5 Things Microsoft's Copilot Readiness Checklist Doesn't Cover
Microsoft's 4-page checklist covers licensing and prerequisites. EPC Group's 47-Point Assessment covers the security gaps that actually cause data exposure.
Microsoft's official Copilot readiness checklist covers licensing, prerequisites, and basic settings. EPC Group's 47-Point Assessment covers the five security gaps that actually cause data exposure: broken SharePoint permission inheritance, Teams meeting recording policies, sensitivity label enforcement (not just configuration), guest and former employee access, and DLP for Copilot-generated content.
Key Facts
- Microsoft's official readiness checklist is 4 pages covering licensing and prerequisites only.
- EPC Group's 47-Point Assessment covers the security gaps Microsoft's checklist skips.
- 80%+ of enterprise M365 tenants have at least one broken SharePoint permission inheritance.
- Guest accounts from departing vendors and former employees persist in most tenants — Copilot uses their access tokens.
- Most organizations have sensitivity labels configured but not enforced — Copilot treats unlabeled and unenforced-labeled content the same way.
Microsoft's 4-Page Checklist vs. EPC Group's 47-Point Review
Quick Answer: Microsoft's official Copilot readiness checklist includes licensing prerequisites, technical requirements, and governance recommendations. However, it does not cover five security gaps that lead to data exposure incidents:
- Broken SharePoint permission inheritance
- Teams meeting recording policies
- Sensitivity label enforcement (not just configuration)
- Guest and former employee access
- DLP policies for Copilot-generated content
EPC Group's 47-Point Assessment addresses all five gaps, along with 42 additional security checkpoints that Microsoft's checklist does not mention.
Microsoft's Copilot readiness documentation helps organizations buy and set up Copilot licenses. It focuses on the question, “What do I need to turn on Copilot?”
This is different from the question, “What do I need to secure before turning on Copilot?” Each question has its own unique answers.
The Microsoft checklist helps you confirm several important items:
- It ensures you have the correct licenses.
- It checks that Entra ID is set up.
- It verifies that Microsoft Graph access is enabled.
- It confirms that the web experience is activated.
Additionally, the checklist suggests you:
- review data governance
- consider sensitivity labels
However, it does not inform you that:
- 340 of your SharePoint sites have broken permission inheritance, exposing financial data to all employees.
- 1,100 abandoned guest accounts can still access your content through Copilot.
EPC Group has audited 700+ Microsoft 365 tenants. We developed the 47-Point Security Assessment specifically because we saw organizations deploying Copilot after completing Microsoft's checklist — and experiencing data exposure incidents within 30-60 days. Here are the five gaps we see in every engagement.
Gap 1: Broken SharePoint Permission Inheritance
The Problem
Microsoft's checklist recommends "reviewing SharePoint permissions" but does not address permission inheritance — the mechanism by which subsites, libraries, and folders inherit access from parent sites. When inheritance is broken (a common administrative action), permissions at lower levels diverge from the site-level policy. Over years of operation, a typical enterprise tenant accumulates hundreds of broken inheritance points, creating permission configurations that no human can audit manually.
Real-World Example
We audited a financial services firm with 2,400 SharePoint sites. 340 sites had broken inheritance at the library or folder level. 67 of those contained financial data accessible to "Everyone except external users" at the parent level — but the broken inheritance created a false sense of security because the site owner thought they had restricted access. Copilot would have surfaced that financial data to all 8,000 employees.
How to Fix It
Run a SharePoint permission inheritance report using PowerShell or third-party tools (ShareGate, AvePoint). Identify every point where inheritance is broken and evaluate whether the resulting permissions match intended access. EPC Group's assessment automates this analysis across all sites and libraries, flagging high-risk inheritance breaks where sensitive content is exposed.
Gap 2: Teams Meeting Recording Policies
The Problem
Microsoft's checklist does not address Teams meeting recording and transcription policies. By default, meeting recordings are stored in OneDrive (for non-channel meetings) or SharePoint (for channel meetings), and meeting transcriptions are searchable by Copilot. This means every recorded meeting — executive strategy sessions, HR discussions, legal reviews, clinical case conferences — becomes part of Copilot's searchable corpus.
