Most Enterprises Are Not Ready — And They Don't Know It
Microsoft 365 Copilot is not a product you activate and immediately benefit from. It is a product that surfaces your existing information architecture — with all its gaps, over-permissions, stale content, and governance failures — at scale and at speed. Organisations that deploy Copilot without readiness work don't just fail to see productivity gains; they actively expose sensitive information to unintended audiences and generate user distrust that takes months to reverse.
The hard number: in our advisory experience, approximately 70% of enterprises that begin a Copilot readiness assessment fail at least one of the five gates before they are genuinely deployment-ready. The most common failure point is data governance — specifically, SharePoint permission hygiene and sensitivity label coverage. The second most common: adoption infrastructure, where there is no change management plan, no champion network, and no success metric framework.
This article provides the full 5-gate readiness framework we use in advisory engagements. For each gate, we explain what readiness means, what failure looks like, how long remediation typically takes, and whether failure at that gate should delay your commercial commitment to Microsoft.
For context on why deployment timing matters commercially, see our article on when to wait vs. deploy Copilot. For the commercial negotiation that should happen in parallel with readiness work, see our guide on negotiating Copilot seat pricing.
The 5-Gate Readiness Framework
Each gate represents a distinct readiness domain. Failure at any gate does not mean you cannot deploy Copilot — it means you should remediate before full production rollout and factor the remediation timeline into your commercial commitment structure.
Gate 1: Identity
What readiness means: Every user in your Copilot target population has a valid M365 E3 or E5 licence (Copilot requires E3 minimum), is signed in with their work account (not a personal Microsoft account), and has MFA enabled. Your Entra ID (Azure AD) tenant is correctly configured with no hybrid identity conflicts that prevent Copilot activation.
What failure looks like: Shared accounts or generic logins in the target population; users with legacy per-device licensing instead of per-user; hybrid environments where on-premises AD sync causes Copilot activation errors. Notably, Copilot does not function with shared mailboxes or group accounts — users must have individual licensed identities.
Remediation timeline: 2–4 weeks for identity cleanup in most organisations. Licence conversion from legacy per-device to per-user can take 4–8 weeks if procurement must run a change cycle.
Commercial implication: Failure here typically means you've been paying for licences that don't cover the identity model Copilot requires. This is a real-time licence optimisation opportunity — fix it before you add Copilot licences on top.
Gate 2: M365 Adoption
What readiness means: Your target Copilot population is actively using the M365 applications that Copilot enhances. Specifically: at least 70% of target users are monthly active users of Teams, Outlook, SharePoint, and OneDrive. Users know how to find documents in SharePoint (they don't rely on emailed attachments). Teams meetings are recorded and transcribed via Teams recording (not third-party tools). OneDrive is the primary file sync tool, not mapped drives.
What failure looks like: Target users who primarily use email attachments instead of SharePoint links; file storage fragmented across personal OneDrive, mapped network drives, and legacy file shares; Teams calls that happen externally via Zoom or Google Meet because internal usage never established itself; low SharePoint MAU even among power users.
Remediation timeline: 60–90 days for adoption programme investment. This is not a technology problem — it's a behaviour change problem that requires a change management programme, not an IT project.
Commercial implication: If your M365 adoption baseline is low, Copilot ROI will be near-zero. Don't commit to Copilot seats until you can demonstrate 70%+ MAU on the underlying M365 surface area. This is strong commercial leverage: "Our M365 adoption data shows we need 60 days of adoption investment before Copilot would deliver ROI. We're happy to commit to Copilot at renewal when our adoption baseline justifies it."
Gate 3: Data Governance
What readiness means: SharePoint sites and document libraries are configured with least-privilege access — i.e., documents are accessible only to users who genuinely need them. Sensitive content (HR records, executive communications, financial models, M&A materials) is protected with Microsoft Purview sensitivity labels at the document level. "Everyone" and "Everyone except external users" site permissions are eliminated or scoped to genuinely public content. Stale content (documents not accessed in 2+ years) is archived or deleted.
What failure looks like: This is the gate most organisations fail. Typical findings: 40–60% of SharePoint sites with broad "Everyone" read access applied years ago and never reviewed; executive compensation documents accessible to all employees because they're stored in an HR SharePoint site with tenant-wide read access; board minutes accessible to any authenticated user because the governance site was misconfigured at initial setup. When Copilot is activated, it respects your existing permissions — meaning it will happily summarise board minutes, salary spreadsheets, or M&A planning documents for anyone who asks, if those documents are technically accessible to them under your current permissions model.
Remediation timeline: 60–120 days for most organisations. Permission remediation is often politically sensitive (business units resist having access removed) and technically complex (legacy SharePoint migrations often carried forward overly permissive access). This is the gate most commonly used to justify delaying a Copilot commitment — legitimately.
Commercial implication: A genuine data governance remediation programme in progress is your strongest argument to delay Copilot commitment until readiness is confirmed. Tell Microsoft: "Our data governance audit identified overly permissive SharePoint access that must be remediated before Copilot deployment is appropriate. We expect remediation to complete in [date]. We'll commit to Copilot at that point with a pre-agreed pricing structure."
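The Gate 3 checks above can be run over a permissions inventory before Copilot is enabled. The following is an added example, not part of the original article or any Microsoft tooling; the CSV columns, the sample rows, the "Public" label name and the pass rule are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Display names of the tenant-wide principals the article says to eliminate.
BROAD_PRINCIPALS = {"everyone", "everyone except external users"}
PUBLIC_LABELS = {"public"}  # assumed label name; Purview labels are tenant-defined
STALE_AFTER_DAYS = 2 * 365  # the article's "not accessed in 2+ years"

# Constructed sample export; column names are assumptions, not a Microsoft schema.
SAMPLE_EXPORT = """site,path,principal,sensitivity_label,last_accessed
HR,/Comp/exec-salaries.xlsx,Everyone except external users,,2025-01-10
HR,/Policies/handbook.pdf,Everyone except external users,Public,2025-02-01
Board,/Minutes/2024-Q4.docx,Everyone,,2024-12-15
Board,/Minutes/2019-Q1.docx,Board Members,Highly Confidential,2020-03-01
Finance,/Models/forecast.xlsx,Finance Team,Confidential,2025-02-20
Finance,/Archive/old-budget.xlsx,Finance Team,,2021-06-30
Finance,/MA/target-list.xlsx,Everyone,Confidential,2025-02-25
"""

def audit(export_text, today):
    """Return Gate 3 findings: broad grants, exposed files, stale files, label coverage."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    findings = {"broad_sites": set(), "exposed": [], "stale": []}
    labelled = 0
    for row in rows:
        label = row["sensitivity_label"].strip()
        labelled += bool(label)
        if row["principal"].strip().lower() in BROAD_PRINCIPALS:
            findings["broad_sites"].add(row["site"])
            # Tenant-wide access is acceptable only for content labelled public
            # (the article's "scoped to genuinely public content").
            if label.lower() not in PUBLIC_LABELS:
                findings["exposed"].append(row["path"])
        age = (today - date.fromisoformat(row["last_accessed"])).days
        if age > STALE_AFTER_DAYS:
            findings["stale"].append(row["path"])
    findings["label_coverage"] = round(labelled / len(rows), 2) if rows else 0.0
    return findings

def gate3_passed(findings):
    """Assumed pass rule: nothing non-public is broadly readable, nothing is stale."""
    return not findings["exposed"] and not findings["stale"]

if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT, date(2025, 3, 1))
    print(result, "PASS" if gate3_passed(result) else "FAIL")
```

The `exposed` list is the remediation queue: each entry is a file that Copilot could surface to any user covered by the broad grant under the current permissions model.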
Gate 4: Adoption Infrastructure
What readiness means: You have an identified Copilot champion network (at least 1 champion per 50 target users), a structured onboarding programme (not just a "how to use Copilot" Teams channel), a success metrics framework (defining what productivity improvement looks like for each role), and executive sponsorship at the senior leadership level. You've identified your highest-value use cases for the initial deployment and have case studies or pilot data that demonstrate ROI for those use cases in your specific environment.
What failure looks like: Licensing procured by IT, deployment handed to "the business" with a one-hour training session, no measurement framework, no champion network. Six months later: 38% MAU across the organisation, loud complaints from the 62% who "don't find it useful," and an awkward renewal conversation.
Remediation timeline: 30–60 days to establish the infrastructure; 90 days to validate it with a structured pilot before production rollout.
Commercial implication: Adoption infrastructure failure doesn't warrant delaying commitment — it warrants structuring a pilot-to-production commitment. Commit to a pilot population (200–500 users) with adoption infrastructure fully in place before scaling. Use the pilot data to negotiate your production pricing — higher MAU demonstrated in the pilot gives you leverage for better pricing on the production commitment.
Gate 5: Technical Architecture
What readiness means: Your network architecture supports Copilot's connectivity requirements: direct internet access from user endpoints to Microsoft 365 service endpoints (Copilot is latency-sensitive and performs poorly through web proxies or VPN hairpins); Microsoft 365 endpoints correctly categorised in your proxy/firewall as "Optimise" category per Microsoft's published endpoint taxonomy; no SSL inspection on Copilot traffic (SSL inspection introduces latency that degrades real-time AI response quality). For organisations planning Copilot Studio deployments, Power Platform environments are correctly provisioned and DLP policies are in place.
What failure looks like: All M365 traffic routed through a centralised VPN or web proxy that introduces 200–400ms additional latency; SSL inspection breaking Copilot authentication tokens; Power Platform environments in default state with no DLP policy applied; Copilot Studio access not restricted to authorised developers.
Remediation timeline: Network architecture changes: 30–60 days. Power Platform governance: 2–4 weeks. SSL inspection exceptions: 1–2 weeks once approved by security team.
Commercial implication: Technical architecture failures rarely justify delaying commercial commitment — they are typically resolvable within the pre-deployment period. However, Copilot Studio architecture failures should delay any Copilot Studio Capacity Pack commitment until governance is confirmed. See our Copilot Studio licensing guide for the specific controls needed.
Readiness Scoring and Decision Framework
Use this framework to translate your gate assessment into a deployment and commercial decision:
| Gates Passed | Deployment Decision | Commercial Recommendation |
|---|---|---|
| 5/5 — All gates passed | Deploy to production on planned schedule | Commit to production pricing; negotiate per-seat discount based on volume and term |
| 4/5 — Gate 3 (Data Governance) failed | Delay production; remediate data governance first | Do not sign production commitment; negotiate pilot pricing now, lock production pricing for post-remediation |
| 4/5 — Gate 4 (Adoption) failed | Pilot-to-production structure | Commit pilot population (200–500 users) now; negotiate pre-agreed production pricing contingent on pilot MAU results |
| 3/5 or fewer passed | Delay — address foundation gaps first | Do not commit to Copilot licences; complete identity and M365 adoption work; revisit in 90 days |
Remediation Priority Order
If you've failed multiple gates, address them in this order — not in the order they appear to be easiest:
First: Gate 1 (Identity). Nothing else works without correct identity. Fix this before any other remediation activity.
Second: Gate 3 (Data Governance). This is the longest remediation and carries the highest risk if skipped. Start immediately — even if you begin other gates in parallel, data governance work will run longest.
Third: Gate 2 (M365 Adoption). Your adoption programme should run in parallel with data governance remediation — 60-90 days is enough to establish baseline usage if you invest properly in change management.
Fourth: Gate 5 (Technical Architecture). Network changes are typically fast once approved internally — prioritise getting security team sign-off early so implementation is not blocked later.
Fifth: Gate 4 (Adoption Infrastructure). This should begin 30 days before deployment — not 12 months before. Champion network recruitment, use case selection, and success metrics definition can all happen in the final 30-60 days of preparation.
Using Readiness Assessment in Commercial Negotiations
A well-documented readiness assessment is commercially valuable — not just operationally. If you can show Microsoft:
- A written data governance remediation plan with a 90-day completion milestone
- An M365 adoption programme with measurable baseline data
- A pilot-to-production deployment plan with pre-defined success metrics
...you have a credible basis to delay production commitment while locking in pricing, negotiate a phased commitment structure that reduces upfront financial risk, and demonstrate that your deployment approach maximises the probability of high MAU — which Microsoft values because it supports their case studies and adoption metrics.
In contrast, organisations that arrive at Microsoft commercial conversations with no readiness data are making a blind bet. They're paying full commitment pricing upfront for a deployment that may achieve 30% MAU — well below the breakeven threshold for most Copilot ROI models.
For the full commercial negotiation playbook including how to use readiness data at the table, see our guide on how to negotiate Copilot seat pricing. For the broader EA negotiation context, see our EA negotiation advisory service. And for the complete commercial picture of deploying Copilot within an M365 Enterprise deployment, our M365 licensing guide covers all the dependencies.