Imagine a new hire at your Bradenton law firm asks Microsoft Copilot, “What’s everyone’s salary?” — and it actually answers. That’s not a bug. It’s what happens when Copilot has access to every file your team can see, and nobody’s cleaned up permissions in a few years. Before you flip on that Copilot trial, there’s some homework to do first.
Here’s the thing: Microsoft 365 Copilot pulls from emails, SharePoint files, OneDrive documents, Teams chats, and calendar items using each user’s existing permissions. It doesn’t create new access — it just uses what’s already there. And in most tenants, that access is way broader than anyone realizes.
How Copilot Actually Gets to Your Data
Copilot works through something called Microsoft Graph — the behind-the-scenes layer connecting all your Microsoft 365 services. When someone asks Copilot a question, it searches across everything that person has permission to see.
Microsoft’s own documentation says it plainly: Copilot can only access content the user is authorized to see. That sounds reassuring — until you realize most people have access to far more than they should.
Why Permissions Drift Out of Control
Think about how access works at a CPA firm or wealth management office. Someone says, “Give Sarah access to the Henderson file.” The project wraps up. Nobody removes the access. Multiply that across five years of staff changes, client matters, and quick “just share this real quick” moments.
For accounting firms, law offices, and financial advisors here in the Tampa Bay area, this is especially risky. The files are the product — client financials, settlement figures, fee arrangements, deal terms. The confidentiality of that material is the entire business model.
If a permission exists, Copilot will use it. It doesn’t ask whether the access was supposed to be temporary.
Microsoft now acknowledges this head-on. They’ve published a deployment blueprint that puts oversharing remediation as the first step before any Copilot rollout. Not second. First.
Five Things Copilot Could Reveal in a Messy Tenant
Here’s what we’ve seen Copilot surface when permissions haven’t been cleaned up:
“What is everyone’s salary?” — Returns a compensation spreadsheet HR shared with a hiring manager 18 months ago. That share was never revoked.
“Summarize the [client] case.” — Pulls documents from a SharePoint site a user was added to during a one-off project two years ago. They still have access.
“What deals are we working on?” — Assembles a complete picture of your firm’s pipeline from M&A data rooms that were never closed, personal OneDrive files shared for a single meeting, and Teams channels that grew beyond their original scope.
“Find everything about [former employee].” — Surfaces the termination memo, severance calculation, performance reviews, and related emails. All in one query.
“What’s our markup on [client] engagements?” — Returns your internal pricing sheet that was shared once for a proposal review and never locked back down.
It doesn’t matter whether anyone would ask these questions. What matters is what Copilot can return.
Why “Let’s Just Do a Small Pilot” Can Backfire
A limited pilot sounds safe, but there’s a catch. The people picked for pilots are almost always senior partners or managers — the same people who have the broadest access in the entire organization.
A pilot with three senior partners at a Manatee County law firm actually creates the highest-risk version of the test, not the lowest. Those are the accounts that can see everything.
And once Copilot returns a summary to someone, you can’t un-ring that bell. The audit log will show what was asked, but the information is already out there.
Four Things to Fix Before You Hit “Start Trial”
These four steps are the difference between a useful test and an accidental data exposure:
1. Run a SharePoint sharing audit. SharePoint Advanced Management includes a content assessment that flags oversharing patterns and permission issues. This is your starting point.
2. Review OneDrive external shares. Look for files shared outside your organization that were never recalled. This is incredibly common at accounting firms and law offices where documents go back and forth with clients and then get forgotten.
3. Audit Teams membership. Confirm that channel membership still reflects who actually needs access. Channels that ballooned during a big project and never got trimmed are a frequent source of unintended access.
4. Apply sensitivity labels. Microsoft Purview sensitivity labels tell Microsoft 365 which content is confidential. With labels in place, you can use Data Loss Prevention policies to keep Copilot from processing sensitive items — or use encryption to block Copilot from reading them entirely. Without labels, Copilot treats a client settlement document the same as a lunch order.
For a firm with 25 to 100 people, this prep work typically takes four to eight weeks. Your IT team can handle a lot of it, but deciding which document categories get which labels? That needs input from the people who understand the material — partners, owners, practice leaders.
The One Email to Send Your IT Team Right Now
Before you decide anything about Copilot, send this message to whoever manages your Microsoft 365:
“Can you show me a report of every file in our tenant that’s accessible to more than ten people, and flag the ones containing client names, salary figures, or financial data?”
If they can produce something useful in a few days, your environment has been actively managed. If the answer is “we’d need to enable some things first” — that tells you everything you need to know about your Copilot readiness.
Frequently Asked Questions
Does Copilot have access to my files by default?
Copilot sees whatever the signed-in user can see — no more, no less. It works through existing SharePoint, OneDrive, and Exchange permissions. The risk isn’t that Copilot creates new access. It’s that existing access is broader than you think.
Can sensitivity labels actually block Copilot?
Yes. Purview sensitivity labels with encryption can prevent Copilot from reading content. Users need specific usage rights (EXTRACT and VIEW) for Copilot to interact with labeled files. DLP policies can also exclude labeled items from Copilot processing.
Is a small pilot safe?
It can be — if the pilot users have limited access to sensitive content. The common mistake is picking senior staff, who typically have the broadest permissions in the organization.
How long does it take to prepare?
For a firm with several years of accumulated content, plan on four to eight weeks. That covers the SharePoint audit, external share review, Teams membership cleanup, and sensitivity label setup.
Sources and Further Reading
- Microsoft Learn: Microsoft 365 Copilot blueprint for oversharing
- Microsoft Learn: Configure a secure and governed foundation for Microsoft 365 Copilot
- Microsoft Learn: Get ready for Copilot with SharePoint Advanced Management
- Microsoft Learn: Use Microsoft Purview to manage Copilot security and compliance
Whether or not Copilot is on your roadmap, cleaning up your Microsoft 365 permissions is worth doing. If you’re a Florida business that hasn’t had a tenant review in a while — or you’re not sure where to start — we do this for firms just like yours. Book a free 15-minute call and we’ll walk you through what to look at first.


