Microsoft Copilot Data Oversharing Audit Checklist (2026)

40-item checklist to find and fix Copilot data oversharing risks before they cause compliance incidents. SharePoint permission cleanup, sensitivity label coverage, restricted-access patterns, and the audit-script library EPC Group runs pre-rollout.

Errin O'Connor, Founder & Chief AI Architect · March 27, 2026 · 19 min read · Updated April 25, 2026
Tags: Microsoft Copilot, Data Oversharing, SharePoint, Microsoft Purview, AI Governance, Compliance

Microsoft 365 Copilot grounds on everything the signed-in user can already read. It never grants new access, but it removes every step that used to stand between a user and content they were over-permissioned on, which is why loose SharePoint permissions turn Copilot into a discovery-amplification machine that surfaces material the user was never meant to see. EPC Group's first task on every Copilot rollout is the Data Oversharing Audit. This is our 40-item checklist.

Why oversharing matters more in Copilot than in search

Without Copilot, an employee looking for HR records would need to (1) know the site exists, (2) navigate to it, (3) search, and (4) skim the results. Copilot collapses all four steps: ask "summarize our most recent compensation discussions" and it returns whatever over-permissioned HR documents the user can technically read, in seconds.

EPC Group has audited 80+ Fortune 500 tenants. 100% had at least one oversharing risk; the median had 47 distinct issues. Worst tenant we audited had 312 issues.

The 40-item Oversharing Audit Checklist

Section A: Tenant-Level (10 items)

  1. Tenant default sharing setting is "Only people in your organization" or, where guests are genuinely required, "New and existing guests"; never "Anyone" (anonymous links).
  2. Guest access is governed rather than simply switched off: Entra B2B guests only, resharing by guests blocked, and access reviews on a fixed cadence.
  3. Default link type is "People with existing access" (not "Anyone"), with the default link permission set to View.
  4. External sharing limited by a domain allow-list for sensitive content.
  5. External sharing per site set to the most restrictive level the site's work allows (a site can be stricter than the tenant default but never looser).
  6. Site Owner approval required for sensitive site creation.
  7. SharePoint site provisioning template enforces governance baseline.
  8. Microsoft Entra ID groups used for permissions (not individual user grants at scale).
  9. Group lifecycle policy active (auto-delete inactive M365 Groups after N months).
  10. Unified audit log enabled tenant-wide.
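Most of the tenant-level items are properties of the SharePoint tenant object, so they can be checked by script rather than eyeballed in the admin center. The script below is an added example for this page, not EPC Group's own audit library. It assumes the SharePoint Online Management Shell, Exchange Online and Microsoft Graph PowerShell modules are installed, that you hold SharePoint Administrator and Compliance Administrator rights plus Graph `Directory.Read.All` consent, and that the admin URL, allowed-domain list and notification address are placeholders for your tenant. It reads the current values for items A1 to A4, A9 and A10 (plus the OneDrive setting from the FAQ), and prints the remediation command for each one that fails instead of changing anything on its own.

```powershell
# Added example (not EPC Group's script library): Section A tenant baseline check.
# Assumptions: modules below installed; SharePoint Admin + Compliance Admin + Graph
# Directory.Read.All; $AdminUrl, $AllowedDomains and the admin mailbox are placeholders.

Import-Module Microsoft.Online.SharePoint.PowerShell
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Groups

$AdminUrl       = "https://contoso-admin.sharepoint.com"   # placeholder
$AllowedDomains = "contoso.com partner.example"            # placeholder, space-separated
$findings       = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Item, [string]$Found, [string]$Fix) {
    $findings.Add([pscustomobject]@{ Item = $Item; Found = $Found; Fix = $Fix })
}

Connect-SPOService -Url $AdminUrl
$t = Get-SPOTenant

# A1: "Anyone" links correspond to ExternalUserAndGuestSharing; every other mode is acceptable.
if ($t.SharingCapability -eq "ExternalUserAndGuestSharing") {
    Add-Finding "A1" $t.SharingCapability "Set-SPOTenant -SharingCapability ExternalUserSharingOnly"
}
# A2: guests must not be able to re-share what was shared with them.
if (-not $t.PreventExternalUsersFromResharing) {
    Add-Finding "A2" "guest resharing allowed" "Set-SPOTenant -PreventExternalUsersFromResharing `$true"
}
# A3: default link is "People with existing access" (Direct) and defaults to View.
if ($t.DefaultSharingLinkType -ne "Direct" -or $t.DefaultLinkPermission -ne "View") {
    Add-Finding "A3" "$($t.DefaultSharingLinkType)/$($t.DefaultLinkPermission)" `
        "Set-SPOTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View"
}
# A4: external sharing restricted to an allow-list of domains.
if ($t.SharingDomainRestrictionMode -ne "AllowList") {
    Add-Finding "A4" $t.SharingDomainRestrictionMode `
        "Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList '$AllowedDomains'"
}
# FAQ (OneDrive): personal storage cannot be shared externally; Teams sites are used instead.
if ($t.OneDriveSharingCapability -ne "Disabled") {
    Add-Finding "OneDrive" $t.OneDriveSharingCapability "Set-SPOTenant -OneDriveSharingCapability Disabled"
}

# A9: a tenant-wide M365 group expiration policy must exist and apply to all groups.
Connect-MgGraph -Scopes "Directory.Read.All" -NoWelcome
$lifecycle = Get-MgGroupLifecyclePolicy
if (-not $lifecycle -or $lifecycle.ManagedGroupTypes -ne "All") {
    Add-Finding "A9" "no tenant-wide group expiration policy" `
        "New-MgGroupLifecyclePolicy -GroupLifetimeInDays 180 -ManagedGroupTypes All -AlternateNotificationEmails admin@contoso.com"
}

# A10: unified audit log ingestion is on (checked through Exchange Online).
Connect-ExchangeOnline -ShowBanner:$false
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Add-Finding "A10" "unified audit log off" "Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true"
}

# Findings only; apply the Fix column after change control has reviewed it.
$findings | Format-Table -AutoSize -Wrap
$findings | Export-Csv .\SectionA-findings.csv -NoTypeInformation
```

The script deliberately separates detection from remediation: the `Fix` column is what you paste into a change ticket, not what the script runs, because the A1 and A4 changes in particular will break existing external links the moment they are applied.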

Section B: SharePoint Site-Level (10 items)

  1. No site grants "Everyone except external users" (or "Everyone") Edit, Contribute or Full Control on sensitive content.
  2. No site has 100+ users with Full Control (site owner) permission.
  3. Sensitive sites have explicit Site Owner accountable.
  4. Inactive sites (>180 days no activity) reviewed for retention or archive.
  5. Sensitive site URLs not predictable or discoverable. Treat this as hygiene only: neither search nor Copilot needs the URL to surface content the user already has permission to read, so it never substitutes for items 1, 2 and 10.
  6. Site permissions inheritance broken only when justified.
  7. Permission groups follow naming convention.
  8. External users on sensitive sites reviewed quarterly.
  9. Site sharing reports reviewed monthly (SharePoint admin center data access governance reports, backed by the Purview audit log).
  10. Sensitivity labels applied at site level (Confidential, Restricted, Highly Confidential).

Section C: Document-Level (10 items)

  1. Sensitivity labels applied to ≥85% of documents in sensitive sites.
  2. Documents marked Confidential / Restricted have label-based encryption.
  3. DLP policies block sensitive content from being shared externally.
  4. Auto-labeling running for known sensitive document types (resumes, contracts, financials).
  5. Existing-document classification scan completed.
  6. Documents with broad permissions (Everyone except external) reviewed.
  7. Files in OneDrive that should be in Teams sites moved.
  8. "Shared with everyone in the company" link policy reviewed.
  9. Versioning enabled on all sensitive sites.
  10. Retention policies aligned to data class.
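Two of the document-level items are measurable from PowerShell: the DLP control in item 3 and the 85% label-coverage target in item 1. The script below is an added example for this page, not EPC Group's audit library. It assumes the Security & Compliance (Purview) PowerShell and PnP PowerShell modules, a PnP app registration (`$ClientId`), and placeholder values for the site URL and policy name. The DLP policy is created in simulation mode with two built-in sensitive information types; the coverage check relies on the SharePoint search managed property `InformationProtectionLabelId`, which holds the sensitivity label GUID of a crawled file, and on `Get-Label` exposing a `Guid` property for the name lookup (both assumed here, verify against your tenant's search schema before trusting the numbers).

```powershell
# Added example (not EPC Group's script library): Section C items 3 and 1.
# Assumptions: ExchangeOnlineManagement (Connect-IPPSSession) and PnP.PowerShell modules,
# a PnP app registration, placeholder site URL and policy name; the search property
# InformationProtectionLabelId and the Get-Label Guid field are assumed, check them.

Import-Module ExchangeOnlineManagement
Import-Module PnP.PowerShell

$SiteUrl    = "https://contoso.sharepoint.com/sites/HR"      # placeholder sensitive site
$ClientId   = "00000000-0000-0000-0000-000000000000"         # placeholder PnP app registration
$PolicyName = "Copilot-Audit-Block-External-PII"             # placeholder
$Target     = 0.85                                            # C1 coverage threshold

Connect-IPPSSession

# --- C3: DLP policy across all SharePoint and OneDrive locations, in test mode first.
if (-not (Get-DlpCompliancePolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-DlpCompliancePolicy -Name $PolicyName -Comment "Oversharing audit item C3" `
        -SharePointLocation All -OneDriveLocation All -Mode TestWithNotifications | Out-Null

    # The rule only fires when the file is shared with someone outside the organisation;
    # internal collaboration on the same file is untouched, which keeps false positives down.
    New-DlpComplianceRule -Name "$PolicyName-Rule" -Policy $PolicyName `
        -ContentContainsSensitiveInformation @(
            @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
            @{ Name = "Credit Card Number";               minCount = "1" }
        ) `
        -AccessScope NotInOrganization `
        -BlockAccess $true -BlockAccessScope All `
        -NotifyUser Owner `
        -NotifyPolicyTipCustomText "This file contains PII and cannot be shared outside the organisation." | Out-Null
}

# Label GUID -> display name so the coverage report is readable (Guid field assumed).
$labelName = @{}
Get-Label | ForEach-Object { $labelName[$_.Guid.ToString()] = $_.DisplayName }

# --- C1: label coverage for every document under the site, via the search index.
Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $ClientId
$rows = Submit-PnPSearchQuery -Query "IsDocument:true AND Path:$SiteUrl" `
    -SelectProperties "Path", "InformationProtectionLabelId" `
    -TrimDuplicates $false -All -RelevantResults

$total    = @($rows).Count
$labeled  = @($rows | Where-Object { $_["InformationProtectionLabelId"] }).Count
$coverage = if ($total -gt 0) { $labeled / $total } else { 0 }
$verdict  = if ($coverage -ge $Target) { "PASS" } else { "FAIL" }
"{0}: {1}/{2} documents labeled ({3:P1}), target {4:P0}: {5}" -f $SiteUrl, $labeled, $total, $coverage, $Target, $verdict

# Breakdown by label; the "(none)" bucket is the backlog for auto-labeling (C4).
$rows | Group-Object {
    $id = $_["InformationProtectionLabelId"]
    if (-not $id) { "(none)" } elseif ($labelName.ContainsKey($id)) { $labelName[$id] } else { $id }
} | Sort-Object Count -Descending | Format-Table Name, Count
```

Search-based coverage counts only what the crawler has indexed, so a site with thousands of freshly uploaded files will under-report for a few hours; re-run before signing off the 85% figure.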

Section D: Copilot-Specific (10 items)

  1. Restricted SharePoint Search (RSS) enabled where an allow-list is needed: Copilot and org-wide search then ground only on the curated site list (plus files the user has already worked with), keeping unaudited sites out of Copilot until remediation is done. A stop-gap, not the end state.
  2. Sensitivity labels shown in Copilot citations and enforced in responses (label encryption and usage rights are what Copilot honours; see the FAQ).
  3. Restricted Content Discovery enabled on sensitive sites, so their files are excluded from tenant-wide search and Copilot grounding even for users who hold permission.
  4. Copilot grounding sources documented per use case.
  5. Copilot interactions logged in the Microsoft Purview audit log (CopilotInteraction record type), with audit retention set to cover your compliance window (Audit Premium where longer retention is needed).
  6. Custom Copilot Studio agents configured with explicit grounding scope.
  7. Auto-redaction policy active for PII in Copilot responses.
  8. End-user training covers "what not to ask" for sensitive contexts.
  9. Periodic prompt-pattern review for accidental sensitive-data exposure.
  10. Quarterly executive briefing on Copilot governance posture.
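Items 1, 3 and 5 are pure configuration plus one audit query, so they belong in the same script. The block below is an added example for this page, not EPC Group's script library. It assumes the SharePoint Online Management Shell and Exchange Online modules, SharePoint Administrator and audit-reader rights, and placeholder site lists. After enabling Restricted SharePoint Search and flagging the sensitive sites for Restricted Content Discovery, it pulls 30 days of `CopilotInteraction` audit records and lists which SharePoint sites Copilot actually grounded on; the `CopilotEventData.AccessedResources` fields used for that (`SiteUrl`, `Name`, `SensitivityLabelId`) follow the published CopilotInteraction schema and are assumed here rather than taken from the page.

```powershell
# Added example (not EPC Group's script library): Section D items 1, 3 and 5.
# Assumptions: Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules,
# SharePoint Admin + audit reader; the site lists are placeholders; the AccessedResources
# field names are assumed from the CopilotInteraction audit schema.

Import-Module Microsoft.Online.SharePoint.PowerShell
Import-Module ExchangeOnlineManagement

$AdminUrl       = "https://contoso-admin.sharepoint.com"   # placeholder
$SensitiveSites = @(                                        # placeholder: hide from Copilot (D3)
    "https://contoso.sharepoint.com/sites/MandA",
    "https://contoso.sharepoint.com/sites/LegalHold"
)
$CuratedSites   = @(                                        # placeholder: audited sites Copilot may use (D1)
    "https://contoso.sharepoint.com/sites/Policies",
    "https://contoso.sharepoint.com/sites/ITKnowledge"
)

Connect-SPOService -Url $AdminUrl

# --- D3: Restricted Content Discovery, per site. Permissions do not change; the site just
# stops appearing in tenant-wide search results and in Copilot grounding for everyone.
foreach ($url in $SensitiveSites) {
    Set-SPOSite -Identity $url -RestrictContentOrgWideSearch $true
    Get-SPOSite -Identity $url -Detailed | Select-Object Url, RestrictContentOrgWideSearch
}

# --- D1: Restricted SharePoint Search. While enabled, org-wide search and Copilot see only
# the allow-listed sites (at most 100 entries) plus content the user has already worked with.
# Keep it on only while Section B/C remediation runs; it is not an access control.
Set-SPOTenantRestrictedSearchMode -Mode Enabled
Add-SPOTenantRestrictedSearchAllowedList -SitesList $CuratedSites
Get-SPOTenantRestrictedSearchMode
Get-SPOTenantRestrictedSearchAllowedList

# --- D5: what Copilot grounded on in the last 30 days. A sensitive site appearing here means
# D3 was applied too late, or to the wrong URL.
Connect-ExchangeOnline -ShowBanner:$false
$end     = Get-Date
$records = Search-UnifiedAuditLog -StartDate $end.AddDays(-30) -EndDate $end `
    -RecordType CopilotInteraction -ResultSize 5000     # page with -SessionId/-SessionCommand above 5000

$grounded = foreach ($r in $records) {
    $data = $r.AuditData | ConvertFrom-Json
    # AccessedResources lists the files Copilot pulled into the response (schema assumed, see above).
    foreach ($res in $data.CopilotEventData.AccessedResources) {
        [pscustomobject]@{
            When  = $data.CreationTime
            User  = $data.UserId
            Site  = "$($res.SiteUrl)".TrimEnd('/')
            File  = $res.Name
            Label = $res.SensitivityLabelId
        }
    }
}

$grounded | Group-Object Site | Sort-Object Count -Descending | Format-Table Name, Count
# Hits against the sensitive list are the incidents to walk back with the site owner.
$grounded | Where-Object { $SensitiveSites -contains $_.Site } | Format-Table When, User, Site, File
```

Run the D5 query again a day after applying Restricted Content Discovery: the index takes time to honour the flag, and the audit trail is the only direct evidence that a given site has actually dropped out of grounding.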

Tools we run pre-rollout

EPC Group's audit script library:

  • PnP PowerShell: tenant-wide site permission audit, broken-inheritance detection, "Everyone except external users" exposure scan.
  • Microsoft Graph PowerShell: M365 Group membership and lifecycle audit.
  • Microsoft Purview eDiscovery: sensitive-content discovery + classification gap analysis.
  • Microsoft Purview Audit Search: previous-30-day sharing event audit.
  • Microsoft 365 DLP Reports: rule-violation analysis.

Output: 40-item finding spreadsheet ranked by risk score. Average remediation: 4-12 weeks.
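The PnP and Purview audit-search bullets above describe the scans that produce the Section B findings, so here is one version of them in working form: an added example for this page, not EPC Group's script library. It assumes an Entra app registration for PnP PowerShell (`$ClientId`), SharePoint Administrator and audit-reader rights, and placeholder URLs. It walks every non-OneDrive site and records three of the Section B patterns (B1: "Everyone except external users" or "Everyone" holding a write-level permission, directly or through a SharePoint group; B2: owner sprawl; B6: broken inheritance at library and file level), then pulls 30 days of sharing events from the unified audit log grouped by operation and user.

```powershell
# Added example (not EPC Group's script library): Section B exposure scan + 30-day sharing audit.
# Assumptions: PnP.PowerShell and ExchangeOnlineManagement modules, a PnP app registration,
# SharePoint Admin and audit reader rights; $AdminUrl and $ClientId are placeholders.

Import-Module PnP.PowerShell
Import-Module ExchangeOnlineManagement

$AdminUrl   = "https://contoso-admin.sharepoint.com"   # placeholder
$ClientId   = "00000000-0000-0000-0000-000000000000"   # placeholder PnP app registration
$ReportPath = ".\SectionB-findings.csv"

# Claims that mean "every internal user": "Everyone except external users" is the
# spo-grid-all-users claim (tenant id follows it); c:0(.s|true is the classic "Everyone".
$BroadPrincipal = 'spo-grid-all-users|c:0\(\.s\|true'
# Permission levels that turn broad access into a finding; Read and Limited Access are ignored.
$WriteRoles = @("Full Control", "Edit", "Contribute", "Design")

function New-Finding($Item, $Site, $Principal, $Via, $Roles, $Detail) {
    [pscustomobject]@{ Item = $Item; Site = $Site; Principal = $Principal; Via = $Via; Roles = $Roles; Detail = $Detail }
}

Connect-PnPOnline -Url $AdminUrl -Interactive -ClientId $ClientId
$sites = Get-PnPTenantSite | Where-Object { $_.Url -notlike "*-my.sharepoint.com*" }

$findings = foreach ($site in $sites) {
    # Same app registration, so the cached token is reused and nobody is re-prompted.
    Connect-PnPOnline -Url $site.Url -Interactive -ClientId $ClientId
    $web = Get-PnPWeb -Includes RoleAssignments

    # B1: broad principal with a write-level role, directly or via a SharePoint group.
    foreach ($ra in $web.RoleAssignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $roles = @($ra.RoleDefinitionBindings | ForEach-Object Name)
        if (-not ($roles | Where-Object { $WriteRoles -contains $_ })) { continue }

        $logins = if ($ra.Member.PrincipalType -eq "SharePointGroup") {
            @(Get-PnPGroupMember -Group $ra.Member.Id | ForEach-Object LoginName)
        } else {
            @($ra.Member.LoginName)
        }
        foreach ($login in ($logins | Where-Object { $_ -match $BroadPrincipal })) {
            New-Finding "B1" $site.Url $login $ra.Member.Title ($roles -join ",") "broad principal with write access"
        }
    }

    # B2: owner sprawl.
    $owners = @(Get-PnPGroupMember -Group (Get-PnPGroup -AssociatedOwnerGroup))
    if ($owners.Count -ge 100) {
        New-Finding "B2" $site.Url "" "Site Owners" "Full Control" "$($owners.Count) owners"
    }

    # B6: broken inheritance. The per-item check costs one round-trip each, so on large
    # tenants scope this part to the sites that are actually in audit scope.
    $libs = Get-PnPList -Includes HasUniqueRoleAssignments | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }
    foreach ($lib in $libs) {
        $uniqueItems = 0
        foreach ($item in (Get-PnPListItem -List $lib -PageSize 2000)) {
            if (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments) { $uniqueItems++ }
        }
        if ($lib.HasUniqueRoleAssignments -or $uniqueItems -gt 0) {
            New-Finding "B6" $site.Url "" $lib.Title "" "library unique: $($lib.HasUniqueRoleAssignments); items unique: $uniqueItems"
        }
    }
}

$findings | Sort-Object Item, Site | Export-Csv $ReportPath -NoTypeInformation
$findings | Group-Object Item | Format-Table Name, Count

# Tools list, "previous-30-day sharing event audit": who created which kind of link, how often.
Connect-ExchangeOnline -ShowBanner:$false
$end     = Get-Date
$sharing = Search-UnifiedAuditLog -StartDate $end.AddDays(-30) -EndDate $end `
    -RecordType SharePointSharingOperation `
    -Operations AnonymousLinkCreated, CompanyLinkCreated, SharingSet, SharingInvitationCreated `
    -ResultSize 5000      # above 5000 events, page with -SessionId and -SessionCommand ReturnLargeSet
$sharing | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Group-Object Operation, UserId | Sort-Object Count -Descending |
    Select-Object -First 25 Name, Count | Format-Table -AutoSize
```

The B1 check matches on the claim string rather than the display name because the "Everyone except external users" principal is localised and can be renamed; the claim prefix is stable across tenants. Limited Access entries are skipped on purpose, since SharePoint adds them automatically whenever a child object has unique permissions and they carry no real rights.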

What changes after audit

EPC Group's typical findings remediation:

  • 60-100 sites with broken inheritance restored to inheritance.
  • 5,000-50,000 documents auto-labeled.
  • 10-30 "Everyone except external users" exposures removed.
  • 100-500 OneDrive files moved to proper Teams sites.
  • 5-15 sensitive sites added to Restricted Content Discovery list.

Frequently Asked Questions

How long does the oversharing audit take?

For a Fortune 500 tenant: 2-4 weeks for the audit + 4-12 weeks for remediation. Total 6-16 weeks.

Can we run Copilot during remediation?

For a pilot of around 50 users, yes. For the broader rollout, wait until the top 50 oversharing risks are remediated.

What is Restricted Content Discovery?

A site-level SharePoint setting, applied per site by a SharePoint administrator, that removes a site's files from tenant-wide search results and from Copilot grounding. Users who hold permission can still open the site directly and search within it; the content simply stops being discoverable from outside the site. Use it for highly sensitive content where you want access by deliberate navigation only, not through Copilot.

What is the riskiest oversharing pattern?

"Everyone except external users" with Edit permission on documents containing PII or financial data. EPC Group has seen this in HR sites, finance sites, M&A sites, and litigation hold sites.

Should we use Microsoft Syntex for sensitivity labeling?

Yes. Syntex (now sold as SharePoint Premium) classification models, alongside Purview auto-labeling policies, are the most efficient way to label tens of thousands of existing documents. Rule-based labeling alone cannot keep up with content velocity.

Does Copilot honor sensitivity labels?

Yes, in two ways. Copilot respects the label's usage rights: if a label encrypts a file and the user lacks the EXTRACT right, Copilot will not pull that file's content into a response even though the user can open the file. And when Copilot generates new content in an Office app from labeled sources, the output inherits the most restrictive label among them. Nothing extra has to be switched on in the tenant for this; the work is making sure labels carry encryption with the right usage rights and are actually applied (Section C).

What is data oversharing in Microsoft Teams?

Same risk in Teams as SharePoint, since Teams uses SharePoint under the hood. Audit covers both.

How do we handle external sharing?

Default-deny external sharing on sensitive sites. Use Microsoft Entra B2B with explicit guest accounts for required external collaboration. Avoid "Anyone with the link."

What about OneDrive personal sharing?

OneDrive has its own tenant-wide external sharing setting, which can be tighter than the SharePoint setting but never looser. EPC Group's policy: external sharing from OneDrive blocked tenant-wide; users collaborate externally through Teams sites, which sit under the site-level controls above.

How often should we re-audit?

Quarterly for sensitive tenants. Annually for stable tenants.


Need a Copilot data oversharing audit before rollout? EPC Group's 4-week sprint includes the 40-item checklist + remediation roadmap. Schedule an audit or see our AI Governance services.

Errin O'Connor

Founder & Chief AI Architect

29 years Microsoft consulting experience. 4-time Microsoft Press bestselling author.
