Control 1.3: SharePoint Content Governance and Permissions

Overview

Control ID: 1.3 Control Name: SharePoint Content Governance and Permissions Regulatory Reference: GLBA 501(b), 504(b), SEC Reg S-P, FINRA 4511 Setup Time: 2-4 hours (initial configuration); ongoing management

---

Purpose

SharePoint is often the primary knowledge source for Copilot Studio agents. Proper content governance ensures agents only access authorized data and prevents inadvertent exposure of sensitive customer information. This control is critical for:

• GLBA 501(b): Safeguarding customer NPI stored in SharePoint
• SEC Reg S-P: Protecting customer records in document libraries
• FINRA 4511: Maintaining books and records with appropriate access controls
• Data Minimization: Ensuring agents access only necessary content
• Oversharing Prevention: Stopping accidental exposure through AI responses

---

Prerequisites

Primary Owner Admin Role: SharePoint Admin Supporting Roles: SharePoint Site Collection Admin

Required Licenses

• SharePoint Online (included in Microsoft 365 E3/E5)
• Microsoft 365 E5 or SharePoint Advanced Management (for enhanced controls)
• Microsoft Purview (for sensitivity labels)

Required Permissions

• SharePoint Administrator (tenant-level settings)
• Site Collection Administrator (site-level configuration)
• Purview Compliance Administrator (sensitivity labels)

Dependencies

• Control 1.5 (DLP & Sensitivity Labels): Labels must be created before applying to sites/libraries
• Control 4.1 (IAG): Information Access Governance for restricted content discovery

Pre-Setup Checklist

• [ ] Audit existing SharePoint sites with sensitive data
• [ ] Identify sites that will be agent knowledge sources
• [ ] Define sensitivity label taxonomy
• [ ] Create site templates for FSI governance
• [ ] Document external sharing requirements
• [ ] Plan access review schedule

---

Governance Levels

Baseline (Level 1)

Least-privilege SharePoint permissions; restrict external sharing; label sensitive libraries.

Recommended (Level 2-3)

Standardized site templates + sensitivity labels; periodic access reviews; restrict agent access to approved sites.

Regulated/High-Risk (Level 4)

Admin-controlled permissions with legal review; immutable retention; continuous access monitoring.

---

Setup & Configuration

Step 1: Configure Tenant-Level Sharing Settings

Portal Path: SharePoint Admin Center → Policies → Sharing

1. Navigate to SharePoint Admin Center
2. Go to Policies → Sharing
3. Configure organization-level settings:

FSI Recommended Settings:

Setting	Recommended Value	Rationale
External sharing level	Only people in your organization	Prevent accidental customer data exposure
File and folder links	Only people in your organization	No anonymous links
Allow or block sharing with specific domains	Block consumer domains (gmail.com, yahoo.com)	Prevent consumer email sharing
Guests must sign in using the same account	Enabled	Ensure accountability
Allow guests to share items they don't own	Disabled	Prevent chain sharing
Guest access expires automatically	30-90 days	Limit persistent guest access

1. Click Save

Step 2: Configure Site-Level Settings for Agent Knowledge Sources

Portal Path: SharePoint Admin Center → Sites → Active sites → [Select site]

For each SharePoint site that agents will use as a knowledge source:

1. Select the site → Click Sharing
2. Set sharing level:
3. Enterprise-managed agents: Only people in your organization
4. Team collaboration agents: New and existing guests (with approval)
5. Personal productivity agents: Site owner discretion
6. Click Permissions → Advanced permissions settings
7. Review and configure:
8. Remove Everyone and Everyone except external users groups
9. Add specific security groups with appropriate roles
10. Document all permission grants

Configure Site Settings in SharePoint:

1. Navigate to the site directly
2. Go to Site settings (gear icon → Site information → View all site settings)
3. Under Site Administration:
4. Site permissions: Verify minimal permission grants
5. Site collection features: Enable required features
6. Under Site Actions:
7. Manage site features: Enable auditing if available

Step 3: Apply Sensitivity Labels to Sites and Libraries

Portal Path: Microsoft Purview → Information protection → Labels

Apply Label at Site Level

1. In SharePoint Admin Center → Sites → Active sites
2. Select the site → Policies tab
3. Under Sensitivity, click Edit
4. Select appropriate label:
5. Confidential-FSI for customer data
6. Highly Confidential for trading/material non-public information
7. Internal for general business content
8. Click Save

