How to get Copilot ready now

Microsoft at Inspire in July announced the general availability of Bing Enterprise Chat and key details around pricing and the various Copilots it’s releasing across the three clouds (Azure, Dynamics 365 & Microsoft 365) later this year.  These announcements, simply put, was Microsoft Copilot democratising AI in the modern workplace. 

 If you're organisation is planning on utilising M365 Copilot to boost productivity of employees there are 3 steps, you need to take to be "Copilot Ready" for when it launches: 

1. Ensure you have the correct Licensing in place: users who are earmarked to utilise Copilot will need an assigned Business Standard, Premium, E3 or E5 license and an Active Directory Account 

2. Align your network to M365 network connectivity principles to ensure minimal latency to improve the end-user experience. 

3. Prepare your organisation's Information Access Controls and Policies 

 The first two steps are ‘straightforward’ and more administrative than anything else.  Deliberate planning and action is required for the third point as it can be tricky for an organisation to get this right depending on the maturity of the business's information management & data governance policies. 

 Core behind the 3rd step is to understand the fundamentals of how M365 Copilot operates: It utilises Microsoft Graph (which includes your emails, chats, documents and importantly - access and permission rights) in combination with LLMs to tailor and ground responses to your business context and applies security and compliance logic when producing output ('grounding').  

 With this in mind, two key concepts become important now to the future success of your M365 Copilot rollout: 

1. Information & Content Access Rights:

Copilot fundamentally operates on the same principle as enterprise search. Any content that a user can search for and find on your M365 tenant - through SharePoint's Search for example - means that they have some level of access to it.   Copilot adopts and adheres to your existing user roles permissions and access to information when generating output against user prompts.  

2. Information Architecture, Data Security & Governance:

The quality of Copilot's output depends on the quality of your information.  The more mature your information architecture - information categorisation, meta data, properties and tagging - and the better data security - data labelling and categorisation - the better responses your employees will likely experience when using Copilot.  It can have a major improvement on the quality of output generated by Copilot - much like your enterprise search results would improve.  

In other words, when an employee asks Copilot something, their user profile and what information they have been granted access to is used to produce output that is contextual to them. 

Taking a step back from Copilot for a moment, Microsoft provides protection of your organisation’s data, in many ways such as logical isolation via Azure Active Directory authorisation, multi-layered encryption of customer content at rest and in transit and more.  Microsoft have also made major investments into platforms like Purview for data governance and protection of sensitive data and recently released various enhanced SharePoint capabilities to make it easier for administrators to manage access to content and information on a continuous basis. 

 The question then; where to start and what to prioritise to ensure your users are reaping the benefits of improved productivity from using Copilot while ensuring that they only gain knowledge about organisational data privy to them?  

 There are a few elements to consider in terms of your information and content management: 

• Preventing oversharing of information 
• Managing the Content Lifecycle within your organisation 

• Information Access Controls & Permissions 
• Enforcing compliance 

These will fundamentally impact your readiness for Copilot.  To address these, you need to take 3 steps: 

 Step 1 - Start with the basics: Migrate (if you haven't already) your documents and content to SharePoint Online.  Implement its content management capabilities to allow you to manage the lifecycle of content, access control, and very importantly the tagging of content so that it becomes more searchable.  This functionality has been available for ages but sadly a lot of organisations choose to not reap the benefits thereof.   

 Similarly, get the basics around the management of your Teams environment ready - create the necessary policies to manage who can create teams and channels, what apps can be installed, retention rules of teams and external access control.  This will put you in a good position to start off with and you can do this right now. 

 Step 2 - Infuse AI and Advanced Data Protection: You can optionally implement Microsoft Syntex to incorporate advanced AI into your M365 content, simplifying and automating content management (automated document creation, information, and text extraction from documents, tagging, labeling for security and retention purposes and notifications). 

  Microsoft Purview's Data Loss Prevention & Information Protection solution capabilities will allow you to label and identify sensitive information and control the sharing thereof which can result in Copilot accessing a divulging this information accidentally.  Communication Compliance will prevent your users communicating and sharing sensitive information with each other while Information Barriers takes this a step further by outright preventing users from different teams or departments communicating directly. 

 Step 3: Keep an eye out for the advanced M365 features recently announced that will expand the scope of potential content oversharing by looking at stale information locations, including OCR capability to interpret imagery that may pose risks.  It offers more comprehensive control over access to potentially sensitive information on SharePoint, OneDrive and Teams (advanced access policies for secure collaboration, site access reviews, restricted access control (RAC) policy, and Everyone Except External Users (EEEU) report.) 

 The above three steps need to be taken from the point of view of what your specific organisational needs are of course.