April 29, 2025
Background
Oversharing and data leak risks may occur with or without GenAI use. However, leaders are concerned that GenAI tools might grant faster access to content with incorrect permissions, making these files easier to locate. Oversharing occurs when an employee has access to information beyond what is necessary to do their jobs. It often happens accidentally, for example if a user saves sensitive files to a SharePoint site without realizing everyone has access to that location. It could also happen when people share files too broadly (e.g. everyone in the organization sharing a link). Or it can happen when files lack protection regardless of location.
Microsoft Purview Data Security Posture Management (DSPM) for AI's Data Risk Assessment helps address oversharing by letting security teams scan files for sensitive data and identify data repositories, such as SharePoint sites, with overly permissive user access. It provides visibility into overshared content, risk assessment, remediation actions, and detailed reports.
Introduction
Purview Data Security Posture Management for AI (DSPM for AI)’s Data Risk Assessment is for you if you:
- Are an existing Microsoft 365 Copilot customer, or someone wanting to deploy Microsoft 365 Copilot; or
- Want to address oversharing but have not yet deployed Microsoft 365 Copilot.
Prerequisites
Please refer to the prerequisites for DSPM for AI in the Microsoft Learn Docs.
Log in to the Purview portal
To begin, log in to the Microsoft Purview portal with your admin credentials:
- In the Microsoft Purview portal, go to the Home page.
- Find DSPM for AI under solutions.
- Head to Purview DSPM for AI -> Data Assessment.
The Data Assessments tool identifies potential oversharing risks in your organization. It also provides fixes to limit access to sensitive data.
As shown on the Data Risk Assessment landing page, there are two types of assessments:
- A Default Assessment. This assessment runs automatically every week.
- Custom Assessments. These assessments are user-triggered.
This blog will focus on the Default assessment and will not cover Custom assessments. The Default assessment runs automatically every week and targets the top 100 SharePoint sites based on usage.
Default assessment
Next, click the View details button for the Default data risk assessment report on the Overview page.
In the Oversharing Assessment for the week page, locate the visual reports bar.
The visual reports bar provides a general overview of:
- Assessment details, which includes:
- Description. Top 100 accessed SharePoint sites by usage.
- Last updated, next updated, and frequency. Frequency of updates for the default assessment.
- Total items – a visual graph of the number of items scanned and/or not scanned for sensitive information types (SITs).
- Sensitivity labels on data – a visual graph that includes:
- The number of labeled SITs detected and not detected.
- The number of Not labeled SITs detected and not detected.
- The number of data not scanned.
- Items shared with – a visual graph that includes the number of links:
- Shared with anyone.
- Shared organization wide.
- Shared with specific people.
- Shared outside your organization.
The following data points may indicate that oversharing has occurred in the tenant:
- Large amount of data not scanned.
- Large amount of data containing SITs but not labeled.
- Large amount of data shared externally.
Site-specific data
Next, locate the list of sites (Data source ID) and their info on the table below the visual reports bar, which includes information on:
- Source type
- Total items
- Total items accessed
- Times users accessed items
- Unique users accessing items
- Total Sensitive items
- Total scanned items
- Total unscanned items
- Items shared with
Scroll through the list and identify sites that may be overshared, based on your knowledge of whether each site is private or public and on the conditions below:
- A private site that is being shared externally, based on the sharing links info.
- A private site whose documents are being read widely outside the expected audience, based on a high count of total items accessed, unique users accessing items, and/or times users accessed items.
- A public site that has a high level of sensitive items based on total sensitive items count.
- A site that has a high level of total unscanned items.
By clicking the Export button, you can export the Data source IDs to an Excel, CSV, JSON, or TSV file.
The rollout of the export capability has started and will be complete by end of the week (week of April 28, 2025).
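The conditions above are applied by eye in the portal, but once the site table is exported they can be applied mechanically. The following Python script is an added example, not code from the original post or from Microsoft: it reads a constructed CSV whose column names follow the headers of the site table (the four per-link-type columns are an assumption about how "Items shared with" is broken out in the export), takes the private/public classification of each site from an analyst-supplied map, since the report does not carry it, and flags each site against the four site-level conditions plus the tenant-wide "large amount of data not scanned" and "shared externally" indicators. The thresholds are assumed values to be tuned to the tenant.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample of a Data Risk Assessment site export (CSV). Column names
# follow the headers of the site table; the four per-link-type columns are an
# assumption about how "Items shared with" is represented in the export.
SAMPLE_EXPORT = """\
Data source ID,Source type,Total items,Total items accessed,Times users accessed items,Unique users accessing items,Total Sensitive items,Total scanned items,Total unscanned items,Shared with anyone,Shared organization wide,Shared with specific people,Shared outside your organization
https://contoso.sharepoint.com/sites/Finance,SharePoint,1200,300,950,40,210,1100,100,0,5,120,3
https://contoso.sharepoint.com/sites/AllHands,SharePoint,800,700,5000,600,150,790,10,2,400,50,0
https://contoso.sharepoint.com/sites/Legacy,SharePoint,5000,20,30,4,0,500,4500,0,0,10,0
https://contoso.sharepoint.com/sites/Marketing,SharePoint,300,200,600,35,3,300,0,0,20,40,0
"""

# Analyst-supplied knowledge of which sites are private (constructed).
# This is not in the export; the report leaves it to the reviewer.
SITE_PRIVACY = {
    "https://contoso.sharepoint.com/sites/Finance": "private",
    "https://contoso.sharepoint.com/sites/AllHands": "public",
    "https://contoso.sharepoint.com/sites/Legacy": "private",
    "https://contoso.sharepoint.com/sites/Marketing": "private",
}


@dataclass(frozen=True)
class Thresholds:
    """Assumed cut-offs; tune them to the tenant's normal usage."""
    unique_users: int = 100        # private site: many distinct readers
    times_accessed: int = 1000     # private site: heavy read traffic
    sensitive_items: int = 100     # public site: many SIT hits
    unscanned_ratio: float = 0.5   # any site: half or more never scanned


def _n(row, column):
    """Read an integer column, treating blanks as zero."""
    return int((row.get(column) or "0").strip() or 0)


def assess_site(row, privacy, t=Thresholds()):
    """Apply the four site-level conditions to one export row."""
    findings = []
    # Links to anyone or to external users count as external exposure.
    external = _n(row, "Shared outside your organization") + _n(row, "Shared with anyone")
    if privacy == "private" and external > 0:
        findings.append("private-site-external-sharing")
    if privacy == "private" and (
        _n(row, "Unique users accessing items") >= t.unique_users
        or _n(row, "Times users accessed items") >= t.times_accessed
    ):
        findings.append("private-site-broad-access")
    if privacy == "public" and _n(row, "Total Sensitive items") >= t.sensitive_items:
        findings.append("public-site-sensitive-items")
    total = _n(row, "Total items")
    if total and _n(row, "Total unscanned items") / total >= t.unscanned_ratio:
        findings.append("high-unscanned")
    return findings


def assess_export(csv_text, privacy_map, t=Thresholds()):
    """Return {site: [findings]} for every site with at least one finding."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        site = row["Data source ID"]
        findings = assess_site(row, privacy_map.get(site, "unknown"), t)
        if findings:
            results[site] = findings
    return results


def tenant_summary(csv_text, t=Thresholds()):
    """Tenant-wide indicators: share of items never scanned and external link count."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    total = sum(_n(r, "Total items") for r in rows)
    unscanned = sum(_n(r, "Total unscanned items") for r in rows)
    external = sum(_n(r, "Shared outside your organization") for r in rows)
    ratio = unscanned / total if total else 0.0
    return {
        "total_items": total,
        "unscanned_ratio": round(ratio, 3),
        "external_links": external,
        "large_unscanned": ratio >= t.unscanned_ratio,
    }


if __name__ == "__main__":
    for site, findings in assess_export(SAMPLE_EXPORT, SITE_PRIVACY).items():
        print(site, ", ".join(findings))
    print(tenant_summary(SAMPLE_EXPORT))
```

Sites with no finding are omitted from the result, so the output is the shortlist to open in the flyout panel. A site whose privacy is not in the map is treated as unknown and is only checked for the unscanned condition, which is the safe default rather than guessing.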
Secure and Govern Each Site
Click into each site of interest, or each site that may have potential oversharing, to review the site info in the flyout panel.
- Overview – provides an overview of the details for the site.
- Data source details – provides details of where the data comes from (i.e. SharePoint) and its corresponding URL.
- Data coverage – displays the total items scanned in the site that are either:
- Labeled and SITs detected, or No SITs detected
- Not labeled and SITs detected, or No SITs detected
Data points that may indicate that oversharing has occurred in the tenant:
1. Lots of unscanned documents.
2. Lots of documents that contain SITs but not labeled.
- Identify – scans your data for sensitive information.
- Use Microsoft Purview On-demand classification data scan to scan for sensitive information for all content in this site. Microsoft Purview On-demand classification data scan is a feature to help discover and classify sensitive content in historical data across Microsoft 365.
- Protect – provides remediation actions that you can take to address internal oversharing:
- Limit Microsoft 365 Copilot access to this site – Restrict access or block processing of certain content in SharePoint. You can choose between two methods of controlling how Copilot accesses data in SharePoint:
- Restrict access by label – Block processing of content with a specific sensitivity label using Purview Data Loss Prevention (DLP) policy for Copilot
- Restrict all items – Restrict access to site(s) using SharePoint Advanced Management (SAM) restricted content discovery (RCD)
- Other labeling policies – Create sensitivity label taxonomy and publish labels to SharePoint via:
- Default sensitivity label for SharePoint document library
- Default labels – set up default labels so that all new items are labeled by default using sensitivity labels.
- Sensitive information auto-labeling policy – Use auto-labeling policies based on sensitive content or keywords. You can click View items to view the files with SITs.
- SharePoint site sensitivity label to apply a sensitivity container label to the site.
- Review unused files – Protect sensitive data from oversharing by deleting unused files with Purview Data Lifecycle Management (DLM) retention policies.
- Monitor – Ongoing access monitoring
- Run a site access review
- This section displays the number of sites:
- Shared with anyone.
- Shared organization wide.
- Shared with specific people.
- Shared externally.
- You can then run a SharePoint site access review using SAM.
- Run an access review through Microsoft Entra to make sure access granted is up to date.
Conclusion
In this blog, we explored the concept of oversharing and its implications in collaborative environments. We discussed how Microsoft Purview DSPM for AI Data Risk Assessments can help identify and mitigate risks associated with sensitive data. Additionally, this blog provided a detailed guide on using the Data Risk Assessments tool, focusing on the Default assessment, which runs automatically every week. We covered how to interpret the visual reports and identify potential oversharing risks based on various data points. Additionally, we outlined steps to secure and govern each site, including remediation actions and access monitoring.
For detailed guidance on all Purview + SAM features to address oversharing, please reference the oversharing blueprint – https://aka.ms/Copilot/Oversharing.
Be sure to also check out the blog on How to deploy DSPM for AI to secure and govern all types of AI, including Microsoft Copilot experiences, Enterprise AI apps, and other AI apps!
Resources
- Address oversharing concerns with Microsoft 365 blueprint – aka.ms/Copilot/Oversharing
- Public webinar on oversharing – Secure AI: Practical Steps for Addressing Oversharing Concerns
- Microsoft Purview data security and compliance protections for Microsoft 365 Copilot and other generative AI apps | Microsoft Learn
- Considerations for deploying Microsoft Purview AI Hub and data security and compliance protections for Microsoft 365 Copilot and Microsoft Copilot | Microsoft Learn
- Downloadable whitepaper – Data Security for AI Adoption | Microsoft
- Public roadmap for DSPM for AI – Microsoft 365 Roadmap | Microsoft 365