Microsoft Copilot Security Readiness Checklist
Use this checklist to assess whether your Microsoft 365 environment is ready to enable Copilot safely. Work through each section before enabling licences. Items marked Required represent minimum security controls; Recommended items reduce risk further.
Why this matters: Microsoft Copilot respects existing permissions — but it dramatically lowers the barrier to surfacing data users already have access to. If your permissions and data governance aren't clean before enablement, Copilot will surface overshared, unclassified, and forgotten data at scale. Fix the foundations first.
1. Identity & Access Foundation
Copilot acts as the user, so it needs the same identity controls you would require for any high-privilege access pattern.
- [Required] Multi-Factor Authentication (MFA) enforced for all users via Conditional Access
  Per-user (legacy) MFA is not sufficient. Use Conditional Access policies to enforce MFA at sign-in, excluding only your break-glass accounts.
- [Required] Microsoft Entra ID P1 or P2 licences in place to support Conditional Access
  P1 covers Conditional Access; PIM and the risk-based policies below need P2.
- [Recommended] Conditional Access policy blocks legacy authentication protocols
  Legacy auth cannot satisfy an MFA requirement. Block Basic Auth and legacy auth clients entirely.
- [Recommended] Privileged Identity Management (PIM) enabled for all admin roles
  Standing admin access should be eliminated. Admins should activate roles just-in-time.
- [Recommended] Entra ID sign-in risk and user risk policies configured
- [Recommended] Guest/external user access reviewed and scoped to the minimum required
  Copilot will not cross tenant boundaries, but overly permissive guest access should still be cleaned up before enabling.
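The two Conditional Access items above, expressed as Microsoft Graph PowerShell. This is an added example, not code from the checklist's author: it assumes the Microsoft.Graph module is installed, the caller holds the Conditional Access Administrator role, and the policy names and the break-glass account object ID are placeholders. Both policies are created in report-only mode so the sign-in log shows their impact before they are enforced.

```powershell
# Added example (not from the checklist): create the "require MFA" and "block legacy auth"
# Conditional Access policies in report-only mode with Microsoft Graph PowerShell.
# Assumed: Microsoft.Graph module installed; caller is a Conditional Access Administrator.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder object ID(s) of your emergency-access accounts. Never omit this exclusion.
$breakGlass = @("00000000-0000-0000-0000-000000000001")

# Policy A: require MFA for all users on all cloud apps.
$requireMfa = @{
    displayName = "CA001 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy B: block legacy authentication clients, which cannot satisfy an MFA grant at all.
$blockLegacy = @{
    displayName = "CA002 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($policy.displayName)'"
    if ($existing) {
        Write-Host "Already present: $($policy.displayName)"
    } else {
        New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null
        Write-Host "Created (report-only): $($policy.displayName)"
    }
}

# Check: which MFA policies are still report-only, i.e. not yet enforcing?
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -contains "mfa" } |
    Select-Object DisplayName, State
```

Review the report-only results in the Entra sign-in log for a few days, then set `state` to `enabled`. Leaving the break-glass exclusion out is the classic way to lock every admin out of the tenant at once.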
2. Data Classification & Sensitivity Labels
Copilot surfaces content based on access, and sensitivity labels are the control you have over that content: a Copilot response inherits the label of the items it draws on, and a label whose usage rights withhold extraction keeps that content out of Copilot entirely. Unclassified files get none of this protection, and the audit log cannot tell you what kind of data Copilot touched.
- [Required] Microsoft Purview sensitivity label taxonomy defined and published
  Minimum recommended: Public, Internal, Confidential, Highly Confidential. Labels should be meaningful to your organisation.
- [Required] Auto-labelling policies configured for common sensitive data patterns (PII, financial, HR)
- [Recommended] High-volume unclassified data in SharePoint/OneDrive identified and remediated
  Run a Purview data discovery scan before enabling Copilot to understand the classification gap.
- [Recommended] Sensitivity label inheritance enabled for email replies and meetings
- [Recommended] Labels applied to Microsoft Teams channels and SharePoint sites (site-level labelling)
3. SharePoint & OneDrive Permissions Hygiene
Oversharing is the most common finding pre-Copilot. "Anyone with the link" sharing is a significant risk once Copilot can traverse content at speed.
- [Required] "Anyone with the link" sharing disabled or restricted to specific sites
  Review SharePoint admin center > Policies > Sharing. Disable anonymous links at tenant level unless there is a specific business requirement, and scope any exception to named sites.
- [Required] Stale sharing links and overshared "Everyone" permissions reviewed and cleaned up
- [Recommended] SharePoint site access requests reviewed; no unmonitored request queues
- [Recommended] Highly sensitive data stores (HR, Finance, Legal) confirmed to have restricted access, not inherited broad permissions
  Verify that sensitive document libraries are NOT accessible to the "Everyone except external users" or "All Company" groups.
- [Recommended] OneDrive oversharing audit completed using SharePoint admin reports or Purview
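The anonymous-link control above, as an added example in the SharePoint Online Management Shell (not the checklist author's code). It assumes the Microsoft.Online.SharePoint.PowerShell module is installed, the caller is a SharePoint Administrator, and the tenant URL and the `$anonAllowList` contents are placeholders. It first reports the current tenant and site settings, then caps the tenant if no site needs anonymous links, or otherwise locks every site not on the allow list, since a site can never be more permissive than the tenant.

```powershell
# Added example (not from the checklist): find and restrict "Anyone with the link" sharing.
# Assumed: SharePoint Online Management Shell installed; caller is a SharePoint Administrator.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# 1. Current tenant-level posture.
$tenant = Get-SPOTenant
"Tenant SharingCapability: $($tenant.SharingCapability)"
"Default sharing link:     $($tenant.DefaultSharingLinkType)"

# 2. Every site that still permits anonymous links (OneDrive sites are not included here).
$anonSites = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" }
"Sites allowing anonymous links: $($anonSites.Count)"
$anonSites | Select-Object Url, Title, SharingCapability | Format-Table -AutoSize

# 3. Sites with a documented business requirement for anonymous links (placeholder; empty = none).
$anonAllowList = @()

if ($anonAllowList.Count -eq 0) {
    # No exceptions: cap the whole tenant. Sites cannot be more permissive than the tenant,
    # so this also closes every site listed above in one step.
    Set-SPOTenant -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Internal
} else {
    # Exceptions exist, so the tenant has to stay open. Make anonymous links expire,
    # default new links to "people in your organisation", and lock down every other site.
    Set-SPOTenant -DefaultSharingLinkType Internal -RequireAnonymousLinksExpireInDays 30
    foreach ($site in $anonSites) {
        if ($anonAllowList -notcontains $site.Url) {
            Set-SPOSite -Identity $site.Url -SharingCapability ExternalUserSharingOnly
            "Restricted: $($site.Url)"
        }
    }
}

# 4. Verify: nothing outside the allow list should still report ExternalUserAndGuestSharing.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" -and $anonAllowList -notcontains $_.Url } |
    Select-Object Url, SharingCapability
```

Run steps 1 and 2 first and keep the output; the list of sites that allowed anonymous links is the evidence for the "stale sharing links" item, and existing anonymous links on a site stop working once that site is restricted.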
4. Data Loss Prevention (DLP)
DLP does two jobs here. The existing workload policies keep users from emailing or sharing sensitive content, including content Copilot has just summarised for them; with Copilot added as a DLP location, items carrying the sensitivity labels you specify are kept out of Copilot's prompts and responses altogether.
- [Required] DLP policies active across Exchange, SharePoint, OneDrive, and Teams
- [Recommended] DLP policies reviewed to include Microsoft 365 Copilot as a workload (Purview DLP > Locations)
  Microsoft Purview supports Copilot as a DLP location. Policies for that location match on sensitivity labels (not on sensitive info types), which is another reason the labelling work in section 2 comes first. Ensure your policies include it.
- [Recommended] DLP policy simulation mode run and results reviewed before switching to enforce mode
- [Recommended] DLP alerts routed to a monitored mailbox or to the Microsoft Defender/Sentinel portal
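The four-workload DLP policy from this section, created in test mode and promoted to enforce only after review. This is an added example using the Security & Compliance PowerShell cmdlets, not the checklist author's code; it assumes the ExchangeOnlineManagement module is installed, the caller holds the Compliance Administrator role, and the policy name, the incident-report mailbox and the choice of sensitive info types are illustrative. The Copilot location is not set here; add it in the Purview portal as the item above describes.

```powershell
# Added example (not from the checklist): workload-wide DLP policy, test mode first, enforce later.
# Assumed: ExchangeOnlineManagement module installed; caller is a Compliance Administrator.
Connect-IPPSSession

$policyName = "Pre-Copilot - Sensitive data baseline"   # placeholder name

# Policy scoped to the four workloads the checklist requires. TestWithoutNotifications records
# matches without blocking or telling users, which is how the review period is run.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithoutNotifications

# Rule: items holding PII or payment-card data may not be shared outside the organisation.
# Both sensitive info types are built-in Purview classifiers; swap in the ones that match your data.
New-DlpComplianceRule -Name "$policyName - block external PII" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Credit Card Number";               minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport "dlp-alerts@contoso.example" `
    -IncidentReportContent Title, DocumentAuthor, Detections, Severity

# Check: the policy must show as distributed and still in test mode before the review window starts.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, DistributionStatus

# After the review window (inspect matches in Activity explorer / DLP reports), enforce:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The incident-report mailbox is the "monitored mailbox" from the last item in this section; if nobody reads it, the rule's `-GenerateIncidentReport` output is wasted. Expect false positives from the broad SSN classifier in test mode and tune the rule before enforcing.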
5. Audit Logging & Monitoring
You must be able to see what Copilot is doing before you can assess whether enabling it created any risk.
- [Required] Microsoft 365 unified audit log enabled
  Copilot interactions are logged in the unified audit log as "CopilotInteraction" records. Auditing must be on before enablement or the pilot's activity is simply not captured.
- [Required] Audit log retention of at least 180 days
  Audit (Standard) keeps records for 180 days by default; longer retention needs Audit (Premium) retention policies. Forward to a SIEM if you need more than the licence allows.
- [Recommended] Purview Copilot activity reports reviewed post-enablement (Purview > AI Hub, since renamed Data Security Posture Management for AI)
- [Recommended] Copilot interaction logs routed to Microsoft Sentinel if a SIEM is in use
- [Recommended] Insider risk management policies reviewed to include Copilot activity signals
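The first two items above, checked from PowerShell: confirm unified auditing is on, pull the CopilotInteraction records for the pilot window, and summarise who used Copilot and which files it drew on. This is an added example, not the checklist author's code. It assumes the ExchangeOnlineManagement module is installed and the caller holds the Audit Logs role; the `CopilotEventData.AccessedResources` fields it reads follow the published CopilotInteraction schema, so confirm them against one raw record from your own tenant before building reports on them.

```powershell
# Added example (not from the checklist): verify auditing, then summarise CopilotInteraction records.
# Assumed: ExchangeOnlineManagement module installed; caller has the Audit Logs role.
Connect-ExchangeOnline

# Section 5, Required: if ingestion is off, nothing below exists to search.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    throw "Unified audit log ingestion is disabled; enable it before assigning Copilot licences."
}

$start     = (Get-Date).AddDays(-7)
$end       = Get-Date
$sessionId = "copilot-review-" + [guid]::NewGuid()
$records   = @()

# Page through the results: one call returns at most 5000 records, and the session
# id lets ReturnLargeSet continue where the previous page stopped.
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                -RecordType CopilotInteraction -ResultSize 5000 `
                -SessionId $sessionId -SessionCommand ReturnLargeSet
    $records += $page
} while ($page.Count -eq 5000)

# AuditData is a JSON string on each record; expand it into objects.
$events = $records | ForEach-Object { $_.AuditData | ConvertFrom-Json }
$users  = $events.UserId | Sort-Object -Unique
"Copilot interactions in window: $($events.Count) across $($users.Count) users"

# Interactions per user: anyone outside the pilot group showing up here is a licensing error.
$events | Group-Object UserId | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Resources Copilot read, and whether each carried a sensitivity label. Unlabelled hits are
# the classification gap from section 2 showing up in practice.
$events |
    ForEach-Object { $_.CopilotEventData.AccessedResources } |
    Where-Object { $_ } |
    Group-Object Name |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name,
        @{ Name = "Labelled"; Expression = { [bool]$_.Group[0].SensitivityLabelId } } |
    Format-Table -AutoSize
```

Run this at each of the 30/60/90-day checks; a resource that appears in the top twenty without a label, or a user outside the pilot group, is a concrete finding rather than a hunch.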
6. Copilot Configuration & Governance
Control who gets Copilot, what it can access, and how it is used, before broad rollout.
- [Required] Copilot licences assigned to a pilot group only for initial deployment
  Do not assign Copilot licences to the entire tenant on day one. Pilot with a defined group spanning different roles and data-access profiles, so the pilot exercises the permission and labelling controls above against real data.
- [Recommended] Microsoft 365 Apps admin settings reviewed; Copilot connected experiences policy configured
- [Recommended] Copilot AI pinning and optional connected features enabled or disabled per organisational policy
- [Recommended] Staff briefing/awareness completed for pilot users; prompt guidance and data hygiene expectations set
- [Recommended] Copilot acceptable use policy documented and communicated
- [Recommended] Review cadence established (30/60/90-day post-enablement checks)
Readiness Scoring
| Score | Interpretation | Recommendation |
|---|---|---|
| All Required items ✓ + most Recommended | Ready for controlled rollout | Proceed with pilot group. Monitor Copilot activity logs. |
| All Required items ✓, some gaps in Recommended | Conditionally ready | Proceed with pilot. Prioritise remaining Recommended items within 30 days. |
| One or more Required items not completed | Not ready | Do not enable Copilot until Required controls are in place. Engage your security team or Magma Cloud. |