Your CoPilot Readiness Score. A Step-by-Step Assessment Guide

Introduction: Beyond "We Think We're Ready"

I've had this conversation with dozens of IT managers over the past year:

Manager: "We're ready to deploy Copilot. Our users are excited about it."
Me: "How do you know you're ready?"
Manager: "Well, we have MFA enabled and we use sensitivity labels."
Me: "What percentage of your content is labeled?"
Manager: "Uh... I'm not sure. Maybe 50%?"

Here's the problem: "maybe 50%" isn't good enough when you're deploying an AI assistant that can surface any content your users have access to. Without quantifiable metrics, you're gambling with your organization's most sensitive data.

Microsoft Copilot for Microsoft 365 represents a fundamental shift in how users interact with organizational data. Unlike traditional productivity tools that require users to navigate to specific documents, Copilot can surface content from across your tenant based solely on natural language queries and user permissions. This means that security configurations you might have been able to live with before, broadly shared documents, unlabeled sensitive content, forgotten external user accounts, suddenly become critical vulnerabilities.

The good news? You can objectively measure your readiness with automated PowerShell assessments. This guide walks you through the complete process: running four specialized scripts, interpreting the results, calculating your readiness score across six critical dimensions, and determining whether you're truly ready to enable Copilot licenses.

By the end of this article, you'll have a clear, data-driven answer to the question: "Should we deploy Copilot today?"

---

What You'll Need: Prerequisites and Setup

Before starting the assessment, ensure you have the necessary permissions, tools, and environment configured.

Required Permissions

To run the assessment scripts, you need:

• SharePoint Online Administrator role (for content analysis)
• Global Reader role (minimum for tenant-wide visibility)
• Conditional Access Administrator (for CA policy review)
• Microsoft Graph API Permissions:
  • Sites.Read.All
  • User.Read.All
  • Policy.Read.All
  • Directory.Read.All

If you don't have all these permissions, work with your Global Administrator to obtain them. You'll need read-only access across your tenant to get accurate assessment data.

PowerShell Modules Installation

Install the required PowerShell modules before running any assessment scripts:

# Install SharePoint Online Management Shell
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Force -AllowClobber

# Install PnP PowerShell for advanced SharePoint operations
Install-Module -Name PnP.PowerShell -Force -AllowClobber

# Install Microsoft Graph modules for identity and policy analysis
Install-Module -Name Microsoft.Graph.Identity.SignIns -Force -AllowClobber
Install-Module -Name Microsoft.Graph.Users -Force -AllowClobber

# Verify installations
Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable
Get-Module -Name PnP.PowerShell -ListAvailable
Get-Module -Name Microsoft.Graph.* -ListAvailable

Environment Requirements

• PowerShell Version: PowerShell 5.1 or PowerShell 7+ (PowerShell 7 recommended for better performance)
• Operating System: Windows 10/11 or Windows Server 2016+
• Network Connectivity: Unimpeded access to Microsoft 365 services
• Local Storage: 1-5 GB free space for CSV outputs (varies by tenant size)
• Execution Policy: Set to RemoteSigned or Unrestricted

# Check PowerShell version
$PSVersionTable.PSVersion

# Set execution policy if needed
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

Downloading the Assessment Framework

The complete assessment framework and PowerShell scripts are available as an open-source project:

GitHub Repository: Microsoft Copilot Readiness Assessment Framework

Download and extract to a working directory:

# Clone the repository
git clone https://github.com/nitrondigital/Microsoft-Copilot-Readiness-Framework.git

# Or download ZIP and extract to:
C:\CopilotAssessment\

Your working directory should contain:

• Get-OversharedContent.ps1
• Get-LabelCoverage.ps1
• Get-ExternalUserAccess.ps1
• Get-CAPolicies.ps1
• Framework documentation (PDF)

---

Understanding the 6 Readiness Dimensions

Before running the scripts, it's important to understand what we're measuring. Copilot readiness isn't a single metric, it's a comprehensive evaluation across six critical security and compliance dimensions.

Dimension 1: Information Protection & Sensitivity Labels

Why It Matters: Copilot respects sensitivity labels when generating responses and determining what content to surface. Unlabeled sensitive data cannot be protected by Copilot, meaning it may be exposed in responses regardless of its sensitivity.

What We Measure:

• Percentage of documents with applied sensitivity labels
• Distribution of label types (Confidential, Internal, Public, etc.)
• Auto-labeling policy effectiveness
• Unlabeled sensitive content identification

Readiness Thresholds:

• 80%+ coverage: Ready for Copilot deployment
• 60-79% coverage: Nearly ready, minor remediation needed
• 40-59% coverage: Significant work required before deployment
• <40% coverage: Not ready, major remediation initiative needed

Dimension 2: Data Sharing & Permissions

Why It Matters: Copilot surfaces content based on user permissions. If a document is shared with "Everyone" or has anonymous sharing links, Copilot will treat that content as broadly accessible, potentially surfacing it in responses to users who shouldn't see it.

What We Measure:

• Content shared with "Everyone" or "Everyone except external users"
• Anonymous/Anyone sharing links that bypass permission checks
• Large security group shares (>1000 members)
• Risk-scored oversharing instances based on content sensitivity

Risk Thresholds:

• <5% overshared: Low risk, good governance
• 5-10% overshared: Moderate risk, review needed
• 10-20% overshared: High risk, immediate remediation required
• >20% overshared: Critical risk, deployment should be delayed

Dimension 3: External User Access

Why It Matters: External users (guests) with access to your tenant can use Copilot to query organizational data. For regulated industries (financial services, healthcare, government), external access to AI tools may violate compliance requirements or security policies.

