Control 1.1: Copilot Readiness Assessment and Data Hygiene — PowerShell Setup

Automation scripts for conducting Copilot readiness assessments and data hygiene evaluations at scale.

Prerequisites

• PowerShell 7.x or later
• Microsoft Graph PowerShell SDK (Microsoft.Graph)
• SharePoint Online Management Shell (Microsoft.Online.SharePoint.PowerShell) — requires SharePoint Admin role
• Exchange Online Management module (ExchangeOnlineManagement) — requires Purview Compliance Admin or equivalent role
• Global Reader or Security Reader role (minimum for Graph-based read operations; SharePoint Admin required for SPO cmdlets)

Scripts

Script 1: SharePoint Site and Sharing Inventory

# Generate SharePoint site and sharing inventory for Copilot readiness
# Requires: Microsoft.Graph module with Sites.Read.All

Import-Module Microsoft.Graph.Sites

Connect-MgGraph -Scopes "Sites.Read.All"

$report = @{
    AssessmentDate = Get-Date -Format "yyyy-MM-dd"
    TotalSites = 0
    SitesWithOversharing = 0
    UnlabeledDocuments = 0
    PermissionAnomalies = 0
}

# Enumerate SharePoint sites and check sharing settings
$sites = Get-MgSite -Search "*" -All
$report.TotalSites = $sites.Count

foreach ($site in $sites) {
    $permissions = Get-MgSitePermission -SiteId $site.Id -ErrorAction SilentlyContinue
    $externalShares = $permissions | Where-Object {
        $_.GrantedToIdentities.Application -or $_.GrantedToIdentitiesV2.SiteUser.LoginName -like "*#ext#*"
    }
    if ($externalShares.Count -gt 0) {
        $report.SitesWithOversharing++
    }
}

$report | ConvertTo-Json | Out-File "CopilotReadinessReport_$(Get-Date -Format 'yyyyMMdd').json"
Write-Host "Readiness assessment complete. Results saved to JSON report."

Script 2: Data Hygiene Scan — Stale and Overshared Content

# Identify stale content and overshared sites for hygiene remediation
# Requires: SharePoint Online Management Shell

Import-Module Microsoft.Online.SharePoint.PowerShell

Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

$results = @()
$sites = Get-SPOSite -Limit All -IncludePersonalSite $false

foreach ($site in $sites) {
    $siteDetail = Get-SPOSite -Identity $site.Url -Detailed
    $row = [PSCustomObject]@{
        Url                = $site.Url
        Title              = $site.Title
        SharingCapability  = $siteDetail.SharingCapability
        LastContentModified = $siteDetail.LastContentModifiedDate
        StorageUsageMB     = [math]::Round($siteDetail.StorageUsageCurrent, 2)
        IsStale            = ($siteDetail.LastContentModifiedDate -lt (Get-Date).AddDays(-180))
        IsOvershared       = ($siteDetail.SharingCapability -eq "ExternalUserAndGuestSharing")
    }
    $results += $row
}

$staleCount = ($results | Where-Object { $_.IsStale }).Count
$oversharedCount = ($results | Where-Object { $_.IsOvershared }).Count

Write-Host "Total sites: $($results.Count)"
Write-Host "Stale sites (>180 days): $staleCount"
Write-Host "Overshared sites: $oversharedCount"

$results | Export-Csv "DataHygieneScan_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

Script 3: Sensitivity Label Configuration Report

# Report on sensitivity label configuration and publishing status
# Requires: Security & Compliance PowerShell (Purview Compliance Admin or equivalent role)

Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$labelPolicies = Get-LabelPolicy
$labels = Get-Label

Write-Host "=== Sensitivity Label Configuration ==="
Write-Host "Active label policies: $($labelPolicies.Count)"
Write-Host "Published labels: $($labels.Count)"

foreach ($label in $labels) {
    Write-Host "  - $($label.DisplayName) | Priority: $($label.Priority) | Enabled: $(-not $label.Disabled)"
}

# Export label configuration for documentation
$labels | Select-Object DisplayName, Priority, @{Name="Enabled";Expression={-not $_.Disabled}}, ParentId, ContentType |
    Export-Csv "SensitivityLabelConfig_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

Scheduled Tasks

Task	Frequency	Purpose
Readiness Assessment	Weekly during pre-deployment	Track remediation progress
Data Hygiene Scan	Monthly	Identify new stale or overshared content
Label Configuration Report	Weekly	Monitor label publishing and policy status

Configure scheduled tasks using Azure Automation or Windows Task Scheduler to run these scripts on the recommended cadence.

Next Steps

• See Verification & Testing for validation procedures
• See Troubleshooting for common script issues
• Back to Control 1.1: Copilot Readiness Assessment