Restricted SharePoint Search is one of the most useful Microsoft 365 controls for anyone rolling out Copilot in a tenant that isn't yet perfectly hygienic. It is also one of the most under-used. In the last twelve months we have introduced it to more than a dozen Australian tenants who already had Copilot licences purchased and hadn't switched it on — not because they didn't want it, but because nobody had surfaced what it does or when to use it.
What it actually does
By default, Microsoft 365 tenant-wide search indexes every SharePoint site in the tenant. Users searching from anywhere in Microsoft 365 can find content in any site their permissions allow. Copilot, by design, retrieves from the same index under the user's identity.
Restricted SharePoint Search constrains this at the tenant level. When enabled, only an administrator-curated allow-list of sites is searchable by the tenant-wide search experience and Copilot. Users continue to access sites they're members of directly — nothing breaks for the people working inside a given site — but tenant-wide retrieval is narrowed to the governed subset.
In practical terms, it is the "Copilot rollout gate" control. You flip it on, build your allow-list of 20 to 200 well-governed sites, and enable Copilot licences across the org. Copilot works. Tenant-wide retrieval is scoped. Oversharing risk is constrained to the sites you explicitly vetted. The remainder of your tenant can be remediated in the background over the next six months without blocking the rollout.
When to use it
The specific scenarios where we turn it on:
- Large tenants with historical SharePoint sprawl and no recent permissions audit. The most common case — moving from "cleanup must come first" to "cleanup can run in parallel".
- Regulated industries where a board is explicitly uncomfortable with tenant-wide Copilot retrieval until data classification work is complete.
- Organisations running Copilot in a targeted business unit first (finance, legal, exec team) that want the tool to stay scoped to that unit's content.
- M&A situations where a newly acquired subsidiary's tenant is being merged in and you want to quarantine the retrieval surface during integration.
When not to use it
Restricted SharePoint Search does introduce friction for legitimate tenant-wide search. Users who relied on global search to find content in sites they weren't members of will notice the reduction. If your organisation has a culture of open knowledge sharing and deliberately shares many sites broadly, the restriction model may conflict with that intent. In that case the better path is permissions cleanup first, label deployment second, Copilot rollout third — which takes longer but preserves the open-search experience.
The decision is a judgement call and reasonable people land on both sides. We lean toward enabling it for the first 90 days of any Copilot rollout in a tenant with more than about 500 SharePoint sites, then re-evaluating with real usage data.
How to deploy it
The control lives in the SharePoint Admin Center. The deployment pattern we use:
1. Run the SharePoint Advanced Management "Sharing Links" and "Oversharing" reports to establish a baseline of which sites are in scope and what risk posture each site has.
2. Identify the 50 to 200 sites that genuinely need to be searchable tenant-wide for your Copilot use cases. These are typically the organisational intranet, key policy sites, the HR information hub, project portfolio, and well-governed departmental document libraries.
3. Validate each allow-listed site's permissions model before adding it. A site on the allow-list with broken sharing is worse than one you never added.
4. Enable Restricted SharePoint Search and add the allow-list. The change is immediate but non-destructive — users keep all their direct access.
5. Communicate the change. Most users won't notice, but the ones who will (analysts, project managers searching across sites) should know what changed and who to ask to add a site.
6. Review the allow-list monthly for the first six months. Expand as content is governed. Contract if anything slipped through.
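The validate, enable and review steps above, scripted against the SharePoint Online Management Shell. This is an added example, not the article's own tooling; the tenant admin URL and site URLs are placeholders, and the "broken sharing" test is one narrow definition (Anyone links allowed, or an Everyone-style claim in a site group), not a full permissions audit.

```powershell
# Added example (not from the original post): gate the allow-list with a
# sharing-posture check, then enable Restricted SharePoint Search.
# Assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint
# admin account; tenant and site URLs below are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# Step 2: candidate sites that should be searchable tenant-wide (placeholders).
$candidates = @(
    "https://contoso.sharepoint.com/sites/intranet",
    "https://contoso.sharepoint.com/sites/policies",
    "https://contoso.sharepoint.com/sites/hr-hub"
)

# Step 3: refuse to allow-list a site whose sharing posture is broken. Here
# "broken" means Anyone links are permitted, or a tenant-wide claim such as
# "Everyone except external users" is a member of any site group.
$everyoneClaim = 'spo-grid-all-users|c:0\(\.s\|true'
$approved = @()
foreach ($url in $candidates) {
    $site = Get-SPOSite -Identity $url -Detailed
    $anyoneLinks = $site.SharingCapability -eq "ExternalUserAndGuestSharing"
    $everyone = Get-SPOSiteGroup -Site $url |
        ForEach-Object { $_.Users } |
        Where-Object { $_ -match $everyoneClaim }
    if ($anyoneLinks -or $everyone) {
        Write-Warning "Skipping $url (AnyoneLinks=$anyoneLinks EveryoneClaim=$([bool]$everyone))"
        continue
    }
    $approved += $url
}

# Microsoft's admin guide documents a ceiling on allow-list size (100 sites
# when this example was written); confirm against current documentation.
$cap = 100
if ($approved.Count -gt $cap) { throw "Allow-list has $($approved.Count) sites; cap is $cap" }

# Step 4: enable the control, then add the vetted sites.
Set-SPOTenantRestrictedSearchMode -Mode Enabled
Add-SPOTenantRestrictedSearchAllowedList -SitesList $approved

# Step 6 (monthly): confirm the mode is still Enabled and diff the live
# allow-list against the approved set; any "=>" line is a site that slipped in.
Get-SPOTenantRestrictedSearchMode
$live = Get-SPOTenantRestrictedSearchAllowedList
Compare-Object -ReferenceObject $approved -DifferenceObject $live
```

Keep the approved list in source control so the monthly Compare-Object run has a stable reference to diff against.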
The framing for leadership
If you are taking a Copilot business case to an exec team or board, Restricted SharePoint Search is one of the cleaner risk-management talking points. The logic is: Microsoft has built an explicit tenant-level control that scopes Copilot retrieval to a curated, auditable list of sites. We have enabled it. The list is reviewed monthly. Copilot cannot retrieve from sites outside the list. That is a verifiable, documented control that most Australian boards are satisfied with.
It is not a substitute for long-term tenant hygiene. But it is a genuine Microsoft-provided mechanism that lets the Copilot rollout move forward while the hygiene work runs in the background — which in a practical Australian mid-market business is usually the difference between Copilot going live this quarter and Copilot slipping another six months.