TL;DR. Microsoft 365 Copilot respects existing SharePoint, OneDrive, and Teams permissions exactly — and that is the problem. Per Microsoft's official documentation, "Copilot only shows the data that users have permission to access." For most enterprises that means a decade of accumulated "everyone in the company" sharing is now queryable in natural language. Microsoft's own Copilot readiness guidance outlines five remediation steps and a set of admin tools (SharePoint Advanced Management, Restricted SharePoint Search, Microsoft Purview) — but most organizations need an additional runtime layer between Copilot and the underlying content.
How does Microsoft 365 Copilot decide what data to surface?
Microsoft 365 Copilot pulls from Microsoft Graph — emails, chats, documents, meetings, files in SharePoint and OneDrive — and surfaces only content the requesting user already has permission to access. As Microsoft's official overview states: "Copilot only shows the data that users have permission to access." Permissions are honored faithfully. The change is that discovery of overshared content has gone from effectively impossible to a single natural-language prompt.
Why is Copilot creating a new data-exposure surface if it respects permissions?
Because, for most enterprises, the underlying permissions model has been wide for years — protected only by the obscurity of weak search. Microsoft's own Copilot readiness documentation calls this out directly, citing risk signals that overlap to create "high-risk sites":
- "Broad sharing through 'Anyone,' 'Everyone,' and organization-wide links"
- "Large audiences with excessive permissions"
- "Broken permission inheritance and complex access models"
- "Sensitive content with weak protection"
- "Unlabeled or public sites"
- "Governance gaps with ownerless, inactive, or unreviewed sites"
That list, published by Microsoft, is a clinical description of nearly every M365 tenant we have audited. The permissions were always wrong. Copilot just made them discoverable.
The OWASP frame
The pattern maps cleanly to LLM02: Sensitive Information Disclosure in the OWASP Top 10 for Large Language Model Applications (2025) — failure to protect against the disclosure of sensitive information through LLM outputs. Copilot does not generate the leak; it surfaces content the underlying permissions already exposed.
What are the five Copilot oversharing patterns that actually cause incidents?
Five recurring oversharing patterns account for the majority of real-world Copilot data-exposure incidents. They are not exotic — they map to specific risk signals called out in Microsoft's Copilot readiness guidance.
1. The "Everyone except external users" HR site
Originally created so the People team could share the benefits handbook. Over time it accumulates org charts with comp bands, severance templates, and reduction-in-force planning folders. Microsoft's Everyone Except External Users (EEEU) data access governance report was built specifically to surface these sites; running it on a typical tenant returns hundreds.
2. The legacy M&A war room
A SharePoint site spun up for a deal that closed years ago. Membership was never cleaned up. The acquired company's old security team still has access. The site still contains the original term sheet. A diligence-flavored Copilot prompt from anyone in that membership group pulls it back.
3. The exec assistant's OneDrive
An EA stores the CEO's travel itineraries, board pre-reads, and personal correspondence in their own OneDrive, then shares folders with the broader admin pool "for coverage." Copilot, queried by another EA, returns the CEO's next month of meetings.
4. The Teams channel that became a knowledge base
A team uses a single Teams channel as their working memory — customer escalations, internal incident timelines, half-formed strategy. Two years in, the channel has tens of thousands of messages and a membership that ballooned during reorganizations. Copilot summarizes the whole thing for anyone who joins.
5. The shared mailbox catastrophe
A support@ or legal@ mailbox accumulates delegates over a decade. Copilot, asked to summarize "recent legal matters," draws from every email anyone in that delegate list can technically read.
Why do existing controls miss Copilot oversharing risk?
Each existing control was designed for a different threat model. Walking through the stack:
- Sensitivity labels only protect files they are actually applied to. In typical tenants we audit, label coverage on legacy content is in the low single digits. Copilot does not care about your taxonomy; it cares what is on the document right now.
- Microsoft Purview DLP is excellent at preventing new policy violations. It does little about ten years of accumulated oversharing already in the tenant. It is a future-tense tool against a past-tense problem.
- SharePoint admin reports identify what is overshared. They do not natively identify what is sensitive and overshared without combining multiple reports — Microsoft is closing this gap with the new AI insights feature in SharePoint Advanced Management, but most tenants have not enabled it.
- Copilot's own controls — including Restricted SharePoint Search and Restricted Content Discovery — work, but reduce the user experience the organization paid for. Many tenants disable them within a quarter.
The honest version: most tenants need a runtime layer that inspects Copilot prompts and responses, on top of the static labels and DLP they already have. That is the gap our Microsoft Copilot data security solution was built to address, but the principle holds whether you build, buy, or borrow.
What official Microsoft tools should I use for Copilot oversharing remediation?
