Chris Hudson

Microsoft 365 - Prepare for Copilot

Are you ready for take-off?

Following on from a recent announcement, Microsoft has significantly extended the reach of its much-anticipated Microsoft 365 Copilot capability to the masses. Microsoft 365 Copilot is now available to Small & Medium sized businesses with no minimum user entry requirements, assuming they are licensed via the Microsoft 365 Business Standard and/or Business Premium SKUs and can purchase the solution for an additional $30 per user / per month.

Additionally, for Enterprise customers, Microsoft 365 Copilot now accepts additional licenses beyond Microsoft 365 E3 / A3 (faculty) and E5 / A5 (faculty), by also accepting Office 365 E3 / A3 (faculty) and E5 / A5 (faculty) as eligible SKUs. Additionally, much like the SMB news, the minimum user entry restriction of 300 has also been lifted for enterprises.

And since we're talking about Microsoft 365 Copilot here, which if you didn't know already, is an Artificial Intelligence-backed productivity tool that incorporates Large Language Models and combines them with organisational data and Microsoft 365 services and applications, it would seem rather rude to not let it introduce and describe itself...

Introducing a description of Microsoft 365 Copilot, by Copilot: -

Microsoft 365 Copilot is an AI-powered productivity tool that coordinates large language models (LLMs), content in Microsoft Graph, and the Microsoft 365 apps that you use every day, such as Word, Excel, PowerPoint, Outlook, Teams, and others. It provides real-time intelligent assistance, enabling users to enhance productivity, amplify human creativity, and solve complex work tasks in one place. Copilot can help organizations achieve more than ever before using AI. It is integrated with Teams, Word, Outlook, PowerPoint, Excel, and other Microsoft 365 apps, and provides AI-powered chat with Microsoft Copilot. Copilot also offers enterprise-grade security, privacy, and compliance.

In summary, Microsoft 365 Copilot can benefit an organisation in the following ways: Enhance productivity, Amplify human creativity, Solve complex work tasks, and Automate repetitive or time-consuming tasks, such as presentation or document creation.

Here are some examples of how Microsoft 365 Copilot can benefit an organisation:

  • Automated Data Analysis in Excel: Copilot 365 can automate complex data analysis tasks in Excel. For instance, it can quickly analyze trends, perform advanced calculations, and generate comprehensive reports, saving hours of manual work.

  • Efficient Email Management in Outlook: It streamlines email management by prioritizing essential emails, scheduling responses, and organizing your inbox efficiently, ensuring you spend less time sorting emails.

  • Enhanced Document Creation in Word: Copilot 365 aids in creating more effective documents by suggesting content improvements, formatting options, and even generating text based on brief prompts, significantly speeding up the document creation process.

  • Engaging PowerPoint presentations: Copilot 365 can also help you create engaging and effective presentations in PowerPoint. For instance, you can use Copilot to create an outline for your presentation, which can save you time and effort.

I'll let you be the judge on how well Microsoft 365 Copilot defined and introduced itself above...

If an organisation is fortunate enough to be able to fund and justify the noteworthy price tag associated with Microsoft 365 Copilot, there isn't much they need to do to enable the service for users, other than procure and assign licenses and then run through an initial enablement wizard. However, it's one thing to enable the service for end-users but a whole other undertaking to ensure the successful adoption and engagement of the feature. More important still, and at the forefront of everybody's minds, should be the data security and compliance considerations, which need to be addressed well before end-user deployment is even considered.

So, are you ready to enable Microsoft 365 Copilot? - Let's take a look at each consideration below: -


Data Visibility

Starting with the basics - Is your data visible and accessible to Microsoft Graph? - If not, Copilot's capabilities are going to be significantly constrained.

Microsoft Graph has been a fundamental component of Microsoft 365 for a while now, well before the advent of Copilot, but in the context of Copilot, Microsoft Graph stores information about the relationships between users, activities, and an organisation's data. Copilot relies upon Graph to ingest, retrieve, and deliver an organisation's line-of-business data (structured and unstructured) to the end-user, which enables Copilot to understand and interpret the context around the organisation's content. Once the data is subsequently ingested through Microsoft Graph, and thus its connectors, the data is enabled for semantic understanding which allows end-users to benefit from a more personalised experience and receive more useful and relevant responses to their prompts.

Microsoft Graph introduces invaluable context from customer signals into the Copilot experience and prompts, such as information from emails, chats, documents, and meetings. Without this context, Copilot would not be able to provide as useful or relevant responses relating to the organisation's data, thus impeding productivity whilst throttling the features' capabilities.

Essentially, anything you'd like Copilot to be aware of, be it to index in searches or to provide insights on or interactions with, needs to be ingested into Microsoft Graph. Natively, data residing within Microsoft 365 platforms such as SharePoint Online, OneDrive, Teams, and Exchange Online are all ingested into Graph by default. However, Microsoft Graph connectors can also be provisioned and configured for other non-Microsoft 365 platforms where data may reside, assuming there is support for it - For example, ServiceNow and Azure DevOps.

To conclude, ensure organisational data is visible in whichever manner to the Microsoft Graph service. If you've already adopted Microsoft 365 for file storage and collaboration, then you're good to go, but if you haven't, you may want to entertain a file migration. Alternatively, if you're wanting to persist with a non-Microsoft 365 service, you should review, plan, and implement the relevant connector/s for Graph, assuming there is support for the service.


Data Security & Compliance

Moving onto the most critical component for preparation - Is your data estate confidently restricted, secured, and compliant? Have you reviewed the existing permission landscape surrounding your Data? Have you considered your commitment to data security & regulation compliance? If not, Copilot may inadvertently expose confidential, sensitive, or undesirable content to the incorrect audiences, which may also result in a data privacy breach and/or data exfiltration. Thinking back to when Microsoft Delve was originally introduced, many organisations soon realised after the fact that their sharing controls for SharePoint Online weren't quite stringent enough.

The following two items should be at the forefront of any security and/or compliance considerations for any data accessible via Microsoft 365 Copilot: -

  • Data Access: Permissions, sharing links, and public / company-wide repositories.

  • Data Protection: Microsoft Purview Sensitivity Labels and Data Loss Prevention.

Remember, Microsoft 365 Copilot doesn't directly introduce new risks around data exposure per se but rather exposes existing risks in the way of over-ambiguous permissions and/or the over-sharing of data. Copilot only ever leverages a user's existing permissions to retrieve and deliver information to them and assumes that any information already visible and accessible to the user can be brought to view for its responses, all of which is completely reasonable, but this means it's pivotal to ensure and maintain an excellent standard of content management.

Additionally, classifying, protecting, and governing organisational data has never been more pivotal than with the advent of Copilot. Microsoft Purview capabilities, such as Sensitivity Labels, Data Loss Prevention, and Retention, can help organise, govern, and most importantly secure your most confidential data.

So, how to get started?

1.  Assessment & Audit

There is never a bad time to perform a Microsoft 365 tenant assessment and discovery exercise, especially where security is concerned. In the context of this post, an audit should be exercised before enabling Copilot which is predominantly focused on access and permissions across the SharePoint Online, OneDrive, and Teams platforms, extending to site and folder permissions, sharing links, and company-wide (public) repositories such as Microsoft 365 Groups and Teams. Additionally, Microsoft 365 sharing and access controls should also be reviewed. Where non-Microsoft 365 services are to be put in scope for Copilot, permissions should also be reviewed in those services on an individual basis. Finally, it's also worthwhile reviewing the existing presence and adoption of key Microsoft Purview capabilities such as Data Classification, Sensitivity Labels (Information Protection), Data Loss Prevention, and Retention (Data Lifecycle Management).

Optionally, to further aid the assessment and protection activities for data residing in Microsoft 365, if you're willing to spend an additional $3 (£2.50) per user per month to enable the SharePoint Advanced Management capability of Microsoft Syntex, you'll be able to leverage some handy tools to detect and prevent the oversharing of data. One notable feature to assist the assessment and discovery exercise is the data access and governance reports that are made available for SharePoint Online sites. For example, one useful report called "Sharing links" helps identify sites that potentially contain overshared content.

Another useful report is "Sensitivity labels applied to files" which helps to identify SharePoint Online sites that contain documents with specific Sensitivity Labels applied - These sites can then be reviewed to ensure the correct access, security, and compliance policies are applied.

Regarding the Microsoft Purview element, tools such as Data Classification and Content Explorer can be used to discover the sensitive and potentially confidential data residing across the Microsoft 365 estate, and any other environment that Purview has been extended to. Alternatively, good old-fashioned conversations with department leads will also usually prove useful in bringing to light the types of sensitive information each department handles regularly. These findings will likely aid future design decisions when it comes to implementing Microsoft Purview controls.
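
The access audit described in this step, as an added example rather than code from the original post: it flags Public Microsoft 365 groups and sharing links scoped to anyone or to the whole organisation. Field names follow the Microsoft Graph `group` and `permission` resources; nesting each file's permissions under the file record, the sample data, and the severity weights are assumptions made for the example.

```python
"""Triage Microsoft Graph audit data for oversharing ahead of a Copilot rollout.

Records follow the Graph v1.0 `group` and `permission` resource shapes, as
returned by GET /groups and GET /drives/{drive-id}/items/{item-id}/permissions.
All sample data below is constructed; the severity weights are illustrative.
"""

# Sharing-link scopes that reach beyond named people (weights are assumptions).
BROAD_SCOPES = {"anonymous": 4, "organization": 2}


def public_groups(groups):
    """Names of Microsoft 365 groups (and their Teams) set to Public visibility."""
    return [
        g["displayName"]
        for g in groups
        if "Unified" in g.get("groupTypes", []) and g.get("visibility") == "Public"
    ]


def broad_links(items):
    """(severity, item, scope, type) for links not limited to specific users."""
    findings = []
    for item in items:
        for perm in item.get("permissions", []):
            link = perm.get("link")
            if not link:  # direct grant to a user or group, not a sharing link
                continue
            severity = BROAD_SCOPES.get(link.get("scope"))
            if severity is None:  # "users"/"existingAccess": named people only
                continue
            if link.get("type") == "edit":  # write access widens the impact
                severity += 1
            findings.append((severity, item["name"], link["scope"], link["type"]))
    return sorted(findings, reverse=True)


SAMPLE_GROUPS = [
    {"displayName": "All Company", "visibility": "Public", "groupTypes": ["Unified"]},
    {"displayName": "HR Casework", "visibility": "Private", "groupTypes": ["Unified"]},
    {"displayName": "SG-VPN-Users", "visibility": None, "groupTypes": []},
]
SAMPLE_ITEMS = [
    {"name": "Payroll-2024.xlsx", "permissions": [
        {"roles": ["write"], "link": {"scope": "organization", "type": "edit"}},
        {"roles": ["read"], "grantedToV2": {"user": {"displayName": "Payroll Lead"}}},
    ]},
    {"name": "Brochure.pdf", "permissions": [
        {"roles": ["read"], "link": {"scope": "anonymous", "type": "view"}},
    ]},
    {"name": "Board-minutes.docx", "permissions": [
        {"roles": ["read"], "link": {"scope": "users", "type": "view"}},
    ]},
]

if __name__ == "__main__":
    print("Public Microsoft 365 groups:", public_groups(SAMPLE_GROUPS))
    for sev, name, scope, kind in broad_links(SAMPLE_ITEMS):
        print(f"severity {sev}: {name} ({scope} {kind} link)")
```

The flagged items are candidates for the owner review in the Remediation step, not automatic removals.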

2.  Remediation

Once a thorough audit and assessment exercise has been completed, anything permission & access related should always be cross-referenced between the relevant parties such as the facilitating IT and Compliance teams alongside the identified data owners, such as the corresponding departments that "own" and use the data - The latter of which are usually best placed to make any decisions around who should have access to "their" data, whilst also being able to identify untoward permissions and any outliers that need to be remediated and removed. The principle of "just enough access for each user to operate their daily work activities" should always be adopted and embraced.

Once the findings from the access & permission audit have been reviewed between the relevant parties, any identified anomalies and incorrect access levels should be remediated by an administrator accordingly - Whether that be the complete removal of permissions, an amendment to their level of access, or the transitioning of a data repository from Public to Private.

3.  Protection

Once confident that the permission landscape surrounding the organisation's data is correct and configured as expected, it's time to move onwards to protecting the data moving forward.

Starting with Microsoft Purview, if not already adopted and based on the outcome of the Data Classification audit in the previous step, the appropriate features should be adopted and deployed across the estate. To begin with, we recommend that the following Purview components be implemented as an effective introduction to the technology: -

  • Classification & Sensitivity Labels: Introduce labels to classify files and repositories based on their content and audience, on either a manual or automatic basis, whilst also introducing a level of encryption to prevent unauthorised and unintended access in the future.

  • Data Loss Prevention: Introduce data loss prevention policies to protect against the accidental and/or over-sharing of sensitive data from both an internal and external perspective.

Reverting to the SharePoint Advanced Management capability of Microsoft Syntex which was referenced earlier to aid in the assessment & discovery phase, this capability also introduces advanced protection mechanisms, such as: -

  • Restrict SharePoint site access: SharePoint Online sites can have their access strictly restricted to members of a group, be it a Microsoft 365 or Security group. This means that users who aren't members of the specified groups will not be able to access the site under any circumstances, even if a sharing link has already been, or is later issued to them.

  • Secure SharePoint document libraries: On the back of the Microsoft Purview Sensitivity Label protection activity, a default label can also be applied to all content within document libraries. This ensures that any newly uploaded files, or existing files that are modified, will automatically have the specified label applied even if they don't already have one appended.


Adoption & Engagement

Next, we need to review the end-user aspect of Copilot - Are your users ready to use Copilot? Do your users know how to access Copilot across the different Microsoft 365 applications? Are your users armed with any business-specific use cases and/or prompts? - If not, end-users may become disillusioned or even frustrated with the feature, which could result in a failed investment and venture - Remember, the return on investment with Copilot predominantly correlates to improvements in productivity. End-users must be empowered, engaged, and supported throughout the entirety of this journey.

Much like other sizable undertakings in the Microsoft ecosystem, Copilot is no different in that Microsoft recommends establishing an internal Center of Excellence within the organisation where technical professionals, stakeholders, and end-users can come together to share their experiences and ask questions to promote a healthy feedback loop. Additionally, it's also advisable to adopt the "Champion" model, whereby key people within the business are elected as key drivers for the implementation and are trained and briefed accordingly. The Center of Excellence should help identify what's working well, what's not working so well, where productivity has increased, where time-saving benefits have been identified, and any useful business or role-specific prompts that have proven useful. The committee should then identify any key takeaways and pass this invaluable information onwards to the remainder of the business. Additionally, internal stakeholders, champions, and technology professionals should work together to identify any repetitive, tedious, and time-consuming tasks across the business, and then experiment with Copilot to determine whether any efficiencies can be made.

During the initial provisioning of the Copilot service via the enablement wizard, administrators have the option to allow Microsoft to e-mail users within the organisation on their behalf with information about how to use Microsoft 365 products such as Copilot. Additionally, an administrator can also opt to distribute an initial Copilot announcement and welcome e-mail to the necessary in-scope users, which is a highly recommended step.

Microsoft is committed to helping organisations and their end-users successfully engage with and adopt the Microsoft 365 Copilot product, and this is reflected in the amount of adoption material and collateral made available, some of which can be found below: -

  • User Onboarding Toolkit

The User Onboarding toolkit comprises seven pre-defined communication templates relating to different Copilot use cases and integrations with the various Microsoft 365 services and applications. The toolkit includes one communication for each week of the initial user onboarding journey, covering 7 weeks in total. The bundle contains e-mail templates as well as imagery for posts on Teams, Intranets, and Viva / Yammer, each of which is designed to engage and onboard end-users during the onboarding phase.

  • Microsoft 365 Copilot Adoption

The Copilot Adoption repository is your one-stop shop for all things Copilot. Here, you'll find a plethora of useful collateral focusing on Copilot adoption, engagement, preparation, and learning materials, which are also categorised by their target audience, such as Business Users or IT Professionals. It's hard to go wrong with all of this comprehensive material on offer.

  • Microsoft 365 Copilot Support & Help

The Copilot Help and Support portals are your go-to for assistance with Copilot. Here, you'll find useful service descriptions, definitions, demonstrations, and examples relating to each Microsoft 365 application and service that Copilot is integrated with.


The Future

There's absolutely no hiding from Artificial Intelligence in 2024, and Copilot is no exception. The hype is very much real and as the solution continues to learn, develop, and expand, the adoption and excitement surrounding Copilot is only going to multiply.

Now that we've briefly looked into what it means to "prepare for Copilot", at least to the point of getting the data estate into a position where an organisation can confidently entertain conversations around the various considerations along with the actual adoption and deployment of Copilot, we should probably review what the ongoing requirements look like. Much like other security pillars, data security is no different in that it's an ever-changing landscape and thus an ongoing responsibility.

Do you have a clear plan & process in place to accommodate & govern all the above going forward? - If not, there is a risk that all the previous preparation efforts will be quickly undone, potentially re-opening up the organisation to a compromisable and risky position, at least where data security is concerned.

Firstly, periodic and routine access reviews should continue to be conducted across the in-scope data estate, whether they are performed by a technology professional, a compliance team, and/or the "owners" of the data. This may reflect a manual process for most organisations, but for those who have bought into the SharePoint Advanced Management capability, access reviews can be somewhat automated, a bit like they are with Identity-related access reviews using the Entra ID Plan 2 license SKU. The advanced "Site access" review capability enables administrators to request owners of the top SharePoint sites discovered within the previously mentioned sharing and label reports, to review and attest that the access patterns observed within their site/s are as expected.

Finally, continuously reviewing the necessary collaboration security controls, and performing ongoing assessments of the types of data the organisation holds whilst adjusting data protection controls accordingly, are paramount to the continued success of a Copilot deployment. For example, periodically review the Data Classification component of Microsoft Purview for the presence of sensitive data, and then implement and/or amend the appropriate Purview security controls accordingly.

Happy Copilot'ing !




