Skip to content
eMotivz logo
Solutions

Microsoft 365 Modern Workplace

Secure, productive & always connected

Microsoft 365 management

Scans, projects & partial managed services

Microsoft Azure

Cloud infrastructure & management

Microsoft Copilot AI

Generative AI for your Microsoft 365 workplace

Virtual Desktops

Azure Virtual Desktop & Windows 365

Business Connectivity

Internet & Mobile for your organisation

Telephony Teams & Xelion

Calling via Microsoft Teams

Collaboration Devices

From headset to meeting board

All solutions→
About us

About us

Who we are and what drives us

Approach

How we work with our customers

Blog

Insights and news from eMotivz

Success storiesContact
Book a meeting
eMotivz logo
Success storiesContact
Book a meeting
Microsoft CopilotAISecurityMicrosoft 365SMB

Rolling Out Microsoft Copilot Without Leaking Data — A Checklist for SMBs

Copilot is only as secure as the tenant it runs in. This is the practical checklist we follow at eMotivz to roll out Microsoft 365 Copilot without sensitive data accidentally landing on the wrong desk via a prompt.

eMBy Ronald van Ackooij
·5 May 2026·8 min read

Microsoft 365 Copilot is a powerful assistant. It summarises meetings, drafts emails, analyses Excel spreadsheets and searches SharePoint faster than any member of staff ever could. But it is also ruthlessly honest: anything your people have rights to, Copilot can find for them.

And that is exactly where the problem lies.

In almost every SMB tenant we take over, we find folders that "everyone in the organisation" has access to but were never meant to — salary information, customer contracts, a little folder called "board meeting". As long as nobody was actively looking for them, they went unnoticed. With Copilot, they don't. Someone asks "what's in the contracts with our biggest customers" and the assistant dutifully delivers the answer.

This article sets out the practical checklist we follow to roll out Copilot safely in an SMB workplace — without paying for the productivity gains with a data breach.

How does Copilot actually work?

A brief explanation, because the misconceptions run deep.

What Copilot does do:

  • Searches your own Microsoft 365 tenant based on each user's permissions
  • Combines that data with the general language model from OpenAI (GPT-4 and its successors, hosted in Microsoft Azure)
  • Generates answers that sit within the context of your business

What Copilot does not do:

  • Use your business data to further train the language model
  • Share data with other tenants or with OpenAI
  • Grant access to data the user does not already have access to

The last point is crucial, and at the same time the source of the risk. Copilot respects a user's access rights precisely. No more, no less. If the permissions in your tenant are a mess, Copilot will bring that to light.

The checklist — ten steps to a safe rollout

1. Start with a data readiness scan

Before we activate a single Copilot licence, we map out what the access model in your tenant really looks like. Specifically:

  • Which SharePoint sites have "Everyone except external users" as a member?
  • Which Teams have open membership?
  • Which OneDrive files are shared beyond their owner?
  • Which files have sensitivity labels and which do not?

Microsoft provides the SharePoint Advanced Management add-on for this, which uses "Data Access Governance" reports to surface exactly this picture. For those who would rather not buy it: PowerShell scripts can do much the same, with more manual effort.

2. Clean up "everyone" access rights

Every site, list, library or folder where "Everyone" or "All employees" is a member goes through a review. The question is simple: is this genuinely meant to be? In 80% of cases the answer is no — it happened by accident, or it was needed at some point and never adjusted since.

Replace broad groups with specific teams. Not "All employees have access to HR" but "HR team + management". It costs a day's work per 100 sites, and you earn that day back the first time an employee asks Copilot something about salary bands.

3. Switch on sensitivity labels

Microsoft Purview Information Protection offers sensitivity labels that both indicate a classification (e.g. "Confidential", "Highly confidential") and apply the corresponding behaviour (encryption, watermark, restrictions on sharing).

For SMBs, a simple scheme is enough:

  • Public — suitable for external publication
  • Internal — for your own staff only
  • Confidential — restricted to specific roles
  • Highly confidential — named individuals only, with encryption

Copilot respects these labels. A confidential document only appears in a Copilot answer if the user asking has rights to it themselves. For "Highly confidential" you can even block Copilot altogether.

4. Enable Data Loss Prevention for Copilot

Standard DLP policies (which prevent credit card numbers from accidentally ending up in an external email) apply to Copilot too. At a minimum, enable:

  • Personal data — national insurance numbers, passport numbers, IBAN account numbers
  • Financial data — credit card numbers, revenue figures as defined by your business
  • Passwords and keys — patterns that look like API keys or passwords

For specific sectors (healthcare, legal, financial) there are ready-made templates available in Microsoft Purview.

