Gotcha · 6 Feb 2025 · 5 min read

Copilot surfaces content from sites users forgot they had access to

Copilot & AI · Information Protection

Copilot respects permissions. That's the problem. Permissions in most tenants are a mess. Users ask Copilot a question and get results from HR sites, M&A folders, and salary spreadsheets they technically have access to but were never supposed to see.

What happens

Copilot uses Microsoft Graph to search content. It respects existing permissions. Sounds secure, but in most tenants permissions are a mess. Sites with broad access groups, links shared years ago and never revoked, OneDrive files shared with the whole organisation.

Users do not know they have access to this content because they would never go looking for it. But Copilot does.

Real example

A user asked Copilot to summarise the retention strategy. Copilot returned salary bands from an HR spreadsheet because the HR site had 'Everyone except external users' in its members group. Technically, the user had had access for three years.

Another user asked about product plans. Copilot pulled from an M&A folder shared via a company-wide link two years ago for a town hall and never revoked.

Why this happens

SharePoint permissions accumulate over time. People share things for a meeting, a project, a one-off request, and never clean up. The defaults in most tenants are too permissive.

Before Copilot, this was theoretical. Now a natural language question can surface anything the user has access to, across their entire tenant, in seconds.

How to fix it

Run a SharePoint permissions audit before enabling Copilot. Use the SharePoint Admin Center sharing reports.

Fix the defaults. Switch to 'Specific people' as the default share type instead of 'Anyone in the organisation'.

Review sensitive sites: HR, Finance, Legal, Executive. Remove broad access groups, replace with specific security groups.

Use sensitivity labels with encryption at the content level. This protects content even if permissions are wrong.

Restricted SharePoint Search can limit which sites Copilot indexes during your cleanup. It is a blunt instrument, but it buys time.
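The steps above, worked through in the SharePoint Online Management Shell as an added example (this is not code from the original post). It assumes the Microsoft.Online.SharePoint.PowerShell module is installed and the caller is a SharePoint administrator; the tenant name, the site URLs and the hr-team group are placeholders. The two claim strings used to spot 'Everyone' and 'Everyone except external users' are the well-known SharePoint claims for those principals; the tenant id that follows the second one is matched with a prefix test.

```powershell
# Added example, not from the original post. Assumes the SharePoint Online
# Management Shell module and a SharePoint admin account. All tenant, site and
# group names below are placeholders.

$TenantAdminUrl = "https://contoso-admin.sharepoint.com"   # placeholder
Connect-SPOService -Url $TenantAdminUrl

# Claims behind the "Everyone" and "Everyone except external users" principals.
# Either one in a site group means every user in the tenant can read that site,
# and therefore so can Copilot when it searches on that user's behalf.
$BroadClaims = @(
    'c:0(.s|true',                              # Everyone
    'c:0-.f|rolemanager|spo-grid-all-users/'    # Everyone except external users (tenant id follows the slash)
)

function Find-BroadAccessSites {
    # Step 1 (audit): walk every site collection and report groups that contain
    # a broad claim. Sharing links are backed by hidden groups whose title starts
    # with "SharingLinks.", so company-wide links created years ago show up too.
    $findings = @()
    foreach ($site in Get-SPOSite -Limit All) {
        try {
            $groups = Get-SPOSiteGroup -Site $site.Url -ErrorAction Stop
        } catch {
            Write-Warning "Could not read groups for $($site.Url): $_"
            continue
        }
        foreach ($group in $groups) {
            foreach ($user in $group.Users) {
                foreach ($claim in $BroadClaims) {
                    if ($user.StartsWith($claim)) {
                        $findings += [pscustomobject]@{
                            SiteUrl     = $site.Url
                            Group       = $group.Title
                            Roles       = ($group.Roles -join ',')
                            Principal   = $user
                            IsShareLink = $group.Title.StartsWith('SharingLinks.')
                        }
                    }
                }
            }
        }
    }
    return $findings
}

function Repair-SensitiveSite {
    # Step 3 (review sensitive sites): replace a broad principal in a site group
    # with a specific security group. Only runs against sites you name explicitly.
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [Parameter(Mandatory)] [string] $GroupTitle,
        [Parameter(Mandatory)] [string] $BroadPrincipal,
        [Parameter(Mandatory)] [string] $ReplacementGroupLogin   # e.g. hr-team@contoso.com (placeholder)
    )
    Add-SPOUser    -Site $SiteUrl -Group $GroupTitle -LoginName $ReplacementGroupLogin
    Remove-SPOUser -Site $SiteUrl -Group $GroupTitle -LoginName $BroadPrincipal
}

# Export the audit so site owners can review it before Copilot is enabled.
$findings = Find-BroadAccessSites
$findings | Export-Csv -Path .\broad-access-report.csv -NoTypeInformation
$findings | Sort-Object SiteUrl | Format-Table SiteUrl, Group, Roles, IsShareLink -AutoSize

# Step 2 (fix the default): new sharing links default to "Specific people"
# ("Direct") instead of "Anyone in the organisation" ("Internal").
Set-SPOTenant -DefaultSharingLinkType Direct

# Step 3 applied to one reviewed finding (placeholder values).
Repair-SensitiveSite -SiteUrl "https://contoso.sharepoint.com/sites/HR" `
                     -GroupTitle "HR Members" `
                     -BroadPrincipal ($findings | Where-Object SiteUrl -like "*/sites/HR" | Select-Object -First 1 -ExpandProperty Principal) `
                     -ReplacementGroupLogin "hr-team@contoso.com"

# Step 5 (buy time): Restricted SharePoint Search limits Copilot and
# organisation-wide search to an allow list of reviewed sites while the
# rest of the findings are worked through.
Set-SPOTenantRestrictedSearchMode -Mode Enabled
Add-SPOTenantRestrictedSearchAllowedList -SitesList @(
    "https://contoso.sharepoint.com/sites/ProjectAlpha"   # placeholder: a site that passed review
)
Get-SPOTenantRestrictedSearchAllowedList
```

Step 4, sensitivity labels with encryption, is configured in Microsoft Purview rather than in this shell, which is why the script does not cover it; the audit export is the artefact to hand to site owners, and the allow list should only ever contain sites whose findings have been cleared.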

The takeaway

Copilot does not create security problems. It exposes them. Every oversharing issue you have been ignoring becomes visible the moment users start asking questions. Clean up permissions before enabling Copilot, not after.
