Introduction

Welcome to the second part of our comprehensive guide on preparing your content for Copilot deployment. In Copilot ready - A comprehensive Guide - Part 1, we covered the initial steps, including reviewing tenant settings and understanding your data. Now, we focus on the remaining steps: protecting your data, educating users, and maintaining a clean and organized environment—all crucial for ensuring a secure and efficient Copilot experience.

Five-step plan (Continued)

1. Review Tenant settings: Ensure guest and sharing settings are optimal.
2. Understand your data and risks: Comprehend the current state and prioritize critical data.
3. Protect your data – Implement robust safeguards, sensitivity labels, and security policies.
4. Educate end-users – Create training materials and enforce security best practices.
5. Maintain cleanliness – Keep your environment organized and manage content lifecycle effectively.

3. Protect your data and manage risks

The first rule in data protection: You can’t secure everything. Prioritize protecting the most valuable, sensitive information—your crown jewels. Work closely with business teams to understand which data demands strongest security controls, ensuring optimal resource allocation.

Use container labels

Container labels in Microsoft Purview are primarily used to manage sharing and access settings for Microsoft 365 Groups, Teams, and SharePoint sites. Since they apply to the container itself, they do not directly impact individual files or documents within it - yet,

You have a lot of settings at your disposal, but some quick wins here are:

• Default sharing link → As mentioned in the previous post, defaulting to *People with existing access leads to less oversharing and less sharing links in the tenant.
• Sharing settings → Specify whether users can share content externally, and how.
• Site sharing settings → As a best practice, ensure only owners can share the SharePoint site itself - this aligns better with how Teams works. So a member doesn’t accidentially share the SharePoint site to the entire company - that is something you can’t see in Teams.

Many organizations structure sensitivity labels based on confidentiality levels or adopt tiered security models, such as Zero Trust.

Learn more:

• Sensitivity Labels for containers
• Three Tiers of Protection

Implementing sensitivity labels for files, emails, and meetings

Sensitivity labels enable marking, protecting, and controlling data across different formats. Establish a label taxonomy that aligns with business needs to standardize labeling practices.

Copilot and labels

Microsoft 365 Copilot respects sensitivity labels, applying the most restrictive label automatically when summarizing or generating content. If there are multiple sources, the most sensitive label will be applied.

• Prompts in M365 Chat
• Word documents inherit sensitivity labels from summarized files.
• PowerPoint presentations retain labels when content is sourced from labeled files.

Learn more: Sensitivity Labels for Copilot

Meeting labels

Sensitivity labels extend to meetings, applying:

• Watermarks, headers, and footers on invites.
• Security controls for who can bypass the lobby, present, or record the meeting.
• Automatic or suggested labels based on shared content (requires Teams Premium).

Meeting label enforcement is now generally available (GA)—learn more: Sensitivity Labels for Teams Meetings

Block content analysis services

Prevent Copilot and other services from analyzing sensitive content using PowerShell:

Set-Label -Identity "Confidential" -AdvancedSettings @{BlockContentAnalysisServices="True"}

⚠️ Be mindful: This setting blocks more than just Copilot—it also prevents other features that rely on content analysis services, including:

• Data Loss Prevention (DLP)
• Text predictions in Microsoft 365 apps
• Certain AI-powered document summarization features

Ensure you fully understand the implications of enabling this setting before proceeding.

For additional details, refer to Microsoft’s official documentation.

DLP to restrict sensitivity labels in Copilot

Use Microsoft Purview DLP to prevent sensitive labeled content from appearing in Copilot-generated summaries.

• Create DLP policies with the Microsoft 365 Copilot (preview) policy location.
• Exclude items based on sensitivity labels to prevent unintended exposure.
• Currently supports SharePoint, OneDrive, and Copilot Chat.

Learn more: DLP for Copilot

Adaptive Protection

Adaptive Protection dynamically adjusts security measures based on risk levels. It enhances DLP policies, enforces Conditional Access rules, and applies Retention Policies based on user behavior insights.

