New — Microsoft 365 Copilot Readiness Assessment

Find Copilot oversharing before Copilot finds it for you.

A read-only Microsoft Graph scan that produces a 1.0–4.0 readiness score across six modules — DLP coverage, SharePoint Anyone-link audit, Conditional Access, Purview labels, Teams governance, and more. Runs in 3–5 minutes. No writes. Ever.

Read-only. No credit card. 1 free snapshot per tenant per month.

Example output (your score will vary by tenant), as shown at app.migrationfox.com/governance:

Composite Readiness Score for contoso.onmicrosoft.com: 1.2 / 4.0 (NOT READY)

Top Must-Do Before Copilot:
  • PUR-001 (CRIT): DLP does not protect Microsoft365Copilot as a workload
  • SPO-004 (CRIT): 14 sites with active "Anyone with the link" sharing
  • IAM-002 (CRIT): 9 Global Admins, no PIM, no MFA enforcement on 2

The Verdict

One score. Four decisions.

Every scan ends with a number between 1.0 and 4.0 and one of four plain-English verdicts. No ambiguity. No "it depends".

1.0 – 1.9

NOT READY

Critical gaps in DLP, oversharing, or identity will leak sensitive data through Copilot. Do not enable Copilot — even for a pilot — until the Must Do Before Copilot items are resolved.

2.0 – 2.9

PARTIALLY READY

Run a tightly scoped pilot with 5–10 hand-picked users on non-sensitive workloads only.

3.0 – 3.4

MOSTLY READY

Internal pilot approved for any team. Resolve the remaining Must Do Before Full Rollout items before expanding.

3.5 – 4.0

READY

Full Copilot rollout approved. Maintain ongoing monitoring with quarterly assessments.

What We Scan

Six modules. One composite score.

Each module reads a specific corner of your tenant through Microsoft Graph and contributes to the final 1.0–4.0 score.

01. Licensing & Infrastructure
Confirms the subscribed SKUs, OneDrive enablement, and M365 service health before anything else runs.
Graph endpoints: /subscribedSkus · /admin/serviceAnnouncement

02. Purview Current State
Inventories sensitivity labels, sensitive info types, and DLP policies — including whether Microsoft365Copilot is a protected workload.
Graph endpoints: /security/labels · /dataLossPreventionPolicies

03. Identity & Conditional Access
Audits CA policies, MFA enforcement, guest ratio, OAuth grants, Global Admins, and PIM coverage.
Graph endpoints: /conditionalAccess/policies · /directoryRoles

04. M365 Apps Readiness
Checks Office update channel adoption so users actually get Copilot features on the right build.
Graph endpoints: /deviceManagement · /reports/office365

05. Teams & OneDrive Governance
Reviews Teams lifecycle policy, tenant external sharing posture, and OneDrive Known Folder Move adoption.
Graph endpoints: /groups · /admin/sharepoint/settings

06. SharePoint Permissions
Runs a per-site Anyone-link audit on up to 30 SharePoint sites — the exact surface area Copilot will index.
Graph endpoints: /sites · /sites/{id}/permissions

THE CRITICAL CHECK — PUR-001

Does your DLP actually protect Copilot as a workload?

Every other Copilot readiness tool on the market treats DLP as a boolean: "you have DLP policies, you're fine". That is wrong. Microsoft365Copilot is a distinct DLP workload. If your existing DLP policies don't explicitly list it in the workload scope, Copilot can surface labelled and regulated content to any user who can see the underlying file — through a chat response.

PUR-001 inspects every DLP policy in the tenant, parses the workload array, and flags any policy where Microsoft365Copilot is missing. It's the single highest-impact finding in the report — and the one nobody else surfaces.

Regulated industries (PHIPA/HIPAA, OSFI, GMP) cannot enable Copilot until this check passes.
// What PUR-001 looks for
{
  "name": "Confidential DLP",
  "workload": [
    "Exchange",
    "SharePoint",
    "OneDriveForBusiness"
    // "Microsoft365Copilot" ⚠ missing from the workload scope
  ]
}

Verdict: MUST DO BEFORE COPILOT
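The check described above, written out as an added example (this is not MigrationFox's code). It takes DLP policies in the shape of the illustrative JSON on this page (a `name` plus a `workload` array) and returns a PUR-001-style finding. How the policies are fetched from the tenant is left to the caller; the finding's dictionary layout and the case-insensitive comparison are assumptions, not details from the page.

```python
"""PUR-001-style check: which DLP policies omit the Microsoft365Copilot workload?

Added example, not MigrationFox code. The policy shape (name + workload array)
follows the illustrative JSON on the page; fetching the real policies from the
tenant is assumed to be done by the caller.
"""
from typing import Iterable

COPILOT_WORKLOAD = "Microsoft365Copilot"

# Constructed sample: three policies shaped like the page's illustration.
SAMPLE_POLICIES = [
    {"name": "Confidential DLP",
     "workload": ["Exchange", "SharePoint", "OneDriveForBusiness"]},
    {"name": "PHI DLP",
     "workload": ["Exchange", "SharePoint", "OneDriveForBusiness",
                  "Microsoft365Copilot"]},
    {"name": "Legacy DLP", "workload": []},  # scoped to no workloads at all
]


def policy_covers_copilot(policy: dict) -> bool:
    """True if the policy's workload scope explicitly lists Microsoft365Copilot.

    The comparison is case-insensitive and whitespace-tolerant; that is a
    defensive assumption, since the page does not state how the value is cased.
    A missing or null "workload" key counts as not covering Copilot.
    """
    workloads = policy.get("workload") or []
    return any(str(w).strip().lower() == COPILOT_WORKLOAD.lower() for w in workloads)


def check_pur_001(policies: Iterable[dict]) -> dict:
    """Evaluate PUR-001 over a set of DLP policies.

    Returns a finding dict with the id, severity, the names of policies that
    omit the Copilot workload, and a verdict. The severity and verdict strings
    mirror the page ("CRIT", "MUST DO BEFORE COPILOT"); the dict layout is an
    assumption for this example.
    """
    policies = list(policies)
    missing = [p.get("name", "<unnamed>") for p in policies
               if not policy_covers_copilot(p)]
    covered = len(policies) - len(missing)

    if not policies:
        summary = "no DLP policies found"  # nothing protects Copilot at all
    elif missing:
        summary = f"{len(missing)} of {len(policies)} DLP policies omit {COPILOT_WORKLOAD}"
    else:
        summary = f"all {len(policies)} DLP policies include {COPILOT_WORKLOAD}"

    # The finding fails when any policy lacks the workload, or when there are
    # no DLP policies to begin with (an empty tenant is also unprotected).
    failed = bool(missing) or not policies
    return {
        "id": "PUR-001",
        "severity": "CRIT" if failed else "OK",
        "passed": not failed,
        "policies_missing_copilot": missing,
        "policies_covering_copilot": covered,
        "summary": summary,
        "verdict": "MUST DO BEFORE COPILOT" if failed else "No action required",
    }


if __name__ == "__main__":
    finding = check_pur_001(SAMPLE_POLICIES)
    print(f"{finding['id']} [{finding['severity']}] {finding['summary']}")
    for name in finding["policies_missing_copilot"]:
        print(f"  - {name}")
```

Run against the constructed sample, the check reports two of three policies ("Confidential DLP" and "Legacy DLP") as missing the workload and raises a CRIT finding; a tenant with no DLP policies at all is treated as a failure rather than a pass, which is the edge case a boolean "you have DLP" check gets wrong.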

Trust

Read-only by design.

Three independent guarantees that mean this scan cannot change anything in your tenant.

Write guard at the API client

Every Graph request goes through a client that rejects PATCH, POST, PUT, and DELETE before the wire. No write is physically possible — not even accidentally.
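What a write guard of this kind looks like in code, as an added example (not MigrationFox's implementation). The transport is injectable so the demo runs offline against a fake; a real deployment would pass a function that performs the HTTPS request. The method allowlist, the audit trail of refused calls, and the decision to refuse POST even for Graph's `$batch` endpoint are design choices of this example, not details from the page.

```python
"""Read-only Microsoft Graph client guard: refuse write verbs before the wire.

Added example, not MigrationFox code. The transport is injectable so this runs
offline with a fake; a real deployment would supply a function that performs
the HTTPS request (assumption).
"""
from typing import Callable, Dict, List, Tuple

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Only verbs that cannot change tenant state are allowed. Graph also accepts
# POST for some read-style calls (for example /$batch); those are refused as
# well, because a batch body could carry writes the guard would never inspect.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
WRITE_METHODS = frozenset({"PATCH", "POST", "PUT", "DELETE"})

# (method, url) -> (status, body)
Transport = Callable[[str, str], Tuple[int, bytes]]


class WriteBlocked(Exception):
    """Raised when a caller tries to send anything other than a read."""


class ReadOnlyGraphClient:
    def __init__(self, transport: Transport):
        self._transport = transport
        self.blocked: List[Tuple[str, str]] = []  # audit trail of refused calls

    def request(self, method: str, path: str) -> Tuple[int, bytes]:
        verb = method.strip().upper()
        if verb not in ALLOWED_METHODS:
            # Record and refuse before any network activity happens.
            self.blocked.append((verb, path))
            reason = "write verb" if verb in WRITE_METHODS else "unsupported verb"
            raise WriteBlocked(f"refused {verb} {path}: {reason}; client is read-only")
        return self._transport(verb, f"{GRAPH_BASE}{path}")

    def get(self, path: str) -> Tuple[int, bytes]:
        """The only convenience helper is GET, so the normal API cannot
        even express a write."""
        return self.request("GET", path)


# --- Constructed fake transport for the offline demonstration ---------------
SENT: List[Tuple[str, str]] = []


def fake_transport(method: str, url: str) -> Tuple[int, bytes]:
    """Stands in for Graph: records what would have gone over the wire."""
    SENT.append((method, url))
    return 200, b'{"value": []}'


def demo() -> Dict[str, int]:
    """Issue one read and several attempted writes; return the counts."""
    SENT.clear()
    client = ReadOnlyGraphClient(fake_transport)
    client.get("/subscribedSkus")
    for verb in ("POST", "PATCH", "PUT", "DELETE", "post"):
        try:
            client.request(verb, "/groups")
        except WriteBlocked:
            pass  # expected: the guard refuses before the transport is called
    return {"sent": len(SENT), "blocked": len(client.blocked)}


if __name__ == "__main__":
    print(demo())
```

The guard sits in front of the transport rather than inside it, so nothing the caller does with the request can reach the network unless the verb is on the allowlist; the lower-case `post` in the demo shows why the check normalizes the method name before comparing. Keeping `blocked` as an in-memory audit trail makes accidental write attempts visible in logs or tests instead of silently disappearing.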

AES-256-GCM encryption at rest

All findings and raw evidence are encrypted with AES-256-GCM before they touch the database. Keys are managed separately from the data store.

14 read-only Graph scopes

Only .Read.All and equivalent read scopes — admin-consented once. A scope-diff UI shows you exactly what's missing before you run.

How It Works

Four steps. Five minutes.

STEP 01: Connect
Paste service-account credentials or use delegated OAuth. About 5 minutes of Azure AD setup the first time.

STEP 02: Verify
A scope-diff UI shows exactly which of the 14 read-only Graph permissions are present and which are missing, before anything runs.

STEP 03: Run
All six modules execute in 3–5 minutes. Read-only Graph calls only — your tenant never notices.

STEP 04: Read
Score banner and module scorecard for all tiers. Insight unlocks the full remediation checklist and JSON / HTML exports. Partner adds the Word and Excel client deliverables for consulting engagements.

Pricing

Simple, transparent pricing

All prices in CAD. Start free — upgrade when you need full findings.

Free Snapshot

CA$0

View-only sneak peek. 1 assessment / tenant / month.

  • Full 1.0–4.0 composite score
  • All 6 modules run
  • Module scorecard with finding counts
  • One sample finding (preview)
  • No full findings list
  • No exports (no JSON, HTML, CSV, or Word/Excel)
  • No email or webhook delivery
  • No score trend history

Copilot Readiness Insight

CA$79 / month

or CA$790/year — save 2 months

  • Unlimited assessments
  • Full findings list across all 6 modules
  • JSON export
  • In-browser HTML preview
  • Score trend over time
  • Email & webhook delivery
  • Single tenant

Copilot Readiness Partner

CA$399 / month

or CA$3,990/year — save 2 months

  • Everything in Insight
  • Word client deliverable (.docx) — coming soon
  • Excel action plan (.xlsx) — coming soon
  • CSV export → Microsoft Planner
  • Built for MSPs and consultants

One-off: Consultant Report — CA$999 one-time

Single tenant. 90-day access. Ideal for one-shot engagements where a subscription doesn't make sense.


FAQ

Frequently asked questions

Is this safe to run in a production tenant?
Yes. The assessment is 100% read-only. A write guard enforced at the Graph API client level makes PATCH, POST, PUT and DELETE physically impossible — not just policy, but code. It only consumes read-only Graph scopes and cannot alter tenant state even if we wanted it to.
What permissions does it need?
14 read-only Microsoft Graph scopes (all .Read.All or equivalent), admin-consented once. Before any scan runs, the scope-diff UI shows you exactly which are present and which are missing, so you never hit a mid-run permission failure.
How long does a scan take?
Three to five minutes for a typical tenant. The SharePoint permissions module is the slowest because it audits up to 30 sites for Anyone-link exposure — the exact surface area Copilot will index.
Can I run it on a customer's tenant as a consultant?
Yes — the Partner tier is built exactly for this. Today you get the CSV-to-Microsoft-Planner export so the client's IT team has a ready-to-assign remediation backlog. The Word client deliverable and Excel action plan are landing in the next release — the consultant-grade narrative report your client reads, plus the filterable action sheet their IT team works from. One-off Consultant Report at CA$999 is also available when a subscription doesn't fit the engagement shape.
How is this different from Microsoft Secure Score?
Secure Score is a generic security posture tool — it will tell you to enable MFA and patch things. This assessment is Copilot-specific. The clearest example is PUR-001: checking whether Microsoft365Copilot is a protected DLP workload. Secure Score doesn't look at that. Nobody else does.
Will this slow down my tenant?
No. The scan issues read-only Graph calls only, throttled by Microsoft's own published limits. For users of the tenant, it's indistinguishable from not running.
What if I don't have Microsoft Purview?
The assessment handles it gracefully. Missing Purview endpoints return a 404, which is surfaced as "endpoint not available in this tenant" rather than a crash or a scope error — and is itself recorded as a gap in the score.
How is this different from running the checks manually?
Depth, speed, and repeatability. A manual walkthrough of all six modules typically takes half a day and produces six disconnected reports; this runs in 3–5 minutes and produces one composite score plus a single prioritized backlog you can track quarter over quarter.

Run your first Copilot Readiness assessment in 5 minutes.

Free Snapshot. No credit card required. Read-only by design.