M365 AI Agent Governance - Full Reference: Licensing, Areas, Maturity Model, Decision Flowchart

Source: m365maps.com (Aaron Dinnage, 2026) — E3 E5 E7 Copilot Agent 365  |  MM4M365
E3 — ~$36/user/mo: Office 365 E3 · Windows E3 · EMS E3 · Entra ID P1 · Intune P1 · MDE P1 · DLP · Audit Standard · AIP basic · Copilot Chat (web, free)
E3 + Copilot — ~$36 + $30/user/mo: Copilot Premium · SAM for Copilot · CS for M365 · Copilot Chat (work data) · SharePoint Agents · Create Agents
E5 — ~$57 → $60 (1.7.2026): E3 all + Entra ID P2 · MDE P2 · MDCA (full) · Endpoint DLP · Audit Premium · IRM · Comm Compliance · Security Copilot · PIM · DSPM
E5 + Copilot — ~$57 + $30/user/mo: E5 + Copilot Premium · SAM for Copilot · CS for M365
E7 — ~$99/user/mo (GA 1.5.2026): E5 + Copilot + Agent 365 · Entra Suite · Entra ID Governance · Entra Internet Access · Entra Private Access · Copilot Cowork · Agent-specific governance
Key: Agent-specific governance features (Agent DLP, Agent DSPM, Agent Comm Compliance, Agent IRM, Agent Conditional Access, Agent Identity Governance) are E7-only — not available in E5+Copilot. Copilot Studio for M365 is included in the Copilot Premium licence. SAM is included with the Copilot M365 add-on.
Standalone: Agent 365 can be added to E3 or E5 (~$15/user/mo) and Entra Suite (~$12/user/mo) without buying E7 — E7 ($99) just bundles E5 + Copilot + Agent 365 + Entra Suite at ~15% off list. From 1.7.2026: E5 list rises to $60 and Security Copilot, Intune Plan 2, Endpoint Privilege Management, Enterprise App Management and Cloud PKI fold into E5 (Defender for Office 365 P1 folds into E3).
Copilot & Agents — creation, inventory, reach control
Feature | Notes (availability columns: E3 · E3+Cop · E5 · E5+Cop · E7)
Copilot Chat — web-grounded (free) | Copilot Chat — free for all eligible M365 users since 2025. Web grounding + Enterprise Data Protection, file upload, image gen, Pages
Copilot Chat — work-data grounding (Graph) | Chat answers from your emails/files/meetings — requires M365 Copilot (Premium). Adds Researcher/Analyst, app Copilot, meeting recaps
Build agents — web-grounded (Agent Builder) | Agent Builder — web-knowledge agents are free in Copilot Chat, no Copilot licence
Build / run agents on org data | Included for licensed Copilot users; otherwise pay-as-you-go (Copilot Credits / capacity packs) — metered, not blocked by E3/E5
SharePoint Agents | SharePoint Agents
Copilot Studio for M365 (internal users) | CS for M365 — external channels require PP CS add-on
Graph & Connector Access | Included in M365 Copilot; without it, agent access to Graph/work data is metered via Copilot Credits (PAYG)
Copilot Dashboard | Copilot Dashboard
Agent 365 — Registry, Map, Monitoring | Agent 365 (E7 only)
Agent 365 — Lifecycle Management | Agent Actions (E7 only)
Agent Map | Agent Map (E7 only)
Agent Tool Controls | Tool Controls (E7 only)
Agent Policy Templates | Policy Templates (E7 only)
Agent Registry Sync (multi-cloud) | Registry Sync (E7 only)
SharePoint & SAM
Feature | Notes (availability columns: E3 · E3+Cop · E5 · E5+Cop · E7)
SharePoint Advanced Management (SAM) | SAM — included with Copilot M365; otherwise standalone add-on
RAC + RCD + Oversharing reports | Included in SAM
Sensitivity Labels (manual) | Sensitivity Labels — AIP basic in E3
Auto-labeling (rules-based classification) | Auto-labeling — E5
Conditional Access for Sites | CA for Sites — E5 (Entra P2)
Purview — DLP, audit, compliance
Feature | Notes (availability columns: E3 · E3+Cop · E5 · E5+Cop · E7)
DLP (Exchange, SPO, Teams, M365 apps) | DLP — E3 baseline
DLP on Copilot prompts | DLP & Copilot
Teams DLP | Teams DLP — E5
Endpoint DLP (block AI domains) | Endpoint DLP — E5 + MDE
Agent DLP | Agent DLP (E7 only)
Audit Standard (90 days) | Audit — E3
