Customer Zero Starter Kit

Become Customer Zero first. Then sell the motion.

Use this operating guide to assign the AI owner, pick the right doers, secure the tenant, train users, govern AI demand, and know when your firm is ready to teach the motion.

Sourced as of June 2026. Microsoft tooling, asset names, and license boundaries move - re-verify before each engagement.

Problem Statement

You read the playbook. Now the executive question is: what do we do Monday morning? The answer is not "buy licenses and hope." The answer is to become Customer Zero: run the governance, readiness, training, and management motion on your own tenant first, then use the proof to guide your customers.

"Data oversharing is the single largest data security risk that organizations face when deploying Microsoft 365 Copilot."

Zero Trust Workshop AI_047

The basic governance reality does not change: Microsoft 365 Copilot does not break your permission model; it exposes it. Overshared SharePoint sites, anonymous links, stale guests, unlabeled sensitive files, risky OAuth grants, and unmanaged AI use become business risks once users can ask better questions of the data they already have access to.

Executive Principles

Go first: Your own tenant is the lab, the proof point, and the first case study.
Assign one AI owner: Your AI owner runs the motion, routes decisions, and owns the evidence library.
Pick doers, not titles: Fastest ROI usually comes from people buried in meetings, email, documents, spreadsheets, and customer follow-up.
Govern before scale: Assess, restrict, remediate, simulate labels, train, then expand.

The AI Owner Runs This

Your C-suite sponsors the motion, but your day-to-day owner should be the person already fielding the internal AI questions. In the playbook language: formalize that person with title, budget line, decision rights, and authority to say "no" or "we are productizing that thing I just built." This role is your operating center for Customer Zero.

Role | Customer Zero responsibility | Decision rights | What they capture
AI Owner / Practice Lead | Owns the internal AI program, evidence library, intake, prioritization, champion rhythm, and service productization handoff. | Can say no, can approve pilots, can escalate risk, can decide what becomes a repeatable service. | Program decisions, use cases, blockers, champion wins, productization notes.
Executive Sponsor | Funds the motion, removes blockers, protects time for training, and uses Customer Zero proof in customer conversations. | Budget, staffing, risk appetite, commercial packaging priorities. | Executive narrative, investment decisions, customer-facing proof themes.
Delivery Consultant / AI Specialist | Runs assessment, remediation, label simulation, training buildout, and delivery runbook capture. | Technical recommendations, delivery sequencing, tool-fit recommendation. | Time-on-task, exact steps, gotchas, before/after deltas.
Tenant / M365 Admin | Executes privileged changes across Entra ID, SharePoint, Purview, Defender, licensing, and admin center settings. | Privileged access, change windows, rollback path. | Change log, access review notes, admin steps that need automation.
Security / Compliance Owner | Approves acceptable use, label taxonomy, DLP posture, shadow-AI decisions, and policy enforcement timing. | Risk acceptance, sanction/block decisions, label enforcement, policy exceptions. | Decision logs, AUP rationale, compliance overlays, exceptions.
Helpdesk / AI Support | Turns recurring questions into an AI support runbook and identifies where users are blocked. | Ticket routing, escalation, support scripts. | FAQ, ticket patterns, training gaps, adoption blockers.
Champions / Doers | Prove the actual ROI by using Copilot in real workflows and showing what changed. | Workflow feedback, prompt patterns, practical adoption truth. | Before/after workflow examples, saved time, prompt examples, training feedback.

Pick The Fastest-ROI Doers

The main playbook is direct on this point: a common failure mode is giving early licenses to leaders or IT-only pilots instead of the people whose daily work maps directly to Copilot's strengths. Before broad license assignment, run a 30-minute Champion Identification conversation with the business owner or an engaged department head and pick 5-10 Day 1 champions. These are not honorary roles. They are the users whose workflows become your first proof assets.

License The Doers First

The first Customer Zero cohort should include executive sponsorship, success ownership, champions, and early adopters, but the proof comes from the doers: people creating content, analyzing data, managing communications, running meetings, and serving customers.

Champion profile | Why they matter | First workflow to prove | Evidence to capture
Account Manager / Outside Sales Rep | The highest-impact quick-win profile in the playbook: pre-call research, customer follow-up, proposal drafts, meeting notes, and CRM updates. | Open a Teams meeting transcript and generate the follow-up email plus action list. | Follow-up time saved, email quality, proposal draft cycle time, customer-facing proof.
Project Manager / Operations Lead | The communication hub for recaps, action items, status updates, and recurring meetings. | Turn a recorded standup into meeting summary, assigned actions, and draft status email. | Meeting-prep delta, action-item quality, status-report template, recurring-meeting pattern.
Office Manager / Executive Assistant | Cross-functional inbox, calendar, meeting-material, and communication work that makes Copilot visible fast. | Turn a messy brain dump into a polished, appropriately toned email or agenda. | Reusable prompts, communication examples, adoption objections, training questions.
HR Manager / People Operations Lead | Document-heavy work: job descriptions, onboarding, policy updates, and sensitive communication. | Draft a job description from a short brief, then convert it into an onboarding checklist. | Drafting time, review notes, sensitivity concerns, policy-label training needs.
Finance Manager / Controller / Bookkeeper | Data-heavy and report-heavy work where plain-English analysis and Excel support matter. | Use an anonymized spreadsheet to identify trends, outliers, and useful formulas. | Analysis time saved, formula learning, control questions, board-report examples.
Marketing Coordinator / Content Owner | The one-person content machine: social posts, email campaigns, website copy, and sales collateral. | Turn a product description into social copy, customer email, and sales-deck slide. | Editing-time delta, brand-review notes, prompt library, content reuse examples.
Meeting-Heavy Middle Manager | Back-to-back calendar pain where recap, missed-meeting recovery, and action extraction create immediate belief. | Ask Copilot what decisions were made, what actions they own, and what needs follow-up from a missed meeting. | Meeting-load baseline, recap time saved, action completion, missed-meeting recovery story.

The 30/60/90 Operating Roadmap

Before Day 1: Assign your AI owner, executive sponsor, admin owner, security owner, helpdesk owner, and 5-10 champions. Create the evidence library and capture templates.
Days 1-30: Run readiness and exposure assessment, capture before-state, identify red zones, create the first scenario deck, and launch role-specific champion enablement.
Days 31-60: Restrict the worst sites, remediate oversharing, run label simulation, discover shadow AI, draft AUP, and hold the 30-day usage check-in.
Days 61-90: Enforce tuned labels, deliver training, run one management cadence, build or govern the first internal agents, and prepare the 60-day ROI conversation.
After 90: Move from project to operating rhythm: monthly governance, executive reporting, continuous improvement, and service packaging.

Business Impact Boundary

Full Microsoft Copilot Dashboard Business Impact analysis requires at least 65 Copilot users and 65 non-Copilot users. If your firm is smaller, use role-based before/after examples, time-on-task, qualitative feedback, and executive review instead of pretending you have statistically meaningful dashboard depth.

Assessment Tools: What To Use And When

Always start native; layer only when you hit the native ceiling. Purview DSPM for AI now supports native bulk remediation at scale (Azure Feeds, Apr 8 2026), so third-party tools earn their place only when sprawl exceeds the native ceiling, or when the motion requires multi-tenant MSP operation, white-label reporting, multi-AI governance, or deep runtime monitoring.

Partner-Asset Caveat

Re-verify all partner-asset links before any customer proposal: aka.ms/SOW-Generator, aka.ms/MIP-Labeling-Assistant, aka.ms/MIP-Industry-OnePagers, aka.ms/Deploy-Scripts, aka.ms/Github-CopilotCli-Guide, and the SMB Information Protection asset pack are partner-login-gated and temporary. The Customer Zero sequencing, capture discipline, maturity gate, and GTM ladder are practitioner-consensus synthesis distilled for this motion, not Microsoft doctrine.

Microsoft-Native Baseline

Native tool | What it answers | License / boundary | Use it for
Copilot Readiness report | Who is technically eligible and how base apps are used. | Admin Center; data can take about 72 hours to populate. | Eligibility and adoption-readiness baseline.
Purview DSPM for AI | Oversharing, unlabeled content, and prompt/data exposure patterns. | Purview spans E3/E5; richest DSPM-for-AI depth assumes E5 / E5 Compliance. | Exposure baseline and data-risk story.
SharePoint Advanced Management | Data Access Governance, Restricted Content Discovery, Restricted Access Control. | SAM is included with the Microsoft 365 Copilot license in the source guidance. | Worst-site restriction and oversharing triage.
Defender for Cloud Apps | Cloud Discovery, GenAI category filter, and risk scoring. | Full shadow-AI depth generally requires E5 / E5 Compliance; blocking requires Defender for Endpoint onboarding. | Shadow AI inventory and sanction/block decisions.
Secure Score | Identity and configuration posture baseline. | Included. | Executive baseline and before/after posture tracking.

Partner Tool Comparison

Scores below are a 1-5 partner-usefulness read for this Customer Zero motion, not an independent benchmark. Where pricing is not publicly stated by the vendor, do not estimate it in a customer proposal. Native Purview DSPM for AI closes much of the bulk-remediation gap; use third-party tooling only when the delivery model exceeds the native ceiling.

Tool | Primary job | Explicit Copilot readiness? | Remediation fit | Target size | MSP fit | Public pricing | Overall
Syskit Point | SharePoint/Teams governance + readiness | Yes - Copilot Readiness Dashboard | 5 | SMB-to-mid | 4 | Not publicly stated (quote) | 4.3
AvePoint | Governance + automated remediation + lifecycle | Yes - Copilot Readiness and Sustainable Adoption | 5 | Mid-to-enterprise + MSP | 5 | Not publicly stated (quote) | 4.4
Cloudiway AI Readiness | White-label MSP assessment | Yes - AI Readiness / Copilot readiness | 3 | SMB via MSP | 5 | MSP charges client ~$5K-$15K/audit; platform subscription not public | 3.8
Rencore Governance | M365 + multi-AI governance | Yes - M365 Copilot Governance | 4 | SMB-to-enterprise + MSP | 4 | Public: ~$0.55-$1.10 / user / month | 4.1
ShareGate Protect | Migration heritage + governance/security | Yes - Copilot readiness in Protect | 4 | SMB-to-mid | 3 | Migrate tiers public; Protect "Contact Us" | 3.9
Varonis | Data security posture + runtime monitoring | Yes - Varonis for M365 Copilot | 5 | Enterprise / regulated | 3 | Not publicly stated (quote) | 4.3
LayerX | Browser / AI-runtime security | Yes - AI/browser data-leak protection | 2 | Enterprise | 3 | Not publicly stated (quote) | 3.4
UnifyCloud CloudAtlas AI | Agentic AI build + AI governance | Indirect - AI Guardian shadow-AI/data-leak prevention | 2 | SMB-to-enterprise via partner | 4 | Not publicly stated (Azure Marketplace) | 3.6

Phase-By-Phase Customer Zero Guide

Use this as the operating map: the phase tells the team what decision they are driving, the tools tell them where to work, and the capture column tells leadership what must come back as evidence.

Phase | Primary tools / accelerants | What they are used for | Evidence leadership expects
Assessment | Copilot Readiness report; Purview DSPM for AI; SAM Data Access Governance; Defender for Cloud Apps; Secure Score. | Baseline exposure, eligibility, identity posture, and shadow-AI signal. | Exposure heat map, license boundary, scan limitations, before-state screenshots.
Foundation | Entra ID; Conditional Access; PIM; SAM Restricted Access Control; Purview; PowerShell Deployment Script. | Harden identity, restrict worst sites, remediate oversharing, land policy floor. | Remediation runbook, -WhatIf output, before/after delta, time-on-task.
Pilot / adoption | Microsoft Scenario Library; Copilot Dashboard / Viva Insights; role-specific prompt guides; Business Case Builder / Value Envisioning where appropriate. | Pick doers, map scenarios, run adoption check-ins, prepare ROI conversation. | Champion roster, prompt guides, workflow proof, adoption blockers.
Shadow AI | Defender for Cloud Apps Cloud Discovery; GenAI category filter; app risk scoring; Defender for Endpoint if blocking is required. | Discover, sanction/block, protect, govern, and redirect AI demand. | Ranked GenAI app inventory, decision log, AUP starter, redirect comms.
Information protection | Purview labels; auto-labeling simulation; Guided Labeling Assistant; Industry One-Pagers; SMB Secure by Default label model; MIP SOW Generator. | Design labels, simulate before enforce, train users, package label work. | Taxonomy, simulation log, training deck, user questions, SOW inputs.
Management / agent readiness | Purview/SAM trend reports; Defender review; Secure Score trend; Copilot Dashboard; helpdesk/SOC patterns; Agent Registry / Agent 365 as maturity requires. | Operate recurring governance, report drift, route support, govern agent requests. | Management cadence, SLA, trend report, agent intake, recurring-service scope.

Phase 0

Assess Before You Touch Anything

Microsoft Data Security Index (Jan 2026) reports that "40% of enterprise data-security incidents are linked to AI systems, up from 27% the prior year." Use that as the why-now opener for assessment, not as a substitute for your own tenant evidence. This is Microsoft-commissioned survey data, not an independent study.

What You Do

Tools In This Phase

Copilot Readiness report; Purview DSPM for AI; SharePoint Advanced Management Data Access Governance; Defender for Cloud Apps Cloud Discovery; Secure Score. Use a third-party assessment tool only if native reporting cannot support the delivery motion you need.

People

Lead: AI owner with the tenant/M365 admin. Accountable: executive sponsor or your partner principal. Consulted: security/compliance owner and delivery consultant. Informed: helpdesk and champion leads.

Process

Inventory first, interpret second, act later. The point of this phase is to establish the before-state and decide where the risk is concentrated before anyone starts changing permissions or labels.

Quotable

"Data oversharing is the single largest data security risk that organizations face when deploying Microsoft 365 Copilot" (Zero Trust Workshop AI_047).

Done When

You have a dated before-state: overshared sites, EEEU-configured sites, anonymous links, stale guests, unlabeled sensitive data, Secure Score, label coverage, and GenAI app inventory. Leadership has approved the first risk priorities and knows which findings are limited by license depth.

Ready For Next Phase

Move forward only when the team can name the first sites/users/apps to contain and has preserved the evidence needed to prove the before/after delta.

Capture

Exposure heat map, tool-selection memo, scan time-on-task, screenshots, first list of "we need to fix this before scale" items.

Phase 1

Secure The Foundation In The Right Order

Enforced Order

Restrict -> Remediate -> Label

Tools In This Phase

Entra ID; Conditional Access; PIM; SharePoint Advanced Management Restricted Access Control; Purview; PowerShell Deployment Script. Run -WhatIf before landing the Purview policy floor.

People

Lead: tenant/M365 admin with security/compliance owner. Accountable: AI owner. Consulted: delivery consultant and affected site owners. Informed: helpdesk and champion leads.

Process

Restrict the worst exposure first, prevent new broad grants, remediate the permission model, then prepare labels and DLP. Do not use labels as a substitute for access cleanup. Broken inheritance is not a button-click cleanup; it is often a business-owner decision about whether an exception is valid.

Important Caveat

The PowerShell Deployment Script (aka.ms/Deploy-Scripts; public repo GitHub - amirjafarian/SMBBestPracticeTool, Deploy-PurviewBestPractice.ps1; MIT licensed, idempotent, supports -WhatIf) launched May 18 2026 and was reviewed with TD SYNNEX May 29 2026. The aka.ms link is partner-login-gated and temporary.

Done When

Worst exposure is contained, tenant-level EEEU prevention is in place, structural remediation is underway, broken-inheritance decisions have owners, before/after delta is visible, and temporary restrictions have a planned exit. Restricted is not remediated.

Ready For Next Phase

Move forward when the pilot group can use Copilot without the team knowingly exposing the worst overshared locations or privileged-risk gaps identified in assessment.

Capture

Restriction decisions, permission fixes, exception list, -WhatIf output, before/after screenshots, elapsed remediation time, and helpdesk issues created by the changes.

Phase 2

Pilot With Champions And Scenarios

What You Do

Tools In This Phase

Microsoft Scenario Library; Copilot Dashboard / Viva Insights; role-specific prompt guides; Copilot Business Case Builder and Value Envisioning Tool from the Modern Work partner portal where appropriate.

People

Lead: AI owner with champion leads. Accountable: executive sponsor or practice leader. Consulted: delivery consultant, helpdesk, and department managers. Informed: tenant/M365 admin and security/compliance owner.

Process

Start with the doers most likely to show visible ROI: account managers, project/operations leads, office managers/EAs, HR, finance, marketing, and meeting-heavy managers. Avoid IT-only and leader-only pilots.

Done When

Every champion has at least one real workflow, one prompt pattern, one before/after example, and one support path. Adoption is a formal deliverable, not an afterthought.

Ready For Next Phase

Move forward when the champions are producing real usage questions and the team can distinguish training issues from data-access, policy, or tool-fit issues.

Capture

Champion roster, scenario deck, prompt guides, training questions, workflow before/after examples, ROI conversation notes.

Phase 3

Discover, Govern, And Redirect Shadow AI

Enforced Order

Discover -> Block / Sanction -> Protect -> Govern

Tools In This Phase

Defender for Cloud Apps Cloud Discovery; Generative AI category filter; app risk scoring; Defender for Endpoint where blocking is required; Purview DSPM for AI for complementary visibility across Microsoft 365 Copilot and non-Microsoft GenAI prompt/data activity; AI acceptable use policy and redirect communications.

People

Lead: security/compliance owner with AI owner. Accountable: executive sponsor. Consulted: tenant/M365 admin, helpdesk, and delivery consultant. Informed: champions and department managers affected by sanction/block decisions.

Process

Discover first, then decide which tools are sanctioned, monitored/warned, blocked, or redirected. Every block needs a sanctioned path and a support message so users are redirected instead of forced back into unmanaged workarounds. The custom block message is not just a control; it is the training moment.

Why It Matters

LayerX measured that "77% of users paste data into GenAI tools, and 82% of this activity comes from unmanaged accounts." Microsoft 2024 Work Trend Index reports that 78% of AI users bring their own AI to work, rising to 80% at small and medium companies. Vendor-telemetry stats are real but self-selected; treat direction and magnitude as solid, not survey-representative.

Done When

You have a ranked GenAI inventory, sanction/monitor/block decisions, customized redirect messaging, an AI acceptable use policy starter, and a support path for users asking why a tool is blocked or where approved AI work should happen.

Ready For Next Phase

Move forward when the team can explain what AI tools are allowed, what is blocked, what data can be used, and where users should go for approved workflows.

Capture

Ranked app list, sanction/block decision log, AI acceptable use policy, redirect comms, helpdesk scripts.

Phase 4

Information Protection, Labels, And User Training

Enforced Order

Design -> Simulate -> Tune -> Enforce -> Train

Tools And Boundaries

Purview sensitivity labels; container labels; default sensitivity label settings; auto-labeling simulation; email label policy testing; Guided Labeling Assistant (aka.ms/MIP-Labeling-Assistant); 5 Industry One-Pagers (aka.ms/MIP-Industry-OnePagers); SMB Secure by Default 8-label model; MIP SOW Generator when packaging the customer offer. The SMB asset pack launched May 18 2026 and was reviewed with TD SYNNEX May 29 2026; the links are partner-login-gated and temporary, so verify them before a customer proposal.

SMB Asset Pack Spine

Use the SMB asset pack as Enable -> Position -> Decide -> Sell -> Deploy: GitHub Copilot CLI Quick Guide (aka.ms/Github-CopilotCli-Guide), Industry One-Pagers (aka.ms/MIP-Industry-OnePagers), Guided Labeling Assistant (aka.ms/MIP-Labeling-Assistant), MIP SOW Generator (aka.ms/SOW-Generator), and PowerShell Deployment Script (aka.ms/Deploy-Scripts). The SMB asset pack launched May 18 2026 and was reviewed with TD SYNNEX May 29 2026; all aka.ms links are partner-login-gated and temporary, so verify them before a customer proposal.

People

Lead: security/compliance owner with AI owner. Accountable: executive sponsor. Consulted: tenant/M365 admin, delivery consultant, department managers, and champions. Informed: helpdesk and all trained users.

Process

Design the taxonomy, deploy the container-label and default-label plan, simulate auto-labeling for at least two weeks, tune thresholds, then enforce. Training follows the label design so users understand what the labels mean, when to use them, and how Copilot behaves with labeled or encrypted content.

Copilot respects usage rights; it needs EXTRACT + VIEW rights to use labeled/encrypted content, and output inherits the highest-priority sensitivity label. DKE content is invisible to Copilot.
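To make that rule concrete for label training and helpdesk scripts, here is an added Python model of the behavior described above (example code written for this guide, not Microsoft code). Label names, priorities and the per-item usage rights are constructed sample values; the logic encodes only what the paragraph states: VIEW + EXTRACT required, DKE content invisible, output inherits the highest-priority label among the content actually used.

```python
"""Model of Copilot's label behavior for training material.

Constructed example: each source item carries a sensitivity label (with a
Purview-style priority, higher = more sensitive) and the usage rights the
label's encryption grants the current user. Copilot can ground on an item
only when the user holds both VIEW and EXTRACT rights and the item is not
protected with Double Key Encryption (DKE). The generated output inherits
the highest-priority label among the items that were actually used.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Label:
    name: str
    priority: int  # higher number = more sensitive (constructed ordering)


@dataclass
class SourceItem:
    title: str
    label: Label
    rights: frozenset = field(default_factory=frozenset)  # e.g. {"VIEW", "EXTRACT"}
    dke: bool = False  # Double Key Encryption: never visible to Copilot


REQUIRED_RIGHTS = frozenset({"VIEW", "EXTRACT"})


def copilot_can_use(item: SourceItem) -> bool:
    """True when Copilot is permitted to ground on this item."""
    return not item.dke and REQUIRED_RIGHTS <= item.rights


def plan_grounding(items, default_label: Label):
    """Split items into used / excluded and derive the output label.

    default_label is the label the output carries when no grounding content
    raises it (assumed here to be the tenant default label).
    Returns (used_titles, {excluded_title: reason}, output_label).
    """
    used, excluded = [], {}
    output_label = default_label
    for item in items:
        if item.dke:
            excluded[item.title] = "DKE content is invisible to Copilot"
            continue
        missing = REQUIRED_RIGHTS - item.rights
        if missing:
            excluded[item.title] = "missing usage rights: " + ", ".join(sorted(missing))
            continue
        used.append(item.title)
        if item.label.priority > output_label.priority:
            output_label = item.label  # output inherits the highest-priority label
    return used, excluded, output_label


# Constructed four-tier taxonomy and sample items (not a real tenant).
GENERAL = Label("General", 1)
CONFIDENTIAL = Label("Confidential", 2)
CONF_VIEW_ONLY = Label("Confidential - View Only", 3)
HIGHLY_CONFIDENTIAL = Label("Highly Confidential", 4)
DEFAULT_LABEL = GENERAL

SAMPLE_ITEMS = [
    SourceItem("Q3 pipeline notes.docx", CONFIDENTIAL, frozenset({"VIEW", "EXTRACT"})),
    SourceItem("Board pack.pptx", HIGHLY_CONFIDENTIAL, frozenset({"VIEW", "EXTRACT"})),
    SourceItem("Vendor contract.pdf", CONF_VIEW_ONLY, frozenset({"VIEW"})),  # no EXTRACT
    SourceItem("Payroll.xlsx", HIGHLY_CONFIDENTIAL, frozenset({"VIEW", "EXTRACT"}), dke=True),
    SourceItem("Team lunch.docx", GENERAL, frozenset({"VIEW", "EXTRACT"})),
]

if __name__ == "__main__":
    used, excluded, out = plan_grounding(SAMPLE_ITEMS, DEFAULT_LABEL)
    print("Used by Copilot:", used)
    for title, reason in excluded.items():
        print("Excluded:", title, "->", reason)
    print("Output label:", out.name)
```

The view-only contract and the DKE payroll file drop out even though the user can open both in Office, which is the distinction users most often ask helpdesk about.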

Done When

The label model is approved, container labels are deployed where needed, a default label is set for new content, auto-labeling has been simulated for at least two weeks and tuned, email label behavior has been tested, pilot users have been trained, and helpdesk has a simple answer path for label confusion, access issues, and Copilot behavior questions.

Ready For Next Phase

Move forward when labels are no longer just a configuration. They must be a trained business behavior with an owner, examples, and a support path.

Capture

Taxonomy rationale, container-label decisions, default-label decision, simulation results, threshold changes, email-label testing notes, training deck, user questions, label examples, and customer-safe explanation of Copilot label behavior.

Phases 5-6

Expand, Manage, And Prepare To Teach Customers

What You Do

Tools In This Phase

Purview and SAM trend reports; Defender for Cloud Apps review; Secure Score trend; Copilot Dashboard / Viva Insights; helpdesk/SOC ticket patterns; Agent Registry or Agent 365 when agent governance maturity requires it.

People

Lead: AI owner. Accountable: your partner principal or executive sponsor. Consulted: security/compliance owner, tenant/M365 admin, helpdesk, SOC owner, delivery consultant, and practice lead. Informed: champions and customer-facing sales/service leaders.

Process

Move from project to operating cadence: review exposure, labels, shadow AI, adoption, support tickets, agent requests, and executive reporting on a recurring rhythm. The monthly executive report should be readable in 30 seconds: one visible delta metric, one risk trend, and one recommended action. This is where the internal motion becomes the managed-service pattern.

Done When

You can show the before-state, explain the order of operations, prove the after-state, train a user cohort, operate a recurring cadence, refresh labels/training quarterly, use anonymized proof in a customer conversation, and describe which work becomes fixed-fee vs recurring.

Ready For Services

Move to the sellable-services guide when you have completed at least one full governance cadence and can show customer-safe proof for assessment, remediation, shadow AI, labels/training, adoption, and management.

Capture

Trend report, SLA, recurring tasks, quarterly retraining plan, packaging notes, delivery-readiness gaps, customer-conversation notes, anonymized proof.

Training And Enablement Are Part Of The Build

Do not treat training as a closing webinar. The playbook frames adoption as a formal deliverable: a 30-60-90 day adoption plan with a kickoff session, role-specific prompt guides, a 30-day usage check-in, and a 60-day ROI conversation. Training is how you turn secure deployment into changed behavior, and changed behavior is what your customers can believe. Keep label training intentionally simple: why this exists, the four-tier label model, Copilot-specific label behavior, examples, and what to do when unsure.

Champion kickoff

Explain the mission, expected workflows, support path, and evidence capture. Champions are there to prove useful workflows and surface support needs early.

Role prompt guides

Build role-specific guides for sales, operations, HR, finance, marketing, and meeting-heavy managers from real internal work.

Label training

Give users one-line "when to use it" guidance. A label without usage guidance is a failure mode.

Quarterly refresh

Refresh label examples, Copilot behavior guidance, and shadow-AI redirects every quarter so the operating model stays current.

AI support runbook

Route AI questions, policy exceptions, risky prompts, agent requests, and "why was this blocked?" tickets consistently.

Agent Creation And Management

The main playbook pushes partners to use Copilot internally and build a small number of real internal agents, such as ticket summarization, proposal drafting, or QBR prep. This guide adds the governance companion: make sure those agents inherit the same identity, permission, lifecycle, monitoring, and evidence discipline as the rest of the Customer Zero motion.

Question | Governance answer | Capture
Who can request an agent? | Your AI owner owns intake; security and admin owners review data access and risk. | Agent request form, decision log, rejected/approved rationale.
What data can it touch? | Use existing permissions, labels, DLP, and least-privilege review before publishing. | Data-source inventory, access review, label/DLP notes.
How is it monitored? | Fold agent usage and exceptions into the management cadence. | Usage notes, exception log, helpdesk issues.
When does Agent 365 matter? | Agent 365 is real, GA May 1 2026, and solves governance/control-plane problems. It is usually not the near-term priority for most SMBs. It is not included in E3/E5; current packaging cited here is standalone $15/user/month or bundled in E7, with a free Agent Registry for any Microsoft Cloud subscriber. Re-verify pricing and packaging before proposal. | Registry screenshot, maturity decision, cost/fit note.

Boundary

This guide does not rename the governance motion as AgentOps. The playbook covers the broader adoption and agent operating model; this Customer Zero guide covers the governance readiness companion.

Definition Of Done

You are not done when Copilot works. You are done when you can explain, prove, operate, and repeat the motion.