10 steps before enabling Microsoft Copilot.
Copilot inherits every permission in your tenant: anything a user can already open, Copilot can surface for them. This checklist covers the governance steps to complete before enabling Copilot so that you protect sensitive data, meet compliance requirements, and can prove ROI.
1. Assessment
Scan tenant-wide permissions
Enumerate every SharePoint site, library, folder, and file permission. Identify sites with broken inheritance, org-wide access, and overly permissive sharing settings.
Audit external sharing and guest access
Identify all anonymous sharing links, guest user accounts, and external sharing configurations. Map which external users have access to which content and when access was last used.
Assess sensitivity label coverage
Determine what percentage of content has sensitivity labels applied. Identify high-risk unlabeled content including financial data, HR records, legal documents, and intellectual property.
2. Remediation
Remove public and anonymous sharing links
Revoke all "Anyone with the link" and "People in your organization" sharing links on sensitive content. Replace them with named-user or group-based sharing.
Clean up stale guest accounts
Remove external user accounts for expired contractors, former vendors, and inactive guest users. Implement guest access review policies for ongoing management.
Apply sensitivity labels to high-risk content
Run bulk labeling campaigns for financial reports, HR files, legal documents, and other sensitive content. Target 80%+ label coverage before enabling Copilot.
Configure DLP policies for Copilot
Ensure Data Loss Prevention policies are in place to prevent Copilot from surfacing content that matches sensitive information types (SSN, credit card numbers, etc.).
3. Governance Infrastructure
Deploy continuous permission monitoring
Set up daily automated scans for new oversharing events — new anonymous links, org-wide permissions, guest access grants. Configure automated alerts and remediation workflows.
Enable Copilot audit log retention
Configure extended retention for CopilotInteraction audit events. Native retention is limited to 180 days. Regulated industries require 6-10 years.
Deploy usage analytics and ROI tracking
Set up per-user, per-department Copilot usage tracking. Monitor prompts, interactions, and license utilization, and calculate ROI to justify the $360/user/year investment.
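The assessment and remediation steps above reduce to a handful of checks over a tenant inventory. The following is an added example (not Compass code and not part of the original checklist) that runs those checks over constructed sample records standing in for an exported SharePoint sharing report and an Entra guest list; the 80% label target and the link types come from the checklist, while the 90-day guest idle cutoff, the site paths, labels and UPNs are assumptions.

```python
from datetime import date

# Constructed sample inventory standing in for an exported SharePoint/Entra report.
# Paths, labels and guest UPNs are made up; link_scope uses the link types the checklist names.
FILES = [
    {"path": "/sites/Finance/Q3-forecast.xlsx", "label": "Confidential", "link_scope": "Anyone"},
    {"path": "/sites/HR/salaries.xlsx", "label": None, "link_scope": "Organization"},
    {"path": "/sites/Legal/nda-template.docx", "label": "Internal", "link_scope": "Specific people"},
    {"path": "/sites/Marketing/brochure.pdf", "label": "Public", "link_scope": "Anyone"},
    {"path": "/sites/Eng/design-doc.docx", "label": None, "link_scope": "Specific people"},
]
GUESTS = [
    {"upn": "vendor-a#EXT#@contoso.onmicrosoft.com", "last_sign_in": date(2024, 1, 10)},
    {"upn": "contractor-b#EXT#@contoso.onmicrosoft.com", "last_sign_in": date(2024, 9, 1)},
    {"upn": "never-used#EXT#@contoso.onmicrosoft.com", "last_sign_in": None},
]
TODAY = date(2024, 10, 1)  # constructed scan date

OVERSHARED_SCOPES = {"Anyone", "Organization"}  # "Anyone with the link" / "People in your organization"
LABEL_TARGET = 0.80                              # checklist: 80%+ label coverage before enabling Copilot
HIGH_RISK_SITES = ("/sites/Finance/", "/sites/HR/", "/sites/Legal/")  # financial, HR, legal content


def overshared_files(files):
    """Files behind an anonymous or org-wide link that are unlabeled or live in a high-risk site.
    A 'Public'-labelled brochure behind an Anyone link is deliberately not flagged."""
    return [f["path"] for f in files
            if f["link_scope"] in OVERSHARED_SCOPES
            and (f["label"] is None or f["path"].startswith(HIGH_RISK_SITES))]


def label_coverage(files):
    """Fraction of files carrying any sensitivity label (0.0 for an empty inventory)."""
    return sum(1 for f in files if f["label"]) / len(files) if files else 0.0


def stale_guests(guests, today, max_idle_days=90):
    """Guests that never signed in or have been idle longer than max_idle_days (hypothetical cutoff)."""
    return [g["upn"] for g in guests
            if g["last_sign_in"] is None or (today - g["last_sign_in"]).days > max_idle_days]


def readiness_report(files, guests, today):
    """Combine the three assessment checks into one readiness summary."""
    cov = label_coverage(files)
    return {"overshared": overshared_files(files),
            "label_coverage": round(cov, 2),
            "labels_ok": cov >= LABEL_TARGET,
            "stale_guests": stale_guests(guests, today)}


if __name__ == "__main__":
    for key, value in readiness_report(FILES, GUESTS, TODAY).items():
        print(f"{key}: {value}")
```

On the sample data the report flags the Finance and HR files, two stale guests, and a 60% label coverage that fails the 80% gate; in practice the three input lists would be replaced with the exports from your own tenant scans.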
Automate this checklist with Compass.
8 of these 10 steps are automated by Compass modules. Deployed into your Azure subscription. One-time fee.
Get a Copilot Readiness Score for your tenant — we scan permissions, sharing links, guest access, and labeling coverage in a single assessment.