Copilot governance

Microsoft 365 Copilot is expensive and easy to misuse. Licences get assigned to people who don't touch it, shared SharePoint sites leak into prompts they shouldn't, and the prompt-audit setting gets left off so you've got no evidence of what was asked. Copilot governance in Manage365 covers the five things MSPs need to actually charge for Copilot management.

What it covers

  1. Licence ROI — who has a Copilot licence, who actually uses it, and how much AUD you're wasting on idle seats
  2. Oversharing scan — SharePoint sites where “Everyone” or anonymous links open the content up to Copilot grounding
  3. Prompt-audit enablement check — whether the Purview audit flag for Copilot interactions is on
  4. Interaction history — per-user prompt preview so you can answer “what did they ask?” questions
  5. Sensitivity-label coverage — how much of the tenant's content is labelled, which lets Copilot respect label-based access controls

1. Licence ROI

For each tenant Manage365 pulls:

  • Total assigned Copilot licences
  • Last interaction timestamp per assigned user (from getM365AppUserDetail reports)
  • A count of idle seats — users with a licence but no Copilot interaction in the last 30 days

Idle seats become a dollar figure on the Copilot card: idle seats × list price per seat × 12 months, in AUD. That's the number you put on the customer-facing report when you recommend reassigning or cancelling licences.

The licence price lookup uses the AUD Microsoft list price at sync time. Override it on a per-MSP basis in Settings → Copilot → Licence price override if you buy through a different channel (CSP partner margin, EA pricing, etc.).

Example output

Tenant: Acme Health
Assigned: 24 seats
Active (30d): 9
Idle: 15
Monthly waste: $540 AUD
Annualised waste: $6,480 AUD
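
Added example (not Manage365's own code): the idle-seat and AUD-waste calculation described above, in Python over a constructed user list. The input record shape, the treatment of a last interaction exactly 30 days old as still active, and the $36 AUD/seat/month price are assumptions.

```python
from datetime import datetime, timedelta, timezone

IDLE_AFTER_DAYS = 30   # the page's definition: no Copilot interaction in 30 days
MONTHS_PER_YEAR = 12

def copilot_licence_roi(users, seat_price_aud, now):
    """Count active/idle Copilot seats and price the idle ones in AUD.

    users: dicts with 'upn', 'has_licence' (bool) and 'last_activity'
           (aware datetime of the last Copilot interaction, or None).
    seat_price_aud: monthly per-seat price (list price or per-MSP override).
    now: aware datetime used as the reference point (assumed input).
    """
    cutoff = now - timedelta(days=IDLE_AFTER_DAYS)
    assigned = [u for u in users if u["has_licence"]]
    # Never used at all counts as idle, as does a last interaction older
    # than the window; exactly 30 days ago is treated as still in-window.
    idle = [u for u in assigned
            if u["last_activity"] is None or u["last_activity"] < cutoff]
    monthly_waste = len(idle) * seat_price_aud
    return {
        "assigned": len(assigned),
        "active_30d": len(assigned) - len(idle),
        "idle": len(idle),
        "idle_users": sorted(u["upn"] for u in idle),
        "monthly_waste_aud": monthly_waste,
        "annualised_waste_aud": monthly_waste * MONTHS_PER_YEAR,
    }

# Constructed sample tenant: four licensed users plus one without a licence.
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"upn": "alice@example.com", "has_licence": True,
     "last_activity": NOW - timedelta(days=2)},
    {"upn": "bob@example.com", "has_licence": True,
     "last_activity": NOW - timedelta(days=45)},
    {"upn": "carol@example.com", "has_licence": True, "last_activity": None},
    {"upn": "dave@example.com", "has_licence": True,
     "last_activity": NOW - timedelta(days=30)},   # on the 30-day boundary
    {"upn": "erin@example.com", "has_licence": False,
     "last_activity": NOW - timedelta(days=1)},    # Copilot Chat user, no seat
]

if __name__ == "__main__":
    # Assumed price: $36 AUD/seat/month, matching the page's example figures.
    print(copilot_licence_roi(SAMPLE_USERS, seat_price_aud=36.0, now=NOW))
```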

2. Oversharing scan

Copilot for Microsoft 365 grounds responses on whatever the user can already read. If a SharePoint site is shared with “Everyone except external users” or an anonymous link exists, that content is in Copilot's reach for every user in the tenant.

The oversharing scan pulls the top 50 sites per tenant (by storage size) and inspects:

  • Everyone / Everyone-except-external sharing
  • Active anonymous sharing links
  • Sharing capability set to anyone-with-the-link
  • Guest user access on the site (informational, not a violation)

Findings are listed per site with the specific sharing type. Fixing them is manual — the scan doesn't auto-remediate (SharePoint sharing changes are high-blast-radius; human approval only).

Why only top 50?

Tenants with thousands of sites would take hours to scan completely. Top 50 by size captures the sites that matter for Copilot grounding — large sites tend to be the ones Copilot returns results from. If you need a deeper scan for a specific tenant, use the Extended scan button on the tenant Copilot card (covers up to 500 sites, runs async, emails you when done).
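
Added example (not the Manage365 scanner itself): the classification rules of the oversharing scan in Python over three constructed site records, including the top-N-by-storage cut that can drop a tiny but badly shared site. The site record shape is an assumption; the sharing_capability values are SharePoint's SharingCapability names, where ExternalUserAndGuestSharing is the "anyone with the link" setting.

```python
# Principals the page treats as opening a site to every Copilot user in the tenant.
BROAD_PRINCIPALS = {"Everyone", "Everyone except external users"}
SCAN_LIMIT = 50   # default scope: the 50 largest sites by storage

def scan_site(site):
    """Return (violations, notes) for one site record (shape assumed):
    'groups' = principals granted access, 'anonymous_links' = active link count,
    'sharing_capability' = SharePoint SharingCapability name, 'guest_users' = count.
    """
    violations, notes = [], []
    for principal in site["groups"]:
        if principal in BROAD_PRINCIPALS:
            violations.append(f"broad sharing: {principal}")
    if site["anonymous_links"] > 0:
        violations.append(f"{site['anonymous_links']} active anonymous link(s)")
    # ExternalUserAndGuestSharing is SharePoint's value for "anyone with the link".
    if site["sharing_capability"] == "ExternalUserAndGuestSharing":
        violations.append("sharing capability: anyone with the link")
    # Guest users with explicit permission are informational, not a violation.
    if site["guest_users"] > 0:
        notes.append(f"{site['guest_users']} guest user(s) with explicit permission")
    return violations, notes

def oversharing_scan(sites, limit=SCAN_LIMIT):
    """Scan the `limit` largest sites; return findings keyed by site URL."""
    in_scope = sorted(sites, key=lambda s: s["storage_bytes"], reverse=True)[:limit]
    findings = {}
    for site in in_scope:
        violations, notes = scan_site(site)
        if violations or notes:
            findings[site["url"]] = {"violations": violations, "notes": notes}
    return findings

# Constructed sample: the smallest site is the worst-shared one.
SAMPLE_SITES = [
    {"url": "https://example.sharepoint.com/sites/Finance", "storage_bytes": 900_000_000,
     "groups": ["Finance Owners", "Everyone except external users"], "anonymous_links": 0,
     "sharing_capability": "ExternalUserSharingOnly", "guest_users": 2},
    {"url": "https://example.sharepoint.com/sites/HR", "storage_bytes": 400_000_000,
     "groups": ["HR Members"], "anonymous_links": 0,
     "sharing_capability": "Disabled", "guest_users": 0},
    {"url": "https://example.sharepoint.com/sites/Scratch", "storage_bytes": 5_000,
     "groups": ["Everyone"], "anonymous_links": 3,
     "sharing_capability": "ExternalUserAndGuestSharing", "guest_users": 0},
]

if __name__ == "__main__":
    print(oversharing_scan(SAMPLE_SITES))            # all three in scope
    print(oversharing_scan(SAMPLE_SITES, limit=2))   # Scratch drops out of the top 2
```

With the default limit every sample site is in scope; with limit=2 the heavily shared Scratch site is silently excluded, which is the case the Extended scan exists for.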

3. Prompt-audit enablement check

The check verifies whether auditing of Microsoft Copilot interactions is enabled in the unified audit log. With it off, prompts and responses aren't retained — terrible news if the customer is in healthcare or finance and someone asks Copilot a sensitive question.

If the check returns disabled you get a compliance alert. Enabling it requires a Graph call that the Copilot governance module can make on your behalf — one-click from the Copilot tenant card.

4. Interaction history per user

The Interaction history preview endpoint returns a page of Copilot interactions for one user — prompt text, response excerpt, source app (Word, Teams, Outlook, chat.microsoft.com), timestamp.

It's a preview feature: results depend on prompt-audit being enabled, and the data comes from the Purview audit log so it lags 15–60 minutes behind the actual interaction. Useful for:

  • Responding to customer questions like “did X ask Copilot for Y?”
  • Investigating a suspected prompt-injection or data-exfil incident
  • Spot-checking new Copilot users to confirm they're actually using it (before you renew their licence)

5. Sensitivity-label coverage

Microsoft Purview sensitivity labels let Copilot respect label-based access — a Confidential document won't get pulled into a chat with someone who shouldn't see it. But coverage is only meaningful at the tenant level: if 2% of documents are labelled, labels don't help.

The coverage check reports:

  • Total documents in scope (SharePoint + OneDrive)
  • Labelled documents
  • Labelled percentage
  • Breakdown by top 5 labels used

Low coverage (under 20%) surfaces as a medium-severity compliance finding. The customer-facing remediation is “turn on auto-labelling in Purview” — Manage365 links to the Purview admin centre rather than driving auto-label config itself (Purview is the right place for those decisions).

Endpoints

Method + path | What it does | Permission
GET /copilot/tenants/:tenantId/licence-roi | Idle seat count + AUD waste | COPILOT_READ
GET /copilot/tenants/:tenantId/oversharing | Top 50 SharePoint sites with findings | COPILOT_READ
POST /copilot/tenants/:tenantId/oversharing/extended | Async extended scan (up to 500 sites) | COPILOT_READ
GET /copilot/tenants/:tenantId/prompt-audit | Returns enabled / disabled | COPILOT_READ
POST /copilot/tenants/:tenantId/prompt-audit/enable | Turns the audit flag on | COPILOT_MANAGE
GET /copilot/tenants/:tenantId/users/:userId/interactions | Paged interaction preview (requires audit enabled) | COPILOT_READ
GET /copilot/tenants/:tenantId/label-coverage | Sensitivity-label coverage % | COPILOT_READ

End-to-end example: quarterly Copilot review

  1. Pull Licence ROI for every tenant — get the annualised waste number
  2. Filter to tenants with > $5,000 AUD annualised waste — those are the ones worth a customer conversation
  3. Run oversharing on each — feed findings into the customer report
  4. Check prompt-audit; if off for any tenant, enable it before the renewal conversation
  5. Check label coverage; anything under 20% becomes a Purview workshop recommendation
  6. Export the whole thing to the quarterly customer report PDF
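
Added example (not a Manage365 client or script): the six steps above as a Python driver against the endpoint paths listed in the Endpoints table, run here against an offline stand-in client with constructed responses. The JSON response field names, the client interface and the tenant ids are assumptions; the page documents the paths and permissions, not the response bodies.

```python
WASTE_THRESHOLD_AUD = 5000   # page: above this, worth a customer conversation
LABEL_FLOOR_PCT = 20         # page: under 20% becomes a Purview workshop recommendation

def quarterly_copilot_review(client, tenant_ids):
    """Run the six-step review; client.get(path) / client.post(path) return JSON.
    Assumed response shapes (the page documents the paths, not the bodies):
      licence-roi    -> {"annualised_waste_aud": number}
      oversharing    -> {"findings": [...]}
      prompt-audit   -> {"enabled": bool}
      label-coverage -> {"labelled_pct": number}
    """
    report = []
    for tid in tenant_ids:
        base = f"/copilot/tenants/{tid}"
        waste = client.get(f"{base}/licence-roi")["annualised_waste_aud"]
        if waste <= WASTE_THRESHOLD_AUD:
            continue   # step 2: skip tenants without material waste
        entry = {"tenant": tid, "annualised_waste_aud": waste}
        entry["oversharing"] = client.get(f"{base}/oversharing")["findings"]
        enabled = client.get(f"{base}/prompt-audit")["enabled"]
        if not enabled:
            # step 4: needs COPILOT_MANAGE; turn it on before the renewal talk
            client.post(f"{base}/prompt-audit/enable")
        entry["prompt_audit_enabled_by_review"] = not enabled
        pct = client.get(f"{base}/label-coverage")["labelled_pct"]
        entry["label_coverage_pct"] = pct
        entry["recommend_purview_workshop"] = pct < LABEL_FLOOR_PCT
        report.append(entry)
    return report   # step 6: this is what goes into the quarterly PDF

class FakeClient:
    """Offline stand-in for the Manage365 API, serving constructed responses."""
    def __init__(self, responses):
        self.responses, self.posts = responses, []
    def get(self, path):
        return self.responses[path]
    def post(self, path):
        self.posts.append(path)
        return {"ok": True}

FAKE = FakeClient({
    "/copilot/tenants/t1/licence-roi": {"annualised_waste_aud": 6480},
    "/copilot/tenants/t1/oversharing": {"findings": ["sites/Finance: Everyone except external users"]},
    "/copilot/tenants/t1/prompt-audit": {"enabled": False},
    "/copilot/tenants/t1/label-coverage": {"labelled_pct": 12},
    "/copilot/tenants/t2/licence-roi": {"annualised_waste_aud": 1200},   # filtered out at step 2
})
if __name__ == "__main__":
    print(quarterly_copilot_review(FAKE, ["t1", "t2"]))
```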

Common pitfalls

  • Interaction history empty — prompt-audit either wasn't on during the window, or the Purview ingestion is lagging. Check the audit flag and wait an hour.
  • Licence price override not applied — the override is per-MSP, not per-tenant. If a customer negotiates a special rate directly with Microsoft, your override won't reflect it.
  • Top 50 missing a known-bad site — the list is ordered by storage size. A heavily-overshared but tiny site won't make the cut. Use the extended scan.
  • Guest access flagged as oversharing — it isn't. Guest users with explicit permission on a site are normal. The scan notes them but doesn't count them as violations.

FAQ

Does this work with Copilot Chat (free tier)? Licence ROI and interaction history don't — no licence means no detail report. Prompt-audit and oversharing still apply.

Can I auto-reclaim idle licences? Not yet. It's a manual action through the licence-management page — mostly because “idle” often means “on leave”, not “should be unassigned”.

Where does this feed into compliance reports? Oversharing + prompt-audit feed into the Essential Eight restrict administrative privileges and application control strategies. Label coverage feeds into APRA CPS 234 data protection.