How to prepare your business for Microsoft Copilot — a step by step guide

Microsoft 365 Copilot requires a qualifying base licence. For SMEs this means Microsoft 365 Business Premium or Business Standard at minimum. Business Basic is not supported.

If you're on Business Basic, upgrade to Business Premium before proceeding — you'll need the security and compliance features anyway. Business Premium also includes Intune, Defender, and Conditional Access, all of which you'll want configured before deploying Copilot.

This is the most critical — and most commonly skipped — step. Copilot surfaces data that users have permission to access in SharePoint and OneDrive. If your permissions are too permissive, Copilot can show users files they technically have access to but shouldn't be seeing in practice.

• Run a SharePoint permissions report to identify oversharing
• Remove "Everyone" and "All authenticated users" permissions from sensitive sites
• Ensure each department or client has its own site with appropriate membership
• Remove legacy sharing links that are no longer needed
• Set default sharing to "Specific people" rather than "Anyone with a link"

Sensitivity labels help Copilot understand how to handle different types of content. A document labelled "Confidential — Client Data" is treated differently to one labelled "Internal Use Only".

• Create a simple label taxonomy — Public, Internal, Confidential, Highly Confidential
• Configure auto-labelling policies to label documents containing personal data, financial information, or client data automatically
• Apply labels manually to your most sensitive existing documents
• Train staff on what the labels mean and when to apply them

Copilot finds and summarises information from your SharePoint environment. If your files are scattered, inconsistently named, or buried in illogical folder structures — Copilot's responses will reflect that disorganisation.

• Consolidate files currently sitting in personal OneDrive into appropriate SharePoint sites
• Standardise file naming conventions across the team
• Archive old or redundant files so they don't appear in Copilot results
• Create a logical site structure — by department, project, or client — that Copilot can navigate effectively

Before adding AI to your environment, your security foundations need to be solid. This isn't specific to Copilot — it's just good practice — but it's especially important before deploying AI that will be working with your business data.

• Enforce MFA for all users via Conditional Access
• Block legacy authentication protocols
• Configure Defender for Business on all devices
• Enrol all devices in Intune
• Enable audit logging and set up alerts for high-risk events

Copilot adoption fails when staff receive licences but no training. The most common complaint is "I don't know what to say to it." Effective prompting is a skill — and one that needs to be taught.

• Plan a half-day training session before or on go-live day
• Prepare a prompt library specific to your business — 20–30 prompts your team can use immediately
• Identify two or three Copilot champions who will help colleagues and share new prompts
• Set up a Teams channel for sharing prompt tips and successes
• Schedule a 30-day review to check adoption and address any issues