As the Copilot settings are ever evolving, I just wanted to add an updated best practice on securing M365 Copilot, as the settings have changed a few times this year.
Microsoft 365 Copilot is integrated with your organization’s data and Microsoft productivity suite. Securing it against anonymous access and unwanted cross-tenant connections is essential to protect sensitive information, maintain compliance, and prevent data breaches.
Key Principles
- Zero Trust: Never trust, always verify every connection—even inside your organization.
- Least Privileged Access: Only provide users the minimal level of access required.
- Tenant Isolation: Ensure organizational boundaries are strongly enforced.
1. Block Anonymous Access
Best Practices
- Disable Anonymous Sharing: In OneDrive, SharePoint, and Teams, set sharing policies to block anonymous links and restrict content access to authenticated users only.
- SharePoint & OneDrive: In the Microsoft 365 admin center, set external sharing for SharePoint and OneDrive so that anonymous ("Anyone") links are blocked entirely. Only allow sharing with authenticated users or specific guests. https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off
- Teams: Prevent "Anyone" sharing for files in Teams. Teams files live in SharePoint and OneDrive, so the SharePoint/OneDrive sharing settings are what actually enforce this. https://learn.microsoft.com/en-us/microsoft-365/solutions/groups-teams-access-governance?view=o365-worldwide
- Block Anonymous Access in Power Platform: In the Power Platform admin center, go to Resources > Power Pages sites. Under Governance controls, select Disable anonymous access to all sites, so that unauthenticated users cannot reach Dataverse data or Copilot-driven experiences through Power Pages sites.
- Review all your M365 sharing practices: https://learn.microsoft.com/en-us/microsoft-365/solutions/best-practices-anonymous-sharing?view=o365-worldwide
- Restrict Web & Personal Account Access: Block the Copilot web endpoints intended for personal or unauthenticated use, and only allow sign-in with your corporate Entra ID (formerly Azure AD) accounts. This ensures users are working in the Microsoft 365 Copilot of your tenant, not the public web version or a personal account. Here is a great article describing the options: https://answers.microsoft.com/en-us/msoffice/forum/all/how-to-disable-web-copilot-for-users-having-m365/c3ffd9fa-77ad-4314-ab88-3ffc457cae66
- Control App Entry Points: Unpin or block Copilot on non-managed endpoints and browsers, and regulate which platforms and apps users are allowed to use Copilot from. https://learn.microsoft.com/en-us/copilot/manage
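The SharePoint and OneDrive settings above (which also govern Teams files) can be applied and verified from the SharePoint Online Management Shell. The script below is an added example, not code from the original post; it assumes a tenant named "contoso", the Microsoft.Online.SharePoint.PowerShell module, and an account holding the SharePoint Administrator role. It records the current state, applies the hardened values, lowers any site still explicitly set to allow "Anyone" links, and fails loudly if anonymous sharing is still on.

```powershell
# Added example, not from the original post: harden tenant-wide sharing with the
# SharePoint Online Management Shell (Microsoft.Online.SharePoint.PowerShell).
# Assumptions: the tenant is named "contoso" and you hold the SharePoint Administrator role.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# 1. Capture the current state first so the change can be reviewed and rolled back.
$before = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission
$before | Format-List
# The weak configuration this post warns about reads:
#   SharingCapability      : ExternalUserAndGuestSharing   <- "Anyone" links allowed
#   DefaultSharingLinkType : AnonymousAccess               <- new links default to "Anyone"

# 2. Apply the hardened settings. Splatting keeps each setting next to its reason.
$hardened = @{
    SharingCapability      = 'ExternalUserSharingOnly' # authenticated guests only; "Anyone" links are off
    DefaultSharingLinkType = 'Internal'                # new links default to "People in your organization"
    DefaultLinkPermission  = 'View'                    # and are read-only unless the sharer changes it
}
Set-SPOTenant @hardened

# 3. The tenant setting is a ceiling for every site and OneDrive, but sites that were
#    explicitly set to allow "Anyone" links still carry that value; pin them down and log it.
#    -IncludePersonalSite $true brings the OneDrive (personal) sites into the sweep.
Get-SPOSite -Limit All -IncludePersonalSite $true |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    ForEach-Object {
        Write-Warning "Still configured for Anyone links, lowering: $($_.Url)"
        Set-SPOSite -Identity $_.Url -SharingCapability ExternalUserSharingOnly
    }

# 4. Verify, and fail rather than silently succeed if anything still allows anonymous access.
$after = Get-SPOTenant
if ($after.SharingCapability -eq 'ExternalUserAndGuestSharing' -or
    $after.DefaultSharingLinkType -eq 'AnonymousAccess') {
    throw 'Anonymous (Anyone) sharing is still enabled at the tenant level'
}
"Tenant sharing: $($after.SharingCapability); default link type: $($after.DefaultSharingLinkType)"
```

Run it once interactively and keep the Before output with your change record; if you need a stricter posture, ExistingExternalUserSharingOnly (guests already in the directory only) or Disabled are the next steps down the same SharingCapability scale.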
2. Enforce Tenant Restrictions
Microsoft Entra (formerly Azure AD) tenant restrictions let you limit which tenants your users can sign in to from corporate networks and devices, so they can reach your own tenant but not personal accounts or other organizations.
- Tenant Restrictions v1: Configure your on-premises proxy or supported edge devices to inject two HTTP headers on traffic to the Microsoft sign-in endpoints: Restrict-Access-To-Tenants (a comma-separated list of the tenants users may sign in to) and Restrict-Access-Context (your own tenant's directory ID). Sign-ins to the listed tenants succeed; cross-tenant sign-in attempts are blocked. https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tenant-restrictions
- Tenant Restrictions v2: For finer-grained control, inject the sec-Restrict-Tenant-Access-Policy header, whose value is your tenant ID and the GUID of your tenant restrictions policy separated by a colon. The policy itself, configured in the Entra cross-tenant access settings, blocks authentication to all but the permitted tenants (per user, group and application) and stops sign-in with personal accounts or to external organizations. https://learn.microsoft.com/en-us/entra/external-id/tenant-restrictions-v2
- Enable tenant isolation in the Power Platform admin center: Tenant isolation, the ability to block cross-tenant connections and control inbound and outbound access, can be configured directly from the Power Platform admin center. It applies to environments and connectors, such as Power Apps and Power Automate connections, that interact with external Microsoft tenants. https://learn.microsoft.com/en-us/power-platform/admin/cross-tenant-restrictions?tabs=new
- Monitor and audit cross-tenant access using admin dashboards and connection reports, especially for guest users and B2B (business-to-business) access. Unfortunately these don't all exist out of the box, but here is a fantastic article from Clayton Barrozo de Oliveira: https://www.linkedin.com/pulse/why-cross-tenant-restrictions-matter-how-monitor-them-clayton-5xude/
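Tenant restrictions only work when both halves line up: the proxy must inject the right header values, and (for v2) the policy those values point at must actually block. The script below is an added example, not code from the original post or from Microsoft's documentation. It assumes the Microsoft Graph PowerShell SDK, a role permitted to edit cross-tenant access settings, and placeholder values for the tenant ID, policy GUID and allowed-tenant list; the Graph request body is written to the schema in the TRv2 documentation linked above, and the property names are an assumption to verify against the current doc before running in production.

```powershell
# Added example, not from the original post. Assumptions: Microsoft.Graph.Authentication is installed,
# you hold a role that can edit cross-tenant access settings, and the three values below are placeholders.
Import-Module Microsoft.Graph.Authentication

$tenantId       = '00000000-0000-0000-0000-000000000000'  # placeholder: your Entra tenant ID
$policyGuid     = '11111111-1111-1111-1111-111111111111'  # placeholder: the TRv2 policy ID shown in the Entra admin center
$allowedTenants = @('contoso.com')                        # placeholder: tenants users may sign in to

# 1. Client side: the headers your proxy must add on requests to the Microsoft sign-in endpoints
#    (login.microsoftonline.com, login.microsoft.com, login.windows.net).
#    v1 needs both Restrict-Access-* headers; v2 needs the single sec-Restrict-Tenant-Access-Policy header.
function Get-TenantRestrictionHeaders {
    param([string]$TenantId, [string]$PolicyGuid, [string[]]$AllowedTenants)
    [ordered]@{
        'Restrict-Access-To-Tenants'        = ($AllowedTenants -join ',')   # TRv1: comma-separated permitted tenants
        'Restrict-Access-Context'           = $TenantId                      # TRv1: directory ID that owns the policy
        'sec-Restrict-Tenant-Access-Policy' = "${TenantId}:${PolicyGuid}"     # TRv2: <tenant ID>:<policy GUID>
    }
}
Get-TenantRestrictionHeaders -TenantId $tenantId -PolicyGuid $policyGuid -AllowedTenants $allowedTenants |
    Format-Table -AutoSize

# 2. Server side: make the default TRv2 policy "block everything", so only tenants you later add as
#    explicit partner exceptions can be signed in to from your network. Body schema per the TRv2 doc
#    (assumption: confirm property names against the current documentation).
Connect-MgGraph -Scopes 'Policy.ReadWrite.CrossTenantAccess'
$uri = 'https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/default'

$blockAll = @{
    tenantRestrictions = @{
        usersAndGroups = @{ accessType = 'blocked'; targets = @(@{ target = 'AllUsers';        targetType = 'user' }) }
        applications   = @{ accessType = 'blocked'; targets = @(@{ target = 'AllApplications'; targetType = 'application' }) }
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $blockAll

# 3. Read the policy back and fail if the default is still permissive: a proxy injecting the v2 header
#    against an "allowed" default policy blocks nothing, and that misconfiguration is silent.
$default = Invoke-MgGraphRequest -Method GET -Uri $uri
$tr = $default.tenantRestrictions
if ($tr.usersAndGroups.accessType -ne 'blocked' -or $tr.applications.accessType -ne 'blocked') {
    throw 'Default tenant restrictions policy does not block sign-in to other tenants'
}
'Default TRv2 policy blocks all users and applications; only partner exceptions are permitted.'
```

The v1 header list and the v2 policy are independent controls: a tenant missing from Restrict-Access-To-Tenants is blocked by v1 regardless of what the v2 policy says, so keep both in step when you add a partner exception.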
3. Audit and Monitor for Anonymous Access
- Microsoft 365 provides several built-in tools and reports to help you identify, audit, and monitor files shared via anonymous links (also called “anyone links”) and files or folders shared externally from SharePoint or OneDrive.
- 1. Using Microsoft Purview Audit (Unified Audit Log) https://learn.microsoft.com/en-us/purview/audit-log-activities
- Access the Microsoft Purview compliance portal.
- Navigate to Audit.
- Set your desired date and time range.
- In the Activities filter, search for and select actions like:
  - AnonymousLinkCreated (when an anonymous link is created)
  - AnonymousLinkRemoved (when an anonymous link is removed)
  - AnonymousLinkUsed (when an anonymous link is used/accessed)
  - SharingInvitationCreated (when a file/folder is shared externally)
- Export and review the log to identify when anonymous links were created, accessed, or removed, and which files or folders were affected.
- Note: The audit log will show IP addresses for anonymous link usage, but not user identities since links are unauthenticated. Retention of logs is linked to your organization’s licensing level, so keep retention settings in mind.
- 2. Generating External Sharing Reports per Site https://learn.microsoft.com/en-us/sharepoint/sharing-reports
- You can generate a CSV report for any SharePoint site or OneDrive to see exactly what has been shared externally:
- Go to the site in SharePoint or the corresponding OneDrive.
- Settings > Site usage.
- Scroll to Shared with external users and select Run report.
- Choose where to save the CSV file and run the report.
- For OneDrive, go to Settings > More settings > Run sharing report.
- These reports give detailed records of what items have been shared externally, with whom, and what permissions were granted.
- 3. SharePoint or OneDrive Admin Center Reports
- In the SharePoint Admin Center, go to Reports > Sharing.
- Review all externally shared files, who shared them, when, and the method (direct user, specific guest, anyone link).
- Filter or export results for further analysis.
- 4. PowerShell for Deep Auditing
- Custom PowerShell scripts can enumerate all anonymous links, their permissions, and other metadata for both SharePoint and OneDrive. Examples of relevant PowerShell commands and scripts:
- Use Search-UnifiedAuditLog to query for AnonymousLinkCreated or SharingInvitationCreated events.
- Scripts are available online to export all anonymous or external links across your tenant into CSV files, including permission level, date, file path, and expiration if set. https://o365reports.com/2021/06/22/audit-anonymous-access-in-sharepoint-online-using-powershell/
- Set up automatic alerts for unusual sharing or guest activity.
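The Purview audit search in step 1 and the Search-UnifiedAuditLog approach in step 4 pull the same events; the script below is an added example, not code from the original post or from the linked o365reports article, showing how to do it in a way that copes with the cmdlet's paging limits and parses the AuditData JSON where the useful fields actually live. It assumes the ExchangeOnlineManagement module and an account with an audit-log reader role; the 30-day window and CSV path are arbitrary choices.

```powershell
# Added example, not from the original post. Assumptions: ExchangeOnlineManagement is installed and
# your account holds a role that can read the audit log (for example View-Only Audit Logs).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$operations = 'AnonymousLinkCreated', 'AnonymousLinkUsed', 'AnonymousLinkRemoved', 'SharingInvitationCreated'
$start = (Get-Date).AddDays(-30)
$end   = Get-Date

# One call returns at most 5000 records. ReturnLargeSet with a fixed SessionId pages through
# up to 50,000 for the same query, so loop until a page comes back empty.
$sessionId = "anon-sharing-$(Get-Date -Format 'yyyyMMddHHmmss')"
$raw = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $operations `
        -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
    $raw += $page
} while ($page.Count -gt 0)
# Pages are not ordered and can overlap; Identity is unique per record, so dedupe on it.
$raw = $raw | Sort-Object Identity -Unique

# The useful fields live in the AuditData JSON blob, not in the top-level columns.
$events = $raw | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        Operation = $_.Operations
        Actor     = $d.UserId     # for AnonymousLinkUsed this is an anonymous placeholder, not a person
        ClientIP  = $d.ClientIP   # the only identifying attribute of an anonymous reader
        Site      = $d.SiteUrl
        File      = $d.SourceFileName
        Object    = $d.ObjectId
        SharedTo  = $d.TargetUserOrGroupName  # populated for SharingInvitationCreated
    }
}

# Who is creating "Anyone" links, and how many: the list to take to data owners and to your sharing policy.
$events | Where-Object Operation -eq 'AnonymousLinkCreated' |
    Group-Object Actor | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Which files were actually opened through "Anyone" links, and from how many places; a link used from
# many distinct IPs is the one to investigate first, because the link itself is the credential.
$events | Where-Object Operation -eq 'AnonymousLinkUsed' |
    Group-Object Object |
    Select-Object Count, Name, @{ n = 'DistinctIPs'; e = { ($_.Group.ClientIP | Sort-Object -Unique).Count } } |
    Sort-Object DistinctIPs -Descending | Format-Table -AutoSize

# Keep the full detail for the data owner or the incident ticket.
$events | Sort-Object Time -Descending | Export-Csv -Path .\anonymous-sharing-audit.csv -NoTypeInformation
```

Because the audit log cannot name the person behind an AnonymousLinkUsed event, pair the ClientIP column with your proxy or VPN logs when you need to attribute a read; and remember that the look-back window is bounded by your licence's audit retention, so schedule this rather than relying on an ad hoc search after the fact.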
Example Configuration Checklist
| Area | Action | Where to Configure |
|---|---|---|
| Sharing Links | Turn off “Anyone” links, restrict to authenticated users | Microsoft 365, SharePoint, OneDrive |
| Tenant Restrictions | Enable and enforce via proxy or supported devices | Edge Device/Proxy, Entra ID |
| Guest Access | Restrict guest access to own directory objects only | Entra ID Admin Center |
| Conditional Access | Require MFA, block risk, enforce device compliance | Entra ID > Conditional Access |
| Power Platform/Apps | Disable anonymous access everywhere possible | Power Platform Admin Center |
For Purview settings on information protection labels, I will be doing some follow-up blogs to help ensure your data stays safe.
Hope that helps answer some of the M365 security questions I have been asked over the last 6 weeks.