Microsoft has published a documented set of tools and a five-step readiness plan in the Copilot readiness with SharePoint Advanced Management guide. The most relevant tools, with what each does:
| Microsoft tool | What it does | When to use it |
|---|---|---|
| Content Management Assessment | Runs guided reports surfacing overshared sites, ownerless sites, inactive sites | Step 1 of any Copilot readiness program |
| Data Access Governance reports (EEEU, sharing links activity, site permissions baseline) | Identifies overshared and sensitive content | Continuous monitoring |
| SharePoint Advanced Management (SAM) | Bundles governance, lifecycle, and oversharing tooling | Org-wide rollout |
| Restricted SharePoint Search (RSS) | Limits Copilot search to an explicit site allowlist while remediation runs | Short-term containment |
| Restricted Content Discovery (RCD) | Prevents specific high-risk sites from appearing in Copilot or org-wide search | Per-site protection of identified risk |
| Microsoft Purview | Sensitivity labels, DLP, and AI-aware data security | Foundation for everything above |
| Microsoft 365 Archive | Moves inactive sites to archive storage; Copilot is not trained on archived content | Reduce blast radius from old content |
Note that none of these are AI-specific products. They are existing Microsoft governance tools that — used correctly — substantially reduce Copilot's exposure surface. The most common failure mode we see is organizations that bought Copilot and did not enable SAM, RSS, or RCD.
How do I remediate Copilot oversharing in 90 days?
Most enterprises will need 6–12 months of remediation work to close the underlying permissions problem completely. A focused 90-day program can materially reduce the risk surface and build a defensible posture for board and audit committee review.
Days 0–30: See what you actually have
- Run the Content Management Assessment and the EEEU data access governance report. Rank sites by the overlap of sensitivity and accessibility.
- Identify your top 50 sites by risk score. These will produce most of your real Copilot incidents.
- Turn on Restricted SharePoint Search for unlabeled legacy content until triage completes. Users will complain. They will complain less than they would about being on the front page of the Wall Street Journal.
Days 30–60: Put inspection in the Copilot path
- Inspect prompts and responses in the Copilot data path. You want to know — in real time — when Copilot is about to return content tagged as MNPI, PHI, comp data, or M&A material to a user with permission but no business need. Permission is necessary; in 2026 it is no longer sufficient.
- Enable Microsoft Purview AI Hub data security controls for generative AI. Wire response redaction for your highest-sensitivity categories.
- Log every Copilot interaction with sources cited, user identity, and sensitivity classification. If an auditor asks "what did Copilot tell which employee about the merger last Tuesday," you should be able to answer in under five minutes.
Days 60–90: Fix the underlying permissions, not just the symptoms
- Run a sensitivity-label coverage push on your top 200 highest-risk sites. Unglamorous, mostly manual, and the single highest-leverage thing your data governance team can do this year.
- Implement just-in-time access for board materials, M&A, and HR investigations. Standing access for sensitive content is the original sin; Copilot just turns it into a sermon.
- Build a recurring Copilot governance review into your existing access certification cadence. Treat Copilot as a privileged identity, because functionally it now is one.
What does "good" Copilot governance look like?
You should be able to answer, on demand:
- How many sites in our tenant are both overshared (per the EEEU report) and contain sensitivity-classified content, and what is the 90-day trend?
- For the last 24 hours of Copilot activity: how many responses surfaced content classified above "Internal"? To which users? Was any of it outside their established business context?
- For our top ten most sensitive document types: is there a redaction policy in the Copilot response path, and when was it last tested?
- For the last externally-reported Copilot data-exposure incident: would our controls have caught it, and if not, what is on the roadmap?
- For the next board meeting: can we produce, in one page, a Copilot data exposure profile an audit committee chair will trust?
The strategic reality
The hardest part of this conversation, every time, is the part where we have to say: Copilot is not the risk. Your permissions model is the risk. Copilot is the X-ray.
The instinct, when leadership sees what Copilot surfaces, is to turn Copilot down or off. That instinct is almost always wrong. The data was already exposed; the right move is to fix the exposure, not put the X-ray back in its box. Competitors who do the harder, slower work of cleaning up the underlying tenant — and putting a runtime governance layer on top — will ship, hire, and onboard faster than the ones who panic-disable Copilot for six months while a committee debates.
FAQ
Does Microsoft 365 Copilot bypass SharePoint permissions?
No. Microsoft's official documentation is explicit: "Copilot only shows the data that users have permission to access." Copilot honors existing SharePoint, OneDrive, Teams, and Exchange permissions. The exposure risk comes from overly broad permissions that already existed before Copilot was deployed.
What is the EEEU report and why does it matter for Copilot?
EEEU stands for "Everyone Except External Users." It is a data access governance report in SharePoint Advanced Management that identifies the top sites where content has been shared with the entire organization. Because Copilot honors those broad permissions, EEEU-flagged sites are the highest-priority Copilot oversharing risk.
