← Blog

Before you switch on Copilot, check what your team can already see

Tenant Strike4 min read

Copilot is now part of Microsoft 365 Business plans. It only shows people files they can already open — which is exactly the problem. Three checks first.

Ask Copilot "what do people at this company get paid?" and it won't hack anything. It will do exactly what it's designed to do: search everything you're allowed to open and give you a tidy answer — including, at plenty of small companies, the payroll spreadsheet someone saved to a shared folder in 2022 and forgot.

That question is about to get very easy to ask. On July 1, Microsoft made Copilot part of the standard small-business plans: Business Standard and Business Premium now come with the AI assistant built into Word, Excel, Outlook, and Teams — no separate add-on. If your business runs on Microsoft 365, Copilot is no longer a purchase decision. It's a switch.

Before you flip it, it's worth understanding the one sentence in Microsoft's announcement that matters most.

"Copilot only sees what it is allowed to see"

That's Microsoft's line, and it's true. Copilot doesn't bypass your permissions — it obeys them perfectly. If a salesperson asks about payroll and can't open the payroll file, Copilot won't show it.

Here's the catch: the question was never whether Copilot respects your permissions. It's what your permissions actually say after years of nobody looking at them.

At most small companies, file access has grown the way a garage fills up. Someone shared a folder with "everyone" to hit a deadline. A departed employee's OneDrive got handed wholesale to their manager. An outside accountant got invited in for one project and still has access. A company-wide team chat quietly became the place contracts get stored. None of it caused a problem, because finding anything required knowing where to look — and nobody browses old file folders for fun.

That obscurity was doing quiet work as a security control. Copilot removes it. Everything an employee technically has access to — every folder, every old attachment, every forgotten share — becomes one chat prompt away, neatly summarized.

Even Microsoft assumes you have this problem

Microsoft's own pre-Copilot security guidance tells organizations to verify "just enough access" — each person can reach what their job needs and no more — before handing out Copilot licenses. It ships oversharing reports to find the problem sites, and a setting called Restricted Content Discovery that hides a site from Copilot while you clean it up. You don't build those tools for a problem nobody has.

That guidance is written for enterprises with IT departments. The 20-person version is simpler, and most of it fits in a week.

Three checks before you turn it on

1. Run the nosy-colleague test (ten minutes). Once Copilot is live on your own account, ask it the questions you'd least want an employee asking: What do people here get paid? What are the terms of our biggest client contract? What severance did we offer last year? Then have one non-manager try the same on their account. Every surprising answer is a folder with the wrong permissions — you've just built your cleanup list.

2. Ask about "Everyone" shares (one email to your IT provider). Ask, by name: "Can you run the SharePoint data access governance reports and tell me which sites are shared with 'Everyone except external users'?" Those org-wide shares are where payroll files and contracts leak from. If a site is too messy to fix quickly, ask them to apply Restricted Content Discovery to it — Copilot skips the site, and nobody's daily work breaks.

3. Sweep the guests (thirty minutes). External access outlives every project. The Microsoft 365 admin center lists your guest accounts — anyone tied to a client or vendor you no longer work with should go. Guests don't get Copilot licenses, but cleaning up who can see what is the same job either way.

None of this is a reason to skip Copilot — for a small team, an assistant that already knows your files is genuinely useful. It's a reason to spend a week on permissions first, because a permissions problem is invisible right up until something starts surfacing files. Better that something is you.

If you'd rather not do the checking by hand, this is what Tenant Strike is for: a read-only scan of your Microsoft 365 setup — sharing settings, guest access, and 100+ other checks — graded A–F with the exact fix for each gap, in about five minutes. It can see your settings; it never changes them.

Either way: ask the nosy questions before your employees do.

AI-researched from public sources, human-reviewed on July 11, 2026. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.