On July 1, Microsoft is rolling out new SKUs: Microsoft 365 Business Standard with Copilot and Microsoft 365 Business Premium with Copilot. These are new, higher-priced plans that bundle Copilot into the subscription rather than selling it as a separate $30/user add-on. The original plans without Copilot will still exist alongside them.

For firms that have been weighing the Copilot add-on and waiting for the right moment, the bundled SKUs simplify the math. But the deployment question is the same whether you add Copilot today or buy into a bundled plan on July 1: is your environment ready for what Copilot can see and do?

Most firms treat Copilot as a licensing decision. It’s actually a configuration decision. The license (however you buy it) just flips the switch. What happens next depends entirely on what your M365 environment looks like when that switch gets flipped.

What’s new in the bundled Copilot

Whether you’re buying the new bundled SKU or adding Copilot to your existing plan, the product has changed significantly since early versions. Here’s what’s included now:

Multi-model access. Copilot now gives users access to both OpenAI (GPT) and Anthropic (Claude) models within the same interface. Users can choose which model to use for a given task. This is a significant change from the GPT-only approach of earlier Copilot versions.

1,000+ connectors. Copilot can reach beyond M365 into CRM, accounting, project management, and other business systems. For firms using Clio, Xero, QuickBooks, or similar tools, Copilot can pull context from those systems into responses and workflows.

Work IQ. Microsoft’s context engine now connects information across your M365 apps (email, calendar, files, Teams) to give Copilot a broader picture of what you’re working on, not just the document in front of you.

Sensitivity label enforcement. If you’ve configured Purview sensitivity labels (marking documents as confidential, internal-only, etc.), Copilot respects those labels. It won’t surface restricted content to users who shouldn’t see it, and it won’t include labeled content in outputs that violate your policies.

What to configure before you turn it on

Whether you’re deploying Copilot next week or next quarter, there are things you want in place before it goes live, not after. We wrote about data readiness in March, and everything in that post still applies. But here’s the tactical checklist for a Copilot deployment:

1. Audit your SharePoint and OneDrive permissions. Copilot can access anything the logged-in user can access. If your SharePoint permissions have drifted over the years (and they have), Copilot will surface content from folders people shouldn’t be seeing. HR documents, partner compensation data, client matters they’re not staffed on. This is the #1 issue firms discover after deploying Copilot without preparation.

2. Configure sensitivity labels in Purview. Even on Business Standard, you can apply basic sensitivity labels to documents and emails. At minimum, label anything that contains client financial data, privileged communications, or HR records. Copilot will respect these labels and exclude labeled content from inappropriate responses.

3. Set up an AI acceptable use policy. Your team is about to have a powerful AI tool inside every Office app. Before that happens, they need to know: what’s appropriate to ask Copilot? Can they paste client information into prompts? Should they verify AI-generated content before sending it to clients? What about court filings? (Florida just mandated that all filers certify cited authorities are accurate, effective June 15. Other states will follow.)

4. Review OAuth consent grants. Copilot’s 1,000+ connectors work via OAuth. When users connect external apps, they’re granting persistent access. If you haven’t restricted OAuth consent in Entra, now is the time. You want admin approval required for any new app connections, especially with Copilot making those connections more visible and tempting to use.

5. Decide on a rollout sequence. Just because Copilot is included doesn’t mean you have to turn it on for everyone at once. You can control Copilot availability via licensing assignment in the M365 admin center. Consider a phased approach: start with 2-3 power users, identify what works and what surfaces unexpectedly, then expand.

What most firms get wrong

The most common mistake we see is treating Copilot deployment as a licensing event rather than a configuration event. The license is now bundled with these new SKUs. The configuration, governance, and user training are where the actual work lives.

Firms that skip the preparation step typically discover one of these problems within the first two weeks:

A junior associate asks Copilot to summarize recent client communications and gets results from matters they’re not supposed to know about (permissions problem)
A partner uses Copilot to draft a brief and sends it without checking citations (process problem, increasingly a compliance problem)
Someone connects a third-party AI scheduling tool via Copilot’s connector framework and grants it mailbox access without realizing it (OAuth problem)
The firm receives a cyber insurance renewal questionnaire asking about AI governance policies they don’t have yet

All of these are preventable with 2-3 days of configuration work before Copilot goes live.

The bigger picture

Microsoft is making AI the default, not the exception. The July 1 bundling is step one. Microsoft Scout (an always-on autonomous agent announced last week) is step two. M365 is becoming an AI-first platform, and firms that haven’t prepared their environment for AI are going to encounter problems that compound over time rather than resolve themselves.

The good news: if your permissions are clean, your data is classified, and your team knows the boundaries, Copilot is genuinely useful. It drafts faster. It summarizes accurately. It finds information you’d otherwise spend 20 minutes hunting for. The firms that do the preparation work get the productivity gains. The ones that don’t get the governance headaches.

If your firm is planning a Copilot deployment (bundled or add-on), give yourself 2-3 weeks of preparation time. That’s enough to audit permissions, configure labels, write a policy, and plan a phased rollout. It’s not enough time to do all of that after something goes wrong.