SharePoint Copilot Readiness: A Permissions Cleanup Use Case

Microsoft 365 Copilot does not bypass SharePoint permissions. It surfaces content based on what the current user already has access to. That sounds reassuring until you realise how much content in a typical SharePoint environment is accessible to people who were never specifically intended to see it: organisation-wide sharing links set years ago, guest accounts for contractors who left, unique permissions on individual files that no one remembers creating. Enabling Copilot before addressing these issues turns every oversharing gap into a potential AI disclosure.

Meet Sarah, IT Manager at a 420-person professional services firm with offices in three cities. Her firm's Microsoft 365 Copilot licences had been purchased and were ready to activate. The CTO wanted a rollout within 60 days. Sarah's job was to make sure SharePoint's permission landscape was clean enough that Copilot would not surface salary documents, client proposals, or HR files to people who had no business seeing them.

The problem: Copilot exposes what permissions already allow

Why oversharing matters with Copilot

In a normal SharePoint environment, oversharing is a latent risk. Users rarely stumble across content they were not meant to see because they are not actively looking for it. Copilot changes that dynamic. It actively indexes and surfaces content in response to natural language queries. A user who asks Copilot to summarise recent project proposals may receive results that include proposals from other business units shared via an organisation-wide link set three years ago.

The Copilot rollout became Sarah's deadline for fixing permission issues that had been accumulating since the firm first moved to Microsoft 365.

What the initial audit revealed

Sarah connected ShareMaster to the firm's tenant and ran Report Master across all 34 SharePoint sites. The resulting permission matrix export in Excel showed the full picture for the first time:

  • 3,840 active sharing links across the tenant, of which 1,200 had organisation-wide access scope.
  • 240 active guest accounts, of which approximately 80 had not accessed the tenant in more than 12 months.
  • Unique permissions set on individual files in 11 of the 34 sites, many traceable to ad-hoc document sharing requests rather than a deliberate access policy.
  • Six sites where permission inheritance had been broken at the folder level multiple times, making it impossible to determine effective access from the site or library level alone.

"The Report Master export showed 1,200 sharing links with organisation-wide scope. Copilot would have surfaced confidential client proposals to everyone in the firm, including people who joined last month. None of us realised how far it had spread."
- Sarah, IT Manager

Phase 1: Identify and remove sharing link oversharing

Tenant-wide sharing link audit

Sarah used the Shared Links and Permissions tool to generate a full export of every active sharing link across all 34 sites. The export showed the link type, target (specific users vs. organisation-wide vs. anonymous), creation date, creator, and whether the link had been accessed recently.

She filtered the export to three high-priority categories:

  1. Organisation-wide links on sensitive libraries. Any "anyone in the organisation" link on the HR, Finance, or Client Proposals libraries was flagged for immediate revocation regardless of when it was created.
  2. Links created by accounts that had since left the firm. Sharing links created by departed employees are often forgotten and unmanaged. If the creator is gone, there is no one to ask whether the link is still needed.
  3. Links not accessed in over 180 days. Low-use links have a small chance of being needed and a higher chance of being forgotten access grants that should have been revoked months ago.
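
The three-category filter above can be reproduced offline against any sharing-link export. The following Python script is an added example, not ShareMaster's code or export format; the column names, the sample rows and the departed-creator list are constructed assumptions.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export. Column names are assumptions for this example,
# not ShareMaster's actual export schema.
SAMPLE_EXPORT = """\
Library,ItemPath,Scope,Creator,Created,LastAccessed
HR,/HR/Salaries-2023.xlsx,Organization,alice@example.com,2021-03-02,2024-05-20
Projects,/Projects/Plan.docx,Organization,bob@example.com,2022-01-10,2024-05-30
Projects,/Projects/Old-Bid.docx,SpecificPeople,carol@example.com,2021-06-01,2023-01-15
Finance,/Finance/Budget.xlsx,SpecificPeople,dave@example.com,2024-02-01,2024-05-28
Marketing,/Marketing/Logo.png,Organization,erin@example.com,2023-09-09,
"""

SENSITIVE_LIBRARIES = {"HR", "Finance", "Client Proposals"}  # named in the article
DEPARTED_CREATORS = {"bob@example.com"}  # assumed: loaded from a leavers list
STALE_AFTER_DAYS = 180


def triage(row, today):
    """Return the review flags that apply to one sharing-link row."""
    flags = []
    if row["Scope"] == "Organization" and row["Library"] in SENSITIVE_LIBRARIES:
        flags.append("org-wide-on-sensitive")
    if row["Creator"].lower() in DEPARTED_CREATORS:
        flags.append("creator-departed")
    last = row["LastAccessed"].strip()
    # A link with no recorded access counts as stale: nothing shows it is in use.
    if not last or (today - datetime.strptime(last, "%Y-%m-%d").date()).days > STALE_AFTER_DAYS:
        flags.append("stale-180d")
    return flags


def build_review_list(export_text, today):
    """Map item path -> flags for every row that hits at least one category."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        flags = triage(row, today)
        if flags:
            flagged[row["ItemPath"]] = flags
    return flagged


if __name__ == "__main__":
    for path, flags in build_review_list(SAMPLE_EXPORT, date(2024, 6, 1)).items():
        print(f"{path}: {', '.join(flags)}")
```

Rows that hit no category, such as the recently used specific-people link on the Finance library, stay out of the review list, which keeps the approval step focused on links that need a decision.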

Bulk revocation

Sarah shared the filtered export with her manager and the firm's risk team for a brief review. Within two days she had approval to revoke 2,900 of the 3,840 links - the remaining 940 were confirmed as still needed and converted to specific-user access where the original link had been organisation-wide.

The bulk revocation ran directly from ShareMaster's Shared Links and Permissions tool, covering 2,900 links across 34 sites in a single operation. The manual alternative would have required opening each site, navigating to each file, and removing links one at a time: a task measured in weeks, not hours.

Phase 2: Fix unique permissions that break inheritance

Where permissions diverge silently

Broken permission inheritance is one of the most common governance problems in a SharePoint environment that has been used for several years. It happens incrementally: an admin shares a single document with an external party, breaking that file's inheritance. A department head requests that a folder be visible only to their team, creating a unique permission. Over time, the effective access on dozens of folders and files no longer reflects the library-level or site-level settings that admins think are in place.

For Copilot, this creates a specific risk: a file with a unique permission granting broader access than its parent library will be surfaced to more people than the current library-level view suggests. The permission inheritance map is the authoritative source; the library view is misleading.

Cleanup process

Sarah used the Shared Links and Permissions tool to identify every file and folder in the six affected sites where permission inheritance had been broken. For each unique permission:

  • She reviewed the permission against the content. If the unique permission was more restrictive than the parent (locking content down further), she left it in place.
  • Where a unique permission was broader than the parent (granting additional access beyond what the library settings allowed), she assessed whether the broader access was intentional and still needed.
  • For individual files where the broader access was a workaround rather than a policy, she revoked the unique permission and reset the file to inherit from its parent library.

This phase was more manual than the sharing link revocation, but the Report Master permission matrix export provided the data in a form that could be reviewed offline and triaged before making any changes in SharePoint.
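
The restrictive-versus-broader decision described above can be made mechanically once each item's grants sit beside its parent library's. This Python script is an added example, not ShareMaster's code; the data layout, paths and group names are constructed, and ranking permission levels on a single scale is a simplification.

```python
# Built-in SharePoint permission level names; the linear ranking is this
# example's simplification (real levels are sets of individual permissions).
LEVEL_RANK = {"Read": 1, "Contribute": 2, "Edit": 3, "Full Control": 4}

# Constructed sample: grants as {principal: level}. Principals are compared by
# name only; group membership is not expanded in this example.
PARENT_LIBRARY = {"Finance Members": "Edit", "Finance Visitors": "Read"}

UNIQUE_ITEMS = {
    "/Finance/Payroll/": {"Finance Members": "Edit"},
    "/Finance/Forecast.xlsx": {
        "Finance Members": "Edit",
        "Finance Visitors": "Read",
        "Everyone except external users": "Read",
    },
    "/Finance/Audit-Notes.docx": {"Finance Members": "Edit", "Finance Visitors": "Edit"},
    "/Finance/Templates/": {"Finance Members": "Edit", "Finance Visitors": "Read"},
}


def compare_to_parent(item_grants, parent_grants):
    """Classify one unique permission set against the parent library's grants."""
    # Principals the parent does not grant at all.
    added = sorted(p for p in item_grants if p not in parent_grants)
    # Principals the parent grants, but at a lower level than the item does.
    elevated = sorted(
        p for p, level in item_grants.items()
        if p in parent_grants and LEVEL_RANK[level] > LEVEL_RANK[parent_grants[p]]
    )
    if added or elevated:
        return "broader", added + elevated  # needs an owner's decision
    if item_grants == parent_grants:
        return "same-as-parent", []  # unique permission adds nothing
    return "more-restrictive", []  # locks content down further; leave in place


def triage_unique_permissions(items, parent_grants):
    """Map item path -> (classification, principals that widen access)."""
    return {path: compare_to_parent(g, parent_grants) for path, g in items.items()}


if __name__ == "__main__":
    for path, (verdict, who) in triage_unique_permissions(UNIQUE_ITEMS, PARENT_LIBRARY).items():
        print(f"{path}: {verdict} {who}")
```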

Results and key takeaways

What changed

| Metric | Before cleanup | After cleanup |
|---|---|---|
| Active sharing links | 3,840 | 940 (all specific-user scope) |
| Organisation-wide links | 1,200 | 0 |
| Stale guest accounts (12+ months inactive) | ~80 | 0 (revoked and removed) |
| Sites with broken inheritance at file/folder level | 6 | 2 (remaining unique permissions confirmed as policy) |
| Total time to audit and remediate | N/A | 8 days (part-time, across two admins) |

First steps if you are planning a Copilot rollout

Sarah's experience points to a clear sequence. Start with the audit before setting any remediation targets: the Report Master permission matrix will show you where the real risk is concentrated, and it is almost never evenly distributed across the tenant. In most organisations, 20 percent of sites hold 80 percent of the oversharing. Audit first; prioritise based on what you find.

Organisation-wide sharing links on sensitive libraries are the highest-risk item and typically the fastest to resolve once you can see them. Fix those before worrying about broken inheritance on low-sensitivity sites.

Build a reusable process. Without a maintenance cadence, the sharing link and unique permission issues Sarah fixed will accumulate again - quarterly re-runs of the same Report Master export and Shared Links tool are the lowest-effort way to keep the permission landscape manageable. For further guidance on setting up a permissions audit process, see the SharePoint permissions audit guide.

Frequently Asked Questions

Why do SharePoint permissions matter for Microsoft 365 Copilot?

Microsoft 365 Copilot surfaces SharePoint content based on what the current user already has permission to access. Overly broad permissions or stale sharing links mean Copilot can surface content a user was never intended to see. Tightening permissions before enabling Copilot reduces the risk of sensitive content appearing in AI-generated responses.

What SharePoint permission issues should I fix before enabling Copilot?

The highest-risk issues are: active sharing links with organisation-wide or broad access scope; stale guest accounts for external users who no longer need access; unique permissions on individual files set as workarounds rather than policy decisions; and site collections where permission inheritance has been broken at multiple levels, making effective access unclear.

How long does a SharePoint permissions cleanup for Copilot readiness typically take?

The audit phase takes one to two days for a mid-sized tenant (200 to 500 users, 20 to 50 sites). Remediation depends on the extent of oversharing found. A tenant with years of accumulated sharing links and broken inheritance can take a week of part-time effort. Bulk-revoking sharing links through ShareMaster cuts the remediation time significantly compared to manual site-by-site removal.