A safe Microsoft Copilot rollout starts with a permissions audit before any trial license is enabled. Microsoft 365 Copilot retrieves files, emails, and chats using each user's existing Microsoft 365 permissions. In most tenants, those permissions are broader than anyone has mapped, because access tends to accumulate across years of projects, ad-hoc sharing, and staff changes. Microsoft itself now recommends a specific cleanup before any trial: map who currently has access to what, fix the permissions that have drifted out of scope, and apply sensitivity labels to confidential content.

This post covers what Microsoft 365 Copilot does with permissions, where oversharing tends to show up in a typical tenant, the kinds of content Copilot can return when permissions are broad, how to run the audit Microsoft recommends, and what to fix before any rollout.

How Microsoft 365 Copilot accesses your data

Copilot answers questions and generates content by retrieving information through Microsoft Graph, which is the API layer that ties together your Microsoft 365 services. When a user asks Copilot a question, it pulls from emails, calendar items, SharePoint documents, OneDrive files, Teams messages, and meeting transcripts that the signed-in user has permission to access.

The critical phrase in Microsoft's own documentation is short: Copilot can only summarise or reference content that the user is authorised to access.

That statement is accurate, and it is also where the risk sits. The variable is whether each user's permission set still matches what you assume it covers.

Why permissions tend to be broader than anyone thinks

For a manufacturer or trades business, most of the data sitting in your Microsoft 365 tenant is operational. Inventory records, production schedules, supplier contracts, project files. Some of it is sensitive, but the consequences are usually contained when the wrong employee reads a document.

At a professional services firm, the dynamic is different. The files are the product itself. Client matters, settlement figures, fee arrangements, deal terms, financial data, and employment records make up the deliverable, and the confidentiality of that material is the whole business model. Yet the same files often live in environments that were never properly scoped.

The reason is structural. “Just give them access for the Henderson matter” is how it starts. The matter closes, the access is never removed, and eighteen months later that person has read permissions on a folder they have no current reason to be in. Multiply that across five years of staff changes, project onboarding, ad-hoc Teams channels, and external sharing links that never expired. The result is a permission environment that nobody fully understands.

If the permission exists, Copilot can use it. Whether it was granted with appropriate scope is not part of the calculation.

Microsoft now acknowledges this directly. The company publishes a deployment blueprint for Copilot rollouts that organises the work around three pillars: remediate oversharing, set up guardrails, and meet AI regulatory requirements. Microsoft's own guidance puts oversharing remediation first, because it's the pillar that has to be addressed before any rollout produces a useful result.

What Copilot can return in a tenant with broad permissions

Five examples of what Copilot can return when broad permissions exist and have not been audited:

“What is everyone's salary?” Returns the compensation spreadsheet HR shared with a hiring manager during a recruitment process eighteen months earlier. The file remained shared after the hiring manager got promoted.

“Summarize the [client] case.” Pulls content from a SharePoint site set up for a different team. A user added during a one-off project two years ago still has the permission that was never removed, and Copilot returns a summary of the case to them.

“What deals are we currently working on?” Aggregates content from M&A data rooms that were never properly closed, pipeline trackers in personal OneDrives that got shared once for a partner meeting, and prospect lists sitting in a Teams channel that grew beyond its original membership. The output is a single consolidated view of the firm's commercial pipeline.

“Find everything mentioning [former employee].” Surfaces the termination memo, the severance calculation, the performance review that preceded the exit, and any email threads saved to SharePoint. Material that was never intended to be findable below partner level shows up in one query.

“What's our markup on [client] engagements?” Outputs the internal pricing sheet that was shared during a proposal process so two people could review it. The link was never restricted, the file was never moved, and the numbers come back when Copilot is asked.

The question of who would ask any of these queries is separate from the question of what Copilot can return. Microsoft's deployment guidance focuses on what Copilot is capable of returning, and recommends a permissions review before Copilot is enabled at any scale.

Why a “small pilot” is rarely as contained as people think

Running a limited pilot feels like a safe middle ground, but the way most firms set them up tends to produce the highest-risk version of the trial.

The three or four people picked for a pilot are almost always senior. Senior staff have the broadest access of anyone in the firm, which means any searches they run have the widest possible scope. A pilot with three senior partners produces a higher-risk preview of Copilot than a pilot with three junior staff.

And pilots drift. Licenses get reassigned when a partner decides they are not using one. The person who ends up with the license is often whoever asked most recently, which is not the same as whoever has the most appropriate access profile.

Microsoft's audit logs will show you what was asked after the fact, but the asking cannot be reversed. Once a Copilot summary has been returned to a user, that information cannot be recalled.

The cleanup that should happen before any trial

Before you click “start trial,” four pieces of work make the difference between a useful test and a disclosure event.

SharePoint sharing audit. SharePoint Advanced Management includes a content management assessment that surfaces permission issues, oversharing patterns, and inactive sites. If your tenant has never been reviewed, this is the first place to look. The report identifies which sites are shared more broadly than they should be.

OneDrive external share review. Look at files shared outside the organization that were never recalled. These are particularly common in legal and accounting firms where files get sent to clients for review and then forgotten.

Teams membership review. Confirm that channel membership still reflects who should have access to the files stored there. Channels that grew during an active project and were never trimmed are a frequent source of unintended access.

Sensitivity labels for confidential content. Microsoft Purview sensitivity labels are the mechanism that tells Microsoft 365 which content is confidential. Once applied, you can use Data Loss Prevention policies to exclude labeled items from Copilot processing, and use encryption settings that block Copilot from reading the content at all without explicit permission. Without sensitivity labels in place, Copilot has no way to treat a client settlement document differently from a catering invoice.

These four pieces of work generally take four to eight weeks for a firm in the 25-to-100-person range. Some of it can be done by your IT provider. The most sensitive parts, like deciding which document categories deserve which sensitivity label, are best handled with input from the partners or owners who understand the material.

Once you know what Copilot can access, then you can safely start planning a trial.