As organizations across the globe prepare to adopt Microsoft Copilot, securing your environment becomes more critical than ever. Copilot can surface vast amounts of content across Microsoft 365, which is a powerful feature—but only if the right access controls are in place. Before you roll out Copilot, here’s a practical checklist to ensure your SharePoint and Microsoft 365 data is protected, discoverable only by those who truly need it.
Configure SharePoint Sharing Settings
Start with the basics: ensure your SharePoint Online sharing settings are properly configured both at the tenant and site level. This foundational step can prevent accidental exposure of sensitive information.
Recommendation:
- Avoid enabling broad sharing defaults such as “Everyone except external users.”
To hide this option, run the following in the SharePoint Online Management Shell (replace yourtenant with your tenant name):
Install-Module -Name Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url https://yourtenant-admin.sharepoint.com
Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $false
Assign Site Visibility and Ownership
Clearly define whether each site should be Public or Private, depending on its purpose and audience.
Each SharePoint site must have designated owners responsible for site governance. Implementing site lifecycle policies helps track inactive or unmanaged sites—but note, this may require additional licensing.
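As an added example (not code from the original post), the PowerShell audit below ties the two sections above together: it reports the tenant-level people-picker claims and default link settings, then lists every site that still allows external sharing or has no recorded owner. It assumes the SharePoint Online Management Shell module is installed, that the account used is a SharePoint Administrator, and that the tenant name and output path are placeholders.

```powershell
# Added example, not from the original post. Assumptions: the
# Microsoft.Online.SharePoint.PowerShell module is installed, the signed-in
# account is a SharePoint Administrator, and "yourtenant" plus the CSV path
# are placeholders to replace.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://yourtenant-admin.sharepoint.com"

# 1. Tenant level: which broad claims are still offered in the people picker
#    and what the default sharing link looks like. Anything other than $false
#    for the claim switches means users can still grant "Everyone"-style access.
$tenant = Get-SPOTenant
[PSCustomObject]@{
    SharingCapability                    = $tenant.SharingCapability
    ShowEveryoneExceptExternalUsersClaim = $tenant.ShowEveryoneExceptExternalUsersClaim
    ShowEveryoneClaim                    = $tenant.ShowEveryoneClaim
    ShowAllUsersClaim                    = $tenant.ShowAllUsersClaim
    DefaultSharingLinkType               = $tenant.DefaultSharingLinkType
} | Format-List

# 2. Site level: flag sites that still permit external sharing or that have
#    no owner recorded. These are the sites to review (or make private)
#    before Copilot can surface their content.
$findings = foreach ($site in (Get-SPOSite -Limit All)) {
    $reasons = @()
    if ($site.SharingCapability -ne 'Disabled') {
        $reasons += "external sharing: $($site.SharingCapability)"
    }
    if ([string]::IsNullOrWhiteSpace($site.Owner)) {
        $reasons += 'no owner recorded'
    }
    if ($reasons.Count -gt 0) {
        [PSCustomObject]@{
            Url     = $site.Url
            Title   = $site.Title
            Owner   = $site.Owner
            Reasons = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Url | Format-Table -AutoSize

# Keep a dated copy so month-over-month drift is visible alongside the
# governance reports described later in this post.
$outDir = 'C:\SPReport'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$findings | Export-Csv -Path (Join-Path $outDir "sharing-audit-$(Get-Date -Format yyyyMMdd).csv") -NoTypeInformation
```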
Run Monthly Data Governance Reports
Microsoft 365 provides useful, though somewhat delayed, governance reporting. These reports can take up to 5 days to generate and are available only once a month—so set a reminder to run them regularly.
Here’s how to generate an Oversharing Baseline Report using PowerShell:
- Connect to the SharePoint Admin Center (replace yourtenant with your tenant name):
Connect-SPOService -Url https://yourtenant-admin.sharepoint.com
- Start the report:
Start-SPODataAccessGovernanceInsight -ReportEntity PermissionedUsers -ReportType Snapshot -Workload SharePoint -CountOfUsersMoreThan 0 -Name "OversharingReport"
- Retrieve the report ID:
Get-SPODataAccessGovernanceInsight -ReportEntity PermissionedUsers
- Monitor progress, then export once the report has finished generating (replace <YourReportID> with the ID returned above):
Get-SPODataAccessGovernanceInsight -ReportID <YourReportID>
Export-SPODataAccessGovernanceInsight -ReportID <YourReportID> -DownloadPath "C:\SPReport"
This gives you a snapshot of how many users have access to which sites—critical visibility before enabling Copilot.
Control Access and Limit Overexposure
Taking access management a step further:
- Site Access Reviews
Use Microsoft’s built-in capabilities to initiate access reviews for SharePoint sites. This ensures only the right people retain access over time.
- Implement Access Control Policies
If your license permits, configure Restricted Access Control Policies to limit access to content based on site-level rules. This is especially important in high-risk or compliance-sensitive environments.
Restrict Copilot Content Discovery Per Site
One of the key security strategies with Copilot is controlling what it can discover and use in responses. For sensitive or internal-only SharePoint sites, restrict Copilot discovery at the site level using Microsoft 365 compliance settings.
Final Thoughts
With Microsoft Copilot entering the modern workplace, it’s not just about enabling AI—it’s about doing so responsibly. By proactively tightening your data governance and SharePoint access controls now, you can roll out Copilot with confidence and reduce the risk of unintentional data leaks.
Need help preparing your environment for Copilot? Contact us for a security audit or a governance health check.