Episode Details
Back to Episodes
SharePoint Agents Data Leak: Stop SharePoint Agents From Leaking Your Data (The IT Pro Fix)
Season 1
Published 4 months, 4 weeks ago
Description
(00:00:00) SharePoint Agents and Data Security
(00:00:34) The Agent's Perspective: Permissions and Retrieval
(00:01:23) Grounding and DLP: The Missing Links
(00:02:21) Scope Control: The Foundation of Governance
(00:03:16) The Agent's Mental Model: A Step-by-Step Guide
(00:03:42) The Dangers of Inheritance and Scope Overlap
(00:08:33) Hardening Inheritance and Labeling
(00:13:30) Approval Gates and Licensing Controls
(00:17:15) DLP: The Final Layer of Protection
In this episode of M365.fm, Mirko Peters explains why your SharePoint agents aren’t “haunted” — they’re over‑scoped, over‑permitted, and under‑protected. You’ll learn how agents actually see data through Microsoft Graph and ACLs, why grounding does not equal security, and how broken inheritance, weak DLP, and loose labels turn one well‑meaning agent into a data‑leak amplifier.
WHAT YOU WILL LEARN
Your SharePoint agent didn’t leak because AI is spooky; it leaked because your permissions, scope, and DLP told it that leak was allowed. Agents read Graph, not intentions. Permissions gate first, retrieval filters decide where to look, and labels + DLP decide what is allowed to be processed — if you don’t configure
(00:00:34) The Agent's Perspective: Permissions and Retrieval
(00:01:23) Grounding and DLP: The Missing Links
(00:02:21) Scope Control: The Foundation of Governance
(00:03:16) The Agent's Mental Model: A Step-by-Step Guide
(00:03:42) The Dangers of Inheritance and Scope Overlap
(00:08:33) Hardening Inheritance and Labeling
(00:13:30) Approval Gates and Licensing Controls
(00:17:15) DLP: The Final Layer of Protection
In this episode of M365.fm, Mirko Peters explains why your SharePoint agents aren’t “haunted” — they’re over‑scoped, over‑permitted, and under‑protected. You’ll learn how agents actually see data through Microsoft Graph and ACLs, why grounding does not equal security, and how broken inheritance, weak DLP, and loose labels turn one well‑meaning agent into a data‑leak amplifier.
WHAT YOU WILL LEARN
- How SharePoint agents really work: persona (identity + permissions) plus retrieval filters over SharePoint via Microsoft Graph
- Why grounding filters relevance but never shrinks what the identity is legally allowed to access
- How overscoped knowledge sources (site roots, hubs, recursive folders) quietly pull in HR, Legal, and sensitive side libraries
- Why permission inheritance and “Everyone/All Employees” groups become silent escalation paths for agents
- How to scope knowledge sources like a lawyer: library‑level only, shallow folder depth, metadata filters, and explicit exclusion of drafts and working trees
- How to harden permissions by breaking inheritance on the right libraries, replacing broad groups with role‑based security groups, and defining clear tiers (Confidential, Internal, Public‑internal)
- How to pair sensitivity labels with Purview DLP so some labels are agent‑allowed and others are always blocked, even if users can view the files
- How to design approval gates for agents, using service identities, Pay‑As‑You‑Go/licensing, and data policies as real guardrails
- How to monitor, audit, and safely roll back when an agent or policy misstep exposes the wrong content
Your SharePoint agent didn’t leak because AI is spooky; it leaked because your permissions, scope, and DLP told it that leak was allowed. Agents read Graph, not intentions. Permissions gate first, retrieval filters decide where to look, and labels + DLP decide what is allowed to be processed — if you don’t configure