4.24 min to readDigital WorkplaceThought Leadership

Getting ready for Microsoft 365 Copilot – It’s all about data.

A man with a beard and a white shirt.
Chris ArmstrongSecurity Pre-Sales Lead
A blurry image of people walking in a shopping mall.

In our last blog posts, we talked about the licensing requirements for Microsoft 365 Copilot, but how do you ensure that your organisation is technically ready for Copilot when it launches? At a high level, it’s all about data. This blog should provide a high-level view of how Microsoft 365 Copilot works with your organisation's data and some next steps to ready yourself.

Key technical requirements for implementing Microsoft 365 Copilot

Before breaking down into the individual technical requirements, it is important that you understand what core features come together to form Copilot, namely:

  1. Microsoft 365 Apps
  2. Microsoft Graph
  3. Large Language Model

To simplify, the Large Language Model (LLM), is the AI engine that processes the information that it gathers through Microsoft Graph, indexing this information using Semantic Index for Copilot. Microsoft Graph is the access method for all of your organisational information, providing the LLM access to emails, files, calendars etc. The Microsoft 365 Apps are the front-end interface for users, where they will interact with Copilot.

Microsoft 365 Copilot

Data flow: all request are encrypted via HTTPS:

  1. User prompts from Microsoft 365 Apps are to Copilot
  2. Copilot accesses Graph and Semantic Index for pre-processing
  3. Copilot send modified prompt to Large Language Model
  4. Copilot receives LLM response
  5. Copilot accesses Graph and Semantic Index for post-processing
  6. Colipot send the response, and app command back to Microsoft 365 Apps


Perhaps the simplest of the technical requirements is the Microsoft 365 apps. To leverage Microsoft 365 Copilot organisations must be running the Current or Monthly Enterprise channel version of Apps for Enterprise. Copilot will not be supported on other versions of Office, so now is the time to upgrade your users from old MSI or 2019 deployments, should you want to enable Copilot. Another key callout here is that users will need to migrate to the “new” Outlook which has been appearing in the latest releases of the application.

Another “quick win” is to ensure that any identities that will be using Copilot are in Azure Active Directory and licensed with at least an Entra P1 license, most organisations will already have met this pre-requisite if they are consuming Microsoft 365 services.

Try the new outlook.

Ensuring data accessibility and user context in Microsoft 365 Copilot

Now towards the main topic, data. As highlighted in the above breakdown, Copilot will access data through Microsoft Graph, meaning if it isn’t found there, it’s not going to be discoverable by the LLM.

How can you ensure that your data is accessible through Graph? The simplest answer is to ensure that the data is accessible within your tenant, which means if you haven’t started already, now is the time to be looking at moving those legacy file shares into SharePoint, and those old re-directed user profiles into OneDrive.

Speaking on the topic of data accessibility, it is important to understand the user context of Microsoft 365 Copilot. When a user prompts Copilot, it will query all data accessible to the end user, this means any SharePoint site the user has access to will be searched with the query. This is an important technical aspect to consider, especially for organisations who quickly migrated data to SharePoint during the pandemic, we have seen many instances where SharePoint sites were not locked down correctly, permissions have creeped over time or users have been added to Teams which contained data not pertinent to their job role.

Microsoft has recently echoed the importance of “Just Enough Access”, meaning that employees should have access to only the data they require to do their jobs. This requirement is amplified with the launch of Copilot, where an employee has access to massive amounts of organisational data in seconds through the front end of Copilot. The hero toolkit here is the Microsoft Purview portal, by correctly labelling data, conducting access reviews on sites and using advanced tooling like trainable classifiers, organisations can help protect against any unwanted access from employees, or data that shouldn’t be collated into a Copilot response being used inadvertently.

While there are many other technical aspects to consider, and far more depth to explore in the points above, the takeaway from this blog are three main points:

  1. Ensure that your apps are up to date and at the current channel.
  2. Ensure that your data is accessible via Microsoft Graph.
  3. Ensure that your employees have “just enough” access to data.

It is important to remember these are the first technical steps, there are also other considerations such as the wider organisation AI strategy, Adoption and Change Management for your end users and ensuring that data and access are secured to the platform. SoftwareOne can provide end-to-end advisory to managed services to support you in these areas.


A man with a beard and a white shirt.

Chris Armstrong
Security Pre-Sales Lead