Copilot ready - A comprehensive Guide - Part 1
Simon Ågren
November 18, 2024

Introduction

Welcome to part one of our guide on getting your content ready for Copilot. As Copilot becomes a powerful tool in the modern workplace, it’s more important than ever to ensure your data is well-managed, protected, and optimized for AI-driven workflows.

While many discussions focus solely on securing data with Microsoft Purview, we go further. We’ll explore how to understand, protect, and manage sensitive information, old data, and the risks of oversharing—all crucial aspects to maintaining security and efficiency in an AI-powered environment.

Big update: SharePoint Advanced Management (SAM) licenses are now included in Copilot for Microsoft 365, making them just as relevant today as when I first wrote about them. Check out this SAM overview.

Let’s dive into the first step: reviewing your tenant settings and understanding your data.

Challenges

  • Content oversharing: Without clear access controls and protection policies, oversharing happens easily—especially since Microsoft 365 prioritizes open collaboration. Striking the right balance between accessibility and security is key.

  • Content sprawl: The ease of creating sites, files, and workspaces leads to an explosion of digital content, making governance a major headache for IT teams.

  • Content lifecycle management: Tracking inactive sites and aging content is crucial. Without proper lifecycle management, low-value, outdated files can clutter storage and expose sensitive information.

AI <3 Content

Copilot brings powerful discovery capabilities, meaning that unrestricted, unclassified sensitive files—including forgotten documents buried deep in SharePoint folders—could surface. The good news? Copilot only accesses content users already have permission to see.

Five-step plan

Here’s a simple yet effective approach to prepping your content for Copilot:

  1. Review Tenant settings – Ensure sharing and guest settings are properly configured.
  2. Understand your data and risks – Identify critical content and prioritize security measures.
  3. Protect your data – Implement robust safeguards, sensitivity labels, and security policies.
  4. Educate end-users – Create training materials and enforce security best practices.
  5. Maintain cleanliness – Keep your environment organized and manage content lifecycle effectively.

1. Review Tenant settings

Tenant-level configurations set the foundation for security and collaboration across Microsoft services. Here’s where to start:

Key Tenant-level configurations

  • Entra ID – External Collaboration – Manage external access and guest settings.
  • Teams Admin Center – Guest Settings – Control guest permissions within Microsoft Teams.
  • Microsoft 365 Groups Settings – Define sharing policies across Microsoft 365.
  • SharePoint Admin Center – Sharing – Set up site-sharing rules and external collaboration settings.

Starting with the most permissive settings at the tenant level ensures flexibility, while granular restrictions can be applied at the site level when needed.

SharePoint default settings

By default, SharePoint allows anonymous sharing with the “Anyone with the link” option. I highly recommend lowering this setting to “New and Existing Guests” or something that aligns with your organization’s security policies.

When restricting “Anyone with the link”, you’ll have the option to choose “People in Your Organization” or “Specific People”—both are solid choices, but the most common default is People in Your Organization.

A lesser-known fact: Each shared link generates a new access token, similar to creating a new password for every access attempt.

  • Tip: If you’re sharing within an existing team, use “People with Existing Access” to maintain current permissions without generating new links.

Once tenant-wide sharing policies are set, you can use Sensitivity Labels to enforce site-level protections, default link settings, and external collaboration rules for added security.
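The baseline recommended in this section can be checked in PowerShell. The following is an added example, not code from the original post: `Test-SharingBaseline` is a hypothetical helper, the sample object is constructed, and the admin URL is a placeholder. It assumes the input exposes the `SharingCapability` and `DefaultSharingLinkType` properties returned by `Get-SPOTenant` and `Get-SPOSite`.

```powershell
# Added example: compare SharePoint sharing settings with the baseline recommended above.
# Input is any object exposing SharingCapability and DefaultSharingLinkType,
# such as the output of Get-SPOTenant or Get-SPOSite.
function Test-SharingBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $Settings,
        [string] $Scope = 'Tenant'
    )
    process {
        $findings = @()
        # "Anyone with the link" corresponds to ExternalUserAndGuestSharing.
        if ("$($Settings.SharingCapability)" -eq 'ExternalUserAndGuestSharing') {
            $findings += 'Anonymous "Anyone" links are allowed; consider ExternalUserSharingOnly (new and existing guests).'
        }
        # AnonymousAccess as the default link type makes every new link an "Anyone" link.
        if ("$($Settings.DefaultSharingLinkType)" -eq 'AnonymousAccess') {
            $findings += 'Default link type is "Anyone"; consider Internal (people in your organization) or Direct (specific people).'
        }
        [pscustomobject]@{
            Scope     = $Scope
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings
        }
    }
}

# Constructed sample that mimics a tenant left on its defaults (not real tenant output).
$sample = [pscustomobject]@{
    SharingCapability      = 'ExternalUserAndGuestSharing'
    DefaultSharingLinkType = 'AnonymousAccess'
}
$sample | Test-SharingBaseline

# Against a live tenant (requires the Microsoft.Online.SharePoint.PowerShell module
# and SharePoint admin rights; the admin URL is a placeholder):
# Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'
# Get-SPOTenant | Test-SharingBaseline
# Get-SPOSite -Limit All |
#     ForEach-Object { $_ | Test-SharingBaseline -Scope $_.Url } |
#     Where-Object { -not $_.Compliant }

# Remediation matching the recommendation above:
# Set-SPOTenant -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Internal
```

A site whose `DefaultSharingLinkType` is `None` inherits the tenant default, so the per-site pass only flags sites that explicitly override it.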

2. Understand your data and risks

Before securing content, organizations need to identify their high-value data, their crown jewels, and define what “sensitive” means in their business context. Migrating content to Microsoft 365 and Azure simplifies protection under a unified security model.

Locate sensitive data with Microsoft Purview

Microsoft Purview provides powerful tools for discovering and classifying sensitive data, but success requires collaboration between IT and business teams.

Using classifiers

Microsoft Purview offers two primary ways to classify content: manual labeling and automatic labeling.

  • Manual labeling – Users apply sensitivity labels directly to files and emails.
  • Automatic labeling – Labels are assigned based on predefined rules, sensitive information types, or trainable classifiers.

Organizations can leverage Microsoft’s built-in classifiers or create custom detection models. Once classification is reliable, automatic labeling ensures protection without user intervention.

Additionally, Data Loss Prevention (DLP) in audit mode provides insights into how sensitive data moves across environments.

Content explorer

Content explorer visualizes sensitive data locations based on classifier detections.

  • Displays files linked to sensitivity classifications.
  • Allows match/not-match feedback, improving classifier accuracy.

Activity explorer

Activity explorer tracks interactions with labeled content and Sensitive Information Types (SITs).

  • Monitors data uploads to cloud storage, including Endpoint DLP activity.
  • Shows Exchange email traffic for labeled files.
  • Provides a historical view of sensitive content movement, integrated with Microsoft 365 unified audit logs.

eDiscovery

For deep searches into sensitive information, organizations can use eDiscovery Content Search in Microsoft Purview.

  • Helps locate sensitive data in SharePoint, OneDrive, or Exchange.
  • Supports targeted security actions like removing, moving, or protecting classified files.
  • Learn more about eDiscovery Premium for legal investigations and audits: eDiscovery Documentation.

Insider risk management

Insider risk management helps detect risky behavior by analyzing user activity patterns.

  • Uses machine learning to assess data-handling trends.
  • Identifies anomalies that could indicate security threats.
  • Includes indicators for generative AI, improving proactive governance.

Understanding and managing oversharing

Oversharing of data can pose security risks, but with the right tools, organizations can monitor and control access effectively. Below are key solutions for identifying and managing overshared content in Microsoft 365 and SharePoint.

Microsoft 365 usage reports

Microsoft 365 Usage Reports provide valuable insights into how services are used across an organization.

  • These reports help administrators track sharing activities, user engagement, and overall service utilization.
  • They can identify frequent users and those who may not require a Microsoft 365 license, optimizing licensing costs.
  • Reports are available for 7 days, 30 days, 90 days, and 180 days, allowing organizations to analyze trends over time.

Data access governance (DAG)

DAG reports help organizations govern access to SharePoint data by identifying sites with potential oversharing or sensitive content.

  • Sharing Links Reports – Highlights sites where users have created the most sharing links, including “Anyone” links, “People in the organization” links, and externally shared “Specific people” links.
  • Sensitivity Labels Reports – Identifies sites containing files labeled with sensitivity labels, helping organizations locate and secure sensitive content.
  • Oversharing Baseline Report – Establishes a baseline for oversharing by analyzing permissions and large-scale sharing activities, such as “Everyone except external users”.
  • PowerShell Integration – Administrators can generate DAG reports using PowerShell commands, enabling deeper analysis and automation.
  • Learn more about Data Access Governance.

Site access reviews

Site Access Reviews allow IT administrators to delegate data access governance reviews to site owners of overshared sites.

  • Since IT administrators cannot access file-level details due to compliance reasons, site owners are best positioned to review and address oversharing issues.
  • Reviews can be initiated for the top 100 sites listed in DAG reports, focusing on specific sharing concerns.
  • Site owners receive context-specific emails prompting them to review and take necessary actions.
  • Reviews can be tracked via the SharePoint admin center or initiated using PowerShell commands.
  • Learn more about Site Access Reviews.

Restricted access control (RAC)

RAC policies provide granular access control by restricting access to SharePoint sites based on group membership.

  • Users outside the specified group cannot access the site or its content, even if they previously had permissions or a shared link.
  • Helps organizations enforce zero-trust security principles by ensuring only authorized users can access sensitive data.
  • Learn more about Restricted Access Control.

Public teams

Public Teams in Microsoft Teams allow open collaboration, but they also introduce potential security risks.

  • Anyone in the organization can join a public team without approval, gaining access to shared content.
  • Organizations should regularly review team settings to ensure sensitive discussions and files are not unintentionally exposed.
  • IT administrators can use Microsoft 365 Usage Reports to monitor public team activity and adjust settings accordingly.

Microsoft Graph Data Connect for SharePoint (MGDC)

MGDC, combined with Azure Synapse and Power BI, provides big data tools for analyzing permissions and other SharePoint information.

  • Enables large enterprise tenants to manage thousands of sites, users, and files efficiently.
  • Helps organizations identify trends in data access, permissions, and sharing behaviors.
  • Supports advanced analytics for compliance and security monitoring.

To be continued

In the next part of this guide, we’ll focus on protecting data, educating users, and maintaining a structured, secure environment.

Thanks for reading!
/Simon

