Copilot Deployment Prerequisites
Comprehensive checklist of prerequisites for deploying Microsoft 365 Copilot in government environments. Covers licensing foundations, Entra ID readiness, SharePoint and OneDrive checks, and the baseline configurations you must confirm before assigning a single Copilot license.
Overview
Deploying Microsoft 365 Copilot isn’t just about assigning licenses. Copilot touches everything your users can access—email, files, chats, meetings—so your Microsoft 365 foundation has to be solid before you flip the switch.
This video walks through every prerequisite you need to confirm before enabling Copilot in GCC, GCC High, or DoD environments. By the end, you’ll have a go/no-go checklist you can use to verify readiness and proceed with confidence.
What You’ll Learn
- Licensing Foundation: Which base licenses and add-ons are required, including government-specific SKUs
- Entra ID Readiness: Identity model, MFA, and Conditional Access requirements
- SharePoint and OneDrive: Permission reviews, oversharing checks, and content indexing readiness
- Exchange and Teams: Mailbox provisioning, transcription policies, and retention settings
- Network Baseline: Required endpoints, bandwidth considerations, and supported clients
Script
Hook: why prerequisites matter more than you think
Copilot touches everything your users can access. Email, files, chats, meetings, SharePoint sites, OneDrive documents—all of it. That means your Microsoft 365 foundation has to be solid before you enable Copilot for anyone.
Skip the prerequisites and you’ll get surprises during rollout. Users seeing content they shouldn’t. Copilot unable to access files it should. Help desk tickets you could have prevented.
This video gives you the complete checklist. Every prerequisite, every configuration you need to verify, so you can deploy with confidence.
Licensing foundation
Let’s start with the foundation: licensing.
Microsoft 365 Copilot requires two things. First, a qualifying base license. Second, the Copilot add-on license itself.
For the base license, your users need one of these: Microsoft 365 E3, Microsoft 365 E5, Office 365 E3, or Office 365 E5. In government environments, these are the GCC, GCC High, or DoD variants of those plans. If your users are on E1 or F-series plans, they don’t qualify for Copilot today.
The Copilot add-on is a separate per-user license. It’s called “Microsoft 365 Copilot” in the admin center. You purchase it in addition to the base license.
Here’s the government-specific piece. Copilot availability differs by cloud environment. GCC has the broadest feature parity with commercial. GCC High and DoD have Copilot available but may have feature gaps or delayed rollouts for certain capabilities. Check the Microsoft 365 roadmap and the government cloud service description for current availability in your environment.
To verify your licensing, go to the Microsoft 365 admin center, then Billing, then Licenses. Confirm you have both qualifying base licenses and Copilot add-on licenses available. If you’re planning a pilot, make sure you have enough Copilot licenses for your pilot group before proceeding.
Don’t assume your existing Enterprise Agreement covers Copilot. It’s a separate line item. Verify with your Microsoft account team or licensing reseller if you’re not sure.
Entra ID readiness
Next: identity. Copilot relies on Microsoft Entra ID—formerly Azure Active Directory—for authentication and authorization. Your identity configuration needs to be solid.
First, understand your identity model. Are you cloud-only or hybrid? If you’re hybrid, is Entra Connect syncing properly? Are there stale or orphaned accounts that could create unexpected access patterns when Copilot starts indexing?
Clean up your directory before you enable Copilot. Disable stale accounts, review group memberships, and make sure your user population is accurate.
Second, Entra ID plan requirements. You need Entra ID P1 at minimum. P1 gives you Conditional Access, which is essential for controlling how and where users access Copilot. If you’re in GCC High or DoD, you likely already have P2 as part of your E5 licensing. Verify this.
Third, MFA. Multi-factor authentication must be enforced for all Copilot users. This isn’t optional in government environments. If you’re still using legacy per-user MFA, migrate to Conditional Access-based MFA policies. The security defaults alone are not sufficient for government compliance requirements.
Fourth, Conditional Access policies. Before enabling Copilot, validate that your existing policies apply to Copilot scenarios. Specifically, check that device compliance requirements are enforced, that managed device policies are in place, and that session controls like sign-in frequency and persistent browser sessions are configured appropriately.
Copilot sessions are long-running. Users interact with Copilot throughout their workday. Make sure your session timeout and reauthentication policies account for this usage pattern.
Finally, review any app registration or service principal configurations that might affect Copilot. Microsoft manages the Copilot service principal, but if you have restrictive policies on enterprise applications or consent workflows, verify that Copilot is allowed.
SharePoint and OneDrive readiness
This is the prerequisite area that catches most organizations off guard. SharePoint is Copilot’s primary content index. When users ask Copilot questions about their organization’s content, Copilot searches SharePoint and OneDrive to find answers. That means your SharePoint environment directly determines what Copilot can and cannot do.
