SHAREPOINT OVERSHARING
RISK CHECK.

Score each dimension · 4 options

Is your tenant ready for Microsoft 365 Copilot?

Copilot is as smart as your tenant is tidy. Twelve quick questions — each mapped to a Microsoft-native capability that closes the gap. Takes about ten minutes.

• 01

  Anonymous "anyone with the link" shares

  External access

  How does your tenant handle anonymous sharing links?

  0Anyone-with-the-link is on by default. No site-level overrides. We've never reviewed who's sharing what.1Default is Anyone, but we turn it off per site where someone remembers to ask.2Default is Specific people. Anyone sharing is restricted to specific site types with an expiry policy.3Anonymous sharing is disabled tenant-wide or tightly governed via SharePoint Advanced Management. Reports reviewed monthly.
• 02

  Tenant-wide / "Everyone except external" site sharing

  Permissions hygiene

  Do you have sites shared with "Everyone" or "Everyone except external users"?

  0Yes — widely, including sensitive libraries. Nobody has audited the list.1Yes — for a handful of intranet-style sites, but other sites too.2Limited to clearly-public intranet / news sites. Exceptions documented.3Zero tenant-wide shared sites outside of a documented intranet. Reviewed quarterly.
• 03

  External guest access hygiene

  External access

  How do you manage external guest users in Entra ID?

  0No idea how many guests we have. No review cadence. Ex-contractors are probably still in.1We add guests when asked. Cleanup is reactive when someone notices.2Guests tracked. Annual access review. Most stale accounts removed.3Entra ID Access Reviews scheduled quarterly. Inactive guests auto-expired at 60 days.
• 04

  Site collection admin sprawl

  Identity & privileged access

  How tightly is SharePoint site collection admin access controlled?

  0Many people have site admin rights. No inventory. Ex-staff probably still listed somewhere.1Rough idea of who's an admin; rarely reviewed.2Site owners listed per site. Annual clean-up.3Minimal admin footprint per site. Ownership reviewed quarterly. Privileged SharePoint roles gated by PIM.
• 05

  Broken permission inheritance

  Permissions hygiene

  How much unique (non-inherited) permissioning exists across your sites?

  0Significant and unknown. Folders and files are frequently re-permissioned ad hoc.1Some known unique permissioning. No central view.2Unique permissions only on a handful of approved sites. Documented.3Strong pattern: permissions at site/library level, inheritance intact. Drift reported via Microsoft Purview data map.
• 06

  Orphaned sites with no active owner

  Permissions hygiene

  How do you handle sites whose owner has left or gone inactive?

  0No idea how many orphaned sites we have. No process.1We re-assign when someone raises it. Many still orphaned.2Quarterly orphan audit. Most sites owned by an active person.3SAM inactive site report reviewed monthly. Orphaned sites auto-archived after a documented period.
• 07

  OneDrive personal sharing patterns

  External access

  Do staff share sensitive documents (HR, finance, contracts) from OneDrive?

  0Happens often. Documents are stored and shared from OneDrive ad hoc.1Happens sometimes. We've asked staff not to but there's no enforcement.2Policy exists. Sensitive content is mostly in SharePoint libraries with access controls.3OneDrive sharing tightly governed via tenant policy. DLP catches sensitive content stored there.
• 08

  Sensitivity label coverage

  Content classification

  How much of your content is classified with Microsoft Purview sensitivity labels?

  0No labels deployed. Nothing is classified.1Labels published but most content is unlabelled or defaults to Internal.2Labels applied across the tenant. Auto-labelling running for sensitive info types. Steady adoption.3Mature label program. High auto-labelling accuracy. Copilot respects labels for surfacing and encryption.
• 09

  Restricted SharePoint Search / content discovery controls

  Content classification

  Have you enabled Restricted SharePoint Search or equivalent discovery controls for sensitive sites?

  0No — default tenant-wide discovery is in force on every site.1We've heard of it but haven't scoped which sites need it.2Enabled on a handful of clearly-sensitive sites (board, HR).3Restricted Search applied to all sensitive sites. Reviewed whenever a new sensitive site is created.
• 10

  Microsoft Teams / Groups public vs private hygiene

  Permissions hygiene

  How strict is the hygiene on Team / Microsoft 365 Group privacy settings?

  0Default is public. Many public Teams contain sensitive content.1Some private. Mixed — nobody enforces a pattern.2Default is private. Public Teams require a review.3Group naming + sensitivity policies enforce privacy tier based on content classification.
• 11

  Legacy classic SharePoint sites

  Permissions hygiene

  Do you still have classic (pre-modern) SharePoint sites in the tenant?

  0Yes — many classic sites. Permissions model largely unknown.1Some classic sites surviving. Migration deferred.2Few classic sites. Known and scheduled for modernisation.3Fully modern. Classic sites retired and content migrated.
• 12

  Access review cadence for sensitive sites + external access

  Identity & privileged access

  How often do you review access to sensitive sites and external user lists?

  0Never formally. Only when something goes wrong.1Annually or on request.2Quarterly review for sensitive sites. Annual for guests.3Monthly access reviews via Entra for sensitive sites and guests. Change events logged and reviewed.