M365 Copilot and the Case for a Permissions Audit

When Microsoft 365 Copilot arrived, the immediate question from clients was not "Can it help?" It was "Is it safe to turn on?"

My answer was simple: not without a proper permissions review.

AI does not remove tenant risk. Copilot queries with the permissions each user already holds, so it creates no new access; what it does is make everything that user could already reach, including the oversharing nobody had noticed, one prompt away.

What I kept finding

Across multiple audits, the same issues kept coming back:

  • over-permissive app consents: applications holding more Graph permissions than they needed, often granted tenant-wide by an admin rather than per user
  • mailbox forwarding rules, at both the inbox-rule and mailbox level, that nobody had reviewed in months
  • Intune drift: device configuration that had quietly moved away from the agreed baseline

None of that was exotic. It was just the usual gap between default settings and an actual security posture.

Why the audit mattered

The useful part of the process was not the reporting template. It was the discipline.

I needed a way to check the tenant, explain the findings clearly, and keep the evidence (what was queried, by whom, when, and what came back) somewhere traceable. That made the audit easier to repeat and a lot harder to hand-wave away.
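As an added example, and not the post's own audit script, the PowerShell below makes one read-only pass over the three finding classes listed earlier and writes the evidence set that the discipline above calls for: one timestamped file per check and a hashed manifest of who ran it and when. It assumes the Microsoft Graph PowerShell SDK and ExchangeOnlineManagement modules are installed, that the account used holds only the read scopes requested, and that the output folder and the list of high-risk permissions are illustrative choices of mine, not anything the post states.

```powershell
# Added example (not the post's own script). Assumptions: Microsoft Graph PowerShell SDK and
# ExchangeOnlineManagement are installed, the signed-in account holds only the read scopes
# requested below, and $EvidenceDir / $HighRiskPermissions are illustrative choices.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.DeviceManagement, ExchangeOnlineManagement
param([string]$EvidenceDir = '.\audit-evidence')   # assumed output location

$ErrorActionPreference = 'Stop'
$runId  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $EvidenceDir $runId
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

function Save-Evidence([string]$Name, $Rows) {
    # One file per check, even when empty: "checked, found nothing" is itself evidence.
    $path = Join-Path $outDir $Name
    if ($Rows) { $Rows | Export-Csv $path -NoTypeInformation } else { New-Item $path -ItemType File -Force | Out-Null }
    $path
}

# Read-only scopes only: the audit must not be able to change what it measures.
Connect-MgGraph -NoWelcome -Scopes @('Application.Read.All', 'DelegatedPermissionGrant.Read.All',
                                      'DeviceManagementConfiguration.Read.All')
Connect-ExchangeOnline -ShowBanner:$false

# Illustrative list (assumption) of permissions worth a second look when granted tenant-wide
# or app-only, because they reach mail, files or directory data for every user.
$HighRiskPermissions = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.Read.All',
                         'Files.ReadWrite.All', 'Sites.Read.All', 'User.Read.All', 'Directory.ReadWrite.All')

# --- 1. App consents -----------------------------------------------------------------------
$sps    = Get-MgServicePrincipal -All
$spById = @{}
foreach ($sp in $sps) { $spById[$sp.Id] = $sp }
# Delegated grants. ConsentType 'AllPrincipals' means an admin consented on behalf of everyone.
$delegated = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $scopes = ($_.Scope -split ' ') | Where-Object { $_ }
    [pscustomobject]@{
        App         = $spById[$_.ClientId].DisplayName
        AppId       = $spById[$_.ClientId].AppId
        Resource    = $spById[$_.ResourceId].DisplayName
        ConsentType = $_.ConsentType
        Scopes      = $scopes -join ' '
        HighRisk    = ($scopes | Where-Object { $HighRiskPermissions -contains $_ }) -join ' '
    }
}
# Application (app-only) roles: no user in the loop, the app holds this access around the clock.
$appOnly = foreach ($sp in $sps) {
    foreach ($a in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
        $role = $spById[$a.ResourceId].AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        [pscustomobject]@{
            App = $sp.DisplayName; AppId = $sp.AppId; Resource = $a.ResourceDisplayName
            Role = $role.Value;    HighRisk = [bool]($HighRiskPermissions -contains $role.Value)
        }
    }
}
Save-Evidence 'consents-delegated.csv' $delegated | Out-Null
Save-Evidence 'consents-app-only.csv'  $appOnly   | Out-Null

# --- 2. Mail forwarding --------------------------------------------------------------------
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
# Mailbox-level forwarding, set by an admin or through Outlook settings.
$mbxForward = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
# Inbox rules that forward or redirect. Forward plus DeleteMessage is the classic
# business-email-compromise pattern: the owner never sees the thread that left.
$ruleForward = foreach ($m in $mailboxes) {
    Get-InboxRule -Mailbox $m.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n='Mailbox'; e={ $m.UserPrincipalName }}, Name, Enabled, DeleteMessage,
            @{n='Targets'; e={ (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                                Where-Object { $_ }) -join ';' }}
}
Save-Evidence 'forwarding-mailbox.csv' $mbxForward  | Out-Null
Save-Evidence 'forwarding-rules.csv'   $ruleForward | Out-Null

# --- 3. Intune drift: diff policy versions against the previous evidence set ---------------
$intune = Get-MgDeviceManagementDeviceConfiguration -All |
    Select-Object Id, DisplayName, Version, LastModifiedDateTime
Save-Evidence 'intune-policies.csv' $intune | Out-Null
$prevDir  = Get-ChildItem $EvidenceDir -Directory | Where-Object Name -lt $runId |
    Sort-Object Name | Select-Object -Last 1
$prevPath = if ($prevDir) { Join-Path $prevDir.FullName 'intune-policies.csv' }
$drift = if ($prevPath -and (Test-Path $prevPath) -and (Get-Item $prevPath).Length -gt 0) {
    # Round-trip the current set through CSV so both sides compare as strings.
    $curr = @($intune | ConvertTo-Csv -NoTypeInformation | ConvertFrom-Csv)
    # '=>' rows are new or changed since the last run, '<=' rows were deleted or replaced.
    Compare-Object @(Import-Csv $prevPath) $curr -Property Id, Version -PassThru |
        Select-Object Id, DisplayName, Version, LastModifiedDateTime, SideIndicator
}
Save-Evidence 'intune-drift.csv' $drift | Out-Null

# --- 4. Manifest: who ran what, when, and a hash of every file produced ---------------------
$ctx = Get-MgContext
[pscustomobject]@{
    RunId = $runId; RunBy = $ctx.Account; Tenant = $ctx.TenantId
    Files = @(Get-ChildItem $outDir -Filter '*.csv' | ForEach-Object {
                [pscustomobject]@{ Name = $_.Name; Sha256 = (Get-FileHash $_.FullName).Hash } })
} | ConvertTo-Json -Depth 3 | Set-Content (Join-Path $outDir 'manifest.json')

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Two caveats for anyone adapting this. Enumerating app role assignments per service principal and inbox rules per mailbox is one Graph or Exchange call each, so in a large tenant the run takes a while; that is acceptable for a periodic audit but not for something you want to run hourly. The Intune check only covers the classic device configuration profiles exposed by that cmdlet; Settings Catalog and compliance policies are separate Graph resources and need their own export before they can be diffed the same way.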

The lesson

If Copilot is going to sit on top of the tenant, the tenant needs to be in decent shape first.

That means permissions for users, groups and apps, audit logging that is switched on and actually retained, and a clear view of who, and which applications, can do what. Otherwise the tool just gives people faster access to a system they do not actually understand.