In This Article
- What Just Changed, and Why Your Copilot Plan Depends On It
- The Retirement Timeline You Cannot Miss
- What Restricted SharePoint Search Was Doing for You
- Restricted Content Discovery Is Not a Drop-In Replacement
- The Exposure When the Guardrail Lapses
- The Migration Playbook for Banks, Credit Unions, and Mortgage Companies
- Why This Doubles as an Access-Controls Health Check
- Frequently Asked Questions
For the last two years, a single tenant-wide switch let cautious institutions deploy Microsoft 365 Copilot before they had finished cleaning up who can see what. Restricted SharePoint Search was that switch. It held SharePoint content back from Copilot and organization-wide search while administrators worked through their permissions, and a lot of banks, credit unions, and mortgage companies leaned on it as the thing that made an early Copilot rollout feel safe. Microsoft is now retiring it.
On June 18, 2026, the notice landed in the Microsoft 365 admin center as Message Center post MC1395311. Restricted SharePoint Search is going away on a fixed schedule, with no extensions, and Microsoft has been clear that it will not move your settings to the replacement for you. The successor control, Restricted Content Discovery, works differently enough that treating this as a like-for-like swap is the fastest way to end up exposed. For an institution that used Restricted SharePoint Search as a Copilot panic button, this is a dated obligation that has just appeared on the calendar.
This article lays out what is changing, the deadlines that matter, how the new per-site control differs from the old tenant-wide one, and the migration steps a regulated institution should run before the guardrail lapses. The productivity upside of Copilot has not changed. What has changed is that the interim shortcut is expiring, and the real governance work it was buying time for is now due. If you want the broader pre-flight picture, our guide on Copilot oversharing for financial institutions covers the full readiness path; this piece zooms in on the deadline that just got set.
The Short Version
Microsoft is retiring Restricted SharePoint Search, the tenant-wide control that held SharePoint content back from Copilot and search while you remediated oversharing. New enablement is blocked starting July 31, 2026, and the feature is fully retired January 31, 2027 with no extensions. Microsoft will not migrate your configuration to the replacement, Restricted Content Discovery, which is a per-site control rather than a tenant-wide one. If you used Restricted SharePoint Search as a Copilot guardrail, content it was holding back may become discoverable once it lapses, unless you apply Restricted Content Discovery or fix the underlying permissions first. The migration is the access-controls cleanup your next examiner will ask about anyway.
What Just Changed, and Why Your Copilot Plan Depends On It
Start with what Restricted SharePoint Search actually was, because the value it provided is the value now at risk. It was a tenant-wide guardrail: switch it on, and only the SharePoint sites you placed on an allowed list could appear in organization-wide search and in Microsoft 365 Copilot. Everything else was held back from discovery. Microsoft always described it as a temporary measure, a curtain to draw while administrators reviewed and corrected permissions, not a permanent security boundary.
That temporary framing is the whole point of the retirement. Microsoft built a durable, surgical successor, Restricted Content Discovery, and is pulling the interim tool out of service to push every organization onto it. Message Center post MC1395311, published on June 18, 2026, sets the schedule and states the part that catches people off guard: Microsoft will not automatically migrate Restricted SharePoint Search configurations to Restricted Content Discovery. The audit, the site identification, and the new configuration are work the institution has to do.
For most institutions outside financial services, this is a housekeeping item. For a regulated institution that turned on Restricted SharePoint Search specifically to keep an unremediated tenant from broadcasting member account numbers and loan files to a Copilot prompt, it is a deadline with teeth.
The Retirement Timeline You Cannot Miss
Microsoft has laid out a staged retirement rather than a single cutoff, and each date matters for planning. The window to act is the second half of 2026. Mark these on the same calendar you use for examination prep and license renewals.
Microsoft publishes the Restricted SharePoint Search retirement notice in the Microsoft 365 admin center, naming Restricted Content Discovery as the successor and confirming there will be no automatic migration.
Organizations can no longer turn on Restricted SharePoint Search. If you have not enabled it by this date, that door is closed and Restricted Content Discovery becomes your only option.
The transition period. Existing Restricted SharePoint Search configurations keep working while you audit your sites, identify what the allowed list was protecting, and apply Restricted Content Discovery to the sites that need it.
The feature stops working entirely, with no extensions. Content the control was holding back may become discoverable by Copilot and organization-wide search unless Restricted Content Discovery or corrected permissions are in place.
The Restricted SharePoint Search PowerShell cmdlets are retired. Any scripts or runbooks that reference them stop functioning and need to move to the Restricted Content Discovery commands.