What We Measure:

• All external users with tenant access
• Sites and content accessible to external users
• Permission levels granted (Read, Edit, Full Control)
• Inactive external accounts (>90 days without activity)
• Risk scoring by access level and content sensitivity

Risk Categories:

• Critical: External users with Full Control on sensitive sites
• High: External users with Edit access to confidential content
• Medium: External users with Read access to internal content
• Low: External users with appropriate, limited access

Dimension 4: Conditional Access Policies

Why It Matters: MFA and device compliance are essential for securing access to AI tools. Inadequate Conditional Access policies create significant security risks, as compromised credentials could allow unauthorized users to query organizational data through Copilot.

What We Measure:

• MFA enforcement for Microsoft 365 Copilot applications
• Device compliance requirements
• Risk-based access controls
• Session controls and limitations
• Legacy authentication blocking

Required Policies:

• MFA required for Copilot app access
• Managed/compliant devices required
• Block legacy authentication protocols
• Risk-based conditional access enabled
• Session controls for Copilot sessions

Dimension 5: Zero Trust Security Posture

Why It Matters: Copilot should be deployed within a Zero Trust security framework that assumes breach and verifies explicitly. This includes identity verification, device health validation, application controls, and data protection.

What We Measure:

• Identity verification mechanisms (MFA, risk-based auth)
• Device compliance and health attestation
• Application access controls and restrictions
• Data protection and encryption policies
• Network segmentation (where applicable)

Zero Trust Principles:

• Verify explicitly: Always authenticate and authorize
• Use least privilege access: Limit user and device access
• Assume breach: Minimize blast radius with segmentation

Dimension 6: Compliance & Governance

Why It Matters: Deploying AI tools that access organizational data must maintain compliance with regulatory frameworks. Different industries have specific requirements around data residency, audit logging, and AI tool usage.

What We Measure:

• Regulatory framework alignment (GDPR, HIPAA, SOX, FINRA, etc.)
• Data residency and sovereignty requirements
• Audit logging and monitoring capabilities
• Policy enforcement mechanisms
• Governance structure and approval processes

Industry-Specific Considerations:

• Financial Services: AI tool usage must comply with FINRA, SEC guidance
• Healthcare: HIPAA requirements for PHI access and audit trails
• Government: FedRAMP, ITAR, security clearance controls
• European Operations: GDPR compliance and data residency

Now that you understand what we're measuring and why it matters, let's run the assessment scripts.

---

Week 1: Discovery Phase. Running the Scripts

The discovery phase involves running four PowerShell scripts to collect objective, quantifiable data about your tenant's current state. Each script focuses on a specific dimension of readiness and produces CSV outputs with detailed findings.

Set aside 3-4 hours to run all four scripts. Depending on your tenant size, scripts may take 15-60 minutes each to complete.

Script 1: Get-OversharedContent.ps1

Purpose: Identifies SharePoint and OneDrive content with overly broad permissions that pose risk when accessed through Copilot.

What It Finds:

• Documents shared with "Everyone" or "Everyone except external users"
• Anonymous sharing links (Anyone with the link)
• Content shared with large security groups (>1000 members)
• Risk-scored oversharing based on content type and sensitivity

Running the Script

# Navigate to your script directory
cd C:\CopilotAssessment

# Run the overshared content assessment
.\Get-OversharedContent.ps1 `
    -TenantUrl "https://tenant-admin.sharepoint.com" `
    -OutputPath "C:\CopilotAssessment\Results\" `
    -IncludeOneDrive

# You'll be prompted to authenticate with your admin credentials

Parameters Explained:

• -TenantUrl: Your SharePoint admin URL (replace 'tenant' with your tenant name)
• -OutputPath: Where to save the CSV results
• -IncludeOneDrive: Optional flag to include OneDrive for Business sites (recommended)

Understanding the Output

The script generates three files:

1. OversharedContent_[timestamp].csv

This is your detailed findings report. Key columns include:

Column	Description	Example
SiteUrl	SharePoint site or OneDrive URL	https://tenant.sharepoint.com/sites/HR
ItemType	Document, Folder, or Site	Document
ItemPath	Full path to the item	/sites/HR/Shared Documents/Salaries.xlsx
SharingType	How it's shared	Everyone, Anyone with link
RiskScore	1-10 risk rating	9 (Critical)
SensitivityLabel	Applied label, if any	Confidential - Finance
LastModified	When content was last changed	2024-12-15

2. OversharedContent_Summary_[timestamp].txt

Console output summary showing:

=== OVERSHARING ASSESSMENT SUMMARY ===
Total sites analyzed: 247
Total items scanned: 45,234
Overshared items found: 3,842 (8.5% of content)

Risk Level Breakdown:
- Critical (Score 9-10): 127 items
- High (Score 7-8): 456 items
- Medium (Score 5-6): 1,234 items
- Low (Score 1-4): 2,025 items

Top Issues:
1. Documents shared with "Everyone": 1,456 items
2. Anonymous sharing links: 892 items
3. Large group shares (>1000 members): 1,494 items

3. HighRiskSharing_[timestamp].csv

Filtered view of only Critical and High risk items (scores 7-10). This is your immediate action list.

Interpreting Your Results

Good (Low Risk):

• <5% of content overshared
• Critical items: <10
• Most oversharing is Low risk (score 1-4)

Needs Attention (Moderate Risk):

• 5-10% of content overshared
• Critical items: 10-50
• Mix of risk levels

Red Flag (High Risk):

• 10% of content overshared

• Critical items: >50
• Many High/Critical items involve sensitive labels

Example Finding to Watch For:

ItemPath: /sites/Finance/Shared Documents/2024 Budget Forecast.xlsx
SharingType: Everyone
SensitivityLabel: Confidential - Finance
RiskScore: 10
LastModified: 2024-11-20

This is a critical finding: A budget document with a Confidential label is shared with Everyone. Any user in your tenant could query this through Copilot.

---

Script 2: Get-LabelCoverage.ps1

Purpose: Calculates sensitivity label coverage across your tenant to assess information protection readiness.

