How to Set Up Copilot Access Reviews for SharePoint Sites

You want to control which users can use Copilot to query content from your SharePoint sites. Without access reviews, Copilot may surface sensitive data to people who should not see it. This article explains how to set up automated access reviews for SharePoint sites to govern Copilot data access. You will learn the prerequisite roles, the exact steps in the Microsoft 365 admin center, and how to avoid common configuration mistakes.

Key Takeaways: How to Govern Copilot Access to SharePoint

  • Microsoft 365 admin center > Roles > Identity Governance administrator: Assign this role to the person who will create access reviews.
  • Microsoft Entra admin center > Identity Governance > Access reviews > New: The exact menu path to start a new review for SharePoint site members.
  • Review scope > Teams + Groups: Select the Microsoft 365 group linked to the SharePoint site to review all members and guests.


Why Copilot Access Reviews Matter for SharePoint

Copilot for Microsoft 365 can read content from any SharePoint site that a user has permission to access. If a site contains confidential project files or financial records, any user with guest or member access can ask Copilot to summarize, compare, or extract data from those files. Access reviews let you periodically verify that each person still needs their current access level. Without reviews, orphaned accounts or over-provisioned permissions remain active indefinitely. The Identity Governance administrator role in Microsoft Entra ID is required to create and manage these reviews. You also need a Microsoft 365 E5 or Microsoft Entra ID P2 license for the reviewer accounts.

What an Access Review Does for Copilot

An access review sends a notification to each site member or to a designated reviewer. The reviewer approves or denies continued access. When access is denied, the system removes the user from the SharePoint site group. Copilot then loses the ability to read that site’s content for that user. Reviews can be scheduled weekly, monthly, quarterly, or annually. You can scope the review to guest users only or to all members.

Steps to Create an Access Review for a SharePoint Site

Follow these steps to set up an access review that governs Copilot access to a specific SharePoint site. You must have the Identity Governance administrator role or higher. If you do not see the Access reviews menu, ask your Global administrator to assign the license and role.

  1. Open the Microsoft Entra admin center
    Go to https://entra.microsoft.com and sign in with your work account. In the left navigation, select Identity Governance.
  2. Start a new access review
    Under Identity Governance, select Access reviews. Click New access review.
  3. Select Teams + Groups as the review type
    In the Select what to review step, choose Teams + Groups. Click Select group(s) and search for the Microsoft 365 group that owns the SharePoint site. For example, if your site is named “Project Alpha,” the group name is usually the same. Select the group and click Select.
  4. Set the scope to members and guests
    Under Scope, choose All users to review both members and guests. If you only want to review external users, choose Guest users only. Click Next: Reviews.
  5. Choose who reviews the access
    Under Select reviewers, pick Group owner(s) or Selected user(s). Group owners can see the group membership and decide who stays. If you choose Selected users, enter the email addresses of the reviewers. Click Next: Settings.
  6. Configure recurrence and duration
    Set Duration (in days) to a number that gives reviewers enough time. For a small team, 3 days is sufficient. Under Review recurrence, select Quarterly or your preferred frequency. Set Start date and End date. Click Next: Review + Create.
  7. Name the review and finish
    Give the review a name like Quarterly Copilot Access Review – Project Alpha. Add a description that explains the purpose: “This review verifies access to SharePoint content that Copilot can read.” Click Create.
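
The same review expressed as a Microsoft Graph request body, as an added example that is not part of the original article: the function builds the JSON for POST /identityGovernance/accessReviews/definitions from the choices made in steps 3 to 7. The group ID and dates are constructed sample values, mapping the step 7 description to descriptionForAdmins is this example's choice, and enabling autoApplyDecisionsEnabled is an assumption about the review settings.

```python
import json
import uuid
from datetime import date

# Graph recurrence patterns for the frequencies this example supports.
RECURRENCE = {
    "weekly": {"type": "weekly", "interval": 1},
    "monthly": {"type": "absoluteMonthly", "interval": 1},
    "quarterly": {"type": "absoluteMonthly", "interval": 3},
}

def build_review_definition(group_id, name, description, *, guests_only=False,
                            reviewer_ids=None, duration_days=3,
                            frequency="quarterly", start=None, end=None,
                            auto_apply=True):
    """Return the JSON body for an access review of one Microsoft 365 group."""
    gid = str(uuid.UUID(group_id))  # raises ValueError for anything that is not a GUID
    if frequency not in RECURRENCE or duration_days < 1:
        raise ValueError("unsupported frequency or non-positive duration")
    start = start or date.today()
    if end is not None and end <= start:
        raise ValueError("end date must be after start date")
    # Step 4: all members and guests, or guest users only.
    scope_query = f"/groups/{gid}/transitiveMembers"
    if guests_only:
        scope_query += "/microsoft.graph.user/?$count=true&$filter=(userType eq 'Guest')"
    # Step 5: group owners by default, otherwise the selected users (object IDs).
    reviewer_queries = ([f"/users/{uuid.UUID(r)}" for r in reviewer_ids]
                        if reviewer_ids else [f"/groups/{gid}/owners"])
    rng = {"type": "endDate" if end else "noEnd", "startDate": start.isoformat()}
    if end:
        rng["endDate"] = end.isoformat()
    return {
        "displayName": name,                  # step 7
        "descriptionForAdmins": description,  # step 7
        "scope": {"@odata.type": "#microsoft.graph.accessReviewQueryScope",
                  "query": scope_query, "queryType": "MicrosoftGraph"},
        "reviewers": [{"query": q, "queryType": "MicrosoftGraph"} for q in reviewer_queries],
        "settings": {
            "mailNotificationsEnabled": True,
            "instanceDurationInDays": duration_days,  # step 6
            "autoApplyDecisionsEnabled": auto_apply,  # assumption: apply denials automatically
            "recurrence": {"pattern": RECURRENCE[frequency], "range": rng},
        },
    }

if __name__ == "__main__":
    body = build_review_definition(  # constructed group ID and dates
        "11111111-2222-3333-4444-555555555555", "Quarterly Copilot Access Review – Project Alpha",
        "Verifies access to SharePoint content that Copilot can read.",
        start=date(2025, 1, 1), end=date(2026, 1, 1))
    print(json.dumps(body, indent=2))
```

Keeping the definition as data makes it possible to check the scope, reviewers and auto-apply setting in code review before the review is created in the tenant.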


Common Issues When Setting Up Copilot Access Reviews

The SharePoint site does not appear in the group list

Only Microsoft 365 groups appear in the Teams + Groups review scope. If the SharePoint site uses a different permission model like Windows Classic or SharePoint groups only, you cannot review it with this method. Convert the site to group-connected or create a separate review using the Applications scope for SharePoint Online.

Reviewers never receive the notification email

Check the spam or quarantine folder in the reviewer’s mailbox. Also confirm that the reviewer has a Microsoft Entra ID P2 license assigned. Without the license, the reviewer can see the review in the My Access portal but will not receive the email notification.

Copilot still shows content after access is denied

The access review removes the user from the SharePoint site group. However, Copilot may cache the content for up to 24 hours. Wait one full day. If the content still appears, run a manual permission check in SharePoint: go to the site, select Settings > Site permissions, and verify the user is removed.

| Item | Access Review via Entra ID | Manual Permission Audit in SharePoint |
|---|---|---|
| Automation | Fully automated with recurrence | Fully manual, no recurrence |
| Scope | Microsoft 365 groups only | Any SharePoint permission level |
| License needed | Microsoft Entra ID P2 or E5 | No extra license needed |
| Copilot impact | Removes user from group, stops Copilot access | Removes user from site, stops Copilot access |
| Notification | Email sent to reviewers automatically | No built-in notification |

Now you can set up recurring access reviews that remove stale permissions and prevent Copilot from exposing SharePoint data to unauthorized users. Start with a single review for your most sensitive site and verify the results. Next, schedule additional reviews for all group-connected sites using the same Entra ID template. For sites that are not group-connected, use SharePoint’s built-in permission audit reports to check access manually.
