Insights · 13 June 2026

Microsoft 365 Copilot readiness: an Australian checklist

A practical Copilot readiness checklist for Australian organisations: permissions, data hygiene, governance and a pilot that proves value before licences.

Copilot readiness means one thing above all: Microsoft 365 Copilot can surface anything a user already has permission to see. If your SharePoint permissions are messy, Copilot will faithfully summarise documents people were never meant to find, from salary spreadsheets to board papers. Fixing that before you buy licences is the whole game.

This checklist is the work we do before any Copilot rollout. If you want it run against your tenant, talk to us about AI services.

Why readiness comes before licences

Copilot does not bypass your security model, and that is exactly the problem. It respects permissions perfectly, including the ones you forgot about: the “Everyone except external users” link from 2021, the all-staff site holding HR documents, the Teams channel that was never locked down. Search made this data hard to stumble on. Copilot makes it one prompt away.

The good news is that none of the fixes are Copilot-specific. Everything below improves your security posture whether or not you ever buy a licence.

The readiness checklist

1. Find and fix oversharing

  • Run SharePoint Advanced Management or a permissions report across sites and flag anything shared with “Everyone” or org-wide links.
  • Kill default org-wide sharing links; switch to “specific people” as the tenant default.
  • Archive or delete stale sites. Copilot grounds its answers in whatever exists, including the 2019 version of your pricing.
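To make step 1 concrete, here is an added example (not code from the original article) using the SharePoint Online Management Shell: it lists site groups that contain "Everyone" or "Everyone except external users" and, only when run with -Fix, changes the tenant default sharing link to "specific people". The admin URL is a placeholder and the two claim strings are assumptions about how those groups appear in group membership.

```powershell
# Added example, not part of the original article.
# Requires the Microsoft.Online.SharePoint.PowerShell module and a SharePoint admin role.
param(
    [string]$AdminUrl = 'https://contoso-admin.sharepoint.com',   # placeholder tenant
    [switch]$Fix                                                  # default is report-only
)

Connect-SPOService -Url $AdminUrl

# Assumption: "Everyone" shows up as the claim 'c:0(.s|true' and
# "Everyone except external users" as 'spo-grid-all-users/<tenant id>'.
$broadClaims = @('c:0(.s|true', 'spo-grid-all-users')

$findings = foreach ($site in Get-SPOSite -Limit All) {
    try {
        foreach ($group in Get-SPOSiteGroup -Site $site.Url) {
            # Keep any member whose login name matches one of the broad claims
            $hits = $group.Users | Where-Object {
                $user = $_
                ($broadClaims | Where-Object { $user -like "*$_*" }).Count -gt 0
            }
            if ($hits) {
                [pscustomobject]@{
                    Site  = $site.Url
                    Group = $group.Title
                    Roles = ($group.Roles -join ', ')
                    Via   = ($hits -join ', ')
                }
            }
        }
    } catch {
        Write-Warning "Could not read groups on $($site.Url): $_"
    }
}

# Caveat: this covers site-group membership only. Item-level permissions and
# sharing links already created need the SharePoint Advanced Management report.
$findings | Sort-Object Site | Format-Table -AutoSize

if ($Fix) {
    # Weak default: DefaultSharingLinkType Internal (org-wide) or AnonymousAccess.
    # Corrected default: Direct = "specific people", and view-only unless changed.
    Set-SPOTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View
    # Existing org-wide links are not revoked by this; review them from the report.
}
```

Run it without -Fix first and treat the output as the worklist for the sites you archive, re-permission or leave alone.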

2. Classify what actually matters

  • Apply sensitivity labels to the small set of genuinely sensitive content: contracts, financials, HR records.
  • If your licensing includes Microsoft Purview, label-based controls can keep that content out of Copilot responses entirely.
  • Do not try to label everything. A working policy for two labels beats an aspirational taxonomy of nine.

3. Confirm the identity baseline

  • Phishing-resistant multi-factor authentication for every account.
  • Conditional Access requiring compliant devices for Microsoft 365 data.
  • Standing admin moved into Privileged Identity Management.

An assistant that can read everything a user can read raises the value of a stolen account. Strong identity is a prerequisite, not a parallel project.

4. Pilot with intent

  • Choose 10 to 20 people across roles that actually write, summarise and search: operations, finance, bids and proposals.
  • Give them three measurable tasks, such as meeting recap quality, first-draft turnaround and document discovery.
  • Run it for 30 days and compare against the licence cost. Copilot pays for itself in some roles and clearly does not in others.

5. Write the usage policy before day one

  • What may staff paste into AI tools, and what never leaves the tenant?
  • Which outputs need human review before they reach a client?
  • Who owns prompts, outputs and mistakes?

Keep it to a page. Practical rules people can follow beat legal boilerplate nobody reads.

Where your data goes

For Australian organisations the common questions have clear answers. Microsoft 365 Copilot processes prompts within the Microsoft 365 service boundary, inherits your tenant’s data residency commitments, and does not use your business data to train foundation models. Verify the current commitments against your own compliance needs, and document the data flows as part of the rollout.

Copilot is not the only option

Copilot is the right default for organisations that live in Microsoft 365, but it is not the answer to every problem. Narrow, high-value workflows are often better served by a custom agent built on Azure OpenAI or Anthropic Claude, grounded in your own knowledge base with citations. Copilot Studio sits in between for structured internal agents. We cover the trade-offs in our AI services work and will tell you plainly when a licence is not worth it.

What to do this quarter

  1. Run a permissions and oversharing report, and fix the worst of it.
  2. Enforce the identity baseline: MFA, Conditional Access, PIM.
  3. Pick a pilot group, three success measures and a one-page usage policy.

Do those three and a Copilot rollout becomes a decision based on evidence rather than hope. If you would like help with any step, book a consultation.