Real-World Example
A healthcare organization recorded clinical case conferences for training purposes. The recordings were stored in a Teams channel accessible to 200+ staff members. When Copilot was enabled, a billing department employee asked Copilot about a specific medical condition and received responses citing patient discussions from case conference transcriptions. This constituted a HIPAA violation because the billing employee was not authorized to access PHI from clinical discussions.
How to Fix It
Audit Teams meeting recording policies: who can record, where recordings are stored, who has access to recordings and transcriptions, and what retention policies apply. For sensitive meetings (executive, HR, legal, clinical), configure recordings to be accessible only to the meeting organizer and designated reviewers. Apply sensitivity labels to meeting recordings containing sensitive content.
Gap 3: Sensitivity Label Enforcement vs. Configuration
The Problem
Microsoft's checklist recommends "deploying sensitivity labels" — and most organizations check this box by configuring labels in the Purview portal. But configuration is not enforcement. In the average enterprise tenant, fewer than 15% of existing documents have sensitivity labels applied. Auto-labeling is either not configured or limited in scope. Users are not trained to apply labels manually. The result: millions of documents that Copilot can access with no sensitivity classification — meaning no DLP policy, no encryption, and no access restriction based on content sensitivity.
Real-World Example
An enterprise with 50,000 employees had configured a comprehensive sensitivity label taxonomy 18 months earlier. When we audited, only 8% of SharePoint documents had labels applied. Auto-labeling covered only Exchange Online (email). The 92% of unlabeled documents included HR records, legal contracts, financial forecasts, and M&A documentation. Copilot treated all of these as general-access content because no label meant no protection policy applied.
How to Fix It
Measure label adoption, not just configuration. Run a sensitivity label analytics report to determine what percentage of content is labeled. Deploy auto-labeling policies for SharePoint and OneDrive (not just Exchange). Implement mandatory labeling policies that require users to label documents before saving. For legacy content, use bulk auto-labeling based on content classification scans.
Gap 4: Guest and Former Employee Access
The Problem
Microsoft's checklist does not address guest accounts or historical access from former employees. Entra ID guest accounts persist indefinitely unless explicitly removed. Former employees who become contractors often have guest accounts with residual SharePoint permissions from their employee tenure. External collaborators from completed projects retain access to project sites. Copilot exposes this because guest users querying Copilot can access any SharePoint content their guest account has permissions to — including content shared during a project that ended years ago.
Real-World Example
A technology company had 4,200 active guest accounts in Entra ID. Our audit found: 1,100 accounts had not signed in for 6+ months (likely abandoned), 340 had access to SharePoint sites containing proprietary product development data, 89 were former employees with both a disabled employee account and an active guest account with different but overlapping permissions. None of this was on Microsoft's Copilot readiness radar.
How to Fix It
Run an Entra ID guest access report. Identify guest accounts with no sign-in activity in 90+ days. Review SharePoint site permissions for all guest accounts. Implement guest access expiration policies (automatic removal after 30/60/90 days of inactivity). For former employees, verify that offboarding procedures include guest account removal in addition to employee account deactivation. Configure quarterly guest access reviews using Entra ID Access Reviews.
Gap 5: DLP for Copilot-Generated Content
The Problem
Microsoft's checklist mentions DLP as a general governance recommendation but does not address the unique DLP challenge Copilot creates: content aggregation. Traditional DLP protects content where it lives — a confidential document in SharePoint, a sensitive email in Exchange. Copilot generates new content by pulling from multiple sources. A Copilot-generated executive summary might combine revenue projections from one site, employee performance data from another, and strategic plans from a third — creating a new document that aggregates data from three different classification levels with no automatic sensitivity label.
Real-World Example
An executive asked Copilot to "prepare a quarterly business review draft." Copilot pulled data from: the finance SharePoint site (Q3 revenue, classified as Confidential-Financial), the HR SharePoint site (headcount and turnover data, classified as Confidential-HR), and the strategy Teams channel (competitive analysis, classified as Highly Confidential). The resulting Word document contained Highly Confidential data but had no sensitivity label. The executive shared it with their entire leadership team via a Teams chat — half of whom did not have Highly Confidential clearance.
