Texas A&M University (Work In Progress)

Remediate oversharing, secure SharePoint sharing, implement Zero Trust access, and prepare for Copilot.

Access & Sharing Governance

The Remediation Phase

This is where the "quick wins" happen. With DSPM showing you oversharing risks, you can now:

  • Eliminate Anyone links that expose content publicly
  • Reduce external sharing to identity-based authentication
  • Apply container labels to SharePoint sites and Teams
  • Prepare for Copilot with Restricted SharePoint Search

Complete this section to produce measurable improvements in your DSPM dashboard.


SharePoint Sharing Controls {#sharing-controls}

Objective

Harden SharePoint and OneDrive sharing settings to reduce oversharing risk identified in DSPM.

Key Activities

| Activity | Tool | Outcome |
|---|---|---|
| Identify orphaned sites | SharePoint Admin Center | Sites assigned owners |
| Configure sharing defaults | Tenant sharing settings | Balanced security posture |
| Enable site lifecycle | SharePoint Advanced Management | Stale sites cleaned up |
| Restrict external sharing | Per-site policies | High-risk sites locked down |

SharePoint Sharing Levels

| Level | What It Allows | Recommended For |
|---|---|---|
| Anyone | Anonymous links | Not recommended |
| New and existing guests | Authenticated external | Default for most |
| Existing guests only | Pre-approved external | Research collaboration |
| Only people in org | No external | HR, Legal, FERPA sites |

Step 1 – Audit Current Sharing Settings

Click-Ops:

  1. Navigate to SharePoint Admin Center > Policies > Sharing
  2. Review tenant-level sharing settings
  3. Set organization default to New and existing guests (identity-based)
  4. Disable anonymous links unless specifically needed

PowerShell:

```powershell
Connect-SPOService -Url "https://yourtenant-admin.sharepoint.com"

# Get current settings
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType

# Set identity-based sharing as default: "New and existing guests" is ExternalUserSharingOnly
# (ExternalUserAndGuestSharing is the "Anyone" level and keeps anonymous links enabled)
Set-SPOTenant -SharingCapability ExternalUserSharingOnly
Set-SPOTenant -DefaultSharingLinkType Internal
```

Step 2 – Harden High-Risk Sites

Goal: Lock down sites containing FERPA, HIPAA, or research data based on DSPM findings.

Recommended Settings for Sensitive Sites:

| Setting | Value |
|---|---|
| Sharing | Only people in your organization |
| Guest access | Blocked |
| Access requests | Disabled or routed to site owner |
| Container sensitivity label | Applied (from Classification) |

Use DSPM to Prioritize

DSPM's "Overshared Data" report shows which sites have sensitive content with broad permissions. Start remediation there.
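The following script is an added example (not code from the original page): it performs the Step 1 audit across all sites (sites still allowing Anyone links, sites without an owner) and then applies the Step 2 settings to the sites flagged in the DSPM "Overshared Data" report. It assumes the SharePoint Online Management Shell and a SharePoint admin account; the admin URL, the site URLs and the container label GUID are constructed placeholders, and it runs as a dry run until `$DryRun` is set to `$false`.

```powershell
# Added example, not part of the original page. Placeholders: admin URL, site URLs, label GUID.
$AdminUrl = "https://yourtenant-admin.sharepoint.com"   # placeholder
Connect-SPOService -Url $AdminUrl

# --- Audit (Step 1) ------------------------------------------------------
$tenant = Get-SPOTenant
"Tenant default: SharingCapability={0}, DefaultSharingLinkType={1}" -f $tenant.SharingCapability, $tenant.DefaultSharingLinkType

$allSites = Get-SPOSite -Limit All

# Sites that still permit Anyone (anonymous) links
$anyoneSites = $allSites | Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' }
Write-Host ("{0} site(s) allow Anyone links" -f $anyoneSites.Count)
$anyoneSites | Select-Object Url, SharingCapability | Format-Table -AutoSize

# Orphaned sites: no primary owner recorded on the site
$orphaned = $allSites | Where-Object { [string]::IsNullOrWhiteSpace($_.Owner) }
Write-Host ("{0} orphaned site(s)" -f $orphaned.Count)
$orphaned | Select-Object Url, Template | Format-Table -AutoSize

# --- Harden high-risk sites (Step 2) -------------------------------------
# Constructed sample list: replace with the URLs exported from the DSPM report.
$highRiskSites = @(
    "https://yourtenant.sharepoint.com/sites/hr-records"
    "https://yourtenant.sharepoint.com/sites/legal-holds"
)
# Placeholder GUID of the container sensitivity label published from Purview
$ContainerLabelId = "00000000-0000-0000-0000-000000000000"
$DryRun = $true   # review the planned changes, then set to $false to apply

foreach ($url in $highRiskSites) {
    $site = $allSites | Where-Object Url -eq $url
    if (-not $site) { Write-Warning "Not found in tenant: $url"; continue }

    # SharingCapability Disabled = "Only people in your organization", which also blocks guests
    $planned = @{
        SharingCapability      = 'Disabled'
        DefaultSharingLinkType = 'Direct'      # specific people only, never org-wide or Anyone links
        SensitivityLabel       = $ContainerLabelId
    }
    Write-Host "`n$url (current sharing: $($site.SharingCapability))"
    $planned.GetEnumerator() | ForEach-Object { "  {0,-24} -> {1}" -f $_.Key, $_.Value }

    if (-not $DryRun) {
        Set-SPOSite -Identity $url @planned
    }
}
```

Access requests are a site-level setting that this module does not expose, so that row of the table still has to be handled in the site's Site permissions page or with PnP PowerShell.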


Zero Trust Access Control {#zero-trust}

Objective

Implement Conditional Access policies and integrate with Defender for Cloud Apps for session-level controls.

Key Policies

| Policy | Trigger | Action |
|---|---|---|
| Require MFA | Accessing sensitive apps | Block if not MFA |
| Block unmanaged devices | Downloading labeled content | Block download |
| Session control | Accessing labeled files from risky locations | Read-only access |
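The three policies in the table, built with Microsoft Graph PowerShell as an added example (not the page's own code). Each policy is created in report-only mode so sign-in impact can be reviewed before enforcement. It assumes the Microsoft.Graph.Identity.SignIns module, consent to Policy.ReadWrite.ConditionalAccess, that Defender for Cloud Apps is onboarded to Conditional Access, and that a read-only session policy for labeled files already exists in the Defender portal; the pilot group and break-glass account object IDs are constructed placeholders.

```powershell
# Added example, not part of the original page. Placeholders: group id, break-glass user id.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$PilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder pilot group object id
$ReportOnly   = "enabledForReportingButNotEnforced"       # validate before enforcing

# Shared user scope: the pilot group, with a break-glass account excluded
$users = @{
    includeGroups = @($PilotGroupId)
    excludeUsers  = @("11111111-1111-1111-1111-111111111111")  # placeholder break-glass id
}

$policies = @(
    @{  # Require MFA for Office 365 (SharePoint, OneDrive, Teams)
        displayName = "ZT-01 Require MFA for Office 365"
        state       = $ReportOnly
        conditions  = @{
            users          = $users
            clientAppTypes = @("all")
            applications   = @{ includeApplications = @("Office365") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{  # Unmanaged devices: apply to devices that are neither compliant nor Entra-joined and
        # route browser sessions through Defender for Cloud Apps, which blocks the download
        displayName = "ZT-02 Block downloads from unmanaged devices"
        state       = $ReportOnly
        conditions  = @{
            users          = $users
            clientAppTypes = @("browser")
            applications   = @{ includeApplications = @("Office365") }
            devices        = @{
                deviceFilter = @{
                    mode = "exclude"
                    rule = 'device.isCompliant -eq True -or device.trustType -eq "AzureAD"'
                }
            }
        }
        sessionControls = @{
            cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = "blockDownloads" }
        }
    },
    @{  # Untrusted locations: hand the session to Defender for Cloud Apps so its
        # session policy can enforce read-only access to labeled files
        displayName = "ZT-03 Session control from untrusted locations"
        state       = $ReportOnly
        conditions  = @{
            users          = $users
            clientAppTypes = @("browser")
            applications   = @{ includeApplications = @("Office365") }
            locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        }
        sessionControls = @{
            cloudAppSecurity = @{ isEnabled = $true; cloudAppSecurityType = "mcasConfigured" }
        }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "{0}  {1}  state={2}" -f $created.Id, $created.DisplayName, $created.State
}
```

After reviewing the report-only sign-in log results, switch `state` to `enabled` one policy at a time; the excluded break-glass account is what keeps an admin from being locked out if a policy misbehaves.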

Copilot Protection {#copilot-protection}

Objective

Prepare your environment for safe Microsoft Copilot deployment using Restricted SharePoint Search.

Copilot Readiness Checklist

  • DSPM posture score ≥ 70
  • Overshared content remediated
  • Sensitivity labels applied to sensitive content
  • High-risk sites excluded from Copilot indexing
  • Pilot group identified

Enable Restricted SharePoint Search

Goal: Prevent Copilot and enterprise search from surfacing content from sensitive sites.

Renamed Feature

This feature was previously called "Restricted Content Discovery" in Purview. It has been moved to SharePoint Admin Center and renamed to Restricted SharePoint Search.

Click-Ops:

  1. Navigate to SharePoint Admin Center > Policies > Sharing > Restricted SharePoint Search
  2. Select Enable site restriction
  3. Add sites to exclude from search/Copilot:
    • HR sites
    • Legal sites
    • Research data repositories
  4. Test with pilot users

PowerShell Alternative:

```powershell
# Requires SharePoint Online Management Shell (run Connect-SPOService first)
# Tenant-wide mode: once enabled, only sites on the allowed list stay visible to search and Copilot
Set-SPOTenantRestrictedSearchMode -Mode Enabled
# The allowed list (Add-SPOTenantRestrictedSearchAllowedList) holds sites that REMAIN visible, so never add sensitive sites to it.
# To keep a specific sensitive site out of org-wide search and Copilot, restrict that site directly:
Set-SPOSite -Identity "https://tamu.sharepoint.com/sites/hr-sensitive" -RestrictContentOrgWideSearch $true
```

Validation Checklist

| # | Item | Success Criteria |
|---|---|---|
| 1 | Sharing settings | Tenant default is identity-based |
| 2 | Orphaned sites | All sites have owners |
| 3 | Labels published | Users can apply labels |
| 4 | Auto-labeling | Policies active in simulation |
| 5 | Copilot exclusions | Sensitive sites excluded |
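An added validation script (not from the original page) that checks the five items above and prints a pass/fail table. It assumes the SharePoint Online Management Shell for items 1, 2 and 5 and Security & Compliance PowerShell (the ExchangeOnlineManagement module's `Connect-IPPSSession`) for items 3 and 4, and that the per-site `RestrictContentOrgWideSearch` property is readable through `Get-SPOSite`; the admin URL and the list of sensitive sites are constructed placeholders.

```powershell
# Added example, not part of the original page. Placeholders: admin URL, sensitive site URLs.
Connect-SPOService -Url "https://yourtenant-admin.sharepoint.com"   # placeholder
Connect-IPPSSession                                                   # Purview label cmdlets

$SensitiveSites = @(
    "https://yourtenant.sharepoint.com/sites/hr-sensitive"
    "https://yourtenant.sharepoint.com/sites/legal-holds"
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([int]$Id, [string]$Item, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ '#' = $Id; Item = $Item; Pass = $Pass; Detail = $Detail })
}

# 1. Tenant default is identity-based: no Anyone level, and the default link is not anonymous
$t = Get-SPOTenant
$pass1 = ($t.SharingCapability -ne 'ExternalUserAndGuestSharing') -and ($t.DefaultSharingLinkType -ne 'AnonymousAccess')
Add-Result 1 'Sharing settings' $pass1 "SharingCapability=$($t.SharingCapability); DefaultSharingLinkType=$($t.DefaultSharingLinkType)"

# 2. Every site has an owner
$orphans = Get-SPOSite -Limit All | Where-Object { [string]::IsNullOrWhiteSpace($_.Owner) }
Add-Result 2 'Orphaned sites' ($orphans.Count -eq 0) "$($orphans.Count) site(s) without an owner"

# 3. Labels published: at least one enabled label policy exists, so users can apply labels
$labelPolicies = Get-LabelPolicy | Where-Object { $_.Enabled }
Add-Result 3 'Labels published' ($labelPolicies.Count -gt 0) "$($labelPolicies.Count) enabled label policy/policies"

# 4. Auto-labeling policies are active (simulation modes count as active)
$autoPolicies = Get-AutoSensitivityLabelPolicy
$active = $autoPolicies | Where-Object { $_.Mode -ne 'Disable' }
Add-Result 4 'Auto-labeling' ($active.Count -gt 0) ("Modes: " + (($autoPolicies.Mode | Sort-Object -Unique) -join ', '))

# 5. Copilot exclusions: each sensitive site must be restricted from org-wide search and Copilot
$unrestricted = foreach ($url in $SensitiveSites) {
    $s = Get-SPOSite -Identity $url
    if (-not $s.RestrictContentOrgWideSearch) { $url }
}
Add-Result 5 'Copilot exclusions' (-not $unrestricted) ("Still discoverable: " + ($unrestricted -join ', '))

$results | Format-Table -AutoSize
```

Item 4 passes for policies in either simulation mode or enforcement, which matches the checklist's "active in simulation" criterion; tighten the `Mode` test if only enforced policies should count.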

Next Steps

With access controls and Copilot protection in place, proceed to Monitoring to enable visibility and investigation capabilities.

Continue to Monitoring →