
Microsoft Copilot rollout for London SMBs: how to deploy without leaking client data

By Hak, VantagePoint Networks · Published 18 April 2026 · 11 min read

If you run a 20–150-person London firm, you've probably had the same conversation three times this quarter: "should we buy Copilot for Microsoft 365?" Your staff are already using ChatGPT on their phones. Your Microsoft rep is pushing licences. Your competitors claim they've "rolled out AI". And you still don't know whether £26-ish per user per month is going to save time or quietly leak client data into a SharePoint site nobody's looked at since 2022.

This post is the deployment guide I wish every SMB had before they signed the order form. It covers licensing, data governance, SharePoint hygiene, tenant configuration, change management and the specific pitfalls I see wreck first-time rollouts in London firms — particularly in law and financial services, where "oversharing" is a regulatory problem, not just an embarrassment.

Step 1 — Decide what you actually want Copilot to do

Most failed rollouts I audit have one thing in common: nobody wrote down the use case. "We want AI" is not a use case. "We want fee earners to summarise 40-page contracts in under two minutes, grounded in our precedent library" — that's a use case. It tells you what to license, what to secure, and how to measure success.

Before you buy a single licence, spend an afternoon listing the top five things people in your firm spend time on that are repetitive, text-heavy, and low-judgement. Typical candidates:

If three or more of those land, Copilot is probably worth the money. If only one does — look at a narrower tool (a transcription add-in, or a third-party document-summarisation service) before committing the whole firm.

Step 2 — Understand the licensing trap

Copilot for Microsoft 365 is an add-on, not a standalone plan. It needs an eligible base licence: Microsoft 365 Business Basic, Standard or Premium on the SMB side, or Office 365 / Microsoft 365 E3 or E5 on the enterprise side. Most London SMBs I work with are on Business Premium, which is the sensible floor: it gives you Intune, Defender for Business, Conditional Access and DLP, all of which you'll lean on heavily once Copilot is live.

Three licensing traps I watch for:

  1. Annual commitment pricing. Microsoft's annual tier is cheaper per month but locks you in for twelve months. If you're piloting, pay the monthly rate for the first 3 months across a small group, then convert.
  2. Unassigned seats. Teams love to buy "a few extra" and leave them sitting in the tenant. Audit quarterly: at £24–£26 a month, every unassigned Copilot seat is roughly £300 a year of pure waste, and a disabled leaver's account still consumes its seat until someone removes the licence.
  3. Third-party connectors (Graph connectors, Copilot agents). These can add another line to your bill, and some vendors market "Copilot-compatible" tools that are nothing of the sort. Check the Microsoft partner listing, not the vendor's own site.
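The quarterly seat audit from item 2, as an added example (not the article's own tooling) using Microsoft Graph PowerShell. It assumes the Microsoft.Graph modules are installed and you can consent to the listed scopes; the per-seat price is a placeholder for your invoice figure. Sign-in activity is a proxy for use here; the real "used 3+ times this month" number comes from the Copilot Dashboard.

```powershell
# Added example, not the article's or Microsoft's own tooling: a quarterly Copilot seat audit
# with Microsoft Graph PowerShell. Assumptions: Microsoft.Graph modules installed, consent to the
# scopes below, and $seatPricePerMonth replaced with the figure from your invoice.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'Organization.Read.All', 'User.Read.All', 'AuditLog.Read.All' -NoWelcome

$seatPricePerMonth = 26     # assumed placeholder (the article's rough UK figure)
$idleAfterDays     = 30     # a holder with no sign-in for this long is a reclaim candidate

# Match the subscription on SkuPartNumber, which is stable, rather than on the marketing name.
$sku = Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -eq 'Microsoft_365_Copilot' }
if (-not $sku) { throw 'No Microsoft 365 Copilot subscription in this tenant.' }

$purchased  = $sku.PrepaidUnits.Enabled
$assigned   = $sku.ConsumedUnits
$unassigned = $purchased - $assigned

# Everyone holding the licence, with sign-in activity. signInActivity needs AuditLog.Read.All
# and Entra ID P1 (included in Business Premium).
$cutoff  = (Get-Date).AddDays(-$idleAfterDays)
$holders = Get-MgUser -All -Filter "assignedLicenses/any(l:l/skuId eq $($sku.SkuId))" `
                      -Property Id, DisplayName, UserPrincipalName, AccountEnabled, SignInActivity

# Reclaim candidates: disabled accounts, never-signed-in accounts, and accounts idle past the cutoff.
$idle = $holders | Where-Object {
    (-not $_.AccountEnabled) -or
    (-not $_.SignInActivity.LastSignInDateTime) -or
    ($_.SignInActivity.LastSignInDateTime -lt $cutoff)
}

$summary = [pscustomobject]@{
    Purchased       = $purchased
    Assigned        = $assigned
    Unassigned      = $unassigned
    IdleHolders     = @($idle).Count
    DisabledHolders = @($holders | Where-Object { -not $_.AccountEnabled }).Count
    AnnualWasteGBP  = ($unassigned + @($idle).Count) * $seatPricePerMonth * 12
}
$summary | Format-List

# The list to take to the licence owner, oldest sign-in first.
$idle |
    Select-Object DisplayName, UserPrincipalName, AccountEnabled,
        @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } } |
    Sort-Object LastSignIn |
    Export-Csv -Path .\copilot-reclaim-candidates.csv -NoTypeInformation
```

Run it from an admin workstation, keep the CSV with the quarter's licence review, and remove the licence from disabled accounts first; those are the seats nobody will argue about.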

Step 3 — Fix your SharePoint permissions before you turn it on

This is the single most important paragraph in this article, so read it twice.

Copilot queries Microsoft Graph as the signed-in user, so it surfaces anything that user already has permission to read. It cannot exceed their access, but it will reach all of it, including content they would never have found by browsing. If your SharePoint is full of sites where "Everyone except external users" has been granted access, and five years of historical HR docs that were never locked down, Copilot will cheerfully summarise them into a chat window.

I've seen Copilot produce salary tables, under-NDA contract drafts, and one memorable "unresolved complaints" log — all because a shared site had broken inheritance and nobody had noticed. The tool is not the problem; the permissions were always wrong, the AI just made the wrongness visible.

Before rollout, do the following — in this order:

  1. Run a SharePoint oversharing report. Purview's Data Security Posture Management for AI (E5 or the Purview add-on) gives you one, and SharePoint Advanced Management, an add-on that Microsoft now includes with Microsoft 365 Copilot licences, provides the site access and oversharing reports. If you have neither yet, an independent scan using a tool like ShareGate or AvePoint is worth the one-off cost.
  2. Fix "Everyone except external users" grants. That claim, and the plain "Everyone" claim, are the biggest single source of exposure: any site group or library they sit in is readable by the whole firm. Replace them with named groups, and treat organisation-wide "People in <your firm>" sharing links as part of the same problem, since anyone in the firm who opens one gets access to the file.
  3. Classify sensitive sites. Use Sensitivity Labels to mark HR, finance, board-level and privileged client content as confidential, and build the label so Copilot actually honours it. Copilot respects a label's encryption and usage rights: a label that only stamps a header or footer does nothing to stop a summary, while a label that encrypts and withholds the EXTRACT right from everyone outside the owning group means Copilot will not use that content to answer a prompt. That is what "Confidential, do not summarise" has to mean in practice.
  4. Set link and guest expiry. These are two separate tenant settings under Sharing in the SharePoint admin centre: "Anyone" links can be forced to expire (90 days is a reasonable starting point), and guest access to a site can be made to lapse after a set number of days unless the site owner renews it (again, 90 days).
  5. Archive old team sites. Anything not touched in 24 months is a candidate for read-only archive or deletion. Document the decision.
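The five steps above as one scan, added here as an example rather than the article's own script. It uses PnP.PowerShell with app-only certificate authentication, since an interactive sign-in per site does not scale; the tenant name, app registration ID and certificate thumbprint are placeholders, and the app is assumed to hold Sites.FullControl.All. For every site it records the built-in "everyone" principals, where they sit in the site groups, the site's sensitivity label and whether it has been untouched for 24 months, then applies the link and guest expiry settings from step 4.

```powershell
# Added example, not the article's own tooling: a pre-Copilot SharePoint oversharing scan with
# PnP.PowerShell. Assumptions: PnP.PowerShell is installed, an Entra app registration with
# Sites.FullControl.All (application) and a certificate in the current user's store exists, and
# $tenant, $clientId and $thumbprint are placeholders you replace.
Import-Module PnP.PowerShell

$tenant     = 'contoso'                                     # assumed tenant name
$clientId   = '11111111-2222-3333-4444-555555555555'        # assumed app registration ID
$thumbprint = 'ABCDEF0123456789ABCDEF0123456789ABCDEF01'    # assumed certificate thumbprint
$tenantFqdn = "$tenant.onmicrosoft.com"
$adminUrl   = "https://$tenant-admin.sharepoint.com"

# Login-name prefixes of the two built-in "everyone" principals. Either one holding a role on a
# site is a Copilot exposure candidate. The EEEU claim ends in the tenant ID, hence prefix matching.
$broadClaims = @(
    'c:0(.s|true',                               # Everyone (including guests)
    'c:0-.f|rolemanager|spo-grid-all-users'      # Everyone except external users
)

function Test-BroadClaim ([string]$LoginName) {
    foreach ($prefix in $broadClaims) { if ($LoginName.StartsWith($prefix)) { return $true } }
    return $false
}

Connect-PnPOnline -Url $adminUrl -ClientId $clientId -Tenant $tenantFqdn -Thumbprint $thumbprint
$staleBefore = (Get-Date).AddMonths(-24)
$sites = Get-PnPTenantSite        # OneDrive sites are excluded by default

$report = foreach ($site in $sites) {
    Connect-PnPOnline -Url $site.Url -ClientId $clientId -Tenant $tenantFqdn -Thumbprint $thumbprint

    # Get-PnPUser lists the site's user information list; the broad claims only appear there once
    # somebody has granted them a role or shared to them, which is exactly the signal we want.
    $broadPrincipals = Get-PnPUser | Where-Object { Test-BroadClaim $_.LoginName }

    # Where they were granted: most often added by hand to the Members or Visitors group.
    $groupGrants = foreach ($group in Get-PnPGroup) {
        foreach ($member in Get-PnPGroupMember -Group $group) {
            if (Test-BroadClaim $member.LoginName) { "$($group.Title) <- $($member.Title)" }
        }
    }

    [pscustomobject]@{
        Url              = $site.Url
        Template         = $site.Template
        SensitivityLabel = $site.SensitivityLabel
        BroadPrincipals  = ($broadPrincipals.Title -join '; ')
        BroadGroupGrants = ($groupGrants -join '; ')
        LastModified     = $site.LastContentModifiedDate
        StaleCandidate   = ($site.LastContentModifiedDate -lt $staleBefore)
    }
}

$report | Export-Csv -Path .\sharepoint-oversharing.csv -NoTypeInformation

# Headline numbers for the steering meeting.
$exposed    = @($report | Where-Object { $_.BroadPrincipals -or $_.BroadGroupGrants })
$stale      = @($report | Where-Object { $_.StaleCandidate })
$unlabelled = @($report | Where-Object { -not $_.SensitivityLabel })
"Sites: $(@($report).Count)  Everyone/EEEU grants: $($exposed.Count)  stale >24 months: $($stale.Count)  unlabelled: $($unlabelled.Count)"

# Step 4 at tenant level: 'Anyone' links expire after 90 days, and guest access to a site lapses
# after 90 days unless the site owner renews it.
Connect-PnPOnline -Url $adminUrl -ClientId $clientId -Tenant $tenantFqdn -Thumbprint $thumbprint
Set-PnPTenant -RequireAnonymousLinksExpireInDays 90 `
              -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 90
```

The CSV is the remediation worklist: sites with a broad grant get a named group instead, unlabelled sites holding HR, finance or client material get a label, and stale sites go into the archive decision for step 5. Re-run it after the fixes and keep both outputs; the before and after is your evidence that the clean-up happened.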
Rule of thumb

If you wouldn't be comfortable with a new graduate searching every SharePoint site on day one, you are not ready for Copilot. Fix that first; everything else is downstream. If the business will not wait for the clean-up, the interim control is Restricted SharePoint Search: it limits Copilot and organisation-wide search to an allow-list of up to 100 curated sites (users still get their own files and sites they have recently worked in) until the audit is done. It is a stopgap, not a fix, and it should come off once the report above is clean.

Step 4 — Configure the tenant for grown-ups

Out of the box, Copilot is configured for demos. Before real users touch it, change the following:

Step 5 — Pilot before you scale

A 100-seat rollout on day one is a stress test you will fail. The rollout I recommend looks like this:

  1. Weeks 1–2: Sponsor plus 5–10 volunteers across different roles. No training yet — just watch how they use it and where it gets in the way.
  2. Weeks 3–4: One-hour training for the pilot group, tailored to their actual use cases (not a generic "here are 50 prompts" session). Write down the top three prompts per role.
  3. Weeks 5–6: Expand to a department. Appoint a "Copilot champion" in each team — the person everyone already goes to with Excel questions.
  4. Weeks 7–10: Firm-wide rollout with role-based training materials, a prompt library in SharePoint, and a clear support path.
  5. Week 12: Review usage metrics from Microsoft's Copilot Dashboard. Reclaim any seat that hasn't been used 3+ times in a month. Reallocate to the waitlist.

Step 6 — Measure something that isn't "activations"

Microsoft will happily show you dashboards of activations, prompts sent, and apps used. None of that tells you whether Copilot is earning its keep. Pick two or three outcome metrics before you start, and measure them at weeks 0, 6 and 12:

If none of those move, something is wrong with the deployment, not the tool. The fix is usually SharePoint content quality, not licences or training.

Common failure modes

"Copilot keeps giving me weird summaries"

Almost always a grounding problem. Copilot is reading the wrong SharePoint sites, or the right ones are poorly structured. Fix the content, then retry.

"It surfaced something it shouldn't have"

Permissions, almost always. Treat it as a data-protection incident: pull the CopilotInteraction records from the Purview audit log to see which files the answer was grounded on, identify the source site, fix the ACLs, review your DLP policies, assess whether it crosses the ICO's reporting threshold, and document what happened. Don't blame the tool.

"Staff have stopped using it"

Usually because the first two weeks felt underwhelming. The fix is role-specific training and a shared prompt library. Generic prompt guides don't survive contact with real work.

"Our regulator / auditor is asking about AI use"

Produce: a written AI policy, your Copilot audit logs (the CopilotInteraction records in the Purview unified audit log; Audit (Standard) keeps them for 180 days, so export on a schedule rather than hoping they are still there), your Sensitivity Label scheme, your DLP policies, and evidence of staff training. That's the evidence pack for an SRA review, an FCA visit, or a Cyber Essentials renewal.
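The export behind that evidence pack, as an added example (not the article's own process). It pulls the last 90 days of Copilot interactions from the unified audit log, the label and DLP configuration from Security & Compliance PowerShell, and the tenant sharing posture from the SharePoint admin shell into one dated folder. It assumes ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell are installed, that the signed-in account holds the Audit Logs, Compliance Administrator and SharePoint Administrator roles, and that the tenant name is a placeholder. The resource fields follow the CopilotInteraction audit schema; check them against Microsoft's audit schema reference if your records differ.

```powershell
# Added example, not the article's own evidence pack: collect the Copilot audit trail and the
# tenant's sharing, label and DLP configuration into one dated folder for an auditor request.
# Assumptions: ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell are installed;
# the account holds the Audit Logs, Compliance Administrator and SharePoint Administrator roles;
# $tenant is a placeholder.
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Online.SharePoint.PowerShell

$tenant   = 'contoso'                                            # assumed
$evidence = Join-Path $PWD ('copilot-evidence-' + (Get-Date -Format 'yyyy-MM-dd'))
New-Item -ItemType Directory -Path $evidence -Force | Out-Null

# 1. Copilot interactions live in the unified audit log under RecordType CopilotInteraction.
#    Audit (Standard) retains 180 days, so run this at least quarterly.
Connect-ExchangeOnline -ShowBanner:$false
$start   = (Get-Date).AddDays(-90)
$end     = Get-Date
$session = [guid]::NewGuid().ToString()
$records = @()
do {
    # ReturnLargeSet pages 5,000 records at a time for the same SessionId until nothing is left.
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType CopilotInteraction `
                -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $page
} while (@($page).Count -eq 5000)

$rows = foreach ($rec in $records) {
    $data = $rec.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $rec.CreationDate
        User      = $rec.UserIds
        AppHost   = $data.CopilotEventData.AppHost
        # The files and sites the answer was grounded on: what an auditor, or an incident review
        # after "it surfaced something it shouldn't have", actually wants to see.
        Resources = (@($data.CopilotEventData.AccessedResources) | ForEach-Object { $_.Name }) -join '; '
    }
}
$rows | Export-Csv -Path (Join-Path $evidence 'copilot-interactions.csv') -NoTypeInformation

# 2. Label scheme and DLP policies from Security & Compliance PowerShell.
Connect-IPPSSession
Get-Label | Select-Object DisplayName, Name, ContentType, Priority, EncryptionEnabled |
    Export-Csv -Path (Join-Path $evidence 'sensitivity-labels.csv') -NoTypeInformation
Get-DlpCompliancePolicy | Select-Object Name, Mode, Enabled, Workload |
    Export-Csv -Path (Join-Path $evidence 'dlp-policies.csv') -NoTypeInformation

# 3. Tenant sharing posture plus the Restricted SharePoint Search state, so the pack shows whether
#    the stopgap is still on.
Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"
$posture = [ordered]@{
    Sharing          = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
                           RequireAnonymousLinksExpireInDays, ExternalUserExpirationRequired,
                           ExternalUserExpireInDays
    RestrictedSearch = Get-SPOTenantRestrictedSearchMode
    AllowedSites     = @(Get-SPOTenantRestrictedSearchAllowedList)
}
$posture | ConvertTo-Json -Depth 4 | Set-Content -Path (Join-Path $evidence 'sharepoint-posture.json')

"Evidence pack written to $evidence ($(@($rows).Count) Copilot interactions)"
```

Store the folder with the AI policy and the training records, and diff successive runs: a sharing setting that has drifted, or a label whose encryption has been switched off, is exactly the finding you want to catch before the regulator does.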

Should you do this yourself or bring someone in?

If you have a competent internal IT lead with SharePoint admin experience, a Copilot rollout is doable in-house — expect 4–6 weeks of focused part-time work, plus the cost of one external SharePoint oversharing audit. If your IT is outsourced to a generalist MSP, ask them directly: "have you delivered three or more Copilot rollouts, and can I speak to the clients?" If the answer is vague, bring in a specialist for the governance piece even if your MSP handles the hands-on deployment.

The worst outcome isn't a failed rollout — it's a rollout that quietly works while exposing the wrong data for six months before anyone notices. The governance work up-front costs a fraction of the breach response afterwards.

If you only do one thing

Run a SharePoint oversharing audit before you enable Copilot for anyone. Everything else — licensing, training, change management — can be fixed later. A shared link you didn't know about cannot.

Frequently asked questions

How much does Microsoft Copilot cost per user in the UK?

Copilot for Microsoft 365 is an add-on to eligible base licences. List price sits at roughly £24–£26 per user per month on annual commitment. Budget also for a base M365 Business Premium seat if you're not on one already.

Do we need Microsoft 365 E3 or E5 to use Copilot?

No. Business Standard and Business Premium are eligible, which covers most 5–300-seat firms. E3 or E5 are only required for advanced Purview, eDiscovery Premium, or Defender XDR features.

Can Copilot expose data that staff shouldn't see?

Yes, if your SharePoint permissions are wrong. Copilot surfaces anything the user already has read access to, so broken inheritance and "Everyone except external users" grants become visible through AI summaries. Fix oversharing before enabling.

How long does a Copilot rollout take for a 50-person firm?

Typical end-to-end rollout is 8–12 weeks: 2 weeks scoping and SharePoint audit, 4 weeks remediation and pilot, 2–4 weeks phased expansion with training.

Is Copilot data kept within the UK or EU?

For data at rest, yes, but it is decided when the tenant is created, not by a setting you flip later. Data location follows the country chosen at sign-up; check it in the Microsoft 365 admin centre under Settings > Org settings > Organization profile > Data location. A UK tenant keeps Exchange, SharePoint and OneDrive data at rest in the UK geography, and Copilot prompts and responses are stored in the user's Exchange Online mailbox, so they inherit that location. The EU Data Boundary applies to EU and EFTA tenants, not UK ones, so do not cite it in your evidence pack. Verify the data location before rollout; don't assume it.

Want a Copilot rollout that doesn't embarrass you six months in?

Free 20-minute strategy call. I'll tell you honestly whether your SharePoint is ready, what licences you actually need, and what "rollout" should look like in your firm.
