Formerly known as Azure AI Services or Azure Cognitive Services is a unified collection of prebuilt AI capabilities within the Microsoft Foundry platform
Hello @beguem
Welcome to Microsoft Q&A .Thank you for reaching out to us.
Thank you for sharing the detailed observations and sensitivity label configuration. The behavior described helps clearly narrow down the scenario.
From the validation provided, the following is confirmed:
- The Retrieval API request is successfully processed (HTTP 200)
- Authentication and permissions are valid
- Graph Search returns the same SharePoint content
- Retrieval API and Foundry grounding execute but return empty results
This confirms that the issue is not related to connectivity or permissions, but rather how content is processed for AI grounding.
The difference lies in how each service works:
- Graph Search API returns documents from the search index (discovery)
- Copilot Retrieval API returns text extracts used for grounding AI responses
Therefore:
- Appearance in search confirms indexing and access
- Empty retrievalHits indicates that no usable grounding content was produced
The Retrieval API depends on the Copilot semantic index and grounding pipeline, which processes and extracts content rather than returning documents directly.
As per the guidance and observed behaviour -
- Content protected with user-defined permissions can block Copilot and agents from extracting content
- Unopened SharePoint documents with such protection may not be accessible to background grounding scenarios
Regarding the preview limitation and architectural constraint - the behavior aligns with current service behavior / known limitation scenarios for background grounding.
- It is not an indexing or permission issue
- It is not documented as a permanent constraint
- As the Retrieval API is in preview, behavior may evolve
However, no official commitment or change timeline is published.
Supported configurations that can be validated include:
Yes, supported configurations that can be validated include:
- SharePoint-permission-based access (no user-defined encryption)
- Default sensitivity labels at the document library level
- Labels that extend SharePoint permissions to documents
These configurations allow content to be processed more reliably by the grounding pipeline.
Regarding the reason for native Copilot working while Retrieval API does not is that
The difference is due to processing paths:
Native Copilot (interactive)
- Works with content when opened (“data-in-use”)
- Applies user permissions at runtime
Retrieval API / Foundry grounding
- Performs background retrieval
- Depends on semantic indexing and extractable content
Because of this, encrypted documents may work in interactive Copilot but not in grounding-based retrieval scenarios.
Please note that as of now there is no public timeline is available as this remains a product roadmap topic and updates will only be communicated through official documentation or release notes.
Please check if the following steps help-
- Validating label configuration
- Confirm use of user-defined permissions
- Confirm encryption settings and EXTRACT rights
- Performing a controlled test
- Select one affected document
- Test current configuration
- Modify:
- Remove encryption temporarily, or
- Apply SharePoint-permission-based / default label
- Re-run the same Retrieval API request
- Validating API and identity configuration
- Use delegated authentication
- Ensure:
- Files.Read.All
- Sites.Read.All
- Use natural language query
- Confirm dataSource: "sharePoint"
- Validating Foundry grounding setup
- Ensure user identity passthrough (On-Behalf-Of)
- Avoid relying only on managed identity
- Treat PAYG as secondary
- PAYG propagation may take a few hours
- Initial calls may behave inconsistently
The following references might be helpful , please check them out
- Microsoft 365 Copilot Retrieval API Overview | Microsoft Learn
- Use the Microsoft 365 Copilot Retrieval API to Retrieve Grounding Data | Microsoft Learn
- Microsoft 365 Copilot data protection architecture | Microsoft Learn
- Considerations for Microsoft Purview to manage Microsoft 365 Copilot and Channel Agent in Teams for security and compliance | Microsoft Learn
- Microsoft Graph permissions reference - Microsoft Graph | Microsoft Learn
- Use SharePoint content with agent API - Microsoft Foundry | Microsoft Learn
- Microsoft 365 Copilot Retrieval API pay-as-you-go consumption (preview) | Microsoft Learn
- Configure SharePoint with a sensitivity label to extend permissions to downloaded documents | Microsoft Learn
- Enable sensitivity labels for files in SharePoint and OneDrive | Microsoft Learn
Please let us know if the response was helpful
Thank you
Please "Accept" the answer with an "Upvote" if the response was helpful. This will be benefitting other community members who face the same issue.