Learn more: Adaptive Protection ## Adaptive Protection
Adaptive Protection intelligently adjusts security policies based on a user’s risk level, ensuring that compliant users can work uninterrupted, while potential threats are met with escalating restrictions.

How Adaptive protection works

Instead of applying static security measures to everyone, Adaptive Protection dynamically enforces different levels of security controls based on a user’s behavior:

🔹 Low-Risk Users (Normal Activity) → Allowed to continue working productively without interruptions.
🔸 Medium-Risk Users (Suspicious Behavior) → Receive DLP policy tips warning them before taking risky actions, OR are temporarily blocked but can provide a business justification to proceed.
🔺 High-Risk Users (Elevated Threats) →

• Conditional Access fully blocks login to Microsoft 365 to prevent unauthorized activity.
• Retention policies hold all sensitive files, ensuring that the user cannot delete or modify data to cover their tracks.
• Security teams are automatically alerted, enabling investigation and response.

Practical examples of Adaptive Protection

🚨 Low-risk example

• A user tries to send an internal report externally → A DLP Policy Tip reminds them that sharing confidential data outside the organization requires approval.

🔑 Medium-risk example

• A user downloads a large number of sensitive files in a short time → They are blocked from downloading further, but can submit a business justification if legitimate work requires it.

🕵️ High-risk example

• A departing employee attempts to wipe emails and delete sensitive files → Retention policies ensure files cannot be deleted, and their Microsoft 365 access is revoked via Conditional Access to prevent further tampering.

Why Adaptive protection is crucial

By dynamically adjusting security based on context, Adaptive Protection balances security and productivity, ensuring:
✅ Trusted users can work normally without unnecessary restrictions.
✅ Potential risks are flagged and given controlled options to proceed.
✅ Confirmed threats face immediate lockdown, preventing data loss or unauthorized access.

🚀 Learn more: Adaptive Protection

4. Educate users and raise awareness

Security isn’t just a technical challenge—it requires end-user awareness. Even the best security policies won’t work unless users understand their importance and follow them correctly.

Effective education combines clear instructions, real-time guidance, and accessible learning resources so users can apply security best practices with minimal friction.

User instructions

Providing structured and accessible user guidance ensures security policies are followed effectively.

Embedding user instructions in label policies

Organizations can integrate user instructions directly within Microsoft Purview sensitivity labels using the “Learn More” link. This allows users to access a dedicated compliance site explaining:

• Why sensitivity labels matter
• How to apply them correctly
• Which label to choose for different scenarios

This centralized guidance hub helps users make informed decisions instead of guessing.

Learn more:

• Building a Compliance Site for Microsoft Purview
• A Learn More Link for Sensitivity Labels

Using DLP Policy tips for instant feedback

Users need real-time guidance to avoid accidental security violations. Microsoft Purview DLP Policy Tips provide on-screen alerts when users attempt restricted actions.

• Example: If a user tries to email a Confidential document externally, a policy tip warns them and suggests alternative actions.
• Example: When uploading a Restricted file to an open SharePoint site, a policy tip alerts them that the site lacks proper security controls.

These automatic prompts educate users while preventing security mistakes before they happen.

Learn more: DLP Policy Tips

Communication strategy

Security awareness shouldn’t be a one-time event—it requires ongoing communication across multiple channels to reach all users effectively.

How to keep users engaged

• Newsletters & Email Campaigns → Monthly security updates with tips, common mistakes, and real-world examples.
• Interactive Webinars & Q&A Sessions → Live training sessions to clarify security concepts and answer practical user concerns.
• Short Training Videos → Bite-sized explainer videos demonstrating best practices for sensitivity labeling and data protection.
• In-App Policy Tips & Prompts → Configuring Microsoft Purview policy tips to appear when users violate security policies, guiding them toward the right actions.

