Microsoft Copilot Tenant Preparation: The Complete Enterprise Checklist

The number one reason enterprise Copilot deployments fail is not the technology---it is the tenant. Organizations purchase Copilot licenses, assign them to users, and discover within weeks that their SharePoint permissions are broken, their sensitivity labels are nonexistent, their DLP policies have gaps, and their conditional access policies do not account for AI workloads. The result is security incidents, compliance violations, and user frustration that poisons Copilot adoption for years.

This is not a theoretical risk. In our experience working with enterprises across healthcare, financial services, and government sectors, organizations that skip tenant preparation and deploy Copilot immediately experience 60% higher rates of security incidents and user dissatisfaction within the first 90 days compared to those that invest 4-8 weeks in preparation.

Tenant preparation is not optional. It is the difference between a Copilot deployment that delivers measurable ROI and one that becomes an expensive liability. This checklist covers every prerequisite---technical, governance, and organizational---that must be completed before enabling Microsoft 365 Copilot licenses.

Phase 1: Licensing Prerequisites

Base License Verification

Before purchasing Copilot licenses, verify every targeted user has an eligible base license:

Eligible base licenses:

• Microsoft 365 E3 or E5
• Microsoft 365 Business Standard or Business Premium
• Office 365 E3 or E5

Verification steps:

1. Run the Microsoft 365 admin center license report
2. Export the list of users targeted for Copilot deployment
3. Cross-reference against eligible base licenses
4. Identify and remediate any users with ineligible or incomplete licenses
5. Verify that all base license services are provisioned: Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams must all be active

Common issues:

• Users with Office 365 E1 (not eligible---upgrade required)
• Users with disabled SharePoint or OneDrive services (Copilot requires both)
• Users on legacy license plans that have been renamed or restructured

Copilot License Procurement and Allocation

Procurement considerations:

• Copilot add-on is $30/user/month
• Available through Enterprise Agreement, CSP, or direct Microsoft purchase
• 12-month commitment minimum for most agreement types
• Plan for phased allocation: purchase pilot licenses first, expand based on results

Allocation strategy:

1. Identify pilot group (50-100 users across 3-5 departments)
2. Purchase pilot licenses only
3. Create an Azure AD group for Copilot-licensed users
4. Assign licenses using group-based licensing for scalable management
5. Document license allocation decisions for audit trail

Supplementary License Requirements

Some Copilot features require additional licensing:

• Teams Premium: Required for advanced meeting intelligence features (intelligent recap, AI-generated meeting notes beyond basic transcription)
• SharePoint Premium: Required for advanced document processing and content assembly features
• Copilot Studio: Separate license required for building custom Copilot agents and plugins
• Power Automate Premium: Required if building automated workflows triggered by Copilot interactions
• Microsoft Purview premium features: Some advanced compliance features (insider risk management, communication compliance with AI) require E5 or add-on licenses

Phase 2: Network and Infrastructure

Bandwidth Assessment

Copilot generates additional network traffic between client applications and Microsoft's AI services:

• Estimated additional bandwidth: 50-100 MB per user per day for typical Copilot usage
• Peak usage patterns: Copilot traffic is highest during business hours, particularly 9-11 AM and 1-3 PM
• Assessment steps:
  1. Baseline current Microsoft 365 bandwidth usage
  2. Calculate projected Copilot traffic (users x 75 MB average x concurrent usage factor)
  3. Verify that network infrastructure, WAN links, and internet egress can handle the additional load
  4. Test with pilot group before broad deployment to validate projections

Endpoint URLs and Firewall Configuration

Copilot requires connectivity to specific Microsoft service endpoints. Review and update:

1. Microsoft 365 endpoints: Ensure all required Microsoft 365 URLs and IP ranges are allowed (reference Microsoft's published endpoint list, updated monthly)
2. Copilot-specific endpoints: Verify connectivity to Azure OpenAI Service endpoints and Microsoft AI infrastructure
3. Proxy server configuration: If using a web proxy, ensure it does not inspect or modify traffic to Microsoft AI endpoints (TLS inspection can cause Copilot failures)
4. Split tunneling for VPN: If using VPN, configure split tunneling to route Microsoft 365 and Copilot traffic directly rather than through the VPN tunnel

