Most people’s first reaction to Copilot and SharePoint goes something like this: “Wait — Copilot can see all of that?”
Then they panic. Then they Google. Then they find Restricted SharePoint Search and flip it on like it’s a fire extinguisher.
I get it. The instinct is right — you should care about what Copilot can reach. But RSS isn’t a security control. It’s a stalling tactic. And if you leave it on too long, it’ll cause more problems than the one you were trying to solve.
What is Restricted SharePoint Search, really?
RSS lets a SharePoint admin maintain an allowed list of up to 100 SharePoint sites. Only those sites show up in organisation-wide search results and Copilot chat responses.
That’s it. It doesn’t change a single permission on a single site. It doesn’t block anyone from accessing anything. It just hides sites from search and Copilot — unless the user has recently visited the site, or it was shared with them in Teams or Outlook. In which case, it shows up anyway.
That’s not a security boundary. That’s a curtain.
Microsoft’s own documentation on RSS says it plainly: this is designed as a short-term solution while you audit permissions and apply proper governance. It’s not meant to stay on.
Step-by-step: Setting up RSS the right way
If you’re going to use RSS — and there are situations where it makes sense — do it in this order.
Audit your active sites first
Open the SharePoint admin centre > Active sites. Filter by activity in the last 30 days. Customise columns to show page views, file counts, and last activity. Export the list to CSV. This is your starting inventory — the sites people actually use.
Review permissions on each candidate site
For every site you’re considering for the allowed list, open its details and check the Permissions tab. Look for “Everyone except external users” or company-wide groups. Those are the oversharing patterns you’re really worried about.
Enable RSS and build the allowed list
RSS is managed through PowerShell — there’s no toggle in the admin centre GUI for this one.
# Connect to the tenant admin endpoint first (SharePoint Online Management Shell)
Connect-SPOService -Url https://contoso-admin.sharepoint.com
Set-SPOTenantRestrictedSearchMode -Mode Enabled
Add-SPOTenantRestrictedSearchAllowedList -SitesList @("https://contoso.sharepoint.com/sites/intranet","https://contoso.sharepoint.com/sites/hr")
Notice what’s missing? A portal button. That’s deliberate. Microsoft wants friction here because they don’t want you to leave this on.
Plan your exit from day one
Before you enable RSS, set a calendar reminder for 30 days out. That’s your deadline to fix the permissions that made you turn it on in the first place — and then turn it off.
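The four steps above as one script, added here as an example and not code from the original post: it takes the Active sites CSV export, flags candidate sites whose SharePoint groups include "Everyone except external users", enables RSS within the 100-site cap, reads the list back, and records the 30-day exit deadline. Assumptions: the export has a "URL" column, the tenant is contoso, and that group shows up in Get-SPOSiteGroup output under its spo-grid-all-users claim.

```powershell
# Added example: RSS as a timed stopgap, not a permanent control.
# Assumed: CSV column "URL", contoso tenant, spo-grid-all-users claim name.
param(
    [string]$AdminUrl = "https://contoso-admin.sharepoint.com",
    [string]$CsvPath  = ".\ActiveSites.csv",   # export from Active sites (step 1)
    [int]   $MaxSites = 100                     # hard limit of the RSS allowed list
)
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $AdminUrl

# Step 1: start from the audited inventory and respect the cap.
$candidates = Import-Csv $CsvPath | Select-Object -ExpandProperty URL -Unique
if ($candidates.Count -gt $MaxSites) {
    Write-Warning "Inventory has $($candidates.Count) sites; RSS allows $MaxSites. Trimming."
    $candidates = $candidates | Select-Object -First $MaxSites
}

# Step 2: surface the oversharing pattern before a site goes on the list.
# Only site groups are inspected here; direct sharing links need the DAG reports.
foreach ($url in $candidates) {
    $broad = Get-SPOSiteGroup -Site $url | Where-Object {
        $_.Users -match 'spo-grid-all-users'   # "Everyone except external users" (assumed claim)
    }
    if ($broad) {
        Write-Warning "$url : group(s) $($broad.Title -join ', ') grant access to everyone"
    }
}

# Step 3: enable RSS, load the allowed list, then read it back to confirm.
Set-SPOTenantRestrictedSearchMode -Mode Enabled
Add-SPOTenantRestrictedSearchAllowedList -SitesList $candidates
$mode    = Get-SPOTenantRestrictedSearchMode
$applied = Get-SPOTenantRestrictedSearchAllowedList
Write-Host "Restricted search mode: $mode; $($applied.Count) site(s) on the allowed list"

# Step 4: the exit plan. Put the deadline where the next admin will see it.
$exitDate = (Get-Date).AddDays(30).ToString('yyyy-MM-dd')
Write-Host "RSS exit deadline: $exitDate. Once permissions are fixed, run:"
Write-Host "  Set-SPOTenantRestrictedSearchMode -Mode Disabled"
Write-Host "  Remove-SPOTenantRestrictedSearchAllowedList -SitesList (Get-SPOTenantRestrictedSearchAllowedList)"
```

The group check is a quick first pass only; the Data Access Governance reports remain the authoritative oversharing map for the remediation work that follows.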
When RSS backfires
Here’s where most people get into trouble. They enable RSS, breathe a sigh of relief, and forget about it. Months later, three things have gone wrong:
Search breaks for everyone. RSS doesn’t just limit Copilot — it limits all organisation-wide search. Your finance team can’t find the policy site. Your HR team can’t find the onboarding hub. Nobody told them you turned this on, so they log a ticket blaming SharePoint.
Copilot gets dumber. With only 100 sites to draw from, Copilot has less information to reference. Answers get vague. Users lose trust. You’ve just paid for Copilot licences and then blindfolded the thing.
False confidence sets in. The admin thinks the problem is solved. It isn’t. RSS doesn’t stop Copilot from surfacing content a user has already accessed. If someone opened that sensitive spreadsheet last week, Copilot can still reference it — allowed list or not.
The actual fix: permissions, not curtains
RSS buys you time. Use it. But spend that time on the thing that actually matters: fixing your SharePoint permissions.
Start with Data Access Governance reports in SharePoint Advanced Management. These reports show you exactly which sites have broad sharing, “Everyone” links, or missing sensitivity labels. That’s your real oversharing map.
Then work through it site by site. Remove company-wide sharing links. Tighten group memberships. Apply sensitivity labels where they belong. This is the work that actually makes Copilot safe — not hiding sites from search and hoping for the best.
Once permissions are clean, disable RSS. Let Copilot use the full breadth of your tenant. That’s how you get value from it.
“We turned on RSS six months ago and Copilot still isn’t helpful.”
That’s not a Copilot problem. That’s an RSS problem.
My recommendation?
Use RSS if you’re deploying Copilot to a tenant you haven’t audited yet and you need breathing room. Thirty days. Not six months. Not “until we get to it.”
Set the allowed list. Fix the permissions behind the scenes. Then take the training wheels off.
If you’re an MSP and you’re not walking clients through this sequence — temporary RSS, permission remediation, RSS removal — you’re either leaving them exposed or leaving them hobbled. Neither looks good at renewal time.
RSS isn’t there to protect your tenant. It’s there to give you a window to actually protect your tenant. Don’t confuse the window with the wall.