Eight governance gaps. Eight solutions.
QueryNow Compass covers the full governance lifecycle, from Copilot readiness assessment through ongoing compliance retention. Every product deploys into your Microsoft 365 tenant and runs on Power Platform and Azure.
Know exactly what Copilot will expose, before you turn it on.
Consulting firms charge $15,000–$50,000 for manual Copilot readiness assessments that take 4–6 weeks. Compass Copilot Readiness Assessment automates the entire process in hours. It scans your tenant using Microsoft Graph APIs to enumerate every SharePoint site permission, detect "Everyone except external users" access grants, catalog sharing links by type, identify sites missing sensitivity labels, flag stale content and inactive sites, and enumerate guest user access patterns.
- Automated tenant-wide permission scan via Microsoft Graph API
- Detection of "Everyone except external users" claims across all site collections
- Sharing link catalog: anonymous, organization-wide, specific people, with expiration status
- Sensitivity label coverage gap analysis
- Guest user access enumeration and risk scoring
Prove Copilot ROI, or stop paying for unused licenses.
At $30 per user per month, Microsoft 365 Copilot is one of the most expensive line items in your IT budget. Yet Microsoft's native usage reporting provides only last-activity-date granularity. No interaction counts, no departmental breakdown, no ROI calculation, no historical trending beyond 180 days.
- Per-user Copilot activity tracking across all apps (Word, Excel, PowerPoint, Outlook, Teams, BizChat)
- Department, location, and manager-level segmentation via Entra ID enrichment
- Historical trending beyond Microsoft's 180-day retention limit
- License utilization scoring: identify unused and underused Copilot seats
- Configurable ROI calculation (time saved per interaction × hourly cost)
Microsoft keeps Copilot audit logs for 180 days. Your auditors expect 7 years.
Every Copilot interaction generates an audit event (RecordType 261, CopilotInteraction) in Microsoft's Unified Audit Log. These records capture who used Copilot, when, in which app, and what files were referenced. But on E3 licenses, Microsoft retains this data for just 180 days. Even E5 provides only one year. HIPAA requires 6 years. SOX mandates 7 years. And the average time to detect a sophisticated data breach is 290 days, beyond E3's entire retention window.
- Near-real-time capture of CopilotInteraction audit events via Office 365 Management Activity API
- Structured storage in Azure SQL or Azure Table Storage within the customer's tenant
- Full metadata capture: user, timestamp, app host, accessed resources, sensitivity labels, plugins
- Optional prompt/response content capture via aiInteractionHistory API
- Configurable retention periods: store for 1 year, 7 years, or indefinitely
Stop oversharing before Copilot surfaces it.
16% of business-critical data is overshared across the average M365 tenant, with organizations averaging 802,000 files at risk. Microsoft's SharePoint Advanced Management provides discovery reports, but remediation remains largely manual and is capped at 1,000 site access reviews per month. For large tenants with thousands of sites, that's a years-long cleanup timeline, while Copilot exposes everything today.
- Continuous scanning for new sharing links and permission changes
- Detection of company-wide sharing (organization scope links)
- Automatic identification of anonymous links without expiration
- Guest access monitoring for sensitivity-labeled sites
- Configurable policy engine: alert-only, alert-and-recommend, or auto-remediate
Microsoft deletes your analytics after 180 days. Your compliance team needs them for years.
The M365 admin center provides SharePoint and Teams usage reports for a maximum of 180 days. The Microsoft Graph API enforces a hard ceiling at D180. Site-level SharePoint analytics show popular content for just 7 days and unique viewer data for 30 days. Teams Admin Center limits reports to 90 days. Microsoft 365 Usage Analytics in Power BI provides 12-month rolling monthly aggregates, but no daily granularity and a 5–8 day latency.
- Daily extraction from Graph API endpoints: SharePoint site usage, SharePoint activity, Teams user activity, Teams device usage, Teams team activity
- Unlimited historical retention in Azure SQL within the customer's tenant
- Pre-built Power BI dashboards for year-over-year trend analysis
- Per-site, per-team, and per-user granularity
- Storage efficiency: ~500MB–1GB per year for medium organizations
End Teams sprawl. Govern every workspace from creation to retirement.
Microsoft provides a binary choice for workspace creation: fully open self-service that leads to sprawl, or fully restricted creation that creates bottlenecks and shadow IT. There is no native middle ground. Teams templates cannot include private or shared channels, cannot apply sensitivity labels, and changes never propagate to existing teams. Site scripts are limited to 300 actions and cannot provision pages or web parts.
- Power App request form for guided workspace creation
- Multi-level approval workflows via Power Automate
- Content-rich templates: pre-populated folders, files, channels, Planner tasks, pages, and web parts
- Naming convention enforcement and metadata capture at creation time
- Sensitivity label application during provisioning
Microsoft backs up your Power Platform for 7 days. You've built mission-critical apps.
Microsoft provides only 7-day system backups for non-production Dataverse environments (28 days for Managed Environments), with full-environment restores only. No granular recovery. There is zero native backup for standalone Power Apps, Power Automate flows, or Power BI reports. If a developer accidentally deletes a canvas app or a flow breaks during an update, your only option is to rebuild from scratch.
- Automated scheduled backups of Power Apps (canvas and model-driven), Power Automate flows, Power BI reports, and Dataverse solutions
- Granular restore: recover individual apps, flows, or reports without full-environment restore
- Version history with comparison capabilities
- Storage in SharePoint document libraries within the customer's tenant (up to 25TB per site)
- Power App interface for backup management and restore operations
Unlabeled content is unprotected content. Copilot doesn't care about the difference.
Sensitivity labels are the primary mechanism for controlling what Copilot can access and surface. Without labels, there are no guardrails. Copilot treats all content equally, regardless of whether it contains salary data, M&A documents, or legally privileged communications. Yet most organizations have less than 20% label coverage across their SharePoint environment.
- Tenant-wide sensitivity label coverage assessment
- Per-site and per-library label gap identification
- High-risk content flagging based on site context, metadata, and content patterns
- Bulk labeling campaign execution via metered Graph API ($0.00185 per label)
- Rules-based classification: apply labels based on site, library, file type, and metadata