Copilot is genuinely useful. You can summarise a Teams meeting in 10 seconds. Draft a reply to a client email in the right tone. Or ask a question about your business and get an answer pulled from your own files.
But Copilot is also the fastest way to discover staff can see things they were never meant to see. For example because of incorrect SharePoint permissions.
We can clean up your Microsoft 365 tenant for you so Copilot doesn't expose the wrong thing to the wrong person. Permissions, sharing settings, stale content, identity controls. Then we can configure Copilot optimally and also make sure your team knows how to use it.
Copilot doesn't have special access to anything. It sees exactly what each user can already see. The problem is that in most small business M365 tenants, users can often see way more than they really should.
This is the big one. Sites shared with “everyone in the organisation.” Links set to “anyone with the link” that were created for a one-off project two years ago and never expired. A former employee's OneDrive folder that somehow became a shared resource nobody questioned.
When human staff are manually clicking through folder structures these problems sit unnoticed. When Copilot can search across everything in seconds and serve up whatever it finds, the problems quickly become visible. Permissions need reviewing.
Copilot can't tell the difference between a current policy document and a draft from 2019 that was never deleted.
If you've got three versions of the employee handbook in SharePoint and none of them labelled “current” then Copilot picks whichever one it hits first and presents it with full confidence. Your staff get outdated information delivered in a way that looks authoritative.
External sharing enabled at the tenant level by default. Guest accounts still existing from a collaboration that ended 18 months ago. OneDrive files shared externally with no expiry date. You may still be running on these defaults because nobody went back to check.
MFA not enforced for everyone. Admin roles given to five people because it was easier than figuring out the right level of access, and two of those people don't even work with you now. No conditional access policies configured even though your Business Premium licence includes them.
Absolutely problems with or without Copilot, but Copilot makes those problems bigger. A compromised account with broad access is bad. A compromised account with broad access and AI that can search the entire tenant in seconds is worse.
The M365 tenant being messy is the main problem. We can clean it up for your organisation.
It's a practical cleanup with a written report at the end.
This is where we spend the most time because it's where the most risk lives.
We go through every SharePoint site and OneDrive sharing configuration in your tenant. We're looking for:
We document and fix them. Tighten the permissions, remove the stale links, reconfigure the sharing policies at the tenant level so the same problems don't reaccumulate next month.
We review every change with you before we make it.
Copilot's answers are only as good as the content it has access to.
If your SharePoint is full of old drafts, duplicates, and abandoned sites, that's what Copilot will respond with.
We give you visibility in terms of action items: inactive sites, Teams channels nobody's posted in for a year, document libraries with obvious duplicates or naming chaos. We show you, and you decide what to archive or delete. We can set up retention policies so it doesn't get this bad again.
The security layer underneath everything else.
This section is about making sure your Entra ID is solid. If your identity controls are weak, nothing else matters much.
Once your tenant is clean, we turn Copilot on.
Enable licences for the right users, configure the admin centre settings, set up a basic usage policy so your team has guardrails, and — if you elect — walk them through what Copilot does well and where it falls short.
The staff walkthrough is 30–45 minutes covering the practical how-to's: how to prompt effectively, what kind of questions get good results, what kind of output you should double-check before sending, and where Copilot tends to confidently present something that's not quite right. Over time as you develop expertise and familiarity with Copilot you'll figure out its strengths and weaknesses.
What we found, what we fixed, and what needs your attention. Permissions issues, stale content flagged for your review, identity gaps, Copilot configuration details, and recommendations for keeping things clean going forward.
You did some reading, realised Copilot can see everything your users can see, and decided you should sort out the tenant first.
You need the mess cleaned up properly before someone else finds more data they shouldn't have.
Insurance questionnaires are starting to include questions about how you manage AI tools and data access. A documented readiness report with evidence of permissions review, identity hardening, and usage policies gives you a solid answer.
A lot of the value of doing this is the M365 tenant hygiene exercise. Your permissions get fixed. Your stale content gets flagged. Your identity controls get hardened. Your tenant is going to be more secure and data of higher value.
We manage tenants, configure Entra ID, deploy Intune, handle Exchange Online. We're not an AI consultancy that read the Copilot documentation and built a service around it. We've been cleaning up SharePoint permissions and fixing identity gaps in M365 for years. Copilot just made the consequences of not doing it more visible.
Surry Hills. Available in person and remotely across Sydney and for remote teams happy to engage remotely.
Your tenant is cleaner. Copilot is configured. Your team is using it.
The report will flag things that sit outside the readiness scope:
If you decide you want ongoing M365 management and security monitoring after this, that's a managed services conversation.
Whether you've bought Copilot licences or you're still thinking about it, the cleanup of your Microsoft 365 subscription is worth doing. Everything in your M365 gets safer and better organised either way.
Quick self-serve check of your M365 security posture. Good starting point.
Take assessmentBroader M365 security hardening: conditional access, email security, Defender configuration.
Learn moreUrgent containment if a mailbox or account has been compromised.
Learn moreOngoing Microsoft-first IT support for Sydney businesses.
Learn moreReady to Talk About Your IT?Book a call