Let's be honest: auditing SharePoint permissions has historically been the IT equivalent of untangling a box of Christmas lights in the dark. For years, administrators have relied on fragile, complex PowerShell scripts that often broke after the next module update. But with the arrival of Microsoft 365 Copilot, turning a blind eye to overshared data is no longer an option.

Copilot is incredibly helpful, but it’s also brutally efficient at finding exactly what a user has access to—even if they shouldn't. If your permissions are a mess, Copilot will happily summarize the CEO's confidential restructuring plans for an intern. We need a solid Zero Trust foundation, not a "Zero Trust Bullshit Wall" built on hope and forgotten sharing links.

Enter the "Site Permissions for Users" Report

Thankfully, Microsoft has recognized this critical need. They have introduced a native, built-in solution within the SharePoint Admin Center under the Data Access Governance section. The new "Site permissions for users" report is a massive leap forward in securing our tenants.

Instead of wrestling with code, administrators can now generate a clear, comprehensive snapshot of exactly what a specific user can access across the entire SharePoint and OneDrive environment.

What Makes This Report So Powerful?

This isn't just a basic list of sites. The granularity is where the real value lies. The report breaks down access into crucial categories:

  • Direct Access vs. Indirect Access: It distinguishes between items shared directly with the user and those they can access because they belong to a specific security group.
  • Site Level vs. Item Level: It clarifies if the user is a full member of a site or if they only have access to a few specific files buried within it.
  • Sensitivity Labels: Crucially, it displays any Microsoft Information Protection sensitivity labels (like "HR Highly Confidential") applied to the sites, giving you immediate context on the risk level.

"The report captures the permission state of given user(s) at a specific point in time, giving you a complete overview of sites accessible to these users along with the extent of access." - Microsoft Learn

The Licensing "Loophole" (or Brilliant Strategy?)

Here is the most interesting part. Officially, these Data Access Governance reports are part of the premium SharePoint Advanced Management (SAM) add-on. However, as noted in a recent community analysis and confirmed by Microsoft documentation, there is a significant exception.

If your organization has purchased and assigned at least one Microsoft 365 Copilot license, the SharePoint administrators automatically gain access to these specific governance features. Microsoft clearly understands that you cannot safely deploy Copilot without first cleaning up your permission structure. They are providing the tools necessary to do the job right.

Limitations to Keep in Mind

While fantastic, the tool does have some guardrails to prevent system overload:

  • You can run a maximum of 5 concurrent reports.
  • Reports can only be regenerated for a specific user every 30 days.
  • The downloadable CSV export has a limit of 1 million sites.

Actionable Next Steps

If you are planning a Copilot rollout, or even if you just want to sleep better at night knowing your data is secure, this report is your new best friend. Use it during offboarding processes, for routine security audits, and absolutely before handing an AI assistant the keys to your tenant.

Stop guessing who has access to what. Use the tools provided to build a genuine Zero Trust architecture, not just a buzzword-compliant facade.
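
One way to put the downloaded CSV to work before a Copilot rollout or an offboarding review is to rank its rows by the categories described above. The script below is an added example, not Microsoft's code or part of the report itself. The column headers, the scoring weights and the sample rows are assumptions made for illustration, so map `COLS` to the headers in your own export.

```python
import csv
import io

# Assumed column headers (hypothetical); adjust to match your own export.
COLS = {"site": "Site URL", "label": "Sensitivity label",
        "access": "Access type", "scope": "Access scope", "via": "Granted through"}

# Constructed sample rows, not real report output.
SAMPLE_CSV = """Site URL,Sensitivity label,Access type,Access scope,Granted through
https://contoso.example/sites/hr,HR Highly Confidential,Indirect,Site,Everyone except external users
https://contoso.example/sites/finance,,Direct,Item,
https://contoso.example/sites/board,HR Highly Confidential,Direct,Item,
https://contoso.example/sites/lunch,,Indirect,Site,All Staff
"""

def val(row, key):
    """Read one field, tolerating short rows and stray whitespace."""
    return (row.get(COLS[key]) or "").strip()

def score(row):
    """Return (points, reasons) for one row; the weights are illustrative."""
    points, reasons = 0, []
    if val(row, "label"):
        points += 3
        reasons.append("labelled site: " + val(row, "label"))
    if val(row, "access").lower() == "indirect":
        points += 2
        reasons.append("indirect via group: " + (val(row, "via") or "unknown"))
    if val(row, "scope").lower() == "item":
        points += 1
        reasons.append("item-level grant, not visible in site membership")
    return points, reasons

def triage(csv_text, min_points=3):
    """Rank rows for review, highest score first; drop rows below min_points."""
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))  # strip a BOM
    missing = [c for c in COLS.values() if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export is missing expected columns: {missing}")
    findings = []
    for row in reader:
        points, reasons = score(row)
        if points >= min_points:
            findings.append({"site": val(row, "site"), "points": points, "reasons": reasons})
    return sorted(findings, key=lambda f: f["points"], reverse=True)

if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f["points"], f["site"], "; ".join(f["reasons"]))
```

With the default threshold, only rows on labelled sites survive, and a labelled site reached through a broad group ranks first.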


References

  1. Microsoft Learn: Data access governance reports - get site permission report for given users
  2. Microsoft Learn: SharePoint Advanced Management overview