
Control 1.6: Permission Model Audit (SharePoint, OneDrive, Exchange, Teams, Graph)

Control ID: 1.6
Pillar: Readiness & Assessment
Regulatory Reference: GLBA §501(b), Sarbanes-Oxley §§302/404 (where applicable to ICFR), FFIEC IT Examination Handbook (Access Control), SEC Regulation S-P
Last Verified: 2026-06-07
Governance Levels: Baseline / Recommended / Regulated


Objective

Conduct a comprehensive audit of user permissions across all Microsoft 365 workloads that Copilot accesses via Microsoft Graph -- including SharePoint Online, OneDrive for Business, Exchange Online, Microsoft Teams, and Graph API permissions -- to identify and remediate permission sprawl, overly broad access, and stale permissions before Copilot deployment. This control supports compliance with the principle of least privilege required by financial regulators and helps prevent Copilot from surfacing content that users can technically access but should not be able to.


Why This Matters for FSI

  • GLBA §501(b): Requires administrative, technical, and physical safeguards proportional to the sensitivity of customer information. Permission audits are a foundational technical safeguard that takes on heightened importance when AI tools amplify the effective scope of each user's access.
  • Sarbanes-Oxley §§302/404 (where applicable to ICFR): Internal control assessments must evaluate whether access to financial systems and data is appropriately restricted. Copilot's ability to surface content across all accessible workloads means permission gaps can directly undermine financial reporting controls.
  • FFIEC IT Examination Handbook (Access Control): Expects implementation of least privilege, separation of duties, and periodic access reviews. Copilot deployment is a trigger event for conducting comprehensive access reviews.
  • SEC Regulation S-P: Permission controls that restrict access to consumer financial information support privacy safeguards. Copilot amplifies the impact of any permission gaps on consumer data protection.
  • FINRA Rule 3110 (supervisory systems and WSPs): Supervisory systems and written supervisory procedures must account for information access patterns. Copilot changes how users discover information, making permission accuracy relevant to maintaining supervisory controls.

Control Description

The EEEU Remediation Priority

The single highest-impact remediation for Copilot readiness is addressing Everyone and Everyone Except External Users (EEEU) permissions. These broad group memberships are the #1 source of oversharing that Copilot can exploit.

| Permission Group | Risk Level | Scope | Remediation Priority |
|---|---|---|---|
| Everyone | Critical | Includes all users, including external guests | Immediate -- remove from all sites containing sensitive data |
| Everyone Except External Users (EEEU) | Critical | Includes all internal users | Immediate -- replace with specific security groups |
| All Employees (custom group) | High | Typically all FTEs, may exclude contractors | High -- review membership, scope to relevant populations |
| Large distribution lists (>500 members) | High | Broad internal populations | High -- replace with targeted security groups |
| Org-wide Teams | Medium | All members of the organization | Medium -- review associated SharePoint site permissions |

Note: The group size threshold for review varies by governance level: >500 members (Baseline), >100 members (Recommended), >50 members (Regulated). The table above uses the Baseline threshold; adjust scripts and reviews to your governance tier.
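The detection side of this table, as an added example (not a script from the framework or its PowerShell Setup playbook): it walks SharePoint site groups looking for the Everyone and EEEU claims, then checks Entra ID group sizes against the threshold for the chosen governance level. It assumes the SharePoint Online Management Shell and Microsoft.Graph modules with existing Connect-SPOService and Connect-MgGraph sessions; the function and output file names are this example's own.

```powershell
# Added example, not the framework's own script. Assumes Connect-SPOService and
# Connect-MgGraph (Group.Read.All, read-only) sessions already exist.

# Group-size review thresholds from the note above, keyed by governance level.
$GroupSizeThreshold = @{ Baseline = 500; Recommended = 100; Regulated = 50 }

# Well-known SharePoint claims: "Everyone" is c:0(.s|true and EEEU is
# c:0-.f|rolemanager|spo-grid-all-users/<tenant-id>. Matching the prefix avoids
# hard-coding the tenant ID.
function Get-BroadPrincipalType {
    param([Parameter(Mandatory)][string]$LoginName)
    if ($LoginName -eq 'c:0(.s|true') { return 'Everyone' }
    if ($LoginName -like 'c:0-.f|rolemanager|spo-grid-all-users/*') { return 'EEEU' }
    return $null
}

function Get-BroadAccessFindings {
    param(
        [Parameter(Mandatory)][string[]]$SiteUrls,
        [ValidateSet('Baseline', 'Recommended', 'Regulated')][string]$GovernanceLevel = 'Baseline'
    )
    $threshold = $GroupSizeThreshold[$GovernanceLevel]

    # 1. Everyone / EEEU sitting in any site group (Owners, Members, Visitors, custom)
    foreach ($url in $SiteUrls) {
        foreach ($group in Get-SPOSiteGroup -Site $url) {
            foreach ($member in $group.Users) {
                $type = Get-BroadPrincipalType -LoginName $member
                if ($type) {
                    [pscustomobject]@{
                        SiteUrl     = $url
                        SiteGroup   = $group.Title
                        Principal   = $member
                        Finding     = $type
                        RiskLevel   = 'Critical'
                        Remediation = 'Replace with specific security groups'
                    }
                }
            }
        }
    }

    # 2. Entra ID groups (security groups and distribution lists) above the tier threshold
    foreach ($g in Get-MgGroup -All) {
        $count = (Get-MgGroupMember -GroupId $g.Id -All | Measure-Object).Count
        if ($count -gt $threshold) {
            [pscustomobject]@{
                SiteUrl     = ''
                SiteGroup   = $g.DisplayName
                Principal   = $g.Id
                Finding     = "Large group ($count members > $threshold)"
                RiskLevel   = 'High'
                Remediation = 'Replace with targeted security groups'
            }
        }
    }
}

# Usage: enumerate every site collection and export findings for the Recommended tier.
$sites = (Get-SPOSite -Limit All).Url
Get-BroadAccessFindings -SiteUrls $sites -GovernanceLevel 'Recommended' |
    Export-Csv -Path .\broad-access-findings.csv -NoTypeInformation
```

The export keeps the exact login name of the broad principal, which is what a later removal step needs; the group-size pass is deliberately separate so the Critical EEEU findings are never buried under High-severity group findings.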

Multi-Workload Permission Audit Scope

Copilot accesses content through Microsoft Graph, which provides unified access across workloads. A comprehensive permission audit must cover all workloads:

SharePoint Online

| Audit Area | What to Review | Tool |
|---|---|---|
| Site collection permissions | Site members, owners, visitors groups | SharePoint admin center, PowerShell |
| Sharing links | Anonymous, company-wide, specific-people links | SharePoint DAG reports |
| Library-level permissions | Broken inheritance, unique permissions | PowerShell (PnP) |
| Hub site associations | Navigation and branding scope (hub association does not grant permissions) | SharePoint admin center |
| Guest access | External users with access to internal sites | Entra ID external collaboration settings |

OneDrive for Business

| Audit Area | What to Review | Tool |
|---|---|---|
| Shared folders | Folders shared with broad audiences | OneDrive admin reports |
| Sharing links | Active sharing links per user | PowerShell (Graph API) |
| Default sharing scope | Tenant and user-level sharing defaults | SharePoint admin center |
| Shared with me | Content shared to users that may be surfaced by Copilot | Per-user review |

Exchange Online

| Audit Area | What to Review | Tool |
|---|---|---|
| Mailbox delegation | Full Access, Send As, Send on Behalf permissions | Exchange admin center, PowerShell |
| Shared mailboxes | Membership and access scope | Exchange admin center |
| Public folders | Access permissions on public folder hierarchy | Exchange PowerShell |
| Calendar sharing | Calendar delegation and sharing settings | Exchange admin center |
| Auto-forwarding rules | Rules that redirect mail to broad audiences | PowerShell transport rule audit |

Microsoft Teams

| Audit Area | What to Review | Tool |
|---|---|---|
| Team membership | Teams with overly broad membership | Teams admin center |
| Private vs. public channels | Public channels accessible to all team members | Teams admin center |
| Shared channels | Cross-organization channel sharing | Teams admin center |
| Guest access | External users in Teams | Entra ID, Teams admin center |
| Associated SharePoint site | Permissions on Teams-linked SharePoint site | SharePoint admin center |

Microsoft Graph API Permissions

| Audit Area | What to Review | Tool |
|---|---|---|
| Application permissions | Apps with broad Graph API permissions (e.g., Sites.Read.All) | Entra ID > App registrations |
| Delegated permissions | User-consented Graph API permissions | Entra ID > Enterprise applications |
| Service principals | Service accounts with Graph API access | Entra ID |
| Admin consent grants | Org-wide consent grants for Graph API scopes | Entra ID > Enterprise applications > Permissions |

Permission Audit Workflow

1. INVENTORY: Export current permissions across all workloads
       |
2. ANALYZE: Identify broad access, stale permissions, excessive delegation
       |
3. CLASSIFY: Categorize findings by risk level (Critical/High/Medium/Low)
       |
4. PRIORITIZE: EEEU remediation first, then by data sensitivity
       |
5. REMEDIATE: Remove/replace broad permissions with targeted access
       |
6. VERIFY: Re-audit to confirm remediation effectiveness
       |
7. ESTABLISH CADENCE: Set recurring audit schedule

Permission Sprawl Indicators

| Indicator | What It Reveals | Threshold for Concern |
|---|---|---|
| Average sites per user | How many SharePoint sites each user can access | >50 sites for non-admin users |
| EEEU membership count | How many sites have EEEU as a member | >0 for sites with sensitive data |
| Stale permissions | Users with access to sites they have not visited in 12+ months | >30% of site membership |
| Orphaned groups | Security groups with no active members used in permissions | Any presence |
| Cross-department access | Users with access to sites outside their department | Review for least privilege alignment |

User-Centric Permission Exposure Review

In addition to site-level and resource-level permission audits, organizations should conduct user-centric permission exposure reviews that assess each user's aggregate access footprint — the total set of content Copilot can search on that user's behalf:

| Review Dimension | What to Assess | Copilot Risk |
|---|---|---|
| Per-user site access breadth | Total number of SharePoint sites each user can access (directly or via group membership) | Users with access to hundreds of sites give Copilot an extremely broad grounding scope -- any oversharing on any site is exploitable |
| Cross-department access accumulation | Users who have accumulated access to sites outside their current department through role changes, project assignments, or ad-hoc sharing | Copilot can synthesize information across departments, potentially surfacing information that conflicts with information barrier intent |
| Permission exposure delta | Difference between a user's intended access (based on role/department) and actual access (all sites accessible) | Large deltas indicate permission sprawl that should be remediated before or during Copilot deployment |
| High-sensitivity access concentration | Users who have access to multiple sites containing NPI, MNPI, or Highly Confidential content | Copilot queries from these users have the highest risk of surfacing regulated content in inappropriate contexts |

Assessment approach:

  1. Use the DAG "Site permissions for users" report (Control 1.7) to export per-user site access breadth
  2. Cross-reference with HR department data to identify cross-department access accumulation
  3. Prioritize review of users with access to ≥100 sites or access to ≥3 departments outside their own
  4. For Regulated-tier governance, conduct formal permission exposure reviews for all users in high-risk roles (traders, wealth advisors, compliance staff, executive assistants)
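The metrics behind the Permission Sprawl Indicators table and this user-centric review, computed in one place, as an added example that is not part of the framework. It assumes an access list with one row per (user, site) carrying the site's owning department and the user's last visit, as you would get by joining the DAG "Site permissions for users" export to site metadata and usage reports, plus a user-to-department map from your HR system. All rows, names and URLs below are constructed sample data; the thresholds are the ones stated in this control.

```powershell
# Added example, not the framework's script. Input shape and HR map are assumptions;
# the rows below are constructed for illustration.

$AccessRows = @(
    [pscustomobject]@{ User='ava@example.com'; SiteUrl='https://contoso.sharepoint.com/sites/trading-desk';    SiteDepartment='Trading';    LastVisited=(Get-Date).AddDays(-7) }
    [pscustomobject]@{ User='ava@example.com'; SiteUrl='https://contoso.sharepoint.com/sites/trading-archive'; SiteDepartment='Trading';    LastVisited=(Get-Date).AddMonths(-20) }
    [pscustomobject]@{ User='ben@example.com'; SiteUrl='https://contoso.sharepoint.com/sites/trading-desk';    SiteDepartment='Trading';    LastVisited=(Get-Date).AddMonths(-14) }
    [pscustomobject]@{ User='ben@example.com'; SiteUrl='https://contoso.sharepoint.com/sites/wealth-clients';  SiteDepartment='Wealth';     LastVisited=(Get-Date).AddDays(-3) }
    [pscustomobject]@{ User='ben@example.com'; SiteUrl='https://contoso.sharepoint.com/sites/settlements';     SiteDepartment='Operations'; LastVisited=(Get-Date).AddDays(-30) }
    [pscustomobject]@{ User='ben@example.com'; SiteUrl='https://contoso.sharepoint.com/sites/compliance';      SiteDepartment='Compliance'; LastVisited=(Get-Date).AddDays(-1) }
)
# Constructed HR map: user -> current department (intended access scope)
$HrDepartment = @{ 'ava@example.com' = 'Trading'; 'ben@example.com' = 'Compliance' }

function Get-UserExposure {
    param(
        [Parameter(Mandatory)][object[]]$AccessRows,
        [Parameter(Mandatory)][hashtable]$HrDepartment,
        [int]$SiteBreadthThreshold       = 100,  # review users with access to >=100 sites
        [int]$ForeignDepartmentThreshold = 3,    # or to >=3 departments outside their own
        [int]$StaleMonths                = 12,   # sprawl indicator: not visited in 12+ months
        [int]$StalePercentThreshold      = 30    # sprawl indicator: >30% of a user's sites stale
    )
    $staleCutoff = (Get-Date).AddMonths(-$StaleMonths)
    foreach ($grp in ($AccessRows | Group-Object User)) {
        $user     = $grp.Name
        $own      = $HrDepartment[$user]
        $sites    = @($grp.Group | Sort-Object SiteUrl -Unique)   # direct + group-derived access, de-duplicated
        $outside  = @($sites | Where-Object { $_.SiteDepartment -ne $own })
        $foreign  = @($outside | Select-Object -ExpandProperty SiteDepartment -Unique)
        $stale    = @($sites | Where-Object { $_.LastVisited -lt $staleCutoff })
        $stalePct = [math]::Round(100 * $stale.Count / [math]::Max(1, $sites.Count))
        [pscustomobject]@{
            User               = $user
            Department         = $own
            SiteBreadth        = $sites.Count
            ForeignDepartments = $foreign.Count
            ExposureDelta      = $outside.Count   # approximation: intended scope = the user's own department's sites
            StaleSitePercent   = $stalePct
            StaleFlag          = ($stalePct -gt $StalePercentThreshold)
            ReviewRequired     = ($sites.Count -ge $SiteBreadthThreshold) -or ($foreign.Count -ge $ForeignDepartmentThreshold)
        }
    }
}

# Usage with the constructed rows: ben (Compliance) holds access in 3 other departments -> ReviewRequired;
# ava has 50% stale sites -> StaleFlag. Pipe to Export-Csv for the audit record.
Get-UserExposure -AccessRows $AccessRows -HrDepartment $HrDepartment | Format-Table -AutoSize
```

The exposure delta here is a deliberate simplification (sites outside the user's own department); where role profiles define intended access more precisely, substitute that set for the department comparison and keep the rest of the function unchanged.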

RBAC Roles for Data Security Posture Management Governance

The current Microsoft Purview Data Security Posture Management (DSPM) model uses broader DSPM role groups plus AI-specific roles. These roles are in addition to existing SharePoint and Exchange administrative roles and should be assigned as part of the Copilot permission model configuration. Assigning these roles supports separation of duties between general IT administration and AI compliance oversight, aligning with FFIEC IT Examination Handbook expectations for role-based access control.

| Role or role group | Description | Use Case |
|---|---|---|
| Purview Compliance Admin / Data Security Management | Manage current DSPM and Microsoft Purview data security solutions, including DLP, information protection, insider risk, and posture insights. Use the least-privileged role group that matches the task. | DSPM configuration, remediation workflow ownership |
| Data Security Viewers role group / Data Security Viewer role | View current DSPM dashboard insights and use Security Copilot to view detailed data security posture information. | Executive reporting, posture monitoring |
| Microsoft Purview Security Reader role group | View-only access across supported DSPM pages without edit permissions. | Compliance reporting, audit evidence review |
| Purview Data Security AI Viewer | Read-only access to AI-related data security information in current DSPM and DSPM for AI (classic). Does not expose prompt or response content. | AI observability monitoring, compliance reporting |
| Purview Data Security AI Content Viewer | Grants authorized users access to extended prompt and response details in AI application interactions when content review is required. Combine with Content Explorer Content Viewer permissions where the activity requires them. | Compliance investigation, DLP match review |
| Data Security AI Admins (Purview Data Security AI Admin role) | Provides editing capabilities for DLP policies related to Copilot and viewing AI content in DSPM. Use this for AI-specific policy administration rather than legacy information-protection roles. | Copilot DLP policy governance, AI data security administration |
| AI Administrator (Microsoft Entra role) | Provides Entra AI administration and view-only access to AI data security information in DSPM; it is not a substitute for full Purview data security administration. | AI service administration, AI data monitoring |

Role assignment paths:

  • Data Security Viewers, Purview Data Security AI Viewer, Purview Data Security AI Content Viewer, Data Security AI Admins, and Data Security Management: assigned via Microsoft Purview portal > Settings > Roles and scopes > Role groups
  • AI Administrator: assigned via Microsoft Entra admin center > Roles and administrators > AI Administrator
  • Information Protection Admins: still used for sensitivity labels and auto-labeling policy administration, but should not be treated as the primary DSPM or AI observability permission set

These roles follow the least-privilege principle: assign Data Security Viewer or AI Viewer for monitoring, AI Content Viewer only to personnel authorized to review prompt and response content for investigation purposes, Data Security AI Admins only to personnel administering Copilot DLP policies, and AI Administrator only where Entra AI administration or AI-data view-only coverage is required.


Copilot Surface Coverage

| Copilot Surface | Permission Audit Relevance | Why |
|---|---|---|
| Microsoft 365 Copilot Chat | Critical | Queries all workloads via Graph -- every permission gap is exploitable |
| SharePoint Copilot | Critical | Directly queries SharePoint site permissions |
| Teams Copilot | High | Accesses Teams channel content and linked SharePoint files |
| Outlook Copilot | High | Accesses mailbox content including delegated mailboxes |
| Word / Excel / PowerPoint | High | References files from SharePoint and OneDrive based on permissions |
| OneDrive Copilot | Medium | Limited to personal OneDrive and explicitly shared content |
| Copilot Pages | High | Can reference content from any workload the user can access |
| Copilot Notebooks | High | Can reference content from any workload the user can access |
| Loop Copilot | Medium | Accesses Loop content and referenced SharePoint files |
| Viva Copilot | Medium | Accesses organizational data based on user permissions |

Governance Levels

| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Audit SharePoint site permissions for EEEU and "Everyone" access. Review top 20 sites with broadest access. Remediate EEEU access on sites containing sensitive information types. Document audit findings and remediation actions. Assign Data Security Viewer or Purview Data Security AI Viewer access to compliance team members monitoring DSPM. | Addresses the most critical permission sprawl vector (EEEU) that creates the broadest Copilot oversharing risk. Viewer roles enable monitoring without exposing prompt content. |
| Recommended | All Baseline requirements plus: extend audit to OneDrive sharing, Teams membership, and Exchange delegation. Remediate all EEEU access on all sites. Review and reduce large group memberships (>500 members). Implement quarterly permission audit cadence. Assign Purview Data Security AI Content Viewer to investigation team members authorized to review prompt content. Assign Data Security AI Admins membership only to the Copilot DLP policy owner. Document audit process and establish ownership for ongoing permission governance. | Provides comprehensive multi-workload permission audit with ongoing governance cadence and properly scoped DSPM roles for AI governance oversight. |
| Regulated | All Recommended requirements plus: include Graph API permissions in audit scope. Conduct formal access certification with business owners for all sites containing regulated data. Implement automated permission monitoring and alerting. Establish a formal role assignment policy with quarterly access review for Data Security Viewer, AI Viewer, AI Content Viewer, Data Security AI Admins, and AI Administrator assignments. Engage internal audit for independent validation of permission audit results. Maintain audit trail for regulatory examination. Establish monthly audit cadence for high-sensitivity sites. | Examination-ready permission governance with independent validation, automated monitoring, comprehensive documentation, and formalized governance of DSPM and AI-specific administrative roles. |

Setup & Configuration

Step 1: Generate SharePoint Permission Reports

Navigate to SharePoint admin center > Data access governance to generate:

  • Sites shared with "Everyone" or "Everyone Except External Users"
  • Sites with company-wide sharing links
  • Sites with the most sharing activity

Step 2: Export Detailed Permissions via PowerShell

Use SharePoint Online Management Shell and PnP PowerShell for detailed exports:

```powershell
# Key audit commands (see PowerShell Setup playbook for full scripts).
# <tenant> and <site-url> are placeholders for your tenant name and a site collection URL.
Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
Get-SPOSite -Limit All                 # get site collections
Get-SPOSiteGroup -Site <site-url>      # get site-level permission groups (Title, Roles, Users)
Get-SPOExternalUser                    # list external (guest) users granted access via sharing

# PnP PowerShell runs against one site at a time
Connect-PnPOnline -Url <site-url> -Interactive
Get-PnPSiteCollectionAdmin             # get site collection administrators
```

Step 3: Audit Exchange Permissions

Use Exchange Online PowerShell for mailbox permission audit:

```powershell
# Key audit commands (see PowerShell Setup playbook). <mailbox> is a placeholder identity.
Connect-ExchangeOnline
Get-MailboxPermission -Identity <mailbox>                     # Full Access delegation
Get-RecipientPermission -Identity <mailbox>                   # Send As permissions
Get-MailboxFolderPermission -Identity "<mailbox>:\Calendar"   # folder-level permissions (calendar folder shown)
```
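A tenant-wide version of the Step 3 commands, as an added example that is not the playbook's script: it exports every non-inherited Full Access, Send As and Send on Behalf grant together with mailbox forwarding, forwarding inbox rules and redirecting transport rules, since Outlook Copilot grounds on delegated mailboxes and forwarded mail lands in whatever mailbox received it. It assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session; the function and output file names are this example's own.

```powershell
# Added example, not from the framework. Assumes a Connect-ExchangeOnline session.

function Get-MailboxDelegationFindings {
    param([string]$ResultSize = 'Unlimited')   # set to a number to sample a large tenant

    foreach ($mbx in Get-Mailbox -ResultSize $ResultSize) {
        $addr = $mbx.PrimarySmtpAddress

        # Full Access: explicit (non-inherited) grants to anyone other than the owner's own SID
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' -and $_.AccessRights -contains 'FullAccess' } |
            ForEach-Object { [pscustomobject]@{ Mailbox=$addr; Type='FullAccess'; Grantee="$($_.User)"; Detail='' } }

        # Send As is a recipient permission, not a mailbox permission
        Get-RecipientPermission -Identity $mbx.Identity |
            Where-Object { $_.Trustee -notlike 'NT AUTHORITY\SELF' -and $_.AccessRights -contains 'SendAs' } |
            ForEach-Object { [pscustomobject]@{ Mailbox=$addr; Type='SendAs'; Grantee="$($_.Trustee)"; Detail='' } }

        # Send on Behalf is an attribute of the mailbox itself
        foreach ($d in $mbx.GrantSendOnBehalfTo) {
            [pscustomobject]@{ Mailbox=$addr; Type='SendOnBehalf'; Grantee="$d"; Detail='' }
        }

        # Mailbox-level forwarding set by an admin or via Outlook settings
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            [pscustomobject]@{
                Mailbox = $addr; Type = 'MailboxForwarding'
                Grantee = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
                Detail  = "DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward)"
            }
        }

        # User-created inbox rules that forward or redirect
        Get-InboxRule -Mailbox $mbx.Identity |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
            ForEach-Object {
                $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
                [pscustomobject]@{ Mailbox=$addr; Type='InboxRuleForward'; Grantee=($targets -join ';'); Detail=$_.Name }
            }
    }

    # Org-level transport rules that copy or redirect mail elsewhere
    Get-TransportRule |
        Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo } |
        ForEach-Object {
            $targets = @($_.RedirectMessageTo) + @($_.BlindCopyTo) + @($_.CopyTo) | Where-Object { $_ }
            [pscustomobject]@{ Mailbox='(transport rule)'; Type='TransportRuleRedirect'; Grantee=($targets -join ';'); Detail=$_.Name }
        }
}

# Usage: one row per grant or rule, ready for the remediation owner to review.
Get-MailboxDelegationFindings | Export-Csv -Path .\exchange-delegation-findings.csv -NoTypeInformation
```

Reviewing these rows against the shared-mailbox inventory usually explains most Full Access grants; anything left over, and every forwarding target outside the organisation, is a candidate finding.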

Step 4: Audit Teams Membership

Use Teams admin center and PowerShell for membership audit:

```powershell
# Key audit commands (see PowerShell Setup playbook). <id> is a placeholder for a team's group ID.
Connect-MicrosoftTeams
Get-Team                                   # list all Teams
Get-TeamUser -GroupId <id>                 # get team membership
# Review public vs. private channel configuration: MembershipType is Standard (all team members), Private or Shared
Get-TeamChannel -GroupId <id> | Select-Object DisplayName, MembershipType
```

Step 5: Audit Graph API Permissions

Navigate to Microsoft Entra admin center > Applications > App registrations and review:

  • Applications with Sites.Read.All or Sites.ReadWrite.All permissions
  • Applications with Mail.Read or Mail.ReadWrite permissions
  • Admin consent grants that provide organization-wide access
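The same review done against Microsoft Graph instead of the portal, covering both the Graph API permissions table and this step, as an added example that is not part of the framework: it lists every application (app-role) permission and every delegated (OAuth2) grant held against the Microsoft Graph service principal and flags the broad scopes named above. It assumes the Microsoft.Graph PowerShell module and a read-only Connect-MgGraph session consented for Application.Read.All and Directory.Read.All; the function and output file names are this example's own.

```powershell
# Added example, not the framework's script. Assumes a read-only Connect-MgGraph session.

$BroadScopes = @('Sites.Read.All', 'Sites.ReadWrite.All', 'Mail.Read', 'Mail.ReadWrite')

# Well-known appId of the Microsoft Graph resource; every Graph grant references its service principal.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Map app-role GUIDs to permission names such as Sites.Read.All
$roleNames = @{}
foreach ($r in $graphSp.AppRoles) { $roleNames[$r.Id] = $r.Value }

function Get-GraphPermissionFindings {
    # Application permissions: app-role assignments where Graph is the resource (tenant-wide, no user context)
    foreach ($a in Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All) {
        $name = $roleNames[$a.AppRoleId]
        [pscustomobject]@{
            Principal    = $a.PrincipalDisplayName
            PrincipalId  = $a.PrincipalId
            Type         = 'Application'
            Permission   = $name
            ConsentScope = 'Tenant'
            Broad        = ($BroadScopes -contains $name)
        }
    }

    # Delegated permissions: OAuth2 grants; ConsentType AllPrincipals means admin consent covering every user
    $grants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.ResourceId -eq $graphSp.Id }
    foreach ($g in $grants) {
        $client  = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
        $consent = if ($g.ConsentType -eq 'AllPrincipals') { 'Tenant (admin consent)' } else { "User $($g.PrincipalId)" }
        foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
            [pscustomobject]@{
                Principal    = $client.DisplayName
                PrincipalId  = $g.ClientId
                Type         = 'Delegated'
                Permission   = $scope
                ConsentScope = $consent
                Broad        = ($BroadScopes -contains $scope)
            }
        }
    }
}

# Usage: export only the broad-scope holders for review; drop the Where-Object to keep the full inventory.
Get-GraphPermissionFindings | Where-Object Broad | Sort-Object Principal, Permission |
    Export-Csv -Path .\graph-permission-findings.csv -NoTypeInformation
```

Application permissions with a broad scope are the higher-risk rows because they carry no user context at all; a delegated grant with ConsentType AllPrincipals is the admin-consent case from the third bullet above.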

Step 6: Assign DSPM and AI Data Security Roles

Navigate to Microsoft Purview portal > Settings > Roles and scopes > Role groups and assign:

  • Data Security Viewers or Data Security Viewer: Compliance team members responsible for current DSPM dashboard monitoring
  • Purview Data Security AI Viewer: Compliance team members responsible for AI activity monitoring without prompt/response access
  • Purview Data Security AI Content Viewer: Investigation team members authorized for prompt/response review
  • Data Security AI Admins: Copilot DLP policy owners who require Purview Data Security AI Admin capabilities

Navigate to Microsoft Entra admin center > Roles and administrators > AI Administrator and assign only when required:

  • AI Administrator: AI service administrators or users who require Entra AI administration and AI-data view-only coverage in DSPM

Step 7: Remediate and Document

For each finding:

  1. Assign remediation owner (site owner or team admin)
  2. Define target state (replace EEEU with specific security groups)
  3. Execute remediation
  4. Verify through re-audit
  5. Document action, date, and verification
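Steps 2 through 5 for one SharePoint finding, as an added example that is not the framework's script: it adds the targeted security group to the site group, removes the broad principal, re-reads the group to verify, and appends a before/after record to a remediation log. It assumes a Connect-SPOService session as a SharePoint administrator, that the replacement Entra ID security group already exists, and that Add-SPOUser accepts the group's claim-format login name; the function name, parameter values and log path are this example's own placeholders.

```powershell
# Added example, not the framework's script. Assumes a Connect-SPOService session.

function Invoke-BroadPrincipalRemediation {
    param(
        [Parameter(Mandatory)][string]$SiteUrl,
        [Parameter(Mandatory)][string]$SiteGroup,             # e.g. 'Finance Site Members'
        [Parameter(Mandatory)][string]$BroadLoginName,        # the Everyone / EEEU claim taken from the audit export
        [Parameter(Mandatory)][string]$ReplacementLoginName,  # assumed claim format: 'c:0t.c|tenant|<entra-group-object-id>'
        [Parameter(Mandatory)][string]$Owner,                 # remediation owner recorded for the audit trail
        [string]$LogPath = '.\permission-remediation-log.csv'
    )

    # Capture the "before" state for the record
    $before = (Get-SPOSiteGroup -Site $SiteUrl | Where-Object Title -eq $SiteGroup).Users -join ';'

    # Add the targeted group first so legitimate users never lose access, then remove the broad principal
    Add-SPOUser    -Site $SiteUrl -Group $SiteGroup -LoginName $ReplacementLoginName | Out-Null
    Remove-SPOUser -Site $SiteUrl -Group $SiteGroup -LoginName $BroadLoginName

    # Verify through re-audit: the broad principal must no longer be in the group
    $after    = @((Get-SPOSiteGroup -Site $SiteUrl | Where-Object Title -eq $SiteGroup).Users)
    $verified = -not ($after -contains $BroadLoginName)

    # Document action, date and verification outcome
    $record = [pscustomobject]@{
        Timestamp = (Get-Date).ToString('o')
        SiteUrl   = $SiteUrl
        SiteGroup = $SiteGroup
        Removed   = $BroadLoginName
        Added     = $ReplacementLoginName
        Owner     = $Owner
        Before    = $before
        After     = ($after -join ';')
        Verified  = $verified
    }
    $record | Export-Csv -Path $LogPath -NoTypeInformation -Append
    return $record
}

# Usage (placeholder values): feed one row from the EEEU audit export.
Invoke-BroadPrincipalRemediation -SiteUrl 'https://<tenant>.sharepoint.com/sites/finance' `
    -SiteGroup 'Finance Site Members' `
    -BroadLoginName 'c:0-.f|rolemanager|spo-grid-all-users/<tenant-id>' `
    -ReplacementLoginName 'c:0t.c|tenant|<finance-group-object-id>' `
    -Owner 'finance-site-owner@<tenant>'
```

Keeping the Before and After columns as the raw login-name lists gives the re-audit evidence directly in the log, which is what an examiner will ask for under the Regulated tier.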


Financial Sector Considerations

  • Separation of Duties: Financial institutions must maintain separation of duties between front office (trading, sales), middle office (risk, compliance), and back office (operations, settlement). Permission audit should verify these boundaries are maintained across M365 workloads and will be respected by Copilot. Data Security AI Admins membership and AI Content Viewer access should not be held by the same person.
  • Information Barriers: Broker-dealers and investment banks with information barrier requirements should cross-reference permission audit findings with information barrier policies to identify potential gaps that Copilot could exploit.
  • Client Data Segregation: Wealth management and advisory firms must ensure client data is not accessible across advisor boundaries. Permission audit should verify that Copilot cannot surface one client's data to another client's advisor.
  • Regulatory Access: Regulators and examiners may have guest access to specific SharePoint sites. Ensure these permissions are scoped appropriately and that regulatory examination materials are not surfaced by Copilot to non-examination personnel.
  • Terminated Employee Access: Financial institutions must promptly revoke access for terminated employees. Permission audit should verify that no stale access exists for former employees, as Copilot would inherit these permissions.
  • Contractor and Vendor Access: Third-party personnel (auditors, consultants, technology vendors) often have broad access that accumulates over engagement lifecycles. Audit and scope these permissions before Copilot deployment.
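A scripted version of the quarterly DSPM role review from the RBAC section, with the separation-of-duties rule stated in the first bullet above (Data Security AI Admins and AI Content Viewer must not be held by the same person), as an added example that is not part of the framework. It assumes the ExchangeOnlineManagement module with a Connect-IPPSSession (Security & Compliance PowerShell) session; the role group identities are taken from this control's tables, so confirm the exact names in your tenant with Get-RoleGroup before relying on them. The function names, the sample membership and the output path are this example's own.

```powershell
# Added example, not the framework's script. Assumes a Connect-IPPSSession session.

# Role groups named in this control; verify identities with Get-RoleGroup in your tenant.
$RoleGroups = @(
    'Data Security Viewers',
    'Purview Data Security AI Viewer',
    'Purview Data Security AI Content Viewer',
    'Data Security AI Admins',
    'Data Security Management'
)

# Pairs that should not be held by the same person (Financial Sector Considerations, Separation of Duties)
$SodPairs = @(
    ,@('Data Security AI Admins', 'Purview Data Security AI Content Viewer')
)

function Get-DspmRoleMembership {
    foreach ($rg in $RoleGroups) {
        foreach ($m in Get-RoleGroupMember -Identity $rg) {
            [pscustomobject]@{ RoleGroup = $rg; Member = $m.Name }
        }
    }
}

function Find-SodViolations {
    param([Parameter(Mandatory)][object[]]$Membership)
    foreach ($pair in $SodPairs) {
        $a = @($Membership | Where-Object RoleGroup -eq $pair[0] | ForEach-Object Member)
        $b = @($Membership | Where-Object RoleGroup -eq $pair[1] | ForEach-Object Member)
        foreach ($member in ($a | Where-Object { $b -contains $_ })) {
            [pscustomobject]@{ Member = $member; Conflict = "$($pair[0]) + $($pair[1])" }
        }
    }
}

# Constructed membership so the check can be exercised offline; in production use Get-DspmRoleMembership.
$sample = @(
    [pscustomobject]@{ RoleGroup = 'Data Security AI Admins';                  Member = 'dlp.owner' }
    [pscustomobject]@{ RoleGroup = 'Purview Data Security AI Content Viewer';  Member = 'investigator' }
    [pscustomobject]@{ RoleGroup = 'Purview Data Security AI Content Viewer';  Member = 'dlp.owner' }
)
Find-SodViolations -Membership $sample    # flags dlp.owner for holding both roles

# Quarterly review run: snapshot membership for the audit trail and list any conflicts
$membership = Get-DspmRoleMembership
$membership | Export-Csv -Path ".\dspm-role-review-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
Find-SodViolations -Membership $membership
```

Adding further pairs to $SodPairs (for example AI Administrator against Data Security AI Admins, if your policy separates Entra and Purview administration) extends the check without touching the functions.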

Verification Criteria

  1. SharePoint site permissions have been audited for EEEU and "Everyone" access across all in-scope sites
  2. All EEEU permissions on sites containing sensitive data have been remediated (replaced with specific security groups)
  3. OneDrive sharing configuration has been reviewed and overly broad sharing links addressed (Recommended and Regulated levels)
  4. Exchange mailbox delegation permissions have been audited for appropriateness (Recommended and Regulated levels)
  5. Teams membership has been reviewed for overly broad access patterns (Recommended and Regulated levels)
  6. Graph API permissions for applications and service principals have been audited (Regulated level)
  7. Data Security Viewer or Purview Data Security AI Viewer access assigned to compliance team members who monitor DSPM (Baseline and above)
  8. Purview Data Security AI Content Viewer role assigned to investigation team with documented authorization (Recommended and Regulated levels)
  9. Data Security AI Admins membership assigned only to Copilot DLP policy owners with documented authorization (Recommended and Regulated levels)
  10. Formal role assignment policy established for DSPM and AI-specific roles with quarterly access review (Regulated level)
  11. Permission audit findings are documented with risk classifications and remediation actions
  12. Remediation actions are verified through re-audit with documentation of before/after states
  13. Recurring permission audit cadence is established (quarterly / monthly for high-sensitivity per governance level)
  14. Permission audit reports and remediation logs are retained and accessible for regulatory examination

Additional Resources


FSI Copilot Governance Framework v1.4.0 - April 2026