The trap is the gap between feeling done and being done. The real work, auditing every site the allowed list was shielding and deciding what to do with each one, takes longer than flipping a switch, and the July 31 cutoff on new enablement means there is no fallback if you wait. Treat the retirement window as the time you have to finish, not the time you have to start.
What Restricted SharePoint Search Was Doing for You
To migrate well, you have to be honest about what the old control was and was not doing. Restricted SharePoint Search limited how SharePoint content appeared in Microsoft Search and Microsoft 365 Copilot during a permissions and governance review. It was a discovery control, never an access control, and that distinction is the one that trips institutions up.
Restricted SharePoint Search never changed a single permission. A site held back from Copilot was still fully openable by every person who had been granted access to it, through a direct link, a bookmark, or a saved search. The control kept content from surfacing in a Copilot answer or an organization-wide search result. It did nothing about the underlying oversharing. It was a curtain, not a wall, and Microsoft said as much every time it documented the feature.
The Detail That Decides Your Risk on February 1, 2027
Because Restricted SharePoint Search only governed discovery, the institutions most exposed by its retirement are the ones that used it instead of fixing permissions, rather than alongside fixing them. If the allowed list was the entire plan, then on the day the control retires, every overshared site it was hiding becomes discoverable to Copilot again. If the allowed list was a temporary curtain while a real remediation happened underneath, the retirement is a non-event because the access was corrected. The retirement does not create new risk. It reveals whether the original cleanup ever happened.
Restricted Content Discovery Is Not a Drop-In Replacement
Restricted Content Discovery solves the same problem with a different shape, and the shape is the reason there is no automatic migration. Where Restricted SharePoint Search was tenant-wide and worked from an allow list, Restricted Content Discovery is a per-site setting you apply to specific sites you want to keep out of discovery. You are no longer drawing one curtain across the whole tenant and listing the exceptions; you are flagging the individual sites that should not surface.
Restricted SharePoint Search (retiring)
- Tenant-wide control, one switch for the whole organization
- Allow list model: only listed sites surface in search and Copilot
- Allowed list capped, so it does not scale to a large tenant
- Positioned by Microsoft as a short-term measure only
- Configured and removed through its own PowerShell cmdlets
- Fully retired January 31, 2027
Restricted Content Discovery (successor)
- Per-site control, applied to specific high-risk sites
- Block model: flagged sites are kept out of search and Copilot
- Scales site by site, with management delegable to site admins
- Built as the durable governance control going forward
- Set with Set-SPOSite -RestrictContentOrgWideSearch $true
- Changes captured in the Microsoft 365 unified audit log
The mechanics matter as much as the model. When you enable Restricted Content Discovery for a site, that site no longer surfaces in organization-wide search or in Microsoft 365 Copilot Business Chat, with one nuance: a user who had a recent interaction with the site may still see it. Like its predecessor, it changes discovery, not permissions, so anyone who already has access can still open the files directly. It cannot be applied to OneDrive, and changes propagate through the search index over time rather than instantly, so you plan for a lag. Microsoft documents the full behavior in its guidance on restricting discovery of SharePoint sites and content.
SharePoint Advanced Management is the prerequisite that matters, the management add-on that powers Restricted Content Discovery. Microsoft's documentation notes the control can be applied once at least one user in the organization is assigned a Microsoft 365 Copilot license, a bar institutions deploying Copilot already clear. Administrators can delegate Restricted Content Discovery management to site administrators, who must supply a justification when they apply it, and every change is recorded in the Microsoft 365 unified audit log. That audit trail is exactly the kind of evidence that makes the control defensible in an examination.
There is also a cost to overusing it: the more sites you wall off, the less content Copilot has to ground its answers on, and answer quality degrades. The goal is to restrict the genuinely sensitive sites and remediate the rest, which is the same data-classification discipline that drives data loss prevention for financial institutions.
The Exposure When the Guardrail Lapses
It helps to make the risk concrete, because "content may become discoverable" does not land until you picture it inside your own institution. Microsoft 365 Copilot only surfaces content the signed-in user can already open. The danger is not that Copilot breaks a rule. It is that an old oversharing problem, quietly contained by Restricted SharePoint Search, becomes a loud answer the moment the curtain lifts.
A mortgage company turned on Restricted SharePoint Search in 2024 so it could deploy Copilot quickly, with a plan to clean up permissions "later." Later never came. A SharePoint site from an old core conversion, still open to the whole company and full of borrower account numbers, was simply kept off the allowed list. On February 1, 2027, the control is gone. An employee asks Copilot a routine question, and because the permissions were never corrected, Copilot reads that site and answers with the confidential figures. No rule was broken. The access always said she could see it.
