How to Get Your Microsoft 365 Tenant Ready for Copilot Cowork: A Governance-First Guide for IT Leaders
If you manage a Microsoft 365 environment for a mid-market organisation, you’ve probably already heard the buzz: Copilot Cowork is here, and it’s not just another Copilot feature. Getting your copilot cowork tenant ready is a governance exercise first and a technical toggle second. This guide walks you through every step — from Frontier enrollment to oversharing remediation to pilot group design — so you can turn Cowork on with confidence, not crossed fingers.
Microsoft announced Copilot Cowork on March 9, 2026, and it’s currently in Research Preview through the Microsoft 365 Frontier program. Access is expanding to more Frontier customers through late March. If you’re an IT Director or senior IT leader at a company with 200 to 1,000 employees, the window to prepare is right now — before your CEO reads about it on LinkedIn and asks why it’s not turned on yet.
What Is Copilot Cowork and Why Does It Change the Game?
Regular Microsoft 365 Copilot responds to prompts. You ask it a question, it gives you an answer. Copilot Cowork is fundamentally different: it can autonomously execute multi-step tasks across your Microsoft 365 environment. Think of it as the difference between asking someone a question and delegating an entire project.
Cowork can draft emails in Outlook, create presentations in PowerPoint, analyse data in Excel, compile information from SharePoint, and coordinate across these applications — all from a single instruction. It doesn’t just retrieve information; it acts on it.
For IT leaders, this distinction matters enormously. When Copilot reads a SharePoint document to answer a question, the blast radius of a permissions mistake is limited. When Cowork autonomously pulls data from multiple SharePoint sites, drafts a report, and emails it to a distribution list, every overshared permission in your tenant becomes a potential data leak at scale.
That’s why getting your tenant ready for Copilot Cowork is not a licensing question. It’s a governance question.
How Is Copilot Cowork Different from Claude Cowork?
If you’ve been following the AI space, you may have noticed that Anthropic released its own Claude Cowork product for Mac and Windows earlier in 2026. Copilot Cowork was built in close collaboration with Anthropic and uses the same underlying reasoning model — but there are critical differences for enterprise IT.
Claude Cowork runs locally on a user’s device. Copilot Cowork runs in the cloud, inside your Microsoft 365 tenant. That distinction matters because Copilot Cowork operates within your existing security, identity, and governance framework — Entra ID, Purview, Defender, and your compliance policies all apply by default. It also draws on Work IQ, Microsoft’s intelligence layer that connects context from Outlook, Teams, SharePoint, and the rest of your M365 environment, giving it a richer understanding of your organisation’s work than a locally-run tool can achieve.
For IT leaders evaluating both: Claude Cowork may suit individual power users working with local files. Copilot Cowork is the enterprise play — auditable, permission-scoped, and governed by the controls you already manage.
Step 1: Confirm Your Licensing and Frontier Program Enrollment
Before anything else, you need the right licences and program enrollment in place.
Licensing requirements:
Copilot Cowork requires Microsoft 365 Copilot licences for every user who will access it. As of March 2026, this means either standalone Copilot licences added to your existing E3 or E5 plan, or the new Microsoft 365 E7 “Frontier Suite” (GA May 1, 2026). E7 bundles Microsoft 365 E5, Microsoft 365 Copilot, Agent 365, and the Microsoft Entra Suite — including Entra ID P2, Entra Internet Access, and Entra Private Access — into a single licence at $99/user/month. That’s roughly a 15% saving over purchasing these components separately.
If you’re currently on E3, you’ll need Copilot add-on licences. If you’re on E5, the same applies — though the upcoming E5 price increase to $60/user/month from July 1, 2026, may make E7 worth evaluating for your pilot group. If you’re weighing your licensing options, get in touch — we can walk you through the E3 vs E5 vs E7 math for your specific environment.
Joining the Microsoft 365 Frontier program:
Copilot Cowork is currently available only through the Frontier program, Microsoft’s early-access program for organizations willing to test cutting-edge features. To enroll:
1. Sign in to the Microsoft 365 admin centre as a Global Administrator.
2. Navigate to Settings > Org settings > Organization profile.
3. Look for Release preferences and select Targeted release for selected users or Targeted release for entire organization (the former is strongly recommended for a controlled rollout).
4. Apply for the Frontier program through the admin centre banner or the dedicated Frontier enrollment page. Microsoft is approving applications on a rolling basis through late March 2026.
Note: Frontier program enrollment is separate from Targeted Release. You need both — Targeted Release for the technical preview features, and Frontier enrollment for Cowork specifically.
How much does Copilot Cowork cost?
