Solution Atlas
Everyday · User story · Consultative playbook

We are rolling out Copilot but Legal is worried about oversharing

The CFO has asked IT to enable Copilot for Finance and Legal next quarter. The CISO has flagged that SharePoint permissions have not been audited in years, and Legal is concerned Copilot will surface old M&A drafts to people who technically have access but should not see them.

Trigger: Copilot pilot approved; permissions never audited.

Good outcome: Pilot launches with sensitivity labels enforced, oversharing reduced, audit trail in place.
Diagnostic discovery

Signals this story fits

Observable cues that confirm the conversation belongs here.

  • Copilot pilot approved but Security or Legal have raised concerns
  • SharePoint permissions have not been comprehensively audited in 2+ years
  • No tenant-wide sensitivity-label taxonomy in use
  • Mixed M365 E3/E5 estate without a clear Purview deployment
  • Departmental SharePoint sites with inherited or default sharing

Questions to ask

Open-ended, SPIN-style — each one has a reason it matters.

  1. When did your team last audit SharePoint permissions across Legal, Finance, and HR sites?

    Why: Oversharing is the #1 Copilot rollout blocker. "Never" or "years ago" confirms this story fits.

    Listen for: “never audited” · “we don't really know” · “site by site only”

  2. Do you have a sensitivity-label taxonomy in use today, even partially?

    Why: Without classification, Copilot grounds on everything — including content people technically have access to but should not see.

    Listen for: “no labels” · “pilot only” · “confidential-only”

  3. Who decides which content is sensitive — IT, Legal, or content owners?

    Why: Determines the rollout sequence. Content owners must be engaged or classification will not stick.

  4. What is your current M365 baseline — E3, E5, or a mix?

    Why: Copilot needs M365 E3 minimum; Purview Information Protection ships with E5. The mix shapes the cost and licensing story.

  5. Has Legal flagged any specific content types or M&A history they are worried about?

    Why: Concrete examples make the case stronger; abstract concerns rarely justify the programme.

  6. How will you measure Copilot value beyond licence counts?

    Why: Without success metrics, the pilot becomes a procurement exercise rather than a proof of value.

Baseline → target architecture

TOGAF-style gap framing — what we typically see today, and what the proposed end state looks like. The gap between them is the engagement.

Baseline architecture

M365 E3 baseline with default sharing settings. SharePoint sites grew organically. Sensitivity labels not deployed or pilot-only. No tenant-wide DLP. Conditional Access enforces MFA only. Audit logging configured for standard activity, not AI interactions.

Typical concerns

  • Inherited SharePoint permissions across many sites
  • Legal artefacts and HR records on default-shared sites
  • Limited or absent tenant-wide DLP
  • No content classification baseline
  • Standing admin access flagged but not yet eliminated

Capability gaps

  • Content classification — sensitivity labels
  • DLP across SharePoint, OneDrive, Teams
  • Conditional Access risk-aware policies
  • Audit logging extended for Copilot interactions
  • Pilot governance — cohort selection, success criteria

Target architecture

M365 E3 baseline upgraded with the Microsoft 365 Copilot add-on for the pilot cohort. Purview Information Protection deployed tenant-wide with a 3-level sensitivity-label taxonomy in front of the pilot. DLP policies on the SharePoint sites Copilot will see. Conditional Access risk-aware. Audit logging extended for Copilot interactions with a measurable cadence.

Key capabilities

  • Tenant-wide sensitivity labels (3 levels)
  • DLP on SharePoint, OneDrive, and Teams
  • Conditional Access risk-aware policies
  • Copilot deployed to a governed pilot cohort
  • Audit + measurement cadence
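As an added illustration (not part of the Solution Atlas playbook and not a Microsoft sample), the target architecture above expressed as Security & Compliance PowerShell: the 3-level taxonomy published tenant-wide with downgrade justification required, a DLP policy in test mode scoped to the priority SharePoint sites, and an audit query that pulls Copilot interaction records to show which labelled content was grounded on. It assumes the ExchangeOnlineManagement module, an account holding the Compliance Administrator role, placeholder site URLs under contoso.sharepoint.com, and the `AccessedResources` field names under `CopilotEventData`, which should be checked against a real record from the tenant before the report is relied upon.

```powershell
# Added example, not code from the Solution Atlas page. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds the Compliance Administrator role.
# Site URLs and label tooltips below are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell endpoint (labels, DLP, audit)

# 1. Three-level taxonomy from Decision 1: Public / Internal / Confidential.
$labels = @(
    @{ Name = 'Public';       Tooltip = 'Approved for external release' },
    @{ Name = 'Internal';     Tooltip = 'Staff only; not for external sharing' },
    @{ Name = 'Confidential'; Tooltip = 'Legal, Finance and HR material; restricted circulation' }
)
foreach ($l in $labels) {
    # Idempotent: only create a label that does not already exist in the tenant.
    if (-not (Get-Label -Identity $l.Name -ErrorAction SilentlyContinue)) {
        New-Label -Name $l.Name -DisplayName $l.Name -Tooltip $l.Tooltip | Out-Null
    }
}
# Publish tenant-wide and require a justification on downgrade, so a user cannot
# quietly relabel an old M&A draft from Confidential to Internal.
New-LabelPolicy -Name 'Copilot pilot label policy' -Labels $labels.Name `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -AdvancedSettings @{ RequireDowngradeJustification = 'true' } | Out-Null

# 2. DLP scoped to the priority SharePoint sites Copilot will see. TestWithNotifications
# lets Legal see what would be blocked before the policy is switched to Enable.
$prioritySites = @(
    'https://contoso.sharepoint.com/sites/Legal',     # placeholder
    'https://contoso.sharepoint.com/sites/Finance'    # placeholder
)
New-DlpCompliancePolicy -Name 'Copilot pilot - Confidential containment' `
    -SharePointLocation $prioritySites -Mode TestWithNotifications | Out-Null
# Condition: content carrying the Confidential sensitivity label (DLP label-condition
# syntax). PerUser blocks external users; the site owner is notified.
New-DlpComplianceRule -Name 'Block external access to Confidential' `
    -Policy 'Copilot pilot - Confidential containment' `
    -ContentContainsSensitiveInformation @(@{ operator = 'And'; groups = @(
        @{ operator = 'Or'; name = 'Default';
           labels = @(@{ name = 'Confidential'; type = 'Sensitivity' }) }) }) `
    -BlockAccess $true -BlockAccessScope PerUser -NotifyUser Owner | Out-Null

# 3. Evidence for the "zero unauthorised content surfacing" proof metric: list the
# labelled resources Copilot grounded on, per site, over the last N days.
function Get-CopilotGroundingSummary {
    param([int]$Days = 7)
    $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) `
        -EndDate (Get-Date) -RecordType CopilotInteraction -ResultSize 5000
    foreach ($r in $records) {
        $data = $r.AuditData | ConvertFrom-Json
        # Assumption: field names under CopilotEventData follow the published audit
        # schema; verify against a live record in your tenant before trusting the report.
        foreach ($res in $data.CopilotEventData.AccessedResources) {
            [pscustomobject]@{
                When     = $r.CreationDate
                User     = $r.UserIds
                Resource = $res.Name
                SiteUrl  = $res.SiteUrl
                LabelId  = $res.SensitivityLabelId
            }
        }
    }
}
Get-CopilotGroundingSummary -Days 7 |
    Where-Object { $_.LabelId } |          # labelled content only
    Group-Object LabelId, SiteUrl |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Run the three parts in order and at least a day apart in practice: labels must be published and applied before the DLP rule has anything to match, and the audit query only becomes meaningful once pilot users have started interacting with Copilot. Keep the DLP policy in test mode until the notification volume on the priority sites has been reviewed with Legal, then switch it to `Enable` with `Set-DlpCompliancePolicy`.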

Enabling SKUs

Resolved in the ‘Recommended cards’ section below.

Architecture decisions

Each decision is offered as explicit options with trade-offs — Hohpe's “selling options” principle. A safe default is noted where one exists.

  1. Decision 1: Sensitivity label taxonomy — lightweight (3 levels) vs full (5+ levels)

    3-level lightweight (Public / Internal / Confidential)

    When it fits: Mid-size org with no prior labelling. Easier user adoption.

    Trade-offs: Less granular for highly regulated content.

    5+ level full

    When it fits: Regulated industry or M&A-heavy org. Matches existing data classifications.

    Trade-offs: Harder to roll out; users mis-label without strong CoE.

    Default recommendation: Start with 3-level lightweight. Add granularity in phase 2 if regulated content demands it.

  2. Decision 2: Pilot cohort shape — cross-functional 50 vs single-business-unit 200

    Cross-functional 50

    When it fits: Diverse use-case validation; learning prioritised over scale.

    Trade-offs: Slower per-team impact.

    Single-BU 200

    When it fits: Specific business outcome target (e.g. Finance close time).

    Trade-offs: Less learning across personas.

    Default recommendation: Cross-functional 50 for the first eight weeks, then scale into a single-BU 200 for production.

  3. Decision 3: Information Protection licensing — keep E3 + Copilot add-on vs uplift to E5

    Stay on E3 + add-on Purview pieces

    When it fits: Tight budget; Copilot is the only AI investment near-term.

    Trade-offs: Pieces of Purview cost more standalone; E5 may break even if Defender XDR is also on the roadmap.

    Uplift to E5

    When it fits: Defender XDR or full Purview likely in the next 12 months.

    Trade-offs: Higher per-seat cost; some E5 features will go unused initially.

    Default recommendation: If a SOC modernisation is on the 18-month roadmap, uplift to E5 with Copilot add-on; otherwise stay on E3.

Low-risk trial — proof of value

30-day Copilot Readiness Assessment + 50-seat pilot enablement

4 weeks

Tenant audit, sensitivity-label baseline (3 levels), DLP on five priority SharePoint sites, 50-seat Copilot deployment to a mixed-function pilot cohort, two success-metric workshops, weekly telemetry review.

Success criteria

  • Tenant audit report with prioritised remediation list
  • 3-level sensitivity-label taxonomy live and applied to the top five SharePoint sites
  • 50 pilot users active, weekly usage telemetry captured
  • Zero compliance escalations during the pilot window

Investment: Add-on licence ~€14k for 50 seats / 4 weeks. Permanent licensing decisions deferred to month 3.

Proof metrics

  • Pilot user activation rate above 70%
  • Self-reported time saved per user per week above two hours
  • Zero unauthorised content surfacing events during pilot
  • Helpdesk ticket trend flat or down versus baseline

Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story. Add the ones that fit your situation.

Why for this story

Sensitivity labels and DLP are the difference between safe rollout and oversharing. Must precede grounding, not follow it — Copilot surfaces what labels and DLP allow.