A credit union turned on the same control for the same reason, but used the retirement window to do the real work. It audited the sites the allowed list was shielding, corrected the permissions on the overshared ones, and applied Restricted Content Discovery to the few that are legitimately sensitive. When Restricted SharePoint Search retires, nothing changes. Copilot answers from content the employee is actually supposed to use, the sensitive sites stay out of discovery by design, and the audit log shows exactly who restricted what and why.
What separates those two institutions is not budget or appetite for AI. It is whether the migration was treated as a cleanup or a checkbox. An institution that does nothing inherits, on a specific date, every oversharing problem it had postponed.
The Migration Playbook for Banks, Credit Unions, and Mortgage Companies
Microsoft's own sequence is consistent across its oversharing guidance: discover what is overshared, contain the worst of it, remediate the access, then govern it going forward. Here is that path as a project a regulated institution can actually run inside the retirement window.
Audit current Restricted SharePoint Search usage
Start by confirming whether the control is even on, and if it is, what its allowed list contains. That allowed list, and the sites it implicitly excluded, is the scope of your migration. Do not assume you know what is on it from memory; pull the actual configuration before the cmdlets stop working.
Identify the overshared and high-risk sites
Run the SharePoint Data Access Governance reports to produce a ranked list of the sites with the broadest access and the most live sharing links, then cross-reference that list against the Restricted SharePoint Search allowed list. The sites held back from discovery, especially the ones open to the whole organization, are where nonpublic personal information, board materials, and credit files are most likely sitting in the open. This is where you learn the real shape of your tenant. Our walkthrough of the Microsoft 365 Copilot readiness assessment covers how this discovery fits the larger readiness picture.
Apply Restricted Content Discovery to the sites that need it
For the genuinely sensitive sites that should stay out of organization-wide search and Copilot, enable Restricted Content Discovery per site using Set-SPOSite -RestrictContentOrgWideSearch $true, with a justification recorded for each. This replaces the discovery protection the tenant-wide control was providing, but only where it is warranted. Resist the urge to wall off everything; over-restricting starves Copilot of the content that makes it useful.
Remediate the underlying permissions
This is the step that turns containment into a cure, and the one Restricted SharePoint Search was always buying time for. For each overshared site, remove the broad groups, kill the stale sharing links, and assign access to the people who genuinely need it. Apply Microsoft Purview sensitivity labels so that protection travels with the file, and put site access reviews in place so owners re-confirm membership on a schedule. Our walkthrough of Microsoft Purview DLP for AI and Copilot covers how those controls extend to AI specifically. A site whose permissions are correct does not need a discovery control at all.
Validate, document, and decommission the old control
Confirm that Restricted Content Discovery is applied where intended, that the unified audit log captured every change, and that the previously overshared sites now have correct access. Keep the artifacts: the ranked list of overshared sites, the record of what was restricted and why, and the labels applied. Then let Restricted SharePoint Search retire on schedule. The curtain comes down because the room behind it is finally in order.
Run those steps in order and the work stays bounded. Most of the effort lands in the discovery and the permission corrections, not in flipping controls.
The institutions that quietly turned on Restricted SharePoint Search to ship Copilot fast are the ones this retirement is aimed squarely at. Across the Microsoft 365 tenants we manage for financial institutions, the pattern is consistent: the interim control got switched on, the permissions cleanup got deferred, and the allowed list became the de facto governance plan. The good news is that once the Data Access Governance reports turn the unknown into a ranked list, the number of sites that genuinely need Restricted Content Discovery is usually a few dozen, not a few thousand. The rest is permission cleanup that should have happened anyway.
This work lands differently for an institution with a managed Microsoft 365 partner. A lean credit union or mortgage company IT team is not going to track a Microsoft 365 admin center retirement notice, audit a SharePoint allowed list, and re-architect site-level discovery against a deadline on top of everything else they own. It is also where a license reseller and a specialized partner part ways: selling Copilot licenses ends the day they are provisioned, while managing the tenant they run in and absorbing changes like this retirement is the ongoing job. ABT manages Microsoft 365 tenants, including SharePoint, Microsoft Purview, and Microsoft Entra, for 750+ financial institutions through delegated administration. The audit, the per-site configuration, the labeling, and the access reviews are the work ABT already performs under the M365 Guardian operating model, which turns a one-time scramble into a standing capability.
Beat the Restricted SharePoint Search deadline before the guardrail lapses
The retirement clock is running, and the content your old allowed list was shielding becomes discoverable when it stops. ABT audits your Restricted SharePoint Search usage, finds the overshared sites, applies Restricted Content Discovery where it belongs, and remediates the permissions underneath, so your Microsoft 365 Copilot deployment stays safe and your tenant stays examiner-ready. Let our team scope the migration for your institution.