How to Fix It
Deploy DLP policies that specifically cover Copilot-generated content in Word, PowerPoint, Outlook, and Teams. Implement mandatory sensitivity labeling for all new documents (Copilot-generated or otherwise). Configure DLP policies to detect content patterns that indicate data aggregation from multiple classification levels. Monitor Copilot usage logs for queries that access content across multiple sensitivity levels.
What a Real Copilot Readiness Assessment Looks Like
Microsoft's checklist takes 30 minutes. A real assessment takes 2-3 weeks. Here is the difference in scope, depth, and deliverables.
| Area | Microsoft Checklist | EPC 47-Point Assessment |
|---|---|---|
| Licensing | Validates required licenses | Validates licenses + cost optimization analysis |
| Identity | Confirms Entra ID exists | 8-point identity audit (MFA, CA, PIM, risk policies, break-glass) |
| SharePoint Permissions | "Review permissions" | Full inheritance analysis across all sites and libraries |
| Sensitivity Labels | "Deploy labels" | Measures label adoption rate + auto-labeling coverage + enforcement gaps |
| Teams Recordings | Not addressed | Recording policy audit, transcription access, retention policies |
| Guest Access | Not addressed | Guest account audit, stale access removal, expiration policies |
| Copilot DLP | "Consider DLP" | Copilot-specific DLP for content aggregation and generation |
| Remediation Plan | Not included | Prioritized 30/60/90 day roadmap with effort estimates |
| Deliverable | 4-page checklist | 40+ page report with Pass/Fail per checkpoint |
| Duration | 30 minutes | 2-3 weeks |
| Cost | Free | $15,000 |
The ROI Case: The average cost of a Copilot data exposure incident is between $50,000 and $250,000. This amount covers expenses such as:
- Incident response
- Legal review
- Remediation
Note that this figure does not include possible regulatory fines for HIPAA or SOC 2 violations.
A $15,000 assessment can prevent even one incident. This can result in a return on investment (ROI) of 3 to 17 times.
For regulated industries, this assessment is essential. It establishes the minimum standard of care expected by auditors and regulators.
Frequently Asked Questions
What does Microsoft's Copilot readiness checklist miss?
Microsoft's official Copilot readiness checklist covers licensing prerequisites, technical requirements (Entra ID, Microsoft Graph, web experience), and basic data governance recommendations. It misses five critical areas: 1) Broken SharePoint permission inheritance that exposes sensitive sites to all employees, 2) Teams meeting recording policies that make clinical, legal, and executive discussions searchable by Copilot, 3) The gap between configuring sensitivity labels and actually enforcing them on existing content, 4) Guest and former employee access that gives Copilot access to external users' data, 5) DLP policies specifically for Copilot-generated content that can aggregate sensitive data from multiple sources.
Why is broken SharePoint permission inheritance a Copilot risk?
SharePoint permission inheritance is the mechanism by which subsites, libraries, and folders inherit access permissions from their parent site. When inheritance is "broken" (a SharePoint feature that allows custom permissions at any level), permissions can drift significantly from the parent site. A common pattern: a site owner breaks inheritance on a library to give a specific team access, but the original broad permissions from the parent site remain. Over 3-5 years, dozens of broken inheritance points create a permission maze that no admin can manually audit. Copilot exposes this because it searches across all sites a user can access — including sites with inherited permissions the user may not know they have.
How do I check if my organization is ready for Copilot?
A genuine Copilot readiness assessment requires more than Microsoft's 4-page checklist. Start with: 1) Run a SharePoint permission report (SharePoint admin center > Active sites > export sharing report) to identify overshared sites. 2) Check sensitivity label deployment — not just configuration, but actual label application on documents. 3) Review Teams meeting recording policies for who can access recordings and transcriptions. 4) Run a guest access report in Entra ID and review external user permissions. 5) Check DLP policy scope to see if Copilot scenarios are covered. If any of these areas have gaps, you are not Copilot-ready regardless of what the Microsoft checklist says. EPC Group's 47-Point Assessment covers all of this systematically.
