Eight governance gaps. Eight modules.
Every product deploys into your Azure subscription as Python Azure Functions with a React web dashboard. You own the solution, the data, and the code. No Power Platform licensing required.
Know exactly what Copilot will expose - before you turn it on.
Consulting firms charge $15,000-$50,000 for manual Copilot readiness assessments that take 4-6 weeks. Compass Copilot Readiness Assessment automates the entire process in hours. Python Azure Functions use Microsoft Graph API and the SharePoint REST API to enumerate every SharePoint site permission, detect "Everyone except external users" access grants, catalog sharing links by type, identify sites missing sensitivity labels, flag stale content and inactive sites, and enumerate guest user access patterns.
- Automated tenant-wide permission scan via Microsoft Graph API and SharePoint REST API
- Durable Functions fan-out/fan-in pattern scans thousands of sites in parallel
- Detection of "Everyone except external users" claims across all site collections
- Sharing link catalog: anonymous, organization-wide, specific people, with expiration status
- Sensitivity label coverage gap analysis
Prove Copilot ROI - or stop paying for unused licenses.
At $30 per user per month, Microsoft 365 Copilot is one of the most expensive line items in your IT budget. Yet Microsoft's native usage reporting provides only last-activity-date granularity. No interaction counts, no departmental breakdown, no ROI calculation, no historical trending beyond 180 days.
- Per-user Copilot activity tracking across all apps (Word, Excel, PowerPoint, Outlook, Teams, BizChat)
- Department, location, and manager-level segmentation via Entra ID enrichment
- Historical trending beyond Microsoft's 180-day retention limit
- License utilization scoring: identify unused and underused Copilot seats
- Configurable ROI calculation (time saved per interaction × hourly cost)
Microsoft keeps Copilot audit logs for 180 days. Your auditors expect 7 years.
Every Copilot interaction generates an audit event (RecordType 261, CopilotInteraction) in Microsoft's Unified Audit Log. These records capture who used Copilot, when, in which app, and what files were referenced. On E3 licenses, Microsoft retains this data for just 180 days. Even E5 provides only one year. HIPAA requires 6 years. SOX mandates 7 years. The average time to detect a sophisticated data breach is 290 days - beyond E3's entire retention window.
- Near-real-time capture of CopilotInteraction audit events via Office 365 Management Activity API
- Dual-tier storage: Azure SQL for indexed metadata, Azure Table Storage for raw event payloads
- Full metadata capture: user, timestamp, app host, accessed resources, sensitivity labels, plugins
- Optional prompt/response content capture via aiInteractionHistory API (beta)
- Configurable retention periods - store for 1 year, 7 years, or indefinitely
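An added sketch of the capture-and-retain step described above. It is not Compass code: the two dicts stand in for the Azure SQL and Table Storage tiers, the field names follow Microsoft's published audit record schema, and the sample blob is constructed.

```python
import json
from datetime import datetime, timezone

COPILOT_RECORD_TYPE = 261  # CopilotInteraction

def purge_after(created, years):
    """Earliest purge date under the retention policy; Feb 29 falls back to Feb 28."""
    try:
        return created.replace(year=created.year + years)
    except ValueError:
        return created.replace(year=created.year + years, day=28)

def to_metadata_row(event, retention_years):
    """Flatten one audit record into the indexed-metadata tier."""
    data = event.get("CopilotEventData", {})
    # Audit CreationTime is UTC, normally without a zone suffix.
    created = datetime.fromisoformat(event["CreationTime"].rstrip("Z")).replace(tzinfo=timezone.utc)
    resources = data.get("AccessedResources", [])
    return {
        "id": event["Id"],
        "user": event["UserId"],
        "created_utc": created.isoformat(),
        "app_host": data.get("AppHost"),
        "resources": [r.get("SiteUrl") or r.get("Name") for r in resources],
        "label_ids": sorted({r["SensitivityLabelId"] for r in resources
                             if r.get("SensitivityLabelId")}),
        "plugins": [p.get("Name") for p in data.get("AISystemPlugin", [])],
        "purge_after_utc": purge_after(created, retention_years).isoformat(),
    }

def ingest(blob_text, metadata, raw, retention_years=7):
    """Store Copilot events from one content blob; return the count of new records."""
    new = 0
    for event in json.loads(blob_text):
        if event.get("RecordType") != COPILOT_RECORD_TYPE or event["Id"] in metadata:
            continue  # another workload's record, or a blob fetched twice
        metadata[event["Id"]] = to_metadata_row(event, retention_years)
        raw[event["Id"]] = json.dumps(event, sort_keys=True)  # raw payload tier
        new += 1
    return new

# Constructed content blob: one Copilot event and one unrelated SharePoint event.
SAMPLE_BLOB = json.dumps([
    {"Id": "evt-1", "RecordType": 261, "Operation": "CopilotInteraction",
     "CreationTime": "2024-02-29T09:15:00", "UserId": "user@example.com",
     "CopilotEventData": {"AppHost": "Word", "AccessedResources": [
         {"Name": "plan.docx", "SiteUrl": "https://example.sharepoint.com/sites/fin/plan.docx",
          "SensitivityLabelId": "label-guid-a"},
         {"Name": "notes.docx"}]}},
    {"Id": "evt-2", "RecordType": 6, "Operation": "FileAccessed",
     "CreationTime": "2024-02-29T09:16:00", "UserId": "user@example.com"},
])
```

Keying both tiers on the record `Id` makes re-polling the same content blob idempotent, and storing `purge_after_utc` per row lets a retention change apply to new records without rewriting old ones.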
Stop oversharing before Copilot surfaces it.
16% of business-critical data is overshared across the average M365 tenant, with organizations averaging 802,000 files at risk. Microsoft's SharePoint Advanced Management provides discovery reports, but remediation remains largely manual and is capped at 1,000 site access reviews per month. For large tenants with thousands of sites, that's a years-long cleanup timeline while Copilot exposes everything today.
- Continuous scanning via Durable Functions fan-out/fan-in for parallel site analysis
- Detection of company-wide sharing (organization scope links)
- Automatic identification of anonymous links without expiration
- Guest access monitoring for sensitivity-labeled sites
- Configurable policy engine in React UI: alert-only, alert-and-recommend, or auto-remediate
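An added sketch of the detection logic that both the readiness assessment and this oversharing module describe: classifying sharing links by scope and expiration, and spotting the "Everyone except external users" claim. It is not Compass code; the records are constructed and assume the Microsoft Graph `permission` shape and SharePoint REST role assignments returned with `odata=nometadata`.

```python
from datetime import datetime, timezone

# Login-name prefix of the "Everyone except external users" claim; tenant GUID follows.
EEEU_PREFIX = "c:0-.f|rolemanager|spo-grid-all-users/"

def classify_link(perm, now):
    """Return a finding for one Graph permission object, or None if acceptable."""
    link = perm.get("link")
    if not link:
        return None                      # direct grant, not a sharing link
    expires = perm.get("expirationDateTime")
    live = expires is None or datetime.fromisoformat(expires.replace("Z", "+00:00")) > now
    if not live:
        return None                      # link has already expired
    if link.get("scope") == "anonymous" and expires is None:
        return "anonymous link without expiration"
    if link.get("scope") == "organization":
        return "organization-wide link"
    return None

def eeeu_roles(role_assignments):
    """Roles held by the EEEU claim in SharePoint REST role assignments."""
    return [b["Name"] for ra in role_assignments
            if ra.get("Member", {}).get("LoginName", "").lower().startswith(EEEU_PREFIX)
            for b in ra.get("RoleDefinitionBindings", [])]

def scan_site(permissions, role_assignments, now):
    """Combine link findings and EEEU grants into one list of (item, finding)."""
    findings = [(p["id"], f) for p in permissions if (f := classify_link(p, now))]
    findings += [("site", f"Everyone except external users: {r}")
                 for r in eeeu_roles(role_assignments)]
    return findings

# Constructed sample data; ids, addresses and the tenant GUID are made up.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
PERMISSIONS = [
    {"id": "p1", "link": {"scope": "anonymous", "type": "view"}},
    {"id": "p2", "link": {"scope": "anonymous", "type": "edit"},
     "expirationDateTime": "2025-07-01T00:00:00Z"},
    {"id": "p3", "link": {"scope": "organization", "type": "view"}},
    {"id": "p4", "link": {"scope": "users", "type": "edit"}},
    {"id": "p5", "roles": ["write"], "grantedToV2": {"user": {"displayName": "A. Example"}}},
    {"id": "p6", "link": {"scope": "organization", "type": "view"},
     "expirationDateTime": "2025-01-01T00:00:00Z"},
]
ROLE_ASSIGNMENTS = [
    {"Member": {"LoginName": EEEU_PREFIX + "00000000-0000-0000-0000-000000000000"},
     "RoleDefinitionBindings": [{"Name": "Edit"}]},
    {"Member": {"LoginName": "i:0#.f|membership|owner@example.com"},
     "RoleDefinitionBindings": [{"Name": "Full Control"}]},
]
```

A finding list like this is the input an alert-only or alert-and-recommend policy would act on; auto-remediation should re-read the live permission before changing it, since the scan result may be stale.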
Microsoft deletes your analytics after 180 days. Your compliance team needs them for years.
The M365 admin center provides SharePoint and Teams usage reports for a maximum of 180 days. The Microsoft Graph API enforces a hard ceiling at D180. Site-level SharePoint analytics show popular content for just 7 days and unique viewer data for 30 days. Teams Admin Center limits reports to 90 days.
- Daily extraction via timer-triggered Azure Function from Graph API endpoints: SharePoint site usage, SharePoint activity, Teams user activity, Teams device usage, Teams team activity
- Unlimited historical retention in Azure SQL Serverless within customer's subscription
- Interactive React dashboards for year-over-year trend analysis (Recharts line/bar/area charts)
- Per-site, per-team, and per-user granularity with TanStack Table drill-down
- Storage efficiency: ~500 MB-1 GB per year for medium organizations (500 users, 1,000 sites)
End Teams sprawl. Govern every workspace from creation to retirement.
Microsoft provides a binary choice for workspace creation: fully open self-service that leads to sprawl, or fully restricted creation that creates bottlenecks and shadow IT. There is no native middle ground.
- React web application for guided workspace request submission
- Multi-level approval workflows via Azure Logic Apps (Teams Adaptive Cards + email fallback)
- Graph API provisioning: Teams, SharePoint sites, Microsoft 365 Groups with full configuration
- Content-rich templates: pre-populated folders, channels, Planner tasks, and default pages
- Naming convention enforcement and metadata capture at creation time
Microsoft backs up your Power Platform for 7 days. You've built mission-critical apps.
Microsoft provides only 7-day system backups for non-production Dataverse environments (28 days for Managed Environments), with full-environment restores only - no granular recovery. There is zero native backup for standalone Power Apps, Power Automate flows, or Power BI reports. If a developer accidentally deletes a canvas app or a flow breaks during an update, your only option is to rebuild from scratch.
- Automated scheduled backups of Power Apps (canvas and model-driven), Power Automate flows, Power BI reports, and Dataverse solutions
- Hybrid Python + PowerShell architecture: Python for orchestration and UI, PowerShell for Power Platform exports
- Granular restore: recover individual apps, flows, or reports without full-environment restore
- Version history with comparison capabilities in the React management UI
- Storage in Azure Blob Storage within customer's subscription (Cool tier for recent, Archive for old)
Unlabeled content is unprotected content. Copilot doesn't care about the difference.
Sensitivity labels are the primary mechanism for controlling what Copilot can access and surface. Without labels, there are no guardrails. Copilot treats all content equally, regardless of whether it contains salary data, M&A documents, or legally privileged communications. Most organizations have less than 20% label coverage across their SharePoint environment.
- Tenant-wide sensitivity label coverage assessment via Durable Functions parallel scanning
- Per-site and per-library label gap identification
- High-risk content flagging based on site context, metadata, and content patterns
- Bulk labeling campaign execution via Graph API metered endpoint ($0.00185 per label)
- Rules-based classification: apply labels based on site, library, file type, and metadata
Ready to close the governance gap?
Book a consultation and see how Compass maps to your specific requirements.