Why This Doubles as an Access-Controls Health Check
There is a second payoff to this migration, and it is the one your examiner cares about. The cleanup you do to migrate off Restricted SharePoint Search safely is, nearly line for line, the access-controls evidence regulators already expect. The deadline simply gives you a reason to confirm a posture you should be able to demonstrate anyway.
Supervisory direction is consistent. The FTC Safeguards Rule, which governs nonbank financial institutions under the Gramm-Leach-Bliley Act, requires institutions to implement and periodically review access controls that limit access to customer information to the people who need it. The FFIEC's Information Security guidance presses the same least-privilege principle for banks, and the NCUA examines credit unions' access and authentication controls against that framework. That is exactly what a permissions remediation produces: a defensible answer to who can see customer data, and why.
Oversharing is the textbook weakness those expectations are written against, and a tenant that papered over it with a discovery control rather than fixing it is precisely the gap an examiner is trained to probe. The artifacts your migration generates, a ranked list of overshared sites, a record of what was restricted with Restricted Content Discovery, the sensitivity labels you applied, and the unified audit log of every change, are the kind of evidence that turns an examination question into a short conversation.
That is the reframe worth keeping. Migrating off Restricted SharePoint Search is not a side quest pulled away from compliance work. It is compliance work, with a safer Copilot deployment attached. You end up with a cleaner tenant, examiner-ready evidence, and an AI assistant that makes your team faster without making your members' or borrowers' data findable by the wrong person.
Frequently Asked Questions
Microsoft announced the retirement in Message Center post MC1395311 on June 18, 2026. New enablement of Restricted SharePoint Search is blocked starting July 31, 2026, the retirement window runs from July 2026 through January 2027, and the feature is fully retired on January 31, 2027 with no extensions. The associated PowerShell cmdlets are discontinued on February 28, 2027. Existing configurations keep working during the retirement window, which is the time organizations have to migrate to Restricted Content Discovery.
It can. After Restricted SharePoint Search retires, content it was holding back may become discoverable by Microsoft 365 Copilot and organization-wide search unless Restricted Content Discovery or corrected permissions are in place. Copilot still only surfaces content a user can already access, so the exposure is limited to sites that are overshared. If the permissions on those sites were never corrected, the content the control was hiding becomes findable again through a Copilot prompt. Applying Restricted Content Discovery to sensitive sites and remediating the underlying permissions before January 31, 2027 prevents that.
Restricted Content Discovery is the successor control and the replacement Microsoft is moving organizations toward. The key difference is scope. Restricted SharePoint Search was a tenant-wide control that worked from an allowed list, where only listed sites could surface in search and Copilot. Restricted Content Discovery is a per-site setting you apply to specific sites you want kept out of organization-wide search and Microsoft 365 Copilot Business Chat. Both control discovery rather than permissions, so users with access can still open files directly. Restricted Content Discovery cannot be applied to OneDrive, changes propagate through the search index over time, and every change is recorded in the Microsoft 365 unified audit log. It is set with the PowerShell command Set-SPOSite -RestrictContentOrgWideSearch $true.
No. Microsoft has stated in MC1395311 that it will not automatically migrate Restricted SharePoint Search configurations to Restricted Content Discovery. Organizations must manually audit their current Restricted SharePoint Search usage, identify the affected sites and allowed URL lists, and apply Restricted Content Discovery to the sites that need it before the deadline. Because the migration is manual, the safest approach is to pull the existing configuration early, while the feature and its PowerShell cmdlets still work, and use the retirement window to remediate permissions rather than simply recreating the old restrictions.
The migration is a five-step project: audit current Restricted SharePoint Search usage and capture the allowed list before the cmdlets retire; run SharePoint Data Access Governance reports to identify the overshared sites the control was shielding; apply Restricted Content Discovery to the genuinely sensitive sites; remediate the underlying permissions by removing broad groups, killing stale sharing links, applying Microsoft Purview sensitivity labels, and scheduling site access reviews; then validate the configuration, keep the audit artifacts, and let Restricted SharePoint Search retire on schedule. Most of the effort is in discovery and permission correction, and the cleanup doubles as access-controls evidence for examinations.
The prerequisite that matters is SharePoint Advanced Management, the add-on that powers Restricted Content Discovery. Microsoft's documentation notes the control can be applied once at least one user in the organization is assigned a Microsoft 365 Copilot license, a bar institutions deploying Copilot already clear. Administrators can delegate Restricted Content Discovery management to site administrators, who must supply a justification when they apply it, and every change is captured in the Microsoft 365 unified audit log. One planning note: over-restricting sites reduces the content Copilot can ground its answers on, so the goal is to restrict genuinely sensitive sites and remediate the rest, not to wall off everything.