Control 1.6: Permission Model Audit (SharePoint, OneDrive, Exchange, Teams, Graph)
Control ID: 1.6
Pillar: Readiness & Assessment
Regulatory Reference: GLBA 501(b), SOX 302/404, FFIEC IT Examination Handbook (Access Control), SEC Regulation S-P
Last Verified: 2026-02-17
Governance Levels: Baseline / Recommended / Regulated
Objective
Conduct a comprehensive audit of user permissions across all Microsoft 365 workloads that Copilot accesses via Microsoft Graph -- including SharePoint Online, OneDrive for Business, Exchange Online, Microsoft Teams, and Graph API permissions -- to identify and remediate permission sprawl, overly broad access, and stale permissions before Copilot deployment. This control supports compliance with the principle of least privilege required by financial regulators and helps prevent Copilot from surfacing content that users have access to but should not.
Why This Matters for FSI
- GLBA 501(b): Requires administrative, technical, and physical safeguards proportional to the sensitivity of customer information. Permission audits are a foundational technical safeguard that takes on heightened importance when AI tools amplify the effective scope of each user's access.
- SOX 302/404: Internal control assessments must evaluate whether access to financial systems and data is appropriately restricted. Copilot's ability to surface content across all accessible workloads means permission gaps can directly undermine financial reporting controls.
- FFIEC IT Examination Handbook (Access Control): Expects implementation of least privilege, separation of duties, and periodic access reviews. Copilot deployment is a trigger event for conducting comprehensive access reviews.
- SEC Regulation S-P: Permission controls that restrict access to consumer financial information support privacy safeguards. Copilot amplifies the impact of any permission gaps on consumer data protection.
- FINRA Rule 3110: Supervisory systems must account for information access patterns. Copilot changes how users discover information, making permission accuracy critical for maintaining supervisory boundaries.
Control Description
The EEEU Remediation Priority
The single highest-impact remediation for Copilot readiness is addressing Everyone and Everyone Except External Users (EEEU) permissions. These broad group memberships are the #1 source of oversharing that Copilot can exploit.
| Permission Group | Risk Level | Scope | Remediation Priority |
|---|---|---|---|
| Everyone | Critical | Includes all users, including external guests | Immediate -- remove from all sites containing sensitive data |
| Everyone Except External Users (EEEU) | Critical | Includes all internal users | Immediate -- replace with specific security groups |
| All Employees (custom group) | High | Typically all FTEs, may exclude contractors | High -- review membership, scope to relevant populations |
| Large distribution lists (>500 members) | High | Broad internal populations | High -- replace with targeted security groups |
| Org-wide Teams | Medium | All members of the organization | Medium -- review associated SharePoint site permissions |
Multi-Workload Permission Audit Scope
Copilot accesses content through Microsoft Graph, which provides unified access across workloads. A comprehensive permission audit must cover all workloads:
SharePoint Online
| Audit Area | What to Review | Tool |
|---|---|---|
| Site collection permissions | Site members, owners, visitors groups | SharePoint Admin Center, PowerShell |
| Sharing links | Anonymous, company-wide, specific-people links | SharePoint DAG reports |
| Library-level permissions | Broken inheritance, unique permissions | PowerShell (PnP) |
| Hub site associations | Inherited permissions from hub sites | SharePoint Admin Center |
| Guest access | External users with access to internal sites | Entra ID external collaboration settings |
OneDrive for Business
| Audit Area | What to Review | Tool |
|---|---|---|
| Shared folders | Folders shared with broad audiences | OneDrive admin reports |
| Sharing links | Active sharing links per user | PowerShell (Graph API) |
| Default sharing scope | Tenant and user-level sharing defaults | SharePoint Admin Center |
| Shared with me | Content shared to users that may be surfaced by Copilot | Per-user review |
Exchange Online
| Audit Area | What to Review | Tool |
|---|---|---|
| Mailbox delegation | Full Access, Send As, Send on Behalf permissions | Exchange Admin Center, PowerShell |
| Shared mailboxes | Membership and access scope | Exchange Admin Center |
| Public folders | Access permissions on public folder hierarchy | Exchange PowerShell |
| Calendar sharing | Calendar delegation and sharing settings | Exchange Admin Center |
| Auto-forwarding rules | Rules that redirect mail to broad audiences | PowerShell transport rule audit |
Microsoft Teams
| Audit Area | What to Review | Tool |
|---|---|---|
| Team membership | Teams with overly broad membership | Teams Admin Center |
| Private vs. public channels | Public channels accessible to all team members | Teams Admin Center |
| Shared channels | Cross-organization channel sharing | Teams Admin Center |
| Guest access | External users in Teams | Entra ID, Teams Admin Center |
| Associated SharePoint site | Permissions on Teams-linked SharePoint site | SharePoint Admin Center |
Microsoft Graph API Permissions
| Audit Area | What to Review | Tool |
|---|---|---|
| Application permissions | Apps with broad Graph API permissions (e.g., Sites.Read.All) | Entra ID > App registrations |
| Delegated permissions | User-consented Graph API permissions | Entra ID > Enterprise applications |
| Service principals | Service accounts with Graph API access | Entra ID |
| Admin consent grants | Org-wide consent grants for Graph API scopes | Entra ID > Enterprise applications > Permissions |
Permission Audit Workflow
1. INVENTORY: Export current permissions across all workloads
2. ANALYZE: Identify broad access, stale permissions, excessive delegation
3. CLASSIFY: Categorize findings by risk level (Critical/High/Medium/Low)
4. PRIORITIZE: EEEU remediation first, then by data sensitivity
5. REMEDIATE: Remove/replace broad permissions with targeted access
6. VERIFY: Re-audit to confirm remediation effectiveness
7. ESTABLISH CADENCE: Set recurring audit schedule
Permission Sprawl Indicators
| Indicator | What It Reveals | Threshold for Concern |
|---|---|---|
| Average sites per user | How many SharePoint sites each user can access | >50 sites for non-admin users |
| EEEU membership count | How many sites have EEEU as a member | >0 for sites with sensitive data |
| Stale permissions | Users with access to sites they have not visited in 12+ months | >30% of site membership |
| Orphaned groups | Security groups with no active members used in permissions | Any presence |
| Cross-department access | Users with access to sites outside their department | Review for least privilege alignment |
RBAC Roles for DSPM for AI Governance
Microsoft Purview DSPM for AI introduces dedicated roles that enable least-privilege access to AI governance data. These roles are in addition to existing SharePoint and Exchange administrative roles and should be assigned as part of the Copilot permission model configuration. Assigning these roles supports separation of duties between general IT administration and AI compliance oversight, aligning with FFIEC IT Examination Handbook expectations for role-based access control.
| Role | Description | Use Case |
|---|---|---|
| Purview Data Security AI Viewer | Read-only access to DSPM for AI dashboards, activity reports, and AI observability metrics. Does not expose prompt or response content. | DSPM monitoring, compliance reporting |
| Purview Data Security AI Content Viewer | Extends AI Viewer with the ability to view actual prompt and response content in DSPM. Combines AI Viewer with Content Explorer Content Viewer permissions. | Compliance investigation, DLP match review |
| AI Administrator (Microsoft Entra role) | Full management of Copilot DLP policies in the Microsoft 365 Admin Center; scoped authorizations for Copilot, agents, and AI services. Separate from Purview Compliance Administrator -- grants AI governance authority without full Purview admin rights. | Copilot policy governance, AI service authorization |
Role assignment paths:
- Purview Data Security AI Viewer and Purview Data Security AI Content Viewer: Assigned via Microsoft Purview portal > Settings > Roles and scopes > Role groups
- AI Administrator: Assigned via Microsoft Entra admin center > Roles and administrators > AI Administrator
These roles follow the least-privilege principle: assign AI Viewer to any compliance team member who monitors AI activity, AI Content Viewer only to personnel authorized to review prompt and response content for investigation purposes, and AI Administrator only to the Copilot governance lead responsible for policy configuration.
Copilot Surface Coverage
| Copilot Surface | Permission Audit Relevance | Why |
|---|---|---|
| Microsoft 365 Copilot Chat | Critical | Queries all workloads via Graph -- every permission gap is exploitable |
| SharePoint Copilot | Critical | Directly queries SharePoint site permissions |
| Teams Copilot | High | Accesses Teams channel content and linked SharePoint files |
| Outlook Copilot | High | Accesses mailbox content including delegated mailboxes |
| Word / Excel / PowerPoint | High | References files from SharePoint and OneDrive based on permissions |
| OneDrive Copilot | Medium | Limited to personal OneDrive and explicitly shared content |
| Copilot Pages | High | Can reference content from any workload the user can access |
| Loop Copilot | Medium | Accesses Loop content and referenced SharePoint files |
| Viva Copilot | Medium | Accesses organizational data based on user permissions |
Governance Levels
| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Audit SharePoint site permissions for EEEU and "Everyone" access. Review top 20 sites with broadest access. Remediate EEEU access on sites containing sensitive information types. Document audit findings and remediation actions. Assign Purview Data Security AI Viewer role to compliance team members monitoring DSPM for AI. | Addresses the most critical permission sprawl vector (EEEU) that creates the broadest Copilot oversharing risk. AI Viewer role enables monitoring without exposing prompt content. |
| Recommended | All Baseline requirements plus: extend audit to OneDrive sharing, Teams membership, and Exchange delegation. Remediate all EEEU access on all sites. Review and reduce large group memberships (>500 members). Implement quarterly permission audit cadence. Assign Purview Data Security AI Content Viewer to investigation team members authorized to review prompt content. Assign AI Administrator role to the Copilot governance lead. Document audit process and establish ownership for ongoing permission governance. | Provides comprehensive multi-workload permission audit with ongoing governance cadence and properly scoped DSPM roles for AI governance oversight. |
| Regulated | All Recommended requirements plus: include Graph API permissions in audit scope. Conduct formal access certification with business owners for all sites containing regulated data. Implement automated permission monitoring and alerting. Establish a formal role assignment policy for all AI-prefixed Purview roles with quarterly access review for AI Viewer, AI Content Viewer, and AI Administrator assignments. Engage internal audit for independent validation of permission audit results. Maintain audit trail for regulatory examination. Establish monthly audit cadence for high-sensitivity sites. | Examination-ready permission governance with independent validation, automated monitoring, comprehensive documentation, and formalized governance of AI-specific administrative roles. |
Setup & Configuration
Step 1: Generate SharePoint Permission Reports
Navigate to SharePoint Admin Center > Data access governance to generate:
- Sites shared with "Everyone" or "Everyone Except External Users"
- Sites with company-wide sharing links
- Sites with the most sharing activity
Step 2: Export Detailed Permissions via PowerShell
Use SharePoint Online Management Shell and PnP PowerShell for detailed exports:
```powershell
# Key audit commands (see Playbook 1.6.2 for full scripts):
Get-SPOSite -Limit All        # Get site collections
Get-SPOSiteGroup              # Get site-level permission groups
Get-PnPSiteCollectionAdmin    # Get site collection administrators
Get-SPOSiteUserInvitations    # Get sharing invitations
```
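The EEEU inventory from Step 2, carried through the INVENTORY, ANALYZE and CLASSIFY stages of the workflow, as an added example that is not part of Playbook 1.6.2. It assumes the SharePoint Online Management Shell, a SharePoint administrator account, and a placeholder admin URL; the two claim-encoded login names are the well-known identifiers SharePoint uses for "Everyone" and "Everyone Except External Users".

```powershell
# Added example (not from the playbooks): find site groups that contain "Everyone" or
# EEEU on every site collection and write a classified findings CSV.
Connect-SPOService -Url 'https://TENANT-admin.sharepoint.com'   # placeholder tenant admin URL

# Claim-encoded login names SharePoint assigns to the two broad principals.
$everyoneClaim = 'c:0(.s|true'                               # Everyone (includes external users)
$eeeuPrefix    = 'c:0-.f|rolemanager|spo-grid-all-users/'    # EEEU, followed by the tenant id

function Get-BroadAccessFindings {
  param([Parameter(Mandatory)][object[]]$Sites)
  foreach ($site in $Sites) {
    foreach ($group in Get-SPOSiteGroup -Site $site.Url) {
      foreach ($login in $group.Users) {
        $principal = $null
        if ($login -eq $everyoneClaim)          { $principal = 'Everyone' }
        elseif ($login.StartsWith($eeeuPrefix)) { $principal = 'EEEU' }
        if (-not $principal) { continue }

        # Both principals are Critical per the control table; the remediation text differs.
        $remediation = 'Replace with specific security groups'
        if ($principal -eq 'Everyone') { $remediation = 'Remove from site; replace with specific security groups' }

        [pscustomobject]@{
          SiteUrl     = $site.Url
          Template    = $site.Template
          Group       = $group.Title
          Roles       = ($group.Roles -join ';')   # e.g. Full Control, Edit, Read
          Principal   = $principal
          RiskLevel   = 'Critical'
          Remediation = $remediation
        }
      }
    }
  }
}

# Get-SPOSite -Limit All excludes personal (OneDrive) sites; Step 3 of the audit scope covers those.
$findings = @(Get-BroadAccessFindings -Sites (Get-SPOSite -Limit All))
$findings | Sort-Object SiteUrl | Export-Csv -Path '.\1.6-eeeu-findings.csv' -NoTypeInformation
'{0} broad-access entries across {1} sites' -f $findings.Count, @($findings.SiteUrl | Select-Object -Unique).Count
```

Get-SPOSiteGroup only reports SharePoint group membership, so EEEU granted directly on a library with broken inheritance will not appear here; the Data access governance reports from Step 1 and PnP PowerShell cover those cases.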
Step 3: Audit Exchange Permissions
Use Exchange Online PowerShell for mailbox permission audit:
```powershell
# Key audit commands (see Playbook 1.6.3):
Get-MailboxPermission         # Full Access delegation
Get-RecipientPermission       # Send As permissions
Get-MailboxFolderPermission   # Folder-level permissions
```
Step 4: Audit Teams Membership
Use Teams Admin Center and PowerShell for membership audit:
```powershell
# Key audit commands (see Playbook 1.6.3):
Get-Team                      # List all Teams
Get-TeamUser -GroupId <id>    # Get team membership
# Review public vs. private channel configuration
```
Step 5: Audit Graph API Permissions
Navigate to Microsoft Entra admin center > Applications > App registrations and review:
- Applications with Sites.Read.All or Sites.ReadWrite.All permissions
- Applications with Mail.Read or Mail.ReadWrite permissions
- Admin consent grants that provide organization-wide access
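The application-permission review from Step 5 expressed as a query, as an added example that is not part of the playbooks. It assumes the Microsoft.Graph PowerShell SDK and a caller consented for Application.Read.All; the risk ratings assigned to each scope are an assumption that follows the control's read-versus-write distinction.

```powershell
# Added example (not from the playbooks): list every application permission (admin-consented
# app role) granted on Microsoft Graph and flag the broad scopes named in Step 5.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of the Microsoft Graph resource
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Map app-role GUIDs on the Graph service principal to their scope names (e.g. Sites.Read.All).
$scopeById = @{}
foreach ($role in $graphSp.AppRoles) { $scopeById[$role.Id] = $role.Value }

# Scopes the control treats as broad; write/full-control variants rated above read (assumed ratings).
$broadScopes = @{
  'Sites.Read.All' = 'High'; 'Sites.ReadWrite.All' = 'Critical'; 'Sites.FullControl.All' = 'Critical'
  'Files.Read.All' = 'High'; 'Files.ReadWrite.All' = 'Critical'
  'Mail.Read'      = 'High'; 'Mail.ReadWrite'      = 'Critical'
}

function Get-BroadGraphGrants {
  # Each app-role assignment whose resource is Graph is one tenant-wide application permission.
  $grants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All
  foreach ($g in $grants) {
    $scope = $scopeById[$g.AppRoleId]
    if (-not $scope -or -not $broadScopes.ContainsKey($scope)) { continue }
    [pscustomobject]@{
      PrincipalDisplayName = $g.PrincipalDisplayName   # the app / service principal holding the grant
      PrincipalId          = $g.PrincipalId
      Scope                = $scope
      RiskLevel            = $broadScopes[$scope]
      GrantedOn            = $g.CreatedDateTime
    }
  }
}

$findings = Get-BroadGraphGrants | Sort-Object RiskLevel, PrincipalDisplayName
$findings | Export-Csv -Path '.\1.6-graph-app-permissions.csv' -NoTypeInformation
$findings | Format-Table -AutoSize
```

Delegated scopes consented for the whole organization are recorded separately as OAuth2 permission grants (Get-MgOauth2PermissionGrant with ConsentType AllPrincipals) and need their own pass.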
Step 6: Assign DSPM for AI Roles
Navigate to Microsoft Purview portal > Settings > Roles and scopes > Role groups and assign:
- Purview Data Security AI Viewer: Compliance team members responsible for AI activity monitoring
- Purview Data Security AI Content Viewer: Investigation team members authorized for prompt/response review
Navigate to Microsoft Entra admin center > Roles and administrators > AI Administrator and assign:
- AI Administrator: Copilot governance lead responsible for DLP policy management and AI service authorization
Step 7: Remediate and Document
For each finding:
1. Assign remediation owner (site owner or team admin)
2. Define target state (replace EEEU with specific security groups)
3. Execute remediation
4. Verify through re-audit
5. Document action, date, and verification
Financial Sector Considerations
- Separation of Duties: Financial institutions must maintain separation of duties between front office (trading, sales), middle office (risk, compliance), and back office (operations, settlement). Permission audit should verify these boundaries are maintained across M365 workloads and will be respected by Copilot. The AI Administrator and AI Content Viewer roles should not be held by the same person.
- Information Barriers: Broker-dealers and investment banks with information barrier requirements should cross-reference permission audit findings with information barrier policies to identify potential gaps that Copilot could exploit.
- Client Data Segregation: Wealth management and advisory firms must ensure client data is not accessible across advisor boundaries. Permission audit should verify that Copilot cannot surface one client's data to another client's advisor.
- Regulatory Access: Regulators and examiners may have guest access to specific SharePoint sites. Ensure these permissions are scoped appropriately and that regulatory examination materials are not surfaced by Copilot to non-examination personnel.
- Terminated Employee Access: Financial institutions must promptly revoke access for terminated employees. Permission audit should verify that no stale access exists for former employees, as Copilot would inherit these permissions.
- Contractor and Vendor Access: Third-party personnel (auditors, consultants, technology vendors) often have broad access that accumulates over engagement lifecycles. Audit and scope these permissions before Copilot deployment.
Verification Criteria
- SharePoint site permissions have been audited for EEEU and "Everyone" access across all in-scope sites
- All EEEU permissions on sites containing sensitive data have been remediated (replaced with specific security groups)
- OneDrive sharing configuration has been reviewed and overly broad sharing links addressed (Recommended and Regulated levels)
- Exchange mailbox delegation permissions have been audited for appropriateness (Recommended and Regulated levels)
- Teams membership has been reviewed for overly broad access patterns (Recommended and Regulated levels)
- Graph API permissions for applications and service principals have been audited (Regulated level)
- Purview Data Security AI Viewer role assigned to compliance team (Baseline and above)
- Purview Data Security AI Content Viewer role assigned to investigation team with documented authorization (Recommended and Regulated levels)
- AI Administrator role assigned to Copilot governance lead (Recommended and Regulated levels)
- Formal role assignment policy established for all AI-prefixed roles with quarterly access review (Regulated level)
- Permission audit findings are documented with risk classifications and remediation actions
- Remediation actions are verified through re-audit with documentation of before/after states
- Recurring permission audit cadence is established (quarterly / monthly for high-sensitivity per governance level)
- Permission audit reports and remediation logs are retained and accessible for regulatory examination
Additional Resources
- Microsoft Learn: SharePoint site permissions management
- Microsoft Learn: Sharing and permissions in SharePoint
- Microsoft Learn: DSPM for AI permissions
- Microsoft Learn: Mailbox permissions in Exchange Online
- Microsoft Learn: Manage Teams settings
- Microsoft Learn: Microsoft Graph permissions reference
- FFIEC IT Handbook - Access Control
- Related Controls: 1.1 Copilot Readiness Assessment, 1.2 SharePoint Oversharing Detection, 1.7 SharePoint Advanced Management, 3.1 Copilot Audit Logging, 4.1 Admin Settings & Feature Management
- Playbooks: Playbook 1.6.1 (SharePoint Permission Audit Walkthrough), Playbook 1.6.2 (PowerShell Permission Export Scripts), Playbook 1.6.3 (Exchange and Teams Audit Procedures), Playbook 1.6.4 (EEEU Remediation Guide)
FSI Copilot Governance Framework v1.2.1 - March 2026