Automating SharePoint: five processes worth tackling first in mid-sized companies
Five SharePoint processes that mid-sized companies should automate first, and the tools you use to do it.
Copilot reveals SharePoint over-permissions that have accumulated over years. Here's how to prepare the rollout cleanly with SAM and RCD.

As soon as Microsoft 365 Copilot is rolled out, the same feedback piles up in many IT departments: employees suddenly find documents via AI that they knew nothing about before, such as salary lists, contract drafts, or internal strategy papers.
This is not due to a Copilot error, but to SharePoint permissions that have grown over years and were never cleaned up. Copilot only makes this problem visible; it did not create it.
Copilot accesses exclusively content for which a user already has permission; existing access rights are respected and not bypassed (Source: Microsoft, Copilot Search FAQ).
The real problem is that many SharePoint sites have accumulated sharing for 'Everyone Except External Users' (EEEU), open shared links, or broken permission inheritance over years, which no one searched before because no human could search as efficiently as AI (Source: Microsoft, Zero Trust for Copilot). Copilot searches in seconds what an employee would have taken hours for before, and makes every forgotten share immediately findable.
For companies with strict documentation requirements, such as in human resources or public administration, this is more than a compliance detail: when an internal AI tool unintentionally discloses personal data for which there should be no access permission at all, control over your own data is at stake—precisely the point at which automation without governance becomes a risk instead of a relief.
SharePoint Advanced Management (SAM) bundles the tools administrators use to identify and remediate over-permissions before a Copilot rollout, including Data Access Governance reports, Content Management Assessment, and Site Access Review (Source: Microsoft, Get ready for Copilot with SharePoint Advanced Management).
Site Access Review delegates the review of over-permissioned sites directly to the respective site owners, relieving IT and anchoring responsibility where subject matter expertise over content lies. Change History reports additionally show all website actions and setting changes from the last 180 days, evidence of how much room exists between two reviews for unnoticed growth in permissions (Source: Microsoft, Change History Report).
Restricted Content Discovery (RCD) prevents content from a site appearing in organization-wide search and in Copilot without changing the underlying permissions (Source: Microsoft, Restrict discovery of SharePoint sites and content).
Users who already have access to a site keep that access completely; only discoverability via search and Copilot is restricted, a clean interim step for sites being reviewed. For very large sites with more than 500,000 items, however, the update can take more than a week because the setting must first propagate through the search indices (Source: Microsoft, Restricted Content Discovery).
If you are still using the older Restricted SharePoint Search instead, you should switch: Microsoft blocks its new deployment starting July 31, 2026 and explicitly refers to RCD as the successor solution (Source: Microsoft, Restricted SharePoint Search).
Microsoft's own deployment guide describes oversharing prevention as a four-step process: identify risk sites via Purview data risk assessments and SAM Content Management Assessment, temporarily secure with RCD and data loss prevention rules for Copilot, correct access rights and permission inheritance, and finally permanently limit to entitled groups via Restricted Access Control (Source: Microsoft, Configure a secure and governed foundation for Microsoft 365 Copilot).
In NordFlux projects, this first step runs regularly before every Copilot licensing, not after: with a customer from the public sector, Copilot should initially be activated tenant-wide until Content Management Assessment showed that a significant portion of active sites still had the EEEU share from an older SharePoint migration. Only after cleanup did the rollout go live, with a significantly smaller but clean attack surface.
Read more about our approach to the Microsoft 365 environment in our service Microsoft 365 Automation, for accompanying governance consulting around Copilot rollouts in our AI Consulting.
Copilot only shows what users are already allowed to see, but suddenly exposes SharePoint over-permissions that have accumulated over years. SharePoint Advanced Management and Restricted Content Discovery provide the tools to clean this up before rollout instead of having to explain it afterward.
No. RCD only affects discoverability via organization-wide search and Copilot, not access rights. Users with existing access can continue to access content directly.
No, not permanently. The over-permissions exist independently of Copilot and will become just as visible with the next rollout or an enhanced search function. Cleanup before rollout is cheaper than reacting afterward.
That depends on the number and size of the sites. For individual very large sites, the technical propagation of Restricted Content Discovery alone can take over a week, plus time for access reviews and correction of permission inheritance.
We check before licensing which sites are over-provisioned using the SharePoint Advanced Management reports, implement Restricted Content Discovery as an immediate measure for risk sites, and guide site owners during access review before Copilot goes live.
NordFlux builds digital employees for organisations: automations and AI agents that take over repetitive work. You stay in control.
Five SharePoint processes that mid-sized companies should automate first, and the tools you use to do it.
In a free initial analysis, we check with the SharePoint Advanced Management reports which sites are over-provisioned and show you how to clean that up cleanly before Copilot licensing.