Client Application Requirements

• Microsoft 365 Apps: Version 2309 (Build 16827.20166) or later required for Copilot features
• Update channel: Monthly Enterprise Channel or Current Channel recommended for timely Copilot feature delivery
• Operating system: Windows 10/11 or macOS with latest updates
• Teams: New Teams client required (classic Teams does not support Copilot features)
• Mobile: Latest versions of Outlook, Teams, and Office mobile apps for mobile Copilot access

Phase 3: Identity and Access Management

Conditional Access Policy Review

Conditional access policies control when and how users can access Microsoft 365---including Copilot. Review and update policies:

Recommended Copilot conditional access configuration:

1. Require MFA for all Copilot-licensed users: Copilot's broad data access makes compromised accounts especially dangerous
2. Block access from unmanaged devices: Prevent Copilot from running on personal or untrusted devices
3. Location-based restrictions: Consider restricting Copilot access to trusted network locations for organizations with sensitive data
4. Device compliance requirements: Require device compliance (encryption, OS version, antivirus) for Copilot access
5. Session controls: Configure session timeout and re-authentication requirements appropriate to your security posture

Testing approach: Create a test conditional access policy targeting the pilot group. Validate that all conditions work correctly before applying to the broader organization.

Multi-Factor Authentication Enforcement

MFA is non-negotiable for Copilot users:

1. Verify MFA registration: Run the Azure AD MFA registration report. Identify users who have not registered
2. Enforce registration: Set a registration deadline and communicate it clearly. Block Copilot license assignment until MFA registration is complete
3. Strong methods: Require phishing-resistant MFA methods (FIDO2 keys, Windows Hello for Business, Microsoft Authenticator with number matching) for users with access to highly sensitive data
4. Backup methods: Ensure all users have at least two registered MFA methods in case their primary method is unavailable
5. MFA fatigue protection: Enable number matching and additional context in Microsoft Authenticator to prevent MFA fatigue attacks

Entra ID Configuration

• Security defaults: If using security defaults instead of conditional access, evaluate whether the security defaults provide sufficient control for a Copilot deployment (in most enterprise environments, they do not)
• Privileged Identity Management: Ensure PIM is configured for administrative accounts that manage Copilot configuration
• Guest access review: Audit external guest accounts in Azure AD. Guests with broad access can use Copilot to discover internal content
• Service principal audit: Review service principals and app registrations that may interact with Copilot data

Phase 4: Data Governance Preparation

SharePoint Permissions Audit (Most Critical Step)

This is the single most important preparation task. Every SharePoint permissions problem that exists today will be exposed by Copilot tomorrow:

Audit scope:

1. Site-level permissions: Identify all SharePoint sites shared with "Everyone" or "Everyone except external users"
2. Broken inheritance: Find document libraries and folders with broken permission inheritance where access is broader than intended
3. Orphaned access: Identify guest accounts, former employees, and service accounts with active SharePoint access
4. Overshared content: Locate sensitive documents (HR records, financial data, M&A materials, executive communications) that are accessible to users who should not have access
5. Microsoft 365 Groups: Audit group membership for Teams and SharePoint sites. Groups with overly broad membership grant Copilot access to all group content

Remediation steps:

1. Remove "Everyone" sharing from all sites containing sensitive or internal-only content
2. Fix broken permission inheritance by re-establishing parent permissions or applying correct custom permissions
3. Remove orphaned guest and former employee access
4. Implement a permissions review cadence (quarterly for sensitive sites, semi-annually for standard sites)
5. Use SharePoint Advanced Management reporting to monitor permissions changes going forward

Sensitivity Labels

Deploy Microsoft Purview sensitivity labels before enabling Copilot:

Minimum label taxonomy:

• Public: Content approved for external sharing (marketing materials, published documents)
• Internal: General business content accessible to all employees
• Confidential: Sensitive business content restricted to specific groups (financial data, strategic plans, client information)
• Highly Confidential: Restricted content with encryption and access controls (M&A, executive compensation, trade secrets, regulated data)

Deployment steps:

