Microsoft 365 Copilot reads data from SharePoint Online to generate answers, summarize documents, and assist users. If your SharePoint sites have overly broad permissions, Copilot may expose sensitive content to users who should not see it. Auditing permissions before enabling Copilot prevents accidental data leaks and ensures compliance with your organization’s access policies. This article explains how to audit SharePoint permissions using built-in tools and third-party reports, and what specific permission changes to make before activating Copilot.
Key Takeaways: Permission Audit Checklist for Copilot Readiness
- SharePoint admin center > Site permissions > Permission reports: Generate a report of all unique permissions across site collections to identify overly broad access.
- Microsoft 365 admin center > Roles > Role assignments: Review which users have global admin or SharePoint admin roles that grant unrestricted site access.
- Microsoft Purview > Data classification > Content explorer: Scan for sensitive content types like credit card numbers or health data in SharePoint libraries.
Why SharePoint Permissions Matter for Copilot
Copilot uses the Microsoft Graph to retrieve data from SharePoint, OneDrive, and other Microsoft 365 services. It respects existing permissions: a user can only see content that they already have access to. However, many organizations have accumulated excessive permissions over time, such as “Everyone except external users” on document libraries or site-level “Full Control” for large groups. When Copilot surfaces data from these locations, any user with read access to the site can see the content in Copilot responses. This makes permission auditing a prerequisite for safe Copilot deployment. Without an audit, you risk exposing confidential contracts, financial data, or personal information to unintended audiences.
How Copilot Reads SharePoint Data
Copilot connects to SharePoint through the Microsoft Graph API. It indexes content from document libraries, list items, and pages. The index respects the access control list of each item. When a user asks Copilot a question, it searches the index and returns only results that the user has permission to view. This means permission misconfigurations directly affect what Copilot can expose. A site with “Everyone” or “All authenticated users” at the root level gives every licensed user access to all content in that site.
Steps to Audit SharePoint Permissions Before Enabling Copilot
Follow these steps to review and remediate permissions across your SharePoint environment. Perform these steps at least two weeks before enabling Copilot for your tenant.
- Generate a SharePoint Permission Report
Open the SharePoint admin center at https://admin.microsoft.com/SharePoint. In the left navigation, select Reports and then Permission reports. Click Create report and choose Site permissions. Select all site collections and click Generate. The report downloads as a CSV file. Open it in Excel to review each site’s permission groups and individual users. - Identify Sites with “Everyone” or Large Groups
In the CSV report, look for rows where the Principal name column contains “Everyone except external users” or “All authenticated users.” Also look for security groups with more than 50 members. These groups often grant unintended access. Make a list of these sites for remediation. - Review Unique Permissions on Subsites and Libraries
For each site on your list, open the site in SharePoint. Go to Site permissions and click Advanced permissions settings. Check if the site inherits permissions from its parent. If it does, the parent’s broad permissions apply. If it has unique permissions, review each group and user. Remove any group that does not need access. Repeat this for each document library and list that contains sensitive content. - Run a Microsoft Purview Data Scan
Go to the Microsoft Purview compliance portal at https://compliance.microsoft.com. Select Data classification and then Content explorer. Choose SharePoint as the location. Use filters to find sensitive information types such as credit card numbers, passport numbers, or health records. Note the site URLs where these items appear. These sites require strict permission controls before Copilot is enabled. - Remove Excessive Permissions Using the SharePoint Admin Center
For sites with broad groups, go to Active sites in the SharePoint admin center. Select the site, then click Permissions. Under Direct access, remove any group that is not explicitly required. Replace “Everyone” with a named security group that contains only the users who need access. If the site is a team site, consider using Microsoft 365 group membership instead of direct SharePoint permissions. - Verify Permissions with the “Check Permissions” Tool
On any site where you changed permissions, navigate to Site permissions and click Check permissions. Enter a test user account that should not have access. The tool shows the effective permissions for that user. Confirm that the user cannot view the site or its content. Repeat this test for a user who should have access to verify they can still reach the content.
Common Permission Issues That Affect Copilot Responses
Copilot Returns Content from Sites the User Should Not See
If a user sees content from a site they do not normally access, the site likely grants “Read” access to a broad group. Check the site’s permission inheritance. If the site inherits from a parent that has “Everyone,” break inheritance and apply explicit permissions. Then ask the user to refresh Copilot and test the same query again.
Copilot Cannot Find Content the User Should See
This usually happens when a user has only “Contribute” or “Edit” permissions but not “Read.” Copilot requires at least “Read” access to surface content. Verify the user’s permission level on the site and library. If they need to see the data, grant “Read” or add them to the “Members” group of the associated Microsoft 365 group.
Sensitive Data Appears in Copilot Responses
If Copilot returns content containing personal or confidential data, the site or library where that data resides has overly broad permissions. Use the Microsoft Purview content scan to locate the file. Remove the file or restrict permissions to a specific security group. You can also apply a sensitivity label that blocks Copilot from indexing the file. Go to Purview > Information protection > Sensitivity labels and configure a label with the “Let users assign permissions” setting disabled.
SharePoint Permission Models: Before vs After Copilot Readiness
| Item | Before Copilot | After Copilot Readiness Audit |
|---|---|---|
| Site-level access | “Everyone except external users” on root site | Named security group with explicit member list |
| Library permissions | Inherited from site, often too broad | Unique permissions or restricted to project team |
| External sharing | Enabled with “Anyone” links | Disabled or limited to “Specific people” |
| Guest users | Added individually without review | Reviewed and removed if inactive or unnecessary |
| Sensitive content | No classification or protection | Sensitivity labels applied, Copilot indexing blocked for high-risk items |
After completing the audit and remediation, enable Copilot for a pilot group first. Monitor Copilot responses for two weeks using audit logs in the Microsoft 365 admin center. Go to Reports > Usage > Copilot for Microsoft 365 to review queries and returned sources. Adjust permissions as needed before rolling out to the full organization.