About EPC Group

EPC Group is a Microsoft consulting firm founded in 1997 (originally Enterprise Project Consulting, renamed EPC Group in 2005). 29 years of enterprise Microsoft consulting experience. EPC Group historically held the distinction of being the oldest continuous Microsoft Gold Partner in North America from 2016 until the program's retirement. Because Microsoft officially deprecated the Gold/Silver tiering framework, EPC Group transitioned to the modern Microsoft Solutions Partner ecosystem and currently holds the core Microsoft Solutions Partner designations.

Headquartered at 4900 Woodway Drive, Suite 830, Houston, TX 77056. Public clients include NASA, FBI, Federal Reserve, Pentagon, United Airlines, PepsiCo, Nike, and Northrop Grumman. 6,500+ SharePoint implementations, 1,500+ Power BI deployments, 500+ Microsoft Fabric implementations, 70+ Fortune 500 organizations served, 11,000+ enterprise engagements, 200+ Microsoft Power BI and Microsoft 365 consultants on staff.

About Errin O'Connor

Errin O'Connor is the Founder, CEO, and Chief AI Architect of EPC Group. Microsoft MVP multiple years, first awarded 2003. 4× Microsoft Press bestselling author of Windows SharePoint Services 3.0 Inside Out (MS Press 2007), Microsoft SharePoint Foundation 2010 Inside Out (MS Press 2011), SharePoint 2013 Field Guide (Sams/Pearson 2014), and Microsoft Power BI Dashboards Step by Step (MS Press 2018).

Original SharePoint Beta Team member (Project Tahoe). Original Power BI Beta Team member (Project Crescent). FedRAMP framework contributor. Worked with U.S. CIO Vivek Kundra on the Obama administration's 25-Point Plan to reform federal IT, and with NASA CIO Chris Kemp as Lead Architect on the NASA Nebula Cloud project. Speaker at Microsoft Ignite, SharePoint Conference, KMWorld, and DATAVERSITY.

© 2026 EPC Group. All rights reserved. Microsoft, SharePoint, Power BI, Azure, Microsoft 365, Microsoft Copilot, Microsoft Fabric, and Microsoft Dynamics 365 are trademarks of the Microsoft group of companies.

Is Microsoft Copilot Safe?

A 47-Point Enterprise Security Assessment Framework. The definitive answer based on 700+ tenant security reviews.

Microsoft Copilot for M365 is safe when configured correctly — but "installed and active" is not the same as "secure." The most common risk is oversharing: Copilot surfaces content based on existing M365 permissions. If SharePoint sites are overshared, Copilot will expose that content in responses. This 47-point assessment framework identifies every configuration gap that creates security risk before you deploy.

Key Facts

  • Microsoft Copilot for M365 operates within the M365 compliance boundary: SOC 2 Type II, ISO 27001, HIPAA (with BAA), FedRAMP High (GCC), and 90+ additional certifications.
  • Microsoft does NOT audit your SharePoint permissions, sensitivity label coverage, DLP policies, guest account lifecycle, or information barriers before activating Copilot.
  • EPC Group has reviewed 700+ enterprise tenants. Oversharing (everyone access on SharePoint sites) is found in over 70% of pre-Copilot audits.
  • The 47-point assessment covers 10 domains: permissions, sensitivity labels, DLP, Teams security, guest access, Conditional Access, information barriers, audit, compliance, and Copilot configuration.
  • EPC Group: 29 years of Microsoft consulting, 700+ tenant security reviews, Microsoft Solutions Partner (core designations).

The Short Answer: Copilot Is Safe IF Your Tenant Is Ready

Quick Answer: Is Microsoft Copilot safe for enterprise use? Yes — Copilot is safe IF your Microsoft 365 tenant has properly scoped permissions, sensitivity labels on sensitive content, DLP policies addressing Copilot scenarios, and guest access controls. Copilot operates within your existing M365 security boundary and does not bypass permissions or access data outside your tenant. The risk is not Copilot — it is the latent permission problems in your environment that Copilot makes instantly discoverable. EPC Group's 47-Point Assessment validates readiness across 10 security categories.

Every CIO asks the same question before deploying Microsoft Copilot: "Is it safe?" The answer is nuanced but important — and it depends entirely on your organization, not on Copilot itself.

Copilot is an AI layer built on top of Microsoft Graph, the same API that powers SharePoint search and Microsoft Search. It accesses the same data, through the same permissions, using the same security boundary. Copilot does not introduce new data access paths. It does not bypass permissions. It does not escalate privileges. It does not use your data for model training, and the only traffic that leaves the Microsoft 365 service boundary is the optional web grounding feature, which sends Copilot-generated search queries (not your documents) to Bing; that is why the web grounding toggle appears in the assessment below.

So why are security teams concerned? Because Copilot makes existing permission problems instantly exploitable. Before Copilot, an employee with overshared access to an HR site might never navigate there. With Copilot, they can ask "What are the current salary bands?" and get an immediate answer. The data was always accessible — Copilot just eliminated the friction of finding it.

Copilot IS Safe When...

  • SharePoint permissions are properly scoped to named security groups
  • Sensitivity labels cover 90%+ of sensitive content
  • DLP policies include Copilot-aware rules
  • Guest access is audited and time-limited
  • Information barriers isolate regulated departments
  • Broken permission inheritance has been remediated
  • Copilot usage is monitored through audit logs

Copilot IS Risky When...

  • SharePoint sites use "Everyone" or "Everyone except external users"
  • Sensitivity labels are deployed on less than 50% of sensitive content
  • DLP policies were not updated for Copilot scenarios
  • Guest accounts have not been audited in 6+ months
  • No information barriers between departments
  • Broken inheritance exists across SharePoint document libraries
  • No monitoring or audit logging for Copilot usage

What Microsoft Gets Right About Copilot Security

Credit where it is due — Microsoft has built Copilot with significant security controls. Understanding what Microsoft handles well is just as important as knowing what it misses.

Tenant Data Isolation

Copilot processes data within your M365 tenant boundary. Your prompts and responses stay in your environment. Data is not shared across tenants or used for model training. This is a fundamental architectural decision that addresses the biggest AI security concern.

Permission Inheritance (Not Escalation)

Copilot calls Microsoft Graph on behalf of the signed-in user, with that user's identity and token, so it can only retrieve what the user could retrieve themselves through search or Graph. This is a significant security feature: Copilot does not create new access paths or escalate privileges. The flip side is that every permission the user already holds, including ones granted years ago through "Everyone" or a folder with broken inheritance, is in scope.

Sensitivity Label Respect

Copilot respects Microsoft Purview sensitivity labels. Labeled content with restrictions (encryption, access control) is protected in Copilot responses: Copilot honors the label's usage rights, so if a user holds View but not Extract (copy and extract content) rights on a file, Copilot will not use that file to build a response even though the user can open it, and a response grounded on labeled content carries the highest-priority label among its sources. A label with no protection settings, however, is only a classification and restricts nothing by itself. Used with protection settings, labels give organizations a powerful mechanism for controlling what Copilot can process.

Comprehensive Compliance Certifications

Copilot inherits M365 compliance certifications: SOC 1/2/3, ISO 27001/27018/27701, HIPAA (with BAA), FedRAMP High, HITRUST, PCI DSS, and 90+ others. The compliance infrastructure is world-class.

Audit Logging

Each Copilot interaction writes a CopilotInteraction record to the Microsoft Purview audit log, recording who asked, from which app, and which files, emails or chats Copilot drew on, with their sensitivity label IDs. The prompt and response text themselves are not in the audit record; they are kept in the user's mailbox and reachable through eDiscovery. Together these support compliance evidence collection and anomaly detection.

What Microsoft Does NOT Check Before Copilot Deployment

When you assign a Copilot license, Microsoft validates technical prerequisites: license compatibility, Entra ID configuration, Graph API availability. But Microsoft does not assess your data governance posture. In EPC Group's reviews, every Copilot data-exposure finding traced back to one of these unchecked areas.

Critical Gap: Microsoft's Copilot deployment process does not include a security assessment of your environment. You can assign Copilot licenses to 10,000 users in minutes — even if your SharePoint has 500 overshared sites with "Everyone" access. Microsoft assumes you have already addressed data governance. Most organizations have not.

Specifically, Microsoft does not check:

  • Whether SharePoint sites have overshared permissions ("Everyone" groups)
  • Whether broken permission inheritance exposes sensitive documents
  • Whether sensitivity labels are deployed on sensitive content
  • Whether DLP policies address Copilot-specific scenarios
  • Whether guest accounts have been audited and time-limited
  • Whether information barriers exist for regulated departments
  • Whether stale, outdated content should be archived before Copilot indexes it
  • Whether Teams meeting policies restrict Copilot summarization for sensitive meetings
  • Whether Conditional Access policies control Copilot from unmanaged devices
  • Whether audit logging and monitoring capture Copilot usage patterns

EPC Group's 47-Point Copilot Security Assessment Framework

10 categories. 47 specific checks. Based on 700+ tenant security reviews across healthcare, finance, government, and enterprise organizations.

1. SharePoint Permissions (8 checks)

The foundation of Copilot security. SharePoint permissions determine what content Copilot can access for each user.

  • Overshared site audit — identify sites with "Everyone" or "Everyone except external users" permissions
  • Broken permission inheritance scan across all document libraries
  • External sharing configuration review (anonymous links, authenticated sharing)
  • Site collection administrator audit (who has full control)
  • Hub site permission propagation analysis
  • Orphaned permissions cleanup (users who have left the organization)
  • Access review configuration (automated quarterly reviews)
  • Sharing link expiration and type analysis

2. Sensitivity Labels (5 checks)

Sensitivity labels are the primary mechanism for restricting Copilot access to classified content.

  • Label coverage analysis — percentage of sensitive documents labeled (target: 90%+)
  • Auto-labeling policy configuration for PII, PHI, financial data
  • Default label enforcement on new content creation
  • Label protection settings validation (encryption, access restrictions)
  • Copilot-label interaction testing (verify Copilot respects labels)

3. DLP Configuration (5 checks)

DLP policies must be updated for Copilot-specific scenarios that traditional sharing-focused rules miss.

  • Copilot-aware DLP rule configuration
  • Sensitive information type coverage across all content
  • DLP policy enforcement mode (audit vs. block)
  • Endpoint DLP integration for Copilot on devices
  • DLP incident alerting and response workflow

4. Teams Security (4 checks)

Teams channels, meetings, and chat are primary Copilot data sources requiring specific controls.

  • Meeting policy Copilot controls (which meetings allow Copilot)
  • Channel permission model review (standard vs. private vs. shared)
  • Private channel Copilot access validation
  • Meeting recording and transcript access scope

5. Guest Access (4 checks)

External guest accounts are frequently over-provisioned and create external data exposure through Copilot.

  • Active guest account inventory and last-access audit
  • Guest expiration policy configuration
  • Guest Copilot capability restrictions
  • Shared channel external membership review

6. Conditional Access (4 checks)

Conditional Access policies control who can use Copilot, from where, and under what conditions.

  • Copilot-specific access policies configuration
  • Device compliance requirements for Copilot users
  • Location-based access restrictions
  • Session management and timeout controls

7. Information Barriers (3 checks)

Information barriers isolate regulated departments and prevent Copilot from crossing organizational boundaries.

  • Department isolation configuration (Legal, HR, Finance, Compliance)
  • Barrier policy validation and testing
  • Cross-barrier Copilot query testing

8. Audit & Monitoring (5 checks)

Continuous monitoring of Copilot usage patterns is essential for detecting anomalies and maintaining security.

  • Copilot audit log configuration and retention
  • Sensitive data access alerting rules
  • Usage analytics dashboard deployment
  • Anomaly detection for unusual Copilot queries
  • Compliance reporting automation

9. Compliance Alignment (5 checks)

Map Copilot configuration to your specific regulatory requirements.

  • HIPAA control mapping (PHI access, audit trails, BAA validation)
  • SOC 2 requirement validation (access controls, monitoring, encryption)
  • FedRAMP boundary confirmation (GCC/GCC High requirements)
  • Data residency verification (Copilot data processing location)
  • Retention policy impact analysis (Copilot and data lifecycle)

10. Copilot-Specific Configuration (4 checks)

Copilot admin controls that govern feature availability, plugins, and AI behavior.

  • Copilot feature toggle review (enabled/disabled per user group)
  • Web grounding settings (external web search in Copilot responses)
  • Plugin and connector security review
  • Copilot Studio governance (custom agent controls)

How to Run Your Own Copilot Security Assessment

If you want to start evaluating your Copilot readiness internally before engaging a partner, here are the highest-priority checks you can perform with existing M365 admin tools.

Step 1: Run a SharePoint Permissions Report

In the SharePoint admin center, identify every site whose membership includes the "Everyone" or "Everyone except external users" principal. The Data access governance reports under Reports (part of SharePoint Advanced Management) list sites shared with "Everyone except external users" directly; if you script it instead, the two principals show up in site permissions with the login names c:0(.s|true ("Everyone") and c:0-.f|rolemanager|spo-grid-all-users/<tenant id> ("Everyone except external users"). Keep in mind that either claim can also sit on a single library or folder with unique permissions, so a site-level membership report alone misses broken-inheritance cases. These are your highest-risk sites. For a 1,000-site environment, expect to find 100-300 overshared sites, the legacy of years of "Share with Everyone" culture.

Step 2: Check Sensitivity Label Coverage

In Microsoft Purview, use Content Explorer to identify sensitive content types (SSN, credit card, PHI) and cross-reference with labeled content. If your label coverage is below 50%, you have a significant gap. Most organizations we assess have less than 20% coverage on their first evaluation.

Step 3: Audit Guest Access

In Entra ID, export all guest accounts with their last sign-in date and access scope (the last sign-in date comes from sign-in activity data, which requires an Entra ID P1 or P2 license in the tenant). Identify guests who have not signed in for 90+ days and guests with access to sensitive SharePoint sites or Teams channels. Remove or restrict as needed.

Step 4: Review DLP Policy Coverage

In Microsoft Purview, check two things. First, whether your existing Exchange, SharePoint and Teams DLP policies are still in simulation (audit-only) mode or are turned on with blocking actions: a simulated policy records matches and prevents nothing. Second, and more important for Copilot, whether you have any policy scoped to the Microsoft 365 Copilot location at all. A classic sharing-focused policy in block mode stops a matching file from being shared or emailed; it does not stop Copilot from grounding a response on a file the user can already open. The Copilot-scoped DLP policies use sensitivity labels as their condition and prevent Copilot from processing items that carry those labels, which means they are only as good as the label coverage you measured in Step 2. Run them in simulation first, then turn them on for the labels that matter most before enabling Copilot broadly.

Step 5: Test with a Controlled Pilot

Deploy Copilot to 5-10 security team members. Ask them to intentionally test boundary conditions: "Show me salary data," "What are our acquisition targets," "Summarize the legal review." Document what Copilot surfaces and whether it should have access to that content.

When to Call in Experts

Internal assessments are a good starting point, but complex environments require specialized expertise. Here are the signals that you need a partner like EPC Group for your Copilot security assessment.

You have 500+ SharePoint sites

Manual permissions audits are impractical at this scale. EPC Group automated tooling scans 10,000+ sites in hours.

You are in a regulated industry

HIPAA, SOC 2, FedRAMP, FINRA — compliance mapping for Copilot requires specialized knowledge of both the regulation and the technology.

Your organization has 1,000+ users

Permission complexity grows far faster than headcount. Nested groups, inherited permissions, and cross-department access create a web that requires automated analysis.

You have legacy SharePoint content

Content migrated from on-premises SharePoint or third-party systems often has broken inheritance and incorrect permissions that are invisible in standard reports.

You need executive-level risk reporting

CIOs and Boards need risk-scored findings, not raw permission dumps. EPC Group delivers executive-ready reports with severity classification and business impact analysis.

You have had a previous data exposure incident

If your organization has experienced data leakage, insider threats, or compliance violations, Copilot will amplify those same vulnerabilities unless they are thoroughly remediated.

Read our Copilot Governance Strategy Playbook

Frequently Asked Questions

Is Microsoft Copilot safe for enterprise use?

Yes — Microsoft Copilot is safe for enterprise use IF your Microsoft 365 tenant is properly configured. Copilot operates within your existing M365 security boundary and respects user permissions, sensitivity labels, DLP policies, and information barriers. The risk is not Copilot itself — it is the existing permission problems in your environment that Copilot makes instantly discoverable. Organizations with mature data governance (properly scoped permissions, sensitivity labels on sensitive content, DLP policies enforced) can deploy Copilot safely. Organizations with overshared SharePoint sites, legacy "Everyone" permissions, and gaps in sensitivity label coverage need to remediate those issues before deployment. EPC Group 47-Point Copilot Security Assessment validates whether your tenant is ready.

What security certifications does Microsoft Copilot have?

Microsoft Copilot for M365 operates within the Microsoft 365 compliance boundary, which holds: SOC 1 Type II, SOC 2 Type II, SOC 3, ISO 27001, ISO 27018, ISO 27701, HIPAA (with BAA), HITRUST CSF, FedRAMP High (GCC/GCC High), PCI DSS, FERPA, GLBA, and 90+ additional certifications. Copilot data processing occurs within the M365 service boundary — prompts and responses are not used to train the underlying language models. Data residency commitments apply to Copilot. However, these certifications cover the infrastructure — your organization is responsible for configuring Copilot correctly (permissions, labels, DLP) to maintain compliance.

Does Copilot store or share my data with Microsoft?

No. Microsoft Copilot for M365 does not store your prompts, responses, or organizational data outside your tenant boundary. Prompts and responses are not used to train foundation models. Copilot processes data within the Microsoft 365 service boundary and is subject to the same data residency commitments as the rest of M365. Your data stays in your tenant — Copilot is essentially a sophisticated interface layer on top of Microsoft Graph, not a separate data repository. Microsoft has published the Copilot data, privacy, and security documentation confirming these commitments.

What does Microsoft check vs. what it does not check before Copilot deployment?

Microsoft checks: a qualifying Microsoft 365 or Office 365 base license (E3/E5, Business Standard/Premium and others), Copilot license assignment, Entra ID configuration, Microsoft Graph API availability, and basic tenant health. Microsoft does NOT check: whether your SharePoint sites have overshared permissions, whether sensitivity labels are deployed on sensitive content, whether DLP policies address Copilot scenarios, whether guest accounts have been audited, whether information barriers are configured for regulated departments, whether broken permission inheritance exposes sensitive data, or whether stale content should be archived. These are YOUR responsibility, and they determine whether Copilot is safe in YOUR environment.

How do I run a Copilot security assessment?

A comprehensive Copilot security assessment should cover 10 categories with 47 specific checks: SharePoint permissions (8 checks for oversharing, inheritance, external access), sensitivity labels (5 checks for coverage, auto-labeling, Copilot interaction), DLP configuration (5 checks for Copilot-aware rules), Teams security (4 checks for meetings, channels, Copilot controls), guest access (4 checks for account lifecycle, Copilot restrictions), Conditional Access (4 checks for device, location, session policies), information barriers (3 checks for department isolation), audit and monitoring (5 checks for logging, alerting, reporting), compliance alignment (5 checks for HIPAA, SOC 2, FedRAMP), and Copilot-specific configuration (4 checks for features, plugins, governance). EPC Group delivers this assessment in 2-3 weeks with prioritized remediation roadmap.

What happens if I deploy Copilot without a security assessment?

Based on EPC Group analysis of 700+ tenant reviews: 60% of organizations that deploy Copilot without a security assessment experience a data exposure incident within 90 days. The most common incidents: 1) Non-executive employees discovering executive compensation, Board minutes, or M&A plans through Copilot prompts. 2) Copilot surfacing HR investigation documents or performance reviews from overshared sites. 3) Guest users accessing confidential project data through Copilot queries. 4) Copilot-generated meeting summaries containing confidential M&A or legal discussions being shared through Teams. The cost of emergency remediation after an incident is typically 2-3x the cost of a proactive security assessment.

Can I restrict what data Copilot accesses?

Yes, through several mechanisms: 1) Sensitivity labels, with the caveat that only labels that apply encryption without granting the Extract usage right keep content out of Copilot for a user who can still open it; a label with no protection settings is a classification, not a control. 2) Information barriers, which isolate departments so Copilot cannot cross organizational boundaries. 3) Conditional Access, which controls who can use Copilot and from which devices and locations. 4) SharePoint permissions, properly scoped to named security groups instead of broad "Everyone" groups. 5) DLP policies scoped to the Microsoft 365 Copilot location, which stop Copilot processing content that carries specified labels (classic sharing-focused DLP rules do not). 6) Copilot admin controls, to disable specific Copilot features (web grounding, plugins) at the tenant or user level. The general rule: if a user can open a file, Copilot can surface it to that user. The exceptions are deliberate, Copilot-scoped exclusions: Restricted SharePoint Search (a tenant-wide allow list of up to 100 sites), Restricted Content Discovery on an individual site (Set-SPOSite -RestrictContentOrgWideSearch $true), which keeps that site's content out of Copilot and organization-wide search while direct access continues, and the Extract-right and Copilot DLP controls above. Use these to buy time for remediation, not to avoid it.

EPC Group performs Copilot & M365 Tenant Security Reviews for enterprises across all industries. With 700+ tenants secured and 29 years of Microsoft expertise, we identify exactly what Copilot can access that it shouldn't.

Find Out If Your Tenant Is Copilot-Ready

EPC Group's 47-Point Copilot Security Assessment covers 10 categories with specific, actionable findings. We have secured 700+ tenants across healthcare, finance, and government — we know exactly where to look.

Get Your 47-Point Assessment (888) 381-9725

Is Microsoft Copilot Safe for Enterprise Use? 47-Point Security Assessment (2026)


The core risk: permission inheritance

Copilot does not have its own permissions system. It uses Microsoft Graph to find content that the signed-in user can access. If a user has read permission on a SharePoint site — even through broken inheritance or an Everyone except external users group — Copilot can surface that content in a response.

This is not a Copilot bug. It works as designed. The risk comes from permissions that were acceptable when humans had to manually navigate to content but become risky when an AI can instantly search everything accessible.
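The model below is an added example written for this article, not EPC Group tooling or Microsoft code. It shows the point made here and in the earlier "So why are security teams concerned?" paragraph, and it doubles as Step 1 of the do-it-yourself assessment (checks 1 to 3 of Domain 1). It resolves a user's effective read access the way SharePoint does: the user's own identity, the two broad claims (the real login names "c:0(.s|true" for Everyone and "c:0-.f|rolemanager|spo-grid-all-users" for Everyone except external users, with the tenant id suffix dropped), nested group membership, and permission inheritance broken at library or folder level. What Copilot can surface for that user is simply the set of files whose readers intersect those principals. The tenant, groups, sites, files and user names are constructed.

```python
"""Added example: why Copilot's reach for a user equals that user's effective
SharePoint access. Tenant, groups, sites, files and users are constructed."""
from dataclasses import dataclass, field
from typing import Optional

EVERYONE = "c:0(.s|true"                        # "Everyone": members AND guests
EEEU = "c:0-.f|rolemanager|spo-grid-all-users"  # "Everyone except external users" (tenant id suffix dropped)
BROAD_CLAIMS = {EVERYONE, EEEU}


@dataclass
class User:
    upn: str
    is_guest: bool = False


@dataclass
class Scope:
    """A securable object: site, library or folder. readers=None means 'inherit
    from parent'; a set means unique permissions, i.e. broken inheritance."""
    name: str
    readers: Optional[set] = None
    files: list = field(default_factory=list)
    children: list = field(default_factory=list)
    parent: Optional["Scope"] = None

    def __post_init__(self):
        for child in self.children:
            child.parent = self

    @property
    def path(self) -> str:
        return self.name if self.parent is None else f"{self.parent.path}/{self.name}"

    def effective_readers(self) -> set:
        scope = self
        while scope.readers is None:        # walk up to the nearest unique ACL
            scope = scope.parent
        return scope.readers

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()


def principals_for(user: User, groups: dict) -> set:
    """Identities a user carries: UPN, the claims that apply to them, and every
    group reachable through nested membership (fixed-point expansion)."""
    principals = {user.upn, EVERYONE}
    if not user.is_guest:
        principals.add(EEEU)              # guests sit outside 'Everyone except external users'
    grown = True
    while grown:
        grown = False
        for group, members in groups.items():
            if group not in principals and members & principals:
                principals.add(group)
                grown = True
    return principals


def copilot_reachable(user: User, groups: dict, sites: list) -> set:
    """Files Copilot could ground a response on for this user: exactly the files whose
    effective readers intersect the user's principals. No Copilot-specific logic exists."""
    mine = principals_for(user, groups)
    reachable = set()
    for site in sites:
        for scope in site.walk():
            if scope.effective_readers() & mine:
                reachable.update(f"{scope.path}/{f}" for f in scope.files)
    return reachable


def overshared_scopes(sites: list) -> list:
    """Checks 1-3 in one pass: every scope carrying its own ACL (site, library or
    folder with broken inheritance) that grants read to a broad claim."""
    findings = []
    for site in sites:
        for scope in site.walk():
            if scope.readers is not None:
                for claim in sorted(scope.readers & BROAD_CLAIMS):
                    label = "Everyone" if claim == EVERYONE else "Everyone except external users"
                    findings.append((scope.path, label))
    return findings


# --- constructed tenant ---------------------------------------------------
GROUPS = {
    "HR Team": {"hr.lead@contoso.com"},
    "Finance Analysts": {"analyst@contoso.com"},
    "Finance Team": {"cfo@contoso.com", "Finance Analysts"},   # nested group
}
SITES = [
    Scope("HR", readers={"HR Team", EEEU},            # legacy "share with everyone" site
          files=["Salary bands FY26.xlsx"]),
    Scope("Finance", readers={"Finance Team"},         # correctly scoped site ...
          children=[Scope("Board", files=["Board minutes.docx"],           # ... library inherits ...
                          children=[Scope("Shared decks", readers={EVERYONE},  # ... folder breaks inheritance
                                          files=["Acquisition targets.pptx"])])]),
]

if __name__ == "__main__":
    for u in (User("jane@contoso.com"), User("analyst@contoso.com"), User("vendor@partner.com", is_guest=True)):
        print(u.upn, sorted(copilot_reachable(u, GROUPS, SITES)))
    print(overshared_scopes(SITES))
```

Run it and the member with no group memberships still reaches the HR salary sheet (through Everyone except external users) and the acquisition deck in a folder that broke inheritance (through Everyone), while the guest reaches only the latter, because guests are outside the EEEU claim. The overshared_scopes output is the list Step 1 asks for, and it catches the folder-level case that a site membership report misses.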

What Microsoft checks vs what you must check

What Microsoft checks

  • Whether Copilot licenses are valid and assigned.
  • Whether the M365 tenant meets baseline requirements (Exchange Online, SharePoint Online).
  • Data isolation between tenants, and the commitment that your prompts and content are not used to train Microsoft's foundation models. These are platform guarantees Microsoft makes, not checks of your configuration.

What you must check (Microsoft does NOT do this for you)

  • Whether SharePoint sites have overshared permissions (Everyone or Everyone except external users access).
  • Whether sensitivity labels are deployed and cover sensitive content.
  • Whether DLP policies address Copilot-specific scenarios (a policy scoped to the Microsoft 365 Copilot location that stops Copilot processing labeled content, rather than only the sharing-focused rules you already have).
  • Whether guest accounts have been audited and old accounts deprovisioned.
  • Whether information barriers are configured for regulated business units (legal, M&A, HR).
  • Whether broken permission inheritance exposes sensitive data.
  • Whether stale content should be archived before Copilot begins surfacing it to users.

The 47-point assessment framework

Domain 1 — SharePoint permissions (8 checks)

  • Check 1: Sites accessible to "Everyone except external users" — list and remediate.
  • Check 2: Sites accessible to "Everyone" — highest risk; must be fixed before Copilot goes live.
  • Check 3: Broken permission inheritance at folder or document level.
  • Check 4: Stale external sharing links (anonymous links older than 30 days).
  • Check 5: Site collection admins with no business justification.
  • Check 6: Group membership staleness (users who changed roles but retain old site access).
  • Check 7: OneDrive shared-with-everyone configurations.
  • Check 8: Teams channels with overshared SharePoint folder permissions.

Domain 2 — Sensitivity labels (5 checks)

  • Check 9: Label coverage across SharePoint, OneDrive, Exchange, and Teams.
  • Check 10: Auto-labeling policies for sensitive information types (SSN, credit card, PHI).
  • Check 11: Copilot interaction with labeled content (does Copilot respect Highly Confidential labels?).
  • Check 12: Container labels on high-risk site collections.
  • Check 13: Label inheritance from email attachments to SharePoint documents.

Domain 3 — DLP configuration (5 checks)

  • Check 14: DLP policies covering Exchange, SharePoint, Teams, and endpoint.
  • Check 15: Copilot-aware DLP rules (block sensitive content from appearing in Copilot responses).
  • Check 16: Simulation mode results — is DLP triggering on the right content types?
  • Check 17: DLP policy alerts routing to the correct security team.
  • Check 18: Exception documentation — authorized exceptions tracked and reviewed quarterly.

Domain 4 — Teams security (4 checks)

  • Check 19: Teams meeting recording access — are recordings accessible to non-meeting participants?
  • Check 20: External Teams access — can external users read channel conversations that Copilot references?
  • Check 21: Private channel permission isolation — private channels should not be accessible to general team members.
  • Check 22: Copilot in Teams meetings — is meeting transcript access restricted to participants?

Domain 5 — Guest access (4 checks)

  • Check 23: Guest account audit — external accounts not accessed in 90+ days should be reviewed and deprovisioned.
  • Check 24: Guest access to SharePoint sites with sensitive content.
  • Check 25: Copilot access for guest accounts — guests should not have Copilot licenses unless explicitly authorized.
  • Check 26: B2B collaboration policies aligned to Copilot deployment scope.

Domains 6–10 (summary)

  • Conditional Access (4 checks, 27–30): device compliance required for Copilot access, location restrictions, session policies for unmanaged devices, MFA enforced for all Copilot users.
  • Information barriers (3 checks, 31–33): separation between regulated business units, Copilot interactions blocked between isolated groups, IB policy audit log review.
  • Audit and monitoring (5 checks, 34–38): Purview Audit (Premium) enabled, Copilot interaction logs retained, alert policies for mass data access, SIEM integration, quarterly audit log review.
  • Compliance alignment (5 checks, 39–43): HIPAA BAA signed, SOC 2 Copilot controls documented, FedRAMP boundary confirmed, GDPR data subject request coverage, regulatory eDiscovery for Copilot content.
  • Copilot-specific configuration (4 checks, 44–47): Restricted SharePoint Search turned on, with a tenant-wide allow list of up to 100 curated sites, while permission remediation on the remaining sites is incomplete; plugin governance; Copilot usage reporting reviewed monthly; prohibited use cases policy published to users.
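For checks 34 to 38 (and the Audit & Monitoring category of the 47-point list above), the following is an added example of the kind of detection you would run over exported Copilot audit records. It was written for this article and is not EPC Group or Microsoft code. The records are constructed, but follow the shape of the unified audit log's CopilotInteraction entries, which is what the AuditData column of Search-UnifiedAuditLog (for example with -RecordType CopilotInteraction) or a SIEM export gives you: each record names the user, the host app and the AccessedResources Copilot grounded the response on, with sensitivity label IDs. Two rules are shown: a sliding-window count of distinct files one user has pulled through Copilot (the "friction removed" problem described earlier), and any guest principal grounding a response on content that carries a restricted label. The label GUID, users, timestamps and file names are assumptions.

```python
"""Added example: detection logic over Purview audit records for Copilot
interactions. Records are constructed; the label GUID is a placeholder."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: the GUID of your "Highly Confidential" label, copied from Purview.
HIGHLY_CONFIDENTIAL = "11111111-2222-3333-4444-555555555555"


def make_record(time, user, app, resources, operation="CopilotInteraction"):
    """Build one AuditData JSON string in the shape a CopilotInteraction record has."""
    return json.dumps({
        "CreationTime": time, "Operation": operation, "Workload": "Copilot",
        "UserId": user,
        "CopilotEventData": {
            "AppHost": app,
            "AccessedResources": [
                {"Id": rid, "Name": name, "Type": "File", "SensitivityLabelId": label}
                for rid, name, label in resources],
        },
    })


# Constructed sample: one member sweeping through finance files, one normal user,
# one guest (Entra guest UPNs contain "#EXT#") hitting a Highly Confidential file,
# plus an unrelated SharePoint record to show that other operations are ignored.
RAW_RECORDS = [
    make_record("2026-03-02T09:00:00", "alice@contoso.com", "BizChat",
                [("f1", "FY26 budget.xlsx", ""), ("f2", "Vendor contracts.docx", "")]),
    make_record("2026-03-02T09:03:00", "alice@contoso.com", "BizChat",
                [("f3", "Headcount plan.xlsx", ""), ("f4", "Bonus pool.xlsx", "")]),
    make_record("2026-03-02T09:05:00", "bob@contoso.com", "Word",
                [("f1", "FY26 budget.xlsx", ""), ("f9", "Team offsite.docx", "")]),
    make_record("2026-03-02T09:07:00", "alice@contoso.com", "BizChat",
                [("f5", "Salary bands.xlsx", ""), ("f6", "Severance model.xlsx", ""),
                 ("f7", "Reorg draft.pptx", "")]),
    make_record("2026-03-02T09:10:00", "vendor_partner.com#EXT#@contoso.onmicrosoft.com", "Teams",
                [("f8", "Board minutes.docx", HIGHLY_CONFIDENTIAL)]),
    make_record("2026-03-02T09:12:00", "bob@contoso.com", "SharePoint", [], operation="FileAccessed"),
    make_record("2026-03-02T09:30:00", "alice@contoso.com", "BizChat",
                [("f10", "Lunch menu.docx", "")]),
]


def parse_copilot_events(raw_records):
    """Keep only CopilotInteraction records, oldest first."""
    events = []
    for line in raw_records:
        rec = json.loads(line)
        if rec.get("Operation") != "CopilotInteraction":
            continue
        data = rec.get("CopilotEventData", {})
        events.append({
            "time": datetime.fromisoformat(rec["CreationTime"]),
            "user": rec["UserId"],
            "app": data.get("AppHost", ""),
            "resources": data.get("AccessedResources", []),
        })
    return sorted(events, key=lambda e: e["time"])


def detect(raw_records, window=timedelta(minutes=10), distinct_threshold=5,
           restricted_labels=frozenset({HIGHLY_CONFIDENTIAL})):
    """mass-access: one user grounds prompts on >= distinct_threshold distinct files
    inside a sliding window. guest-restricted-label: a guest principal grounds a
    response on content carrying a restricted label."""
    alerts, history, flagged = [], defaultdict(list), set()
    for ev in parse_copilot_events(raw_records):
        if "#EXT#" in ev["user"]:
            for res in ev["resources"]:
                if res.get("SensitivityLabelId") in restricted_labels:
                    alerts.append({"rule": "guest-restricted-label", "user": ev["user"],
                                   "resource": res["Name"], "app": ev["app"], "time": ev["time"]})
        recent = history[ev["user"]]
        recent.append(ev)
        while ev["time"] - recent[0]["time"] > window:   # drop events older than the window
            recent.pop(0)
        distinct = {res["Id"] for e in recent for res in e["resources"]}
        if len(distinct) >= distinct_threshold and ev["user"] not in flagged:
            flagged.add(ev["user"])                      # one alert per user per sweep
            alerts.append({"rule": "mass-access", "user": ev["user"], "distinct_files": len(distinct),
                           "first": recent[0]["time"], "last": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(RAW_RECORDS):
        print(alert)
```

With the sample data, alice trips the mass-access rule at 09:07 (seven distinct files in seven minutes) and the guest trips the label rule; bob, who touched two files, and alice's lone 09:30 prompt produce nothing. Tune the window and threshold against a week of your own baseline before wiring the output into your SIEM, and treat the restricted-label rule as a hard alert regardless of volume.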

M365 compliance certifications (what Copilot inherits)

Because Copilot operates within the M365 compliance boundary, it inherits these certifications when you configure your tenant correctly.

  • SOC 1 Type II, SOC 2 Type II, SOC 3
  • ISO 27001, ISO 27018, ISO 27701
  • HIPAA (requires signed Business Associate Agreement with Microsoft)
  • HITRUST CSF
  • FedRAMP High (GCC/GCC High)
  • PCI DSS, FERPA, GLBA
  • 90+ additional certifications (see Microsoft Trust Center)

Frequently asked questions

Is Copilot safe for healthcare organizations under HIPAA?

Yes, with proper configuration. Sign the Microsoft Business Associate Agreement. Apply PHI sensitivity labels. Configure DLP policies that prevent PHI from appearing in Copilot responses. Restrict Copilot access to managed, compliant devices. EPC Group's Copilot Safety Blueprint covers the full HIPAA configuration checklist.

Can Copilot access files in private Teams channels?

Only if the user has permission to the private channel. Copilot respects existing SharePoint permissions on private channel document libraries. Users cannot use Copilot to access private channels they are not members of.

What is Restricted SharePoint Search and when should I use it?

Restricted SharePoint Search (RSS) is a tenant-wide switch that limits Copilot and organization-wide search to a curated allow list of up to 100 SharePoint sites; sites outside the list drop out of Copilot results, although users keep their direct access, and files a user has already opened or that were shared with them directly remain in scope. It is configured from the SharePoint Online Management Shell (Set-SPOTenantRestrictedSearchMode -Mode Enabled, then Add-SPOTenantRestrictedSearchAllowedList to populate the list). Use RSS as a temporary control for organizations that cannot complete a full permission audit before Copilot go-live. It is a tactical workaround, not a permanent governance solution, and because it also narrows what Copilot can find for legitimate work, the goal is to switch it off once the overshared sites are fixed.

Does Copilot store prompts and responses?

Yes. Copilot interaction history (prompts and responses) is stored in a hidden folder of the user's Exchange Online mailbox, so it falls under your existing retention policies, eDiscovery holds and the M365 compliance boundary. Separately, each interaction produces a CopilotInteraction record in the Purview audit log listing the resources Copilot grounded on; those records are retained for 180 days with Audit (Standard) and for one year by default with Audit (Premium), extendable with an audit retention policy.

How long does the pre-deployment security assessment take?

EPC Group's Copilot pre-deployment assessment takes 4–6 weeks for a standard enterprise tenant (5,000–50,000 users). Larger tenants with complex permission structures take 6–10 weeks. The assessment produces a prioritized remediation plan and a Copilot readiness score across all 47 checks.

Get your Copilot security assessment

EPC Group has reviewed 700+ enterprise tenants for Copilot readiness. Call (888) 381-9725 or request a 30-minute discovery call.