What It Measures:

• Percentage of documents with applied labels
• Distribution of label types (Confidential, Internal, Public, etc.)
• Auto-labeling policy effectiveness
• Identification of unlabeled sensitive content

Running the Script

# Run the label coverage assessment
.\Get-LabelCoverage.ps1 `
    -TenantUrl "https://tenant-admin.sharepoint.com" `
    -OutputPath "C:\CopilotAssessment\Results\" `
    -SampleSize 5000

# For smaller tenants, use full scan:
.\Get-LabelCoverage.ps1 `
    -TenantUrl "https://tenant-admin.sharepoint.com" `
    -OutputPath "C:\CopilotAssessment\Results\" `
    -FullScan

Parameters Explained:

• -SampleSize: Number of random documents to analyze (default: 1000, recommended: 5000)
• -FullScan: Analyze ALL documents (use for tenants with <50,000 documents)
• -IncludeFileTypes: Optional CSV list (e.g., "docx,xlsx,pdf")

Pro Tip: For large tenants (>100,000 documents), use sampling. A 5000-document sample provides 95% confidence with ±2% margin of error.

Understanding the Output

The script generates four files:

1. LabelCoverage_[timestamp].csv

Document-level detail for your sample:

Column	Description
SiteUrl	SharePoint site URL
FilePath	Full path to document
FileType	Extension (docx, xlsx, pdf)
SensitivityLabel	Applied label name or "None"
FileSize	Size in MB
LastModified	Last modification date
Author	Document creator

2. LabelDistribution_[timestamp].csv

Breakdown by label type:

LabelName,Count,Percentage
Confidential - Finance,234,4.7%
Confidential - HR,156,3.1%
Internal Use Only,1823,36.5%
Public,892,17.8%
[None - Unlabeled],1895,37.9%

3. LabelCoverage_Summary_[timestamp].txt

Your readiness assessment:

=== SENSITIVITY LABEL COVERAGE ASSESSMENT ===
Total documents analyzed: 5,000
Documents with labels: 3,105 (62.1%)
Documents without labels: 1,895 (37.9%)

Label Distribution:
- Confidential labels: 390 (7.8%)
- Internal Use Only: 1,823 (36.5%)
- Public: 892 (17.8%)
- Unlabeled: 1,895 (37.9%)

READINESS ASSESSMENT: NEARLY READY (Score: 3/5)
At 62.1% coverage, you're approaching the 60-79% threshold.
Recommendation: Implement auto-labeling for common sensitive content
patterns before Copilot deployment. Target: 70%+ coverage.

Auto-Labeling Effectiveness:
- Documents auto-labeled: 1,245 (40% of labeled content)
- Documents manually labeled: 1,860 (60% of labeled content)

4. UnlabeledSensitiveContent_[timestamp].csv

High-risk findings: Documents that appear sensitive but lack labels:

FilePath,FileType,Indicators,RiskScore
/sites/HR/Salaries.xlsx,xlsx,"Contains: SSN patterns, salary data",9
/sites/Finance/Audit.docx,docx,"Contains: account numbers, financial data",8
/sites/Legal/Contract.pdf,pdf,"Contains: attorney-client references",7

This file uses pattern matching to identify likely sensitive content based on:

• Keywords (SSN, salary, confidential, patient, etc.)
• Data patterns (SSN formats, credit card numbers, account numbers)
• File locations (HR, Finance, Legal sites)

Interpreting Your Results

Your Coverage Score:

Coverage %	Readiness Score	Assessment	Action Required
80%+	5/5	Ready	Monitor and maintain
60-79%	3/5	Nearly Ready	Short-term remediation (2-4 weeks)
40-59%	2/5	Requires Work	Medium-term remediation (1-3 months)
<40%	1/5	Not Ready	Major initiative needed (3-6 months)

Key Metrics to Watch:

1. Overall Coverage: What percentage of documents have ANY label?
2. Confidential Coverage: What percentage have high-sensitivity labels?
3. Auto-Labeling Ratio: What percentage are auto-labeled vs. manual?
4. Unlabeled Sensitive Count: How many high-risk unlabeled documents exist?

Example Good Result:

Coverage: 83%
Confidential labels: 12%
Auto-labeled: 65%
Unlabeled sensitive: 23 documents
Assessment: READY (Score: 5/5)

Example Concerning Result:

Coverage: 42%
Confidential labels: 3%
Auto-labeled: 15%
Unlabeled sensitive: 892 documents
Assessment: NOT READY (Score: 1/5)

---

Script 3: Get-ExternalUserAccess.ps1

Purpose: Audits all external users (guests) and their access permissions to identify Copilot-related risks.

What It Finds:

• Every external user account in your tenant
• Sites and content they can access
• Permission levels granted (Read, Edit, Full Control)
• Inactive accounts (no activity >90 days)
• Risk scoring based on access level and content sensitivity

Why This Matters for Copilot: External users can use Copilot to query ANY content they have access to. For regulated industries, this may violate compliance requirements.

