
Microsoft's 4-page checklist covers licensing and prerequisites. EPC Group's 47-Point Assessment covers the security gaps that actually cause data exposure.
Quick Answer: Microsoft's official Copilot readiness checklist covers licensing prerequisites, technical requirements, and high-level governance recommendations. It does not address the five security gaps that cause real-world data exposure incidents: broken SharePoint permission inheritance, Teams meeting recording policies, sensitivity label enforcement (not just configuration), guest and former employee access, and DLP policies for Copilot-generated content. EPC Group's 47-Point Assessment covers all five — plus 42 other security checkpoints Microsoft's checklist never mentions.
Microsoft's Copilot readiness documentation is designed to get organizations to purchase and deploy Copilot licenses. It answers the question “What do I need to turn on Copilot?” — not the question “What do I need to secure before turning on Copilot?” These are fundamentally different questions with fundamentally different answers.
The Microsoft checklist will confirm that you have the right licenses, that Entra ID is configured, that Microsoft Graph access is enabled, and that the web experience is turned on. It will recommend that you “review data governance” and “consider sensitivity labels.” What it will not do is tell you that 340 of your SharePoint sites have broken permission inheritance exposing financial data to all employees, or that 1,100 abandoned guest accounts can still access your content through Copilot.
EPC Group has audited 700+ Microsoft 365 tenants. We developed the 47-Point Security Assessment specifically because we saw organizations deploying Copilot after completing Microsoft's checklist — and experiencing data exposure incidents within 30-60 days. Here are the five gaps we see in every engagement.
Microsoft's checklist recommends "reviewing SharePoint permissions" but does not address permission inheritance — the mechanism by which subsites, libraries, and folders inherit access from parent sites. When inheritance is broken (a common administrative action), permissions at lower levels diverge from the site-level policy. Over years of operation, a typical enterprise tenant accumulates hundreds of broken inheritance points, creating permission configurations that no human can audit manually.
We audited a financial services firm with 2,400 SharePoint sites. 340 sites had broken inheritance at the library or folder level. 67 of those contained financial data that was accessible to "Everyone except external users" at the parent level, and because breaking inheritance copies the parent's permissions rather than removing them, the site owners believed they had restricted access when they had not. Copilot would have surfaced that financial data to all 8,000 employees.
Run a SharePoint permission inheritance report using PowerShell or third-party tools (ShareGate, AvePoint). Identify every point where inheritance is broken and evaluate whether the resulting permissions match intended access. EPC Group's assessment automates this analysis across all sites and libraries, flagging high-risk inheritance breaks where sensitive content is exposed.
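One way to produce the inheritance report described above with PnP PowerShell, as an added example (not EPC Group's or Microsoft's code): it walks one site's document libraries and their folders, records every point where inheritance is broken, and flags the ones whose unique permissions still include an "Everyone" group. The site URL, the `Get-AssignedPrincipals` helper and the "Everyone" pattern are assumptions for the example.

```powershell
# Added example (not EPC Group's or Microsoft's code): report broken inheritance
# points in one site with PnP PowerShell and flag those still open to "Everyone".
# Assumes the PnP.PowerShell module and read access to the site; the URL is a placeholder.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/finance" -Interactive

# Resolve the principals (users/groups) holding a role assignment on a securable object
function Get-AssignedPrincipals($securable) {
    $assignments = Get-PnPProperty -ClientObject $securable -Property RoleAssignments
    foreach ($ra in $assignments) {
        $member = Get-PnPProperty -ClientObject $ra -Property Member
        $member.Title
    }
}

# Heuristic: "Everyone" and "Everyone except external users" both start with this word
$broadPattern = '^Everyone'

$findings = foreach ($list in Get-PnPList -Includes HasUniqueRoleAssignments, BaseType) {
    if ($list.BaseType -ne "DocumentLibrary") { continue }

    if ($list.HasUniqueRoleAssignments) {
        $who = @(Get-AssignedPrincipals $list)
        [pscustomobject]@{ Scope = "Library"; Path = $list.Title
                           Principals = ($who -join "; ")
                           BroadAccess = [bool]($who -match $broadPattern) }
    }

    # Folders can break inheritance again below the library. Each check is one
    # round trip, so this part is slow on very large libraries.
    $folders = Get-PnPListItem -List $list -PageSize 500 -Fields "FileRef", "FSObjType" |
               Where-Object { $_["FSObjType"] -eq 1 }
    foreach ($folder in $folders) {
        if (-not (Get-PnPProperty -ClientObject $folder -Property HasUniqueRoleAssignments)) { continue }
        $who = @(Get-AssignedPrincipals $folder)
        [pscustomobject]@{ Scope = "Folder"; Path = $folder["FileRef"]
                           Principals = ($who -join "; ")
                           BroadAccess = [bool]($who -match $broadPattern) }
    }
}

# Broad-access breaks first: these are the "owner thought it was restricted" cases
$findings | Sort-Object BroadAccess -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path .\inheritance-breaks.csv -NoTypeInformation
```

Run it per site (or loop over `Get-PnPTenantSite`) and review the `BroadAccess` rows against the intended access for each library before enabling Copilot.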
Microsoft's checklist does not address Teams meeting recording and transcription policies. By default, meeting recordings are stored in OneDrive (for non-channel meetings) or SharePoint (for channel meetings), and meeting transcriptions are searchable by Copilot. This means every recorded meeting — executive strategy sessions, HR discussions, legal reviews, clinical case conferences — becomes part of Copilot's searchable corpus.
A healthcare organization recorded clinical case conferences for training purposes. The recordings were stored in a Teams channel accessible to 200+ staff members. When Copilot was enabled, a billing department employee asked Copilot about a specific medical condition and received responses citing patient discussions from case conference transcriptions. This constituted a HIPAA violation because the billing employee was not authorized to access PHI from clinical discussions.
Audit Teams meeting recording policies: who can record, where recordings are stored, who has access to recordings and transcriptions, and what retention policies apply. For sensitive meetings (executive, HR, legal, clinical), configure recordings to be accessible only to the meeting organizer and designated reviewers. Apply sensitivity labels to meeting recordings containing sensitive content.
Microsoft's checklist recommends "deploying sensitivity labels" — and most organizations check this box by configuring labels in the Purview portal. But configuration is not enforcement. In the average enterprise tenant, fewer than 15% of existing documents have sensitivity labels applied. Auto-labeling is either not configured or limited in scope. Users are not trained to apply labels manually. The result: millions of documents that Copilot can access with no sensitivity classification — meaning no DLP policy, no encryption, and no access restriction based on content sensitivity.
An enterprise with 50,000 employees had configured a comprehensive sensitivity label taxonomy 18 months earlier. When we audited, only 8% of SharePoint documents had labels applied. Auto-labeling covered only Exchange Online (email). The 92% of unlabeled documents included HR records, legal contracts, financial forecasts, and M&A documentation. Copilot treated all of these as general-access content because no label meant no protection policy applied.
Measure label adoption, not just configuration. Run a sensitivity label analytics report to determine what percentage of content is labeled. Deploy auto-labeling policies for SharePoint and OneDrive (not just Exchange). Implement mandatory labeling policies that require users to label documents before saving. For legacy content, use bulk auto-labeling based on content classification scans.
Microsoft's checklist does not address guest accounts or historical access from former employees. Entra ID guest accounts persist indefinitely unless explicitly removed. Former employees who become contractors often have guest accounts with residual SharePoint permissions from their employee tenure. External collaborators from completed projects retain access to project sites. Copilot exposes this because guest users querying Copilot can access any SharePoint content their guest account has permissions to — including content shared during a project that ended years ago.
A technology company had 4,200 active guest accounts in Entra ID. Our audit found: 1,100 accounts had not signed in for 6+ months (likely abandoned), 340 had access to SharePoint sites containing proprietary product development data, 89 were former employees with both a disabled employee account and an active guest account with different but overlapping permissions. None of this was on Microsoft's Copilot readiness radar.
Run an Entra ID guest access report. Identify guest accounts with no sign-in activity in 90+ days. Review SharePoint site permissions for all guest accounts. Implement guest access expiration policies (automatic removal after 30/60/90 days of inactivity). For former employees, verify that offboarding procedures include guest account removal in addition to employee account deactivation. Configure quarterly guest access reviews using Entra ID Access Reviews.
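The guest access report above, as an added example using Microsoft Graph PowerShell (not EPC Group's or Microsoft's code): it lists every guest account, takes the most recent of its interactive and non-interactive sign-ins, and marks accounts idle for more than 90 days as stale. The 90-day threshold and the output file name are assumptions; reading sign-in activity needs the AuditLog.Read.All scope and an Entra ID P1/P2 tenant.

```powershell
# Added example (not EPC Group's or Microsoft's code): find Entra ID guest accounts
# with no sign-in for 90+ days using the Microsoft.Graph.Users module.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

$staleDays = 90   # assumption; the page suggests 30/60/90-day inactivity policies
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$staleDays)

$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property "id,displayName,userPrincipalName,mail,createdDateTime,accountEnabled,signInActivity"

$report = foreach ($g in $guests) {
    # Consider both interactive and non-interactive sign-ins; otherwise a guest whose
    # access is exercised only through a client app looks abandoned when it is not.
    $lastSeen = @($g.SignInActivity.LastSignInDateTime,
                  $g.SignInActivity.LastNonInteractiveSignInDateTime) |
                Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    # A guest that never signed in is measured from its invitation date instead
    $reference = if ($lastSeen) { $lastSeen } else { $g.CreatedDateTime }
    [pscustomobject]@{
        DisplayName   = $g.DisplayName
        Upn           = $g.UserPrincipalName
        Enabled       = $g.AccountEnabled
        Created       = $g.CreatedDateTime
        LastSeen      = $lastSeen
        NeverSignedIn = -not $lastSeen
        Stale         = $reference -lt $cutoff
    }
}

$stale = @($report | Where-Object Stale)
"{0} guest accounts, {1} with no sign-in since {2:yyyy-MM-dd}" -f @($report).Count, $stale.Count, $cutoff
$stale | Sort-Object LastSeen | Export-Csv -Path .\stale-guests.csv -NoTypeInformation
```

Cross-reference the stale list with SharePoint site permissions before removal so that the accounts still holding access to sensitive sites are handled first.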
Microsoft's checklist mentions DLP as a general governance recommendation but does not address the unique DLP challenge Copilot creates: content aggregation. Traditional DLP protects content where it lives — a confidential document in SharePoint, a sensitive email in Exchange. Copilot generates new content by pulling from multiple sources. A Copilot-generated executive summary might combine revenue projections from one site, employee performance data from another, and strategic plans from a third — creating a new document that aggregates data from three different classification levels with no automatic sensitivity label.
An executive asked Copilot to "prepare a quarterly business review draft." Copilot pulled data from: the finance SharePoint site (Q3 revenue, classified as Confidential-Financial), the HR SharePoint site (headcount and turnover data, classified as Confidential-HR), and the strategy Teams channel (competitive analysis, classified as Highly Confidential). The resulting Word document contained Highly Confidential data but had no sensitivity label. The executive shared it with their entire leadership team via a Teams chat — half of whom did not have Highly Confidential clearance.
Deploy DLP policies that specifically cover Copilot-generated content in Word, PowerPoint, Outlook, and Teams. Implement mandatory sensitivity labeling for all new documents (Copilot-generated or otherwise). Configure DLP policies to detect content patterns that indicate data aggregation from multiple classification levels. Monitor Copilot usage logs for queries that access content across multiple sensitivity levels.
Microsoft's checklist takes 30 minutes. A real assessment takes 2-3 weeks. Here is the difference in scope, depth, and deliverables.
| Area | Microsoft Checklist | EPC 47-Point Assessment |
|---|---|---|
| Licensing | Validates required licenses | Validates licenses + cost optimization analysis |
| Identity | Confirms Entra ID exists | 8-point identity audit (MFA, CA, PIM, risk policies, break-glass) |
| SharePoint Permissions | "Review permissions" | Full inheritance analysis across all sites and libraries |
| Sensitivity Labels | "Deploy labels" | Measures label adoption rate + auto-labeling coverage + enforcement gaps |
| Teams Recordings | Not addressed | Recording policy audit, transcription access, retention policies |
| Guest Access | Not addressed | Guest account audit, stale access removal, expiration policies |
| Copilot DLP | "Consider DLP" | Copilot-specific DLP for content aggregation and generation |
| Remediation Plan | Not included | Prioritized 30/60/90 day roadmap with effort estimates |
| Deliverable | 4-page checklist | 40+ page report with Pass/Fail per checkpoint |
| Duration | 30 minutes | 2-3 weeks |
| Cost | Free | $15,000 |
The ROI Case: The average Copilot data exposure incident costs $50,000-$250,000 in incident response, legal review, and remediation — not counting regulatory fines for HIPAA or SOC 2 violations. A $15,000 assessment that prevents even one incident delivers 3-17x ROI. For regulated industries, the assessment is not optional — it is the minimum standard of care that auditors and regulators expect.
Microsoft's official Copilot readiness checklist covers licensing prerequisites, technical requirements (Entra ID, Microsoft Graph, web experience), and basic data governance recommendations. It misses five critical areas: 1) Broken SharePoint permission inheritance that exposes sensitive sites to all employees, 2) Teams meeting recording policies that make clinical, legal, and executive discussions searchable by Copilot, 3) The gap between configuring sensitivity labels and actually enforcing them on existing content, 4) Guest and former employee access that gives Copilot access to external users' data, 5) DLP policies specifically for Copilot-generated content that can aggregate sensitive data from multiple sources.
SharePoint permission inheritance is the mechanism by which subsites, libraries, and folders inherit access permissions from their parent site. When inheritance is "broken" (a SharePoint feature that allows custom permissions at any level), permissions can drift significantly from the parent site. A common pattern: a site owner breaks inheritance on a library to give a specific team access, but the original broad permissions from the parent site remain. Over 3-5 years, dozens of broken inheritance points create a permission maze that no admin can manually audit. Copilot exposes this because it searches across all sites a user can access — including sites with inherited permissions the user may not know they have.
A genuine Copilot readiness assessment requires more than Microsoft's 4-page checklist. Start with: 1) Run a SharePoint permission report (SharePoint admin center > Active sites > export sharing report) to identify overshared sites. 2) Check sensitivity label deployment — not just configuration, but actual label application on documents. 3) Review Teams meeting recording policies for who can access recordings and transcriptions. 4) Run a guest access report in Entra ID and review external user permissions. 5) Check DLP policy scope to see if Copilot scenarios are covered. If any of these areas have gaps, you are not Copilot-ready regardless of what the Microsoft checklist says. EPC Group's 47-Point Assessment covers all of this systematically.
Configuration means creating sensitivity labels in the Microsoft Purview portal — defining the label taxonomy (Public, Internal, Confidential, Highly Confidential), assigning protection actions (encryption, watermarks, access restrictions), and publishing the labels to users. Enforcement means labels are actually applied to existing content. Microsoft's checklist treats label configuration as sufficient. In reality, most organizations configure labels but only 5-15% of existing documents get labeled because: auto-labeling is not enabled, users are not trained to apply labels, there is no policy mandating labeling, and legacy content predating label deployment is completely unlabeled. Copilot treats unlabeled content as accessible — making millions of legacy documents searchable without sensitivity classification.
Former employees themselves cannot access Copilot after account deactivation. However, the risk is more subtle: 1) Guest accounts created for former employees who transitioned from employee to contractor/consultant status may still be active with lingering SharePoint permissions. 2) Shared mailboxes and Teams channels that included former employees may still contain sensitive content that Copilot can surface to current members. 3) OneDrive content from former employees that was not properly managed during offboarding may be accessible if it was shared broadly before departure. The gap in Microsoft's checklist is that it does not address historical access patterns — only current licensing and configuration.
Standard DLP policies protect content at rest and in transit. Copilot-specific DLP policies must address content generation: 1) Copilot can aggregate data from multiple sources into a single response — a Copilot summary might combine salary data from one SharePoint site, performance reviews from another, and termination plans from an email, creating a new document with data from three different classification levels. 2) Copilot-generated drafts in Word, PowerPoint, and Outlook inherit no sensitivity label by default — users must manually label Copilot outputs. 3) Copilot meeting summaries may contain sensitive discussion points. DLP policies must cover Copilot-generated content in all M365 apps, not just traditional file storage locations.
Microsoft's official checklist is 4 pages covering licensing, technical prerequisites, and high-level governance recommendations. EPC Group's 47-Point Assessment is a 2-3 week engagement that examines 47 specific security checkpoints across 6 domains: Identity & Access (8 points), Email Security (7 points), Data Protection (9 points), Endpoint Management (7 points), Compliance & Governance (8 points), and Copilot & AI Readiness (8 points). Each checkpoint receives a Pass/Fail/Partial rating with specific remediation steps. The assessment includes SharePoint permission inheritance analysis, sensitivity label enforcement measurement, Copilot data exposure modeling, and a prioritized 30/60/90 day remediation roadmap. Cost: $15,000.
EPC Group performs Copilot & M365 Tenant Security Reviews for enterprises across all industries. With 700+ tenants secured and 29 years of Microsoft expertise, we identify exactly what Copilot can access that it shouldn't.
Microsoft's checklist covers 4 pages. Our 47-Point Assessment covers 47 security checkpoints across 6 domains — including the 5 critical gaps described above. Start with the assessment ($15,000) and get a prioritized remediation roadmap.