Microsoft Copilot for Microsoft 365 - best practices with SharePoint

Microsoft Copilot for Microsoft 365 provides value by connecting Large Language Models (LLMs) to your organizational data. Copilot for Microsoft 365 accesses content and context through Microsoft Graph and can generate responses based on your organizational data. The data sources include user documents stored in SharePoint and OneDrive, emails, calendars, chats, meetings, and contacts. Copilot for Microsoft 365 combines this content with the user’s working context, such as the meeting a user is in now, the email exchanges the user had on a topic, or the chat conversations the user had last week. Copilot for Microsoft 365 uses this combination of content and context to help provide accurate, relevant, and contextual responses.

How do SharePoint permissions affect your users’ Copilot for Microsoft 365 experience?

Copilot for Microsoft 365 only surfaces organizational data to which individual users have at least view permissions. It's important to use the permission models in SharePoint to ensure the right users or groups have the right access to the right content within your organization. This article provides guidance and best practices that you, as a SharePoint administrator, can use to take control of the SharePoint permissions model before your organization enables Copilot for Microsoft 365 for your users.

Before enabling Copilot for Microsoft 365

Organizations operate at various levels of maturity in governing SharePoint data. While some enterprises strictly monitor permissions and oversharing of content, others don't. The situation is further complicated because many enterprises have legitimate reasons to share "some" data widely within the organization. Sometimes, end users in your organization make choices that result in the oversharing of SharePoint content. For example, end users don't always pay attention to the permissions of the site, library, or folder where they're uploading files. They may end up uploading or saving business-critical content in locations where other users, possibly including external users, have access. Some end users also prefer sharing files in SharePoint with large groups rather than with individuals. This practice can result in oversharing.
Copilot for Microsoft 365 utilizes all data that a user has access to, which may include broadly shared files that the user is unaware of. As a result, users might see Copilot for Microsoft 365 as exposing content that was overshared. To identify and remediate overshared content in SharePoint, follow these best practices.

  • These steps are provided exclusively for SharePoint administrators.
  • Some of the following features require a SharePoint Advanced Management license.

Step 1: Review site-level sharing controls and remove "Everyone Except External Users" from people picker

  • Educate site admins on the site-level controls they can use to restrict members from sharing. One key setting here ensures that Site Owners are the recipients of access requests.
  • Consider hiding broad-scope permissions from your end users to reduce risks around accidental misuse. This example hides the "Everyone Except External Users" claim in the People Picker control so that no end user can grant access to it.
  • Consider adopting sharing best practices like changing sharing link defaults from companywide sharing to specific people links.
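The Step 1 tenant-level controls as an added example using the SharePoint Online Management Shell (not code from the original article); the admin URL and site URL are placeholders, and the block records the current values before changing them:

```powershell
# Added example: Step 1 hardening with the SharePoint Online Management Shell.
# The admin URL and site URL below are placeholders; replace them with your own.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Record the current state before changing anything, so the change is
# documented and can be reverted if a business process depends on it.
$props = 'ShowEveryoneExceptExternalUsersClaim', 'ShowEveryoneClaim',
         'ShowAllUsersClaim', 'DefaultSharingLinkType', 'DefaultLinkPermission'
$before = Get-SPOTenant | Select-Object $props
$before | Format-List

# Weak state (common default): the broad-scope claims are selectable in the
# People Picker, and new sharing links default to "Internal" (anyone in the org).
# Hardened state: hide "Everyone Except External Users" and the related
# "Everyone" / "All Users" claims so no end user can grant access to them, and
# make new sharing links default to specific people with view permission.
Set-SPOTenant -ShowEveryoneExceptExternalUsersClaim $false `
              -ShowEveryoneClaim $false `
              -ShowAllUsersClaim $false `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View

# Optional site-level control: on a site whose members should not be able to
# invite new users, restrict sharing to site owners so that access requests
# are routed to them. Re-enable member sharing from the site's sharing
# settings later if needed.
$siteUrl = "https://contoso.sharepoint.com/sites/Finance"   # placeholder
Set-SPOSite -Identity $siteUrl -DisableSharingForNonOwners

# Verify that the tenant settings took effect.
Get-SPOTenant | Select-Object $props | Format-List
```

Hiding the claims only affects future sharing; files already shared with "Everyone Except External Users" keep that access until the reports in Step 3 and the remediation in Step 4 address them.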

Step 2: Identify inactive sites, then restrict access or delete

Reduce your surface area for potentially overshared content by identifying SharePoint sites that have been inactive for a long time. See how you can easily do that via the Inactive Site Policies in SharePoint Advanced Management. You can then lock down permissions on these sites via the Restricted Access Control policy. You can also consider deleting these sites.

Step 3: Identify potentially overshared content

A SharePoint admin can run reports in the SharePoint Admin Center to discover broad sharing activity happening over the last month. SharePoint Advanced Management’s new data access governance reports can help here. A SharePoint admin can run reports on:

These reports can be downloaded as CSV files. You can also build your own report by using Microsoft Graph Data Connect for SharePoint.

Reports on "Everyone Except External Users" are currently (March 2024) in private preview. Use this link to sign up.

Step 4: Take remediation actions to address oversharing

Once you have identified the SharePoint sites with potential oversharing issues, it's time to act. Your actions should consider several factors, including data sensitivity, the severity of the oversharing, and the need to maintain business operations. These actions include:

  1. For content that has been overshared and needs immediate action:
    1. The SharePoint admin should configure a Restricted Access Control policy for such sites. As a result, all existing access to the site is restricted to only the group of users configured by the admin. Accordingly, the content from this site is visible in the Copilot for Microsoft 365 experience only for this restricted group of users. This policy works for both OneDrive and SharePoint.
    2. For high-profile instances, you may want to determine who/how/when the oversharing took place. Use the Change History feature to see what changes may have contributed to the oversharing.
  2. For cases where the SharePoint admin needs to consult with site owners/admins for action:
    1. The SharePoint admin can reach out to the owners of sites identified in data access governance reports. The SharePoint admin can advise site owners about the overshared files and folders in the site and ask them to manually remove unnecessary access.
    2. In the spring of 2024, we'll be releasing a new SharePoint Advanced Management feature called "Site Access Review" that a SharePoint admin can initiate from any 'Data Access Governance' report. Site owners will use a new Site Access Review UI to review broadly shared content on their site and either take remediation action to remove overly broad permissions or provide business justification to the SharePoint admin.

Step 5: Set restricted access control and block file download policies on business-critical sites
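The immediate-action remediation from Step 4 (item 1.1) together with the block download policy named in Step 5, as an added example with the SharePoint Online Management Shell (not code from the original article). The site URLs, Entra group IDs and the CSV standing in for a data access governance report are constructed; the column names are an assumption, not the real report schema.

```powershell
# Added example: apply Restricted Access Control (Step 4) and the block download
# policy (Step 5) to sites flagged as overshared. All URLs, group IDs and the
# report rows below are constructed placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Restricted Access Control is enabled once per tenant
# (SharePoint Advanced Management license required).
Set-SPOTenant -EnableRestrictedAccessControl $true

# Constructed input standing in for a downloaded data access governance report:
# one row per site needing immediate action, plus the Entra security group that
# should keep access and whether the site is business-critical.
$reportCsv = @"
SiteUrl,AllowedGroupId,BusinessCritical
https://contoso.sharepoint.com/sites/MnA,00000000-0000-0000-0000-000000000001,True
https://contoso.sharepoint.com/sites/HRArchive,00000000-0000-0000-0000-000000000002,False
"@
$rows = $reportCsv | ConvertFrom-Csv

foreach ($row in $rows) {
    # Restrict the site so only members of the configured security group can
    # open it; Copilot for Microsoft 365 then surfaces its content only to them.
    # (For Microsoft 365 group-connected sites access is limited to the
    # connected group's members instead, and no group list is supplied.)
    Set-SPOSite -Identity $row.SiteUrl `
                -RestrictedAccessControl $true `
                -RestrictedAccessControlGroups $row.AllowedGroupId

    # Business-critical sites additionally get the block download policy, so
    # content can be viewed in the browser but not downloaded or synced.
    if ($row.BusinessCritical -eq 'True') {
        Set-SPOSite -Identity $row.SiteUrl -BlockDownloadPolicy $true
    }
}

# Verify the applied policies for each site before closing the remediation.
foreach ($row in $rows) {
    Get-SPOSite -Identity $row.SiteUrl -Detailed |
        Select-Object Url, RestrictedAccessControl,
                      RestrictedAccessControlGroups, BlockDownloadPolicy
}
```

Restricting access does not remove the underlying overshared permissions; it overlays a group filter on top of them, so the site-owner review in Step 4 (item 2) is still needed to clean up the permissions themselves.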