Audit Premium (7 years, advanced events) | Audit Premium — E5
DSPM for AI (oversharing posture) | DSPM — E5 Purview
Agent DSPM | Agent DSPM (E7 only)
Insider Risk Management | IRM — E5
Agent Insider Risk Management | Agent IRM (E7 only)
Communication Compliance | E5 Compliance
Agent Comm Compliance | Agent Comm Compl. (E7 only)
Agent Data Lifecycle Management | Agent DLM (E7 only)
Agent Information Protection | Agent Info Prot. (E7 only)
Defender & Entra
Feature | Notes (availability columns: E3 · E3+Cop · E5 · E5+Cop · E7)
Defender for Endpoint P1 | MDE P1 — in E3 (P2 is in E5)
Defender for Endpoint P2 (EDR, Hunting) | MDE P2 — E5
Defender for Cloud Apps (MDCA full) | MDCA — E5 Security; shadow IT discovery
Agent MDCA Integration | Agent MDCA (E7 only)
Security Copilot | Security Copilot — included in E5
Entra ID P1 (CA, MFA, SSPR) | Entra P1 — E3+
Entra ID P2 (PIM, ID Protection, Risk CA) | Entra P2 — E5
Agent Conditional Access | Agent CA (E7 only)
Agent ID Protection Integration | Agent ID Prot. (E7 only)
Agent Identity Governance | Agent ID Gov. (E7 only)
Agent Global Secure Access | Agent GSA (E7 only; Entra Internet/Private Access)
Sentinel Benefit (data ingestion) | Sentinel Benefit — E5
Power Platform — CS PP add-on (independent of M365 SKU)
Feature | Notes (availability columns: E3 · E3+Cop · E5 · E5+Cop · E7)
Copilot Studio PP add-on (ext. channels, CEA) | CS Security — standalone PP add-on, capacity billing
PPAC DLP policies (channels, auth, sources) | DLP Policies — effective only when CS agents are deployed
Managed Environments | Managed Env. — premium PP feature
Power Platform CoE Starter Kit | CoE Kit — free; requires PP + Power BI
Legend: Available · Partial / standalone add-on · Not available | E7 = E5 + Copilot M365 + Agent 365 + Entra Suite, GA 1.5.2026
Admin centers: Teams Admin Center (admin.teams.microsoft.com) for apps/bots & meeting policies, Purview for data governance.  |  App permission policies, Meeting policies, Bot Detection rollout 5–6/2026 (MC1251206). Note: Teams chat/channel content is a primary Copilot grounding source — transcripts, messages and shared files all feed AI.
Agents & bots in Teams
Native Teams bots
E3
Who, Approvals, Workflows, Forms — delivered by Microsoft. Managed via App permission policies and global allow/block list.
TAC > Teams apps > Manage apps > App permission policies
Manage apps
M365 Copilot agents in Teams
Copilot
Declarative agents, Agent Builder — visible in Teams and Copilot Chat. Managed via CCS and Agent 365 Registry.
M365 Admin Center > Agents > Registry | CCS
Agents admin guide
ISV / AppSource agents
E3
Certified external publishers from Teams App Store. Admin allow/block per app or publisher. CCS publisher-type rules for automation.
TAC > Manage apps | CCS > Settings
TAC Manage apps
External meeting bots
E3
Read.ai, Otter.ai, Fireflies — data leaves your tenant. Bot Detection 5–6/2026: "Suspected threats" label in lobby. Data governed by operator's policy, not yours.
TAC > Meeting policies > Lobby | Bot Detection (MC1251206)
Meeting policies
Custom Teams bot (Bot Framework)
E3 · Azure
Bot Framework + Azure Bot Service. Registered in Entra, admin consent in TAC, Graph API scopes. Visible via Entra App registrations.
TAC + Entra App registrations + Azure Bot Service
Teams bots overview
Azure Foundry agents in Teams
Azure
1-click publish from Foundry Portal to Teams and M365 Copilot (GA 3/2026). Entra Agent ID for identity. Agent 365 integration (public preview).
Azure Foundry Portal > Publish to M365 | Entra Agent ID
Azure Foundry
Agent inventory by channel
E7
Agent 365 Registry filters agents by channel (Copilot, Teams, Outlook, M365 apps, SharePoint), publisher and risk. Single view of every agent surfacing in Teams.