Running the Script

# Run the external user access audit
.\Get-ExternalUserAccess.ps1 `
    -TenantUrl "https://tenant-admin.sharepoint.com" `
    -OutputPath "C:\CopilotAssessment\Results\" `
    -IncludeInactiveUsers

# For detailed permission analysis:
.\Get-ExternalUserAccess.ps1 `
    -TenantUrl "https://tenant-admin.sharepoint.com" `
    -OutputPath "C:\CopilotAssessment\Results\" `
    -IncludeInactiveUsers `
    -DetailedPermissions

Parameters Explained:

• -IncludeInactiveUsers: Flag inactive accounts (>90 days)
• -DetailedPermissions: Include specific permission levels per site
• -InactiveDays: Custom threshold (default: 90)

Understanding the Output

The script generates four files:

1. ExternalUserAccess_[timestamp].csv

Complete access log for all external users:

Column	Description
UserPrincipalName	External user email
DisplayName	User's name
InvitedBy	Who granted access
InviteDate	When access was granted
LastActivity	Last sign-in or access
DaysSinceActivity	Days since last activity
SiteUrl	Site they can access
PermissionLevel	Read, Edit, or Full Control
RiskScore	1-10 risk rating
IsInactive	TRUE if >90 days

2. ExternalUserSummary_[timestamp].csv

Per-user summary showing total access:

UserPrincipalName,TotalSites,ReadAccess,EditAccess,FullControlAccess,HighestRisk,IsInactive
contractor1@vendor.com,12,8,3,1,9,FALSE
oldconsultant@firm.com,5,4,1,0,6,TRUE
partner@company.com,2,2,0,0,3,FALSE

3. HighRiskExternalAccess_[timestamp].csv

Filtered view of Critical and High risk external access (scores 7-10):

UserPrincipalName,SiteUrl,PermissionLevel,RiskScore,RiskReason
contractor1@vendor.com,/sites/Finance,Full Control,10,"Full Control on sensitive site"
consultant@firm.com,/sites/Legal,Edit,8,"Edit access to confidential content"
partner@company.com,/sites/HR,Read,7,"Read access to HR data"

4. ExternalUserAccess_ExecutiveSummary_[timestamp].txt

High-level overview:

=== EXTERNAL USER ACCESS ASSESSMENT ===
Total external users: 127
Active external users: 89
Inactive external users (>90 days): 38

Permission Level Distribution:
- Read only: 67 users (53%)
- Edit access: 43 users (34%)
- Full Control: 17 users (13%)

Risk Level Distribution:
- Critical (Score 9-10): 12 users
- High (Score 7-8): 28 users
- Medium (Score 5-6): 45 users
- Low (Score 1-4): 42 users

Top Sites with External Access:
1. /sites/Projects: 45 external users
2. /sites/PartnerPortal: 34 external users
3. /sites/Finance: 8 external users (HIGH RISK)

Inactive Account Risk:
- 38 inactive accounts represent potential security risk
- 8 inactive accounts have Edit or Full Control
- Recommendation: Remove inactive accounts immediately

Interpreting Your Results

Risk Scoring Logic:

The script assigns risk scores based on:

Factor	Risk Score Impact
Full Control permission	+5 points
Edit permission	+3 points
Read permission	+1 point
Access to Finance/HR/Legal sites	+3 points
Access to Confidential labeled content	+2 points
Inactive account	+2 points

Risk Categories:

• Critical (9-10): External users with Full Control on sensitive sites

  • Action: Remove access immediately or convert to least privilege

• High (7-8): External users with Edit on confidential content

  • Action: Review necessity, downgrade to Read if possible

• Medium (5-6): External users with Read on internal content

  • Action: Review and validate business need

• Low (1-4): External users with limited, appropriate access

  • Action: Monitor regularly

Red Flags to Watch For:

1. External users with Full Control: Should be extremely rare
2. Inactive accounts with access: Security risk (orphaned accounts)
3. External access to Finance/HR/Legal: High compliance risk
4. >20% of external users are inactive: Poor access governance

Example Concerning Finding:

UserPrincipalName: oldcontractor@vendor.com
DaysSinceActivity: 456
PermissionLevel: Full Control
SiteUrl: /sites/Finance
RiskScore: 10

This external user hasn't accessed the tenant in over a year but still has Full Control on your Finance site. They could use Copilot to query financial data if they ever signed back in.

---

Script 4: Get-CAPolicies.ps1

Purpose: Reviews Conditional Access policies for Copilot compatibility and security effectiveness.

What It Analyzes:

• Existing CA policy configuration
• MFA enforcement for Copilot apps
• Device compliance requirements
• Copilot app blocking risks
• Session control compatibility
• Zero Trust alignment

Why This Matters: Without proper Conditional Access policies, compromised credentials could allow unauthorized Copilot access from unmanaged devices without MFA.

Running the Script

# Run the Conditional Access policy analysis
.\Get-CAPolicies.ps1 `
    -OutputPath "C:\CopilotAssessment\Results\" `
    -CheckCopilotApps

# For detailed analysis with recommendations:
.\Get-CAPolicies.ps1 `
    -OutputPath "C:\CopilotAssessment\Results\" `
    -CheckCopilotApps `
    -IncludeRecommendations

Parameters Explained:

• -CheckCopilotApps: Specifically analyze policies affecting Copilot apps
• -IncludeRecommendations: Generate policy recommendations
• -ExportJSON: Export policy configurations as JSON (for backup)

Note: This script requires Microsoft Graph authentication with Policy.Read.All permission.

Understanding the Output

The script generates four files:

1. CA_PolicyAnalysis_[timestamp].csv

Complete policy inventory:

Column	Description
PolicyName	CA policy name
State	Enabled, Report-only, or Disabled
Users/Groups	Who the policy applies to
CloudApps	Which apps are targeted
Conditions	Grant controls (MFA, device compliance)
SessionControls	Sign-in frequency, persistent browser
CopilotCompatible	TRUE/FALSE

2. CA_CompatibilityIssues_[timestamp].csv

Policies that may block or conflict with Copilot:

PolicyName,Issue,Severity,Impact,Recommendation
"Block Mobile Apps",Blocks Copilot mobile,High,"Users can't access Copilot on phones","Update to allow Copilot apps"
"Require Compliant Devices",No exception for Copilot,Medium,"May block legitimate use","Add Copilot to allowed apps"
"Legacy Auth Block",None,Low,"Copilot doesn't use legacy auth","No change needed"

3. CA_RecommendedCopilotPolicies_[timestamp].csv

Implementation guide for Copilot-specific policies:

