Before You Turn On Copilot, Do This
Copilot surfaces whatever your permissions allow. If your tenant is a mess, so is your AI assistant.
Microsoft 365 Copilot is genuinely useful. I'll say that upfront because a lot of IT writing about AI tools defaults to either breathless enthusiasm or dire warning, and this is going to be neither. It's a real productivity tool, and for professional services firms that live in Word, Outlook, and Teams, it's worth having.
But there's a conversation that needs to happen before you flip the switch, and most firms are skipping it.
Copilot works by surfacing information from across your Microsoft 365 tenant. When you ask it to summarize recent activity on a matter, draft a client email, or pull together notes from the last three meetings, it draws on emails, documents, Teams conversations, and calendar events. Essentially, it reaches whatever the permissions of the person asking allow it to reach.
That last part is the one to pay attention to. Given the permissions of the person asking.
If your SharePoint permissions have drifted — and at most small firms, they have — Copilot will surface whatever those permissions allow. If a paralegal technically has read access to a partner's client folder because someone shared it two years ago and nobody cleaned it up, Copilot doesn't know that was an accident. It will use that data. If an old employee account was never fully deprovisioned, or guest access was granted for a project two years ago and never removed, Copilot doesn't ask questions. It just answers them.
The tool respects your permissions model. The problem is that most firms' permissions model doesn't actually reflect their intentions.
This is why the technical prep matters before deployment, not after.
The first thing to audit is your SharePoint and OneDrive sharing state. In a lot of small firms, this has accumulated years of "share with anyone" links, folders that were opened up for a contractor and never closed, and documents sitting in places that made sense in 2019 but don't anymore. A Copilot readiness review — something we do as part of Athencia One Complete onboarding — starts here. What's shared, with whom, and does it still make sense.
The second is sensitivity labels. These are Microsoft Purview features that let you tag content as Confidential, Client Privileged, Internal Only, and so on. Labels travel with the document. They can enforce encryption and usage restrictions, and Copilot honors those protections when a user interacts with labeled content. For a law firm or an accounting practice, getting labels applied to your active matter files before Copilot goes live is the difference between a tool that helps and one that creates a compliance problem.
Microsoft has also started adding more targeted controls aimed at reducing accidental oversharing from SharePoint while you clean up the underlying permissions. They help, but they are not a substitute for fixing the permissions model itself.
The third is Entra ID access hygiene. Old accounts. Accounts for people who left. Service accounts with more permissions than they need. Guest access that was set up for a client portal demo and never removed. Copilot can surface information from across Microsoft 365 that the user already has permission to access, which is exactly why stale access and oversharing need attention before rollout. Running an access review before deployment closes the doors you forgot were open.
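As an added example (not from the original post), the following PowerShell script performs a read-only version of the three checks above: sites that still permit "Anyone" links, guest accounts with no recent sign-in, and member accounts that are disabled but were never removed. It assumes the SharePoint Online Management Shell and Microsoft Graph PowerShell modules are installed, that the operator holds SharePoint Administrator rights plus the User.Read.All and AuditLog.Read.All Graph scopes, and that the tenant is licensed for the signInActivity property (Entra ID P1 or higher).

```powershell
# Added example: Copilot readiness check for sharing drift and stale access.
# Assumptions: SharePoint Online Management Shell + Microsoft.Graph modules,
# SharePoint Administrator role, Graph scopes User.Read.All and AuditLog.Read.All,
# and a tenant licensed for the signInActivity property.
param(
    [Parameter(Mandatory)] [string] $TenantName,  # e.g. contoso -> contoso-admin.sharepoint.com
    [int] $StaleDays = 90                          # guests with no sign-in in this window are flagged
)

Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All' -NoWelcome

# 1. Sites whose sharing setting still allows anonymous "Anyone" links.
#    Copilot does not follow these links itself, but a site that permits them
#    is usually one whose permissions have not been reviewed in years.
$anyoneSites = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Owner, LastContentModifiedDate, SharingCapability

# 2. Guest accounts that have never signed in, or not within $StaleDays days.
#    These are the "client portal demo" leftovers the post describes.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$staleGuests = Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property 'displayName', 'mail', 'createdDateTime', 'signInActivity' |
    Where-Object {
        $last = $_.SignInActivity.LastSignInDateTime
        (-not $last) -or ($last -lt $cutoff)
    } |
    Select-Object DisplayName, Mail, CreatedDateTime,
        @{ Name = 'LastSignIn'; Expression = { $_.SignInActivity.LastSignInDateTime } }

# 3. Member accounts that are disabled but still exist, i.e. deprovisioning
#    was started and never finished. Their group memberships still grant access.
$disabledMembers = Get-MgUser -Filter "userType eq 'Member' and accountEnabled eq false" -All `
        -Property 'displayName', 'userPrincipalName', 'accountEnabled' |
    Select-Object DisplayName, UserPrincipalName

"Sites permitting Anyone links: $(@($anyoneSites).Count)"
$anyoneSites | Format-Table -AutoSize
"Guest accounts with no sign-in in $StaleDays days: $(@($staleGuests).Count)"
$staleGuests | Format-Table -AutoSize
"Disabled member accounts still present: $(@($disabledMembers).Count)"
$disabledMembers | Format-Table -AutoSize
```

The script only reports; tightening a site's sharing (for example with Set-SPOSite -SharingCapability) or removing a stale guest is a separate, deliberate step once the owner has confirmed the access is no longer needed.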
None of this is complicated in the way that enterprise security projects are complicated. It's detailed and it takes time, but it's not technically exotic. The harder part is that it requires someone to actually go through the tenant systematically rather than spot-checking.
The firms that get the most out of Copilot (and they do get a lot out of it, which we'll cover separately) are the ones that treated deployment as a reason to finally clean up their data governance. Not because Microsoft requires it, but because you don't want to discover that your permissions model has been wrong for three years via an awkward Copilot response in a client meeting.
If you're planning to roll out Copilot and want to know what your tenant actually looks like before you do, that's exactly the kind of assessment we run as part of onboarding. It's worth doing regardless of Copilot; the cleanup pays dividends across your whole M365 footprint. Copilot just makes it urgent.
Copilot is not the security problem. Copilot is the thing that reveals whether your permissions model already was one.