SKILL.md: paste into Microsoft 365 Copilot or Claude
---
name: Restricted SharePoint Search Readiness
description: Rank the highest-risk SharePoint Online sites to set a Restricted SharePoint Search allowlist before broadening Microsoft 365 Copilot access.
---
# Restricted SharePoint Search Readiness
> **TL;DR:** This skill assesses your SharePoint Online estate, ranks sites by oversharing risk, and produces a recommended Restricted SharePoint Search allowlist so you can stage Microsoft 365 Copilot access while you remediate.
## What does Restricted SharePoint Search readiness assess?
This skill evaluates SharePoint Online sites to support Restricted SharePoint Search, a SharePoint Advanced Management capability that limits Microsoft 365 Copilot and enterprise search to an explicit allowlist of sites. It uses Microsoft Graph and Data Access Governance signals to identify which sites are well-governed enough to expose to Copilot and which should stay excluded until remediated. The result is a defensible allowlist that lets you roll out Copilot to a trusted subset while you reduce oversharing elsewhere. The assessment is read-only and changes no search configuration.
## When should you run this skill?
- "Help me build a Restricted SharePoint Search allowlist"
- "Which sites are safe to enable for Copilot first?"
- "Stage our Copilot rollout while we fix oversharing"
- "Rank sites by risk before turning on enterprise search"
- "Which SharePoint sites should stay excluded from Copilot?"
- "Assess Restricted SharePoint Search readiness for our tenant"
## How this skill works, step by step
1. Connect read-only to Microsoft Graph and SharePoint Online with assessment scopes.
2. Enumerate candidate sites and gather ownership, activity and sensitivity signals.
3. Pull Data Access Governance indicators such as EEEU grants and Anyone links per site.
4. Classify each site as governed, partially governed or high risk.
5. Recommend governed sites for the Restricted SharePoint Search allowlist.
6. Flag high-risk sites for exclusion until remediation completes.
7. Derive a risk score per site from exposure breadth, sensitivity and ownership health.
8. Produce a staged rollout view ordered by readiness.
9. Output the ranked allowlist and exclusion list without applying any change.
## Output format
The skill returns a readiness table, one row per evaluated site, with an allowlist recommendation.
| Site | Owners | Oversharing signals | Risk | Allowlist recommendation |
| --- | --- | --- | --- | --- |
| HR Policies | 2 | None | Low | Include |
| Sales Shared | 1 | Anyone links | Medium | Defer |
| Legacy Archive | 0 | EEEU, Anyone links | High | Exclude |
Summary:
- Total sites assessed: 210
- Recommended for allowlist: 96
- Defer pending review: 78
- Exclude until remediated: 36
## Scope and safety
This skill is read-only by default and makes no changes to Restricted SharePoint Search, search settings or site permissions.
This skill does NOT:
- Enable, disable or modify Restricted SharePoint Search configuration.
- Add or remove any site from the live allowlist.
- Change Microsoft 365 Copilot licensing or access.
- Alter site permissions, ownership or content.
## Licensing and permissions
### Licences and add-ons
| Capability used | Minimum licence |
| --- | --- |
| Restricted SharePoint Search and Data Access Governance reports | SharePoint Advanced Management (included with Microsoft 365 Copilot, or as a standalone add-on) |
| SharePoint Online site enumeration and signals | Microsoft 365 E3 or E5 |
### Least-privilege roles
- Global Reader for read-only assessment across the tenant.
- SharePoint Administrator where SharePoint Advanced Management report access is required.
### Microsoft Graph permissions (read-only)
- `Sites.Read.All` — enumerate SharePoint Online sites and read site metadata.
- `Files.Read.All` — read sharing signals such as Anyone links to gauge exposure.
- `Group.Read.All` — read group ownership and membership backing each site.
- `Directory.Read.All` — resolve owners and directory objects for ownership health.
Data Access Governance and Restricted SharePoint Search reports are surfaced through the SharePoint admin centre and SharePoint Online Management Shell PowerShell rather than Microsoft Graph.
## Sources and compliance
- [Restricted SharePoint Search](https://learn.microsoft.com/en-us/sharepoint/restricted-sharepoint-search)
- [Get ready for Copilot with SharePoint Advanced Management](https://learn.microsoft.com/en-us/sharepoint/get-ready-copilot-sharepoint-advanced-management)
- Maps to Essential Eight: Restrict administrative privileges and reduce unnecessary data exposure.
- Aligns with ISM controls for access control and information classification.
- Reference: [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English
## How to use this skill
1. Get the file. Download or copy the `SKILL.md` from the panel above.
2. Load it into your host:
   - Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
   - Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
   - Any chat host — paste the file contents as your prompt.
3. Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed under Licensing and permissions.
4. Provide your tenant scope and run it (a site, a collection, or the whole tenant).
5. Review the report and action the risk-ranked recommendations.
This skill is read-only by default — it inspects and reports, and never changes your tenant.
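To sanity-check a report the skill returns, the classification and scoring steps can be reproduced offline; this is an added example, not part of the skill file, run over constructed records that mirror the three sample rows of the readiness table. The weights, thresholds, `sensitive` flag and function names are assumptions, and the 100-site cap is the allowlist limit Microsoft documents for Restricted SharePoint Search.

```python
from dataclasses import dataclass

# Assumed weights and thresholds; the skill file does not define any.
SIGNAL_WEIGHTS = {"EEEU": 3, "Anyone links": 2}
ALLOWLIST_CAP = 100  # documented allowlist limit; verify against the linked docs

@dataclass(frozen=True)
class Site:
    name: str
    owners: int
    signals: tuple = ()      # Data Access Governance indicators found on the site
    sensitive: bool = False  # hypothetical flag, e.g. a sensitivity label is present

def risk_score(site):
    """Combine exposure breadth, sensitivity and ownership health into one integer."""
    score = sum(SIGNAL_WEIGHTS.get(sig, 1) for sig in site.signals)
    if site.owners == 0:
        score += 3           # orphaned site: nobody to remediate or attest
    elif site.owners == 1:
        score += 1           # single point of failure
    if site.sensitive and site.signals:
        score += 2           # sensitive content that is also broadly exposed
    return score

def recommend(site):
    """Map the score onto the Risk and Allowlist recommendation columns."""
    score = risk_score(site)
    if score <= 1:
        return ("Low", "Include")
    if score <= 4:
        return ("Medium", "Defer")
    return ("High", "Exclude")

def build_plan(sites, cap=ALLOWLIST_CAP):
    """Rank sites lowest risk first and bucket them; nothing is applied to the tenant."""
    plan = {"Include": [], "Defer": [], "Exclude": []}
    for site in sorted(sites, key=lambda s: (risk_score(s), s.name)):
        action = recommend(site)[1]
        if action == "Include" and len(plan["Include"]) >= cap:
            action = "Defer"  # over the cap: hold the remainder for a later wave
        plan[action].append(site.name)
    return plan

# Constructed sample input mirroring the three rows of the readiness table.
SAMPLE_SITES = [
    Site("HR Policies", owners=2),
    Site("Sales Shared", owners=1, signals=("Anyone links",)),
    Site("Legacy Archive", owners=0, signals=("EEEU", "Anyone links")),
]
```

Calling `build_plan(SAMPLE_SITES)` reproduces the Include, Defer and Exclude recommendations of the sample table, and a lower `cap` shows how low-risk sites beyond the limit fall back to Defer.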