PolicyName,Purpose,Priority,Users,Apps,Conditions,GrantControls
"Require MFA for Copilot",MFA enforcement,Critical,All Users,Microsoft 365 Copilot,"All locations","Require MFA"
"Require Managed Device for Copilot",Device compliance,High,All Users,Microsoft 365 Copilot,"All locations","Require device compliance"
"Block Copilot from Untrusted Locations",Geo-restriction,Medium,All Users,Microsoft 365 Copilot,"Untrusted countries","Block access"
"Risk-Based Copilot Access",Identity protection,High,All Users,Microsoft 365 Copilot,"Sign-in risk: Medium/High","Require password change + MFA"

4. CA_ExecutiveSummary_[timestamp].txt

High-level policy assessment:

=== CONDITIONAL ACCESS POLICY ASSESSMENT ===

Total CA Policies: 23
Enabled Policies: 18
Report-Only Policies: 3
Disabled Policies: 2

Copilot-Specific Findings:

✓ MFA Required: YES
  Policy: "Require MFA for All Cloud Apps"
  Applies to: All Users
  
✗ Device Compliance Required: NO
  Risk: Unmanaged devices can access Copilot
  Recommendation: Create policy requiring managed devices
  
✗ Copilot-Specific Policy: NO
  Risk: Generic policies may not adequately protect AI tools
  Recommendation: Create Copilot-specific CA policy
  
✓ Legacy Authentication Blocked: YES
  Policy: "Block Legacy Protocols"
  
✓ Risk-Based Access: YES
  Policy: "Block High-Risk Sign-ins"

OVERALL ASSESSMENT: PARTIALLY READY (Score: 3/5)

Critical Gaps:
1. No device compliance requirement for Copilot
2. No Copilot-specific CA policy
3. No session controls for Copilot sessions

Recommendations:
1. Create "Require Managed Device for Copilot" policy (Priority: HIGH)
2. Create "Copilot Session Controls" policy (Priority: MEDIUM)
3. Review and update app assignments in existing policies

Interpreting Your Results

Critical Policy Requirements for Copilot:

Requirement	Status	Priority	Impact if Missing
MFA Required	✓/✗	CRITICAL	Credential compromise = Copilot access
Device Compliance	✓/✗	HIGH	Unmanaged devices can query data
Legacy Auth Blocked	✓/✗	MEDIUM	Outdated protocols can bypass MFA
Risk-Based Access	✓/✗	HIGH	High-risk sign-ins not blocked
Session Controls	✓/✗	MEDIUM	Extended sessions increase risk

Your Conditional Access Score:

Status	Readiness Score	Assessment
All 5 requirements met	5/5	Ready
4 requirements met	4/5	Nearly Ready
3 requirements met	3/5	Requires Work
2 or fewer met	1/5	Not Ready

Common Gaps and Fixes:

Gap 1: No MFA for Copilot

Issue: Generic "All Cloud Apps" policy doesn't specifically target Copilot
Fix: Create Copilot-specific policy with MFA requirement
Timeline: 1 day

Gap 2: No Device Compliance

Issue: Unmanaged devices can access Copilot and query data
Fix: Require compliant or hybrid-joined devices for Copilot access
Timeline: 1-2 weeks (includes device enrollment)

Gap 3: Policy Blocks Copilot

Issue: Overly restrictive policy blocks legitimate Copilot use
Fix: Add Copilot apps to exclusion list or create separate policy
Timeline: 1 day

Example Recommended Policy Configuration:

{
  "displayName": "Require MFA for Microsoft 365 Copilot",
  "state": "enabled",
  "conditions": {
    "applications": {
      "includeApplications": ["Microsoft 365 Copilot"]
    },
    "users": {
      "includeUsers": ["All"]
    }
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["mfa", "compliantDevice"]
  }
}

---

Week 2-3: Analysis & Scoring

Now that you've collected data from all four scripts, it's time to analyze findings, calculate readiness scores, and prioritize remediation efforts.

Step 1: Consolidate Your Findings

Create a master spreadsheet to track key metrics across all dimensions:

Dimension	Metric	Target	Your Score	Status	Priority
Information Protection	Label Coverage	80%+	62%	⚠ Nearly Ready	HIGH
Data Sharing	Overshared Content	<5%	8.5%	⚠ Moderate Risk	HIGH
External Access	Critical Risk Users	0	12	❌ High Risk	CRITICAL
Conditional Access	Required Policies	5/5	3/5	⚠ Partial	HIGH
Zero Trust	Alignment	Full	Partial	⚠ Gaps	MEDIUM
Compliance	Framework Coverage	100%	85%	⚠ Nearly Ready	MEDIUM

Step 2: Calculate Dimension Scores

Use these formulas to calculate a 1-5 score for each dimension:

Dimension 1: Information Protection Score

Label Coverage Score:
- 80%+ coverage = 5
- 60-79% coverage = 3
- 40-59% coverage = 2
- <40% coverage = 1

Your Calculation:
Label Coverage: 62%
Score: 3/5 (Nearly Ready)

Dimension 2: Data Sharing Score

Oversharing Score:
- <5% overshared = 5
- 5-10% overshared = 3
- 10-20% overshared = 2
- >20% overshared = 1

Critical Items Modifier:
- If >50 critical items, reduce score by 1
- If >100 critical items, reduce score by 2

Your Calculation:
Overshared Content: 8.5%
Critical Items: 127
Base Score: 3
Modifier: -2 (>100 critical)
Final Score: 1/5 (High Risk)

Dimension 3: External Access Score

External User Risk Score:
- 0 Critical/High users = 5
- 1-10 Critical/High = 4
- 11-25 Critical/High = 3
- 26-50 Critical/High = 2
- >50 Critical/High = 1

