Microsoft 365 Copilot rollout prerequisites

What you need to have in place before deploying Microsoft 365 Copilot — identity, data hygiene, labels, and pilot strategy.

Microsoft 365 Copilot doesn't fail because the AI is wrong — it fails because the tenant wasn't ready. Before you license a single user, several pieces need to be in place. Skipping them produces the most common Copilot outcome: a deployment that surfaces everything everyone has ever overshared.

Prerequisite 1 — Identity baseline

Copilot inherits Entra ID identity, including all the permissions and access rights of the signed-in user. Make sure your identity baseline is solid:

  • MFA enforced for every user.
  • Conditional Access policies in place.
  • No legacy auth allowed.
  • PIM for privileged roles.

Copilot exposes everything a user can already access, no more and no less. If that account is compromised, the attacker inherits the same reach and can use Copilot to query everything it can touch in plain language, far faster than browsing site by site.
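The identity baseline above is usually expressed as Conditional Access policy. The following is an added example, not from the article, of auditing the existing policies and creating the two most important baseline ones (MFA for everyone, block legacy authentication) with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the caller holds Policy.ReadWrite.ConditionalAccess, and that the break-glass group id is replaced; both policies are created in report-only mode so sign-in impact can be reviewed before enforcement.

```powershell
# Added example (not from the article): audit and create the baseline Conditional Access
# policies behind Prerequisite 1 using Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed; the caller has
# Policy.ReadWrite.ConditionalAccess; the group id below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "<break-glass-group-object-id>"   # placeholder: emergency-access accounts

# 1. Know what is actually enforced today before adding anything.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State |
    Format-Table -AutoSize

# 2. Require MFA for all users on all cloud apps (break-glass group excluded).
$requireMfa = @{
    displayName   = "Baseline - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # flip to "enabled" after review
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 3. Block legacy authentication. "exchangeActiveSync" and "other" are the client app
#    types that cover protocols which cannot complete an MFA challenge (POP, IMAP, SMTP
#    AUTH, older Office clients), so blocking them closes the MFA bypass path.
$blockLegacy = @{
    displayName   = "Baseline - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Create each policy only if a policy with that name does not already exist.
$existing = Get-MgIdentityConditionalAccessPolicy
foreach ($policy in @($requireMfa, $blockLegacy)) {
    if (-not ($existing | Where-Object DisplayName -eq $policy.displayName)) {
        New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null
        Write-Host "Created (report-only): $($policy.displayName)"
    }
    else {
        Write-Host "Already present: $($policy.displayName)"
    }
}
```

Run it once, review the report-only sign-in results in Entra for a week or two, then switch `state` to `enabled`. PIM for privileged roles is configured separately in the Entra portal and is not covered by this script.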

Prerequisite 2 — Data hygiene

Copilot's grounding pulls from SharePoint, OneDrive, Teams and Exchange. Anything a user has been granted access to can be surfaced in an answer. Before launch:

  • Run SharePoint Advanced Management oversharing reports.
  • Identify high-risk sites — those with "Everyone except external users," large guest populations, or sensitive content with overly broad access.
  • Restrict access on those sites with SAM's restricted access control, or explicitly exclude them from Copilot grounding.
  • Archive stale sites — old, inactive sites are the worst Copilot fodder.

The infamous "Copilot found my salary" stories all trace to oversharing that already existed.
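A first-pass triage of the site estate can be scripted before the SAM reports are read in detail. The following is an added example, not from the article, using the SharePoint Online Management Shell: it flags sites that allow external sharing and sites with no content changes in a year (the stale fodder described above), writes them to a CSV for human review, and, only when run with -Apply, takes a reviewed block list out of Copilot grounding. The admin URL and CSV names are placeholders; the parameter used for the last step, RestrictContentOrgWideSearch (Restricted Content Discovery), is the one I believe Set-SPOSite exposes under SAM, so confirm it against the current cmdlet documentation before using it.

```powershell
# Added example (not from the article): triage SharePoint sites for the Prerequisite 2
# oversharing review. Assumptions: SharePoint Online Management Shell is installed and the
# caller is a SharePoint admin; AdminUrl is a placeholder; RestrictContentOrgWideSearch is
# assumed to be the Set-SPOSite switch for Restricted Content Discovery (verify first).
param(
    [string]$AdminUrl  = "https://contoso-admin.sharepoint.com",   # placeholder tenant
    [int]   $StaleDays = 365,                                      # "stale" threshold
    [switch]$Apply                                                 # default: report only
)

Connect-SPOService -Url $AdminUrl
$cutoff = (Get-Date).AddDays(-$StaleDays)

# Flag every site that is either externally shareable or has not changed in $StaleDays.
$review = Get-SPOSite -Limit All |
    Where-Object { $_.Template -notlike "REDIRECTSITE*" } |
    ForEach-Object {
        $reasons = @()
        if ($_.SharingCapability -ne "Disabled") {
            $reasons += "ExternalSharing:$($_.SharingCapability)"
        }
        if ($_.LastContentModifiedDate -lt $cutoff) {
            $reasons += "Stale:$($_.LastContentModifiedDate.ToString('yyyy-MM-dd'))"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Url       = $_.Url
                Title     = $_.Title
                StorageMB = $_.StorageUsageCurrent
                Reasons   = ($reasons -join ";")
            }
        }
    }

# Largest flagged sites first: they are the most Copilot-visible and the most work to fix.
$review | Sort-Object StorageMB -Descending |
    Export-Csv -Path .\copilot-site-review.csv -NoTypeInformation
Write-Host "$(@($review).Count) sites flagged; review copilot-site-review.csv"

# Stage 2 (human-reviewed): copilot-block-list.csv holds the subset (column "Url") that
# cannot be remediated before launch. Exclude those from Copilot grounding and org-wide
# search while access is cleaned up or the site is archived.
if ($Apply) {
    foreach ($site in Import-Csv .\copilot-block-list.csv) {
        Set-SPOSite -Identity $site.Url -RestrictContentOrgWideSearch $true
        Write-Host "Restricted content discovery enabled on $($site.Url)"
    }
}
```

Membership of "Everyone except external users" is a site-permission detail this inventory does not see; the SAM oversharing reports mentioned above are the source for that, and this script is meant to shortlist which sites to read those reports for first.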

Prerequisite 3 — Sensitivity labels

A baseline sensitivity-label taxonomy — Public, Internal, Confidential, Highly Confidential — gives Copilot signals about what to handle carefully:

  • Encrypted files the user doesn't have rights to don't surface in Copilot answers.
  • Container labels can restrict sharing on Copilot-readable sites.
  • DLP policies keyed off labels can prevent Copilot output from being shared externally.

Without labels, all content looks the same to Copilot — and that's exactly where unintended exposure happens.

Prerequisite 4 — Pilot strategy

Don't roll out to 1,000 users on day one. A typical staged rollout:

  1. Week 1–2: 20–50 power users, mixed roles. Collect feedback. Measure value.
  2. Week 3–6: scale to 200–500 across additional departments. Build a champions network.
  3. Week 7+: broader deployment.

A pilot of 100 users on a 5,000-seat tenant generates more useful learnings than a one-time rollout of 5,000.

Prerequisite 5 — Training and prompts

Users new to Copilot don't intuitively know what to ask. Provide:

  • Role-specific prompt examples — sales, finance, HR, engineering.
  • Use-case workshops — show, don't tell.
  • Prompt sharing surfaces — internal wiki, Teams channel, or Copilot Lab.
  • Feedback loops — gather what works and what doesn't.

Adoption isn't a marketing problem; it's a "people don't know what to type" problem.

Prerequisite 6 — Governance and measurement

  • Copilot adoption dashboard in the admin center.
  • Auditing of Copilot interactions through Purview audit.
  • Quarterly reviews of high-risk site lists.
  • Communication channel for users to flag issues.

Treat Copilot as an ongoing programme, not a project. The work doesn't end at deployment.
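The Purview audit and high-risk site list above can be joined into one recurring check. The following is an added example, not from the article, that pulls a week of Copilot interaction events from the unified audit log with the Exchange Online Management module and flags answers grounded on resources under a high-risk site, separating labelled from unlabelled hits. It assumes the caller has audit-log read rights, that high-risk-sites.csv (column "Url") is the quarterly-reviewed list, and that the AuditData layout (CopilotEventData.AccessedResources with Id, Name and SensitivityLabelId) matches what I have seen for RecordType CopilotInteraction; confirm the field names against a sample event from your own tenant.

```powershell
# Added example (not from the article): review Copilot interactions in the Purview audit
# log against the Prerequisite 2 high-risk site list. Assumptions: ExchangeOnlineManagement
# module, audit-log read rights, high-risk-sites.csv with a "Url" column, and the
# CopilotEventData.AccessedResources schema described in the lead-in.
Connect-ExchangeOnline

$highRisk = (Import-Csv .\high-risk-sites.csv).Url
$end      = Get-Date
$start    = $end.AddDays(-7)

# CopilotInteraction is the record type Purview uses for Copilot prompts and responses.
$events = Search-UnifiedAuditLog -RecordType CopilotInteraction `
            -StartDate $start -EndDate $end `
            -ResultSize 5000 -SessionCommand ReturnLargeSet

$findings = foreach ($e in $events) {
    $data = $e.AuditData | ConvertFrom-Json
    foreach ($r in $data.CopilotEventData.AccessedResources) {
        # Match the grounded resource to a high-risk site by URL prefix.
        $site = $highRisk | Where-Object { $r.Id -like "$_*" } | Select-Object -First 1
        if ($site) {
            [pscustomobject]@{
                When         = $e.CreationDate
                User         = $e.UserIds
                AppHost      = $data.CopilotEventData.AppHost
                Resource     = $r.Name
                HighRiskSite = $site
                Labelled     = [bool]$r.SensitivityLabelId
            }
        }
    }
}

$findings | Sort-Object When | Format-Table -AutoSize
$findings | Export-Csv -Path .\copilot-highrisk-grounding.csv -NoTypeInformation

# Unlabelled hits on high-risk sites are the priority: they are exactly the gap
# Prerequisite 3 (sensitivity labels) is meant to close.
$findings | Where-Object { -not $_.Labelled } |
    Group-Object HighRiskSite |
    Select-Object Name, Count |
    Sort-Object Count -Descending
```

Scheduling this weekly and feeding the grouped output into the quarterly site review gives the governance programme a concrete measurement: how often Copilot is actually drawing on sites the tenant already knows are overshared, and whether that number is falling.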