Domain 3: Secure compute

Securing AI on Azure: SharePoint Overexposure + Purview DSPM for Copilot

The new SC-500 frontier — why AI surfaces like Microsoft Copilot turn old over-sharing into a fresh data security problem, and how to find and contain it with Microsoft Purview Data Security Posture Management for AI.

Why this module is the heart of what’s new on SC-500

Simple explanation

Microsoft 365 Copilot (the one that rides on top of your tenant's Word, Excel, Outlook, Teams, and SharePoint) reads through Microsoft Graph as the signed-in user, with that user's permissions and nothing more. That's the design. It means that if a user can technically open a file in SharePoint, Copilot can read it too and surface its content in answers, whether or not the user ever knew the file existed.

For most organisations, this exposes a problem that was already there but invisible: over-sharing. A 2020 SharePoint site set to “Everyone in the org” because someone clicked the wrong button. A folder marked “Everyone except external users” so that anyone in the company can reach the salary spreadsheet. A site collection inherited from a long-gone team.

Before Copilot, these sat in directories nobody browsed. After Copilot, the question “Can you summarise our pay bands?” can return them.

SC-500 expects you to use Microsoft Purview Data Security Posture Management (DSPM) for AI to discover exactly this: which SharePoint sites and which content are over-exposed, what AI activity is reaching them, and how to contain. DSPM is the discovery surface. Sensitivity labels, DLP, and restricted SharePoint search are the enforcement.

The over-sharing problem, in one diagram

Before Copilot, the practical “blast radius” of an over-permissioned SharePoint site was the small set of users who happened to navigate to it or be pointed to a link. After Copilot, the blast radius is every user with read access, multiplied by every natural-language question that might bring the content forward.

Why over-sharing went from theoretical to real-world risk once Copilot was enabled

Feature              | Before Copilot                                        | After Copilot
---------------------|-------------------------------------------------------|---------------------------------------------------------------
Discovery surface    | Manual SharePoint navigation, share links             | Natural-language search across all readable content
Practical reach      | Tiny: most over-permissioned content is never opened  | Tenant-wide: anyone can ask a question that surfaces it
Trigger              | A user clicking through to a file                     | A user asking "summarise our compensation policy"
Mitigation if missed | Manual, reactive incident response                    | Defensible only if pre-mitigated; Copilot answers in real time
Visibility to IT     | Low: over-sharing rarely surfaces until an incident   | Higher: DSPM for AI surfaces risky interactions

Microsoft Purview Data Security Posture Management (DSPM) for AI

DSPM for AI lives in the Microsoft Purview portal (purview.microsoft.com). It’s a dedicated workspace for understanding how AI applications interact with your organisation’s data — which AI apps, whose data, what sensitivity, what the user did with the AI response.

What DSPM for AI discovers

  • AI app activity — which Microsoft Copilot, Copilot Studio agents, Foundry-hosted apps, and third-party AI tools are being used; which users are using them; what’s being asked.
  • Sensitive content in interactions — when a Copilot prompt or response includes content matching sensitive information types or sensitivity labels, DSPM surfaces it.
  • Risky interactions — patterns flagged as elevated risk: a user asking Copilot for compensation data, a Copilot Studio agent that reads from a “highly confidential”-labeled site, anomalous AI usage by a single account.
  • Unethical prompts — prompts that match Microsoft-curated patterns of attempts to extract sensitive content, jailbreak the model, or generate harmful output.

What DSPM for AI recommends

For each risk, DSPM surfaces a recommended action. Typical recommendations:

  • “Apply sensitivity labels to over-shared content in [site list]”
  • “Enable Restricted SharePoint Search to limit Copilot’s reach to curated sites only”
  • “Configure a DLP policy to block sensitive content from Copilot responses”
  • “Review user X’s AI activity for further investigation”

Recommendations link directly into the relevant Purview surfaces (label management, DLP policy creation, Insider Risk Management).

SharePoint Advanced Management — the enforcement controls

Microsoft Purview DSPM tells you what's exposed. SharePoint Advanced Management (SAM), an add-on to Microsoft 365 plans that is also included with Microsoft 365 Copilot licensing, together with the core SharePoint controls, is how you contain it.

Restricted SharePoint Search (RSS)

A tenant-wide setting that limits Microsoft 365 Copilot grounding and organisation-wide SharePoint search to an allowlist of up to 100 curated sites, plus content each user already owns, has recently viewed or edited, or has had shared with them directly (their OneDrive included). It's the "we'll turn on Copilot, but Copilot only sees the sites we've reviewed and labelled" pattern, and it buys time to harden the long tail of over-shared sites. Two caveats a practitioner should keep in mind: RSS changes what Copilot and search can find, not who has permission, so an over-shared site is still one click away for anyone holding the link; and the 100-site cap makes it a bridge during rollout, not a substitute for fixing permissions.
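Turning RSS on from the SharePoint Online Management Shell, as an added example rather than code from the page: it loads a reviewed allowlist, enforces the 100-site cap before touching the tenant, and enables the mode only once the list is populated. The admin URL and the allowlist file name are assumptions, and the shape of the Get-SPOTenantRestrictedSearchAllowedList output is handled both as plain strings and as objects with a SiteUrl property because module versions differ.

```powershell
# Added example, not from the page: enable Restricted SharePoint Search (RSS) and load a reviewed
# allowlist with the SharePoint Online Management Shell. The admin URL and the allowlist file are
# assumptions; a SharePoint Administrator role is required.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://maplegenomics-admin.sharepoint.com'

# One reviewed site URL per line, produced by the review process (not guessed).
$wanted = Get-Content -Path .\rss-allowlist.txt |
    ForEach-Object { $_.Trim().TrimEnd('/') } |
    Where-Object { $_ -match '^https://' } |
    Sort-Object -Unique

# Read the current allowlist (strings or objects with SiteUrl, depending on module version)
# and compute only what is missing.
$existing = @(Get-SPOTenantRestrictedSearchAllowedList |
    ForEach-Object { if ($_.SiteUrl) { $_.SiteUrl } else { "$_" } } |
    ForEach-Object { $_.TrimEnd('/') })
$toAdd = @($wanted | Where-Object { $existing -notcontains $_ })

# The allowlist holds at most 100 sites. Fail before touching the tenant rather than part-way through.
$cap = 100
if (($existing.Count + $toAdd.Count) -gt $cap) {
    throw "Allowlist would reach $($existing.Count + $toAdd.Count) sites; the cap is $cap. Trim the list first."
}

# Add in small batches so one bad URL does not abort the whole load.
for ($i = 0; $i -lt $toAdd.Count; $i += 20) {
    $batch = $toAdd[$i..([Math]::Min($i + 19, $toAdd.Count - 1))]
    Add-SPOTenantRestrictedSearchAllowedList -SitesList $batch
}

# Flip the mode on only after the allowlist is populated; enabling RSS with an empty list leaves
# Copilot grounding on nothing but users' own and recently accessed content.
if ("$(Get-SPOTenantRestrictedSearchMode)" -notmatch 'Enabled') {
    Set-SPOTenantRestrictedSearchMode -Mode Enabled
}

# Verify. Both the mode and the list take time to propagate; re-check after the wait as well.
Get-SPOTenantRestrictedSearchMode
Get-SPOTenantRestrictedSearchAllowedList | Measure-Object | Select-Object -ExpandProperty Count

# Roll back for a team that loses search it needs:
#   Remove-SPOTenantRestrictedSearchAllowedList -SitesList @('https://maplegenomics.sharepoint.com/sites/X')
#   Set-SPOTenantRestrictedSearchMode -Mode Disabled
```

Run it from a pilot allowlist first and confirm with a test account that a site not on the list no longer appears in organisation-wide search before announcing the rollout; RSS only governs discoverability, so the permission fixes on the sites you left off the list are still owed.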

Data Access Governance (DAG) reports

The SharePoint admin centre includes Data Access Governance reports (a SharePoint Advanced Management feature) that surface:

  • Sites shared with “Everyone except external users” (the most common over-share)
  • Sites shared with the entire organisation
  • Sites with sensitivity-labelled content but inconsistent permission scope
  • Recently-shared sites and the scope of sharing
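An added example (not from the page) of what to do with a DAG export once you have it: the script sorts the rows of an "Everyone except external users" report into remediation buckets and writes out the only sites that should even be considered for a search allowlist. The CSV rows and their column names are constructed for the example; map them onto the headers of a real export before running it.

```powershell
# Added example, not from the page: triage a Data Access Governance "Everyone except external
# users" report export into remediation buckets. The CSV is constructed sample data and the
# column names are an assumption; map them to the headers of your own export.
$dagCsv = @'
SiteUrl,SiteName,PrimaryOwner,LastActivityDate,SensitivityLabel,TotalPermissionedUsers
https://maplegenomics.sharepoint.com/sites/HR-Comp-2026,HR - Comp 2026,hr-lead@maplegenomics.example,2026-01-14,Confidential - HR,412
https://maplegenomics.sharepoint.com/sites/Lab-Protocols,Lab Protocols,lab@maplegenomics.example,2026-01-20,,412
https://maplegenomics.sharepoint.com/sites/Project-Aurora-2019,Project Aurora 2019,,2019-11-02,,412
https://maplegenomics.sharepoint.com/sites/Genomics-Data,Genomics Data,bio@maplegenomics.example,2026-01-19,Confidential - Patient Data,412
'@

$rows  = $dagCsv | ConvertFrom-Csv
$today = Get-Date '2026-02-01'       # pinned so the sample output is reproducible
$inactiveAfterDays = 365
# Labels whose content must never sit behind an org-wide grant (tenant-specific; assumed names).
$highLabels = @('Confidential - HR', 'Confidential - Patient Data', 'Highly Confidential')

$triage = foreach ($r in $rows) {
    $lastActive   = [datetime]::ParseExact($r.LastActivityDate, 'yyyy-MM-dd', $null)
    $inactiveDays = ($today - $lastActive).Days
    $bucket = if ($highLabels -contains $r.SensitivityLabel) {
        'FixNow'               # labelled content reachable by every employee: remove the grant first
    } elseif (-not $r.PrimaryOwner -or $inactiveDays -gt $inactiveAfterDays) {
        'ArchiveOrRecertify'   # no owner or stale: lifecycle-policy territory
    } else {
        'OwnerReview'          # active, owned, unlabelled: ask the owner if org-wide access is intended
    }
    [pscustomobject]@{
        SiteUrl      = $r.SiteUrl
        Label        = if ($r.SensitivityLabel) { $r.SensitivityLabel } else { '(none)' }
        InactiveDays = $inactiveDays
        HasOwner     = [bool]$r.PrimaryOwner
        Bucket       = $bucket
    }
}

$triage | Sort-Object Bucket, InactiveDays -Descending | Format-Table -AutoSize
$triage | Group-Object Bucket | Select-Object Name, Count

# Only sites an owner has actually reviewed belong on a Restricted SharePoint Search allowlist;
# FixNow and ArchiveOrRecertify sites stay off it until remediated.
$triage | Where-Object Bucket -eq 'OwnerReview' |
    Select-Object -ExpandProperty SiteUrl |
    Set-Content -Path .\rss-allowlist-candidates.txt
```

With the sample rows, HR - Comp 2026 and Genomics Data land in FixNow, the ownerless 2019 project site in ArchiveOrRecertify, and only Lab Protocols is written to the candidates file. The point of the buckets is ordering: a labelled site behind "Everyone except external users" is the one Copilot will surface first, so it is fixed before any lifecycle or review work starts.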

Site lifecycle policies

Inactive site discovery and review — sites untouched for N months prompt their owners to certify or archive. Reduces the long tail.

Sensitivity labels in the Copilot path

Sensitivity labels do two things in the AI context:

  1. Inheritance into Copilot responses — when Copilot summarises content from a “Confidential — Finance” labelled document, the response inherits the label. Recipients see the same label, and label-bound restrictions (encryption, audience scope) follow the answer.
  2. Label-based exclusion — content carrying a specific label can be kept out of Copilot altogether, whatever the user's SharePoint permissions. Two mechanisms do this: a label whose encryption grants the user VIEW but withholds the EXTRACT usage right (Copilot cannot summarise or quote encrypted content unless the user holds EXTRACT), and a Purview DLP policy scoped to the Microsoft 365 Copilot location with a "content contains sensitivity label" condition that stops Copilot processing the item. Pattern: "Highly Confidential" content is invisible to Copilot regardless of user permissions.

This is the content-centric answer to over-sharing: even if a user has SharePoint read access, the label (or a DLP rule keyed on it) tells Copilot not to surface the item in summaries.
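An added example, not from the page, of the check behind the first exclusion mechanism: it lists, per encrypting label and grantee, whether the granted rights include EXTRACT (or OWNER, which implies it) and therefore whether Copilot can summarise that content. The label names, grantee address and the commented Set-Label right set are assumptions; EncryptionRightsDefinitions is the property Security & Compliance PowerShell exposes on Get-Label output.

```powershell
# Added example, not from the page: list which encrypting sensitivity labels still let Copilot use
# the content. Copilot needs the EXTRACT usage right (OWNER implies it) to summarise or quote
# encrypted content; VIEW alone keeps it out of answers.
# Assumes the ExchangeOnlineManagement module and a Purview compliance admin role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$report = foreach ($label in (Get-Label | Where-Object { $_.EncryptionEnabled })) {
    # EncryptionRightsDefinitions is a string of "grantee:RIGHT,RIGHT;grantee:RIGHT" entries.
    # Labels that let the author choose permissions (user-defined) carry no fixed rights here.
    if (-not $label.EncryptionRightsDefinitions) {
        [pscustomobject]@{
            Label = $label.DisplayName; Grantee = '(user-defined)'; Rights = ''; CopilotCanUse = 'depends on author'
        }
        continue
    }
    foreach ($grant in ($label.EncryptionRightsDefinitions -split ';' | Where-Object { $_ })) {
        $grantee, $rightsText = $grant -split ':', 2
        $rights = @(($rightsText -split ',') | ForEach-Object { $_.Trim().ToUpperInvariant() })
        [pscustomobject]@{
            Label         = $label.DisplayName
            Grantee       = $grantee
            Rights        = $rightsText
            CopilotCanUse = ($rights -contains 'EXTRACT' -or $rights -contains 'OWNER')
        }
    }
}
$report | Format-Table -AutoSize

# To make a label Copilot-proof for a grantee, reissue its rights without EXTRACT
# (assumed grantee and right set; read the label's current definition first so nothing else is lost):
# Set-Label -Identity 'Confidential - Patient Data' `
#   -EncryptionRightsDefinitions 'clinical-staff@maplegenomics.example:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,REPLY,FORWARD'
```

Any row with CopilotCanUse set to True for a label you intended to exclude is a finding: the label is encrypting the file but still handing Copilot the right it needs. For labels that do not encrypt at all, this check does not apply and the DLP-for-Copilot route is the one to use.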

Microsoft Purview DLP for AI

Purview Data Loss Prevention has dedicated policy templates and conditions for AI:

  • Detect sensitive content in Copilot prompts — alert or block a prompt that contains regulated data (e.g. customer PII pasted into a Copilot question).
  • Detect sensitive content in Copilot responses — alert when a response includes detected sensitive info types or labelled content.
  • Block third-party AI sites (via Defender for Cloud Apps integration) — prevent users from posting sensitive content to consumer AI tools outside the tenant boundary.

DLP for AI is the “act on what DSPM saw” layer.

The SC-500 AI-security pattern: discovery → containment → enforcement

When an SC-500 scenario asks “what should be configured?”, the answer typically follows a three-step pattern:

  1. Discovery (DSPM for AI) — surface what AI apps are doing, what sensitive content they touch, what users are doing with the responses. Pure visibility.
  2. Containment (Restricted SharePoint Search, Site lifecycle, DAG reports) — limit what the AI can reach in the first place. Reduces the surface.
  3. Enforcement (sensitivity labels, DLP for AI, Defender for Cloud Apps for third-party AI) — block, label, alert on specific content patterns. Structured controls.

An exam answer that proposes “just turn on DSPM and you’re protected” is incomplete — DSPM tells you what’s wrong; the other surfaces fix it. Conversely, “just turn on DLP” misses the discovery step that tells you where to point DLP. The right exam answer typically combines at least one discovery and one enforcement surface.

Scenario: Ravi protects Maple Genomics against Copilot over-exposure

Maple Genomics is six weeks from a tenant-wide Microsoft Copilot rollout. Ravi (their solo security lead) has been told “Copilot is on; make it safe.” Here’s his plan:

  1. Discovery first — Microsoft Purview DSPM for AI

    • Enable DSPM for AI in the Purview portal.
    • Run the Data assessments recommended action — DSPM scans SharePoint and surfaces sites with “Everyone except external users” or organisation-wide sharing. Output: a list of 38 over-shared sites in Maple Genomics’ tenant, including the HR — Comp 2026 site.
    • Run the AI app activity report — identifies that 4 employees have already been using personal ChatGPT via the browser (surfaced via Defender for Cloud Apps integration).
  2. Containment — Restricted SharePoint Search

    • Enable Restricted SharePoint Search. Curate the initial allowlist to about 80 sites (under the 100-site cap) that have either been label-classified or pass a content review.
    • Buy time to fix the long tail: until a site is added to the allowlist, Copilot cannot use it as a grounding source.
  3. Enforcement — sensitivity labels + DLP for AI

    • Apply the “Confidential — Patient Data” label to all genomics-data libraries. Configure the label's encryption to grant staff VIEW but not EXTRACT (or add a Purview DLP policy for Microsoft 365 Copilot keyed on the label) so Copilot cannot summarise the labelled content, no matter the user's permissions.
    • Roll out a Purview DLP for AI policy that detects HIPAA-style PHI in Copilot prompts and responses; alert + tip on first detection, block on repeat.
    • Configure Defender for Cloud Apps with the “Block uploads of sensitive content” policy aimed at consumer AI domains, so the four ChatGPT users can no longer paste PHI into the public tool.
  4. Site lifecycle

    • Enable inactive-site discovery; sites untouched for 12 months prompt owner certification. Reduces the long tail over time.

After 30 days: DSPM for AI shows zero “Everyone except external users” sites on the allowlist, zero sensitivity-labelled content surfaced in Copilot responses, and zero PHI in Copilot prompts. The 38 over-shared sites are still over-shared for anyone who navigates to them; Restricted SharePoint Search only keeps them out of Copilot grounding while their permissions are fixed, so they stay on the remediation list. Ravi presents to the exec team: Copilot is on, the audit trail is in place, and the surface area is contained.
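A way to back the 30-day claim with evidence rather than a dashboard, as an added example that is not from the page: it pulls Copilot interaction records from the unified audit log, extracts the SharePoint sites Copilot actually grounded on, and flags any that sit off the RSS allowlist or carry a sensitivity label. The allowlist file and the AuditData property path (CopilotEventData.AccessedResources with SiteUrl and SensitivityLabelId) are assumptions to confirm against one sample record from your own tenant.

```powershell
# Added example, not from the page: check the rollout with audit evidence. Pulls CopilotInteraction
# records from the unified audit log, lists the SharePoint sites Copilot grounded on, and flags any
# not on the Restricted SharePoint Search allowlist or carrying a sensitivity label.
# Assumptions: ExchangeOnlineManagement module, auditing enabled for the tenant, the allowlist
# exported one URL per line, and the AuditData JSON layout named below.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$allowlist = Get-Content .\rss-allowlist.txt | ForEach-Object { $_.Trim().TrimEnd('/').ToLowerInvariant() }
$start = (Get-Date).AddDays(-30)
$end   = Get-Date

# 5000 is the per-call maximum; for busier tenants page with -SessionCommand ReturnLargeSet -SessionId.
$records = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType CopilotInteraction -ResultSize 5000)

$grounding = foreach ($rec in $records) {
    $data = $rec.AuditData | ConvertFrom-Json
    foreach ($res in @($data.CopilotEventData.AccessedResources)) {
        if (-not $res.SiteUrl) { continue }     # mail, Teams and other non-SharePoint resources
        $site = $res.SiteUrl.TrimEnd('/').ToLowerInvariant()
        [pscustomobject]@{
            When        = $rec.CreationDate
            User        = $rec.UserIds
            SiteUrl     = $site
            OnAllowlist = ($allowlist -contains $site)
            Labelled    = [bool]$res.SensitivityLabelId
        }
    }
}

"Interactions: $($records.Count); grounded SharePoint resources: $(@($grounding).Count)"

# Anything listed here contradicts "Copilot only sees the allowlist" or "labelled content is not
# surfaced". Off-allowlist hits from a user's own OneDrive or recently accessed files are expected
# under RSS; everything else needs an explanation, and every Labelled row is a finding.
$grounding | Where-Object { -not $_.OnAllowlist -or $_.Labelled } |
    Sort-Object When |
    Format-Table When, User, SiteUrl, OnAllowlist, Labelled -AutoSize
```

Schedule it to run weekly and keep the output: it is the audit trail the exec presentation refers to, and it is also the quickest way to notice a site that was added to the allowlist without passing review.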

Key terms

Question

Why is SharePoint over-sharing a bigger problem after Copilot than before?


Answer

Before Copilot, over-shared content was protected by obscurity — users rarely browsed to it. With Microsoft 365 Copilot, any user can surface readable content via natural-language search, so over-sharing becomes immediately reachable across the tenant. The mitigation is to find and contain the over-shared content (Purview DSPM for AI + Restricted SharePoint Search + sensitivity labels + DLP for AI).


Question

What is Microsoft Purview Data Security Posture Management for AI (DSPM for AI)?


Answer

A dedicated workspace in the Microsoft Purview portal that discovers AI app activity in the tenant (Copilot, Copilot Studio, Foundry, third-party AI), surfaces sensitive content interactions, identifies risky behaviour, and recommends remediation steps that link into Purview controls (sensitivity labels, DLP, Insider Risk Management).


Question

What does Restricted SharePoint Search (RSS) do?


Answer

A tenant setting that limits organisation-wide SharePoint search and Microsoft 365 Copilot grounding to a curated allowlist of up to 100 sites, plus content each user owns, has recently accessed, or has had shared with them directly (including their OneDrive). Used as a containment control during Copilot rollouts to limit Copilot's reach while the long tail of over-shared sites is remediated; it changes discoverability, not permissions.


Question

How do sensitivity labels affect Copilot summarisation?


Answer

Two effects: (1) Copilot responses inherit the highest-priority (most sensitive) label of the content they draw on, so recipients see the same label and label-bound restrictions follow the answer. (2) Labelled content can be kept out of Copilot entirely, even when the user has SharePoint read access: either the label's encryption withholds the EXTRACT usage right, which Copilot needs before it will summarise encrypted content, or a Purview DLP policy for Microsoft 365 Copilot uses a "content contains sensitivity label" condition to stop Copilot processing the item.


Question

What does Purview DLP for AI do?


Answer

Extends Microsoft Purview Data Loss Prevention to AI interactions — detects sensitive content in Microsoft Copilot prompts and responses, with actions including alert, tip-the-user, and block. Combined with Defender for Cloud Apps, can also block consumer AI tools from receiving uploads of sensitive content.


Knowledge check

  1. Ravi at Maple Genomics is six weeks from tenant-wide Microsoft Copilot rollout. He needs to first DISCOVER which SharePoint sites are over-shared and which AI apps are already being used by staff. Which Microsoft Purview capability is purpose-built for this?
  2. Esme, Northwind Bank's CISO, insists Copilot must not summarise or surface content from any document labelled 'Highly Confidential — Customer'. Which control directly achieves this?
  3. Asha at Aurora Health Service is in the first 30 days of Copilot rollout. She wants to limit Copilot grounding to a curated allowlist of reviewed sites while the security team remediates the long tail of over-shared sites. Which tenant control fits?

What’s next

The next module covers Copilot Studio agents and the M365 admin center — real-time runtime protection for Copilot Studio agents, agent governance in the Microsoft 365 admin center, and the controls that turn “anyone can build an agent” into “agents have an owner, a data scope, and a review trail”.