Inactive Account Modifier:
- If >20% inactive, reduce score by 1

Your Calculation:
Critical Users: 12
High Users: 28
Total High-Risk: 40
Base Score: 2
Inactive: 38/127 = 30% (>20%)
Modifier: -1
Final Score: 1/5 (High Risk)

Dimension 4: Conditional Access Score

CA Policy Score (count required policies met):
- 5/5 policies = 5
- 4/5 policies = 4
- 3/5 policies = 3
- 2/5 policies = 2
- 0-1/5 policies = 1

Required Policies:
✓ MFA for Copilot
✗ Device Compliance
✓ Legacy Auth Blocked
✓ Risk-Based Access
✗ Session Controls

Your Calculation:
Policies Met: 3/5
Score: 3/5 (Requires Work)

Dimension 5: Zero Trust Score

Zero Trust Alignment Score:
Evaluate each principle (1 point each):
✓ Verify explicitly (MFA + risk-based)
✗ Least privilege access (oversharing issues)
✓ Assume breach (monitoring enabled)
✗ Device health (no compliance requirement)
✓ Data protection (labels implemented)

Your Calculation:
Principles Met: 3/5
Score: 3/5 (Partial Alignment)

Dimension 6: Compliance Score

Compliance Framework Score:
- All frameworks satisfied = 5
- 80%+ satisfied = 4
- 60-79% satisfied = 3
- 40-59% satisfied = 2
- <40% satisfied = 1

Your Calculation:
Applicable Frameworks: HIPAA, SOX
HIPAA Requirements: 8/10 met (80%)
SOX Requirements: 9/10 met (90%)
Overall: 85% satisfied
Score: 4/5 (Nearly Ready)

Step 3: Calculate Overall Readiness Score

Use weighted averaging based on your organization's priorities:

Standard Weighting (most organizations):

Overall Score = (
  Information Protection × 25% +
  Data Sharing × 25% +
  External Access × 20% +
  Conditional Access × 15% +
  Zero Trust × 10% +
  Compliance × 5%
) / 100

Your Calculation:
(3 × 25%) + (1 × 25%) + (1 × 20%) + (3 × 15%) + (3 × 10%) + (4 × 5%)
= 0.75 + 0.25 + 0.20 + 0.45 + 0.30 + 0.20
= 2.15 / 5

Overall Readiness Score: 2.15/5 (Requires Significant Work)

Industry-Specific Weighting Examples:

Healthcare (HIPAA-focused):

• Information Protection: 30%
• Data Sharing: 20%
• External Access: 25%
• Conditional Access: 15%
• Zero Trust: 5%
• Compliance: 5%

Financial Services (SOX/FINRA):

• Information Protection: 20%
• Data Sharing: 25%
• External Access: 25%
• Conditional Access: 20%
• Zero Trust: 5%
• Compliance: 5%

Step 4: Create Prioritization Matrix

Map your findings to a risk/effort matrix to prioritize remediation:

HIGH IMPACT, LOW EFFORT (Do First):
- Enable MFA for Copilot apps (1 day)
- Remove inactive external accounts (2 days)
- Block critical oversharing (1 week)

HIGH IMPACT, HIGH EFFORT (Schedule Next):
- Implement auto-labeling policies (2-4 weeks)
- Review all external user access (3-4 weeks)
- Deploy device compliance (4-6 weeks)

LOW IMPACT, LOW EFFORT (Quick Wins):
- Enable audit logging (1 day)
- Update CA policy descriptions (1 day)
- Create documentation (1 week)

LOW IMPACT, HIGH EFFORT (Defer):
- Full content labeling (3-6 months)
- Zero Trust architecture overhaul (6-12 months)

Step 5: Build Remediation Timeline

Create a phased remediation plan based on your overall score:

For Score 1-2 (Not Ready / Significant Work):

Phase 1 (Weeks 1-4): Critical Security Gaps
- Enable MFA for Copilot
- Remove high-risk external access
- Block critical oversharing
- Implement emergency audit logging
Goal: Move to Score 2.5

Phase 2 (Weeks 5-8): Foundational Controls
- Deploy device compliance policies
- Implement auto-labeling policies
- Review all external users
- Create data classification guidelines
Goal: Move to Score 3.0

Phase 3 (Weeks 9-12): Optimization
- Remediate medium-priority oversharing
- Fine-tune CA policies
- Enhance Zero Trust alignment
- Document governance processes
Goal: Move to Score 4.0+

Timeline to Readiness: 3 months

For Score 3 (Requires Work):

Phase 1 (Weeks 1-2): Quick Security Wins
- Address critical findings
- Enable missing CA policies
- Remove inactive external accounts
Goal: Move to Score 3.5

Phase 2 (Weeks 3-4): Label Coverage
- Deploy auto-labeling for priority content
- Manual labeling campaign for sensitive docs
- Review and remediate oversharing
Goal: Move to Score 4.0

Phase 3 (Weeks 5-6): Final Validation
- Reassess with scripts
- Fix remaining gaps
- Document readiness
Goal: Move to Score 4.5+

Timeline to Readiness: 6 weeks

For Score 4+ (Nearly Ready):

Phase 1 (Week 1): Address Gaps
- Fix identified issues
- Complete any missing policies
Goal: Move to Score 4.5

Phase 2 (Week 2): Validation
- Rerun assessment scripts
- Confirm all metrics in green zone
- Document baseline
Goal: Achieve Score 5.0

Timeline to Readiness: 2 weeks

---

Week 4: Reporting to Leadership

The final phase is compiling your findings into reports for different audiences: executive leadership, IT leadership, and technical teams.

Executive Summary Template

Leadership needs to understand three things: readiness status, business risk, and investment required.

# Microsoft Copilot Readiness Assessment
Executive Summary

## Assessment Overview

**Assessment Period:** [Dates]
**Assessment Scope:** [Number] users, [Number] SharePoint sites, [Number] documents
**Assessment Methodology:** Automated PowerShell analysis across 6 security dimensions

## Overall Readiness Status

**Overall Readiness Score: 2.15 / 5.0 (Requires Significant Work)**

We are not ready to deploy Microsoft Copilot today due to critical security and compliance gaps.

