You are an admin managing a Microsoft 365 tenant. A user reports that Copilot in Microsoft Teams, Word, or the web interface returned a file or document in a search result that the user should not have access to. This is a permissions exposure issue that can cause data leaks and compliance violations. The root cause is almost never a Copilot bug. Instead, it is a misconfiguration in how your tenant grants file-level permissions. This article explains why Copilot surfaces files that appear restricted and provides the exact steps to audit, restrict, and prevent this behavior.
Key Takeaways: Why Copilot Exposes Files and How to Stop It
- Microsoft 365 admin center > SharePoint > Site permissions > Sharing settings: Controls whether files with “Anyone with the link” sharing are visible to Copilot across the tenant.
- Microsoft 365 admin center > Copilot > Data sources > Microsoft Graph connectors: Determines which external or internal data sources Copilot indexes; remove any that contain overshared content.
- Microsoft 365 admin center > Roles > Search admin > Manage search schema: Lets you block specific document libraries or site collections from appearing in Copilot results.
Why Copilot Returns Files a User Should Not See
Copilot in Microsoft 365 does not bypass existing security permissions. It respects the same access control lists that SharePoint, OneDrive, and Exchange enforce. If a user sees a file they should not see, it means the file is actually accessible to that user through one of these mechanisms:
Shared Links with Broad Permissions
A user or an external partner shared a document using the “Anyone with the link” option. This grants access to anyone who has the link, including users who are not members of the site. Copilot can return this document in search results because the user technically has access through the link. The problem is that the user who sees the file did not receive the link directly. Copilot surfaces it based on the file being indexed and the user having a valid access token.
Inherited Permissions from a Parent Site
A document library inherits permissions from the parent site. If the site is open to all employees, every file in the library is accessible to everyone in the organization. Copilot will return any file from that library to any authenticated user. The site owner may believe they have restricted access by setting unique permissions on a folder, but a broken inheritance on a subfolder can still expose files.
Guest User or External Sharing Overlap
Your tenant may allow guest users to have the same search and access rights as internal users. If a guest user has been granted access to a site that contains sensitive files, Copilot will surface those files to the guest. This is not a Copilot issue. It is a direct result of the guest permission assignment.
Steps to Identify and Fix Overshared Files in Copilot
Follow these steps in order. Do not skip the audit step. You must confirm exactly which files are accessible before you apply restrictions.
Step 1: Audit Overshared Files with Microsoft Purview
- Open Microsoft Purview compliance portal
  Go to compliance.microsoft.com and sign in as a Compliance admin or Global admin. In the left navigation, select Data classification > Content explorer. This tool shows every file in your tenant and its current permission state.
- Run a query for overshared content
  In the Content explorer, select Filter and add a condition: Permission type > Anyone with the link. This returns all files shared with the broadest link type. Review the list and note which sites or libraries contain these files.
- Export the report
  Select Export to download a CSV. Use this file to identify the documents that are visible to Copilot but should not be.
Step 2: Restrict SharePoint Site Sharing Settings
- Open SharePoint admin center
  Go to admin.microsoft.com > SharePoint. In the left menu, select Policies > Sharing.
- Set default sharing link type
  Under File and folder links, change the default to Only people in your organization. Clear the checkbox for Anyone with the link if it is selected. This prevents new overshared links from being created.
- Block external sharing for sensitive sites
  Select Site-level sharing policies. Choose the site collection that contained the overshared files. Set External sharing to Only people in your organization. Select Save.
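The same Step 2 settings can be applied and verified from the SharePoint Online Management Shell (module Microsoft.Online.SharePoint.PowerShell), which is useful when you need to check many sites at once. This is an added example, not part of the article or of Microsoft's documentation; the tenant name and site URL are placeholders you replace with your own values.

```powershell
# Added example: tenant- and site-level sharing policy via SharePoint Online Management Shell.
# Assumptions: $TenantName and $SiteUrl are placeholders; you are a SharePoint admin or Global admin.
$TenantName = 'contoso'                                            # placeholder
$SiteUrl    = "https://$TenantName.sharepoint.com/sites/Finance"   # placeholder: site with overshared files

Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# Audit first: record the current tenant defaults before changing anything.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission

# Tenant-wide: new links default to "Only people in your organization" (Internal),
# and "Anyone with the link" is no longer allowed. ExternalUserSharingOnly still permits
# authenticated guests; use Disabled if the tenant should not share externally at all.
Set-SPOTenant -DefaultSharingLinkType Internal -SharingCapability ExternalUserSharingOnly

# Site-level: the site that contained the overshared files gets external sharing switched off.
# A site can never be more permissive than the tenant, only more restrictive.
Set-SPOSite -Identity $SiteUrl -SharingCapability Disabled

# Verify the result for that site.
Get-SPOSite -Identity $SiteUrl | Select-Object Url, SharingCapability

# Find every other site whose own setting still allows anonymous ("Anyone") links.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability
```

Changing the tenant setting stops new "Anyone" links from being created; links that already exist on individual files are still handled in Step 3.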
Step 3: Remove Overshared Links from Existing Files
- Open the affected document library
  Navigate to the SharePoint site that contains the files. Open the document library. Select the file that appears in Copilot results.
- Manage access
  Select the Share button or the three dots menu > Manage access. In the panel that opens, find the Links section. Select the three dots next to the Anyone with the link entry and choose Remove link.
- Replace with a restricted link
  Select Share again. Choose People with existing access or Specific people. Add only the users who should have access. Select Apply.
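Removing links file by file does not scale when the Step 1 export lists dozens of documents. The script below, an added example that is not from the article or from Microsoft, walks every document library in one site through the Microsoft Graph API (Microsoft.Graph PowerShell SDK, using Invoke-MgGraphRequest against documented drive endpoints), reports each sharing link whose scope is "anonymous" (Graph's term for "Anyone with the link"), and removes those links only when you pass -Remove. The function name Get-AnonymousLinks, the hostname and the site path are assumptions; the signed-in admin needs the Sites.ReadWrite.All permission scope.

```powershell
# Added example: audit (and optionally remove) "Anyone with the link" sharing links in a site.
# Requires: Install-Module Microsoft.Graph. Function name and placeholder values are ours.
function Get-AnonymousLinks {
    param(
        [Parameter(Mandatory)] [string] $Hostname,   # placeholder, e.g. contoso.sharepoint.com
        [Parameter(Mandatory)] [string] $SitePath,   # placeholder, e.g. /sites/Finance
        [switch] $Remove                             # report only unless this switch is given
    )
    $g = 'https://graph.microsoft.com/v1.0'
    Connect-MgGraph -Scopes 'Sites.ReadWrite.All' -NoWelcome

    # Resolve the site, then every document library (drive) it contains.
    $site   = Invoke-MgGraphRequest -Method GET -Uri "$g/sites/${Hostname}:${SitePath}"
    $drives = (Invoke-MgGraphRequest -Method GET -Uri "$g/sites/$($site.id)/drives").value

    foreach ($drive in $drives) {
        # Depth-first walk of the library; folders are checked too, because a link on a
        # folder is inherited by every file beneath it.
        $stack = [System.Collections.Generic.Stack[string]]::new()
        $stack.Push('root')
        while ($stack.Count -gt 0) {
            $parentId = $stack.Pop()
            $uri = "$g/drives/$($drive.id)/items/$parentId/children?`$select=id,name,folder,webUrl"
            do {
                $page = Invoke-MgGraphRequest -Method GET -Uri $uri
                foreach ($item in $page.value) {
                    if ($item.folder) { $stack.Push($item.id) }
                    $perms = (Invoke-MgGraphRequest -Method GET `
                        -Uri "$g/drives/$($drive.id)/items/$($item.id)/permissions").value
                    foreach ($p in $perms) {
                        # Only sharing links carry a "link" facet; scope "anonymous" is "Anyone".
                        if (-not ($p.link -and $p.link.scope -eq 'anonymous')) { continue }
                        # An inherited entry must be removed where it is defined (the parent folder),
                        # so only direct entries are deleted; all are reported.
                        $direct = -not $p.inheritedFrom
                        [pscustomobject]@{
                            Library      = $drive.name
                            Item         = $item.webUrl
                            LinkType     = $p.link.type      # view or edit
                            Inherited    = -not $direct
                            PermissionId = $p.id
                        }
                        if ($Remove -and $direct) {
                            Invoke-MgGraphRequest -Method DELETE `
                                -Uri "$g/drives/$($drive.id)/items/$($item.id)/permissions/$($p.id)"
                        }
                    }
                }
                $uri = $page.'@odata.nextLink'   # follow paging until the folder is exhausted
            } while ($uri)
        }
    }
}

# Audit first and keep the evidence, then run again with -Remove once the list is reviewed.
Get-AnonymousLinks -Hostname 'contoso.sharepoint.com' -SitePath '/sites/Finance' |
    Export-Csv -Path .\anonymous-links.csv -NoTypeInformation
# Get-AnonymousLinks -Hostname 'contoso.sharepoint.com' -SitePath '/sites/Finance' -Remove
```

Run it without -Remove first and compare the CSV with the Purview export from Step 1; the two lists should agree on which files carry an "Anyone" link. After removal, re-share each file with Specific people, as the last bullet above describes, because deleting the link removes the only access path that the link's recipients had.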
Step 4: Configure Copilot Data Sources
- Open Microsoft 365 admin center
  Go to admin.microsoft.com. In the left navigation, select Copilot.
- Manage data sources
  Select Data sources. Under Microsoft Graph connectors, review each connected data source. If a connector pulls content from a source that contains overshared files, remove it by selecting the three dots and choosing Remove.
- Limit Copilot search scope
  Under Search & intelligence, select Verticals. Create a new vertical or edit an existing one. Add a filter to exclude specific site collections or document libraries. For example, add a filter Path not starts with and enter the URL of the site that contained the overshared files.
If Copilot Still Returns Restricted Files After the Fix
After you apply the steps above, Copilot may still surface a file that a user should not see. This happens because of residual permissions or cached data. Check these scenarios.
Copilot Returns a File from a Site the User is a Member Of
The user may be a member of a SharePoint site that contains the file. Even if the file itself has unique permissions, the user might have been added to the site with at least Read access. Review site membership in SharePoint admin center > Sites > Active sites. Select the site and choose Membership. Remove any user who should not have access to files in that site.
Copilot Returns a File from a Shared OneDrive Folder
A user may have shared a OneDrive folder with the entire organization. Copilot indexes OneDrive files the same way it indexes SharePoint files. Go to OneDrive admin center > Sharing. Set the default sharing link to Only people in your organization and disable Anyone links. Then ask the user who owns the folder to remove the broad share and re-share with specific people only.
Copilot Returns a File After You Removed the Link
Copilot caches search results for up to 24 hours. A file that was previously shared with a broad link may still appear in results until the cache refreshes. Wait 24 hours and then test again. If the file still appears, run the Purview audit again to confirm the link was actually removed. A user may have re-shared the file after you removed the link.
Copilot Overshared Files vs Standard SharePoint Overshared Files: What Changes
| Item | Copilot Overshared File | Standard SharePoint Overshared File |
|---|---|---|
| Visibility trigger | User searches via Copilot in Teams, Word, or web | User navigates to the site or receives a direct link |
| Permission requirement | User must have at least Read access to the file | Same Read access required |
| Detection method | Purview Content explorer filter for “Anyone with the link” | Same Purview filter or manual site audit |
| User awareness | User may not know they have access because Copilot surfaces it | User knows they have access because they opened the link |
| Remediation | Remove link + restrict site sharing + configure Copilot data sources | Remove link only |
Now you can audit your tenant, remove overshared links, and configure Copilot data sources to prevent unauthorized file exposure. Start with the Purview Content explorer report to identify the exact files. Then apply the sharing restrictions at the site level. Finally, review your Copilot data source configuration to block any connector that brings in overshared content. For ongoing protection, schedule a weekly Purview report and set up an alert in Microsoft 365 Defender for any new file shared with the “Anyone with the link” permission.