How to Prepare Your SharePoint for Microsoft Copilot

The governance and data-quality steps every organisation must complete before enabling Copilot — so the AI finds the right content and never surfaces what it shouldn't.

Microsoft 365 Copilot is grounded in your organisation's data via Microsoft Graph. That means it can only be as good as your SharePoint is clean, well-governed, and correctly permissioned. Organisations that skip this preparation phase experience two painful outcomes: Copilot surfaces confidential documents to people who shouldn't see them, and it returns poor answers because it's searching through years of outdated, redundant, and trivial content. This guide walks through every remediation step — in the right order — to get SharePoint Copilot-ready.

Why this matters: Copilot respects M365 permissions exactly. If a user has access to a file through an overly broad sharing link or an overpermissioned SharePoint group, Copilot will include that file's content in responses to that user's queries — even if the access was never intentional. Fixing permissions before Copilot launch is not optional.

Step 1: Run an Oversharing Audit with SharePoint Advanced Management

SharePoint Advanced Management (SAM) provides governance tools that help administrators understand and remediate oversharing at scale. It is available as a standalone SharePoint Advanced Management add-on, and many SAM capabilities are also included for Microsoft 365 Copilot licensed environments. Before enabling Copilot for any user, run a full oversharing assessment using SAM's built-in reports where your licensing allows it.

Key SAM reports to run

  • Data Access Governance (DAG) reports: Show which sites have "Anyone" links active, how many external users have access, and which sites have oversharing signals. Available from the SharePoint Admin Centre under Reports > Data Access Governance.
  • Sharing links report: Surfaces active sharing links across your tenant, including Anyone links. Anyone links bypass sign-in and group membership controls — any person with the link can access the content if anonymous sharing is enabled.
  • Oversharing baseline report: A site-by-site summary showing the percentage of content accessible to everyone in the organisation vs. specific groups.
  • Site access review: Sends automated review requests to site owners asking them to confirm or revoke access for listed users — useful for scaling governance across hundreds of sites.
📄 SharePoint Advanced Management documentation — learn.microsoft.com/en-us/sharepoint/advanced-management

Oversharing remediation priorities

Not all oversharing is equally risky for Copilot. Prioritise in this order:

  1. Disable or expire all tenant-wide "Anyone" (anonymous) sharing links on sensitive sites
  2. Audit "Organisation-wide" sharing links — these grant access to every M365 user in the tenant
  3. Remove ex-employee guest accounts still in SharePoint groups
  4. Review sites with "Everyone" or "Everyone except external users" in their member lists
  5. Identify and restrict sites with highly sensitive content (HR, Finance, Legal, Executive)

Step 2: Enable Restricted SharePoint Search

Restricted SharePoint Search (RSS) is a tenant-level setting that limits which SharePoint sites appear in organisation-wide search, Copilot chat, and agentic experiences while you clean up permissions. It is useful as a temporary rollout control, not a long-term security boundary.

How Restricted SharePoint Search works

When RSS is enabled, Copilot and Microsoft 365 Chat prioritise a curated allowed list of up to 100 SharePoint sites while still respecting existing permissions. Users can also continue to see content they own, recently accessed, frequently visit, or that was shared directly with them. RSS reduces the blast radius while you complete broader governance remediation, but it does not replace permission cleanup.

Recommended approach: Start with RSS enabled and a list of your 20–30 highest-quality, well-governed sites. Expand the allowed list monthly as you validate each site's content quality and permissions. This gives users a great Copilot experience from day one while giving IT time to audit the rest of the tenant.

Configuring RSS

RSS is configured via PowerShell using the SharePoint Online Management Shell:

  • Connect to SharePoint Online as a Global Administrator or SharePoint Administrator
  • Run Set-SPOTenantRestrictedSearchMode -Mode Enabled to enable RSS
  • Add sites with Add-SPOTenantRestrictedSearchAllowedList -SitesList @("https://yourorg.sharepoint.com/sites/sitename")
  • View the current allowed list with Get-SPOTenantRestrictedSearchAllowedList
📄 Restricted SharePoint Search documentation — learn.microsoft.com/en-us/sharepoint/restricted-sharepoint-search
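
The configuration steps above as one script, added here as an example (not code from this guide or from Microsoft). It goes slightly beyond the steps by validating and de-duplicating the site batch before touching the tenant. The admin URL, tenant host, candidate URLs, the $DryRun switch and the Get-ValidatedSiteList helper are assumptions for illustration; Get-SPOTenantRestrictedSearchMode is not mentioned above but ships in the same SharePoint Online Management Shell module.

```powershell
# Added example: staged Restricted SharePoint Search rollout.
# $AdminUrl, $TenantHost and the candidate URLs are placeholders (constructed sample data).
$AdminUrl   = 'https://yourorg-admin.sharepoint.com'
$TenantHost = 'yourorg.sharepoint.com'
$MaxAllowed = 100      # allowed-list cap stated in this guide
$DryRun     = $true    # set to $false to apply the change to the tenant

$Candidates = @(
    'https://yourorg.sharepoint.com/sites/hr-policies'
    'https://yourorg.sharepoint.com/sites/HR-Policies/'   # duplicate: differs only by case and slash
    'https://yourorg.sharepoint.com/sites/product-specs'
    'http://yourorg.sharepoint.com/sites/legacy'          # rejected: not https
    'https://example.org/sites/partner'                   # rejected: not this tenant
)

# Hypothetical helper: keep only unique https URLs on the expected tenant host.
function Get-ValidatedSiteList {
    param([string[]]$Urls, [string]$ExpectedHost)
    $seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($u in $Urls) {
        $uri = $null
        if (-not [Uri]::TryCreate($u.Trim(), [UriKind]::Absolute, [ref]$uri)) {
            Write-Warning "Skipping malformed URL: $u"; continue
        }
        if ($uri.Scheme -ne 'https' -or $uri.Host -ne $ExpectedHost) {
            Write-Warning "Skipping non-https or off-tenant URL: $u"; continue
        }
        $clean = $uri.GetLeftPart([UriPartial]::Path).TrimEnd('/')
        if ($seen.Add($clean)) { $clean }   # emit each site only once
    }
}

$sites = @(Get-ValidatedSiteList -Urls $Candidates -ExpectedHost $TenantHost)
if ($sites.Count -eq 0)           { throw 'No valid sites in this batch.' }
if ($sites.Count -gt $MaxAllowed) { throw "Batch has $($sites.Count) sites; the cap is $MaxAllowed." }

if ($DryRun) {
    "Dry run: would enable RSS and allow $($sites.Count) site(s):"
    $sites
} else {
    Connect-SPOService -Url $AdminUrl                  # interactive admin sign-in
    Set-SPOTenantRestrictedSearchMode -Mode Enabled
    Add-SPOTenantRestrictedSearchAllowedList -SitesList $sites

    # Read back the tenant state so the change can be recorded in the rollout log.
    Get-SPOTenantRestrictedSearchMode
    Get-SPOTenantRestrictedSearchAllowedList
}
```

The cap check covers only the batch being added; compare it against the output of Get-SPOTenantRestrictedSearchAllowedList when expanding an existing list.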

Step 3: Apply Microsoft Purview Sensitivity Labels

Sensitivity labels are metadata tags applied to content that carry protection policies — encryption, access restrictions, visual markings, and DLP (Data Loss Prevention) rules. For Copilot, sensitivity labels serve two critical functions: they tell Copilot which content is confidential (and how to handle it), and they prevent Copilot from including encrypted content in responses for users without decryption rights.

Planning your label taxonomy

Microsoft recommends starting with a simple, widely understood taxonomy rather than a complex hierarchy. A common starting point:

| Label | Typical use | Copilot behaviour |
|---|---|---|
| Public | Marketing materials, public docs | Fully searchable, includable in responses |
| General | Day-to-day business content | Searchable for all org users |
| Confidential | Internal projects, strategic plans | Only surfaced to users with access; label visible in responses |
| Highly Confidential | HR, legal, executive, financial | Encrypted; Copilot cannot include in responses without decryption rights |

Auto-labelling vs manual labelling

Manual labelling by end users is unreliable at scale. Supplement it with:

  • Auto-labelling policies: Purview scans SharePoint content and applies labels based on content matches — credit card numbers, national ID patterns, keywords like "board only" or "attorney-client privilege"
  • Default site sensitivity labels: Assign a default label to entire SharePoint sites (e.g., all HR site content defaults to Confidential) so new documents are labelled automatically
  • Client-side auto-labelling: Office apps suggest labels based on document content as users work
📄 Microsoft Purview Sensitivity Labels documentation — learn.microsoft.com/en-us/purview/sensitivity-labels

Step 4: Clean Stale and Low-Quality Content

Copilot searches across your SharePoint environment and synthesises answers from what it finds. If your SharePoint is full of outdated policy documents from 2018, duplicated project folders, and half-finished draft files that were never deleted, Copilot will confidently cite them in its responses — and those responses will be wrong.

Identifying stale content

Use SharePoint's built-in site storage reports and the Microsoft 365 Usage Analytics workbook to identify high-volume, low-activity areas:

  • Documents not accessed in 18+ months with no ongoing project association
  • Sites with zero activity in the past 6 months (candidate for archival)
  • Multiple near-identical documents in the same library (duplicates from iterative saves)
  • Personal OneDrive content shared broadly that should be in a team site

Content lifecycle governance

After initial cleanup, put forward-looking governance in place to prevent re-accumulation:

  • Set retention labels on document libraries to automatically expire and delete content after defined periods (Purview Compliance Portal)
  • Designate site owners responsible for quarterly content reviews
  • Use Power Automate flows to flag documents unmodified for 12 months and notify owners — see our Power Automate guide for the stale content alert flow
  • Establish an official "archive" site collection for completed projects rather than leaving old content in active sites

Step 5: Improve Metadata and Content Searchability

Copilot uses the same Microsoft Search index that powers SharePoint's search experience. The richer your metadata, the more accurately Copilot can retrieve and contextualise your content. This step is often skipped but significantly improves Copilot response quality.

Metadata improvements to prioritise

  • Document titles: Many SharePoint documents have generic names like "Final v3 REVISED.docx". Rename key documents with descriptive, searchable titles.
  • Managed metadata: Use the SharePoint Term Store to create controlled vocabularies for Department, Project, Content Type, and Status columns. These become filterable facets in search and give Copilot structured context.
  • Page descriptions: SharePoint pages with empty or thin descriptions score poorly in search. Add meaningful descriptions to all important pages.
  • Content types: Associate document libraries with content types so Copilot understands what kind of document it's reading (Policy, Procedure, Report, Project Brief, etc.).

Step 6: Validate Search Quality Before Copilot Launch

Copilot answers are only as good as what Microsoft Search surfaces. Before enabling Copilot, run search quality validation tests using queries representative of what your employees will ask.

Search quality testing methodology

  1. Identify 20–30 representative employee queries across key use cases (HR policies, project documentation, product specs, process guides)
  2. Run each query in Microsoft Search and assess whether the top 5 results are accurate and current
  3. For queries returning poor results, investigate: is the content missing? Poorly titled? Not crawled? Overly restricted?
  4. Use the SharePoint Admin Centre's Search Configuration to set up promoted results (Best Bets) for high-priority queries
  5. Add synonyms in Microsoft Search admin for common internal acronyms and product names

Copilot readiness benchmark: As an internal readiness target, aim for at least 70% of your test queries to return accurate, current results in the top three before Copilot is enabled for that user segment. If you're below that bar, search quality remediation — not AI enablement — should be the priority.

The Copilot Readiness Checklist

  • Oversharing audit complete

    SAM Data Access Governance reports run; Anyone links reviewed; ex-employee guests removed; high-risk sites identified and remediated.

  • Restricted SharePoint Search configured

    RSS enabled at tenant level; initial allowed-site list of 20–30 curated, high-quality sites defined and added.

  • Sensitivity labels deployed

    Label taxonomy agreed with Information Security; auto-labelling policies active; at least Highly Confidential sites have encryption enforced.

  • Stale content removed

    Sites inactive for 6+ months archived; documents older than 3 years reviewed; duplicate content eliminated from key libraries.

  • Metadata enriched

    Key document libraries have content types; Term Store managed metadata active; important pages have search descriptions.

  • Search quality validated

    Representative query set tested; promoted results configured for top use cases; synonyms added for internal terminology.

Common Mistakes Organisations Make

  • Enabling Copilot immediately after licence purchase — without governance remediation, this is the fastest way to a data exposure incident and an executive-level escalation about confidential documents appearing in AI summaries
  • Treating RSS as a permanent solution — Restricted SharePoint Search is a temporary safety net during remediation, not a long-term governance strategy; maintain a roadmap to expand the allowed list as sites are validated
  • Applying sensitivity labels as a one-time project — labelling is a continuous process; new content is created daily, and auto-labelling policies need regular tuning
  • Skipping search validation — teams often assume Microsoft Search "just works" without verification; poor baseline search quality directly causes poor Copilot response quality
  • Not communicating the permission audit to staff — when IT revokes access that users have held for years (even inappropriately), it causes friction; communicate why access changes are happening ahead of Copilot launch
