Skip to main content
  1. Blog/

Microsoft 365 Copilot: Should You Enable or Disable Web Search?

Daniel Kordes
Author
Daniel Kordes
Microsoft 365 Consultant and Microsoft MVP based in Zurich. I blog about Microsoft 365, Azure and cloud technologies.
Table of Contents

–> Auch auf deutsch verfügbar!

This article was translated from German with the help of AI.

Microsoft 365 Copilot becomes much more useful when answers are not only contextualized internally, but can also include current public information when needed. This is exactly what Web Search or web grounding is for. From an admin and compliance perspective, this is not just a convenience feature. You need to understand which data remains within the Microsoft 365 boundary, which search terms can be sent to Bing, and which setting controls the behavior.

What is web grounding?
#

When Web Search is enabled, Microsoft 365 Copilot can use public web information to improve answers. Copilot analyzes the prompt, decides whether web information would be helpful, creates a separate search query, and sends it to the Bing Search service. The returned web information can then be included in the answer. The important part: according to Microsoft, the full prompt is not generally sent to Bing. Copilot usually creates a short search query derived from the prompt. Microsoft explicitly names the relevant exception: for very short prompts, for example “local weather”, the full prompt can effectively become the search query. Microsoft also documents that full Microsoft 365 files, full emails, uploaded files, and Entra ID identifiers such as username, domain, or tenant ID are not sent to Bing. That is the key distinction: web grounding does not mean Copilot uploads internal documents to the internet. But it does mean that search terms can be created from an internal context and sent to Bing.

Why you might want to enable Web Search #

The main benefit is freshness. Without Web Search, Copilot is limited for external topics such as Microsoft roadmap items, Learn documentation, security advisories, regulatory developments, market information, or public company information. This matters especially for knowledge work and admin questions. If users need to research anyway, it makes sense for Copilot to include current web information instead of answering only from static model knowledge or internal data. Microsoft also points out that Web Search is not required for features such as Researcher and Analyst, but is recommended to get more value from them.

Why admins should still be careful
#

The real question is not whether Web Search is useful. The question is which information can end up in the search query. Microsoft clearly says that full documents or prompts are not sent to Bing. However, a search query can be influenced by internal content if users reference an internal document or work in a Microsoft 365 app with a document open. In most cases this will not be critical, but it can become sensitive. Examples include internal project names, codenames, M&A topics, customer names, product strategies, security incidents, or HR and legal matters. If a single term is already confidential, even a short search query can become a problem. That is why Web Search belongs in the governance discussion and should not be enabled or disabled casually.

The most important compliance point
#

For prompts and responses in Microsoft 365 Copilot, the known Microsoft 365 commitments apply. Microsoft describes, among other things, Enterprise Data Protection, Product Terms, and the Data Protection Addendum. According to Microsoft, prompts, responses, and Microsoft Graph data are not used to train foundation models. Generated web search queries need to be assessed differently. Microsoft documents that Bing Search is operated separately from Microsoft 365. The search queries are sent to Bing without user and tenant identifiers and, according to Microsoft, are not used for advertising, ranking, tracking, or training generative foundation models. Still, the legal framework is different: for these generated Web Search queries, Microsoft acts as a Data Controller. Microsoft also states that the Microsoft Products and Services Data Protection Addendum, HIPAA compliance, and the EU Data Boundary do not apply to these generated search queries. This is already the second point in this series where the EU Data Boundary does not apply the way many admins would intuitively expect. A similar point came up with Flex Routing in Microsoft 365. From my point of view, this is the central point for data protection, compliance, and CISO discussions.

Which admin setting matters?
#

The central policy is called Allow web search in Copilot. According to Microsoft, it is available only in Cloud Policy service for Microsoft 365, meaning config.office.com. For practical implementation, you should therefore not rely on a Copilot settings page in the Microsoft 365 admin center. This policy controls Web Search for Microsoft 365 Copilot and Microsoft 365 Copilot Chat. Microsoft lists three options:

  • Web Search enabled in Microsoft 365 Copilot and Microsoft 365 Copilot Chat
  • Web Search disabled in Microsoft 365 Copilot and Microsoft 365 Copilot Chat
  • Web Search disabled in Microsoft 365 Copilot Work mode, but enabled in Microsoft 365 Copilot Web mode and Microsoft 365 Copilot Chat If Web Search is not configured, Microsoft says it is generally available unless other policies such as “Allow the use of additional optional connected experiences in Office” prevent it. Not configuring the policy is therefore also a decision.

Is there a user toggle?
#

Yes, but not everywhere. In Microsoft 365 Copilot Work Chat, there is a Web content toggle. If admins allow Web Search, users can turn this toggle off themselves. If admins disable Web Search, the toggle is unavailable or greyed out. However, this toggle is not a full governance solution. The actual control belongs at admin level.

Audit and transparency
#

A good argument for controlled enablement is transparency. Microsoft documents Web Search query logging. Admins can use the generated search queries for search, audit, and eDiscovery. There is also transparency for users: in Microsoft 365 Copilot Chat, the exact Web Search queries can be shown in the citation area of the answer. Microsoft notes, however, that these query citations are only available in Copilot Chat and are only shown in the chat thread for 24 hours. For admins, Purview is also relevant. In Microsoft Purview Data Security Posture Management for AI, the actual web search terms can be visible in Activity Explorer alongside the prompt, response, and supporting resources, provided the required features and licenses are available. This does not make web grounding risk-free. But it makes the feature easier to explain, review, and control.

How I would decide
#

I would enable Web Search when Copilot is being introduced productively, users have a basic AI guideline, privacy and security teams understand how the feature works, and audit or Purview options are known. Enablement is especially useful for general knowledge work, research, communication, and admin questions. I would initially keep Web Search disabled or limited if Copilot was introduced without governance, users do not know what web grounding means, particularly sensitive areas are involved, or internal codenames and confidential project names regularly appear in prompts. But for me, that would not be the desired permanent state. It would be a clean interim state until the organization is ready.

My recommendation
#

I would not disable Web Search across the board. The value is too high, and Microsoft provides enough technical and administrative information to assess the topic properly. But I also would not simply enable it tenant-wide without documenting the decision. The better path is a pilot group, short user guidance, a clear note about sensitive terms, and a review of audit or Purview options after a few weeks. My recommendation: Enable it, but deliberately. As a controlled admin decision with pilot, communication, and governance.

Sources
#

Related