During Research Preview, Cowork is included with existing Copilot licences at no additional charge. Microsoft has not announced separate pricing for Cowork post-preview. Current indications suggest it will remain part of the standard Copilot licence, though pricing decisions are ultimately Microsoft’s to make. The E7 licence at $99/user/month includes everything. Keep an eye on the Microsoft 365 roadmap for pricing updates.
Step 2: Audit and Fix SharePoint Oversharing — Before You Turn Anything On
This is the single most important step in your Copilot Cowork readiness plan. It’s also the one most organisations skip, and the one that causes the most damage.
Copilot Cowork respects your existing Microsoft 365 permissions. That sounds reassuring until you realise what it actually means: every “Everyone except external users” sharing link, every site with broken inheritance, every team with 500 members who shouldn’t have access — Cowork will use all of it. And unlike a human user who might never stumble into the wrong SharePoint site, Cowork will systematically access everything it’s permitted to access when executing a task.
What permissions does Copilot Cowork need to access my data?
Cowork uses the same permissions model as the user who initiated the task. If you ask Cowork to compile a report, it can access every SharePoint site, OneDrive folder, email, and Teams channel that you can access. No more, no less. The risk isn’t that Cowork has special permissions — it’s that your users already have too many permissions, and Cowork will actually use them.
Run an oversharing audit:
1. Open the SharePoint admin centre and navigate to Sites > Active sites.
2. Use SharePoint Advanced Management (included with E5 and Copilot licences) to run a Data Access Governance report. This shows you which sites have the broadest sharing patterns.
3. Look specifically for: sites shared with “Everyone except external users,” sites with more than 100 unique permissions, sites where sharing links have been created without expiration dates, and sites where inheritance has been broken at the folder or file level.
4. Use Microsoft Purview Data Security Posture Management (DSPM) for AI to get a Copilot-specific oversharing assessment. Navigate to Purview compliance portal > DSPM for AI > Recommendations to see which content is most at risk.
Remediation priorities for mid-market organisations:
You don’t need to fix everything before enabling Cowork for a pilot group. Focus on these three areas first:
Start with your executive and finance SharePoint sites. These contain the most sensitive information and are the most likely to cause real damage if surfaced inappropriately. Verify that permissions are limited to the people who actually need access. Remove any “Everyone except external users” links.
Next, address your HR and legal content. Personnel files, salary data, legal correspondence — lock these down with explicit permissions and sensitivity labels. If you’re unsure how to approach this systematically, this is exactly the kind of issue our M365 assessment is designed to surface.
Finally, review your Teams-connected SharePoint sites. Every Microsoft Teams team creates a SharePoint site. Many organisations have dozens of abandoned teams with open membership. Each one is a potential data source for Cowork. Archive or delete teams that are no longer active, and tighten membership on the rest.
Not sure where your tenant stands? Floor 16’s complimentary Microsoft 365 assessment gives you a clear picture of your governance posture, oversharing risks, and Copilot readiness — in a single session, with actionable recommendations you can implement immediately.
Step 3: Enable and Configure Agent 365
Agent 365 is Microsoft’s new AI agent control plane, announced alongside E7 and going GA on May 1, 2026, at $15/user/month as a standalone add-on or included with E7. While Copilot Cowork can function without Agent 365, the control plane gives you critical governance capabilities that you’ll want in place — especially for a mid-market organisation where the IT team is small and can’t manually monitor every AI interaction.
What is Agent 365 and do I need it for Copilot Cowork?
Agent 365 provides centralised management for all AI agents in your Microsoft 365 environment, including Copilot Cowork. It extends Entra ID, Purview, and Defender to cover AI agents — letting you assign agent identities, audit their actions, apply compliance policies, and monitor for risky behaviour. Think of it as Group Policy for AI.
During Research Preview, Agent 365 features are limited but growing. To prepare:
1. In the Microsoft 365 admin centre, navigate to Settings > Copilot (or Settings > Agent 365 if the new navigation has rolled out to your tenant).
2. Review the AI provider settings. Ensure that only approved AI providers are enabled. For most mid-market organisations, this means Microsoft’s own models only — disable third-party AI provider access unless you have a specific, reviewed use case.
3. Set up agent usage policies for your pilot group. Start restrictive: limit which applications Cowork can interact with, which SharePoint sites it can access, and whether it can send communications (emails, Teams messages) on behalf of users.
4. Enable audit logging for all Copilot and agent activities. Navigate to Purview compliance portal > Audit and ensure that Copilot interaction events are being captured.
Step 4: Design Your Pilot Group and Governance Guardrails
Do not roll Copilot Cowork out to your entire organisation at once. This is not a feature you flip on globally and hope for the best. A structured pilot is essential — both for managing risk and for building the internal knowledge you’ll need to support a broader rollout.
