Microsoft Copilot is one of the most talked-about productivity tools in professional services right now. It can draft emails, summarize long documents, build presentations from your data, and answer questions about your files, all inside the Microsoft 365 apps your firm already uses.

But there’s a catch most firms don’t hear until it’s too late: Copilot can only work with the data it can see. And it sees everything your users can see.

That’s great if your Microsoft 365 environment is well-organized, properly permissioned, and free of stale data. It’s a problem if things have gotten a little messy over the years, which is the case for most firms we work with.

Before you flip the switch on Copilot, there’s work to do. We call it data readiness, and it’s the difference between a tool that makes your firm faster and one that creates risk.

Why Copilot changes the stakes

In a traditional Microsoft 365 setup, disorganized files and loose permissions are annoying but mostly invisible. An attorney might stumble across the wrong folder once in a while, or a paralegal might find an old version of a document. Not great, but the harm is limited because people generally only look at what they need.

Copilot changes that. When a user asks Copilot to “find all documents related to the Johnson matter” or “summarize our latest client communications,” it searches across everything that user has access to: SharePoint, OneDrive, Teams, email, and more. And with the recent introduction of Copilot Cowork, Microsoft’s new execution layer, Copilot can now run multi-step tasks autonomously — coordinating across your files, calendar, and email on your behalf. It doesn’t distinguish between current case files and a draft partnership agreement from 2019 that someone stored in the wrong folder. It doesn’t know that the HR folder with salary information shouldn’t be accessible to everyone. It just surfaces — and now potentially acts on — what it finds.

For a law firm, where privilege and confidentiality are non-negotiable, this is a serious concern. An associate asking Copilot a reasonable question could inadvertently pull up files from a matter they’re not staffed on, or worse, information that creates a conflict.

What data readiness actually looks like

Getting your environment ready for Copilot isn’t a massive IT overhaul. It’s focused effort across four areas.

Permissions audit

This is the big one. Over time, Microsoft 365 permissions tend to drift. Someone gets added to a SharePoint site for a quick project and never gets removed. A Teams channel is created with broad access because it was easier. Shared drives migrate from an on-premise server with permissions that don’t translate cleanly.

The question is simple: can every user access only what they should?

For law firms, that means matter-level access controls so only attorneys and staff on a case can see those files. Sensitive categories like HR, financials, and partnership documents locked to the right people. No “Everyone” or “All Staff” permissions on sensitive SharePoint sites. Guest and external sharing settings reviewed and tightened.

Data classification

Not all files are equal. Client files are confidential. Internal policies are sensitive. Marketing materials are public. Your Microsoft 365 environment should reflect those distinctions.

Microsoft 365 includes built-in tools for this: sensitivity labels and data loss prevention policies that can tag and protect files based on their classification. Most firms we encounter aren’t using them. Before deploying Copilot, setting up even a basic classification scheme helps control what gets surfaced and how sensitive content is handled.

A starting point for most law firms:

Confidential — Client Matter: Case files, correspondence, work product
Confidential — Internal: HR records, financial statements, partner compensation
Internal Use: Policies, procedures, templates
Public: Marketing materials, published content

Stale content cleanup

How many files in your SharePoint or OneDrive haven’t been touched in three years? Five years?

Every one of those files is something Copilot can find and reference. Old drafts that were never finalized, outdated templates with wrong language, correspondence from closed matters that should have been archived. All of it becomes part of Copilot’s working dataset.

Cleanup doesn’t mean deleting everything old. It means archiving closed matters to a location that’s excluded from active search, removing duplicate files, deleting true junk (draft versions, test documents, files with no business purpose), and establishing retention policies so it doesn’t accumulate again.

Folder structure and naming conventions

Copilot works better when your data is organized logically. If every matter has a consistent folder structure, Copilot can find and summarize relevant documents more accurately. If your SharePoint is a grab bag of inconsistently named folders, the results will reflect that.

This doesn’t require a massive reorganization. It means establishing a standard going forward and bringing high-priority content into alignment where practical: consistent matter folder templates, naming conventions that include matter numbers or client identifiers, and clear separation between active matters and archived ones.

What happens if you skip this

Firms that deploy Copilot without doing data readiness work typically hit one of two walls.

The first is embarrassing results. Copilot surfaces a draft document from six years ago as if it’s current, or pulls information from a matter that creates a conflict. The firm pulls back on Copilot usage and the investment stalls.

The second is that nobody uses it. Attorneys try Copilot, get unhelpful or inaccurate results because the underlying data is disorganized, and conclude the tool doesn’t work. Adoption flatlines.

Neither outcome is what you want from a paid-per-user investment, whether that’s the full Microsoft 365 Copilot license or the lower-cost Copilot for Business tier.

This is a project, not a setting

Data readiness isn’t something you accomplish by checking a box in the admin console. It takes planning, execution, and ongoing maintenance. The good news is that it’s a bounded effort: most firms can get to a solid baseline in a few weeks with the right help.

A typical engagement starts with mapping your current SharePoint structure, permissions model, and data landscape. From there, identify the biggest exposure areas (overshared sites, unprotected sensitive data, stale content volumes), then remediate: fix permissions, apply sensitivity labels, archive or remove stale content, and establish folder standards. Configure retention policies, DLP rules, and Copilot-specific settings. Then test Copilot behavior against the cleaned-up data to verify it surfaces what it should and nothing it shouldn’t.

This is the kind of work where having an IT provider who understands law firm data makes a real difference. A generalist can fix permissions, but they’ll miss things like matter-level isolation or privilege implications that are specific to legal.

Do this first

Deploying Copilot on top of a disorganized, overshared Microsoft 365 environment creates risk. It surfaces things it shouldn’t, returns bad results, and kills adoption before it starts.

Do the data readiness work first. Your attorneys will get better results, your clients’ data stays protected, and you’ll actually get what you’re paying for.

Thinking about deploying Copilot at your firm? Artech Solutions helps Iowa law firms prepare their Microsoft 365 environments for AI, from permissions audits to data classification and ongoing management. Let’s talk about getting your data ready.