Microsoft 365 Copilot is a double-edged sword: it massively increases productivity, but at the same time increases the risk of uncontrolled data leakage (oversharing). The technical answer to this problem is Restricted Content Discovery (RCD).

For a long time, this feature was a purely administrative tool that was centrally controlled, which inevitably leads to an operational bottleneck as tenant structures grow. Since the beginning of January 2026, Microsoft has decentralized control, allowing you to delegate decision-making power to site administrators to ensure governance takes place where content knowledge is greatest.

The architecture behind restricted content discovery

Restricted Content Discovery is not a superficial filter, but intervenes deeply in the search index of SharePoint Online. When RCD is enabled for a site, the system explicitly excludes that content from organization-wide search and thus from access by Microsoft 365 Copilot. This is technically necessary because Copilot is based on the graph index. Without RCD, AI would use any document a user has access to as a potential source of knowledge, even if that information was never intended for AI processing.

To use RCD, your tenant needs the SharePoint Advanced Management (SAM) add-on. SAM bundles advanced governance capabilities and is often already an integral part of the security strategy for customers with Microsoft 365 Copilot licenses. The technical logic behind RCD ensures that the site content remains findable for users within the site via local search, but becomes “invisible” to the AI in the global context. This prevents Copilot from surfacing information from orphaned sites or sites with poorly maintained permissions.

Delegation of Control: Why Centralization Fails

In practice, it is impossible for central SharePoint administrators to manually assess the confidentiality of each individual site in a tenant with several thousand instances. An incorrect classification leads to either data leaks or unproductive knowledge silos.

With the new delegation option, Microsoft shifts the responsibility to the site owners. They know the context of their data best and can decide whether a project folder is suitable for AI indexing or not.

However, before your site administrators can configure RCD themselves, you need to enable the feature at the tenant level. This step is designed as an opt-in so that you retain full control over the rollout.

Step 1: Activate delegation via PowerShell

Activation takes place exclusively via the SharePoint Online Management Shell. You need at least version 16.0.26712.12000 of the Microsoft.Online.SharePoint.PowerShell module, as older versions do not recognize the corresponding parameter. First, connect with your tenant:

Connect-SPOService -Url https://deintenant-admin.sharepoint.com

Then activate delegated management with the following command:

Set-SPOTenant -DelegateRestrictedContentDiscoverabilityManagement $true

This command customizes the user interface in both the admin center and site settings for site administrators. Note that replicating this setting within the Microsoft 365 infrastructure may take some time.
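
A preflight for Step 1, as an added example that is not part of the original article: it checks the installed module against the minimum version named above and confirms that Set-SPOTenant exposes the parameter before changing the tenant. The function name Enable-RcdDelegation and the admin URL in the last comment are placeholders.

```powershell
# Added example: preflight for Step 1. Function name and admin URL are placeholders.
function Enable-RcdDelegation {
    param([Parameter(Mandatory)][string]$AdminUrl)

    $ModuleName = 'Microsoft.Online.SharePoint.PowerShell'
    $MinVersion = [version]'16.0.26712.12000'   # minimum version named in the article
    $ParamName  = 'DelegateRestrictedContentDiscoverabilityManagement'

    # Newest installed copy of the module, if any.
    $Module = Get-Module -ListAvailable -Name $ModuleName |
        Sort-Object Version -Descending | Select-Object -First 1
    if (-not $Module) { throw "$ModuleName is not installed." }
    if ($Module.Version -lt $MinVersion) {
        throw "$ModuleName $($Module.Version) is older than $MinVersion; update it first."
    }

    # Load exactly that copy so an older side-by-side install cannot win.
    Import-Module $ModuleName -RequiredVersion $Module.Version -Force

    # Confirm the cmdlet really exposes the parameter before touching the tenant.
    $Cmd = Get-Command Set-SPOTenant -Module $ModuleName -ErrorAction Stop
    if (-not $Cmd.Parameters.ContainsKey($ParamName)) {
        throw "Set-SPOTenant in $($Module.Version) has no -$ParamName parameter."
    }

    Connect-SPOService -Url $AdminUrl
    Set-SPOTenant -DelegateRestrictedContentDiscoverabilityManagement $true
}

# Enable-RcdDelegation -AdminUrl 'https://<tenant>-admin.sharepoint.com'
```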

Step 2: Configuration by the site administrator

Once tenant-level delegation is active, site owners can control the discoverability of their content. This decentralized approach is technically necessary to shift the burden of governance from central IT to data owners.

  1. Navigate to the SharePoint site in question.
  2. Click on the gear icon (Settings) in the top navigation bar.
  3. Select the “Site Information” menu item.
  4. In the panel that appears, scroll down to the “Restrict content from M365 Copilot” section.

If the site administrator activates the toggle, a mandatory text box opens for the justification. The justification is enforced by the workflow, which ensures that every restriction of the AI search is stored in the audit log with a traceable reason. Without this information, the change cannot be saved.

Once saved, the site is marked as excluded from organization-wide search, and therefore from Microsoft 365 Copilot. Keep in mind that it can take up to 24 hours for the search index to fully process the change and for the content to actually stop appearing in Copilot responses.

Step 3: Monitoring and auditing of RCD activities

Since potentially hundreds of users now have an influence on the searchability of content, effective monitoring in the Unified Audit Log (UAL) is essential. You can use the following PowerShell script to retrieve the activities of the last 24 hours:

# Search-UnifiedAuditLog requires an Exchange Online PowerShell session (Connect-ExchangeOnline)
# Define the relevant operations
[array]$Operations = "RestrictContentOrgWideSearchDisabled", "RestrictContentOrgWideSearchEnabled", "SharePointRCDUpdateJustification"

# Retrieve the audit data
[array]$Records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -Formatted `
    -SessionCommand ReturnLargeSet -ResultSize 5000 -Operations $Operations

$Report = [System.Collections.Generic.List[Object]]::new()

ForEach ($Rec in $Records) {
    $AuditData = $Rec.AuditData | ConvertFrom-Json
 
    Switch ($AuditData.Operation) {
        "RestrictContentOrgWideSearchEnabled" {
            $Action = ("RCD aktiviert für {0}" -f $AuditData.ObjectId)
        }
        "SharePointRCDUpdateJustification" {
            $Action = ("Begründung: {0}" -f $AuditData.RCDJustification)
        }
        "RestrictContentOrgWideSearchDisabled" {
            $Action = ("RCD deaktiviert für {0}" -f $AuditData.ObjectId)
        }
        Default {
            $Action = $AuditData.Operation
        }
    }
    
    $ReportLine = [PSCustomObject][Ordered]@{
        Zeitstempel     = Get-Date ($AuditData.CreationTime) -format 'dd.MM.yyyy HH:mm'
        Benutzer        = $AuditData.UserId
        Aktion          = $AuditData.Operation
        SiteURL         = $AuditData.ObjectId
        Details         = $Action
    }
    $Report.Add($ReportLine)
}

$Report | Out-GridView -Title "RCD Audit Report"
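
Going one step beyond the flat report above, this added example (not part of the original article) reduces the audit records to the current RCD state per site and lists sites whose latest change switched RCD off, or that were toggled more than once. The function name Get-RcdSiteState and the sample records are constructed; it assumes that justification records carry the site URL in ObjectId, as the script above does.

```powershell
# Added example. The records below are constructed, not real tenant data.
$SampleAuditData = @'
[
 {"CreationTime":"2026-01-12T08:00:00","Operation":"RestrictContentOrgWideSearchEnabled","UserId":"anna@contoso.example","ObjectId":"https://contoso.sharepoint.com/sites/hr"},
 {"CreationTime":"2026-01-12T08:00:05","Operation":"SharePointRCDUpdateJustification","UserId":"anna@contoso.example","ObjectId":"https://contoso.sharepoint.com/sites/hr","RCDJustification":"Personnel files"},
 {"CreationTime":"2026-01-12T09:30:00","Operation":"RestrictContentOrgWideSearchEnabled","UserId":"ben@contoso.example","ObjectId":"https://contoso.sharepoint.com/sites/legal"},
 {"CreationTime":"2026-01-12T14:10:00","Operation":"RestrictContentOrgWideSearchDisabled","UserId":"ben@contoso.example","ObjectId":"https://contoso.sharepoint.com/sites/legal"}
]
'@ | ConvertFrom-Json

function Get-RcdSiteState {
    param([Parameter(Mandatory)][object[]]$AuditData)

    $Toggle = 'RestrictContentOrgWideSearchEnabled', 'RestrictContentOrgWideSearchDisabled'
    foreach ($Site in ($AuditData | Group-Object ObjectId)) {
        # Order the site's events chronologically; the last toggle is the current state.
        $Events = $Site.Group | Sort-Object { [datetime]$_.CreationTime }
        $Last   = $Events | Where-Object Operation -in $Toggle | Select-Object -Last 1
        if (-not $Last) { continue }   # only a justification update, no state change
        $Reason = $Events | Where-Object Operation -eq 'SharePointRCDUpdateJustification' |
            Select-Object -Last 1
        [PSCustomObject]@{
            SiteUrl       = $Site.Name
            RcdEnabled    = $Last.Operation -eq 'RestrictContentOrgWideSearchEnabled'
            ChangedBy     = $Last.UserId
            ChangedAt     = [datetime]$Last.CreationTime
            ToggleCount   = @($Events | Where-Object Operation -in $Toggle).Count
            Justification = $Reason.RCDJustification
        }
    }
}

$State = Get-RcdSiteState -AuditData $SampleAuditData

# Sites whose latest change switched RCD off are visible to Copilot again.
$State | Where-Object { -not $_.RcdEnabled } | Format-Table SiteUrl, ChangedBy, ChangedAt

# Sites toggled more than once inside the window are worth a follow-up with the owner.
$State | Where-Object ToggleCount -gt 1 | Format-Table SiteUrl, ToggleCount, ChangedBy
```

With live data, build the input from the script above: `$Records | ForEach-Object { $_.AuditData | ConvertFrom-Json }`.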

in the SPO Admin Center

Even if you have enabled delegation, the SPO Admin Center remains your primary tool for bulk operations and reviews. You don’t use it for micro-managing every single site, but for enforcing compliance guardrails.

  1. Navigate to Active Sites in the SPO Admin Center.
  2. Select the site and open the Settings panel.
  3. Here you can see the content restriction status for Microsoft 365 Copilot, which the site admin may have already set.

The advantage: You can immediately see which site admins have fulfilled their responsibilities. If you find that a site with the label “Secret” is not marked for RCD, you can intervene here centrally, closing the governance gap left by the site admin.


RCD settings in the SharePoint Online admin center

Critical appraisal and safety aspects

Moving RCD control to the site level is a necessary evolution, but it also brings new risks. You need to be aware that site administrators now have the power to massively curtail Copilot’s effectiveness. If users activate RCD for non-critical sites out of ignorance, the utility value of the expensive Copilot licenses decreases, as the AI no longer has access to relevant knowledge databases.

On the other hand, the danger of “shadow data” is real. A site owner who enables RCD actively protects the company from the accidental disclosure of confidential information by the AI. From a performance point of view, it should be noted that RCD changes do not take effect immediately. The search index takes time to process the exclusion criteria. It usually takes between 24 and 48 hours for content from a newly restricted site to actually disappear from Copilot responses.

My advice for your strategy: Activate the delegation, but accompany it with a clear guideline. Site owners need to understand that RCD is not a tool for “hiding clutter”, but a precise tool for highly sensitive data. Also, always combine RCD with Sensitivity Labels. While RCD regulates access for the AI, labels secure the document itself – even if it leaves the site. Only through this interaction can you achieve robust cyber resilience in the era of generative AI.

Other sources

Microsoft Learn: Set-SPOTenant cmdlet documentation, https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant