Is Your Microsoft 365 Environment Actually Secure, and Why Does It Matter Before You Turn Copilot On?

 What this article covers at a glance: In this article we will walk you through what Microsoft 365 tenant security means, what Copilot inherits from your environment, how to tell if something is off, and what a proper review covers. By the end you will have enough to make a clear decision about where to start. Datasmith Network Solutions is a managed IT services provider based in Walpole, Massachusetts. We have been managing Microsoft 365 environments for businesses across New England for nearly four decades. This article is written to help you understand what you have, not to sell you something you do not need. One note before we start: if your Microsoft 365 environment was set up recently by a competent IT partner who ran a full configuration review at the time, some of this may already be in order. This article is for everyone else.

Most Microsoft 365 environments are not properly configured, and most business owners do not know it 

If your business runs on Microsoft 365, the honest answer to whether your environment is properly secured is probably no. That is not anything you did wrong. Most Microsoft 365 tenants are set up, turned on, and never reviewed again. The default settings stay in place, and nobody comes back to question them. 

A staff member who left eighteen months ago still has an active account with access to every shared drive they used while employed. A SharePoint folder created for a vendor project was never restricted after the project ended. Multi-factor authentication is enabled for the admin account but optional for everyone else. None of these show up as errors. Microsoft 365 still works. Email still arrives. Files still open.  

These are the same gaps we find in tenant review after tenant review, and most business owners had no idea they were there. 

Why this matters more now that Copilot is in the picture 

Most tenants stay unreviewed until something forces the question, and for a growing number of businesses Copilot is that trigger. It reads your emails, searches your files, summarizes your meetings, and answers questions using the content already living in your environment. That is what makes it useful. It is also what makes an improperly configured tenant a different kind of problem. 

Paul Smith of Datasmith said it plainly at a recent technology seminar: “You don’t configure Copilot for security. Copilot inherits the back end of the tenant’s governance.” 

Image: Paul Smith of Datasmith, with the quotation above.

There is no separate security layer that comes with Copilot. It does not scan your environment or flag what should be restricted. The tool works inside the permissions and access controls already in your tenant, whatever state those happen to be in. A file that is accessible under your current setup can be found and surfaced. A folder shared too broadly three years ago and never caught looks the same to Copilot as any other. It reads exactly what the current permissions allow, nothing more and nothing less. 

This is not a scare tactic. 

Most of the issues we find in a tenant review are fixable in a matter of hours. The point is to find them before Copilot does. 

What does Microsoft 365 tenant security mean? 

What a tenant is and why its configuration affects everything that runs inside it 

When your business uses Microsoft 365, everything runs inside a single dedicated environment called a tenant. Think of it as the foundation the entire building sits on. Outlook, Teams, SharePoint, OneDrive, and Copilot are all rooms inside that building. If the foundation has structural issues, those issues exist in every room whether you can see them or not. 

When your tenant was first set up, it came with default settings designed for general use, not for the specific way your business operates. Configuring it correctly means going back through those defaults and making deliberate decisions about each one.  

The settings most small businesses never touch after initial setup 

The settings that most often get left at their defaults are also the ones that matter most from a security standpoint. These are the areas that come up most consistently in tenant reviews: 

User Access Permissions
  Properly configured: Each user has access only to what their role requires.
  Typically left at default: Everyone can access all shared drives and folders.

Multi-Factor Authentication (MFA)
  Properly configured: MFA enforced for all users and all apps.
  Typically left at default: MFA optional, or enabled only for admin accounts.

External Sharing
  Properly configured: Restricted and controlled by policy, with approval required.
  Typically left at default: Anyone with a link can access shared files.

Legacy Authentication
  Properly configured: Older sign-in protocols that cannot perform MFA (for example basic authentication for POP, IMAP and SMTP) are blocked.
  Typically left at default: Still active, leaving a back door into the environment that MFA never sees.

Guest Access
  Properly configured: Guests have time-limited, scoped access only.
  Typically left at default: No restrictions; guests retain access indefinitely.

Data Classification
  Properly configured: Files labeled by sensitivity (confidential, internal, public).
  Typically left at default: No labels, so Copilot cannot distinguish sensitive from general content.

Inactive Accounts
  Properly configured: Reviewed and disabled within 30 days of an employee's departure.
  Typically left at default: Former employees may still have active credentials.
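The table above, and the stale accounts and open folders described earlier, can be checked rather than guessed at. The script below is an added example written for this article, not Datasmith's review tooling, and it is read-only: it reports on inactive member accounts, idle guests, whether MFA is enforced tenant-wide and legacy authentication is blocked (via Conditional Access or Security Defaults), and the tenant-level SharePoint sharing ceiling. It assumes the Microsoft Graph PowerShell SDK and the SharePoint Online Management Shell are installed, that the account used holds a read role such as Global Reader plus SharePoint Administrator for the last check, and that the tenant has Entra ID P1 (sign-in activity is not returned without it). The 30-day threshold and the admin URL are placeholders to replace with your own.

```powershell
# Added example: read-only audit of the tenant settings in the table above.
# Assumes Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell are installed
# and the signed-in account can read users, policies and the SharePoint tenant.
param(
    [int]$InactiveDays = 30,                                     # matches the 30-day target above
    [string]$SpoAdminUrl = "https://contoso-admin.sharepoint.com" # placeholder: your -admin URL
)

Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","Policy.Read.All" -NoWelcome
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# 1. Inactive accounts. signInActivity needs Entra ID P1; a null LastSignInDateTime
#    means no interactive sign-in in the retained history. Accounts newer than the
#    cutoff are excluded so a freshly created user is not flagged as abandoned.
$users = Get-MgUser -All -Property "userPrincipalName,accountEnabled,userType,signInActivity,createdDateTime"
$stale = @($users | Where-Object {
    $_.AccountEnabled -and $_.UserType -eq "Member" -and $_.CreatedDateTime -lt $cutoff -and
    ($null -eq $_.SignInActivity.LastSignInDateTime -or $_.SignInActivity.LastSignInDateTime -lt $cutoff)
})
Write-Host "Enabled member accounts with no sign-in in $InactiveDays days: $($stale.Count)"
$stale | Select-Object UserPrincipalName, @{n="LastSignIn";e={$_.SignInActivity.LastSignInDateTime}} | Format-Table

# 2. Guest access. Enabled guests that have gone quiet are the "vendor from last
#    quarter" case: access that outlived its purpose.
$guests = @($users | Where-Object { $_.UserType -eq "Guest" -and $_.AccountEnabled })
$idleGuests = @($guests | Where-Object {
    $null -eq $_.SignInActivity.LastSignInDateTime -or $_.SignInActivity.LastSignInDateTime -lt $cutoff
})
Write-Host "Guest accounts: $($guests.Count) enabled, $($idleGuests.Count) idle for $InactiveDays+ days"

# 3. MFA and legacy authentication. Look for enabled Conditional Access policies that
#    (a) require MFA for all users and (b) block the legacy client app types
#    (Exchange ActiveSync and "other", which covers basic auth for POP/IMAP/SMTP).
$enabled = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq "enabled" })
$mfaAll = @($enabled | Where-Object {
    $_.GrantControls.BuiltInControls -contains "mfa" -and
    $_.Conditions.Users.IncludeUsers -contains "All"
})
$legacyBlock = @($enabled | Where-Object {
    $_.GrantControls.BuiltInControls -contains "block" -and
    $_.Conditions.ClientAppTypes -contains "exchangeActiveSync" -and
    $_.Conditions.ClientAppTypes -contains "other"
})
# Security Defaults is the free, all-or-nothing alternative: it requires MFA
# registration and blocks legacy auth, but cannot be combined with Conditional Access.
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults enabled: $($secDefaults.IsEnabled)"
Write-Host "CA policies requiring MFA for all users: $($mfaAll.Count) ($($mfaAll.DisplayName -join ', '))"
Write-Host "CA policies blocking legacy auth:        $($legacyBlock.Count) ($($legacyBlock.DisplayName -join ', '))"
if (-not $secDefaults.IsEnabled -and $mfaAll.Count -eq 0)      { Write-Warning "MFA is not enforced tenant-wide." }
if (-not $secDefaults.IsEnabled -and $legacyBlock.Count -eq 0) { Write-Warning "Legacy authentication is not blocked." }

# 4. External sharing. Get-SPOTenant shows the tenant-wide ceiling for SharePoint and
#    OneDrive; individual sites can only be as open as this value allows.
#    'ExternalUserAndGuestSharing' permits anonymous "Anyone" links.
Connect-SPOService -Url $SpoAdminUrl
$spo = Get-SPOTenant
Write-Host "SharePoint sharing capability: $($spo.SharingCapability); default link type: $($spo.DefaultSharingLinkType)"
if ($spo.SharingCapability -eq "ExternalUserAndGuestSharing") {
    # RequireAnonymousLinksExpireInDays of -1 means Anyone links never expire.
    Write-Warning "Anyone links are allowed tenant-wide; they expire after $($spo.RequireAnonymousLinksExpireInDays) days (-1 = never)."
}
```

Run it from an elevated PowerShell session before turning Copilot on and again after remediation. The counts it prints are the same items the table describes: every stale account, idle guest, missing MFA policy or open sharing setting it reports is something Copilot will inherit unchanged.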

What “governance” means in plain English and why it is not just an IT word 

Governance is a word that gets used in IT conversations and tends to make business owners’ eyes glaze over. But it is the set of rules and policies that determine who can access what, how information is shared, and what happens when someone leaves the organization. 

It is not only a technical concept but a business operations concept. Who should be able to see the payroll folder? Should a vendor you brought in last quarter still have access to your SharePoint? Can any employee share any document with anyone outside the company? Governance is just the answers to those questions. Most environments have never had those questions asked out loud, let alone answered deliberately. 

 

Here is what Copilot inherits from your tenant 

That lack of deliberate configuration is exactly where the Copilot conversation starts. 

Most business owners assume that because Copilot is a Microsoft product running inside a Microsoft platform, Microsoft has handled the security side of it. That is a reasonable assumption. It is also incorrect. 

Microsoft secures the infrastructure Copilot runs on, but it does not configure your tenant for you. The permissions, access controls, and sharing policies are your organization’s decisions to make, and most organizations have never made them deliberately. 

Diagram: Copilot does not configure security; it inherits what is already in the tenant. Permissions, data labels and user accounts are all inherited by Microsoft Copilot, which is not a separate layer. In a properly configured tenant the output is reliable and scoped, surfacing data according to roles and permissions. In an improperly configured tenant the output is unpredictable and may surface sensitive data to the wrong people. A tenant governance review corrects permissions, labels sensitive data, removes stale accounts, and audits access controls.

What does that mean if your permissions, access controls, or data classifications are not in order? 

In a properly configured tenant, each user can only access the information their role requires. A sales rep’s Copilot session stays within sales data. A manager’s session reflects the access that manager is supposed to have. The AI surfaces the work each person is already authorized to do. 

In an improperly configured tenant, the access problem gets amplified. If permissions are too broad, Copilot's reach is just as broad. If sensitive files are not labeled or restricted, they get treated like any other content. The result is not a security breach in the traditional sense; nobody broke in, and every file surfaced was one the user's permissions already allowed. It is something subtler and harder to catch. Information surfaces to the wrong people through the tool you paid for and trusted. 

Real examples of what can go wrong when Copilot pulls from an unsecured environment 

The most common examples involve access that outlived its purpose. A folder shared with a vendor during a project that was never locked down afterward. A former employee’s account still active six months after departure. A shared drive set to company-wide access when it was only ever meant for one department. None of these were mistakes. They were defaults that nobody went back to review. When Copilot is turned on, it searches inside whatever access controls exist. It does not distinguish between content someone should have seen and content that was simply never restricted. 

 

How do you know if your tenant is configured correctly? 

Why there are usually no visible warning signs 

The honest answer to “how do I know if my tenant is configured correctly” is that most business owners do not know because there is nothing to see. No error message, no alert, no moment where Microsoft 365 stops working. The gaps that accumulate from years of default settings sit quietly in the background. The misconfiguration does not announce itself. 

That is what makes a tenant review different from most IT work. It is not a response to something breaking. It is a deliberate look at what is already there, before something gives it a reason to matter. 

What a proper Microsoft 365 security and governance review covers 

A Datasmith Microsoft 365 security and governance review covers the areas that matter most to Copilot readiness and overall tenant health: user access permissions, multi-factor authentication enforcement, external sharing policies, legacy authentication protocols, guest access settings, inactive accounts, and data sensitivity labeling. The review produces a clear findings summary with specific items to address, organized by priority. 

What the review produces and what happens after it 

A tenant governance review is not a report that sits in a drawer. Most of what gets found can be resolved quickly. Outdated sign-in protocols, guest access policies, and inactive accounts can typically be addressed in a single working session. Others, like developing a file sensitivity structure for SharePoint, require a conversation about how your business organizes information before anything gets configured. 

The output is a clear picture of what is in place, what is not, and what to fix first. It is a starting point, not a verdict. 

A properly configured tenant does not just reduce risk around Copilot. It affects how your backups work, how your organization handles compliance obligations, and how efficiently day to day support gets resolved. Licensing gets used correctly, access controls reflect how the business works, and when something goes wrong there is a clear path to resolution. A clean tenant is simply a better running environment across everything Microsoft 365 touches.  

Frequently Asked Questions 

If I already have Microsoft 365, does that not mean it’s secure? 

Not necessarily. Microsoft 365 includes strong security capabilities, but they are not automatically configured for your organization. Most small business environments have never had a tenant review, which means many of those capabilities have never been turned on.  

What exactly is a Microsoft 365 tenant? 

Your tenant is the dedicated Microsoft 365 environment your organization runs on. Every user, file, email, and application lives inside it. The settings that control who can access what, how information is shared, and how security is enforced are all configured at the tenant level. 

Do I need to fix my tenant before I can use Copilot? 

You can turn Copilot on regardless of your tenant configuration. But Copilot works inside whatever permissions and access controls are already in place. If those settings have never been reviewed, it operates within them, including any that are broader than they should be. 

What does Datasmith’s Microsoft 365 security review include? 

Datasmith’s tenant governance review covers user access permissions, multi-factor authentication, external sharing policies, legacy authentication, guest access, inactive accounts, and data sensitivity labels. The review produces a prioritized findings summary. Most items are resolved in a single working session. For pricing and timeline, book a direct conversation with Paul.

  

What to do next 

If you are not sure whether your tenant is properly configured, that is the starting point 

Most business owners have no reason to know that until something forces the question. For a lot of organizations, Copilot is becoming that moment. 

Copilot works inside whatever your tenant already has in place. If the permissions are too broad, Copilot's reach is just as broad. If sensitive files are not labeled, they get treated like everything else. A tenant that was never reviewed does not become a different kind of problem when Copilot gets turned on. It becomes the same problem, with an AI searching through it. 

Most of what a review uncovers is fixable quickly. The work is not starting over. It is going through the settings deliberately, for the first time, with someone who knows what to look for. 

What a conversation with Datasmith looks like 

On June 23 at 11 AM EST we are hosting a live webinar that walks through the Copilot readiness process step by step, beginning with the tenant assessment. If you are running Microsoft 365 and have been curious about Copilot but want to understand what needs to be in place before you turn it on, this is where to start. 

Register here for the Copilot webinar on June 23 at 11 AM EST

Do you want to find out how secure your current M365 environment actually is? Datasmith offers a complimentary IT assessment for companies in New England. We will look at your security posture and current setup and give you an honest picture of where you stand. It is a conversation without any commercial obligation. If you feel this could be useful to you, go ahead and schedule it. 

Schedule Your Complimentary IT Assessment 
