Skip to content
AI SecuritySharePointMicrosoft 365OneDrive

How to Secure SharePoint and OneDrive When AI Needs Access

SharePoint and OneDrive hold board decks, HR records, and customer data. A Microsoft Graph token gives AI all of it. Here is how to lock it down with PortEden.

9 min readPortEden Team

SharePoint and OneDrive for Business are where Microsoft 365 tenants keep almost everything that matters. Board decks, HR records, customer contracts, financial models, engineering specs, and the rolling history of who changed what. When an AI agent connects to Microsoft Graph, it inherits the connecting user's entire view of that footprint in a single OAuth token.

Connecting AI to SharePoint is a reasonable thing to want. AI can summarize a contract, draft a status note from a project library, or answer a question by pulling from internal wikis. The problem is that there is no built-in way to scope an AI agent down to one team site, one library, or one set of sensitivity labels. This guide covers what is at risk and how PortEden, the data firewall for AI, keeps SharePoint content under control.

The Risk: One Token, Every Site

A SharePoint or Microsoft Graph OAuth token does not come with a site picker. Whatever the connecting user can see, the token can see. For most accounts that means dozens or hundreds of team sites, shared department libraries, the user's personal OneDrive, and every list inside every site. For an admin account it means the entire tenant.

This is fine for a human, who is unlikely to systematically enumerate every site and read every file. It is not fine for an AI agent, which can do exactly that, in seconds, on every prompt. Microsoft Search, exposed through Graph, makes the problem worse. A single KQL query can return hits from across the tenant.

What Is Exposed: More Than You Expect

A SharePoint API connection is broader than most teams assume. Four categories of exposure tend to surprise people the first time they audit it.

Every Site, Every Library

The token can list every site the user can reach, enumerate every document library inside, and pull file metadata, content, and sharing permissions. Marketing decks sit next to legal contracts. The Sales team site sits next to the HR team site. Without a firewall, the agent treats all of them as one big folder.

Lists and Their Row Contents

SharePoint lists hold task trackers, vendor registers, incident logs, deal pipelines, and approval workflows. The Graph API exposes the full fields dictionary of every list item, which often contains the most candid information in the tenant. Comments on tickets, deal stage notes, internal severity ratings, all of it is plain text the agent can read and quote.

Sensitivity Labels Are Not Gates

Microsoft Information Protection labels (Public, Internal, Confidential, Highly Confidential) are visible to API callers, but they do not block API access. A file labelled Highly Confidential still returns its bytes through Graph if the connecting user has permission. The label is metadata, not a permission. AI agents can see and quote labelled content unless something else stops them.

OneDrive for Business Too

OneDrive for Business is technically a SharePoint personal site. The same token reaches it through the same APIs. That means anything the user has dragged into OneDrive (drafts, personal notes, screenshots of receipts, exported reports) is in scope by default whenever AI is connected to SharePoint.

How PortEden Helps

PortEden sits between your AI agent and Microsoft Graph. Every request passes through PortEden's rules engine, and only authorized data is returned. You define the rules, and PortEden enforces them on every single request, in both delegated OAuth and Sites.Selected app-only modes.

Operation Permissions

Each access token carries an explicit list of allowed operations: list_files, search_files, get_file_metadata, download_file, upload_file, write_list_item, search_content, and so on. Composites like read_only and write_file let you spin up tightly scoped tokens in one click. An agent that should only read never has the flag to write, and an attempt to call a write endpoint is rejected with 422 OPERATION_NOT_ALLOWED before it reaches Graph.

Site, Library, and Label Firewall Rules

The PortEden SharePoint firewall is multi-level. Allow or block rules can target a single file, a folder and everything beneath it, a whole drive (document library), an entire site, an entire list, or a single list item. Two rule types go beyond identity and target classification instead: mime_type, with optional wildcards, and sensitivity_label_id, which blocks any item carrying a specific label regardless of where it lives.

Block rules always win. A token can be in allow-all mode for convenience and still have explicit blocks on the HR site, the Legal library, and any item labelled Highly Confidential. The same rules are evaluated on direct reads and on Microsoft Search hits, so search cannot be used to enumerate around the firewall.

Field Masking

Even on items the token is allowed to read, you can drop fields from the response. The visibleSharePointFields mask controls who sees owners, sharedWith, parent_folder, the embedded sensitivity label, the site name on list items, and the entire field_values dictionary on list items. Turning field_values off gives a token visibility into list metadata (which lists exist, when they changed, who owns them) without exposing the actual row contents. That is a useful posture for audit and inventory tools.

Microsoft Search through Graph supports KQL across files, list items, lists, and sites. PortEden runs the search through the same rule set as direct reads. Hits the token cannot fetch are dropped from the response before it is built, so an AI agent cannot use search to discover the existence of items it would otherwise be blocked from reading.

Full Audit Trail

Every site browsed, file fetched, list item written, and search query executed is logged. You see exactly which content each agent touched, what was returned, what was field-masked, and what was blocked by which rule. That is the difference between trusting an agent has behaved and being able to prove it.

Getting Started

Setting up PortEden for SharePoint takes a few minutes.

  1. Connect your Microsoft 365 tenant: link via delegated OAuth or a Sites.Selected app-only grant. Both modes use the same PortEden surface.
  2. Set your rules: pick operation flags, configure site, library, and sensitivity-label rules, and choose which fields to mask. See the SharePoint API reference for the full list of operation flags and rule types.
  3. Connect your AI: point your AI agent at the PortEden SharePoint Access API instead of Microsoft Graph. Every request flows through your rules automatically.

For an end-to-end view of the security model, see the SharePoint security solution page. If you are already using PortEden for Google Drive, the SharePoint surface uses the same DTOs and the same firewall model, so there is very little new to learn.

SharePoint and OneDrive hold the most consequential content in most Microsoft 365 tenants. AI should help your team find and summarize that content faster, not turn an OAuth token into a tenant-wide read-out. With PortEden, you get the productivity benefits of AI-powered SharePoint access while keeping confidential sites, labelled documents, and OneDrive folders private.

Your data. Your rules.

Ready to secure SharePoint for AI access?

Site, library, list, and sensitivity-label rules. Set up in minutes.

SharePoint SecurityAPI Reference

Continue Reading

AI SecurityConfluence

How to Secure Confluence When AI Needs Access

8 min read

AI Agent SecurityEmail Security

AI Business Email Security: How to Protect Your Inbox from AI Agents

11 min read

OpenClawDrive Security

How to Secure Your Google Drive When Using OpenClaw

9 min read