- Run data-access-governance reports to find oversharing first.
- Fix anyone-with-the-link files and over-permissioned groups before turning Copilot on.
- Restructure libraries by department and apply sensitivity labels.
- Pilot with a small group, then re-run the reports before expanding.
This guide is for an IT admin or operations lead who is about to turn on Microsoft 365 Copilot and wants to do the prep work first. By the end, you'll have run an oversharing report, fixed the worst exposure, organized your content by department, applied sensitivity labels, and piloted Copilot with a small group instead of unleashing it on a messy tenant.
The reason this matters: Copilot surfaces anything a given person already has permission to open. If your SharePoint is overshared, Copilot becomes a very efficient way to stumble onto files that were never meant to be seen. Microsoft's own data suggests most environments have a real oversharing problem to fix before rollout.
Before you start
You'll need SharePoint Administrator (or Global Administrator) rights, and access to the SharePoint admin center at admin.microsoft.com under SharePoint. To run the full set of oversharing reports and use Restricted SharePoint Search, you'll want SharePoint Advanced Management, which is included with a Microsoft 365 Copilot license. Confirm that's in place before you begin.
Step 1: Run a Data Access Governance report
In the SharePoint admin center, go to Reports > Data access governance. This is where SharePoint Advanced Management surfaces oversharing risk across your tenant.
- Run the Sharing links reports to see sites with active "Anyone" links (the "anyone with the link" type that needs no sign-in).
- Run the Sites shared with "Everyone except external users" report to find content open to your whole organization.
- Run the Oversharing baseline report and the Permissioned users report to see which sites have the most people with access.
Export these so you have a before-and-after record. This is your worklist.
Step 2: Fix "anyone with the link" files
"Anyone with the link" sharing means anyone who has the URL can open the file with no sign-in, and Copilot can surface it to people inside your tenant too. Work down the report from Step 1:
- For each flagged site or file, open its sharing settings and replace "Anyone" links with "People in your organization" or "Specific people."
- At the tenant level, under Policies > Sharing, consider setting the default link type to "Specific people" and turning off Anyone links for sites that don't need them.
Step 3: Tighten over-permissioned groups
Years of ad hoc access changes leave groups that grew far beyond their original purpose. Using the Permissioned users report:
- Find sites where far more people have access than should, then remove broad groups (like a company-wide group) from sensitive libraries.
- Replace "everyone has Edit" with read-only where edit isn't needed.
- Remove guests who no longer need access.
It's tempting to fix permissions file by file, but unique permissions on thousands of individual items become unmanageable fast. Fix structure at the site and library level instead, and reserve item-level permissions for genuine exceptions.
Step 4: Restructure libraries by department
Copilot answers better on organized content. If everything lives in one giant catch-all site, split it:
- Create or confirm a clear site or library per department (Finance, HR, Sales, Operations).
- Move content so each library holds one department's material, with permissions scoped to that department.
- Flatten deep folder nesting where you can, and use consistent naming so files are findable.
This is the unglamorous work, and it's the work that makes Copilot trustworthy.
Step 5: Apply sensitivity labels
Sensitivity labels (from Microsoft Purview) let you mark content as Confidential, Internal, and so on, and enforce protection. In the Microsoft Purview portal under Information protection > Sensitivity labels:
- Publish a small, simple label set (three or four labels, not twenty).
- Apply labels to your most sensitive libraries, and consider auto-labeling rules for obvious cases.
- Labeled content can be excluded or protected so Copilot handles it appropriately.
Step 6: Consider Restricted SharePoint Search or Restricted Content Discovery
If you have sites you're not ready to expose yet, you have two tenant-level options while you finish cleanup:
- Restricted SharePoint Search limits Microsoft Search and Copilot to an allow-list of up to 100 SharePoint sites. It's a temporary safety net, not a permanent fix.
- Restricted Content Discovery removes a specific site from Copilot and search results unless the user recently opened a file from it.
Use either as a stopgap while you work through Steps 1 through 5, then remove the restriction as sites become ready.
The order is the whole game: clean up permissions and structure first, then enable Copilot. Turning it on over a messy tenant is how a useful tool earns a bad reputation in its first week.
Step 7: Enable Copilot and pilot with a small group
Once your worklist is clear, assign Copilot licenses to a small pilot group (ten to twenty people across a couple of departments). Have them use it on real work for a few weeks and report back: Were answers accurate? Did anything surface that shouldn't have? Fix what they find, then expand. A staged rollout catches problems while they're small.
Step 8: Verify before you expand
Before widening access, re-run the Data Access Governance reports from Step 1 and compare against your baseline. Confirm Anyone links are down, broad permissions are tightened, and your pilot group didn't surface anything sensitive. When the reports look clean and the pilot is happy, roll out to the next group.
What to do next
Start with Step 1 today; the report alone usually surprises people. Work the list down in order, and treat the cleanup as a project with an owner, not a one-afternoon task. If you'd like a readiness check before you turn Copilot on, that's exactly the kind of work we run with clients. Let's talk it through.