Making an 800-User Organisation Copilot-Ready Without Exposing Sensitive Data

The client wanted to deploy Microsoft Copilot but had significant data governance and security gaps. Permissions were overshared, there was no formal data classification model, sensitive client documents were accessible to users without a business need, and DLP was not in place.

Cloudbliss started with a data discovery phase using Microsoft Purview to understand what sensitive data existed, where it lived, and who had access to it. A four-tier sensitivity label model was created: Public, Internal, Confidential, and Restricted.

Auto-labelling policies were then configured to classify documents based on content, supported by mandatory labelling to prevent unclassified files from being saved or shared. Data Loss Prevention policies were deployed across Exchange, SharePoint, Teams, and endpoints, beginning in audit mode before moving into enforcement.

The identity layer was hardened through Entra ID Conditional Access, Privileged Identity Management, passwordless authentication, and automated access reviews. Defender XDR and Microsoft Sentinel were then deployed to provide unified detection, monitoring, and automated response.

Only after the data security foundation was in place did the organisation move towards Copilot enablement, supported by Purview Data Security Posture Management for AI.

Results

• 800-user organisation prepared for Microsoft Copilot
• Full AI Readiness Programme delivered over 16 weeks
• 200,000+ documents classified using Purview
• Four-tier sensitivity label model implemented
• DLP deployed across M365 workloads and endpoints
• Entra ID hardened with Conditional Access, PIM, and access reviews
• Defender XDR and Microsoft Sentinel deployed
• 12 custom analytics rules configured
• 5 automated incident response playbooks created
• 7 custom Sensitive Information Types created
• Microsoft Secure Score increased from 34% to 78%
• Copilot enabled with a defensible data security foundation