## Critical Findings (Must Fix Before Deployment)

1. **External User Risk (Score: 1/5)**
   - 40 external users have High or Critical access levels
   - 12 external users have Full Control on sensitive sites
   - 38 inactive external accounts (>90 days) still have access
   - **Business Risk:** External partners could query confidential data through Copilot

2. **Data Oversharing (Score: 1/5)**
   - 8.5% of content (3,842 items) is overshared
   - 127 critical items shared with "Everyone" include labeled sensitive data
   - **Business Risk:** Copilot could expose confidential data to any employee

3. **Label Coverage (Score: 3/5)**
   - 62% of documents have sensitivity labels (target: 80%)
   - 1,895 unlabeled documents include likely sensitive content
   - **Business Risk:** Unlabeled sensitive data cannot be protected by Copilot

## Business Impact of Deployment Delay

**Cost of Remediation:** $[X] (internal resources + potential consulting)
**Timeline to Readiness:** 3 months
**Cost of Premature Deployment:** Potential data breach, regulatory fines, reputational damage

We recommend delaying Copilot deployment until critical gaps are addressed.

## Investment Required

**Phase 1 (Critical - Weeks 1-4):** $[X]
- MFA enforcement
- External user remediation
- Oversharing remediation

**Phase 2 (Foundational - Weeks 5-8):** $[X]
- Auto-labeling implementation
- Device compliance
- CA policy deployment

**Phase 3 (Optimization - Weeks 9-12):** $[X]
- Remaining remediation
- Documentation
- Training

**Total Investment:** $[X]
**ROI:** Risk mitigation > $[X] (potential breach cost)

## Recommendation

**Proceed with 3-month remediation plan before enabling Copilot licenses.**

Next Steps:
1. Approve remediation budget
2. Form cross-functional remediation team
3. Begin Phase 1 (Critical) work immediately
4. Reassess readiness in Month 3

Technical Findings Report Template

IT teams need detailed findings with specific remediation actions.

# Microsoft Copilot Readiness Assessment
Technical Findings Report

## Dimension 1: Information Protection (Score: 3/5 - Nearly Ready)

### Current State
- Total documents analyzed: 5,000
- Documents with labels: 3,105 (62.1%)
- Documents without labels: 1,895 (37.9%)
- Target coverage: 80%+
- **Gap:** 18% below target

### Key Findings
1. Auto-labeling policies exist but have limited effectiveness (40% coverage)
2. 892 documents in Finance and HR sites are unlabeled
3. Manual labeling is inconsistent across departments
4. No default sensitivity labels configured

### Remediation Actions
| Action | Priority | Effort | Timeline | Owner |
|--------|----------|--------|----------|-------|
| Deploy auto-labeling for Finance/HR | HIGH | 2 weeks | Week 2-3 | InfoSec |
| Configure default labels | HIGH | 1 day | Week 1 | InfoSec |
| Manual labeling campaign | MEDIUM | 3 weeks | Week 4-6 | All Depts |
| Label usage training | MEDIUM | 2 weeks | Week 3-4 | Training |

### Success Criteria
- 80%+ label coverage
- 90%+ auto-labeling rate for new content
- <100 unlabeled sensitive documents

---

## Dimension 2: Data Sharing (Score: 1/5 - High Risk)

### Current State
- Total content analyzed: 45,234 items
- Overshared content: 3,842 (8.5%)
- Critical risk items: 127
- High risk items: 456
- Target: <5% overshared

### Key Findings
1. 1,456 documents shared with "Everyone"
2. 892 anonymous sharing links active
3. Finance site has highest oversharing rate (23%)
4. Many "Everyone" shares are 2+ years old (legacy)

### High-Priority Remediation
**Critical Items (Score 9-10) - Fix Immediately:**
| Site | Item | Risk | Action |
|------|------|------|--------|
| /sites/Finance | 2024_Budget_Forecast.xlsx | 10 | Remove "Everyone" share |
| /sites/HR | Salary_Ranges.docx | 10 | Restrict to HR group |
| /sites/Legal | Acquisition_Terms.pdf | 9 | Restrict to Legal team |

**Bulk Remediation Plan:**
1. Week 1: Disable anonymous sharing at tenant level (if not business-critical)
2. Week 1-2: Remove "Everyone" shares on Confidential content (456 items)
3. Week 3-4: Review and remediate large group shares
4. Week 5-6: Implement quarterly access reviews

### Success Criteria
- <5% overshared content
- 0 critical risk items
- <50 high risk items

[Continue for all 6 dimensions...]

Remediation Tracking Dashboard

Create a simple tracking spreadsheet:

Finding ID	Dimension	Risk	Issue	Action	Owner	Status	Due Date	Complete
IP-001	Info Protection	HIGH	38% unlabeled	Deploy auto-label	InfoSec	In Progress	2/15	40%
DS-002	Data Sharing	CRITICAL	127 critical overshares	Remove "Everyone"	IT Admin	Not Started	2/1	0%
EXT-003	External Access	CRITICAL	12 Full Control users	Revoke access	IT Admin	Not Started	2/1	0%

---

Conclusion: Defining "Ready" for Microsoft Copilot

After running the assessment scripts, analyzing the data, and calculating your readiness score, you should have a clear, objective answer to the question: "Are we ready to deploy Copilot?"

But what does "ready" actually mean?

The Definition of "Ready"

Ready for Copilot deployment means:

1. Information Protection: Score 4+

   • At least 70% of documents have sensitivity labels
   • Auto-labeling policies are deployed and effective
   • Critical unlabeled sensitive content has been identified and labeled
   • Why: Copilot can only protect labeled content. Unlabeled sensitive data WILL be exposed.

