EPC Group - Enterprise Microsoft AI, SharePoint, Power BI, and Azure Consulting

Copilot Readiness: 47 Questions Before Go-Live

Microsoft Copilot readiness checklist — 47-point enterprise audit across 8 domains: identity, data surface, license, governance, sensitivity labeling, compliance, use case, adoption. Common critical gaps with mitigations.

Errin O'Connor, CEO & Chief AI Architect • February 16, 2026 • 5 min read
Tags: Microsoft Copilot, Readiness, Checklist, Microsoft Purview, Microsoft Defender, Compliance, Microsoft Restricted Search

Microsoft Copilot Readiness Checklist: The Enterprise 47-Point Audit (2026)

Before Microsoft 365 Copilot is licensed, an enterprise-grade readiness audit determines whether the tenant is positioned for safe deployment — or whether oversharing, identity gaps, sensitivity-label coverage, and governance immaturity will cause compliance findings or pilot abandonment within 90 days.

This is the working enterprise readiness checklist EPC Group uses for Fortune 500 organizations. Built from 90+ Microsoft Copilot deployments across healthcare, financial services, government, manufacturing, and technology.

EPC Group has delivered Microsoft Copilot readiness assessments for Fortune 500 organizations since the M365 Copilot GA wave.

TL;DR — 8-Domain Readiness Checklist

Domain                        Checks
1. Identity readiness         7
2. Data surface readiness     8
3. License readiness          6
4. Governance readiness       6
5. Sensitivity labeling       5
6. Compliance readiness       6
7. Use case readiness         5
8. Adoption readiness         4

47 total checks. Each must score "ready" or "remediation in progress" before tenant-wide Microsoft 365 Copilot licensing.

Domain 1: Identity Readiness (7 Checks)

  • Microsoft Entra ID coverage: 100% of users (no on-premises AD-only accounts)
  • MFA at 100% coverage on Copilot-eligible users
  • Hardware token / FIDO2 / PIV/CAC for privileged accounts
  • Conditional Access policies: required MFA, blocked legacy auth, device compliance
  • Microsoft Entra Privileged Identity Management for admin elevation
  • Inactive account cleanup (target: <2% inactive in past 90 days)
  • Service account hygiene (no Microsoft Copilot licenses on service accounts)

Typical findings: 5-15% inactive accounts, MFA gaps in service accounts, weak Conditional Access.

Domain 2: Data Surface Readiness (8 Checks)

  • SharePoint sites with "Everyone except external users" permissions identified
  • OneDrive folders shared with "Anyone with link" identified
  • Microsoft 365 Group lifecycle policies enabled
  • Inactive site detection running
  • External sharing posture audited
  • Microsoft Restricted SharePoint Search ready to enable
  • Stale OneDrive content from departed employees archived
  • Microsoft Teams chat retention configured

Typical findings: 30-50% of sites with broad permissions; 10-20% of OneDrive folders shared with anonymous links; weak external sharing posture.

Domain 3: License Readiness (6 Checks)

  • Microsoft 365 E3 / E5 backbone confirmed for Copilot-eligible users
  • Microsoft 365 E5 features (Microsoft Defender XDR, Microsoft Purview Premium) licensed
  • Microsoft Fabric F-SKU sizing (F64+ for Power BI Copilot)
  • Microsoft Power Platform licensing for Microsoft Copilot Studio agents
  • Microsoft Defender for Cloud Apps for BYOAI / Shadow AI governance
  • Microsoft Entra ID P2 for risk-based access

Typical findings: E3 backbone with no E5 add-on; Microsoft Fabric capacity not provisioned; Microsoft Defender for Cloud Apps not licensed.

Domain 4: Governance Readiness (6 Checks)

  • Microsoft Purview AI Hub configured
  • Microsoft Purview Audit (Premium) retention configured (7+ years)
  • Microsoft Sentinel for SOC monitoring
  • AI ethics committee charter signed
  • AI risk register established
  • Acceptable Use Policy (AUP) AI provisions added

Typical findings: AI Hub not configured; AI ethics committee not established; AUP doesn't cover AI tools.

Domain 5: Sensitivity Labeling (5 Checks)

  • Microsoft Purview sensitivity label taxonomy published (5-tier)
  • Auto-labeling rules deployed for regulated content patterns
  • Container labels applied at site level
  • DLP policies for Restricted-tier blocking
  • Coverage at 80%+ on regulated content within 90 days of rollout

Typical findings: Sensitivity-label coverage at 5-15% pre-assessment; auto-labeling rules not configured; container labels not applied.

Domain 6: Compliance Readiness (6 Checks)

  • HIPAA BAA executed (healthcare)
  • FINRA Rule 3110 supervision program (financial services)
  • FedRAMP Moderate / High tenant (federal)
  • CMMC Level 2 readiness (DoD contractors)
  • EU AI Act conformity assessment (European tenants)
  • NIST AI RMF mapping (federal alignment)

Typical findings: BAA execution unverified; supervision program absent; NIST AI RMF mapping not started.

Domain 7: Use Case Readiness (5 Checks)

  • Department-by-department use case inventory completed
  • Persona-by-persona value modeling completed
  • Common workflow patterns identified for Microsoft Copilot Studio agents
  • Power BI semantic model coverage assessed
  • Microsoft Dynamics 365 / CRM Copilot for Sales / Service scope defined

Typical findings: Use cases unidentified; ROI not modeled; persona prioritization absent.

Domain 8: Adoption Readiness (4 Checks)

  • Champion network identified (1 per 50 users)
  • Pilot user list assembled (50-200 users, 4-6 personas)
  • Workforce AI literacy training plan documented
  • Microsoft Viva Engage Copilot community pre-launched

Typical findings: Champion network absent; pilot scope undefined; training plan absent.

Common Critical Gaps

Critical Gap 1: SharePoint Oversharing

90%+ of Fortune 500 tenants have significant oversharing — sites with "Everyone except external users" permissions, OneDrive folders with anonymous links, Microsoft 365 Groups with public membership.

Impact: Microsoft 365 Copilot will surface content the user shouldn't see in practice — HR documents, M&A planning, performance reviews.

Mitigation: Microsoft Restricted SharePoint Search Day 1 + permissions cleanup over 90-180 days.
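
One way to run the "identified" checks from Domain 2 over exported permissions, as an added example that is not EPC Group's tooling. It assumes each entry is a Microsoft Graph `permission` object for an item; the sample data, paths, and severity ordering are constructed for illustration.

```python
# Constructed sample: (item path, Microsoft Graph `permission` objects for that
# item). Paths, IDs and the tenant GUID are placeholders, not real data.
SAMPLE_ITEMS = [
    ("/personal/jdoe/Documents/Offers", [
        {"id": "p1", "roles": ["read"], "link": {"scope": "anonymous", "type": "view"}},
    ]),
    ("/sites/HR/Shared Documents/Reviews", [
        {"id": "p2", "roles": ["write"], "grantedToV2": {"siteUser": {
            "displayName": "Everyone except external users",
            "loginName": "c:0-.f|rolemanager|spo-grid-all-users/00000000-0000-0000-0000-000000000000"}}},
        {"id": "p3", "roles": ["owner"], "grantedToV2": {"user": {"displayName": "HR Lead"}}},
    ]),
    ("/sites/Finance/Shared Documents/Budget", [
        {"id": "p4", "roles": ["read"], "link": {"scope": "organization", "type": "view"}},
    ]),
    ("/sites/Legal/Shared Documents/Contracts", [
        {"id": "p5", "roles": ["write"], "link": {"scope": "users", "type": "edit"}},
    ]),
]
EEEU_CLAIM = "spo-grid-all-users"  # part of the "Everyone except external users" login name
# Severity ordering is this example's assumption, not a ranking from the article.
SEVERITY = {"anyone-link": 3, "everyone-except-external": 2, "org-wide-link": 1}

def classify(permission):
    """Map one permission object to a broad-access category, or None."""
    scope = (permission.get("link") or {}).get("scope")
    if scope == "anonymous":          # "Anyone with link"
        return "anyone-link"
    if scope == "organization":       # link usable by every account in the tenant
        return "org-wide-link"
    site_user = (permission.get("grantedToV2") or {}).get("siteUser") or {}
    if EEEU_CLAIM in site_user.get("loginName", ""):
        return "everyone-except-external"
    return None                       # named users or groups: not a broad grant

def find_oversharing(items):
    """Return (path, category, roles) for broad grants, most severe first."""
    hits = []
    for path, permissions in items:
        for perm in permissions:
            category = classify(perm)
            if category:
                hits.append((path, category, sorted(perm.get("roles", []))))
    return sorted(hits, key=lambda h: (-SEVERITY[h[1]], h[0]))
```

Items that return no hits are the natural candidates for the Restricted SharePoint Search allowlist while cleanup proceeds on the rest.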

Critical Gap 2: Sensitivity Label Coverage

Most enterprise tenants have 5-15% sensitivity-label coverage on regulated content. For healthcare (PHI), financial services (MNPI), government (CUI), this is a critical gap.

Impact: Restricted-tier protection doesn't function; Microsoft Copilot grounding can surface regulated content.

Mitigation: Microsoft Purview auto-labeling rules + 90-day coverage push to 80%+.

Critical Gap 3: Microsoft Purview Audit Retention

Default Microsoft Purview Audit retention is 90 days. HIPAA, FINRA, SEC, and FedRAMP-regulated tenants require 7-year (or 10-year for SEC Rule 17a-4) retention.

Impact: Audit log gaps prevent compliance attestation.

Mitigation: Microsoft Purview Audit (Premium) license + retention policy update.

Critical Gap 4: Conditional Access Maturity

Many tenants have Conditional Access policies but they don't enforce required posture for Copilot — MFA exceptions, legacy auth allowed, weak device compliance.

Impact: Copilot accessible from compromised credentials or unmanaged devices.

Mitigation: Conditional Access policy hardening before Copilot rollout.
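
A check for the three weaknesses named above, added here as an example and not taken from EPC Group's assessment tooling. It assumes policies exported as Microsoft Graph `conditionalAccessPolicy` objects; the sample policies and the group name are constructed.

```python
# Constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects
# (GET /identity/conditionalAccess/policies); not data from a real tenant.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA - all users", "state": "enabled",
     "conditions": {"clientAppTypes": ["all"],
                    "users": {"includeUsers": ["All"], "excludeGroups": ["grp-mfa-exempt"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                    "users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "MFA or compliant device", "state": "enabled",
     "conditions": {"clientAppTypes": ["all"], "users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
]
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}

def _all_users(policy):
    return "All" in policy["conditions"].get("users", {}).get("includeUsers", [])

def _requires(policy, control):
    """True when the control is mandatory: sole control, or combined with AND."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    return control in controls and (len(controls) == 1 or grant.get("operator") == "AND")

def audit_conditional_access(policies):
    """Flag the gaps named above: MFA exceptions, legacy auth allowed, weak device
    compliance. Simplified: ignores authenticationStrength, app and role scoping."""
    findings = [f"report-only, not enforced: {p['displayName']}" for p in policies
                if p.get("state") == "enabledForReportingButNotEnforced"]
    enforced = [p for p in policies if p.get("state") == "enabled" and _all_users(p)]
    mfa = [p for p in enforced if _requires(p, "mfa")]
    if not mfa:
        findings.append("no enforced all-users MFA policy")
    for p in mfa:
        users = p["conditions"]["users"]
        excluded = users.get("excludeUsers", []) + users.get("excludeGroups", [])
        if excluded:
            findings.append(f"MFA exception in '{p['displayName']}': {excluded}")
    if not any(LEGACY_CLIENTS <= set(p["conditions"].get("clientAppTypes", []))
               and _requires(p, "block") for p in enforced):
        findings.append("legacy authentication not blocked by an enforced policy")
    if not any(_requires(p, "compliantDevice") for p in enforced):
        findings.append("device compliance not required (absent or optional via OR)")
    return findings
```

Emergency-access account exclusions will also show up as MFA exceptions; treat each finding as an item to review against a documented justification, not as an automatic removal.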

Critical Gap 5: Workforce AI Literacy

Most enterprises have no AI literacy training program. Users don't understand Copilot grounding, what data they can prompt with, or compliance obligations.

Impact: Inadvertent compliance violations, low utilization, support burden.

Mitigation: Microsoft Viva Learning required course + acceptable use policy update.

EPC Group AI Readiness Assessment

EPC Group offers a 4-week fixed-fee Microsoft Copilot Readiness Assessment that covers all 47 checks above, produces an Architecture Decision Record (ADR), and delivers a 12-month roadmap. See AI Readiness Assessment.

Frequently Asked Questions

How long does it take to remediate gaps?

Most gaps remediate in 90-180 days. Critical gaps (oversharing, sensitivity labeling) take longer. EPC Group standard remediation timeline:

  • Identity gaps: 30 days
  • Microsoft Restricted Search: Day 1
  • Permissions cleanup: 90-180 days
  • Sensitivity labeling: 90 days to 80%+ coverage
  • Microsoft Purview AI Hub configuration: 30 days
  • AI ethics committee + AUP: 60 days

Can we deploy Copilot before all gaps are closed?

Microsoft Restricted Search lets you deploy Copilot to a curated allowlist of sites while permissions cleanup proceeds. This is the recommended approach for most enterprises.

What if oversharing is severe?

EPC Group standard pattern: Microsoft Restricted Search Day 1 + permission cleanup wave per department. Pilot Copilot to allowlisted sites; expand as cleanup progresses.

How do we measure readiness?

EPC Group standard scoring:

  • 47/47 checks "ready" → green light
  • 35-46 checks "ready" → yellow, deploy with mitigations
  • <35 checks "ready" → red, remediation required first

What about regulated industries?

Healthcare (HIPAA), financial services (FINRA, SEC), government (FedRAMP, CMMC), and pharma (GxP) have stricter compliance requirements. Domain 6 of the checklist expands to industry-specific requirements.

Who delivers readiness assessments?

EPC Group senior architects with combined Microsoft 365, Microsoft Purview, Microsoft Defender, Microsoft Sentinel, and AI governance experience. Errin O'Connor is a 4-time Microsoft Press author.

Next Steps

Schedule a 30-minute Microsoft Copilot Readiness Assessment scoping call at /schedule or call (888) 381-9725. Senior architects (not sales) take discovery calls.

Related reading: AI Readiness Assessment, Copilot for Microsoft 365 Complete Deployment Guide, Microsoft Copilot Governance Framework for Regulated Industries, Microsoft Copilot Adoption Enterprise Playbook, and Microsoft 365 Copilot Security & Data Protection Enterprise Guide.
