---
name: copilot-rollout-planner
description: Turn a plain-English brief into a phased Copilot for Microsoft 365 rollout plan with readiness audit, licensing, SharePoint hygiene, pilot design, and measurement.
version: 1.0.0
author: VantagePoint Networks
author_url: https://www.vpnetworks.co.uk
audience: IT Managers, M365 Admins, Modern Workplace Leads, MSP Technical Consultants, DPOs
output_format: Formatted Markdown rollout plan with readiness audit, licensing schedule, phased deployment, pilot cohort, comms pack, governance model, and week-by-week timeline.
license: MIT
last-reviewed: 2026-04
---

# Copilot Rollout Planner

A Claude Code skill for IT managers and M365 admins who need to deploy Copilot for Microsoft 365 in a 20-150-person firm without leaking client data, overspending on licences, or having a pilot that quietly dies after week three.

## How to use this skill

1. Download this `SKILL.md` file.
2. Place it in `~/.claude/commands/` (macOS/Linux) or `%USERPROFILE%\.claude\commands\` (Windows).
3. In Claude Code, run `/copilot-rollout-planner`. Describe where you are in plain English — "we want to try Copilot but don't know where to start" is fine. Answer the clarifying questions and receive a finished rollout plan.

## When to use this

- Leadership has asked "should we buy Copilot?" and you need an answer with the work to back it.
- You have the licences paid for, a senior partner is asking when it launches, and you need a defensible plan by Friday.
- You want to pilot Copilot without risking a SharePoint "oversharing" incident that ends in a client complaint or regulator conversation.
- You need to justify £24-26 per user per month against measurable outcomes, not vibes.
- You are running a regulated practice (law, accountancy, finance, healthcare) and need the tenant configuration decisions documented before any user gets Copilot access.

## What you'll get

A single Markdown document containing:

- A **readiness audit** across tenant, SharePoint, OneDrive, labels, and legacy auth
- A **licensing plan** (what to buy, for whom, on what commitment)
- A **data-boundary plan** covering data residency, DLP, sensitivity labels, and Copilot data-access scope
- A **pilot design** with cohort, duration, concrete use cases, and exit criteria
- A **phased rollout timeline** from pilot through general availability
- A **comms pack** (launch email, FAQ, helpdesk runbook, "what changes for you" one-pager)
- A **measurement framework** tied to the use cases chosen
- A **governance model** for ongoing scope changes and prompt libraries
- A **risk register** with rollback triggers

## Clarifying questions I will ask you

Before producing the plan, I will ask:

1. **What is your current base M365 tier?** (Business Standard, Business Premium, E3, E5, A3, mixed)
2. **How many users are in scope for the Copilot add-on?** (all staff, partners + associates, specific teams)
3. **Is Copilot data processing restricted to a specific region in your tenant?** (EU Data Boundary on/off)
4. **What is the state of SharePoint and OneDrive sharing right now?** (locked down, open internal, "everyone except external" common, unknown)
5. **Do you have Microsoft Information Protection labels configured?** (yes, with enforcement; yes, voluntary; no)
6. **Do you have DLP policies?** (yes — on which channels; no; partial)
7. **What is the sensitivity of the data these users touch?** (client files, privileged info, personal data, financial records, PII of third parties)
8. **Are you regulated?** (SRA, FCA, ICO-registered DPO, HIPAA-equivalent, sector-specific)
9. **Legacy auth disabled?** (yes; no; unsure)
10. **What does success look like 90 days after pilot launch?** (time saved per role, adoption rate, quality of outputs, specific use cases validated)
11. **Who is the business sponsor?** (managing partner, CEO, COO, IT sponsor only)
12. **When is your target go-live?** (date, or "no deadline")

If any of these are unknown, I will flag the gap in the plan and add the discovery task to the timeline rather than guessing.

## Output template

```markdown
# Copilot for Microsoft 365 — Rollout Plan: <org name>

## 1. Executive Summary
- **Scope:** <N> users across <teams/departments>
- **Base tier:** <M365 tier> · **Copilot add-on:** <N> seats
- **Pilot start:** <date> · **General availability target:** <date>
- **Estimated annual cost:** £<N> (licences only, <commitment term>)
- **Primary risk:** <one-line — typically "SharePoint oversharing" for regulated firms>
- **Go/no-go decision point:** <date, after pilot week <N>>

## 2. Readiness Audit
| Area | Current state | Gap | Remediation |
|---|---|---|---|
| Tenant region / EU Data Boundary | | | |
| Conditional Access maturity | | | |
| Legacy auth (POP/IMAP/basic) | | | |
| SharePoint external sharing default | | | |
| OneDrive access policies | | | |
| Sensitivity labels | | | |
| DLP policies (email / Teams / endpoint) | | | |
| Defender for Cloud Apps coverage | | | |
| Purview audit retention | | | |
| Admin roles (least privilege) | | | |

## 3. Licensing Plan
- **Base seat baseline confirmed:** <which tier, how many>
- **Copilot add-on purchase:** <N seats, start date, commitment>
- **Pilot seats vs. GA seats:** <N pilot now, ramp to N at GA>
- **Contingency seats:** <held in reserve for critical new joiners during pilot>
- **True-up schedule:** <when to re-evaluate>

## 4. Data Boundary & Compliance Plan
- **Data residency:** <EU Data Boundary on/off — justification>
- **Copilot data-access scope:** <tenant-wide vs. restricted by Restricted SharePoint Search / site allow-list>
- **Sensitivity-label enforcement:** <mandatory on creation / voluntary / recommended + policy reference>
- **DLP adjustments for Copilot:** <specific rules to add before go-live>
- **Audit retention:** <days — tied to regulator / contract requirement>
- **Regulator alignment:**
  - <SRA / FCA / ICO / sector body>: <which clauses apply and how the plan meets them>

## 5. SharePoint & OneDrive Hygiene (The Oversharing Fix)
Before any pilot user gets Copilot, this must be complete.

1. **Site-by-site review:** flag any site with "Everyone except external users" default access. List below.
2. **Apply "Restricted SharePoint Search" or SharePoint Advanced Management site access restriction** to sensitive sites.
3. **OneDrive:** confirm orphaned accounts archived; confirm default sharing is "only people in your org".
4. **"Everyone except external" → "specific named groups"** migration for the top N oversharing sites.
5. **Label coverage check:** proportion of documents with a sensitivity label applied in pilot sites — target 80%+ before go-live.

### Sites flagged for remediation
| Site | Current sharing | Sensitive content? | Action | Owner | Deadline |
|---|---|---|---|---|---|
| | | | | | |

## 6. Pilot Design
- **Cohort size:** <N users; typically 10-15% of the eventual licensed population>
- **Cohort selection:** <cross-functional, volunteer, role-weighted>
- **Duration:** <typically 6 weeks>
- **Primary use cases to validate:**
  1. <e.g. "Draft first-pass client summaries from meeting notes">
  2. <e.g. "Summarise long contracts against a precedent library">
  3. <e.g. "Extract action items from Teams meetings">
- **Training plan:** <90-minute hands-on session week 1; office hours weekly thereafter>
- **Weekly touchpoints:** <30-min cohort call; async Form feedback>
- **Exit criteria (go/no-go to GA):**
  - [ ] <use case 1> produces outputs acceptable to <reviewer role> in ≥ 80% of samples
  - [ ] Zero confirmed data-leak incidents
  - [ ] Measured time saved ≥ <N hours/user/week>
  - [ ] User satisfaction ≥ <score>

## 7. Phased Rollout Timeline
| Phase | Weeks | Users | Activities |
|---|---|---|---|
| 0. Readiness | -4 to 0 | Admin team | SharePoint hygiene, DLP, labels, CA policies, break-glass review |
| 1. Pilot | 1-6 | <N> | Training, daily use, weekly feedback, issue triage |
| 2. Review | 7 | Steering group | Go/no-go decision, cohort feedback, measurement review |
| 3. Wave 1 GA | 8-10 | <N> | Team-by-team onboarding |
| 4. Wave 2 GA | 11-13 | <N> | Remaining business users |
| 5. Steady-state | 14+ | All | Ongoing governance, prompt library, monthly review |

## 8. Comms Pack
### Pre-launch email (T-7 days)
> Subject: Copilot for Microsoft 365 — what's changing for you on <date>
> ...

### FAQ (top 10 expected questions)
1. **Will Copilot see my private files?** ...
2. **Can I opt out?** ...
3. **What about client confidentiality?** ...
4. **Who can I ask for help?** ...
5. ...

### Helpdesk runbook
- **Tier 1 scripts** for the 5 most likely tickets (prompt not working, access denied, hallucination report, wrong result, privacy worry)
- **Escalation matrix** to tenant admin

### "What changes for you" one-pager (per role)
- <role>: <3-5 concrete things Copilot helps with, 2 things it doesn't, where to ask for help>

## 9. Measurement Framework
| Metric | Baseline | Target (day 90) | How measured |
|---|---|---|---|
| Weekly active users | 0 | 70% of licensed | Microsoft 365 admin centre |
| Use-case adoption (top 3) | 0 | ≥ 60% of cohort using ≥ 1 weekly | Form + Copilot usage reports |
| Self-reported time saved | n/a | <N hours / user / week | Weekly Form |
| Quality review score | n/a | ≥ 4/5 on sample outputs | Blind review by <reviewer role> |
| Security incidents | 0 | 0 | Defender / Purview |

## 10. Governance Model
- **Prompt library:** <where it lives, who curates, review cadence>
- **Use-case intake:** new use cases reviewed monthly for risk + ROI before being endorsed
- **Label / DLP change control:** tied to existing change process
- **Annual compliance review:** data-boundary, regulator guidance, label coverage, audit log review

## 11. Risk Register & Rollback Triggers
| Risk | Likelihood | Impact | Mitigation | Rollback trigger |
|---|---|---|---|---|
| Oversharing incident | Med | High | Site hygiene before pilot | Confirmed data exposure → pause cohort, investigate, remediate |
| Licence overspend | Med | Med | True-up at month 3 | <N>% unused seats → reclaim |
| Regulator query | Low | High | Data-boundary + audit retention documented | Pause cohort, engage compliance, answer in writing |
| Pilot adoption stalls | Med | Med | Weekly office hours, use-case refresh at week 3 | Adoption < 40% at week 3 → cohort call, reset use cases |
| Legacy auth re-enabled accidentally | Low | High | CA policy locked | CA policy drift detected → rollback via Git-backed config |

## 12. Decisions Needed From Leadership
- [ ] Confirm commitment term for Copilot seats (annual vs. monthly)
- [ ] Confirm pilot cohort list (names)
- [ ] Confirm business sponsor + signoff cadence
- [ ] Approve SharePoint remediation budget/time
- [ ] Approve comms tone (conservative / enthusiastic / neutral)

## 13. Out of Scope (Flagged)
- Copilot Studio (custom agents)
- Copilot for Sales / Service / Finance (separate product licences)
- Third-party AI tools (handle separately via AI-use policy)
- Legacy on-prem integrations
```

## Example invocation

**User:** "We're a 60-person London accountancy firm. Partners want Copilot. We have M365 Business Premium, SharePoint is a bit of a mess, and we're ICAEW regulated. Budget is flexible but we don't want to waste it."

**What the skill will do:**
1. Ask the 12 clarifying questions, paying particular attention to SharePoint sharing posture, ICAEW data-handling expectations, and whether sensitivity labels are already deployed.
2. Produce the complete rollout plan above with:
   - A readiness audit that flags "SharePoint oversharing" as the top pre-pilot remediation
   - A 10-seat pilot cohort (senior associates + 2 partners + 1 admin)
   - Three concrete use cases tied to accountancy workflows (client-email drafting, draft engagement letters, meeting-note summarisation against prior-year files)
   - A data-boundary decision locked to EU residency
   - A 90-day measurement plan with time-saved targets per cohort member
   - A specific list of 6 SharePoint sites to remediate before pilot go-live
3. Flag that because the firm is regulated, the plan includes an explicit ICAEW-alignment section and a request for written sign-off from the compliance partner before pilot launch.

## Notes for the requester

- **Do the SharePoint work first, the Copilot licensing second.** Every failed Copilot rollout I have reviewed had one thing in common: they bought the licences before they cleaned up sharing. The "oversharing" headlines from 2024-2025 are still the single biggest risk.
- **Pilot with 10-15% of your eventual population.** Smaller than that and feedback is thin; larger and you're deploying without a safety net.
- **Measure time saved in hours per person per week, not in vibes.** "It feels faster" does not survive contact with a budget review.
- **Document your data-boundary decision in writing before pilot launch.** Regulators (ICO, SRA, FCA, ICAEW) increasingly ask where AI processes data. Having the answer in a signed document is a 20-minute job now that saves hours of scrambling later.
- **Good looks like:** at day 90, a short report the managing partner can read in 5 minutes showing adoption %, average time saved, zero incidents, and a named owner for the next-quarter use-case intake.
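
The section 5 hygiene checks in the template (flag sites granting "Everyone except external users", check pilot-site label coverage against the 80% target) can be scripted against a site inventory. The Python below is an added example, not part of the skill or of any Microsoft tooling; the inventory columns, site names and owners are constructed, and the output rows match the "Sites flagged for remediation" table.

```python
import csv
import io

EEEU = "everyone except external users"  # default-access grant the plan flags
LABEL_TARGET = 0.80                      # section 5, step 5: 80%+ before go-live

# Constructed sample inventory; the column names are assumptions, not a Microsoft export schema.
SAMPLE_INVENTORY = """site,principals,sensitive,pilot_site,docs_total,docs_labelled,owner
Client-Files,Everyone except external users;Partners,yes,yes,1200,540,A. Patel
Precedents,Fee Earners;Partners,yes,yes,800,720,A. Patel
Social-Committee,Everyone except external users,no,no,40,0,J. Reid
New-Matters,Partners,yes,yes,0,0,A. Patel
"""

def audit_sites(inventory_csv, label_target=LABEL_TARGET):
    """Return one finding per site that needs work before the pilot starts."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        principals = [p.strip().lower() for p in row["principals"].split(";")]
        overshared = EEEU in principals
        sensitive = row["sensitive"].strip().lower() == "yes"
        total, labelled = int(row["docs_total"]), int(row["docs_labelled"])
        # An empty library has nothing to label, so it cannot fail the coverage check.
        coverage = labelled / total if total else 1.0
        actions = []
        if overshared and sensitive:
            actions.append("Restrict site access and migrate to named groups")
        elif overshared:
            actions.append("Migrate to named groups")
        if row["pilot_site"].strip().lower() == "yes" and coverage < label_target:
            actions.append(f"Raise label coverage from {coverage:.0%} to {label_target:.0%}")
        if actions:
            sharing = "Everyone except external users" if overshared else "Named groups"
            findings.append({"site": row["site"], "sharing": sharing, "overshared": overshared,
                             "sensitive": sensitive, "actions": actions, "owner": row["owner"]})
    return findings

def remediation_rows(findings):
    """Render findings as Markdown table rows, sensitive overshared sites first."""
    ordered = sorted(findings, key=lambda f: not (f["overshared"] and f["sensitive"]))
    return [f"| {f['site']} | {f['sharing']} | {'Yes' if f['sensitive'] else 'No'} | "
            f"{'; '.join(f['actions'])} | {f['owner']} | <deadline> |" for f in ordered]

if __name__ == "__main__":
    print("\n".join(remediation_rows(audit_sites(SAMPLE_INVENTORY))))
```

An empty findings list is the condition under which section 5 can be treated as complete for the inventoried sites.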

---
*VantagePoint Networks · <https://www.vpnetworks.co.uk> · Authored by Hak · Free under the MIT licence*