Start with OneDrive provisioning. Every user you plan to enable for Copilot must have a provisioned OneDrive. If users haven’t signed into OneDrive yet, their personal storage isn’t provisioned and Copilot won’t have access to their files. You can pre-provision OneDrive for users using PowerShell or the SharePoint admin center.
Next, and this is critical: review your SharePoint permissions and sharing posture.
Copilot respects existing permissions. It only shows users content they already have access to. But here’s the problem: many organizations have oversharing they don’t know about. SharePoint sites with “everyone except external users” permissions. OneDrive folders shared with entire departments. Team sites that were never locked down after a project ended.
Use SharePoint Advanced Management to run oversharing reports. These reports identify sites and content that are shared more broadly than intended. Before enabling Copilot, remediate the worst offenders. You don’t need to fix everything, but you need to fix the high-risk items.
Review external sharing settings at both the tenant and site level. In government environments, external sharing should be restricted or disabled for most sites. Verify your configuration.
Check that sensitivity labels are applied to your most important document libraries and sites. Labels that restrict access or apply encryption will be respected by Copilot. If your sensitive content isn’t labeled, now is the time to fix that.
Finally, verify that the SharePoint search index is healthy. Copilot uses the search index to find content. If your index is stale or sites are excluded from search, Copilot won’t find that content. Run a search health check in the SharePoint admin center.
Exchange Online and Teams readiness
Exchange Online and Teams are the other two major data sources for Copilot.
For Exchange Online, verify that all target users have provisioned mailboxes. Copilot needs access to a user’s mailbox to summarize emails, draft responses, and surface calendar information. Make sure modern authentication is enabled—legacy authentication protocols are not supported.
Review your mailbox policies. If you have information barriers or mailbox access restrictions, verify that they work as expected with Copilot. Copilot accesses email on behalf of the signed-in user, so existing access controls apply.
For Teams, the key prerequisites are transcription and recording policies.
Copilot in Teams meetings relies on meeting transcription. If transcription is disabled in your tenant or for specific meeting policies, Copilot cannot generate meeting summaries or recap content. Decide whether to enable transcription for your pilot users and configure the appropriate meeting policies.
Similarly, review your Teams retention settings. Copilot can reference chat history and channel conversations. If your retention policies delete content aggressively, Copilot may not have access to recent conversations. Align your retention settings with your intended Copilot use cases.
Network and endpoint baseline
The network requirements for Copilot are straightforward but essential.
Microsoft publishes required URLs and IP address ranges for all Microsoft 365 services, including Copilot. Your proxy servers and firewalls must allow traffic to these endpoints. If you’re in a government environment with restricted internet access, work with your network team to add the required Copilot endpoints to your allow lists.
Bandwidth is generally not a concern for Copilot. It uses text-based interactions that consume minimal bandwidth compared to Teams video or large file transfers. However, if you’re on a constrained network, monitor traffic during your pilot to establish a baseline.
For client endpoints, Copilot requires current versions of Microsoft 365 apps. That means Microsoft 365 Apps for Enterprise on the Current Channel or Monthly Enterprise Channel. Older versions and perpetual Office licenses do not support Copilot. Verify that your pilot users are on supported versions before enabling their licenses.
Copilot is also available in the web browser through Microsoft 365 web apps. Make sure your supported browsers are current and that any browser-based security policies don’t block Copilot functionality.
Close: your go/no-go checklist
Here’s your checklist. Work through each item before you assign your first Copilot license.
Licensing: qualifying base licenses confirmed, Copilot add-on licenses procured and available.
Identity: Entra ID directory is clean, MFA is enforced via Conditional Access, device compliance policies are applied, session controls are configured.
SharePoint and OneDrive: OneDrive provisioned for all target users, oversharing reports reviewed and high-risk items remediated, external sharing settings verified, sensitivity labels applied to critical content, search index healthy.
Exchange and Teams: mailboxes provisioned with modern auth, transcription policies configured, retention settings aligned with Copilot use cases.
Network: required endpoints allow-listed, client apps on supported versions.
If you can check every box, you’re ready to assign licenses and start your pilot. If you have gaps, address them first. Every hour you spend on prerequisites saves you days of troubleshooting during rollout.
Sources & References
- Microsoft 365 Copilot requirements — Primary requirements reference for Copilot deployment
- Microsoft 365 Copilot setup — Setup checklist and readiness steps
- Enable users for Microsoft 365 Copilot — User enablement and license assignment guidance
- Get ready for Copilot with SharePoint Advanced Management — SharePoint oversharing and readiness tools