Apply Label at Library Level

1. Navigate to the document library in SharePoint
2. Click Settings (gear) → Library settings
3. Under Permissions and Management:
4. Click Apply sensitivity label to items in this list or library
5. Select the appropriate default label
6. Choose whether to:
7. Apply label to existing items: Recommended for initial deployment
8. Apply label only to new items: For ongoing governance

Step 4: Create Restricted Sites for Sensitive Agent Knowledge

Portal Path: SharePoint Admin Center → Sites → Create

Create dedicated sites for agent knowledge sources:

1. Click Create → Choose Team site or Communication site
2. Configure site settings:
3. Site name: Agent-Knowledge-[AgentName] or FSI-AgentData-[Zone]
4. Privacy settings: Private
5. Language: English
6. After creation, configure:
7. External sharing: Only people in your organization
8. Apply sensitivity label: Appropriate FSI label
9. Site permissions: Only agent service accounts + content owners

Step 5: Configure Information Access Governance (IAG)

Portal Path: SharePoint Admin Center → Sites → Active sites → Restricted access control

For enterprise-managed agent knowledge sources:

1. Select the site containing sensitive data
2. Click Policies → Restricted access control
3. Enable Restrict access to this site
4. Add specific users or groups who can access
5. This creates an additional layer beyond standard permissions

Configure Restricted Content Discoverability:

1. Navigate to SharePoint Admin Center → Content services → Information access governance
2. Create a new restricted content discoverability policy
3. Define:
4. Sites/content to restrict
5. Users/groups who can discover restricted content
6. Exceptions for agents that need access

Step 6: Configure Access Reviews for Agent Knowledge Sites

Portal Path: Microsoft Entra → Identity Governance → Access Reviews

1. Navigate to Entra Admin Center → Identity Governance → Access Reviews
2. Click + New access review
3. Configure:
4. Name: Agent-Knowledge-Sites-Quarterly-Review
5. Scope: SharePoint site(s) used by agents
6. Reviewers: Site owners or designated governance team
7. Frequency: Quarterly (for enterprise-managed) or Semi-annually (team collaboration)
8. Duration: 14 days
9. Under Upon completion settings:
10. Auto-apply results: Consider for personal productivity / team collaboration
11. If reviewers don't respond: Remove access (for enterprise-managed)
12. Create the access review

Step 7: Configure PowerShell Site Governance

# SharePoint Content Governance Configuration
# Requires: SharePoint Online Management Shell

# Install module if needed
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Force

# Connect to SharePoint Online
$AdminUrl = "https://contoso-admin.sharepoint.com"
Connect-SPOService -Url $AdminUrl

# Get all sites and their sharing settings
$Sites = Get-SPOSite -Limit All
$SiteReport = $Sites | Select-Object Url, Title, Owner, SharingCapability,
    ConditionalAccessPolicy, SensitivityLabel, LockState |
    Export-Csv "C:\Governance\SharePoint-Sites-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

# Configure a site for an enterprise-managed agent knowledge source
$AgentKnowledgeSite = "https://contoso.sharepoint.com/sites/Agent-CustomerService"

Set-SPOSite -Identity $AgentKnowledgeSite `
    -SharingCapability Disabled `
    -DisableSharingForNonOwners $true `
    -DefaultLinkPermission View `
    -ConditionalAccessPolicy AllowLimitedAccess `
    -LimitedAccessFileType OfficeOnlineFilesOnly

# Apply sensitivity label to site (requires Graph API)
# Connect to Graph
Connect-MgGraph -Scopes "Sites.ReadWrite.All", "InformationProtectionPolicy.Read"

# Get the site ID
$Site = Get-MgSite -SiteId "contoso.sharepoint.com:/sites/Agent-CustomerService"

# Get available labels
$Labels = Get-MgInformationProtectionLabel
$TargetLabel = $Labels | Where-Object { $_.Name -eq "Confidential-FSI" }

# Apply label to site
# Note: Site sensitivity labels are set via site classification during creation
# or via the SharePoint Admin Center for existing sites

