Continuous Copilot Readiness monitoring
A one-time Copilot Readiness assessment is a snapshot. Continuous monitoring turns it into a feed — the tenant is re-scanned every month, scored on a trend chart, diffed against the previous run, and an email fires when something material changes. Use it to keep a signed-off tenant clean through a Copilot rollout, or to catch drift on an MSP customer between engagements.
Example tenant trending upward through a remediation quarter. Bars are colored by the readiness verdict band at each snapshot.
WHAT YOU'LL SEE
The trend chart sits above the findings list on any monitored assessment. Current score, prior score, 30-day delta, and a three-column diff (new / persistent / resolved) are the four numbers you review at the start of every monitoring email.
Before you start
- A purchased (non-Free) assessment. Monitoring is per-assessment. Free-tier assessments can't be promoted — re-purchase at Insight or above.
- Valid credential. The original credential is re-used for every scheduled run. If the Azure AD app secret rotates, re-test at Credentials → Test or the next run fails.
- Alert destination. Email (every paid tier) or webhook (Partner+).
Enabling monitoring
- Open the assessment's detail page (Governance → Assessments).
- Click Enable monitoring in the top-right.
- Choose cadence: Monthly (default), Fortnightly, or Weekly (Partner+).
- Pick an alert threshold:
  - Any change — fires on every new, resolved, or persistent finding movement.
  - New findings only (recommended) — fires only on findings that weren't present before.
  - Score drop > N points — best for MSPs watching many tenants.
- Add recipients (comma-separated) or a webhook URL.
- Click Enable. The next run appears as Scheduled.
TIP
For client-facing MSP work, use Score drop > 0.3. It filters out routine noise like a new anonymous link on a single site, and fires only when the overall readiness posture actually slips — the signal a client expects you to surface.
The trend chart
Once monitoring has produced 2+ runs, the assessment's detail page shows a trend chart above the findings list. The chart plots:
- Overall readiness score (0–100) as the main line.
- Per-module scores as toggleable overlays — Security, Identity, Data Governance, Teams, SharePoint, Purview, Copilot. Click a legend chip to isolate one module.
- Total finding count on a secondary axis, color-coded by severity.
Hover any point to see the run date, score delta from the previous run, and a "View run" link that opens that snapshot's full report in a new tab. Every historical run is preserved indefinitely — you can reference a run from 14 months ago during an audit.
RESULT
A year of monthly runs renders as 12 bars with color-banded verdicts — the story tells itself to a client or an auditor without narration. Screenshot the chart for the top of your quarterly review deck.
The diff view
Clicking Diff vs previous on any run opens a three-column view:
| Column | What it contains |
|---|---|
| New | Findings that appeared in this run but were not in the previous run. Likely caused by a tenant config change, a new user, a new site, or a drifted policy. |
| Persistent | Findings present in both runs. The count tells you what is still outstanding from the original baseline — the backlog your remediation plan still needs to clear. |
| Resolved | Findings present in the previous run but absent from this run. Evidence the remediation is working. |
How the diff algorithm works
Each finding has a deterministic identity key derived from (moduleId, ruleId, targetResourceId) — for example, (sharepoint, anonymous-link-policy, 84a1-...) for a specific site's anonymous-link configuration. Diffing compares identity keys across the two runs:
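```js
// Sketch: key(f) returns the finding's identity key
const prev = new Set(previous.findings.map(key));
const curr = new Set(current.findings.map(key));
const added      = [...curr].filter((k) => !prev.has(k)); // new: in current, not in previous
const resolved   = [...prev].filter((k) => !curr.has(k)); // in previous, not in current
const persistent = [...curr].filter((k) => prev.has(k));  // in both
```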
Because the key includes the target resource ID, replacing one non-compliant site with another still correctly shows the first as resolved and the second as new — not as a persistent single finding. Rules can also version-bump internally; when they do, the old rule is marked resolved and the new rule appears as new, with a note on the finding card explaining the rule change (so you don't panic about a spike in "new" findings the month we ship a rule update).
Email alerts
Alert emails include score delta, top 5 new findings (title + severity + resource), and a deep link to the diff view. Subject line format is stable for inbox rules:
[MigrationFox] <tenant> readiness — <new> new, <resolved> resolved
Edit recipients at Monitoring → Manage alerts. Pause monitoring during planned config windows via Pause monitoring — history is preserved, the next run picks up on the next cadence slot.
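The identity-key diff and the alert thresholds described above, as an added JavaScript example (not MigrationFox's own code): it shows the site-replacement case landing in separate columns and a score-drop threshold staying silent on an improvement. Field names, the key separator, the threshold object shape and the sample runs are assumptions made for the illustration.

```javascript
// Added illustration, not MigrationFox code. Field names, the "|" separator and
// the threshold object shape are assumptions; the sample runs are constructed.
const key = (f) => [f.moduleId, f.ruleId, f.targetResourceId].join("|");

function diffRuns(previous, current) {
  const prev = new Map(previous.findings.map((f) => [key(f), f]));
  const curr = new Map(current.findings.map((f) => [key(f), f]));
  const pick = (from, keep) => [...from].filter(([k]) => keep(k)).map(([, f]) => f);
  return {
    added: pick(curr, (k) => !prev.has(k)),      // "New" column
    resolved: pick(prev, (k) => !curr.has(k)),   // "Resolved" column
    persistent: pick(curr, (k) => prev.has(k)),  // "Persistent" column
    scoreDelta: current.score - previous.score,  // negative means the score fell
  };
}

// threshold: {type: "any"} | {type: "new-only"} | {type: "score-drop", points: N}
function shouldAlert(diff, threshold) {
  switch (threshold.type) {
    case "any": // assumption: any new or resolved finding counts as a change
      return diff.added.length > 0 || diff.resolved.length > 0;
    case "new-only":
      return diff.added.length > 0;
    case "score-drop": // never fires on an improvement
      return -diff.scoreDelta > threshold.points;
    default:
      throw new Error(`unknown threshold type: ${threshold.type}`);
  }
}

const subject = (tenant, diff) =>
  `[MigrationFox] ${tenant} readiness — ${diff.added.length} new, ${diff.resolved.length} resolved`;

// Constructed runs: site-A was fixed, site-B drifted, one identity finding is still open.
const anon = (site) => ({ moduleId: "sharepoint", ruleId: "anonymous-link-policy", targetResourceId: site });
const stillOpen = { moduleId: "identity", ruleId: "sample-rule", targetResourceId: "tenant" };
const previous = { score: 72, findings: [anon("site-A"), stillOpen] };
const current = { score: 74, findings: [anon("site-B"), stillOpen] };

const diff = diffRuns(previous, current);
console.log(subject("example-tenant", diff));
console.log({ newOnly: shouldAlert(diff, { type: "new-only" }),
              scoreDrop: shouldAlert(diff, { type: "score-drop", points: 0.3 }) });
```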
Troubleshooting
"Scheduled run failed — credential invalid"
Azure AD secret/cert expired or rotated. Update under Credentials, click Retry now on the failed row.
40+ "new" findings overnight
Either a real tenant change (check M365 audit log for the run's 24h window) or a rule update. Rule updates show a banner on the diff page and appear in Governance → Rule Updates.
No email, run completed
Check: (1) threshold — Score drop > N does not fire on improvements, (2) recipient verified at Profile → Email verification, (3) per-day alert cap (default 100) not hit. See Monitoring → Delivery log.
What's next
- M365 Assessment Suite overview — the 7 assessment modules and what each scores.
- Running an assessment — first-time setup.
- Exports — PDF / CSV / JSON formats shared with the monitored view.
- Dependency Graph scan — pair with monitoring to keep track of what's safe to restructure as the tenant evolves.