
User prompt Processed by Copilot; search query derived and sent to Bing Processed by Copilot only
Search query sent to Bing Derived from prompt (not the full prompt); attributed to organization, not individual Not applicable
Bing search results Returned to Copilot for response integration Not applicable
Search query retention Microsoft states queries are not used to train Bing or improve search Not applicable
User identity Not sent to Bing; search queries are anonymized Not applicable
Prompt content in Bing logs Microsoft states prompt content is not stored in Bing logs Not applicable

Web Search Risk Assessment for FSI

Risk Factor Low Risk Medium Risk High Risk
Data in prompts General business questions Industry-specific queries Prompts containing customer names/data
User population Back-office, administrative Front-office, general Registered reps, trading, compliance
Regulatory sensitivity General operations Moderate (internal controls) High (MNPI, customer data, regulatory)
Data residency Single-country operation Multi-country, same region Cross-border, multiple jurisdictions
Recommendation Enable web search Enable with monitoring Disable web search

Web Search Configuration Options

Setting Description Admin Control
Tenant web search policy Enable or disable web search for Microsoft 365 Copilot and Microsoft 365 Copilot Chat users Cloud Policy service for Microsoft 365 policy: Allow web search in Copilot
Group-based web search Enable web search for specific user groups only Cloud Policy service policy configuration scoped to security groups
Work/Web mode split Disable web search in Microsoft 365 Copilot Work mode while allowing Microsoft 365 Copilot Web mode and Microsoft 365 Copilot Chat Cloud Policy service policy option
Optional web content toggle Users can turn web content off in Microsoft 365 Copilot work chat when the admin policy allows web search User-level Web content toggle; not available in Microsoft 365 Copilot Chat
Mandatory disable Web search disabled with no user override Cloud Policy service policy set to disabled

Domain Exclusion for Web Grounding

In addition to the binary enable/disable and group-based scoping options above, administrators can exclude specific domains from Copilot web grounding results. This capability provides more nuanced control than disabling web search entirely — organizations can block specific problematic domains while keeping web grounding active for general use.

Portal: Microsoft 365 admin center > Copilot > Settings > Web Content (or Web search and web content in some tenant UI versions)

Aspect Detail
How it works Admins specify domains that Copilot should not retrieve web content from during web grounding
Scope Tenant-wide; applies to all users with web search enabled
Key distinction Unlike disabling web search entirely, domain exclusion allows selective blocking while preserving the productivity benefits of web grounding

FSI relevance:

  • Competitor sites: Block competitor firm websites to prevent inadvertent sourcing of competitor marketing materials or research in Copilot-generated content
  • Unverified news sources: Exclude unreliable or sensationalized news outlets that may produce misleading financial content
  • Non-compliant content providers: Block domains known to host content that conflicts with the firm's compliance posture or contains outdated regulatory guidance

Domain Exclusion Governance Tiers:

Level Requirement Rationale
Baseline Review available domain exclusion settings; document whether the feature is in use or not Awareness of the capability and an initial assessment of whether domain exclusion is appropriate
Recommended Maintain a documented list of excluded domains with business justification for each; review the exclusion list quarterly; assign ownership of the exclusion list to a designated governance role Active management of domain exclusions with documented rationale supports examination readiness
Regulated All Recommended requirements plus: require compliance approval before adding or removing domains from the exclusion list; conduct periodic review (at least quarterly) of the excluded domain list against the firm's vendor risk and content governance standards; retain change history for the exclusion list Comprehensive governance of domain exclusions with approval workflows and audit trail

Copilot Surface Coverage

M365 Application Web Search Available Admin Controllable User Toggle Notes
Microsoft 365 Copilot Chat Yes Yes Yes (if enabled) Primary web search surface
Word Limited Yes No Web search for research/drafting
Excel No N/A N/A Data analysis does not use web search
PowerPoint Limited Yes No Web content for presentations
Outlook Limited Yes No Web context for email drafting
Teams Yes Yes Yes (if enabled) Web search in Teams Copilot
OneNote No N/A N/A Not applicable
Loop Limited Yes No Web content in Loop components
Copilot Pages / Notebooks (Copilot Cowork) Yes Yes Yes (if enabled) Include Pages and Notebooks co-authoring in web-grounding scope decisions
SharePoint (Agents) Configurable Yes No Per-agent web search setting

Governance Levels

Level Requirement Rationale
Baseline Disable web search org-wide during initial Copilot deployment; document the decision and rationale; review quarterly Reduces web search data-flow risk by removing public-web grounding during initial AI adoption
Recommended Enable web search for non-regulated user groups (HR, marketing, general operations) via group-based policy; disable for registered representatives, traders, compliance, and executive leadership; monitor web search usage via Copilot analytics; quarterly review of group assignments Balanced approach that provides web search value where risk is low while maintaining restrictions for high-risk user populations
Regulated Disable web search org-wide; if business need arises, require formal risk assessment and CISO approval before enabling for any group; document exceptions with business justification and compensating controls; annual review of web search policy Maximum data containment — appropriate for firms where any external data flow from user prompts is unacceptable based on regulatory posture

Setup & Configuration

Step 1: Access the Copilot Control System

Portal: Microsoft 365 admin center > Copilot

Use the Copilot Control System as the centralized admin surface to review Copilot license status, security and compliance controls, plugin permissions, user feedback, and web data grounding. Record the tenant UI label for web settings, which may appear as Settings > Web Content or Settings > Web search and web content.