Learn more: Security Awareness Training

Adoption strategy

Training should go beyond one-time sessions—users need a structured adoption plan that encourages ongoing learning and feedback.

Encouraging user participation

• Gamification Elements → Reward employees for following best practices with certifications, badges, or recognition.
• Assessments & Quizzes → Regular short tests to reinforce security awareness and identify areas for improvement.
• Security Champions Program → Appoint team-based security advocates to promote good security habits.
• Feedback Loops → Enable users to report challenges, ask questions, and share success stories, making security a collaborative effort.

Role-based security training

Different teams interact with data differently, so training must be tailored:

• HR & Finance → Handling employee records & financial data securely.
• Engineering → Protecting source code and intellectual property.
• Sales & Marketing → Safeguarding customer lists & campaign analytics.

Automated security nudges

Security should be seamlessly integrated into daily workflows:

• Periodic Reminders via email, Teams, or IT portal banners.
• End-User Security Reports allowing users to track their compliance progress.
• Proactive prompts before users take security-sensitive actions.

5. Maintain a clean and organized environment

A well-organized data environment reduces security risks, improves productivity, and optimizes storage costs. Without proper governance, data sprawl can lead to abandoned content, unnecessary duplication, and outdated files appearing in search results—impacting Microsoft 365 Copilot and compliance efforts.

Here’s how you can manage your content efficiently and securely.

Retention in Purview

Retention policies ensure critical business data is preserved, while outdated content is disposed of appropriately—reducing unnecessary clutter.

Retention policies can:

• Prevent accidental deletions by applying a mandatory retention period.
• Automatically delete content after a defined lifecycle.
• Support legal and regulatory compliance by ensuring records remain intact.

By configuring Microsoft Purview retention policies, organizations can classify and automate content lifecycle decisions without requiring manual intervention.

Learn more: Retention Policies

Inactive data & ownership management

Data without ownership or relevance can create compliance risks and disrupt search accuracy. Organizations should:

• Implement inactive sites policies – Identify unused SharePoint sites and alert owners to archive or delete outdated content. This prevents uncontrolled data sprawl.
• Enforce site ownership management – Ensure all SharePoint sites have at least one designated owner, preventing orphaned sites from containing sensitive data with no oversight.

A well-managed data lifecycle ensures old content doesn’t resurface unexpectedly in Copilot searches or compliance audits.

Learn more: SharePoint Site Lifecycle Management

Microsoft 365 Archive

Microsoft 365 Archive provides cost-effective cold storage, ensuring organizations can retain critical content while reducing storage expenses.

Benefits of M365 Archive:

• Compliance-first storage – Content remains searchable and protected but stored at a lower cost.
• Affordable scalability – Above the threshold, the price drops from $40 to $10 per terabyte.
• Easy retrieval – Archived content maintains permission structures, enabling seamless access when needed.

Organizations struggling with large amounts of inactive but required data should consider M365 Archive as a structured alternative to deletion.

Learn more: Microsoft 365 Archive

SharePoint Versioning

Managing document versions effectively prevents storage waste and enhances collaboration. Microsoft’s new version trimming feature helps organizations control excessive versions automatically.

• Queue a Trim Job → Use PowerShell to clean up versions for a specific site or library.
• Version Trimming Modes → Delete versions based on age, count, or algorithmic factors, ensuring older unnecessary versions don’t inflate storage.
• ‘What-if’ Analysis → Simulate trimming impact before execution to prevent accidental deletions.

⚠️ Trimmed versions are permanently deleted—they cannot be recovered via the recycle bin, making it essential to run simulations before applying changes.

Learn more: SharePoint Versioning

Summary & conclusion

In these two blog posts, we’ve covered a structured plan to prepare content for Copilot deployment. From understanding data risks to protecting sensitive information and educating users, strong data governance is key to leveraging Copilot securely.
Next, I think we’ll get into some post-deployment strategies.

Thank you for reading
/Simon