What is the difference between configuring and enforcing sensitivity labels?
Configuration means creating sensitivity labels in the Microsoft Purview portal — defining the label taxonomy (Public, Internal, Confidential, Highly Confidential), assigning protection actions (encryption, watermarks, access restrictions), and publishing the labels to users. Enforcement means labels are actually applied to existing content. Microsoft's checklist treats label configuration as sufficient. In reality, most organizations configure labels but only 5-15% of existing documents get labeled because: auto-labeling is not enabled, users are not trained to apply labels, there is no policy mandating labeling, and legacy content predating label deployment is completely unlabeled. Copilot treats unlabeled content as accessible — making millions of legacy documents searchable without sensitivity classification.
Can former employees still access data through Copilot?
Former employees themselves cannot access Copilot after account deactivation. However, the risk is more subtle: 1) Guest accounts created for former employees who transitioned from employee to contractor/consultant status may still be active with lingering SharePoint permissions. 2) Shared mailboxes and Teams channels that included former employees may still contain sensitive content that Copilot can surface to current members. 3) OneDrive content from former employees that was not properly managed during offboarding may be accessible if it was shared broadly before departure. The gap in Microsoft's checklist is that it does not address historical access patterns — only current licensing and configuration.
What DLP policies do I need specifically for Copilot?
Standard DLP policies protect content at rest and in transit. Copilot-specific DLP policies must address content generation: 1) Copilot can aggregate data from multiple sources into a single response — a Copilot summary might combine salary data from one SharePoint site, performance reviews from another, and termination plans from an email, creating a new document with data from three different classification levels. 2) Copilot-generated drafts in Word, PowerPoint, and Outlook inherit no sensitivity label by default — users must manually label Copilot outputs. 3) Copilot meeting summaries may contain sensitive discussion points. DLP policies must cover Copilot-generated content in all M365 apps, not just traditional file storage locations.
How does EPC Group's 47-Point Assessment differ from Microsoft's checklist?
Microsoft's official checklist is 4 pages covering licensing, technical prerequisites, and high-level governance recommendations. EPC Group's 47-Point Assessment is a 2-3 week engagement that examines 47 specific security checkpoints across 6 domains: Identity & Access (8 points), Email Security (7 points), Data Protection (9 points), Endpoint Management (7 points), Compliance & Governance (8 points), and Copilot & AI Readiness (8 points). Each checkpoint receives a Pass/Fail/Partial rating with specific remediation steps. The assessment includes SharePoint permission inheritance analysis, sensitivity label enforcement measurement, Copilot data exposure modeling, and a prioritized 30/60/90 day remediation roadmap. Cost: $15,000.
Go Beyond the Checklist
EPC Group offers Copilot and M365 Tenant Security Reviews for businesses across all industries. We have secured over 700 tenants and have 29 years of Microsoft experience.
Our team focuses on identifying:
- What Copilot can access
- What it should not access
Microsoft's checklist spans 4 pages. Our 47-Point Assessment evaluates 47 security checkpoints across 6 domains. This includes the 5 critical gaps mentioned earlier.
Begin with the assessment for $15,000. You will receive a prioritized remediation roadmap.
5 Things Microsoft's Copilot Readiness Checklist Doesn't Cover
Microsoft's official Copilot readiness checklist includes licensing, prerequisites, and basic settings. EPC Group's 47-Point Assessment addresses five key security gaps that lead to data exposure:
- Broken SharePoint permission inheritance
- Teams meeting recording policies
- Sensitivity label enforcement (not just configuration)
- Guest and former employee access
- DLP for Copilot-generated content
Key facts
- Microsoft's official readiness checklist is 4 pages covering licensing and prerequisites only.
- EPC Group's 47-Point Assessment covers the security gaps Microsoft's checklist skips.
- 80%+ of enterprise M365 tenants have at least one broken SharePoint permission inheritance.
