How to Audit Copilot Connector Access for Sensitive Data
🔍 WiseChecker


You need to confirm which Microsoft 365 connectors Copilot is reading and whether any of those connectors expose sensitive data such as HR records, legal documents, or financial reports. Copilot only returns content the requesting user can already open, so the practical risk is oversharing: a connector that pulls data from a SharePoint site granted to a broad group can surface confidential content in Copilot answers to every member of that group, including people who have never opened the site and have no business need for it. This article explains how to use the Microsoft 365 admin center, the Purview compliance portal, and PowerShell to audit Copilot connector access and identify sensitive data sources.

Key Takeaways: Audit Copilot Connector Access for Sensitive Data

  • Microsoft 365 admin center > Settings > Copilot > Data sources: Lists all active connectors, the location each one reads from, and its last sync status.
  • Microsoft Purview > Data Classification > Content Explorer: Shows sensitive data types found in connected sites and libraries.
  • PowerShell cmdlet Get-CopilotConnector: Retrieves connector name, type, status, and source URL for automated auditing; permissions are still read from the source site.


Why Copilot Connectors Can Expose Sensitive Data

Copilot connectors link to external data sources such as SharePoint sites, OneDrive folders, Microsoft Graph connectors, and third-party services like ServiceNow or Salesforce. When a connector is active, Copilot can read content from that source to generate grounded responses for users who have permission to access the source. The risk is that a connector may be configured with overly broad permissions, or it may connect to a site containing sensitive data that is not properly classified.

Permission Inheritance vs Connector Scope

A common root cause is that the connector inherits permissions from the site or service it connects to. For example, if a SharePoint site grants read access to the built-in “Everyone except external users” group, the connector will surface content from that site to every internal Copilot user, because every internal account is a member of that group. The connector itself applies no filtering beyond the source permissions. The users already had access in principle; what changes is discoverability. A connector on a site labeled “HR Documents” lets any internal user ask Copilot a question and get salary data back without ever browsing to the site, so a site that was “protected” only by nobody knowing the URL is now effectively public within the tenant.

Connector Types and Data Sensitivity

There are two main connector types. First-party connectors connect to Microsoft 365 data such as SharePoint, OneDrive, and Exchange. Third-party connectors connect to external services using Microsoft Graph connectors. Both types can access sensitive data if the underlying source contains files with credit card numbers, social security numbers, or other sensitive information types defined in Microsoft Purview Data Loss Prevention.

Steps to Audit Copilot Connector Access

The audit process has three phases. First, identify all active connectors. Second, review the data sources each connector accesses. Third, scan those sources for sensitive data types. The following steps use the Microsoft 365 admin center and Microsoft Purview.

  1. Open the Microsoft 365 admin center
    Sign in with an account that has the Knowledge Administrator role (Global Administrator also works, but a less privileged role is preferable for a read-only audit). Go to Settings > Copilot > Data sources. This page shows all connectors that Copilot can read from.
  2. Review each connector entry
    For each connector, note the Name, Type, Status, and Last sync. A status of “Connected” means the connector is active and serving data to Copilot. Click the connector name to see the specific sites, libraries, or folders it connects to.
  3. Identify sensitive data sources with Microsoft Purview
    Open the Microsoft Purview compliance portal at https://compliance.microsoft.com (it now redirects to purview.microsoft.com). Go to Data Classification > Content Explorer. This tool shows files that contain sensitive information types across your tenant. The auditing account needs the Content Explorer List Viewer role group to see file names and locations, and Content Explorer Content Viewer to open the files themselves; these are separate from the admin roles used in step 1.
  4. Filter by connector source location
    In Content Explorer, use the filter panel to select the SharePoint site URL or OneDrive folder that appears in the connector details from step 2. The Content Explorer will display all files in that location that contain sensitive data types such as U.S. Social Security Number, Credit Card Number, or Azure SQL Connection String.
  5. Document each sensitive file found
    Export the results using the Export button in Content Explorer. Save the CSV file for your audit records. This file lists the file name, location, sensitive info type, and confidence level.
  6. Cross-reference connector permissions
    For each connector source that contains sensitive data, check the permission settings. Go to the SharePoint site or OneDrive folder, select Settings > Site permissions, and review which groups or users have access (use Advanced permissions settings to see the full list, including broken inheritance on individual libraries). If a tenant-wide group such as “Everyone except external users” or “Everyone” has access, the connector will expose that sensitive data to all members of that group through Copilot.


Using PowerShell for Automated Auditing

For tenants with many connectors, manual review is time-consuming. The steps below use the Exchange Online PowerShell module to retrieve connector metadata programmatically, and Security & Compliance PowerShell to enumerate the sensitive information types you will match against.

  1. Install the Exchange Online Management module
    Open PowerShell and run Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser (installing for the current user avoids an elevated session). After installation, run Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com and sign in with your admin credentials.
  2. Run Get-CopilotConnector
    First confirm the cmdlet is present in the module version you installed with Get-Command Get-CopilotConnector; if it is not, update the module before continuing. Then execute Get-CopilotConnector | Format-List Name, Type, Status, SourceUrl. This returns all connectors, their types, and the URLs of the data sources they connect to.
  3. Export the results
    Run Get-CopilotConnector | Export-Csv -Path "C:\audit\connectors.csv" -NoTypeInformation. Open the CSV in Excel to filter and sort connectors by status and source URL.
  4. Check each source URL for sensitive data
    For each unique source URL in the CSV, scan the location with Microsoft Purview Content Explorer and export the results. Get-DlpSensitiveInformationType does not scan anything; it lists the sensitive information type definitions available in your tenant so you can decide which types count as findings. It lives in Security & Compliance PowerShell, so run Connect-IPPSSession first, then for example Get-DlpSensitiveInformationType | Where-Object {$_.Name -like "*Social Security*"} (the wildcards are required; -like "Social Security" matches only an exact name and returns nothing).
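The manual procedure above (steps 1 to 6) and the PowerShell steps end with the same cross-reference: which connected sources contain sensitive information types, and which of those are readable by a tenant-wide group. The following script, added here as an example and not taken from Microsoft or the original article, performs that join. All three inputs are constructed sample data; in a real audit the connector list comes from Get-CopilotConnector | Export-Csv, the sensitive-file rows from the Content Explorer CSV export (its exact column names are assumed here), and the permission rows from the site permissions page or from PnP PowerShell (Get-PnPGroup / Get-PnPGroupMember). The SharePoint claim formats for the tenant-wide groups are real; the GUIDs are placeholders.

```powershell
# Added example (not code from Microsoft or the original page). Joins a connector
# inventory, a Content Explorer export and site permission rows on the site URL
# and flags connectors whose source holds sensitive info types AND is readable
# by a tenant-wide group. Every input below is constructed sample data.

# 1. Connector inventory (constructed; real data: Get-CopilotConnector | Export-Csv)
$connectors = @(
    [pscustomobject]@{ Name = 'HR Docs';     Type = 'SharePoint'; Status = 'Connected';    SourceUrl = 'https://contoso.sharepoint.com/sites/HR' }
    [pscustomobject]@{ Name = 'Eng Wiki';    Type = 'SharePoint'; Status = 'Connected';    SourceUrl = 'https://contoso.sharepoint.com/sites/Eng' }
    [pscustomobject]@{ Name = 'Old Finance'; Type = 'SharePoint'; Status = 'Disconnected'; SourceUrl = 'https://contoso.sharepoint.com/sites/Finance' }
)

# 2. Content Explorer export (constructed rows; the column names are an assumption)
$sensitiveFiles = @'
FileName,Location,SensitiveInfoType,Confidence
salary-2024.xlsx,https://contoso.sharepoint.com/sites/HR/Shared Documents/salary-2024.xlsx,U.S. Social Security Number (SSN),High
onboarding.docx,https://contoso.sharepoint.com/sites/HR/Shared Documents/onboarding.docx,Credit Card Number,Medium
budget.xlsx,https://contoso.sharepoint.com/sites/Finance/Shared Documents/budget.xlsx,Credit Card Number,High
'@ | ConvertFrom-Csv

# 3. Site permission rows (constructed). LoginName uses SharePoint claim syntax:
#    "Everyone except external users" = c:0-.f|rolemanager|spo-grid-all-users/<tenantId>
#    "Everyone"                       = c:0(.s|true
#    Entra security group             = c:0t.c|tenant|<objectId>
$sitePermissions = @(
    [pscustomobject]@{ SiteUrl = 'https://contoso.sharepoint.com/sites/HR';  Principal = 'Everyone except external users'; LoginName = 'c:0-.f|rolemanager|spo-grid-all-users/11111111-2222-3333-4444-555555555555'; Role = 'Read' }
    [pscustomobject]@{ SiteUrl = 'https://contoso.sharepoint.com/sites/HR';  Principal = 'HR Team';                       LoginName = 'c:0t.c|tenant|66666666-7777-8888-9999-aaaaaaaaaaaa';                               Role = 'Edit' }
    [pscustomobject]@{ SiteUrl = 'https://contoso.sharepoint.com/sites/Eng'; Principal = 'Everyone except external users'; LoginName = 'c:0-.f|rolemanager|spo-grid-all-users/11111111-2222-3333-4444-555555555555'; Role = 'Read' }
)

function Get-SiteCollectionUrl {
    # Reduce a site or file URL to its lower-cased site-collection URL so that
    # Content Explorer file paths and permission rows match the connector SourceUrl.
    param([Parameter(Mandatory)][string]$Url)
    if ($Url -match '^(https://[^/]+/(?:sites|teams)/[^/]+)') { return $Matches[1].ToLowerInvariant() }
    return $Url.TrimEnd('/').ToLowerInvariant()
}

function Test-TenantWidePrincipal {
    # True for the claims that grant every internal user (or everyone) access.
    param([Parameter(Mandatory)][string]$LoginName)
    return ($LoginName -like 'c:0-.f|rolemanager|spo-grid-all-users/*') -or ($LoginName -eq 'c:0(.s|true')
}

function Get-ConnectorRiskReport {
    param($Connectors, $SensitiveFiles, $SitePermissions)
    # Only connectors currently serving data to Copilot are in scope.
    foreach ($c in ($Connectors | Where-Object { $_.Status -eq 'Connected' })) {
        $site  = Get-SiteCollectionUrl $c.SourceUrl
        $hits  = @($SensitiveFiles  | Where-Object { (Get-SiteCollectionUrl $_.Location) -eq $site })
        $broad = @($SitePermissions | Where-Object { (Get-SiteCollectionUrl $_.SiteUrl) -eq $site -and (Test-TenantWidePrincipal $_.LoginName) })
        $risk = if ($hits.Count -gt 0 -and $broad.Count -gt 0) { 'High' }        # classified content reachable by the whole tenant
                elseif ($hits.Count -gt 0)                      { 'Review' }      # classified content, scoped access: confirm group members
                elseif ($broad.Count -gt 0)                     { 'Overshared' }  # tenant-wide access, nothing classified (yet)
                else                                            { 'Low' }
        [pscustomobject]@{
            Connector          = $c.Name
            SourceUrl          = $c.SourceUrl
            SensitiveFileCount = $hits.Count
            SensitiveTypes     = ($hits.SensitiveInfoType  | Sort-Object -Unique) -join '; '
            BroadAccess        = ($broad.Principal         | Sort-Object -Unique) -join '; '
            Risk               = $risk
        }
    }
}

$report = Get-ConnectorRiskReport -Connectors $connectors -SensitiveFiles $sensitiveFiles -SitePermissions $sitePermissions
$report | Sort-Object Risk | Format-Table -AutoSize
# Keep the evidence with the audit record, as the article does for the Content Explorer export.
$report | Export-Csv -Path '.\copilot-connector-risk.csv' -NoTypeInformation
```

With the sample data, HR Docs is rated High (two classified files and “Everyone except external users” with Read), Eng Wiki is rated Overshared (broad access but no classified files), and Old Finance is skipped because its status is Disconnected even though its site holds a classified file. The Disconnected case is worth keeping in the report logic: a connector that is re-enabled later inherits whatever the site permissions are at that moment, so the Finance site should still be cleaned up before anyone reconnects it.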

If Connector Access Exposes Sensitive Data

Connector Shows Sensitive Data in Content Explorer but Copilot Should Not Access It

The fix is to restrict permissions on the source location. Remove the broad group from the SharePoint site or OneDrive folder and add only the specific users or groups that need access. Check libraries and folders with broken inheritance separately, since removing the group at the site level does not touch them. After the change, the connector respects the new permissions once the source is re-indexed, and Copilot will no longer surface the sensitive data to users who have lost access.

Connector Has Incorrect Scope or Target

If the connector is pointing to the wrong site or folder, delete the connector and create a new one with the correct scope. In the Microsoft 365 admin center, go to Settings > Copilot > Data sources, select the connector, and click Remove. Then click Add a data source and choose the correct site or service.

Third-Party Connector Exposes Sensitive Data

For third-party connectors such as ServiceNow or Salesforce, the data source itself may contain sensitive fields. Review the connector configuration in the third-party service’s admin panel. Most connectors allow you to select specific tables, objects, or fields to sync. Remove any fields that contain sensitive information like salary, performance ratings, or personal contact details.

Copilot Connector Audit: Manual Review vs PowerShell Automation

| Item | Manual review in admin center | PowerShell automation |
|---|---|---|
| Time required for 10 connectors | 30 to 60 minutes | 5 to 10 minutes |
| Connector details retrieved | Name, type, status, last sync | Name, type, status, source URL |
| Sensitive data scan | Manual in Content Explorer | Content Explorer export joined with the connector CSV |
| Best for | Small tenants with fewer than 5 connectors | Large tenants with 10 or more connectors |

Conclusion

You can now audit every Copilot connector in your tenant and determine whether it exposes sensitive data. Use the Microsoft 365 admin center to view active connectors and their source locations. Use Microsoft Purview Content Explorer to scan those locations for sensitive information types such as credit card numbers or social security numbers. For larger environments, automate the audit with the Get-CopilotConnector PowerShell cmdlet and export the results to a CSV file. After identifying risky connectors, restrict source permissions or reconfigure the connector scope. As a next step, set up a recurring monthly audit using a PowerShell script that runs Get-CopilotConnector and checks each source URL against a list of sensitive data types.