5. Draw up an acceptable-use policy

Not everything is a technical measure. People need to know what they may and may not do with Copilot. A two-page policy is enough, provided it answers the following questions:

  • Which data may and may not go into a Copilot prompt?
  • Who is responsible for the output (accuracy remains your responsibility, not Microsoft's)?
  • What do we do with external participants in Teams meetings that Copilot summarises?
  • Which sources may Copilot draw on for meeting notes — all mail, internal mail only, or none?

6. Decide who gets Copilot and who doesn't

Microsoft 365 Copilot is a per-user licence. You don't have to give it to everyone. For an SMB of 60 employees, a commonly used pattern is:

  • First 10-15 licences — leadership, sales, marketing, and a few early adopters per department
  • First review after 6 weeks — who is genuinely using it and who isn't?
  • Second wave — extend to users with a demonstrable use case
  • Optional: stay selective for good — there is no law that says everyone has to have Copilot

7. Train the first users

People who have never worked with an AI assistant don't know how to talk to it well. A 60- to 90-minute training session on prompt technique, giving context, and reading Copilot output critically pays for itself quickly.

Important: treat Copilot like an intern who knows the subject matter but not your company. Output is used after checking, never without.

8. Monitor usage

In the Microsoft 365 Admin Center you'll find Copilot usage reports. Each week, look at:

  • Who has actively used Copilot in the last 7 days?
  • In which apps (Teams, Outlook, Word, Excel)?
  • Are there queries that sound suspicious (e.g. a lot of searches on sensitive terms by someone who shouldn't be near them)?

In Microsoft Purview you'll see the Copilot interaction reports — handy for demonstrating at an audit that you know what is going on.

9. Adjust governance every month

In the first three months you will come across things you hadn't anticipated. A team that shares a sensitive document with "Everyone" by default. A Copilot answer that pulls data from an abandoned SharePoint site. Someone asking Copilot for HR data from a mailbox that should have been archived.

Treat governance as an ongoing process, not a one-off project. Thirty minutes a month looking at new sites, new external sharing invitations and new reports keeps your powder dry.

10. Don't forget the Copilot Studio agents

Alongside Microsoft 365 Copilot, you can build your own Copilot Studio agents that perform specific tasks — for example an agent that only answers from knowledge base articles, or an agent that fills in quote templates. Those agents have their own access model, their own connectors and their own risks.

Set a policy up front: who may build Copilot Studio agents, which connectors are and aren't allowed, and how are agents published? Otherwise you end up with a shadow IT problem of the kind we already had ten years ago with standalone SaaS tools.

The biggest pitfalls

"We'll do licences first and governance later." This is the most common — and most dangerous — mistake. Once you're in production, retrofitting governance is ten times more work than doing it up front. What's more, by then you've already had a data breach before you even noticed.

"Our tenant is small, it'll be fine." Regardless of organisation size: 200 SharePoint sites are 200 places where permissions can be wrong. Small is no licence to skip the basics.

"Copilot shares our data with OpenAI." This isn't true. Microsoft 365 Copilot runs within the Microsoft tenant boundary. Your prompts and answers travel via Azure to the language model, but are not available to other customers and are not used for training. This is contractually set out in the Microsoft 365 terms.

"We let every user invent their own prompts." That works for a handful of enthusiasts. For broad adoption, a prompt library per department (5 to 10 examples of common tasks) is a quick accelerator.

What does eMotivz do here?

We guide Copilot rollouts in three phases:

  1. Readiness scan — two weeks of taking stock of data access, sensitivity labels and governance
  2. Pilot — four to six weeks with 10 to 15 licences, training and evaluation
  3. Rollout — expansion based on use cases, with additional governance and ongoing monitoring

For SMBs that have Microsoft 365 Business Premium, Copilot fits almost seamlessly onto the existing security foundation — provided that foundation is in place.

Want to know where your organisation stands on Copilot readiness? Book a no-obligation introductory call or take a look at our Microsoft Copilot AI solution for our full approach.

Back to blog
eMotivz — IT partner and specialist across Flevoland and central Netherlands

IT partner for SMBs and specialist for larger organisations across Flevoland and central Netherlands. MSP based in Lelystad.

Solutions
  • Modern Workplace
  • Microsoft 365
  • Microsoft Azure
  • Copilot
  • Virtual desktops
  • Telephony
  • Connectivity
  • Collaboration devices
Company
  • About
  • Approach
  • Blog
  • Customers
  • Contact
Legal
  • Privacy Policy
  • Cookie Statement
  • Terms & Conditions
© 2026 eMotivz B.V.KvK 92466990 · BTW NL866059568B01