Step 2: Configure the Cloud Policy Web Search Control

Portal: Cloud Policy service for Microsoft 365 (config.office.com)

  1. Open Cloud Policy and create or update the policy configuration for the intended tenant, pilot, or exception scope
  2. Search for Allow web search in Copilot
  3. Select the governance-approved option:
    • Enabled in Microsoft 365 Copilot and Microsoft 365 Copilot Chat
    • Disabled in Microsoft 365 Copilot and Microsoft 365 Copilot Chat
    • Disabled in Microsoft 365 Copilot Work mode; Enabled in Microsoft 365 Copilot Web mode and Microsoft 365 Copilot Chat
  4. Assign the policy to the approved security groups and allow policy propagation before user testing

If enabling web search for specific groups:

  1. Create a security group for web-search-enabled users (e.g., "Copilot-WebSearch-Enabled")
  2. Add appropriate users (non-regulated populations)
  3. Assign the Allow web search in Copilot Cloud Policy configuration to this group
  4. Verify that users outside the group cannot access web search in Copilot

Step 4: Configure Web Content Settings and Domain Exclusions

Portal: Microsoft 365 admin center > Copilot > Settings > Web Content (or Web search and web content)

  1. Review the tenant web-content status shown in the Copilot Control System
  2. Configure excluded domains if selective blocking is part of the approved governance decision
  3. Document any tenant UI differences and the relationship between Copilot Control System settings and Cloud Policy scope

For declarative agents created from SharePoint:

  1. Each agent can have web search independently configured
  2. Set default to "disabled" for all new agents
  3. Require approval for agents with web search enabled

Step 6: Monitor Web Search Usage

# Search audit logs for web search activity in Copilot
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
  -RecordType CopilotInteraction -ResultSize 5000 |
  Where-Object { $_.AuditData -match "WebSearch" }

Step 7: Document the Decision

Regardless of setting chosen, document:

  1. Cloud Policy configuration and assigned groups
  2. Copilot Control System web-content setting status and any excluded domains
  3. Risk assessment summary
  4. Business justification
  5. Approver (CISO or equivalent)
  6. Review cadence
  7. Date of last review

Financial Sector Considerations

  • Registered Representatives: Web search should be disabled for registered representatives. Their Copilot queries may contain client names, ticker symbols, or investment context that should not flow to external search services, even in anonymized form.
  • Trading Desks: Proprietary trading information and strategies must never be exposed through web search queries. Disable web search for all trading personnel.
  • Compliance Teams: Compliance staff working on regulatory matters, examinations, or investigations should not have web search enabled, as their queries may contain sensitive regulatory context.
  • Research Analysts: Consider the implications of enabling web search for research analysts. While public market information is valuable, analyst queries may inadvertently reveal research coverage changes or opinion shifts.
  • Vendor Risk Assessment: If enabling web search, document Bing's data processing practices in the firm's third-party vendor risk assessment. Microsoft's commitments regarding prompt data handling should be evaluated against the firm's vendor management standards.
  • Data Residency Impact: Evaluate whether web search processing locations align with the firm's data residency requirements. Web search queries may be processed in locations different from the M365 tenant region.
  • Examination Preparedness: Be prepared to explain the web search configuration decision to examiners. Whether enabled or disabled, having a documented, risk-based rationale demonstrates sound governance.

Verification Criteria

  1. Web Search Status: Verify the Allow web search in Copilot Cloud Policy selection and the Copilot Control System web-content status match the intended governance level
  2. Group Scoping: If using group-based web search, verify that only assigned Cloud Policy groups can access web search functionality in Copilot
  3. User Experience Test (Disabled): As a user with web search disabled, ask Copilot a question that would require web data — confirm no web results appear and response is based solely on M365 data
  4. User Experience Test (Enabled): As a user with web search enabled, ask a current events question — confirm web results are integrated and properly attributed
  5. Regulated User Exclusion: As a registered representative or trading desk user, verify web search is not available in Copilot
  6. SharePoint Agent Configuration: Verify default web search setting for new SharePoint agents is "disabled"
  7. Audit Trail: Confirm Copilot interaction and web search query events are captured in audit logs or Purview DSPM for AI activity views where available
  8. Decision Documentation: Verify that a documented risk assessment, Cloud Policy assignment, Copilot Control System setting record, and approval record exist for the web search configuration
  9. Review Cadence: Confirm quarterly (Baseline/Recommended) or annual (Regulated) review of web search policy is scheduled
  10. Vendor Risk Assessment: Verify that Bing/web search data processing is included in the firm's third-party vendor risk assessment (if web search is enabled for any users)

Additional Resources