What is Restricted SharePoint Search?
Restricted SharePoint Search (RSS) is a Microsoft feature that limits Copilot's search scope to an explicit allowlist of SharePoint sites. It is designed as a temporary control while organizations review and correct site permissions before broad Copilot rollout.
Can Microsoft Purview prevent Copilot data leaks?
Microsoft Purview provides data security and compliance controls for generative AI including sensitivity labels, DLP policies, and review of Copilot prompts and responses. It is foundational but not sufficient alone — Purview enforces labels that have been applied, and most legacy content is unlabeled.
What is the difference between Restricted SharePoint Search and Restricted Content Discovery?
RSS restricts Copilot search at the tenant level to an allowlist. Restricted Content Discovery (RCD) restricts discovery at the per-site level, preventing specific high-risk sites from appearing in Copilot or org-wide search while leaving direct site access unchanged.
How long does Copilot oversharing remediation typically take?
A 90-day program produces a defensible posture: top-50 risk sites triaged, runtime inspection in place, board-ready reporting. Full remediation of the underlying permissions model in a large enterprise tenant typically takes 6–12 months and is best run as a continuous program rather than a project.
What's the difference between Copilot permissions sprawl and a traditional M365 over-permission problem?
They are the same underlying defect — wide standing access across SharePoint, OneDrive, Teams, and shared mailboxes — but with a radically different exploitability profile. Traditional over-permission was latent because content was protected by the obscurity of weak keyword search and the cognitive cost of navigating thousands of sites. Copilot collapses that friction to a natural-language prompt, so a tenant that had a tolerable risk posture on a Friday has an intolerable one on Monday morning, with no permission actually changed.
Why didn't Microsoft Purview catch this when we configured it correctly?
Purview DLP and sensitivity labels only enforce on content that has been labeled, and in the tenants we audit, legacy content label coverage is usually in the low single digits. Purview is a forward-looking control: it prevents new violations and protects already-classified files, but does nothing about a decade of unlabeled documents sitting in EEEU-shared sites. The fix is a sensitivity-label coverage push on your highest-risk sites combined with Purview AI Hub controls and a runtime response-inspection layer — Purview alone is necessary but not sufficient.
How do we audit who has access to what Copilot can see — at scale across our tenant?
Start with the SharePoint Advanced Management Data Access Governance reports — specifically the EEEU report, sharing links activity, and the site permissions baseline — and rank sites by the overlap of broad sharing and sensitivity-labeled content. For per-user exposure, the Microsoft Graph permissions APIs let you enumerate effective access by identity, which is what you want when an executive asks "what could my new VP actually see if they asked Copilot." Expect the first scan to surface hundreds of high-risk sites; that is normal and not a sign you have done something wrong.
Will Microsoft's Restricted Content Discovery roll-out solve this?
RCD is a useful per-site scalpel — it prevents specified high-risk sites from appearing in Copilot or org-wide search while leaving direct access intact — but it is not a tenant-wide solution. You still have to identify the sites, and most tenants have far more high-risk sites than the operations team can hand-curate. Treat RCD as a containment tool for your top 50–200 sites during triage, paired with RSS for broader containment, while the real remediation work on permissions and labels runs in parallel.
We're a HIPAA-covered organization — does this change our risk profile?
Yes, materially. PHI sitting in EEEU-shared SharePoint sites, clinical Teams channels, or shared intake@ mailboxes becomes queryable by any workforce member with Copilot, and a single overshared site can constitute a reportable disclosure under the HIPAA Breach Notification Rule even without external exfiltration. Prioritize a PHI-focused sensitivity-label sweep, enable Purview AI Hub redaction for HIPAA-classified content in the Copilot response path, and log every Copilot interaction with sources cited so you can answer an OCR inquiry about what was disclosed, to whom, and when.
What's the right answer in the next 90 days: turn off Copilot, restrict it, or accept the risk with controls?
Restrict it temporarily, then re-open it with controls — almost never turn it off, and never accept the risk without remediation. Turn on Restricted SharePoint Search for unlabeled legacy content while you triage your top-50 risk sites, deploy Purview AI Hub response inspection for your highest-sensitivity categories, and put just-in-time access on board, M&A, and HR investigation content. Panic-disabling Copilot leaves the underlying exposure intact while costing you the productivity you paid for; the defensible posture is contained-then-re-opened with logging, redaction, and a 90-day remediation plan the audit committee can see.
Where to take this next
If you want a faster path — including a tenant-wide oversharing-and-sensitivity scan that produces a prioritized remediation list, plus a working pilot of runtime Copilot response inspection — that is exactly the conversation our team is running this week. Book 30 minutes with our security team and we will walk your tenant with you.