- Guest accounts from departing vendors and former employees persist in most tenants — Copilot uses their access tokens.
- Most organizations have sensitivity labels configured but not enforced — Copilot treats unlabeled and unenforced-labeled content the same way.
Microsoft's Checklist vs EPC Group's 47-Point Assessment
| Coverage area | Microsoft's 4-page checklist | EPC Group's 47-point review |
|---|---|---|
| Licensing and prerequisites | Yes | Yes |
| SharePoint permission inheritance | No | Yes — full audit |
| Teams recording policies for sensitive meetings | No | Yes |
| Sensitivity label enforcement (not just configuration) | No | Yes — adoption rate measured |
| Guest and former employee access | No | Yes — stale account audit |
| DLP for Copilot-generated content | No | Yes |
| Conditional Access for Copilot users | Mentioned | Full policy set |
Gap 1: Broken SharePoint Permission Inheritance
The Problem
SharePoint permissions flow from the site collection to libraries, folders, and files by default. Administrators can break this inheritance to grant specific groups access to certain content. However, they often overlook this change.
This oversight can lead to:
- Content being accessible to more users than intended.
Copilot queries are not filtered by intention. If a user has access to a document, Copilot returns it — even if that access was accidental.
Real-World Example
A healthcare organization granted an HR admin access to a clinical document library for a single audit. However, this temporary permission was not revoked.
Three years later, the HR admin used the Copilot prompt, "Summarize recent patient outcomes." As a result, they received clinical data that was not intended for them.
How to Fix It
- Export site-level permissions for all SharePoint sites using PowerShell or the SharePoint admin center.
- Identify all folders and files with broken inheritance and document the intended access scope.
- Restore inheritance on non-intentional breaks. Set explicit permissions only where intentional breaks are required.
- Schedule quarterly inheritance audits going forward.
Gap 2: Teams Meeting Recording Policies
The Problem
All recorded Teams meetings are saved as searchable files in OneDrive or SharePoint. Copilot can summarize these recordings when needed. However, risks can occur if recording storage is not managed properly. This is especially true for:
- Compliance issues with data retention policies
- Increased storage costs due to unmanaged files
- Difficulty in finding important recordings
- Data security and privacy concerns
- Compliance with regulations
- Storage costs and management
- Board meetings
- Legal reviews
- HR investigations
- M&A discussions
Real-World Example
A financial services firm recorded its weekly executive briefing in Teams. The recording was saved in a shared OneDrive folder for all senior directors to access.
One director asked Copilot to summarize the last three executive briefings. In response, he received summaries of confidential M&A discussions.
How to Fix It
- Create a Teams meeting policy that restricts recording to specific user groups.
- Set recording storage location to a governed SharePoint site — not the organizer's OneDrive.
- Apply sensitivity labels to all recordings in sensitive Teams channels.
- Disable Copilot meeting summarization for meetings flagged as sensitive via meeting type policies.
Gap 3: Sensitivity Label Enforcement vs Configuration
The Problem
85% of organizations have sensitivity labels in place. However, fewer than 15% actually enforce these labels. A label that users can ignore, or one that is not applied to older content, does not protect Copilot.
Copilot cannot distinguish between "labeled but not encrypted" and "unlabeled" content. Only labels backed by Azure Rights Management encryption restrict Copilot from including content in its output.
Real-World Example
A law firm labeled new documents with "Confidential — Attorney-Client Privilege." However, legacy documents from the past five years were not labeled retroactively.
As a result, Copilot used both labeled and unlabeled sources to summarize case files. This led to summaries that included privileged information accessible to non-legal staff.
How to Fix It
- Enable mandatory labeling so users cannot save documents without applying a sensitivity label.
- Deploy auto-labeling policies to classify legacy content by content type, site, and metadata.
- Measure current label adoption rate in Microsoft Purview — target 80%+ before Copilot goes live.
- Apply encryption-backed labels to all content that should restrict Copilot access.