Selecting your pilot group:
For a mid-market organisation with 200 to 1,000 employees, aim for a pilot group of 10 to 25 users. Choose people who meet all of these criteria: they have well-scoped SharePoint and OneDrive permissions (you’ve already audited these in Step 2), they work in a department where the productivity gains are obvious and measurable, they’re comfortable providing feedback and reporting issues, and their manager is supportive and willing to participate in weekly check-ins.
Good pilot departments for mid-market companies: marketing (content creation and coordination), project management (status reports and cross-team updates), and operations (data compilation and reporting). Avoid starting with finance, HR, or legal — the data sensitivity is too high for an initial pilot, regardless of how well you’ve cleaned up permissions.
Governance guardrails to establish before day one:
Write a one-page Copilot Cowork Acceptable Use Policy. It doesn’t need to be a legal document — it needs to set clear expectations. Cover these points: what types of tasks are appropriate for Cowork (drafting documents, compiling information, scheduling) and what types are not (sending external communications without review, accessing sensitive data repositories, making financial transactions). Define the review requirement — must a human review every Cowork output before it’s shared externally? For the pilot, the answer should be yes.
Establish a feedback channel. Create a dedicated Teams channel where pilot users can report unexpected behaviour, share tips, and flag concerns. Assign someone on your IT team to monitor this channel daily during the first two weeks.
Set up weekly pilot review meetings. Fifteen minutes, every Friday. Review what worked, what didn’t, what was surprising. Document everything — this becomes your rollout playbook.
Step 5: Prepare Your Change Management Communications
Your pilot users need context, not just access. Before turning on Cowork for the pilot group, send a brief communication covering what Copilot Cowork is and how it differs from regular Copilot, what they can and can’t use it for (reference the Acceptable Use Policy), how to report issues or unexpected behaviour, and that this is a pilot — their feedback directly shapes the broader rollout.
Don’t oversell it. The biggest change management mistake with AI tools is setting expectations too high. Position Cowork as a powerful assistant that needs guidance, not a replacement for human judgment. Frame it this way: “Cowork can handle the first draft. You handle the final version.”
Also prepare a brief FAQ document for your pilot users covering common questions: “Can Cowork access my personal OneDrive files?” (Yes, if you initiate the task.) “Will my manager see what I ask Cowork to do?” (Audit logs capture interactions, but they’re reviewed by IT, not individual managers, unless your policy states otherwise.) “What happens if Cowork makes a mistake?” (You review everything before it’s final — that’s the point of the pilot.)
Step 6: Monitor, Measure, and Iterate
Once the pilot is live, your job shifts from preparation to observation. Set up these monitoring practices from day one:
Usage metrics: Track how many Cowork interactions each pilot user has per week, what types of tasks they’re delegating, and how long tasks take compared to manual completion. The Microsoft 365 admin centre’s Copilot usage reports (under Reports > Usage) provide baseline data. Supplement with feedback from your weekly pilot meetings.
Security monitoring: Watch the Purview audit logs for any Copilot interactions that accessed content outside the pilot users’ expected scope. Set up alerts for Cowork interactions involving sensitivity-labelled content. If a pilot user’s Cowork task accessed an executive SharePoint site they technically have permissions to but never visit, that’s a signal to tighten permissions — not a Cowork bug.
Iterate your governance policies: After two weeks of pilot data, revisit your Acceptable Use Policy. You’ll likely need to adjust the boundaries based on what pilot users are actually trying to do. Some restrictions you set initially will be too tight (preventing legitimate productivity gains) and others too loose (allowing interactions you hadn’t anticipated).
Plan for a four-week pilot minimum before considering broader rollout. At the end of four weeks, you should have enough data to answer three critical questions: Is the productivity gain real and measurable? Are the governance guardrails holding? What needs to change before we expand to the next group?
What Comes Next
Getting your Microsoft 365 tenant ready for Copilot Cowork isn’t a weekend project, but it’s not a six-month initiative either. For a mid-market organisation, a focused IT leader can complete the licensing, oversharing audit, pilot design, and governance setup in one to two weeks. The pilot itself runs four weeks. By mid-May 2026, you could have a proven Copilot Cowork deployment with data to support expanding it across your organisation.
The organisations that get this right will have a significant advantage — not just in productivity, but in confidence. They’ll know their data is protected, their governance is solid, and their team is ready. The ones that skip the preparation will spend months cleaning up the mess.
If you’re not sure where your tenant stands today, Floor 16’s complimentary Microsoft 365 assessment gives you a clear picture of your governance posture, oversharing risks, and Copilot readiness — in a single session, with actionable recommendations you can implement immediately.