A SharePoint permission audit before Copilot goes live is not optional — it is the difference between a controlled rollout and a data leak waiting to happen. For years, administrators relied on fragile PowerShell scripts that broke after every module update. The new Data Access Governance report in the SharePoint admin center changes that equation entirely: it surfaces overshared sites, external sharing violations, and permission anomalies in a single dashboard, without writing a single line of code.

Copilot is incredibly helpful, but it’s also brutally efficient at finding exactly what a user has access to—even if they shouldn't. If your permissions are a mess, Copilot will happily summarize the CEO's confidential restructuring plans for an intern. We need a solid Zero Trust foundation, not a "Zero Trust Bullshit Wall" built on hope and forgotten sharing links.

Enter the "Site Permissions for Users" Report

Thankfully, Microsoft has recognized this critical need. They have introduced a native, built-in solution within the SharePoint Admin Center under the Data Access Governance section. The new "Site permissions for users" report is a massive leap forward in securing our tenants.

Instead of wrestling with code, administrators can now generate a clear, comprehensive snapshot of exactly what a specific user can access across the entire SharePoint and OneDrive environment.

What Makes This Report So Powerful?

This isn't just a basic list of sites. The granularity is where the real value lies. The report breaks down access into crucial categories:

  • Direct Access vs. Indirect Access: It distinguishes between items shared directly with the user and those they can access because they belong to a specific security group.
  • Site Level vs. Item Level: It clarifies if the user is a full member of a site or if they only have access to a few specific files buried within it.
  • Sensitivity Labels: Crucially, it displays any Microsoft Information Protection sensitivity labels (like "HR Highly Confidential") applied to the sites, giving you immediate context on the risk level.
"The report captures the permission state of given user(s) at a specific point in time, giving you a complete overview of sites accessible to these users along with the extent of access." - Microsoft Learn

The Licensing "Loophole" (or Brilliant Strategy?)

Here is the most interesting part. Officially, these Data Access Governance reports are part of the premium SharePoint Advanced Management (SAM) add-on. However, as noted in a recent community analysis and confirmed by Microsoft documentation, there is a significant exception.

If your organization has purchased and assigned at least one Microsoft 365 Copilot license, the SharePoint administrators automatically gain access to these specific governance features. Microsoft clearly understands that you cannot safely deploy Copilot without first cleaning up your permission structure. They are providing the tools necessary to do the job right.

Limitations to Keep in Mind

While fantastic, the tool does have some guardrails to prevent system overload:

  • You can run a maximum of 5 concurrent reports.
  • Reports can only be regenerated for a specific user every 30 days.
  • The downloadable CSV export has a limit of 1 million sites.

Actionable Next Steps

If you are planning a Copilot rollout, or even if you just want to sleep better at night knowing your data is secure, this report is your new best friend. Use it during offboarding processes, for routine security audits, and absolutely before handing an AI assistant the keys to your tenant.

Stop guessing who has access to what. The permission audit is one piece of a broader Zero Trust strategy. For the identity side, see the Microsoft Entra Suite deployment guide. And if you discover orphaned sites during your audit, the ghost hunting guide covers the cleanup process.

Frequently Asked Questions

Do I need SharePoint Advanced Management for the permission report?

Yes. The Data Access Governance reports — including the site permissions report — require a SharePoint Advanced Management license, which is included in Microsoft 365 E5 or available as a standalone add-on. Without it, you fall back to PowerShell-based auditing with the PnP module.

Will Copilot surface data that users should not see?

Copilot respects existing SharePoint permissions. It will not grant access to content a user cannot already reach. The problem is that many tenants have years of accumulated oversharing — sites shared with "Everyone except external users," broken inheritance, or guest links that were never revoked. Copilot simply makes those existing gaps visible faster, because it actively searches across all content the user has access to.

How often should I run a SharePoint permission audit?

At minimum, run the Data Access Governance report quarterly and during every employee offboarding. Before any Copilot rollout, run it against every site collection in the tenant. Ongoing, set up alerts for new "Everyone" sharing events and external guest additions so that oversharing is caught at the moment it happens rather than during the next scheduled audit.


References

  1. Microsoft Learn: Data access governance reports - get site permission report for given users
  2. Microsoft Learn: SharePoint Advanced Management overview