
GOVERNANCE · April 11, 2026 · 14 min read

Microsoft 365 Copilot Readiness Assessment: What to Check Before You Roll Out

Microsoft 365 Copilot is the first enterprise product in a decade where the blast radius of a misconfigured tenant shows up to every user, on day one, in plain English. If a file is reachable by the person asking, Copilot will read it, summarise it, and quote from it in a chat response. That is the entire value proposition — and it is also the entire risk.

Over the last few weeks we built a Copilot Readiness Assessment into MigrationFox: a read-only scan of a Microsoft 365 tenant that produces a 1.0–4.0 score, a pilot verdict, and a prioritised list of findings across six modules. This post explains what it actually checks, why those checks matter, and how to run one on your own tenant in about five minutes.

The Copilot Oversharing Problem

Here is the scenario every IT team eventually hits. Three years ago, someone on the sales team shared a spreadsheet called 2023 Prospects – Working Copy.xlsx with an Anyone-with-the-link setting so they could forward it to a partner. The partner relationship ended. The link was never revoked. The file was never deleted. It sits, quietly, in the original owner’s OneDrive.

The day Copilot turns on, that spreadsheet is no longer dormant. Copilot's retrieval is permission-trimmed, but the trim is the caller's effective permissions: not just files they created, but anything they can read. Ask Copilot "summarise our Q4 sales pipeline" and it has no reason to exclude the stale spreadsheet. The client names, the deal values, the internal notes, all of it lands in the answer pane, potentially for a new hire who joined last week.

The more interesting failure mode is over-broad sharing links. An Anyone link is anonymous: the document is readable by whoever holds the URL, authenticated or not, and the link keeps working for as long as it exists. Its tenant-wide cousin, a People in your organization link, grants every signed-in user in the tenant effective read permission to the file whether or not anyone ever forwarded it to them, and effective permission is exactly what Copilot's retrieval honours. Copilot semantically searches the whole reachable corpus. So a file someone thought was "just a link I sent to one person" becomes a candidate for every Copilot response in the tenant.

We have seen tenants with 12,000+ active Anyone-links on the top 30 most-used SharePoint sites alone. That is not a theoretical risk. That is a Copilot response waiting to happen.

What Microsoft Tells You vs What Actually Breaks Copilot

Microsoft’s official Copilot readiness guidance is, to its credit, accurate. It tells you to: enable OneDrive, apply sensitivity labels, configure Purview, review sharing policies, and use Conditional Access. Every item on that list is correct.

What the guidance does not tell you is how to verify any of it for your specific tenant. “Configure Purview” is a two-word instruction pointing at a product surface with hundreds of toggles. “Review sharing policies” presumes you already have a report of every Anyone-link in every site. “Use sensitivity labels” presumes labels exist and are published.

More importantly, the guidance does not tell you the one specific thing that matters most for Copilot day-one safety: whether your DLP policies include Microsoft365Copilot as a protected workload. This is a single dropdown in a single Purview policy, and in the tenants we have scanned, it is almost always missing. Without it, your existing DLP rules — the ones blocking credit cards, SIN numbers, health records — do not apply to Copilot chat responses at all. Your controls silently stop working the moment Copilot is switched on.

That is the gap the readiness assessment is built to close. We do not replace Microsoft’s guidance. We verify it, tenant by tenant, finding by finding, and we surface the gaps in a report you can hand to your security team.

The Six Modules of a Real Readiness Check

The assessment is organised into six modules, each scored on the 1.0–4.0 scale. Every check calls a specific Microsoft Graph endpoint in read-only mode and records the evidence alongside the finding.

1. Licensing & Infrastructure

This module answers a basic question: does the tenant have what it needs to run Copilot at all? We enumerate subscribed SKUs via /subscribedSkus to confirm Microsoft 365 Copilot licences are present (or to flag that they are not), verify OneDrive provisioning status per user, and pull M365 service health signals. A tenant missing the Copilot SKU or with OneDrive disabled for a user segment cannot go live regardless of how well the rest of the tenant is configured.

2. Purview Current State

The most consequential module. We enumerate sensitivity labels via the Graph Information Protection endpoint, pull the list of sensitive information types, and — critically — walk every active DLP policy to check whether Microsoft365Copilot appears in the workloads array. That single check is PUR-001, the hero finding of the whole assessment (more on it below). We also flag label publishing gaps: labels that exist but are not published to the users who need them are worth roughly nothing.

3. Identity & Conditional Access

Copilot inherits the identity posture of the tenant. We read Conditional Access policies from /identity/conditionalAccess/policies, enumerate directory roles to count Global Admins (anything above five is a finding on its own), check MFA registration state, sample OAuth application grants for risky scopes, measure the guest-to-member ratio, and verify whether Privileged Identity Management is in use for eligible role activations. A tenant with 12 permanent Global Admins and no baseline CA policy is a tenant where Copilot will be accessed from personal devices in countries no one has heard of.
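What "no baseline CA policy" looks like when you actually read the policy objects back: an added Python example written for this post, not MigrationFox code. The three policies are constructed to match the shape Graph returns from /identity/conditionalAccess/policies; the finding codes and the break-glass threshold are assumptions made here.

```python
"""Baseline checks over Conditional Access policy objects.

Added example for this post, not MigrationFox code. Policies are constructed
to match GET /identity/conditionalAccess/policies; finding codes and the
break-glass threshold are assumptions.
"""

GLOBAL_ADMIN_ROLE_TEMPLATE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator

# Controls that count as "strong" for the all-users check.
STRONG_CONTROLS = {"mfa", "compliantDevice", "domainJoinedDevice"}

# Constructed sample: an admin-only MFA policy, an all-users policy left in
# report-only mode, and a legacy-auth block that somebody switched off.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for admins",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "excludeUsers": [],
                      "includeRoles": [GLOBAL_ADMIN_ROLE_TEMPLATE]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require MFA for all users",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["breakglass-1", "breakglass-2"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy auth",
        "state": "disabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def users_of(policy):
    return policy.get("conditions", {}).get("users", {})

def applies_to_all_users(policy):
    return "All" in users_of(policy).get("includeUsers", [])

def applies_to_all_apps(policy):
    apps = policy.get("conditions", {}).get("applications", {})
    return "All" in apps.get("includeApplications", [])

def requires_strong_auth(policy):
    gc = policy.get("grantControls") or {}
    # authenticationStrength is the newer way to demand phishing-resistant MFA.
    return (bool(set(gc.get("builtInControls", [])) & STRONG_CONTROLS)
            or gc.get("authenticationStrength") is not None)

def blocks_legacy_auth(policy):
    types = set(policy.get("conditions", {}).get("clientAppTypes", []))
    gc = policy.get("grantControls") or {}
    return {"exchangeActiveSync", "other"} <= types and "block" in gc.get("builtInControls", [])

def is_enforced(policy):
    # Report-only and disabled policies protect nobody.
    return policy.get("state") == "enabled"


def ca_findings(policies, max_breakglass=2):
    """Return (code, message, evidence) tuples. Evidence names the policies
    that would satisfy the check if they were enabled, so the fix is obvious."""
    findings = []
    enforced = [p for p in policies if is_enforced(p)]

    if not any(applies_to_all_users(p) and applies_to_all_apps(p) and requires_strong_auth(p)
               for p in enforced):
        nearly = [p["displayName"] for p in policies
                  if not is_enforced(p) and applies_to_all_users(p) and requires_strong_auth(p)]
        findings.append(("CA-001", "No enforced policy requires MFA or a compliant device "
                                   "for all users on all apps", nearly))

    if not any(applies_to_all_users(p) and blocks_legacy_auth(p) for p in enforced):
        nearly = [p["displayName"] for p in policies
                  if not is_enforced(p) and blocks_legacy_auth(p)]
        findings.append(("CA-002", "Legacy authentication is not blocked", nearly))

    for p in policies:
        excluded = users_of(p).get("excludeUsers", [])
        if applies_to_all_users(p) and len(excluded) > max_breakglass:
            findings.append(("CA-003", f"{p['displayName']} excludes {len(excluded)} users; "
                                       "more than the break-glass accounts is a bypass", excluded))
    return findings


if __name__ == "__main__":
    for code, message, evidence in ca_findings(SAMPLE_POLICIES):
        print(code, message, evidence)
```

Run against the sample it reports CA-001 and CA-002, each pointing at the policy that already exists and only needs its state flipped; flip all three to enabled and the list is empty. That is the useful property of evidence-bearing findings: the remediation is in the finding.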

4. M365 Apps Readiness

Copilot in Word, Excel, PowerPoint, and Outlook requires a sufficiently recent Microsoft 365 Apps (Click-to-Run) build. We pull the getM365AppUserDetail report from the Graph reports endpoint and bucket users by update channel: Current Channel and Monthly Enterprise Channel are fine; Semi-Annual Enterprise Channel lags the Copilot feature set by months and is flagged; anything older or unmanaged is a finding because the Copilot button simply does not appear for those users. This is the module that catches the "we bought licences but half the company cannot see the button" problem before it becomes a help-desk flood.

5. Teams & OneDrive Governance

This module looks at tenant-wide collaboration settings. We check the SharePoint tenant external sharing capability (Anyone vs New and existing guests vs Existing guests vs Only people in your organization) from the tenant settings endpoint, sample Teams lifecycle hygiene — orphaned teams, teams with one owner, teams that have not been used in 180 days — and measure OneDrive Known Folder Move adoption. KFM matters because if Documents, Desktop, and Pictures are not redirected to OneDrive, a large fraction of each user’s working content is invisible to Copilot. That is a Copilot value problem, not a Copilot safety problem, but it affects the readiness verdict.

6. SharePoint Permissions

The most expensive module and the one most directly tied to oversharing risk. We enumerate the top 30 most-active SharePoint sites via the Graph sites endpoint, then walk each site's sharing links to build an Anyone-link footprint. For each site we record the count of active Anyone-links, the count of links with edit vs view permission, and any links that have been active for more than 12 months. The per-site evidence is included in the report so your SharePoint admin can triage the worst offenders first rather than trying to boil the ocean. Thirty sites is a deliberate cap: it keeps the scan fast enough to finish in minutes and covers the 80% of activity on most tenants. The caveat is that activity is not sensitivity. A dormant HR or legal archive with one stale edit link can sit well outside the top 30 and still be exactly what Copilot surfaces, so read the top-30 evidence as a sample of the problem rather than its boundary, and follow it with a targeted look at the sites your data owners know hold sensitive content.
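The link walk described above (and the stale-spreadsheet scenario at the top of the post) reduces to classifying Graph permission objects, which is easy to get subtly wrong: Anyone links are `scope: "anonymous"`, tenant-wide links are `scope: "organization"`, and a link past its `expirationDateTime` is no longer live. The following is an added Python example written for this post, not MigrationFox's scanner. The site and file names are made up, the permission objects are constructed to match the shape of the item permissions endpoint, and the triage weighting in `risk_weight` is an assumption, not the assessment's scoring.

```python
"""Build a sharing-link footprint from Graph permission objects.

Added example for this post (not MigrationFox code). Input is constructed to
look like the objects returned by
GET /sites/{site-id}/drives/{drive-id}/items/{item-id}/permissions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

SCAN_TIME = datetime(2026, 4, 11, tzinfo=timezone.utc)  # "now" for the expiry check

# Constructed sample: site -> file -> list of Graph "permission" objects.
SAMPLE_TENANT = {
    "Sales": {
        "2023 Prospects - Working Copy.xlsx": [
            {"id": "p1", "roles": ["read"],
             "link": {"scope": "anonymous", "type": "view",
                      "webUrl": "https://contoso.sharepoint.com/:x:/s/sales/a1"}},
            {"id": "p2", "roles": ["owner"],
             "grantedToV2": {"user": {"displayName": "Sam Seller"}}},
        ],
        "Q4 Pipeline.xlsx": [
            {"id": "p3", "roles": ["write"],
             "link": {"scope": "organization", "type": "edit",
                      "webUrl": "https://contoso.sharepoint.com/:x:/s/sales/b2"}},
            {"id": "p4", "roles": ["read"], "expirationDateTime": "2024-01-31T00:00:00Z",
             "link": {"scope": "anonymous", "type": "view",
                      "webUrl": "https://contoso.sharepoint.com/:x:/s/sales/c3"}},
            {"id": "p5", "roles": ["read"],
             "link": {"scope": "users", "type": "view",
                      "webUrl": "https://contoso.sharepoint.com/:x:/s/sales/d4"}},
        ],
    },
    "HR-Archive": {
        "Salary Bands 2021.xlsx": [
            {"id": "p6", "roles": ["write"],
             "link": {"scope": "anonymous", "type": "edit",
                      "webUrl": "https://contoso.sharepoint.com/:x:/s/hr/e5"}},
        ],
    },
}


@dataclass
class SiteFootprint:
    site: str
    anyone_view: int = 0      # live Anyone links, view only
    anyone_edit: int = 0      # live Anyone links that allow editing
    org_wide: int = 0         # "People in your organization" links
    expired_anyone: int = 0   # Anyone links already past expirationDateTime
    evidence: list = field(default_factory=list)  # (file, scope, type, webUrl)


def is_expired(perm: dict, now: datetime) -> bool:
    """Graph emits ISO-8601 with a trailing Z; a missing expiry means the link never expires."""
    exp = perm.get("expirationDateTime")
    if not exp:
        return False
    return datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now


def site_footprint(site: str, files: dict, now: datetime) -> SiteFootprint:
    fp = SiteFootprint(site)
    for name, perms in files.items():
        for perm in perms:
            link = perm.get("link")
            if not link:
                continue  # direct grant to a user or group, not a sharing link
            scope, kind = link.get("scope"), link.get("type")
            if scope == "anonymous":
                if is_expired(perm, now):
                    fp.expired_anyone += 1
                    continue
                if kind == "edit":
                    fp.anyone_edit += 1
                else:
                    fp.anyone_view += 1
            elif scope == "organization":
                fp.org_wide += 1
            else:
                continue  # "users": specific people; reachable by Copilot but not over-broad
            fp.evidence.append((name, scope, kind, link.get("webUrl")))
    return fp


def risk_weight(fp: SiteFootprint) -> int:
    """Assumed triage weight: a live Anyone edit link counts three, any other over-broad link one."""
    return 3 * fp.anyone_edit + fp.anyone_view + fp.org_wide


def rank_sites(tenant: dict, now: datetime) -> list:
    """Worst site first, so an admin starts at the top of the list."""
    footprints = [site_footprint(s, files, now) for s, files in tenant.items()]
    return sorted(footprints, key=risk_weight, reverse=True)


if __name__ == "__main__":
    for fp in rank_sites(SAMPLE_TENANT, SCAN_TIME):
        print(fp.site, risk_weight(fp), fp.anyone_view, fp.anyone_edit, fp.org_wide, fp.expired_anyone)
```

Note that the quiet HR archive outranks the busy Sales site on this weighting: one anonymous edit link on a salary sheet is worse than two view links on a pipeline, which is the long-tail point made above in code form.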

How the Score Works

Each module produces a sub-score on the 1.0–4.0 scale by averaging its findings, where individual findings are weighted by priority. The six sub-scores are then combined into a composite — but not evenly. SharePoint Permissions and Purview Current State are weighted at 2× the other modules because those two are the modules that determine whether Copilot will overshare on day one. A tenant can have perfect identity posture and perfectly channelled Office apps and still be catastrophically unready if Purview is empty and SharePoint is leaking.

The composite score maps to a four-state pilot verdict:

Every finding also carries a priority: Must Do Before Copilot, Must Do Before Full Rollout, or Nice to Have. The priority drives both the weighting and the order of the remediation checklist.

The Single Most Important Check (PUR-001)

If we had to delete every other check in the assessment and keep one, it would be PUR-001: “Is Microsoft 365 Copilot listed as a protected workload in at least one active DLP policy?”

Here is why. Microsoft Purview DLP policies are scoped to workloads (locations): Exchange, SharePoint, OneDrive, Teams chat and channel messages, Devices, and, more recently, a dedicated Microsoft 365 Copilot location. When you create a DLP policy to block credit card numbers from being shared, you pick which workloads it applies to. Existing DLP policies, created before that location existed, do not retroactively include it. Somebody has to edit every policy and tick the box.

In practice, almost nobody does. We have scanned tenants with twelve active DLP policies, three of them carefully tuned for PHIPA-regulated content, and zero of them applied to Copilot. The policies “work” in the Purview dashboard. They show a green check. They block real violations every day. And they do absolutely nothing when a user asks Copilot “show me our patient intake form” and Copilot reads the form aloud in chat.

PUR-001 is the one check Microsoft's own readiness guidance does not verify for you. It is a finding we flag at Must Do Before Copilot priority, with evidence pulled directly from the DLP policy objects so you can hand the report to the person who owns Purview and they can fix it in ten minutes. The fix is trivial once you know. The finding is worth the entire assessment. One caveat to check alongside it: when the Copilot location first shipped, its rule conditions were based on sensitivity labels rather than sensitive information types, so a policy that matches only on SITs can tick the box and still never fire on a Copilot response. Confirm the supported conditions in the current Purview documentation, and make sure the content you care about actually carries a label.
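The PUR-001 logic, with the evidence a Purview owner needs, as an added Python example written for this post rather than MigrationFox code. The policy objects are constructed, and their field names (`name`, `enabled`, `mode`, `workloads`) are an assumed shape rather than a documented schema; map them onto whatever your export of the DLP policies looks like (the output of Get-DlpCompliancePolicy, for instance). The mode values mirror Purview's policy modes, where only Enable actually enforces.

```python
"""PUR-001: is Microsoft 365 Copilot a protected workload in an enforcing DLP policy?

Added example for this post, not MigrationFox code. Policy objects are
constructed; the field names are an assumed shape, not a documented schema.
"""
from dataclasses import dataclass

COPILOT_WORKLOAD = "Microsoft365Copilot"

# Constructed sample: two well-tuned policies that skip Copilot, one Copilot
# policy left in simulation mode, and one disabled policy that happens to cover it.
SAMPLE_DLP_POLICIES = [
    {"name": "PHIPA - Health records", "enabled": True, "mode": "Enable",
     "workloads": ["Exchange", "SharePoint", "OneDriveForBusiness", "Teams"]},
    {"name": "PCI - Card numbers", "enabled": True, "mode": "Enable",
     "workloads": ["Exchange", "SharePoint", "OneDriveForBusiness", "Teams", "EndpointDevices"]},
    {"name": "Copilot pilot guardrail", "enabled": True, "mode": "TestWithNotifications",
     "workloads": [COPILOT_WORKLOAD]},
    {"name": "Old SIN policy", "enabled": False, "mode": "Enable",
     "workloads": ["Exchange", COPILOT_WORKLOAD]},
]


@dataclass
class Pur001Result:
    status: str                  # "pass", "partial" or "fail"
    priority: str                # always Must Do Before Copilot for this check
    enforcing: list              # enabled, mode Enable, Copilot in scope
    test_mode_only: list         # Copilot in scope but simulation mode only
    disabled_with_copilot: list  # Copilot in scope but the policy is switched off
    missing_copilot: list        # live policies that silently skip Copilot


def pur001(policies) -> Pur001Result:
    enforcing, testing, disabled, missing = [], [], [], []
    for p in policies:
        covers = COPILOT_WORKLOAD in p.get("workloads", [])
        if not p.get("enabled", False):
            if covers:
                disabled.append(p["name"])
            continue
        if not covers:
            missing.append(p["name"])
        elif p.get("mode") == "Enable":
            enforcing.append(p["name"])
        else:
            testing.append(p["name"])  # TestWith(out)Notifications reports, never blocks
    if enforcing:
        status = "pass"
    elif testing or disabled:
        status = "partial"  # someone started the work; nothing is enforced yet
    else:
        status = "fail"
    return Pur001Result(status, "Must Do Before Copilot", enforcing, testing, disabled, missing)


def add_copilot_workload(policy) -> dict:
    """The remediation, expressed as data: the same policy with the Copilot workload added."""
    workloads = list(policy.get("workloads", []))
    if COPILOT_WORKLOAD not in workloads:
        workloads.append(COPILOT_WORKLOAD)
    return dict(policy, workloads=workloads)


if __name__ == "__main__":
    print(pur001(SAMPLE_DLP_POLICIES))
    print(pur001([add_copilot_workload(p) for p in SAMPLE_DLP_POLICIES[:2]]).status)
```

The sample comes back as partial, not pass: the only Copilot-scoped policy is in test mode and the other one is disabled. A "green" that counts simulation-mode or disabled policies is the same silent failure the post describes, one layer down.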

If PUR-001 fails, nothing else in your readiness report matters until it is green. A tenant with no Copilot-scoped DLP should not run a Copilot pilot, full stop.

Read-Only by Design

A readiness tool that can modify your tenant is a liability. From day one we decided the scan would be read-only at the architectural level, not just by convention.

The Graph client that performs every call in the assessment has a write guard at the client level: any HTTP verb other than GET raises before the request leaves the process. There is no code path from the readiness scanner to a write request. You cannot accidentally misconfigure it into mutating your tenant because the mutation path does not exist.
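What a verb-level write guard looks like in practice: an added Python example written for this post, not MigrationFox's client. The transport is injectable so the guard can be exercised offline; the default transport uses urllib with a bearer token you already hold (token acquisition is out of scope here), and the two pages of /subscribedSkus are constructed, not real tenant data. The host allowlist is an addition of mine: a read-only client should also refuse to send its bearer token anywhere but Graph.

```python
"""A Graph client with no write path: the verb check runs before any socket opens.

Added example for this post, not MigrationFox code. `send` is injectable for
offline use; the default transport is urllib. Sample pages are constructed.
"""
import json
import urllib.request
from urllib.parse import urlsplit

GRAPH_HOSTS = {"graph.microsoft.com"}


class WriteAttempt(RuntimeError):
    """Raised for any verb other than GET, before a request object even exists."""


class ReadOnlyGraphClient:
    def __init__(self, token: str, send=None):
        self._token = token
        self._send = send or self._urllib_send  # send(url, headers) -> parsed JSON dict

    def request(self, method: str, url: str) -> dict:
        if method.upper() != "GET":
            raise WriteAttempt(f"read-only client refused {method.upper()} {url}")
        host = urlsplit(url).hostname
        if host not in GRAPH_HOSTS:
            raise ValueError(f"refusing to send a bearer token to {host!r}")
        headers = {"Authorization": f"Bearer {self._token}", "Accept": "application/json"}
        return self._send(url, headers)

    def get(self, url: str) -> dict:
        return self.request("GET", url)

    def get_all(self, url: str) -> list:
        """Follow @odata.nextLink so paged collections come back whole."""
        items = []
        while url:
            page = self.get(url)
            items.extend(page.get("value", []))
            url = page.get("@odata.nextLink")
        return items

    @staticmethod
    def _urllib_send(url: str, headers: dict) -> dict:
        req = urllib.request.Request(url, headers=headers, method="GET")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)


# Constructed offline transport: two pages of /subscribedSkus, no network involved.
FAKE_PAGES = {
    "https://graph.microsoft.com/v1.0/subscribedSkus": {
        "value": [{"skuPartNumber": "ENTERPRISEPACK"}],
        "@odata.nextLink": "https://graph.microsoft.com/v1.0/subscribedSkus?$skiptoken=p2",
    },
    "https://graph.microsoft.com/v1.0/subscribedSkus?$skiptoken=p2": {
        "value": [{"skuPartNumber": "Microsoft_365_Copilot"}],
    },
}


def fake_send(url: str, headers: dict) -> dict:
    assert headers["Authorization"].startswith("Bearer ")
    return FAKE_PAGES[url]


def refuses(client: ReadOnlyGraphClient, method: str, url: str) -> bool:
    """True if the client rejects the call without sending anything."""
    try:
        client.request(method, url)
    except (WriteAttempt, ValueError):
        return True
    return False


if __name__ == "__main__":
    client = ReadOnlyGraphClient("dummy-token", send=fake_send)
    print([s["skuPartNumber"] for s in client.get_all("https://graph.microsoft.com/v1.0/subscribedSkus")])
    print(refuses(client, "PATCH",
                  "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/"
                  "00000000-0000-0000-0000-000000000000"))
```

The point is structural rather than procedural: there is no `post`, `put`, `patch` or `delete` method to call, and `request` rejects the verb before it builds the request, so a bug elsewhere in the scanner cannot reach a write.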

The app registration you create for the scan is granted exactly fourteen read-only Microsoft Graph application scopes. Not sixteen, not "Directory.ReadWrite.All just in case". Fourteen, all ending in .Read.All, covering directory, policy, reports, sites, files, information protection, and service health. The consent screen in Microsoft Entra ID (formerly Azure AD) shows every scope; you see exactly what you are agreeing to before you click Accept. Read-only is not the same as low-privilege, though: the application-level sites and files scopes (Sites.Read.All and Files.Read.All, or their equivalents) can read every document in the tenant with no user present, which makes the registration itself a high-value credential. Keep the client secret short-lived or use a certificate, restrict who can see it, and delete the registration when the engagement ends.

Once the scan completes, every finding, every piece of evidence, every score is stored encrypted at rest with AES-256-GCM in the MigrationFox database. The encryption key is per-environment and never leaves the API server. If our database were stolen tomorrow, the findings would be ciphertext.

Finally, the scan is fast. A typical mid-market tenant (500–2,000 users, 20–50 active SharePoint sites) completes a full six-module assessment in three to five minutes. That matters because a slow tool gets skipped, and a skipped tool produces no findings. Five minutes is short enough to run before a meeting and read the report during it.

Pricing — Free, Insight, Partner

The free tier is a real sneak peek, not the whole product. The point is to let you know whether your tenant has a problem worth fixing — once you know that, the paid tiers give you the tools to actually fix it. Here is the honest breakdown.

Free Snapshot — $0

One assessment per calendar month. View-only. You get your composite score, the four-state pilot verdict, the module scorecard with finding counts per module, and one sample finding rendered in the same format as the paid tiers so you can see what you are missing. There are no exports — no JSON, no HTML, no CSV, no Word, no Excel — and no email or webhook delivery on completion. The free tier exists to answer one question honestly: does your tenant have a Copilot readiness problem? Once you know the answer is yes, upgrading is the next step.

Insight — $79 CAD / month

Unlimited assessments. The full finding list with every observation, business impact, recommendation, evidence source, owner role, effort estimate, and Microsoft Docs link. JSON export for AI tools and downstream automation. In-browser HTML preview so you can read the full report without downloading anything. Score trend tracking across every run so you can watch the number move as you remediate. Email and webhook delivery on every completed assessment. This is the tier for an in-house IT or security team that owns one tenant and wants to drive it to green.

Partner — $399 CAD / month

Everything in Insight, plus the outputs consulting firms actually need to deliver to clients: CSV export of the finding list ready to import into Microsoft Planner as a remediation backlog, plus the Word client deliverable (.docx) and Excel action plan (.xlsx) coming in the next release. This is the tier for MSPs and governance consultancies running readiness engagements across multiple clients — one scan produces both the narrative report the client reads and the action sheet their IT team works from.

Consultant Report — $999 CAD (one-off)

A single-tenant, non-recurring option for firms that need one deep report for one client and nothing else. Includes 90 days of access to the full finding list and exports for that specific assessment. No subscription, no auto-renew.

How to Run Your First Assessment in 5 Minutes

The setup is the same whether you are on Free, Insight, or Partner. The only difference is what you can do with the result afterward.

  1. Register and create a governance workspace. Sign up at app.migrationfox.com/register and open the Governance tab. There is no migration setup required — the Copilot assessment is a standalone module.
  2. Create a Microsoft Entra ID (Azure AD) app registration. In your Microsoft 365 tenant, create a new app registration, add the 14 read-only Graph application scopes listed in our setup wizard, and grant admin consent. The wizard gives you the exact scope list you can copy-paste.
  3. Paste your credentials into MigrationFox. Tenant ID, client ID, and client secret. The credentials are validated against Graph before they are saved and stored encrypted at rest.
  4. Run the scan. Click Run Assessment. You will see progress per module — Licensing, Purview, Identity, Apps, Teams/OneDrive, SharePoint Permissions. Most tenants complete in three to five minutes.
  5. Read the report. Free Snapshot users see the score, the verdict, the module scorecard, and one sample finding right in the wizard. Insight users get the full sorted findings list with priority filters plus JSON and HTML exports. Partner users get everything in Insight plus the CSV / Word / Excel client deliverables. Either way, start with every Must Do Before Copilot finding and work down.

If you have ever set up an app registration for a cloud backup tool or an SSO provider, this will feel familiar. If you have not, the wizard walks you through the Azure portal screens one by one.

Common Findings We See in the Wild

Every tenant is different, but the failure patterns are remarkably consistent. Here are the findings we see in something like 70%+ of first-run assessments, in rough order of frequency:

None of these are exotic. All of them are fixable. What the assessment gives you is the specific, prioritised list for your tenant, with evidence, owner, and effort estimate attached so you can actually run the remediation as a project rather than a vibe.

Where This Fits in a Broader Migration Programme

Most teams running a Copilot readiness assessment are also in the middle of something bigger — a tenant-to-tenant migration, a Google Workspace to M365 cutover, a Dropbox consolidation. The readiness score is a useful gate: it tells you whether the destination tenant is safe to start piling content into before the migration concludes. If you are in that boat, our cloud migration checklist for IT admins pairs naturally with this assessment — run the readiness scan against the destination before Phase 3 of the checklist, not after.

Get Started

If you are planning a Copilot rollout in the next 90 days, the most valuable thing you can do this week is run a readiness scan against your production tenant and find out where you actually stand. The Free Snapshot is designed for exactly that: five minutes of setup, three to five minutes of scan, a composite score, a four-state pilot verdict, the per-module breakdown, and one sample finding so you can see exactly what the paid report looks like. No credit card.

Start at app.migrationfox.com/governance, or create a free account first at app.migrationfox.com/register. If you hit anything confusing in the setup wizard, the scopes list, or the report itself, we want to hear about it — every finding category in this assessment started as feedback from somebody who ran into the problem in production.

Copilot is going to be the most-used feature in Microsoft 365 within a year. The tenants that get there safely are the ones that treated readiness as a verification exercise and not a checkbox. We built this tool so that verification takes five minutes instead of five weeks.
