Control 1.1: Copilot Readiness Assessment and Data Hygiene — Troubleshooting

Common issues and resolution steps for Copilot readiness assessment and data hygiene procedures.

Common Issues

Symptoms: The Optimization Assessment reports that a high percentage of endpoints are on Semi-Annual Enterprise Channel or an unsupported Office update channel
Root Cause: Semi-Annual Enterprise Channel does not receive Copilot feature updates. Endpoints on this channel may install the Copilot license but will not have access to the latest Copilot capabilities.
Resolution:
Use Microsoft Intune (Devices > Update rings for Microsoft 365 Apps) to move endpoints from Semi-Annual Enterprise Channel to Current Channel or Monthly Enterprise Channel
For Group Policy-managed environments, update the "Update Channel" policy to "Current Channel" (or "Monthly Enterprise Channel" for environments requiring monthly patch cycles)
For a phased approach, move Copilot pilot users first, then expand as each group transitions channels
Allow 1-7 days for channel transitions to complete after policy change
Re-run the Optimization Assessment to confirm update channel compliance improves after the transition

Symptoms: Dashboard loads but displays "No data available" or shows stale information older than 7 days
Root Cause: The readiness assessment requires specific licensing and tenant configuration to generate data. Data may not populate until Copilot licenses are assigned to at least one user or the assessment service has not completed its initial scan.
Resolution:
Verify at least one Microsoft 365 Copilot license exists in the tenant (even if unassigned)
Check that the signed-in account has Global Administrator or Global Reader role
Wait 48-72 hours after initial license provisioning for data to populate
If data remains unavailable, open a Microsoft support ticket referencing the Copilot readiness service

Symptoms: The DSPM for AI report shows fewer sites than expected, or known sensitive sites are not appearing in the oversharing assessment
Root Cause: DSPM scanning may not cover all site types by default. Personal OneDrive sites, Teams-connected sites with specific configurations, or recently created sites may be excluded from the initial scan scope.
Resolution:
Verify DSPM for AI is enabled in Microsoft Purview > Data Security Posture Management
Check that the scan scope includes all relevant site templates
Manually add missing sites to the DSPM assessment scope
Allow 24-48 hours for newly added sites to appear in reports

Symptoms: Scripts fail with "Access Denied", "Insufficient privileges", or "Connect-MgGraph: Interactive authentication is not supported"
Root Cause: Graph API consent may not be granted, or the execution environment does not support interactive authentication (e.g., Azure Automation runbooks).
Resolution:
For interactive sessions: Run Connect-MgGraph -Scopes "Sites.Read.All" and consent to permissions
For automated execution: Register an Entra ID app with certificate authentication and required API permissions
Verify the app registration has admin consent for required Graph API scopes
For SPO Management Shell: Confirm the account has SharePoint Administrator role

Symptoms: Label analytics shows coverage well below expected levels despite active labeling policies
Root Cause: Label analytics may have reporting delays of up to 7 days. Additionally, labels applied via client-side labeling (manual) may not be reflected until documents are next accessed or indexed.
Resolution:
Verify reporting timeframe in Label Analytics (default may be 7-day window)
Check auto-labeling policy status — confirm policies are enabled and not in simulation mode
Review label policy scoping — labels may not be published to all user groups
Force a re-index of key SharePoint sites using Request-SPOReIndex

Symptoms: Sites actively used by teams are flagged as stale in the hygiene scan
Root Cause: The LastContentModifiedDate property in SharePoint may not update for certain activity types such as viewing, commenting, or metadata-only changes
Resolution:
Cross-reference flagged sites with audit log activity using Search-UnifiedAuditLog
Adjust the staleness threshold from 180 days to a value appropriate for your organization
Exclude site templates known to have low write activity (e.g., communication sites used primarily for reading)
Supplement with Microsoft 365 usage reports for a complete activity picture

When encountering unexpected results from readiness assessments:

Check service health: Verify Microsoft 365 service health at admin.microsoft.com > Health > Service health for any active incidents affecting Purview or SharePoint
Validate permissions: Run Get-MgContext to confirm the current session has required scopes
Review audit logs: Check unified audit log for any relevant admin actions that may have affected results
Test with a single site: Isolate the issue by running assessment scripts against a single known site before running tenant-wide scans
Compare data sources: Cross-reference portal data with PowerShell output to identify discrepancies

Severity	Condition	Escalation Path
Low	Minor data discrepancies in reports	IT Operations team for investigation
Medium	Readiness dashboard not populating after 72 hours	Microsoft Premier Support ticket
High	Assessment reveals critical oversharing of regulated data	CISO and Compliance Officer immediately
Critical	Assessment blocked — unable to evaluate readiness	Governance committee and Microsoft TAM