# Remove overly permissive groups from sites
$AgentSites = @(
    "https://contoso.sharepoint.com/sites/Agent-CustomerService",
    "https://contoso.sharepoint.com/sites/Agent-Trading",
    "https://contoso.sharepoint.com/sites/Agent-Compliance"
)

foreach ($SiteUrl in $AgentSites) {
    # Get site groups
    $Site = Get-SPOSite -Identity $SiteUrl -Detailed

    # Remove Everyone and Everyone except external users if present
    try {
        Remove-SPOUser -Site $SiteUrl -LoginName "c:0(.s|true"  # Everyone
        Write-Host "Removed 'Everyone' from $SiteUrl" -ForegroundColor Yellow
    } catch {
        Write-Host "'Everyone' not found on $SiteUrl" -ForegroundColor Gray
    }

    try {
        Remove-SPOUser -Site $SiteUrl -LoginName "c:0-.f|rolemanager|spo-grid-all-users/$($Site.Id)"
        Write-Host "Removed 'Everyone except external users' from $SiteUrl" -ForegroundColor Yellow
    } catch {
        Write-Host "'Everyone except external' not found on $SiteUrl" -ForegroundColor Gray
    }
}

# Generate permission report for agent knowledge sites
$PermissionReport = @()

foreach ($SiteUrl in $AgentSites) {
    $SiteUsers = Get-SPOUser -Site $SiteUrl -Limit All

    foreach ($User in $SiteUsers) {
        $PermissionReport += [PSCustomObject]@{
            Site = $SiteUrl
            LoginName = $User.LoginName
            DisplayName = $User.DisplayName
            IsSiteAdmin = $User.IsSiteAdmin
            Groups = ($User.Groups -join "; ")
        }
    }
}

$PermissionReport | Export-Csv "C:\Governance\AgentSites-Permissions-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Host "Permission report exported" -ForegroundColor Green

# Configure external sharing for each site
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Agent-CustomerService" `
    -SharingCapability Disabled

Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Agent-Trading" `
    -SharingCapability Disabled

# Enable auditing at tenant level
Set-SPOTenant -DisabledWebPartIds @() # Ensure web parts not blocking audit
# Note: Unified audit log is enabled via Security & Compliance Center

---

Financial Sector Considerations

Regulatory Alignment

Regulation	SharePoint Governance Requirement
GLBA 501(b)	Restrict access to sites containing customer NPI; log access
SEC Reg S-P	Privacy safeguards for customer records in document libraries
FINRA 4511	Maintain books and records with access controls; audit trail
SOX 302/404	Segregation of duties for financial document access

Zone-Specific Configuration

Zone 1 (Personal Productivity)

Site Sharing: Site owner discretion
External Sharing: Organization-wide setting
Sensitivity Labels: Recommended but not required
Access Reviews: Annual
Permissions: Standard SharePoint groups

Zone 2 (Team Collaboration)

Site Sharing: Existing guests only (with approval)
External Sharing: Specific partner domains only
Sensitivity Labels: Required - minimum "Internal"
Access Reviews: Semi-annual
Permissions: Named security groups only

Zone 3 (Enterprise Managed)

Site Sharing: Organization only (no external)
External Sharing: Disabled completely
Sensitivity Labels: Required - "Confidential-FSI" or higher
Access Reviews: Quarterly
Permissions: Named individuals + service accounts only
Additional: IAG/Restricted Content Discoverability enabled

FSI Configuration Example: Wealth Management Firm

Scenario: A wealth management firm uses Copilot Studio agents to answer client questions using portfolio documentation stored in SharePoint.

SharePoint Structure:

/sites/ClientPortfolios-WM/
├── Client-Onboarding/          [Sensitivity: Highly Confidential]
│   ├── KYC Documents/
│   ├── Account Opening Forms/
│   └── Risk Assessments/
├── Investment-Research/        [Sensitivity: Confidential-FSI]
│   ├── Analyst Reports/
│   ├── Market Data/
│   └── Model Portfolios/
├── Agent-Knowledge-Base/       [Sensitivity: Confidential-FSI]
│   ├── Product Information/
│   ├── Fee Schedules/
│   ├── FAQ Content/
│   └── Approved Disclosures/
└── Compliance-Archive/         [Sensitivity: Highly Confidential - Regulatory]
    ├── Audit Reports/
    ├── Regulatory Correspondence/
    └── Examination Materials/

Agent Configuration:

