Microsoft 365 Copilot does not have a data problem. It has a permissions problem — yours. Copilot respects the access controls already in your tenant. If your SharePoint permissions are a decade-old tangle of 'Everyone except external users' sharing links and sites nobody bothered to lock down, Copilot will dutifully surface board minutes, salary spreadsheets and client contracts to anyone with a licence. A Gartner survey found that 40% of organisations delayed their Copilot rollout by three months or more because of oversharing concerns. Another study found 16% of business-critical data is overshared across the average Microsoft 365 tenant, with 802,000 files at risk per organisation. The fix is not turning Copilot off. The fix is sorting out the mess underneath it.
The Problem Copilot Exposes But Did Not Create
[Chart: Average Data Exposure per Microsoft 365 Tenant. Analysis of 550 million records shows the scale of oversharing in a typical organisation. Source: Concentric AI, 2025]
Oversharing in SharePoint and OneDrive has been an open secret for years. Teams sites left set to public. Sharing links generated for 'People in your organisation' when they should have been 'Specific people'. Inherited permissions flowing from parent sites to subsites nobody audited since 2019. Before Copilot, this was a latent risk — someone would have to know where to look. Copilot changed that by making every document with inadequate permissions instantly discoverable through natural language search. Ask it for 'Q3 board pack' and it will return whatever it can access. If that includes the HR director's restructuring plans, that is not a Copilot bug. That is a permissions debt you never paid off.
What 40% of Organisations Got Wrong
[Chart: Why Organisations Delayed Copilot Rollout. Gartner survey of 132 IT leaders found governance and oversharing concerns caused widespread deployment delays. Source: Gartner Microsoft 365 and Copilot Survey, June 2025]
The Gartner survey of 132 IT leaders in June 2025 found that data oversharing prompted 40% to delay their Copilot rollout by three months or more. 64% said information governance and security risks required considerable time and resources to address during deployment. A separate study by Concentric AI analysed over 550 million records and found that on average, organisations have 802,000 files at risk from oversharing, broken access permissions and incorrect classification. 67% of enterprise security teams report concerns about AI tools exposing private information. The US House of Representatives banned congressional staff from using Copilot entirely, citing data leakage risk. These are not edge cases. This is the baseline state of nearly every Microsoft 365 tenant.
Step One: Run the SharePoint Advanced Management Audit
SharePoint Advanced Management is now included with every Microsoft 365 Copilot licence at no extra cost. It gives you three reports that matter. The site permissions report scans every SharePoint site and lists the total number of permissioned users, content shared with all users, and guest access. The sharing links report shows which sites have the largest number of 'Anyone' and 'People in the organisation' links. The 'Shared with Everyone except external users' report flags sites where internal content is visible to every employee. Run all three. Export the results. Sort by risk. You will find sites you forgot existed with permissions you never intended.
Step Two: Fix Your Sharing Defaults
The single highest-impact change takes 30 seconds. Go to the SharePoint admin centre and change the default sharing link type from 'People in your organisation' to 'Specific people'. This does not break existing links. It changes the default for every new link created from this point forward. Every new document shared will require the sender to name the recipients instead of broadcasting to the entire company. This alone prevents the majority of future oversharing.
Step Three: Apply Restricted Access Control Policies
For sites containing genuinely confidential material — board papers, M&A documentation, salary data, client legal files — apply a restricted access control policy through SharePoint Advanced Management. This locks the site to a specific Microsoft 365 group or Entra ID security group. Users outside that group cannot access the site, its content, or its files through Copilot, even if they previously had permissions or a shared link. The policy overrides everything. Use it for your ten to twenty highest-risk sites and you eliminate the worst exposure risks immediately.
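The audit in Step One and the fixes in Steps Two and Three can be scripted. The following PowerShell is an added example, not code from the article or from Microsoft, using the SharePoint Online Management Shell; the tenant name, site URLs and group GUIDs are placeholders, and matching the 'Everyone except external users' claim by its login-name prefix is a script-level substitute for the Advanced Management reports, not the reports themselves.

```powershell
# Added example (not from the article). Requires the Microsoft.Online.SharePoint.PowerShell
# module and a SharePoint administrator account. Tenant, site URLs and GUIDs are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# 'Everyone except external users' is a built-in claim; its login name starts with this prefix.
$everyoneExceptExternal = "c:0-.f|rolemanager|spo-grid-all-users/"

# Step One (script equivalent of the audit): flag sites where that claim holds any permission,
# and sites whose sharing capability still allows 'Anyone' links.
$findings = foreach ($site in Get-SPOSite -Limit All) {
    # Get-SPOUser needs site-collection admin rights; skip sites that refuse rather than abort.
    $broadUsers = Get-SPOUser -Site $site.Url -Limit All -ErrorAction SilentlyContinue |
        Where-Object { $_.LoginName -like "$everyoneExceptExternal*" }
    $anyoneLinks = ($site.SharingCapability -eq "ExternalUserAndGuestSharing")
    if ($broadUsers -or $anyoneLinks) {
        [pscustomobject]@{
            Url                = $site.Url
            Owner              = $site.Owner
            EveryoneExceptExt  = [bool]$broadUsers
            AnyoneLinksAllowed = $anyoneLinks
        }
    }
}
# Export so the list can be sorted by risk and handed to site owners (Step Five).
$findings | Sort-Object EveryoneExceptExt, AnyoneLinksAllowed -Descending |
    Export-Csv -Path ".\overshared-sites.csv" -NoTypeInformation

# Step Two: new sharing links default to 'Specific people' (Direct) with view-only permission.
# Existing links are not changed.
Set-SPOTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View

# Step Three: restricted access control on the highest-risk sites. Enable the feature once
# tenant-wide, then lock each site to a Microsoft 365 or Entra ID security group by object ID.
Set-SPOTenant -EnableRestrictedAccessControl $true
$highRiskSites = @{
    "https://contoso.sharepoint.com/sites/Board" = "00000000-0000-0000-0000-000000000001"  # placeholder GUID
    "https://contoso.sharepoint.com/sites/HR"    = "00000000-0000-0000-0000-000000000002"  # placeholder GUID
}
foreach ($url in $highRiskSites.Keys) {
    Set-SPOSite -Identity $url -RestrictedAccessControl $true `
        -RestrictedAccessControlGroups $highRiskSites[$url]
}
```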
Step Four: Deploy Microsoft Purview Sensitivity Labels
Sensitivity labels from Microsoft Purview apply encryption and access restrictions at the file level, not the site level. Mark a document as 'Confidential — Board Only' and Copilot will check the user's rights before returning any content from that file. If the user does not have the EXTRACT usage right, Copilot will not surface the document at all. Purview DLP for Copilot is now generally available and can block Copilot from processing files with specific sensitivity labels entirely. You can also create DLP policies that prevent users from including sensitive data types — National Insurance numbers, bank account details, medical records — in Copilot prompts. Labels persist: once applied, they travel with the file regardless of where it is copied or shared.
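As an added example (not from the article or Microsoft), this Security & Compliance PowerShell creates a 'Confidential - Board Only' label whose encryption grants board members VIEW but deliberately omits EXTRACT, then publishes it; the group address and compliance mailbox are placeholders.

```powershell
# Added example (not from the article). Requires the ExchangeOnlineManagement module and a
# Compliance Administrator role. Addresses below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$boardGroup    = "board-members@contoso.com"   # placeholder: Microsoft 365 or mail-enabled security group
$complianceBox = "compliance@contoso.com"      # placeholder: owner identity for administrative recovery

# Rights are "identity:RIGHT,RIGHT;identity:RIGHT". VIEW and VIEWRIGHTSDATA let board members
# open and read the file; leaving out EXTRACT means Copilot will not return its content.
# ${} braces are required: "$boardGroup:VIEW" would be parsed as a scoped variable.
$rights = "${boardGroup}:VIEW,VIEWRIGHTSDATA,PRINT;${complianceBox}:OWNER"

New-Label -Name "Confidential-BoardOnly" -DisplayName "Confidential - Board Only" `
    -Tooltip "Board papers. Readable by board members only; Copilot cannot extract content." `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $rights `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7 `
    -EncryptionPromptUser $false

# Publish the label to the board group so it appears in Office apps for those users.
New-LabelPolicy -Name "Board label policy" -Labels "Confidential-BoardOnly" `
    -ExchangeLocation $boardGroup

# Confirm encryption is on for the new label before telling users to apply it.
Get-Label -Identity "Confidential-BoardOnly" |
    Format-List Name, DisplayName, EncryptionEnabled, EncryptionProtectionType
```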
Step Five: Send Site Access Reviews to Owners
SharePoint Advanced Management lets you send site access reviews directly to site owners rather than routing everything through IT. The admin identifies overshared sites from the audit reports, triggers a review, and the site owner receives a notification asking them to verify who should have access. This pushes remediation to the people who actually know who needs what, rather than forcing IT to guess. It scales. A mid-market organisation with 200 SharePoint sites can send 50 reviews in a morning and have 80% resolved within a week.
The UK DPIA Requirement Nobody Mentions
Under UK GDPR Article 35, deploying Microsoft 365 Copilot triggers a mandatory Data Protection Impact Assessment. The ICO classifies Copilot as involving new technology, large-scale processing of personal data from emails, documents, chats and meetings, and profiling capabilities — all DPIA triggers. The ICO has published its own DPIA for its internal Copilot deployment, which is publicly available. If the UK's own data regulator writes a DPIA before rolling out Copilot, your organisation should too. A DPIA forces you to document what data Copilot can access, who can see it, what mitigations you have applied and what residual risks remain. It also protects you if something goes wrong — demonstrating you assessed the risk before deployment is a defence under UK GDPR enforcement.
The 90-Day Lockdown Checklist
Week one: run SharePoint Advanced Management audit reports across all sites.
Week two: change default sharing link type to 'Specific people' tenant-wide.
Week three: identify your 20 highest-risk sites from audit data and apply restricted access control policies.
Week four to six: deploy sensitivity labels to your top three classification tiers — Public, Internal, Confidential.
Week six to eight: send site access reviews to owners of all sites flagged as overshared.
Week eight to ten: configure Purview DLP policies for Copilot to block processing of Confidential-labelled files and sensitive data types in prompts.
Week ten to twelve: complete your UK GDPR DPIA and document residual risks.
This is not a weekend project. But it is a 90-day project that a mid-market IT team of three to five people can deliver without external consultants.
What Copilot Still Cannot Protect You From
[Chart: Sensitive Data Types Exposed in AI Prompts. Breakdown of sensitive information found in 8.5% of enterprise Copilot and ChatGPT prompts. Source: Harmonic Security, 2025]
Permissions fixes stop Copilot from showing the wrong files to the wrong people. They do not stop a legitimate user from copying Copilot output into an email and sending it externally. They do not prevent someone with valid access from asking Copilot to summarise a confidential document and then pasting the summary into a Teams chat with a wider audience. DLP policies on Copilot prompts help, but they catch data going in, not data going out. For outbound control, you need Purview DLP on Exchange, Teams and SharePoint as well — and you need staff training that goes beyond a compliance tick-box. The honest position: Copilot magnifies both the value and the risk of your data governance. If your governance is good, Copilot is extraordinary. If your governance is poor, Copilot is a liability.
Why This Matters More Than the Licence Cost
At £24.70 per user per month, a 200-person organisation spends £59,280 per year on Copilot licences. That is a material investment. But the cost of a data breach involving personal data — an ICO fine, legal fees, reputational damage, customer churn — dwarfs the licence fee. Getting the permissions right is not an IT hygiene project. It is risk management that protects the entire Copilot business case.