Oversharing in SharePoint
Oversharing is the #1 risk when deploying Copilot. If your SharePoint permissions are too broad, Copilot will surface sensitive data to anyone who asks. Here's how to find and fix it.
Why oversharing is Copilot’s biggest risk
Oversharing is like leaving your office doors unlocked for years — nobody noticed because nobody wandered in. Then Copilot arrives, and suddenly it’s guiding everyone to every open door.
Before Copilot, an intern might technically have access to the Board’s SharePoint site but would never navigate there directly. After Copilot, they ask “What was discussed in the latest board meeting?” and Copilot finds and summarises it — because the permissions allow it.
Copilot doesn’t create the problem. It reveals the problem that was always there.
The oversharing → Copilot pipeline
| Before Copilot | After Copilot |
|---|---|
| “Everyone” permission on SharePoint sites → nobody notices | Copilot surfaces sensitive content to anyone who asks |
| Sharing links set to “Anyone” → link not widely shared | Copilot finds the linked content and includes it in responses |
| Old project sites with stale permissions → forgotten | Copilot queries historical content and brings it back to life |
| Guest access enabled broadly → guests rarely visit | Copilot shows guests internal content they technically can see |
Exam tip: “Fix oversharing BEFORE deploying Copilot” is the #1 best practice. Every Copilot deployment guide starts here.
Tool 1: Data Access Governance (DAG) reports
DAG reports in the SharePoint admin center show you where oversharing exists:
| Report | What It Shows |
|---|---|
| Sharing links | Sites with “Anyone” links or “People in your org” links |
| Sensitivity labels | Sites with sensitive content and their sharing settings |
| “Everyone except external users” | Sites shared with all internal users (oversharing indicator) |
| Oversharing baseline | Identifies the biggest risk areas before Copilot deployment |
Where: SharePoint admin center → Reports → Data access governance
Scenario: Northwave's pre-Copilot audit
Before deploying Copilot, Maya runs DAG reports:
Findings:
- 🔴 47 sites shared with “Everyone except external users” (most are old project sites)
- 🟡 23 sites have “Anyone” sharing links active (some are 3+ years old)
- 🟢 12 sites with sensitivity labels and appropriate sharing restrictions
Actions:
- Remove “Everyone” permissions from 47 sites → restrict to specific groups
- Expire 23 “Anyone” links → set expiration to 30 days max going forward
- Audit the 12 labelled sites → confirm restrictions are correct
- Set a policy: new sites default to “Specific people” sharing (not “Everyone”)
Timeline: 2 weeks of cleanup before Copilot pilot begins.
Tool 2: SharePoint Advanced Management (SAM)
SAM provides enterprise-grade governance features:
| Feature | What It Does | Why It Matters for Copilot |
|---|---|---|
| Restricted site access | Limits site access to members of the site’s M365 Group ONLY | Prevents “Everyone” access from leaking data to Copilot |
| Site lifecycle policies | Automatically identify and manage inactive sites | Old sites with stale permissions are cleaned up |
| Conditional access for sites | Apply Conditional Access at the site level | Require compliant devices for sensitive SharePoint sites |
| Block downloads | Prevent downloads from specific sites | Sensitive content can be viewed but not taken offline |
| Data access governance reports | Enhanced oversharing detection | Comprehensive pre-Copilot audit capability |
Restricted site access — the key feature
Restricted site access is a SAM feature that limits who can access a SharePoint site to ONLY the members of its associated M365 Group. Even if other users technically have permissions through inherited or legacy sharing, restricted access overrides them.
Why this matters for Copilot: When restricted site access is enabled, Copilot can only surface content from that site to group members — even if other users were previously able to access the site.
Restricted access vs permission cleanup
You have two approaches to fix oversharing:
Approach 1: Manual permission cleanup
- Review each site’s permissions individually
- Remove “Everyone” groups, fix inheritance, correct sharing links
- Thorough but time-consuming (weeks for large tenants)
Approach 2: Restricted site access (SAM)
- Enable restricted access on sensitive sites
- Access is automatically limited to group members regardless of other settings
- Fast but requires SAM license
Best practice: Use restricted access for immediate Copilot safety, then do thorough cleanup in the background.
Pre-Copilot checklist — the exam expects this
- ✅ Run DAG reports to identify overshared sites
- ✅ Remove “Everyone except external users” permissions from sensitive sites
- ✅ Expire old “Anyone” sharing links
- ✅ Enable restricted site access on sensitive sites (SAM)
- ✅ Apply sensitivity labels to critical content
- ✅ Set default sharing to “Specific people” (not “People in your org”)
- ✅ Review guest access permissions
- ✅ Clean up inactive sites with stale permissions
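The scenario’s actions and the checklist above, scripted with the SharePoint Online Management Shell as an added example (not code from the module). The admin URL and site URL are placeholders; it assumes a SharePoint admin connection, a group-connected site, and a SAM licence for the restricted access control step.

```powershell
# Added example, not from the module: a pre-Copilot oversharing sweep with the
# SharePoint Online Management Shell. The admin URL and site URL are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Claim prefixes for the "Everyone" and "Everyone except external users" groups.
# The second carries a tenant-specific GUID suffix, so match on the prefix.
$broadClaims = @('c:0(.s|true', 'c:0-.f|rolemanager|spo-grid-all-users/')

function Get-BroadClaimGrants {
    param([string]$Url)
    Get-SPOUser -Site $Url -Limit All | Where-Object {
        $login = $_.LoginName
        [bool]($broadClaims | Where-Object { $login.StartsWith($_) })
    }
}

# 1. Inventory (the DAG "Everyone except external users" report, in script form):
#    every site where one of the broad claims holds a permission.
$overshared = foreach ($site in Get-SPOSite -Limit All) {
    $grants = Get-BroadClaimGrants -Url $site.Url
    if ($grants) {
        [pscustomobject]@{
            Url     = $site.Url
            Claims  = ($grants.LoginName -join ';')
            Sharing = $site.SharingCapability        # AnonymousAccess = "Anyone" links allowed
            LastMod = $site.LastContentModifiedDate  # stale project sites surface here
        }
    }
}
$overshared | Sort-Object LastMod | Export-Csv .\overshared-sites.csv -NoTypeInformation

# 2. Tenant defaults going forward: restricted access control switched on,
#    new links default to "Specific people", "Anyone" links expire in 30 days.
Set-SPOTenant -EnableRestrictedAccessControl $true
Set-SPOTenant -DefaultSharingLinkType Direct -RequireAnonymousLinksExpireInDays 30

# 3. Remediate one site (Maya's actions, scripted): drop the broad claims,
#    stop "Anyone" links on the site, then restrict access to the M365 group.
$siteUrl = "https://contoso.sharepoint.com/sites/board"
Get-BroadClaimGrants -Url $siteUrl | ForEach-Object {
    Remove-SPOUser -Site $siteUrl -LoginName $_.LoginName
}
Set-SPOSite -Identity $siteUrl -SharingCapability ExistingExternalUserSharingOnly
# Only members of the site's M365 group get in, whatever else is granted (SAM).
Set-SPOSite -Identity $siteUrl -RestrictedAccessControl $true
```

Review the exported CSV before running step 3 against any site, since the broad claims may be the only grant some teams rely on.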
Oversharing in SharePoint — AB-900 Module 20
Knowledge Check
Northwave is preparing to deploy Copilot. Maya discovers 47 SharePoint sites shared with “Everyone except external users”. What should she do FIRST?
🎉 Congratulations! You’ve completed all 10 modules in Domain 2: Data Protection & Governance. You now understand Purview, sensitivity labels, DLP, insider risk, responsible AI, and the critical oversharing problem.
You’ve completed all 28 modules across all 3 domains. Time to test yourself with the Practice Lab!