Gap 4: Guest and Former Employee Access
The Problem
Over time, guest accounts for contractors, vendors, and partners build up in M365 tenants. Accounts for former employees also remain active. These accounts keep their SharePoint and Teams permissions. Their access tokens still function with Copilot queries.
Real-World Example
A manufacturing firm discovered an inactive guest account. This account belonged to a former IT contractor and had not been used for 14 months.
Despite its inactivity, the account still had read access to a confidential product roadmap SharePoint site. It was not flagged for deprovisioning because it was classified as a guest account, not a licensed user.
How to Fix It
- Run a guest account audit: identify all accounts not signed in within the last 90 days.
- Review the SharePoint sites and Teams channels each guest account can access.
- Remove access for stale guests. Block or delete accounts inactive for 90+ days.
- Implement an automated guest access review policy via Entra ID access reviews.
Gap 5: DLP for Copilot-Generated Content
The Problem
Most DLP policies focus on content that is stored and in transit. These policies were created before Copilot was introduced. Copilot generates new content, such as:
- Summaries
- Drafts
- Reports
This content may contain sensitive data from various sources.
Without DLP policies that account for Copilot, this generated content could be sent to unauthorized recipients.
Real-World Example
An analyst requested Copilot to "Summarize our Q3 financial performance for the board deck." Copilot created an accurate summary using information from budget files, Dynamics 365, and Teams discussions.
The analyst then sent the summary to an external consultant. However, there was no DLP policy in place for output generated by Copilot.
How to Fix It
- Create DLP policies in Microsoft Purview that target Microsoft 365 Copilot as a workload.
- Define sensitive information types that trigger DLP actions (SSN, credit card, earnings data, PHI).
- Configure policy actions: alert, block, or require justification when Copilot output matches a sensitive type.
- Test DLP policies against realistic Copilot prompt scenarios before enforcement.
What a Real Copilot Readiness Assessment Looks Like
EPC Group's 47-point assessment covers all five gaps above plus:
- Oversharing audit before any production license assignment
- Microsoft Sentinel detections for prompt injection and abnormal use
- Sensitivity label coverage measurement (target: 80%+ before go-live)
- Copilot Studio agent governance and cost-management framework
- Conditional Access policy targeting Copilot-licensed users specifically
Frequently Asked Questions
What does Microsoft's Copilot readiness checklist miss?
Microsoft's checklist focuses solely on licensing and prerequisites. It does not address several important issues, including:
- Broken SharePoint permission inheritance
- Teams recording policies
- Sensitivity label enforcement gaps
- Stale guest and former employee access
- DLP policies for Copilot-generated content
Why is broken SharePoint permission inheritance a Copilot risk?
Copilot allows users to access all content they can view. This includes content that may have been accessed due to accidental or forgotten permission grants. Users might see content they should not access if there is broken inheritance. Copilot highlights this content when users ask related questions.
How do I check if my organization is ready for Copilot?
Conduct a SharePoint permissions audit. Measure how well sensitivity labels are being adopted. Review guest access and audit the storage of Teams recordings. Check if DLP policies cover content generated by Copilot.
EPC Group's 47-Point Assessment covers all these areas in a structured review:
- SharePoint permissions audit
- Adoption of sensitivity labels
- Guest access review
- Teams recording storage audit
- DLP policies evaluation for Copilot-generated content
What is the difference between configuring and enforcing sensitivity labels?
Configuration ensures that labels are created and published. Enforcement requires users to apply these labels through mandatory labeling. Auto-labeling helps manage old content. Encryption prevents Copilot from bypassing the label.
Many organizations have configuration in place but lack enforcement.
How does EPC Group's 47-Point Assessment differ from Microsoft's checklist?
Microsoft's checklist is 4 pages long and focuses on licensing. EPC Group's review includes 47 points and addresses the five security gaps mentioned earlier. It also covers:
- Conditional Access
- Sentinel detections
- Copilot Studio governance
- A remediation roadmap
All of this is done before any production license is assigned.
Go Beyond the Checklist
EPC Group's 47-Point Copilot Readiness Assessment identifies exactly what is exposed before you assign a single production license. Call (888) 381-9725 or request a readiness assessment.