Small tenants with fewer than 300 users often lack dedicated compliance teams. Without a governance checklist, Copilot can expose sensitive data through grounded responses in Microsoft 365 apps. This article provides a practical checklist covering data source restrictions, user licensing, and audit logging. You will learn the exact settings to configure in the Microsoft 365 admin center and Entra admin center to keep Copilot safe and compliant.
Key Takeaways: Copilot Governance for Small Tenants
- Microsoft 365 admin center > Copilot > Data sources: Restrict Copilot to specific SharePoint sites and exclude all OneDrive personal content by default.
- Entra admin center > Conditional Access > Policies: Require multi-factor authentication for all Copilot users and block legacy authentication.
- Microsoft 365 admin center > Audit > Audit log search: Enable auditing for all Copilot interactions and retain logs for at least 90 days.
What a Small Tenant Copilot Governance Checklist Covers
A governance checklist for small tenants defines who can use Copilot, what data Copilot can access, and how to monitor usage. Small tenants often share the same global admin account for multiple roles. This increases risk if Copilot inadvertently surfaces internal data in public channels. The checklist addresses three areas: access control, data boundaries, and audit readiness.
Access control includes user licensing, role-based permissions, and multi-factor authentication. Data boundaries involve restricting SharePoint sites, disabling web grounding, and limiting Copilot to work data only. Audit readiness requires enabling unified audit logging and reviewing Copilot interaction reports weekly.
Prerequisites for Building the Checklist
Before you apply any governance setting, confirm you have these items:
- Global admin or Compliance admin role in Microsoft 365
- Copilot for Microsoft 365 licenses assigned to test users
- Entra ID Premium P1 license for Conditional Access policies
- Microsoft 365 audit logging enabled in the organization
Steps to Build the Copilot Governance Checklist
Step 1: Restrict Copilot Data Sources in the Microsoft 365 Admin Center
- Open the Microsoft 365 admin center: go to admin.microsoft.com and sign in with a Global admin account.
- Navigate to Copilot settings: select Settings > Org settings > Copilot. This page controls data source permissions for all Copilot users.
- Select Data sources: under the Copilot tab, choose Data sources. By default, Copilot can access all SharePoint sites and OneDrive files. For small tenants, restrict this to specific sites only.
- Add allowed SharePoint sites: click Add sites and enter the URLs of the SharePoint sites Copilot can read, for example https://contoso.sharepoint.com/sites/ITTeam. Do not add general sites like /sites/AllCompany unless necessary.
- Disable OneDrive access: toggle Allow Copilot to access OneDrive to Off. This prevents Copilot from surfacing personal files in responses.
- Disable web grounding: toggle Allow Copilot to use web search results to Off. This keeps Copilot responses grounded only in your tenant data.
Step 2: Configure Conditional Access Policies in Entra Admin Center
- Open the Entra admin center: go to entra.microsoft.com and sign in with a Global admin account.
- Create a new Conditional Access policy: select Protection > Conditional Access > Policies > New policy.
- Name the policy: enter Copilot MFA Required in the Name field.
- Assign users: under Users > Include, select All users. Under Exclude, add your emergency break-glass accounts.
- Target the Copilot app: under Cloud apps or actions > Include, select All cloud apps. Then under Exclude, add Microsoft Copilot as an app. This ensures Copilot itself is protected while other apps are excluded.
- Set access controls: under Grant, select Grant access > Require multi-factor authentication. Check Require device to be marked as compliant if your tenant uses Intune.
- Enable the policy: set Enable policy to Report-only first. Test with a single user, then switch to On after 24 hours.
Step 3: Enable and Monitor Audit Logging
- Open the Microsoft 365 admin center: go to admin.microsoft.com and sign in with a Global admin or Compliance admin account.
- Enable unified audit logging: select Compliance > Audit. If auditing is off, click Start recording user and admin activity. This enables logging for all Copilot interactions.
- Search Copilot audit logs: in the Audit page, click Search. Under Activities, type Copilot and select Copilot interaction. Set a date range for the past 7 days and click Search.
- Export logs weekly: click Export and save the CSV file. Store it in a secure SharePoint library with restricted access. Schedule a weekly reminder to export logs.
- Set retention policy: go to Compliance > Data lifecycle management > Retention policies. Create a policy that retains audit logs for 90 days. Small tenants can use 90 days as the minimum.
Step 4: Assign Copilot Licenses to Specific Users Only
- Open the Microsoft 365 admin center: go to admin.microsoft.com and sign in with a Global admin or License admin account.
- Go to Billing > Licenses: select Billing > Licenses. Locate Copilot for Microsoft 365 in the list.
- Assign licenses to a test group: click the product, then Assign licenses. Select a security group that contains only the users who need Copilot. Do not assign licenses to all users by default.
- Remove unassigned licenses: if you have unassigned licenses, remove them from the tenant to avoid accidental activation. Go to Billing > Your products > Copilot for Microsoft 365 > Cancel subscription and reduce the count.
Common Governance Gaps in Small Tenants
Copilot Returns Information from Personal OneDrive Files
When OneDrive access is enabled, Copilot can surface personal documents in responses. This happens even if the file is not shared. The fix is to disable OneDrive access in the Copilot data sources settings as shown in Step 1. After disabling, wait up to 24 hours for the change to propagate.
Users Can Bypass MFA for Copilot
If the Conditional Access policy does not include the Copilot app explicitly, users can sign in without MFA. Verify the policy targets All cloud apps and excludes only the Copilot app. Test by signing in as a user without MFA and confirming the block.
Audit Logs Show No Copilot Activity
Unified audit logging may be disabled, or the search query may be incorrect. Confirm auditing is on by checking the Audit page in the compliance center. Use the activity filter Copilot interaction and make sure the date range includes recent usage. If the search still returns no results, run the Search-UnifiedAuditLog PowerShell cmdlet to verify.
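The weekly export from Step 3 and the verification above can be scripted instead of clicked through. The following is an added example, not code from the article: it uses the Exchange Online PowerShell module, the sign-in UPN is a placeholder, and the CopilotEventData field names (AppHost, AccessedResources) are assumed from the audit record schema.

```powershell
# Export the last 7 days of Copilot interaction audit records to CSV.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account holds a role that can read the unified audit log.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com   # placeholder UPN

$start     = (Get-Date).AddDays(-7)
$end       = Get-Date
$sessionId = "copilot-weekly-" + (Get-Date -Format "yyyyMMddHHmm")
$records   = @()

# Page through results 5000 at a time; the same SessionId returns the next page
# on each call, and the loop ends when a page comes back empty.
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType CopilotInteraction -SessionId $sessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)

# Paged sessions can occasionally repeat a record; de-duplicate on Identity.
$records = $records | Sort-Object Identity -Unique

if (-not $records) {
    Write-Warning "No CopilotInteraction records found. Confirm unified auditing is on and that the date range covers recent usage."
}

# Flatten the AuditData JSON payload into one row per interaction.
$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $d.CreationTime
        User      = $d.UserId
        AppHost   = $d.CopilotEventData.AppHost          # assumed field name
        Resources = ($d.CopilotEventData.AccessedResources | ForEach-Object { $_.Name }) -join '; '
    }
}

$rows | Sort-Object Time |
    Export-Csv -Path ".\CopilotInteractions-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false
```

The Resources column shows which files and sites grounded each response, which is the quickest way to spot a SharePoint site or OneDrive content that should not be in scope after Step 1.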
| Item | Small Tenant Default | Governed State |
|---|---|---|
| Data source scope | All SharePoint sites and OneDrive | Restricted to specific SharePoint sites only |
| Web grounding | Enabled | Disabled |
| Conditional Access MFA | Not configured | Required for all Copilot users |
| Audit logging | May be disabled | Enabled with 90-day retention |
| License assignment | Assigned to all users | Assigned to a security group only |
Now you have a complete Copilot governance checklist for your small tenant. Start by restricting data sources in the Microsoft 365 admin center and enabling audit logging. Next, configure Conditional Access policies in Entra to enforce MFA. Review the audit logs weekly and adjust the allowed SharePoint sites as your team grows. For an advanced step, create a sensitivity label policy that blocks Copilot from reading documents labeled Highly Confidential.