Microsoft Copilot Data Oversharing Audit Checklist (2026)

Microsoft Copilot Data Oversharing Audit Checklist (2026)

The single biggest risk in Microsoft 365 Copilot deployment is oversharing — SharePoint sites with permissions accumulated over 5-15 years cause Copilot to surface content the user is technically authorized to see but shouldn't see in practice. HR documents, M&A planning, performance reviews, executive memos.

This is the working enterprise oversharing audit checklist EPC Group uses for Fortune 500 Microsoft 365 Copilot deployments. Built from 90+ Copilot deployments since the M365 Copilot GA wave.

TL;DR — 47-Point Oversharing Audit

Domain	Checks	Severity
SharePoint site permissions	12 checks	High
Microsoft 365 Group membership	6 checks	High
OneDrive sharing	5 checks	Medium
External sharing	8 checks	High
Microsoft Restricted Search	4 checks	Day-1 mitigation
Microsoft Purview labeling	6 checks	High
Microsoft Sentinel monitoring	4 checks	Continuous
Microsoft Purview AI Hub	2 checks	Day-1

Why Copilot Oversharing Happens

SharePoint permissions accumulate. Every site collection a knowledge worker provisions, every "share with everyone in marketing" approval, every legacy file-share migration that flattened complex on-prem ACL structures into broad SharePoint groups — each of these decisions made sense at the time. Pre-Copilot, the cost of broad permission was limited by the friction of a user actually navigating to the site and opening the file. Copilot eliminates that friction. A natural-language prompt can surface a Restricted-tier executive memo to a user who has nominal Read access through a legacy security group nobody has reviewed since 2018.

Oversharing is not a Copilot bug. It is a pre-existing data-governance debt that Copilot makes visible. The audit checklist below is the EPC Group method for finding and quantifying that debt before Copilot exposes it.

Domain 1: SharePoint Site Permissions (12 Checks)

• Sites with "Everyone except external users" permissions identified and flagged
• Sites with anonymous-link sharing on Confidential or higher tier identified
• Sites with broken inheritance documented
• Sites with item-level permissions (anti-pattern) identified for remediation
• Per-user SharePoint group additions converted to Microsoft Entra security groups
• Owner accountability verified for every site (named primary + backup)
• Stale site collection admin assignments removed
• Inactive site detection criteria configured (90-180 day window)
• Site permission audit cadence documented (quarterly minimum)
• Microsoft Entra security group naming pattern enforced (SP-{Site}-Owners/Members/Visitors)
• Site-level sensitivity label container labels applied
• Microsoft Defender for Cloud Apps Conditional Access App Control configured

Domain 2: Microsoft 365 Group Membership (6 Checks)

• Group expiration policy enabled (180 or 365 days)
• Group owner re-attestation cadence documented
• Inactive group detection running
• Group naming convention enforced (department code prefix)
• Group external membership audited for Highly Confidential / Restricted
• Microsoft Entra Identity Governance access reviews active

Domain 3: OneDrive Sharing (5 Checks)

• OneDrive folders shared with "Anyone with link" identified and flagged
• Stale OneDrive content from departed employees archived
• OneDrive sharing posture matches sensitivity labels
• OneDrive retention policy aligned to industry obligations
• Microsoft Purview Insider Risk monitoring on OneDrive activity

Domain 4: External Sharing (8 Checks)

• Tenant-level external sharing posture documented per sensitivity tier
• Domain allowlist for partner organizations configured
• Domain blocklist for known-bad domains configured
• Microsoft Entra B2B guest invitation requires sponsor
• Guest user 90-day expiration with sponsor re-attestation
• Guest user inactivity auto-disable (60-day default)
• Microsoft Defender for Cloud Apps monitoring on guest activity
• Quarterly external user access reviews

Domain 5: Microsoft Restricted SharePoint Search (4 Checks)

Day-1 mitigation. Restricted Search limits Copilot grounding to a curated allowlist:

• Restricted Search enabled tenant-wide
• Allowlist of "safe" sites curated (typically 50-200 sites)
• Microsoft 365 Copilot grounding scoped to allowlist
• Quarterly allowlist review as permission cleanup progresses

Set-SPOTenantRestrictedSearchMode -Mode Enabled
Add-SPOTenantRestrictedSearchAllowedList -Url "https://contoso.sharepoint.com/sites/HRPolicy"

Restricted Search is the single most important Day-1 control. Every Copilot rollout EPC Group has audited that skipped this step generated a compliance finding within the first 30 days of go-live. Enable it before the first license is assigned, even if the allowlist starts small.

Domain 6: Microsoft Purview Labeling (6 Checks)

• Sensitivity label taxonomy published (5-tier minimum)
• Restricted-tier configured to block Copilot grounding
• Auto-labeling rules deployed for industry-specific patterns
• Container labels applied at site level
• DLP policies for Restricted-tier blocking
• Coverage at 80%+ on regulated content (target within 90 days)

Domain 7: Microsoft Sentinel Monitoring (4 Checks)

• Custom analytics rule for high-volume Restricted-tier grounding attempts
• Custom analytics rule for anomalous bulk SharePoint download
• Custom analytics rule for anomalous OneDrive external share spikes
• Microsoft Defender for Cloud Apps anomalies ingested

Domain 8: Microsoft Purview AI Hub (2 Checks)

• Microsoft Purview AI Hub enabled Day-1
• Sensitive data exposure alerts routed to compliance review

Audit Script Library

EPC Group ships an audit-script bundle covering the PowerShell, KQL, and Microsoft Graph queries that automate the discovery phase of this checklist. Representative scripts:

• Site permission inventory — exports every site collection with its sharing setting, broken inheritance count, item-level permission count, sensitive content count by sensitivity label, and primary/secondary owner. Run weekly during cleanup, monthly thereafter.
• Microsoft 365 Group membership audit — flags groups with no owner, groups with stale guest members, groups whose membership has grown more than 50% month-over-month.
• OneDrive sharing scan — surfaces every OneDrive folder shared with "Anyone with link" plus the sensitivity label of the underlying content, ranked by sensitivity-tier-weighted risk.
• External sharing posture — exports all guest users, their last activity timestamp, sponsoring user, and the sensitivity labels of content they can currently access.
• Restricted Search allowlist tracker — diffs the current allowlist against a target list and surfaces drift.

