Microsoft 365 Copilot does not bypass permissions. It uses them, exactly as they are, and it does so in answer to a single sentence. That is why it exposes oversharing: the access was always there; Copilot just makes it instantly findable.
What oversharing actually is
Oversharing is rarely someone deliberately opening the doors. In practice it builds up from a few ordinary habits:
- Links scoped too broadly. “Anyone with the link” and “people in your organisation” links are the quick option, so they get used by default.
- No expiry. A link created for one supplier two years ago can still be live and circulating.
- Sharing out of context. A link meant for one person gets forwarded, or a sensitive file is dropped into a broad Team or chat.
- Broad group and site access. Org-wide sites, communication sites readable by everyone, and Microsoft 365 groups that quietly contain the whole company.
- Permission drift, defaults and legacy. Inheritance broken years ago, and provisioning defaults or old migrations that left content open in ways nobody chose on purpose.
None of this matters much while finding the content means clicking through site by site. Almost nobody does that.
Then you switch on Copilot
Copilot can read everything the signed-in user can read, and surface it from a plain-English question. “Summarise what we have on the redundancy plan” no longer needs anyone to know where the file lives. If one document about it is reachable by that user, Copilot will find it.
So enabling Copilot does not create the exposure. It removes the only thing that was quietly protecting you: obscurity.
What to check before you roll out
In rough order of how often it bites:
- Sharing link policy. The default link type, and whether expiry is enforced on anonymous links.
- Existing broad links. The old, open, never-expiring ones still in circulation.
- Broadly shared sites and groups. What is readable org-wide, and which groups really contain everyone.
- Sensitivity labels and DLP. Whether anything sensitive is actually classified and protected.
- Permission drift. Sites and libraries where access no longer matches intent.
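The first three items on that list can be read straight out of the tenant without changing anything. The script below is an added example, not code from the original post or from any vendor tool it mentions: a read-only pass in PowerShell using the SharePoint Online Management Shell that reports the default link type, whether anonymous links are forced to expire, which sites still permit "Anyone" links, and which sites grant access to "Everyone except external users". It assumes the Microsoft.Online.SharePoint.PowerShell module is installed, the signed-in account is a SharePoint Administrator, "contoso" is a placeholder for your tenant, and the claim prefix used to spot org-wide access is the common one (verify it against your own tenant).

```powershell
# Added example, not from the original post: a read-only pass over the first three
# checklist items using the SharePoint Online Management Shell. Assumptions: the
# Microsoft.Online.SharePoint.PowerShell module is installed, the signed-in account
# is a SharePoint Administrator, and "contoso" is a placeholder for your tenant.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Severity, [string]$Scope, [string]$Finding) {
    $findings.Add([pscustomobject]@{ Severity = $Severity; Scope = $Scope; Finding = $Finding })
}

# 1. Sharing link policy (tenant level).
$tenant = Get-SPOTenant
if ($tenant.DefaultSharingLinkType -ne 'Direct') {
    Add-Finding 'High' 'Tenant' "Default link type is '$($tenant.DefaultSharingLinkType)'; 'Direct' (specific people) is the safe default."
}
# 'Anyone' links exist only when SharingCapability is ExternalUserAndGuestSharing;
# RequireAnonymousLinksExpireInDays of -1 means no expiry is enforced on them.
$anonAllowed = $tenant.SharingCapability -eq 'ExternalUserAndGuestSharing'
if ($anonAllowed -and $tenant.RequireAnonymousLinksExpireInDays -lt 1) {
    Add-Finding 'High' 'Tenant' "'Anyone' links are allowed and never expire by policy."
}

# 2./3. Per site: which sites still permit 'Anyone' links, and which are readable
# by the whole organisation. Org-wide readers appear as the
# "Everyone except external users" claim; the login-name prefix below is an
# assumption taken from common tenants, so verify it against your own.
$everyoneClaimPrefix = 'c:0-.f|rolemanager|spo-grid-all-users'
foreach ($site in Get-SPOSite -Limit All) {
    if ($site.SharingCapability -eq 'ExternalUserAndGuestSharing') {
        Add-Finding 'High' $site.Url "Site allows 'Anyone' links."
    }
    try {
        # Get-SPOUser needs site collection admin rights; sites that refuse are recorded and skipped.
        $users = Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop
        $broad = $users | Where-Object { $_.LoginName -like "$everyoneClaimPrefix*" }
        if ($broad) {
            $groups = ($broad.Groups | Select-Object -Unique) -join ', '
            Add-Finding 'Medium' $site.Url "Granted to 'Everyone except external users' (groups: $groups)."
        }
    } catch {
        Add-Finding 'Info' $site.Url "Could not enumerate users: $($_.Exception.Message)"
    }
}

# Report, most severe first, and keep a copy for the remediation pass.
$order = @{ High = 0; Medium = 1; Info = 2 }
$findings | Sort-Object { $order[$_.Severity] } | Format-Table -AutoSize
$findings | Export-Csv -Path ".\copilot-readiness-findings.csv" -NoTypeInformation

# Remediation, deliberately commented out: apply only after reviewing the report,
# because changing the tenant default affects every link created from then on.
# Set-SPOTenant -DefaultSharingLinkType Direct
# Set-SPOTenant -RequireAnonymousLinksExpireInDays 30
```

On a large tenant the per-site user enumeration is the slow part, so run it outside hours or restrict the site list first. The script deliberately covers only the link-policy, broad-link and broad-site items; sensitivity labels, DLP and permission drift need the Purview and site-permission reports rather than a tenant-level query.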
Do this before you enable, not after
The right order is to assess first, fix the high-risk items, then turn Copilot on. A read-only scan tells you what Copilot is about to surface, prioritised by severity, with the specific sites and links involved.
That is what our free Microsoft 365 health-check does. For the patterns we see most often, see what oversharing actually looks like; for where it leads, see the governance work that keeps a tenant clean as it drifts.