1. Client Inquiry Agent (enterprise-managed):
2. Access: /Agent-Knowledge-Base/ only
3. Permissions: Read-only via service account
4. Sensitivity: Can only return Confidential or lower content

5. Excluded: Client-Onboarding (PII), Compliance-Archive

6. Internal Research Agent (team collaboration):

7. Access: /Investment-Research/ + /Agent-Knowledge-Base/
8. Permissions: Read via analyst security group
9. Sensitivity: Can access Confidential-FSI content

Governance Measures:

• Weekly access review for Client Inquiry Agent service account
• Audit log monitoring for unusual access patterns
• Quarterly recertification of agent data source permissions
• DLP policies prevent agent from exposing SSN, account numbers in responses

---

Verification & Testing

Verification Steps

1. Confirm Tenant Sharing Settings:
2. SharePoint Admin Center → Policies → Sharing

3. EXPECTED: External sharing restricted per FSI requirements

4. Verify Site-Level Permissions:

5. Navigate to agent knowledge source site
6. Site settings → Site permissions

7. EXPECTED: Only approved groups/users; no "Everyone" groups

8. Test Agent Access Boundaries:

9. Ask agent to retrieve content from excluded site

10. EXPECTED: Agent cannot access or returns "no information found"

11. Validate Sensitivity Labels:

12. Check document library → Information panel

13. EXPECTED: All documents have appropriate sensitivity labels

14. Confirm External Sharing Blocked:

15. Attempt to share a document externally from an enterprise-managed site

16. EXPECTED: Sharing blocked with appropriate message

17. Test Access Review Notification:

18. Check that access review notifications are being sent
19. EXPECTED: Reviewers receive notification per schedule

Verification Evidence

• [ ] Screenshot: Tenant-level sharing settings
• [ ] Export: Site inventory with sharing settings (CSV)
• [ ] Screenshot: Agent knowledge site permissions
• [ ] Export: Permission audit for all agent data sources
• [ ] Screenshot: Sensitivity labels applied to libraries
• [ ] Documentation: Access review schedule and results

---

Troubleshooting & Validation

Issue: Agent Cannot Access Required Content

Symptoms: Agent returns "I don't have access to that information" for valid content

Solutions:

1. Verify agent service account is in site members group
2. Check sensitivity label on content matches agent's allowed labels
3. Confirm IAG/restricted content discoverability isn't blocking
4. Review Conditional Access policies that might block service account
5. Check if site requires MFA and service account can satisfy

Issue: Agent Accessing Content It Shouldn't

Symptoms: Agent returning sensitive information from excluded sites

Solutions:

1. Review agent knowledge source configuration in Copilot Studio
2. Verify site permissions don't include broad groups
3. Check for inheritance from parent site
4. Remove any "Everyone" or "All Users" permissions
5. Verify sensitivity labels are correctly applied and enforced

Issue: Sensitivity Labels Not Appearing on Documents

Symptoms: Documents don't show expected sensitivity labels

Solutions:

1. Verify labels are published to users in the site
2. Check if auto-labeling policies are configured
3. Confirm user has Information Protection client installed
4. Review if default library label is configured
5. For existing documents, may need to apply label retroactively

Issue: External Sharing Still Possible Despite Settings

Symptoms: Users can share externally from restricted sites

Solutions:

1. Check site-level override vs. tenant settings (site can't be more permissive)
2. Verify setting saved correctly (refresh admin center)
3. Check for PowerShell scripts that may be resetting values
4. Confirm user isn't a site collection admin (different permissions)
5. Review SharePoint feature flags for new sharing features

---

Additional Resources

• SharePoint Site Permissions
• SharePoint Sharing Settings
• Sensitivity Labels for SharePoint Sites
• SharePoint Advanced Management
• SharePoint Admin PowerShell
• Access Reviews for SharePoint

---

Related Controls

Control	Relationship
Control 1.5	Sensitivity labels for content classification
Control 4.1	IAG for advanced content restrictions
Control 4.2	Access reviews for SharePoint sites
Control 4.4	Guest access management
Control 1.14	Data minimization for agent scope

---

Support & Questions

For implementation support or questions about this control, contact:

• SharePoint Administrator: Site configuration and permissions
• Information Protection Team: Sensitivity labels and DLP
• Compliance Officer: Regulatory requirements and evidence
• AI Governance Lead: Agent data source approval

---

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification