M365 Copilot and the Case for a Permissions Audit
When Microsoft 365 Copilot arrived, the immediate question from clients was not "Can it help?" It was "Is it safe to turn on?"
My answer was simple: not without a proper permissions review.
AI does not remove tenant risk. It makes existing risk easier to surface.
What I kept finding
Across multiple audits, the same issues kept coming back:
- over-permissive app consents
- mailbox forwarding rules that nobody had reviewed in months
- Intune drift that had crept in quietly
None of that was exotic. It was just the usual gap between default settings and an actual security posture.
Why the audit mattered
The useful part of the process was not the reporting template. It was the discipline.
I needed a way to check the tenant, explain the findings clearly, and keep the evidence somewhere traceable. That made the audit easier to repeat and a lot harder to hand-wave away.
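One of the recurring findings above, unreviewed mailbox forwarding, is a good illustration of that discipline: enumerate the tenant, flag what matters, and leave a dated artefact behind. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed and the signed-in account can read mailbox and inbox-rule settings, and the output file name is my own choice.

```powershell
# Added example, not part of the original post. Assumes the ExchangeOnlineManagement
# module is installed and the account can read mailbox and inbox-rule configuration.
# Lists mailbox-level forwarding and user-created inbox rules that forward or redirect
# mail, then writes the findings to a timestamped CSV so the evidence is traceable.
Connect-ExchangeOnline -ShowBanner:$false

$findings = New-Object System.Collections.Generic.List[object]

# 1. Mailbox-level forwarding (set by admins or via Outlook settings)
Get-Mailbox -ResultSize Unlimited | Where-Object {
    $_.ForwardingAddress -or $_.ForwardingSmtpAddress
} | ForEach-Object {
    $findings.Add([pscustomobject]@{
        Mailbox   = $_.UserPrincipalName
        Source    = 'MailboxForwarding'
        RuleName  = ''
        Target    = (@($_.ForwardingAddress, $_.ForwardingSmtpAddress) | Where-Object { $_ }) -join ';'
        KeepsCopy = $_.DeliverToMailboxAndForward
    })
}

# 2. Inbox rules that forward or redirect; users can create these themselves,
#    which is why they are so often missed in a review
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    $upn = $_.UserPrincipalName
    Get-InboxRule -Mailbox $upn | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo
    } | ForEach-Object {
        $findings.Add([pscustomobject]@{
            Mailbox   = $upn
            Source    = 'InboxRule'
            RuleName  = $_.Name
            Target    = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }) -join ';'
            KeepsCopy = -not $_.RedirectTo   # redirect rules remove the copy from the mailbox
        })
    }
}

# Evidence: one dated file per run so findings can be compared across audits
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$findings | Export-Csv -Path ".\forwarding-audit-$stamp.csv" -NoTypeInformation
"{0} forwarding findings written to forwarding-audit-{1}.csv" -f $findings.Count, $stamp
```

External targets in the Target column are the ones to explain first; internal forwards still belong in the record so the next audit can show what changed.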
The lesson
If Copilot is going to sit on top of the tenant, the tenant needs to be in decent shape first.
That means permissions, logging, and a clear view of who can do what. Otherwise the tool just gives people faster access to a system they do not actually understand.