2. Data Sharing: Score 4+

   • Less than 5% of content is overshared
   • No critical risk items (Score 9-10) exist
   • Fewer than 50 high-risk items (Score 7-8) exist
   • Why: Overshared content becomes queryable through Copilot by any user with access.

3. External Access: Score 4+

   • Zero external users have Full Control on sensitive sites
   • Fewer than 10 external users have High risk (Score 7-8) access
   • No inactive external accounts (>90 days) remain
   • External access aligns with regulatory requirements
   • Why: External users can query organizational data through Copilot, creating compliance and security risks.

4. Conditional Access: Score 5

   • MFA is required for Microsoft 365 Copilot applications
   • Device compliance is required for Copilot access
   • Legacy authentication is blocked
   • Risk-based conditional access is enabled
   • Session controls are configured
   • Why: Without strong authentication and device controls, compromised credentials = Copilot access.

5. Zero Trust: Score 3+

   • Identity verification is robust (MFA + risk-based)
   • Least privilege principles are applied to data sharing
   • Breach assumption mindset with monitoring and detection
   • Device health is validated
   • Data protection mechanisms are deployed
   • Why: Copilot should be deployed within a Zero Trust framework that assumes breach.

6. Compliance: Score 4+

   • All applicable regulatory frameworks are satisfied
   • Data residency requirements are met
   • Audit logging is comprehensive
   • Governance processes are documented
   • Why: AI tools accessing organizational data must maintain regulatory compliance.

Readiness Score Interpretation

Overall Readiness Score: 4.0+ (Ready)

• All critical security controls are in place
• Minimal high-risk findings
• Compliance requirements are met
• Action: Proceed with pilot deployment to limited user group
• Timeline: Deploy within 2 weeks

Overall Readiness Score: 3.0-3.9 (Nearly Ready)

• Most security controls are effective
• Some medium-risk gaps exist
• Minor remediation required
• Action: Address gaps, then proceed with deployment
• Timeline: 4-6 weeks to readiness

Overall Readiness Score: 2.0-2.9 (Requires Work)

• Significant security gaps exist
• Multiple high-risk findings
• Moderate remediation effort required
• Action: Do NOT deploy; complete remediation plan
• Timeline: 2-3 months to readiness

Overall Readiness Score: 1.0-1.9 (Not Ready)

• Critical security gaps exist
• Many high-risk findings
• Major remediation initiative needed
• Action: Do NOT deploy; extensive work required
• Timeline: 3-6 months to readiness

The Real Answer

Here's what this assessment framework tells you that subjective evaluation never could:

Instead of:
"We think we're ready because we use MFA and have sensitivity labels."

You can now say:
"We have a readiness score of 3.2/5 based on objective analysis of 45,000 documents, 247 sites, and 127 external users. We have 127 critical oversharing issues and 40 high-risk external users. We need 6 weeks of remediation before we're ready to deploy."

That's the difference between hoping you're ready and knowing you're ready.

Your Readiness Decision Tree

Use this simple decision tree after completing your assessment:

Do you have a readiness score of 4.0+?
├─ YES → Are all dimension scores 3+?
│  ├─ YES → PROCEED with pilot deployment
│  └─ NO → Remediate low-scoring dimensions first
└─ NO → What's your overall score?
   ├─ 3.0-3.9 → 4-6 weeks remediation, then deploy
   ├─ 2.0-2.9 → 2-3 months remediation, then deploy
   └─ 1.0-1.9 → 3-6 months remediation, then reassess

The Value of Objective Assessment

The four PowerShell scripts provide something invaluable: objective, quantifiable data that supports informed decision-making.

Without these scripts, you're making deployment decisions based on:

• Anecdotal evidence
• Assumptions about your security posture
• Vendor assurances that "everyone's deploying Copilot"
• Pressure from leadership to enable licenses you've already purchased

With these scripts, you're making deployment decisions based on:

• Actual label coverage percentages
• Real counts of overshared sensitive documents
• Specific external users with inappropriate access
• Concrete CA policy gaps
• Quantified risk scores

That's the difference between guessing and knowing.

Final Thoughts

Microsoft Copilot for Microsoft 365 is a transformative productivity tool, but it amplifies whatever security posture you already have. Good security becomes great productivity. Bad security becomes a significant data exposure risk.

The assessment framework and PowerShell scripts I've outlined here give you the visibility you need to deploy Copilot safely and confidently. They turn subjective concerns ("I think we might have an oversharing problem") into objective metrics ("We have 3,842 overshared items, including 127 critical findings").

Use these tools. Run the assessments. Get your readiness score. Make data-driven decisions.

And if your score is below 4.0? That's okay. You now have a roadmap for remediation and a clear path to readiness. Better to know the truth and fix the problems than to deploy blindly and hope for the best.

---

Next Steps

1. Download the Framework

   • GitHub: Microsoft Copilot Readiness Assessment Framework

2. Run the Assessment

   • Schedule 3-4 hours for script execution
   • Run all four scripts in sequence
   • Document your findings

3. Calculate Your Score

   • Use the scoring methodology in this guide
   • Create your dimension scorecard
   • Calculate overall readiness score

4. Create Your Plan

   • Prioritize findings by risk and effort
   • Build phased remediation timeline
   • Identify resource requirements

5. Track Progress

   • Use remediation tracking spreadsheet
   • Reassess monthly with scripts
   • Document improvements

6. Deploy When Ready

   • Wait until you achieve 4.0+ overall score
   • Start with pilot group (10-20 users)
   • Monitor and expand gradually

---

Need help with your Copilot readiness assessment? The team at Nitron Digital specializes in Microsoft 365 security assessments and Copilot readiness. Schedule a consultation to discuss your specific environment.

Want to discuss this framework? Reach out at info@365adviser.com.