SKILL.md: paste into Microsoft 365 Copilot or Claude
---
name: Data Access Governance Report Review
description: Interpret SharePoint Advanced Management Data Access Governance reports and turn oversharing and sharing-link findings into a prioritised remediation plan.
---
# Data Access Governance Report Review
> **TL;DR:** This skill reads your SharePoint Advanced Management Data Access Governance reports, interprets the oversharing, sharing-link and sensitivity-label signals, and produces a prioritised, owner-assigned remediation plan for Microsoft 365 Copilot readiness.
## What do the Data Access Governance (DAG) reports reveal?
This skill interprets the Data Access Governance (DAG) reports generated by SharePoint Advanced Management, which surface sites with potential oversharing, broad sharing links and unlabelled sensitive content. It correlates these reports with Microsoft Graph and Microsoft Purview sensitivity signals to explain what each finding means and how it affects Microsoft 365 Copilot exposure. The output is a prioritised remediation plan that assigns each issue an owner and a least-privilege action. The review reads existing reports only and makes no tenant changes.
## When should you run this skill?
- "Explain our Data Access Governance reports"
- "Turn the DAG oversharing report into a remediation plan"
- "Which sites does SharePoint Advanced Management flag as risky?"
- "Prioritise our oversharing findings by impact"
- "Assign owners to our SharePoint governance issues"
- "Map DAG findings to Copilot readiness actions"
## How this skill works, step by step
1. Connect read-only to SharePoint Online and retrieve available DAG report data.
2. Parse the oversharing, sharing-links and sensitivity-label report categories.
3. Correlate flagged sites with Microsoft Graph ownership and activity signals.
4. Enrich findings with Microsoft Purview sensitivity-label context where present.
5. Deduplicate overlapping findings across report categories per site.
6. Score each finding by exposure breadth, sensitivity and remediation effort.
7. Assign a likely owner from site ownership metadata.
8. Sequence findings into a prioritised remediation plan.
9. Output the plan without modifying reports or tenant configuration.
## Output format
The skill returns a prioritised remediation table, one row per finding.
| Site | Finding | Sensitivity | Owner | Risk | Recommended action |
| --- | --- | --- | --- | --- | --- |
| Finance Hub | Oversharing (EEEU) | Confidential | j.smith | High | Replace EEEU with scoped group |
| Marketing | Anyone links active | General | a.lee | Medium | Expire and reissue as scoped |
| R&D Vault | Unlabelled sensitive | Unknown | k.nguyen | High | Apply sensitivity label |

Summary:
- Total findings reviewed: 188
- High risk: 41
- Medium risk: 73
- Low risk: 74
- Findings with assigned owner: 165
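
Steps 5 to 8 and the output table above, sketched as an added Python example (not part of the skill file or any Microsoft tooling). The weights, risk bands, effort values, the `Old Projects` site and the `UNASSIGNED` marker are assumptions, chosen so the three sample rows reproduce the Risk column shown.

```python
# Added example: constructed rows and assumed weights, not the skill's own logic.
BREADTH = {"Oversharing (EEEU)": 3, "Anyone links active": 3, "Unlabelled sensitive": 2}
# "Unknown" scores as worst case: unlabelled content cannot be assumed benign.
SENSITIVITY = {"General": 1, "Confidential": 3, "Unknown": 3}

# Constructed parse output: (site, finding, sensitivity, source report, effort 1-3).
ROWS = [
    ("Finance Hub", "Oversharing (EEEU)", "Confidential", "oversharing", 2),
    ("Finance Hub", "Oversharing (EEEU)", "Confidential", "sharing-links", 2),
    ("Marketing", "Anyone links active", "General", "sharing-links", 1),
    ("R&D Vault", "Unlabelled sensitive", "Unknown", "sensitivity-labels", 1),
    ("Old Projects", "Anyone links active", "Confidential", "sharing-links", 1),
]
# Constructed ownership metadata; "Old Projects" has no owner on record.
OWNERS = {"Finance Hub": "j.smith", "Marketing": "a.lee", "R&D Vault": "k.nguyen"}


def dedupe(rows):
    """Step 5: one record per (site, finding), remembering every report that raised it."""
    merged = {}
    for site, finding, sensitivity, report, effort in rows:
        rec = merged.setdefault((site, finding), {
            "site": site, "finding": finding, "sensitivity": sensitivity,
            "effort": effort, "reports": []})
        if report not in rec["reports"]:
            rec["reports"].append(report)
    return list(merged.values())


def risk(rec):
    """Step 6: exposure breadth times sensitivity, banded into High / Medium / Low."""
    score = BREADTH[rec["finding"]] * SENSITIVITY[rec["sensitivity"]]
    return score, "High" if score >= 6 else "Medium" if score >= 3 else "Low"


def plan(rows, owners):
    """Steps 7-8: attach an owner, then order by score and remediation effort."""
    out = []
    for rec in dedupe(rows):
        score, band = risk(rec)
        owner = owners.get(rec["site"], "UNASSIGNED")  # surface gaps, never guess
        out.append({**rec, "score": score, "risk": band, "owner": owner})
    # Highest score first; among equal scores the cheapest fix goes first.
    return sorted(out, key=lambda f: (-f["score"], f["effort"], f["site"]))


if __name__ == "__main__":
    for f in plan(ROWS, OWNERS):
        print(f"{f['site']:<13}{f['finding']:<22}{f['risk']:<7}{f['owner']}")
```
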
## Scope and safety
This skill is read-only by default and makes no changes to reports, sites or permissions.
This skill does NOT:
- Generate, schedule or delete Data Access Governance reports.
- Modify site permissions, sharing links or sensitivity labels.
- Reassign site ownership or contact owners directly.
- Change SharePoint Advanced Management configuration.
## Licensing and permissions
### Licences and add-ons
| Capability used | Minimum licence |
| --- | --- |
| Data Access Governance reports and oversharing signals | SharePoint Advanced Management (with Microsoft 365 E3 or E5) |
| Sensitivity-label context for findings | Microsoft 365 E5 (or E5 Compliance / Information Protection) |
| Microsoft Graph ownership and activity enrichment | Microsoft 365 E3 |
### Least-privilege roles
- Global Reader (tenant-wide read for reviewing reports and signals)
- SharePoint Administrator with read access to the SharePoint admin centre Data Access Governance reports
### Microsoft Graph permissions (read-only)
- `Sites.Read.All` — read SharePoint site metadata and ownership for flagged sites
- `Files.Read.All` — read item-level sharing context referenced in findings
- `Group.Read.All` — resolve groups used in sharing and site ownership
- `Directory.Read.All` — resolve users and directory objects for owner assignment

Note: the Data Access Governance reports themselves are generated and viewed in the SharePoint admin centre under SharePoint Advanced Management, not via Microsoft Graph; this skill reads the exported or displayed report data and enriches it with the read-only Graph scopes above.
## Sources and compliance
- [Data access governance reports](https://learn.microsoft.com/en-us/sharepoint/data-access-governance-reports)
- [SharePoint Advanced Management overview](https://learn.microsoft.com/en-us/sharepoint/advanced-management)
- Maps to Essential Eight: Restrict administrative privileges through least-privilege remediation.
- Aligns with ISM controls for access control, information classification and data handling.
- Reference: [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English

## How to use this skill
- Get the file. Download or copy the `SKILL.md` from the panel above.
- Load it into your host:
  - Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
  - Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
  - Any chat host — paste the file contents as your prompt.
- Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed in the Licensing and permissions section.
- Provide your tenant scope and run it (a site, a collection, or the whole tenant).
- Review the report and action the risk-ranked recommendations.

This skill is read-only by default — it inspects and reports, and never changes your tenant.