Walk into ten established SMB SharePoint environments and at least seven will have the same problem: years of inherited permissions, ad-hoc external sharing, orphaned sites, mis-applied groups, and "Everyone except external users" attached to folders that no one would classify that way today.
Permission hygiene is the silent prerequisite for nearly every modern M365 feature. Copilot assumes the permissions are right. Sensitivity-label-driven DLP assumes the permissions are right. Migration to a different tenant assumes the permissions are right. They usually aren't.
The fix isn't dramatic, just unglamorous: audit the site collection inventory, identify permission anomalies, run an access review with the data owners, apply a sensible permission model, and lock in governance for the future. Tools like the Microsoft 365 Admin Centre, Graph reporting, and third-party permissions analysers all help, but the work is owned by humans deciding who should see what.
The payoff is that everything else — Copilot, DLP, sensitivity labels, audit — starts working as advertised.
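For the "identify permission anomalies" step, here is an added example (not from the original page or any Microsoft tool) that triages a flattened permissions export into findings to bring to the access review. The CSV layout, site names and accounts are constructed for illustration, and treating a site with no Full Control grant as orphaned is this example's own heuristic; the two claim strings are the SharePoint Online login names for "Everyone" and "Everyone except external users".

```python
import csv
import io
from collections import defaultdict

# SharePoint Online login names for the tenant-wide principals.
EVERYONE = "c:0(.s|true"
EEEU_PREFIX = "c:0-.f|rolemanager|spo-grid-all-users/"  # Everyone except external users

# Constructed sample: one row per (site, object, principal) grant. Column names
# and all values are assumptions for this example, not a Microsoft export schema.
SAMPLE_EXPORT = """site,path,login_name,role
/sites/finance,/,i:0#.f|membership|amy@contoso.example,Full Control
/sites/finance,/Shared Documents/Payroll,c:0-.f|rolemanager|spo-grid-all-users/00000000-0000-0000-0000-000000000000,Read
/sites/finance,/Shared Documents/Audit,i:0#.f|membership|pat_partner.example#ext#@contoso.example,Edit
/sites/project-2019,/,i:0#.f|membership|bob@contoso.example,Edit
/sites/project-2019,/Shared Documents,c:0(.s|true,Read
"""

def classify(login_name):
    """Return an anomaly label for a principal, or None if it looks ordinary."""
    login = login_name.lower()
    if login == EVERYONE or login.startswith(EEEU_PREFIX):
        return "broad-claim"      # whole-tenant audience on one object
    if "#ext#" in login:
        return "external-guest"   # guest account holding a direct grant
    return None

def find_anomalies(export_text):
    """Return sorted (kind, site, path, role) findings for the access review."""
    findings = []
    owners = defaultdict(int)     # site -> number of Full Control grants seen
    for row in csv.DictReader(io.StringIO(export_text)):
        site = row["site"]
        owners[site] += row["role"] == "Full Control"
        kind = classify(row["login_name"])
        if kind:
            findings.append((kind, site, row["path"], row["role"]))
    # Heuristic (assumption): no Full Control grant means no accountable owner.
    for site, count in owners.items():
        if count == 0:
            findings.append(("no-owner", site, "/", ""))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_EXPORT):
        print(*finding, sep="\t")
```

The output is a worklist for the data owners, not a verdict: a broad claim on a company-wide policy library may be intended, while the same claim on a payroll folder is what the review exists to catch.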
