
Your Microsoft 365 tenant has hidden risks. Here’s how to find them. 

Courtney

There’s a tool sitting inside your SharePoint Admin Centre right now that can surface over-sharing risks, orphaned sites, and broken permissions across your estate, and many organisations have never heard of it.  

In SharePoint Advanced Management, there’s an assessment tool that helps you prepare for Copilot. 

But even if Copilot isn’t on your radar yet, the assessment can be useful for highlighting issues you have within your SharePoint sites – broken permissions, sites no one uses, sensitive content and more.

While useful for everyone using Microsoft 365, it’s essential for those planning to switch on Copilot in the coming months. 

Last year, we created a guide to help you secure Microsoft 365 for Copilot – which outlined the ways you can prepare to make sure your Microsoft 365 is secure and structured to avoid Copilot leaking sensitive information.  

The Copilot Readiness Assessment tool does a lot of the legwork – creating a health check report on your Microsoft 365 environment. This used to require complex PowerShell scripts, specialist expertise, and significant time, but it now takes a few clicks. 

Here, our CEO and Founder Tony Phillips shows you how it works and how to use the tool to assess the health of your current SharePoint sites.  

Why the Readiness Assessment is useful – whether you use Copilot or not  

The name might say “Copilot Readiness”, but the value of this assessment stretches well beyond AI. Here’s a straightforward breakdown of why it matters depending on where your organisation currently sits. 

For organisations already using or planning to use Copilot  

Permission problems become AI problems, fast.  

Copilot respects existing permissions, which sounds reassuring until you realise your permissions haven’t been reviewed in years. Whatever people can already access, Copilot can surface. If the wrong people can see sensitive files, Copilot will find those files and potentially serve them up. 

Files shared with “Everyone in the organisation” via an old sharing link? The assessment tells you exactly how many of those exist before you switch Copilot on. 

What’s more, orphaned, out-of-date sites pollute Copilot’s knowledge base. If Copilot is drawing on out-of-date, ownerless sites full of obsolete documents, the answers it gives your staff will reflect that. Archiving inactive content keeps Copilot focused on what’s current and relevant. 

In short, you need a clean foundation before you can trust the outputs. Running the assessment first, and acting on its findings, means when you do deploy Copilot, you can do so with confidence rather than crossed fingers. 


For organisations not using Copilot 

Even if you’re not using Copilot, permissions, old sites and the oversharing of sensitive content are all issues you should want to fix within your organisation. 

SharePoint Search already surfaces over-shared content. Those old “Anyone in the organisation” links? Any member of staff searching for the right term can already find that content. The exposure exists regardless of Copilot. 

Ownerless sites are a data governance liability. Sites with no owner have no accountability. Nobody is reviewing who has access, whether the content is still accurate, or whether it should even exist. That’s a data governance and data protection risk, not just an AI concern. 

Broken permission inheritance might cause real operational problems. When people share files directly instead of managing access at site level, new starters don’t get access to things they should, and leavers retain access to things they shouldn’t.  

And for former contractors, external collaborators, temporary partners – if their guest access was never removed, it’s still active. The assessment makes this visible so you can act on it. 


How to run the Copilot Readiness Assessment 

The assessment lives in the SharePoint Admin Centre under Advanced Management.  

Look for “Prepare for Copilot with SharePoint Advanced Management” and hit Start Assessment.  


Note: depending on the size of your tenant, it can take several days to complete its crawl, so kick it off, then come back to review the results. 

The assessment runs across your entire SharePoint and OneDrive environment and surfaces issues across four key areas.  

It produces downloadable reports for each category, which you can open in Excel, filter by risk level, and prioritise for action. 


Site lifecycle – Sites nobody owns or uses 

Every old project, team, or initiative that created a SharePoint site and then got forgotten. No owner or oversight, just dormant data sitting in your environment. 


Oversharing – Files shared with everyone 

In many older SharePoint environments, broad organisation-wide sharing links may still be active. Your staff may not know, but your search engine does. 


Permissions – Broken permission inheritance 

When someone clicks “Share” on a file, they break the permissions chain. Over time, this creates a tangle of one-off individual permissions that are almost impossible to manage manually.

Site privacy – Public sites with sensitive content 

Sites set as Public rather than Private may be accessible or discoverable much more widely than intended. That might be fine – or it might be a serious problem, depending on what’s in them. 


Top tips for using the Copilot Readiness Assessment  

We’ve outlined the best practice tips that Microsoft suggests when using the Readiness Assessment tool: 

Rerun the assessment every 30 days.  

New sites are created, permissions change, and staff come and go. You should view this as an ongoing governance habit, not a one-time exercise.  

Use AI insights to interpret findings.  

The SharePoint Admin Centre now has AI-generated insights that help identify patterns in the data and suggest recommended actions. This is useful when the volume of findings feels overwhelming. 

Use Restricted Access Control  

Restricted Access Control can be applied to high-risk sites to limit who can access sensitive content, regardless of existing sharing links or permissions. 

Use site lifecycle policies  

Site lifecycle policies can automate the process of identifying inactive sites and prompting owners to confirm whether they’re still needed, reducing the manual burden of ongoing governance. 

More information and guidance from Microsoft can be found here. 
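To support the 30-day rerun habit described above, this added example (not code from Microsoft or Cloud Design Box) compares two downloads of the same assessment report and labels each site as new, changed, persisting or resolved. The column names `Site URL` and `Risk level` and the contoso URLs are assumptions; adjust them to match the headers in your own export.

```powershell
# ASSUMPTION: the column names 'Site URL' and 'Risk level' are hypothetical;
# change the defaults to match the headers in the report you downloaded.
function Compare-AssessmentRun {
    param(
        [Parameter(Mandatory)] [object[]] $Previous,
        [Parameter(Mandatory)] [object[]] $Current,
        [string] $KeyColumn  = 'Site URL',
        [string] $RiskColumn = 'Risk level'
    )
    # Normalise URLs so case or a trailing slash does not create false "new" rows.
    $toKey = { param($u) ([string]$u).Trim().TrimEnd('/').ToLowerInvariant() }
    $old = @{}
    foreach ($row in $Previous) { $old[(& $toKey ($row.$KeyColumn))] = $row }
    $seen = @{}
    foreach ($row in $Current) {
        $key = & $toKey ($row.$KeyColumn)
        $seen[$key] = $true
        $before = $old[$key]          # $null when the site was not in the last run
        $status = if ($null -eq $before) { 'New' }
                  elseif ($before.$RiskColumn -ne $row.$RiskColumn) { 'RiskChanged' }
                  else { 'Persisting' }
        [pscustomobject]@{
            Status       = $status
            Site         = $row.$KeyColumn
            PreviousRisk = if ($null -ne $before) { $before.$RiskColumn } else { $null }
            CurrentRisk  = $row.$RiskColumn
        }
    }
    # Rows only in the previous run were remediated or deleted; confirm which.
    foreach ($key in $old.Keys) {
        if (-not $seen.ContainsKey($key)) {
            [pscustomobject]@{ Status = 'Resolved'; Site = $old[$key].$KeyColumn
                PreviousRisk = $old[$key].$RiskColumn; CurrentRisk = $null }
        }
    }
}
# Constructed sample rows standing in for two downloads taken 30 days apart.
$lastRun = @'
Site URL,Risk level
https://contoso.sharepoint.com/sites/finance,High
https://contoso.sharepoint.com/sites/old-project/,Medium
'@ | ConvertFrom-Csv
$thisRun = @'
Site URL,Risk level
https://contoso.sharepoint.com/sites/Finance,Medium
https://contoso.sharepoint.com/sites/hr-archive,High
'@ | ConvertFrom-Csv
Compare-AssessmentRun -Previous $lastRun -Current $thisRun | Sort-Object Status | Format-Table -AutoSize
# With real downloads: -Previous (Import-Csv .\previous.csv) -Current (Import-Csv .\current.csv)
```

Rows marked `New` are the ones to triage first, since they appeared after the last review.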

What happens after the Copilot Readiness Assessment? 

Running the assessment is the first step. Knowing what to do with the results – and building the structures to prevent the same issues from recurring – is where most organisations need support. 

Cloud Design Box works with schools, Multi-Academy Trusts and organisations to build properly structured Microsoft 365 environments using SharePoint and Teams. That means permissions are set correctly from day one, site creation is governed rather than ad hoc, and the kind of problems the assessment surfaces are far less likely to accumulate in the first place. 

Get in touch with our team today to get started.  
 