All scripts are delivered with the engagement and committed to a customer-owned Azure DevOps or GitHub repository so the customer can re-run them after EPC Group's engagement ends.

Common Findings During Audit

Severity 1 (Block Copilot rollout)

• 30%+ of sites with "Everyone except external users" permission
• Sensitivity label coverage <20% on regulated content
• Microsoft Purview Audit retention <90 days
• No Microsoft Purview AI Hub configured

Severity 2 (Remediate before phased rollout)

• 15-30% of sites with broad permissions
• Sensitivity label coverage 20-50%
• Microsoft Restricted Search not enabled
• Information Barriers not configured (financial services)

Severity 3 (Address during rollout)

• 5-15% of sites with broad permissions
• Sensitivity label coverage 50-80%
• Microsoft Sentinel custom analytics rules incomplete
• Quarterly access reviews not enforced

Remediation Timeline

EPC Group standard remediation:

• Microsoft Restricted Search Day 1
• Sensitivity label rollout: 90 days to 80%+ coverage
• Permission cleanup wave: 90-180 days
• Microsoft Purview AI Hub configuration: 30 days
• Total to clean posture: 4-6 months

The permission cleanup wave is the longest single line item. EPC Group runs it in three sub-waves: (1) sites flagged Severity 1 in the inventory get remediated by the central security/governance team in the first 30 days; (2) sites flagged Severity 2 get remediated by departmental owners with central coaching across days 30-90; (3) sites flagged Severity 3 get remediated as part of the next quarterly access review cycle. Trying to remediate all three severities centrally at once is the most common cause of cleanup-wave overruns.

Industry-Specific Considerations

Healthcare (HIPAA). Restricted-tier label maps to PHI. Microsoft Purview DLP blocks PHI in Copilot prompts and responses. Audit Premium retention set to 7 years. Microsoft Sentinel custom analytics rule monitors for anomalous PHI grounding patterns. Information Barriers may apply where research and clinical operations cannot cross-reference patient data.

Financial Services (SOX, FINRA, SEC). Restricted-tier label maps to MNPI. Communication Compliance applies supervisory review to Copilot-generated outbound. Information Barriers prevent research from grounding on investment-banking-side material. Audit Premium retention set to 7 years (FINRA) or 10 years (SEC broker-dealer).

Federal Contractors (CMMC, FedRAMP). Restricted-tier label maps to CUI. Microsoft Purview marks CUI banners as a labeling trigger. Azure Government routing for any tenant handling CUI. Sentinel anomalous-grounding rules tuned to flag CUI cross-boundary attempts.

Life Sciences (GxP). Restricted-tier label maps to Clinical Trial Data. Microsoft Purview labeling preserves data-integrity metadata. Change-control documentation captures every change to label policy, DLP policy, and AI Hub configuration. Audit Premium retention set to the longest of (a) the regulatory clock for the relevant clinical phase or (b) 7 years.

Frequently Asked Questions

How serious is oversharing risk?

Severe. EPC Group standard finding: 30-50% of Fortune 500 SharePoint tenants have significant oversharing — Microsoft 365 Copilot will surface HR documents, M&A planning, performance reviews, executive briefings to users who shouldn't see them. Compliance findings within 30 days of unmitigated rollout.

Can we deploy Copilot before fixing all 47 checks?

Microsoft Restricted SharePoint Search is the Day-1 mitigation. Pilot Copilot to allowlisted sites only while permission cleanup proceeds. Most enterprises deploy Copilot to 50-200 users on the allowlist within 30 days, then scale as cleanup progresses.

How does this differ from generic security audit?

Generic security audits assess identity, network, endpoint security. The Copilot oversharing audit is specifically about content authorization at the SharePoint level — a domain that generic security audits typically don't cover deeply.

Who delivers EPC Group oversharing audits?

EPC Group senior architects with combined SharePoint, Microsoft Purview, and Microsoft 365 Copilot experience. Errin O'Connor is a 4-time Microsoft Press author including a SharePoint book.

Can the audit script library run without EPC Group?

Yes. The scripts are delivered to a customer-owned repository and the customer's central security or governance team can run them on a quarterly cadence indefinitely. EPC Group also offers a 12-month managed-audit retainer where senior architects run the scripts, review the output, and route remediation tasks back to site owners on a quarterly cadence.

Next Steps

Schedule a 30-minute Copilot oversharing audit discovery call at /schedule or call (888) 381-9725. Senior architects (not sales) take discovery calls.

Related reading: Microsoft Copilot Oversharing Audit Enterprise Guide, SharePoint Permissions Best Practices, SharePoint Governance Best Practices Enterprise Framework, Microsoft Purview for Copilot Implementation, and Microsoft Copilot Governance Framework for Regulated Industries.