To effectively leverage Microsoft 365 Copilot in your SharePoint Online environment, you need to ensure proper governance, security, and content optimization. Below are the best practices to prepare your SharePoint Online environment for Copilot:
Reduce Duplication
- Identify and eliminate duplicate or near-duplicate files to ensure Copilot retrieves accurate and relevant data. Use tools to detect redundant, obsolete, or trivial (ROT) data.
- Archive or Delete Inactive Sites: Use SharePoint Advanced Management (SAM) to identify inactive sites and either archive them to Microsoft 365 Archive (where Copilot cannot access them) or delete them to reduce clutter.
Organize Content with Metadata
- Tag documents with relevant metadata to enhance searchability and ensure Copilot retrieves contextually appropriate content. Well-organized content improves response accuracy.
Prevent Content Oversharing
- Implement Sharing Controls: Configure sharing settings at the organization and site levels to prevent accidental oversharing. Update tenant-wide settings to default to “specific people” links instead of broad permissions like “Everyone Except External Users” or “Anyone.”
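One way to check the organization-level and site-level link defaults described above, written as an added example that is not part of the original article. The function name and the contoso URLs are hypothetical; the property names and values (DefaultSharingLinkType, SharingCapability, Direct for "specific people") are those of the SharePoint Online Management Shell.

```powershell
# Added example: flag sites whose sharing posture is broader than "specific people".
function Get-BroadSharingFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Site,
        [Parameter(Mandatory)] [string]   $TenantDefaultLinkType
    )
    foreach ($s in $Site) {
        # A site-level value of None means the site inherits the tenant default.
        $siteLink  = [string]$s.DefaultSharingLinkType
        $effective = if ($siteLink -eq 'None') { $TenantDefaultLinkType } else { $siteLink }

        $reasons = @()
        if ($effective -ne 'Direct') {
            $reasons += "default link type is $effective, not Direct (specific people)"
        }
        if ([string]$s.SharingCapability -eq 'ExternalUserAndGuestSharing') {
            $reasons += 'Anyone links are allowed on this site'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Url                  = $s.Url
                EffectiveDefaultLink = $effective
                Reasons              = $reasons -join '; '
            }
        }
    }
}

# Constructed sample standing in for Get-SPOSite output (contoso URLs are placeholders).
$sample = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/hr';    SharingCapability = 'Disabled';                    DefaultSharingLinkType = 'Direct' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/sales'; SharingCapability = 'ExternalUserAndGuestSharing'; DefaultSharingLinkType = 'None' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/eng';   SharingCapability = 'ExternalUserSharingOnly';     DefaultSharingLinkType = 'Internal' }
)
Get-BroadSharingFinding -Site $sample -TenantDefaultLinkType 'Internal' | Format-List

# Live use with the SharePoint Online Management Shell (admin URL is a placeholder):
#   Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
#   Set-SPOTenant -DefaultSharingLinkType Direct      # tenant default: specific people
#   $sites = Get-SPOSite -Limit All | ForEach-Object { Get-SPOSite -Identity $_.Url }
#   Get-BroadSharingFinding -Site $sites -TenantDefaultLinkType (Get-SPOTenant).DefaultSharingLinkType
```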
Run Data Access Governance Reports
- Use SAM’s Data Access Governance reports to identify overshared content, focusing on sites with “Everyone Except External Users” or “Anyone” sharing settings. Address these by restricting access or revoking unnecessary sharing links.
Use Restricted SharePoint Search (RSS)
- Temporarily limit Copilot’s access to a curated set of up to 100 SharePoint sites to review and audit permissions. This is a short-term solution to ensure sensitive content isn’t exposed while preparing your environment.
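A sketch of preparing the curated list before Restricted SharePoint Search is switched on, added here as an example and not taken from the original article. The function name and the contoso URLs are hypothetical; the commented cmdlets are from the SharePoint Online Management Shell.

```powershell
# Added example: build an allowed list that respects the 100-site limit stated above.
function New-RestrictedSearchAllowedList {
    param(
        [Parameter(Mandatory)] [string[]] $CandidateUrl,
        [int] $MaxSites = 100
    )
    $seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $list = [System.Collections.Generic.List[string]]::new()
    foreach ($raw in $CandidateUrl) {
        # Normalise so that trailing slashes and letter case do not create duplicates.
        $url = $raw.Trim().TrimEnd('/')
        if (-not $url) { continue }
        $uri = $null
        if (-not ([uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)) -or $uri.Scheme -ne 'https') {
            Write-Warning "Skipping '$raw': not an absolute https URL"
            continue
        }
        if ($seen.Add($url)) { $list.Add($url) }
    }
    # Fail loudly instead of silently truncating the curated set.
    if ($list.Count -gt $MaxSites) {
        throw "Curated list has $($list.Count) sites; the limit is $MaxSites."
    }
    return ,$list.ToArray()
}

# Constructed candidate list; it contains a case/slash duplicate and an http URL on purpose.
$allowed = New-RestrictedSearchAllowedList -CandidateUrl @(
    'https://contoso.sharepoint.com/sites/policies/'
    'https://contoso.sharepoint.com/sites/Policies'
    'http://contoso.sharepoint.com/sites/legacy'
    'https://contoso.sharepoint.com/sites/it-helpdesk'
)
$allowed

# Live use (after Connect-SPOService):
#   Set-SPOTenantRestrictedSearchMode -Mode Enabled
#   Add-SPOTenantRestrictedSearchAllowedList -SitesList $allowed
#   Get-SPOTenantRestrictedSearchAllowedList
```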
Control Content Access
- Apply Sensitivity Labels: Use Microsoft Purview to classify and label sensitive data (e.g., PII, confidential documents) to restrict Copilot’s access to unauthorized content. Sensitivity labels ensure Copilot respects permissions and prevents data leaks.
- Conduct Access Reviews: Implement SAM Access Reviews to regularly assess and attest permissions for SharePoint sites. Ensure least-privilege access, granting users only the permissions necessary for their roles.
Enforce Site Ownership Policies
- Use SAM’s Site Ownership policy to ensure all sites have at least two valid owners. Run the policy in simulation mode to identify ownerless sites, then activate it to notify potential owners. This ensures accountability for content management.
Manage Content Lifecycle
- Remove Outdated Content: Regularly review and delete obsolete files or move them to the Microsoft 365 Archive to prevent Copilot from surfacing inaccurate information. Use SAM’s activity-based reports to identify inactive content.
- Automate Retention Policies: Implement retention labels and policies to automate the cleanup of stale data. This reduces governance overhead and ensures Copilot accesses up-to-date content.
- Encourage User Feedback: Empower users to report outdated or inaccurate content discovered through Copilot. Establish a process for administrators to correct or remove such content from SharePoint sites.
Optimize SharePoint for Search
- Enhance Searchability: Optimize SharePoint content for search by ensuring files are well-structured, use clear naming conventions, and include relevant metadata. Copilot relies on SharePoint Search to retrieve content, so improving searchability enhances response quality.
- Limit File Size: For Copilot to search full file contents, keep individual files under 36,000 characters (approximately 15-20 pages). Break larger files into smaller ones if necessary.
- Avoid Unsupported Formats: Remove tables or complex formatting from documents, as Copilot cannot parse these effectively. Ensure content is in supported file types (e.g., Word, PDF) for optimal retrieval.
Secure the Environment
- Enable Multifactor Authentication (MFA): Use Microsoft Entra ID to enforce MFA and single sign-on (SSO) for secure access to SharePoint and Copilot. This ensures only authorized users can interact with sensitive data.
- Review Conditional Access Policies: Ensure policies are configured to align with organizational security requirements, restricting access to sensitive data based on user roles, locations, or devices.
- Monitor and Audit Interactions: Enable audit logging in Microsoft Purview to track Copilot interactions and detect potential misuse. Use Communication Compliance policies to surface inappropriate interactions.
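A triage pass over Copilot audit records, added as an example and not part of the original article. The function name, the label GUID and the sample records are constructed; the AuditData field names (CopilotEventData, AccessedResources, SensitivityLabelId, SiteUrl, AppHost) are assumed to match the Purview CopilotInteraction audit schema and should be checked against an export from your tenant.

```powershell
# Added example: list Copilot interactions that touched resources carrying a watched label.
function Get-CopilotLabelledAccess {
    param(
        [Parameter(Mandatory)] [string[]]  $AuditDataJson,
        [Parameter(Mandatory)] [hashtable] $WatchedLabel   # label GUID -> display name
    )
    foreach ($json in $AuditDataJson) {
        $rec = $json | ConvertFrom-Json
        if ($rec.Operation -ne 'CopilotInteraction') { continue }
        foreach ($res in @($rec.CopilotEventData.AccessedResources)) {
            if (-not $res) { continue }          # record without accessed resources
            $labelId = [string]$res.SensitivityLabelId
            if ($labelId -and $WatchedLabel.ContainsKey($labelId)) {
                [pscustomobject]@{
                    Time     = $rec.CreationTime
                    User     = $rec.UserId
                    AppHost  = $rec.CopilotEventData.AppHost
                    Label    = $WatchedLabel[$labelId]
                    Resource = $res.Name
                    SiteUrl  = $res.SiteUrl
                }
            }
        }
    }
}

# Constructed label GUID and constructed AuditData records (assumed field names, see above).
$labels = @{ '11111111-1111-1111-1111-111111111111' = 'Confidential' }
$sample = @(
    '{"CreationTime":"2025-03-04T09:15:00","Operation":"CopilotInteraction","UserId":"alex@contoso.com","CopilotEventData":{"AppHost":"Word","AccessedResources":[{"Name":"salary-bands.xlsx","SiteUrl":"https://contoso.sharepoint.com/sites/hr","SensitivityLabelId":"11111111-1111-1111-1111-111111111111"}]}}'
    '{"CreationTime":"2025-03-04T09:20:00","Operation":"CopilotInteraction","UserId":"sam@contoso.com","CopilotEventData":{"AppHost":"Teams","AccessedResources":[]}}'
)
Get-CopilotLabelledAccess -AuditDataJson $sample -WatchedLabel $labels | Format-Table -AutoSize

# Live use (Exchange Online PowerShell, after Connect-ExchangeOnline):
#   $hits = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#             -RecordType CopilotInteraction -ResultSize 5000
#   Get-CopilotLabelledAccess -AuditDataJson $hits.AuditData -WatchedLabel $labels
```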
Prepare for Copilot Agents
- Understand Agent Capabilities: Each SharePoint site comes with a pre-built Copilot agent that sources data from document libraries (not lists or .aspx pages). Users with edit permissions can create custom agents, but ensure proper governance to prevent accidental deletion or misconfiguration.
- Configure Authentication: Use Microsoft authentication (Sites.Read.All, Files.Read.All scopes) for Copilot Studio agents to securely access SharePoint data. Avoid “No authentication” settings to prevent unauthorized access.
- Limit Knowledge Sources: Specify up to 20 relevant document libraries, folders, or files as knowledge sources for agents. Nest data at higher levels if more sources are needed, but ensure users have appropriate permissions.
Educate and Train Users
- Develop a Communication Plan: Inform users about Copilot’s capabilities, how to use effective prompts, and best practices for content management. Provide training on reporting outdated content or security issues.
- Promote Prompt Engineering: Encourage users to use clear, specific prompts to improve Copilot’s response accuracy. Validate responses by checking citations or prompting Copilot to verify information.
- Upskill IT and Admins: Train SharePoint administrators on SAM tools, Microsoft Purview, and PowerShell cmdlets (e.g., Set-SPOCopilotPromoOptInStatus) to manage Copilot effectively.
Test and Pilot Deployment
- Set Up a Test Environment: Create a test environment with necessary licenses to validate configurations and test Copilot scenarios before full deployment.
- Conduct Pilot Testing: Roll out Copilot to a small group of users to gather feedback, identify issues, and refine governance policies. Use insights to optimize the environment.
- Monitor Performance: Use Microsoft 365 admin center reports to track Copilot usage and performance. Adjust configurations based on user feedback and KPIs like time saved or response accuracy.
Leverage Supporting Tools
- Microsoft Purview: Use for data classification, sensitivity labeling, and auditing to ensure compliance and security.
- SharePoint Advanced Management (SAM): Implement SAM for advanced governance features like access reviews, restricted search, and ownership policies. Note that SAM requires additional licensing.
- Third-Party Tools: Consider tools like Syskit Point, ShareGate, or CoreView to simplify permission management, content cleanup, and governance automation.
Additional Considerations
- Licensing Requirements: Ensure users have Microsoft 365 Copilot licenses or Pay-As-You-Go billing for SharePoint agents (available since January 2025). SAM and Purview may require additional licenses.
- Data Privacy Compliance: Align with regulations like GDPR by using sensitivity labels and access controls to prevent unauthorized data exposure.
- Continuous Improvement: Regularly review Copilot’s performance, update governance policies, and incorporate user feedback to refine the environment. Stay informed about new Copilot features via Microsoft Learn or community calls.