1. Design label taxonomy aligned with your data classification policy
2. Create labels and label policies in Microsoft Purview
3. Configure auto-labeling rules for common sensitive content types
4. Deploy labels to pilot group and validate behavior
5. Publish labels organization-wide with user training
6. Apply labels to existing content using auto-labeling or manual remediation campaigns

Data Loss Prevention Policies

Configure DLP policies before Copilot deployment:

1. Sensitive information types: Enable DLP policies for all relevant sensitive information types (SSN, credit card numbers, bank account numbers, health data, custom types)
2. Policy scope: Apply DLP to Exchange, SharePoint, OneDrive, Teams, and Copilot interactions
3. Policy actions: Configure block, warn, and override actions appropriate to each sensitivity level
4. Testing: Test DLP policies against Copilot-generated content to verify they trigger correctly
5. Monitoring: Configure DLP alerts and review dashboards to monitor policy matches during pilot

Retention Policies

Verify retention policies cover all Copilot-accessible content:

1. Exchange retention: Ensure email retention policies cover all mailbox content including Copilot-generated messages
2. SharePoint retention: Apply retention labels or policies to all document libraries where Copilot-generated documents may be stored
3. Teams retention: Configure retention for Teams chat and channel messages, including Copilot interactions within Teams
4. OneDrive retention: Apply retention policies to OneDrive for Business to cover user-created Copilot documents
5. Legal hold compatibility: Verify that legal hold capabilities extend to Copilot-generated content across all workloads

Phase 5: Organizational Readiness

Training Program Development

Build a training program before deployment:

• Executive training: 30-minute session covering Copilot capabilities, ROI expectations, and governance guardrails
• Department-specific training: 2-hour workshops tailored to each department's use cases and workflows
• Prompt engineering: Dedicated training on effective prompt construction using the RISE framework
• Governance awareness: Training on DLP, sensitivity labels, and responsible AI use for all Copilot users
• IT help desk preparation: Train support staff on common Copilot issues, troubleshooting steps, and escalation paths

Copilot Champions Program

Identify and train Copilot Champions in each department:

• Select 1-2 champions per department who are technically capable and influential
• Provide champions with early access during pilot phase
• Train champions as peer coaches who can assist colleagues with adoption
• Create a Champions Teams channel for sharing best practices and escalating issues
• Recognize champion contributions to encourage continued engagement

Communication Plan

Develop a communication strategy:

1. Executive announcement: CEO or CIO message explaining the Copilot investment and expected benefits
2. Department briefings: Manager-led sessions setting expectations for their teams
3. Intranet resources: FAQ page, training materials, and prompt library accessible to all users
4. Rollout schedule: Publish the phased deployment timeline so users know when they will receive access
5. Feedback mechanism: Create a simple feedback channel (Teams form, email alias) for users to report issues and share success stories

Acceptable Use Policy

Create a Copilot-specific acceptable use policy covering:

• Permitted and prohibited use cases
• Review requirements for AI-generated content (especially external-facing documents)
• Data handling expectations (sensitivity labels, DLP compliance)
• Intellectual property considerations for AI-generated content
• Reporting obligations for AI-related security or compliance concerns
• Consequences for policy violations

Deployment Readiness Checklist Summary

Use this checklist to verify readiness before enabling Copilot licenses:

• [ ] Base licenses verified for all target users
• [ ] Copilot licenses procured and allocated to pilot group
• [ ] Network bandwidth assessed and sufficient
• [ ] Firewall and proxy rules updated for Copilot endpoints
• [ ] Client applications updated to required versions
• [ ] Conditional access policies reviewed and updated
• [ ] MFA enforced for 100% of Copilot users
• [ ] SharePoint permissions audit completed and remediated
• [ ] Sensitivity labels deployed and applied to existing content
• [ ] DLP policies configured and tested
• [ ] Retention policies verified across all workloads
• [ ] Training program developed and pilot group trained
• [ ] Copilot Champions identified and trained
• [ ] Communication plan executed
• [ ] Acceptable use policy published

For organizations preparing for Copilot deployment, our readiness assessment services provide a comprehensive tenant evaluation covering every item on this checklist. We identify gaps, prioritize remediation, and deliver a deployment-ready roadmap with timeline and resource estimates. Contact us to schedule a tenant preparation assessment.