2 changes: 2 additions & 0 deletions docs/1secure/admin/searchandreports/compliance.md
Expand Up @@ -70,6 +70,8 @@ A list of the available Compliance reports(category-wise) is given below.
| Permissions Overview by Resource | Provides a summary of assigned permissions in your organization, including the count of direct user permissions, stale permissions, broken permission inheritance, and high-risk permissions for each object. Click any permissions value to navigate to the specific permissions report for the selected resource. For example, clicking a High Risk Permissions value will take you to the High Risk Permissions report. |
| Sensitive Documents | Lists the documents that are classified according to the sensitive data types enabled in the SharePoint Online Data Classification connector. See step 7 in the [Add a Source and Connectors for SharePoint Online](/docs/1secure/admin/organizations/sourcesandconnectors/sharepointonline.md) topic for addition information. |
| Sharing Links | Provides an overview of all the active sharing links within your SharePoint Online site. For each record, it displays the site collection, URL of the shared resource, name of the shared object, link creation and expiration dates, link type, assigned permissions, and more. Click the "Shared with" link to see exactly who or which groups have access. |
| Accounts with Most Access to Sensitive Data | Identifies users with the largest number of sensitive data objects they can effectively access. By highlighting accounts with the highest access, organizations can pinpoint security vulnerabilities and mitigate the risk of sensitive data being accessed and surfaced by AI assistants. For each account, it displays the user name, account, department, title, sensitive data access count, sensitive data types, and last accessed. |
| Locations with Sensitive Data | Shows locations (sites or file shares) with the largest number of sensitive data objects. Review the list and make sure these locations have proper access controls, or remove sensitive data to a more secure location. For each location, it displays the location (share or site), sensitive data objects count, and sensitive data types. Click on the sensitive data objects count to drill down into the list of sensitive data objects. |

**Sort a Report**

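Review bot: in the added Locations with Sensitive Data row, "remove sensitive data to a more secure location" contradicts itself; the intended action is relocation, so "move sensitive data to a more secure location" (or "remove it from that location") is what the sentence should say. Two consistency points in the same two new rows: the neighbouring rows say "Click any permissions value" and "Click the "Shared with" link", so "Click on the sensitive data objects count" should drop the "on", and the column list in the Accounts with Most Access to Sensitive Data row ends in "last accessed" where every other column is named as a noun, so it should read as the column header actually does (for example "last access date"). Since this table is being edited anyway, the unchanged Sensitive Documents row directly above still has "addition information", which should be "additional information".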
5 changes: 5 additions & 0 deletions docs/1secure/admin/searchandreports/stateintime.md
Expand Up @@ -90,6 +90,11 @@ State In Time reports are available under the following categories.
| High Risk Permissions on Documents | Lists permissions granted to high risk trustees, such as Everyone and Authenticated Users, to SharePoint Online documents. Excessive use of broad access groups like "Authenticated Users" or "Everyone" violates the principle of least privilege, a fundamental security concept outlined in NIST SP 800-14. This practice greatly increases the risk of data breaches and insider threats. CIS Controls v8 (5.4) recommends to restrict the administrative privileges to dedicated administrator accounts to minimize security risks. Overexposure of SharePoint content can lead to unauthorized access, data leakage, and compliance violations, especially in industries governed by regulations like GDPR or HIPAA. |
| Sites with Broken Permissions Inheritance | Lists objects with permissions that differ from their parent site, such as a folder with permissions different from its parent site. Broken inheritance disrupts the hierarchical permission structure that Microsoft recommends for the efficient management of SharePoint Online. This may result in inconsistent access controls, increased risk of privilege creep, and difficulty in maintaining the principle of least privilege. |
| Stale Direct User Permissions | Lists stale user accounts with direct permissions to specific objects. Retaining permissions for inactive users violates the access control principle outlined in ISO/IEC 27001:2013 (A.9.2.6), which mandates the timely removal or adjustment of access rights. Stale permissions create security vulnerabilities by retaining unnecessary access points that threat actors could exploit. This risk is particularly relevant in the context of insider threats and account takeovers. Regular access reviews, as recommended by NIST SP 800-53 (AC-2), are crucial for maintaining a secure SharePoint environment and ensuring compliance with data protection regulations. |
| High-Risk Permissions to Sensitive Data | Lists sensitive data objects accessible to identities with elevated risk potential, like "Authenticated Users" or "Everyone", thereby increasing the likelihood of unauthorized access, data breaches, and potential insider threats. Such permissions often stem from the excessive use of broad access groups, violating the principle of least privilege. |
| Unlabeled Sensitive Files | Lists sensitive files lacking proper classification tags, potentially leading to mishandling and inadequate protection measures. Proper labeling is crucial for enforcing data protection policies and access controls. |
| Open Access to Sensitive Data | Lists sensitive data entries with open access, allowing everyone in the organization to effectively access sensitive information, which typically results from effective access granted through groups such as Everyone. Ensuring controlled access is vital to meeting compliance requirements and preventing unauthorized data exposure. |
| Stale User Access to Sensitive Data | Lists user accounts with no login in the last 90 days but still retaining effective permissions to sensitive data, posing a security risk. This highlights the importance of continuous access reviews and adjustments. |
| External and Anonymous Sharing of Sensitive Data | Lists sensitive data entries shared externally, which can significantly increase risk exposure, especially if proper safeguards are not in place. Mitigating this risk involves stringent data-sharing policies and monitoring. |

## Identity

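Review bot: the added External and Anonymous Sharing of Sensitive Data row describes only data "shared externally", although the report name also covers anonymous sharing; the description should state what the report lists for each case (sharing with external accounts versus anonymous "Anyone" links) so the reader knows whether anonymous links appear in this report or elsewhere. Three smaller points in the same block: the Stale User Access to Sensitive Data row hard-codes "no login in the last 90 days" while the Stale Direct User Permissions row above speaks of "stale user accounts" with no threshold, so say whether both use the same 90-day window and whether it is configurable; the Open Access to Sensitive Data row says the same thing twice ("effectively access sensitive information, which typically results from effective access granted through groups such as Everyone"), and "Everyone" should be quoted as it is in the High-Risk Permissions to Sensitive Data row; and in that row "thereby increasing the likelihood" grammatically modifies "Lists", making the report the thing that increases risk, so split it into "... like "Authenticated Users" or "Everyone". Such permissions increase the likelihood of unauthorized access ...".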