
Five SharePoint oversharing patterns we find in almost every Australian tenant

The specific configurations we uncover on the first day of a Copilot readiness review — and the Microsoft-native fix for each.

Simon Aspinall · 22 April 2026 · 8 min read

Every Copilot readiness review we run for an Australian mid-market business starts the same way. We pull the SharePoint Advanced Management reports, we sit with the IT lead, and within about an hour we've identified the same five oversharing patterns. They show up regardless of industry, tenant size or MSP history. They're the operational residue of fifteen years of SharePoint being used by people who never had a reason to think deeply about its permissions model.

None of these patterns are catastrophes on their own. Each one is mildly embarrassing rather than dangerous. But Copilot aggregates them. A tenant with all five is a tenant where Copilot will confidently summarise last year's restructure plan into a team chat because three of the patterns lined up. Worth cleaning up before go-live, not after.

Pattern 1 — The intranet that grew

Somewhere around 2015 someone built a SharePoint intranet site, shared it with Everyone, and moved on. Over the next ten years, users added document libraries to it — for real reasons at the time. Policy documents. Travel forms. Team rosters. Then, eventually, a sensitive folder someone forgot was inside a site shared with Everyone.

The fix: start from the top. Run the SAM sharing report, filter to sites shared to Everyone, walk each site with the owner. Move the sensitive content to a new, narrowly scoped site. Leave the genuinely public content where it is. Add a label policy so the intranet can only host Public-labelled content going forward.

Pattern 2 — The Anyone link that never expired

A contractor needed a file quickly. Someone shared it with "Anyone with the link" to avoid the guest access flow. Three years later the contractor has left, the file is still live on the original share, and the link is sitting in a half-dozen email threads. Multiply by a few thousand.

The fix: this one is made for SharePoint Advanced Management. The SAM sharing report surfaces every active Anyone link in the tenant, sorted by age. Bulk-revoke anything over twelve months old that hasn't been accessed recently. Change the tenant default link type from Anyone to Specific people. Restrict Anyone links to a small set of business-justified scenarios with an explicit expiry policy.
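Patterns 1 and 2 are both tenant-level SharePoint work, so one script serves both. The following is an added example, not a script from Frontrow or from Microsoft: it lists every site collection where one of the two tenant-wide claims ("Everyone", "Everyone except external users") has been granted access directly or through a site group, then sets the tenant sharing defaults described above and switches Anyone links off on every site not on an allow-list. It uses the SharePoint Online Management Shell; the tenant name, the output paths and the allow-list entry are placeholders.

```powershell
# Added example, not Frontrow's tooling. Requires the SharePoint Online Management Shell
# (Microsoft.Online.SharePoint.PowerShell). TENANT is a placeholder for your tenant name.
Connect-SPOService -Url "https://TENANT-admin.sharepoint.com"

# Login-name prefixes of the two tenant-wide claims. "Everyone except external users"
# ends in the tenant id, so the check is a prefix match.
$everyoneClaims = @(
    'c:0(.s|true',                             # Everyone
    'c:0-.f|rolemanager|spo-grid-all-users/'   # Everyone except external users
)

# Pattern 1: every site collection where one of those claims holds access.
# Item-level sharing is not visible here; the SAM sharing report covers that layer.
function Find-EveryoneSites {
    $hits = @()
    foreach ($site in Get-SPOSite -Limit All) {
        try   { $users = Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop }
        catch { Write-Warning "Skipped $($site.Url): $_"; continue }
        foreach ($u in $users) {
            foreach ($claim in $everyoneClaims) {
                if ($u.LoginName.StartsWith($claim)) {
                    $hits += [pscustomobject]@{
                        Url       = $site.Url
                        Owner     = $site.Owner
                        Principal = $u.DisplayName
                        ViaGroups = ($u.Groups -join '; ')
                    }
                }
            }
        }
    }
    $hits
}

$everyoneSites = Find-EveryoneSites
$everyoneSites | Export-Csv -Path .\everyone-sites.csv -NoTypeInformation
$everyoneSites | Format-Table Url, Principal, ViaGroups -AutoSize

# Pattern 2: tenant defaults. Direct is "Specific people". Where Anyone links remain
# allowed, new ones become view-only and expire after 30 days.
Set-SPOTenant -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View `
              -FileAnonymousLinkType View `
              -FolderAnonymousLinkType View `
              -RequireAnonymousLinksExpireInDays 30

# Anyone links stay on only for sites with a recorded business justification.
# $approvedForAnyoneLinks is a constructed allow-list; every other site that currently
# permits Anyone links drops to guest-only external sharing.
$approvedForAnyoneLinks = @('https://TENANT.sharepoint.com/sites/public-tenders')
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' -and
                   $approvedForAnyoneLinks -notcontains $_.Url } |
    ForEach-Object {
        Set-SPOSite -Identity $_.Url -SharingCapability ExternalUserSharingOnly
        Write-Host "Anyone links disabled on $($_.Url)"
    }
```

Two caveats worth knowing before running it. The `Set-SPOTenant` defaults only shape links created from now on; the existing stale Anyone links still need revoking from the SAM report (or through the Graph permissions API on each item). Turning Anyone sharing off on a site does take that site's existing Anyone links out of service, which is why the allow-list is the right place to record the business-justified exceptions rather than a wiki page.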

Pattern 3 — OneDrive as everyone's real document management

Staff save sensitive content to OneDrive because it's easier than remembering where it goes in SharePoint. They share individual files out for a specific meeting or review. The sharing expands over time — especially on files that loop through multiple reviewers. A contract draft that started on one person's OneDrive has thirty people with edit access by the end of a deal.

The fix: Purview DLP with OneDrive as an in-scope location. Rules that match on sensitive info types — TFNs, bank details, contracts with specific vendor names — and warn or block when sharing beyond a defined scope. Not a blocker on day one; tune via policy tips first so users learn. Pair with a gradual cultural push back into SharePoint for collaborative work.
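The staged rollout described above (policy tips first, block later) maps onto two policy modes. The following is an added example, not Frontrow's policy or a Microsoft sample: a Purview DLP policy scoped to all OneDrive accounts that starts in test mode with notifications, warns owners when a file holding an Australian TFN or bank account number is shared outside the organisation, and is switched to enforcement once the tips have been tuned. It runs in Security & Compliance PowerShell (the Exchange Online Management module); the policy name and tip text are constructed, and the vendor-name matching mentioned in the text would need a custom sensitive information type that is not shown here.

```powershell
# Added example, not Frontrow's policy. Exchange Online Management module, Security & Compliance endpoint.
Connect-IPPSSession

$policyName = "OneDrive external sharing - AU sensitive data"   # constructed name

# Stage 1: audit plus policy tips. Nothing is blocked; users see the tip and learn.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Warn on OneDrive sharing of TFNs and bank details outside the organisation" `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Built-in sensitive information types; entries in the array are matched as "any of".
New-DlpComplianceRule -Name "$policyName - warn" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Australia Tax File Number";     minCount = "1" },
        @{ Name = "Australia Bank Account Number"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -NotifyUser @('Owner', 'LastModifier') `
    -NotifyPolicyTipCustomText "This file contains TFNs or bank details. Do not share it outside the organisation from OneDrive; move it to the agreed SharePoint site." `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent @('Title', 'Detections', 'DocumentAuthor')

# Stage 2, after a few weeks of reviewing the incident reports and false positives:
# enforce the policy and block external recipients while owners keep access.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
Set-DlpComplianceRule -Identity "$policyName - warn" `
    -BlockAccess $true `
    -BlockAccessScope PerUser
```

Leave the stage 1 commands running on their own for long enough to read the incident reports; the `minCount` values and the list of types are what you tune there. Only then run the stage 2 commands, which is the point at which a mistuned rule starts costing users time.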

Pattern 4 — The Teams site explosion

Every Microsoft Team created in the last five years has a SharePoint site behind it. Most of those Teams were created ad hoc — a project kicked off, someone created a Team, files went in, the project ended, the Team sits there. Multiply by a few hundred. The resulting SharePoint estate contains a long tail of low-governed sites with files that are often sensitive and permissions that are definitely unreviewed.

The fix: set a Microsoft 365 group expiration policy. Force owners to reconfirm ownership of their Team every 365 days — inactive groups auto-archive. This is a Microsoft-native capability most tenants have never enabled. It doesn't break anything for active Teams; it just sweeps the tail. Pair with a naming and sensitivity policy for new group creation.
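Group expiration is one policy object per tenant. The following is an added example, not Frontrow's script or a Microsoft sample: it creates the 365-day lifecycle policy through the Microsoft Graph PowerShell SDK and then lists the Unified groups (which includes every Teams-backed group) that have no owner, since those are the ones nobody will be asked to renew. The notification mailbox and output path are placeholders.

```powershell
# Added example, not Frontrow's script. Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups).
# The alternate notification address is a placeholder.
Connect-MgGraph -Scopes @("Directory.ReadWrite.All", "Group.Read.All")

# One expiration policy per tenant. Owners receive renewal mail 30, 15 and 1 days before
# expiry; groups with no owner notify the alternate address instead.
New-MgGroupLifecyclePolicy -GroupLifetimeInDays 365 `
    -ManagedGroupTypes "All" `
    -AlternateNotificationEmails "m365-governance@example.com"

# Groups that would expire without any owner being asked. ExpirationDateTime and
# RenewedDateTime are populated by the service once the policy applies.
function Get-OwnerlessUnifiedGroups {
    Get-MgGroup -Filter "groupTypes/any(c:c eq 'Unified')" `
                -Property Id, DisplayName, ExpirationDateTime, RenewedDateTime -All |
        Where-Object { -not (Get-MgGroupOwner -GroupId $_.Id) } |
        Select-Object DisplayName, Id, RenewedDateTime, ExpirationDateTime
}

$ownerless = Get-OwnerlessUnifiedGroups
$ownerless | Export-Csv -Path .\ownerless-groups.csv -NoTypeInformation
"{0} Unified groups have no owner" -f @($ownerless).Count
```

Two details the text glosses over. Groups with recent activity (a file opened in the site, a channel visited, mail read in the group mailbox) are renewed automatically, which is why active Teams are untouched. A group that is neither active nor renewed is soft-deleted when its expiry passes and can be restored for 30 days, so the sweep of the tail is recoverable but not indefinitely; the ownerless list above is the set to assign owners to before the first cycle runs.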

Pattern 5 — The never-reviewed guest list

Every engagement with an external party creates a guest user in Entra ID. Some engagements end cleanly; most don't. The guest accounts remain, with the permissions they were granted at the time of the original project. Three years of this, and the guest list has accounts from vendors you stopped using, contractors who moved roles, and agencies that were acquired.

The fix: Microsoft Entra ID Access Reviews, scoped to all guest users, running on a quarterly cadence. Inactive guests auto-expire after a defined period — we usually set 60 to 90 days. Reviewers are line managers who can recertify or remove access. This is entirely Microsoft-native, included in Entra ID P2, and takes about an hour to configure.
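The review described above can be created from the portal, but it is worth seeing the settings together. The following is an added example, not Frontrow's configuration or a Microsoft sample: an access review definition created through the Microsoft Graph PowerShell SDK, scoped to guest users inactive for 90 days across all Microsoft 365 groups, reviewed by each guest's manager with a fallback reviewer, recurring quarterly, with the default decision Deny applied automatically when a reviewer does not respond. The fallback user id and start date are placeholders; the scope query strings follow the Graph `accessReviewScheduleDefinition` shape for a principal-by-resource review.

```powershell
# Added example, not Frontrow's configuration. Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.Governance); Entra ID P2 is required for access reviews.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$params = @{
    displayName          = "Quarterly guest access review"
    descriptionForAdmins = "Guests inactive for 90 days across all Microsoft 365 groups"
    descriptionForReviewers = "Confirm this guest still needs access, or remove it."

    # Principals: guest users with no sign-in in the last 90 days (the article's 60 to 90 day window).
    # Resources: every Microsoft 365 group, which is where Teams and SharePoint guest access lives.
    scope = @{
        "@odata.type"   = "#microsoft.graph.principalResourceMembershipsScope"
        principalScopes = @(
            @{
                "@odata.type"    = "#microsoft.graph.accessReviewInactiveUsersQueryScope"
                query            = '/users?$filter=(userType eq ''Guest'')'
                queryType        = "MicrosoftGraph"
                inactiveDuration = "P90D"
            }
        )
        resourceScopes = @(
            @{
                "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
                query         = '/groups?$filter=(groupTypes/any(c:c eq ''Unified''))'
                queryType     = "MicrosoftGraph"
            }
        )
    }

    # The reviewer is the manager of the guest being reviewed; queryRoot "decisions" makes
    # {userId} resolve per decision. A named fallback catches guests with no manager set.
    reviewers = @(
        @{ query = "/users/{userId}/manager"; queryType = "MicrosoftGraph"; queryRoot = "decisions" }
    )
    fallbackReviewers = @(
        @{ query = "/users/00000000-0000-0000-0000-000000000000"; queryType = "MicrosoftGraph" }  # placeholder id
    )

    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true      # inactivity surfaces as a "Deny" recommendation
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"     # no response within the window means access is removed
        autoApplyDecisionsEnabled       = $true
        instanceDurationInDays          = 14
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3 }   # quarterly
            range   = @{ type = "noEnd"; startDate = "2026-05-01" }  # placeholder start
        }
    }
}

$definition = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params
"Created review {0} ({1})" -f $definition.DisplayName, $definition.Id
```

The two settings that do the work are `defaultDecision = "Deny"` with `autoApplyDecisionsEnabled`: together they are what makes an unanswered review remove the guest's access rather than leaving it in place, which is the failure mode of reviews that only send email. Check the fallback reviewer is a role, not a person who might leave, before the first instance starts.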

The reason these matter for Copilot specifically

Each of the five patterns, on its own, is a slightly embarrassing oversight. Each is remediated with Microsoft-native tooling that ships in your existing licensing. None requires new software or a major project. What changes with Copilot is the aggregation — a model that can reason across all of them simultaneously, at the speed of a natural-language question.

In practice this means the time window for fixing these patterns has changed. Under classic SharePoint search, the five patterns would surface the occasional awkward discovery. Under Copilot, they surface every day, on every query where any one of the patterns is in scope. The effort to remediate is the same as it always was. The urgency to remediate has lifted. If you'd like an outside set of eyes on your tenant's version of these five, book a 30-minute Copilot readiness review and we'll walk the reports with you.
