SKILL.md — paste into Microsoft 365 Copilot or Claude
---
name: Copilot Readiness Assessment
description: Scores a Microsoft 365 tenant for Copilot readiness across licensing, sensitivity labelling, oversharing, Conditional Access and audit retention, mapped to Essential Eight.
---
# Copilot Readiness Assessment
> **TL;DR:** This skill produces a read-only maturity scorecard that tells you whether a Microsoft 365 tenant is ready to safely activate Microsoft 365 Copilot or Microsoft Agent 365, and what to remediate first.
## What does the Copilot readiness assessment check?
The skill scores a Microsoft 365 tenant against the AT.10xxx Copilot readiness control family so an organisation can decide whether to proceed, defer, or remediate before activating Microsoft 365 Copilot or a Microsoft Agent 365 rollout. It examines the controls that most directly govern human-AI collaboration: Copilot licensing coverage, Microsoft Purview sensitivity labelling reach across SharePoint and OneDrive, the SharePoint oversharing baseline that determines what Copilot can surface, Microsoft Entra Conditional Access posture, and Unified Audit Log retention. The result is a defensible readiness position grounded in your current cloud configuration rather than an assumption that the tenant is safe.
## When should you run this skill?
- "Assess M365 Copilot readiness"
- "Is this tenant Copilot-ready?"
- "Score our tenant against AT.10xxx"
- "Pre-rollout review for Microsoft Agent 365"
## Policy defaults and baselines
| Control area | Baseline target |
|---|---|
| Licensing | Microsoft 365 E3/E5 plus Copilot SKU coverage |
| Sensitivity labelling | 70%+ coverage on sites holding sensitive content |
| SharePoint sharing | No broad "Anyone" links on sensitive sites |
| Conditional Access | MFA on all interactive logins; device compliance for licensed users |
| Audit retention | Unified Audit Log enabled, 365 days minimum |
## How this skill works, step by step
1. Confirm licensing baseline: Microsoft 365 E3/E5 plus Copilot SKU coverage.
2. Measure sensitivity labelling coverage across SharePoint and OneDrive (target: 70%+ on sites holding sensitive content).
3. Run a SharePoint oversharing baseline: Anyone links, broad sharing.
4. Confirm Conditional Access posture: MFA on all interactive logins, device compliance for licensed users.
5. Confirm the Unified Audit Log is enabled and retention meets the 365-day minimum.
6. Score each AT.10xxx control: Met / Partial / Not Met.
7. Calculate overall maturity: Ready / Conditional / Defer.
8. Produce the scorecard and remediation action list.
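An added example for steps 4, 6 and 7, not part of the skill file: it scores Conditional Access policies, as returned by Microsoft Graph with `Policy.Read.All`, against the baseline above and rolls control statuses up into an overall maturity. The Met / Partial / Not Met rules, the roll-up rule and the sample policies (including the placeholder group IDs) are assumptions, because the page does not define thresholds.

```python
# Added example. Field names follow the Microsoft Graph conditionalAccessPolicy resource;
# the policies are constructed sample data and the scoring rules are assumptions.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["<break-glass-group-id>"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Compliant device for Copilot users", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeGroups": ["<copilot-licensed-group-id>"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]

def requires(policy, control):
    """True when the grant makes `control` mandatory rather than one option under OR."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    return control in controls and (grant.get("operator") == "AND" or len(controls) == 1)

def covers_everyone(policy):
    """True when the policy targets all users and all cloud apps."""
    cond = policy.get("conditions", {})
    return ("All" in cond.get("users", {}).get("includeUsers", [])
            and "All" in cond.get("applications", {}).get("includeApplications", []))

def score_conditional_access(policies):
    """Return (status, evidence) for the Conditional Access baseline."""
    evidence, found = [], {"mfa": set(), "compliantDevice": set()}
    for p in policies:
        if p.get("state") == "disabled":
            continue
        for control in found:
            # MFA must reach all users and apps; device scope (licensed users) is reviewed by hand.
            if requires(p, control) and (control != "mfa" or covers_everyone(p)):
                found[control].add(p["state"])
                evidence.append(f"{p['displayName']}: {control} ({p['state']})")
        users = p.get("conditions", {}).get("users", {})
        if users.get("excludeUsers") or users.get("excludeGroups"):
            evidence.append(f"{p['displayName']}: has exclusions to review")
    if all("enabled" in states for states in found.values()):
        return "Met", evidence
    return ("Partial" if any(found.values()) else "Not Met"), evidence

def overall_maturity(statuses):
    """Assumed roll-up: any Not Met defers, all Met is Ready, otherwise Conditional."""
    values = set(statuses.values())
    if "Not Met" in values:
        return "Defer"
    return "Ready" if values == {"Met"} else "Conditional"
```

On the sample data the report-only device policy keeps the control at Partial, and the break-glass exclusion appears in the evidence for review rather than failing the control.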
## Output format
| AT.10xxx Control | Description | Status | Evidence | Remediation |
|---|---|---|---|---|
Followed by:
- Overall maturity: Ready / Conditional / Defer
- Top three remediation actions with owner and target date
- Estimated weeks to readiness
## Scope and safety
Read-only by default; the skill never changes tenant configuration. This skill does NOT:
- Activate Copilot or assign licences.
- Modify tenant configuration (read-only).
- Replace a formal IRAP or ISO 27001 assessment.
## Licensing and permissions
### Licences and add-ons
| Capability used | Minimum licence |
| --- | --- |
| Microsoft 365 Copilot or Microsoft Agent 365 activation being assessed | Microsoft 365 Copilot add-on on Microsoft 365 E3/E5 |
| Microsoft Purview sensitivity labelling coverage check | Microsoft 365 E5 (or E5 Information Protection and Governance) |
| Microsoft Entra Conditional Access posture check | Microsoft Entra ID P1 |
### Least-privilege roles
- Global Reader — read-only visibility across the tenant for the readiness scoring.
- Reports Reader — read licence assignment and usage data.
### Microsoft Graph permissions (read-only)
- `Directory.Read.All` — reads tenant directory, including assigned Copilot licences.
- `Policy.Read.All` — reads Microsoft Entra Conditional Access policies.
- `Sites.Read.All` — reads SharePoint and OneDrive sharing and sensitivity-label coverage signals.
- Unified Audit Log retention and Microsoft Purview sensitivity-label policies are read via the Microsoft Purview portal or Exchange Online PowerShell rather than Microsoft Graph.
## Sources and compliance
- Aligned to ASD Essential Eight Control 6: User Application Hardening.
- Supports E8 ML2 evidence for Control 6 (user application hardening of AI surfaces).
- Aligned to Microsoft 365 Copilot GA and Microsoft Agent 365 GA.
- Reference: [https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-overview](https://learn.microsoft.com/en-us/microsoft-365/copilot/microsoft-365-copilot-overview)
- Pair with a DSPM for AI remediation plan when the oversharing baseline fails.
- Output in Australian English.
## How to use this skill
- Get the file. Download or copy the SKILL.md from the panel above.
- Load it into your host:
  - Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
  - Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
  - Any chat host — paste the file contents as your prompt.
- Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed in Licensing and permissions.
- Provide your tenant scope (a site, a collection, or the whole tenant) and run it.
- Review the report and action the risk-ranked recommendations.

This skill is read-only by default — it inspects and reports, and never changes your tenant.
Licensed under CC BY 4.0 by Educ4te. Adapted from the open HybridSP skills catalogue.