M365 Admin Center > Agents > All agents > Registry
Agent Registry
Teams data governance & compliance (Purview)
Teams DLP — chat & channel messages
E5
Blocks or tips on sensitive info (SSN, PAN, custom SITs, trainable classifiers) in 1:1, group and channel messages. Requires E5 or E5 Compliance — not in E3. Covers content Copilot can summarise.
Purview > Data Loss Prevention > Policies (Teams location)
Teams DLP
Teams DLP — files
E3
Files shared in Teams live in SPO/OneDrive, so file-level DLP is enforced via the SPO/Exchange locations — available at E3. Only chat/channel message DLP needs E5.
Purview > DLP > Policies (SharePoint / OneDrive)
About DLP
Communication Compliance
E5
Detects policy violations (harassment, sensitive info, regulatory) in Teams chats/channels. Relevant for monitoring AI-assisted and human messaging. E5 / E5 Compliance.
Purview > Communication Compliance
Comm Compliance
Information Barriers
E5
Prevents communication/collaboration between defined groups (chat, channel membership, screen share, file access). Stops Copilot/agents bridging segregated groups. E5.
Purview > Information Barriers
Information Barriers
Sensitivity labels for Teams & meetings
E3 (E5 auto)
Label teams, channels and meetings to control membership, sharing and encryption. Manual labels in E3; auto-labelling and dynamic watermarking need E5. Copilot honours labels.
Purview > Information Protection > Labels (container labels)
Container labels
Retention & deletion policies
E3
Retain or purge Teams chat and channel messages on a schedule. Limits how long AI-readable history persists. Baseline retention available at E3; auto-apply (ML) needs E5.
Purview > Data Lifecycle Management > Retention
Teams retention
Meeting recording & transcription policy
E3
Control who can record/transcribe. Transcripts and recordings are direct Copilot grounding data — governing them governs what meeting AI can recall and cite.
TAC > Meetings > Meeting policies > Recording & transcription
Recording/transcription
Copilot in Teams meetings
Copilot
Meeting Copilot summarises and answers from the live transcript. Governed by transcription policy + sensitivity labels; eDiscovery and audit capture Copilot interactions.
TAC + Purview (audit / labels) + Copilot Control System
Copilot & transcription
Admin center: Power Platform Admin Center (admin.powerplatform.microsoft.com)  |  Three control levels: Tenant → Environment → Agent. Most governance controls below are free Power Platform features (every M365 tenant has Power Platform) — what costs money is running agents/flows (premium connectors, RPA, Copilot Credits).
Governance controls (PPAC — free with Power Platform)
CS Authors Control
E3
Restricts agent creation to a specific security group. Blocks free trial sign-ups without admin approval. Free PPAC governance — no CS licence needed to set it.
PPAC > Settings [Tenant]
CS Governance
Control AI Features
E3
Blocks generative AI (LLM) in Copilot agents across the tenant. Free PPAC setting — key precisely for orgs without a Copilot licence.
PPAC > Settings [Tenant]
CS Security
Environment Routing & Isolation
E3
Routes makers to correct environment groups. Dev / Test / Prod isolation. Foundation for a proper ALM process.
PPAC > Settings > Env Routing [Tenant]
Env Routing
DLP — Channel Control
E3
Blocks agent publishing to Teams, Direct Line, Facebook, Omnichannel. Free PPAC DLP — note external channels themselves require the CS PP add-on to publish.
PPAC > DLP Policies [Tenant/Env]
DLP Policies
DLP — Knowledge Sources
E3
Blocks SPO, OneDrive, public websites or documents as knowledge sources. Controls what the agent "knows". Free PPAC DLP.
PPAC > DLP Policies [Tenant/Env]
DLP Policies
DLP — Auth Control
E3
Disables "No Auth" and "Generic OAuth" — enforces Entra ID authentication for all agents in the environment. Free PPAC DLP.
PPAC > DLP Policies [Tenant/Env]
DLP Policies
DLP — HTTP & Event Triggers
E3
Blocks HTTP calls (exfiltration risk) and autonomous event-driven triggers. Critical for autonomous agents in production. Free PPAC DLP — but HTTP/premium connectors need premium PA licensing to run.
PPAC > DLP Policies [Tenant/Env]
DLP Policies
ALM Pipeline (Dev/Test/Prod)
PP Premium
Versioned, controlled agent deployment. In-product pipelines or Azure DevOps / GitHub Actions. Requires Managed Environments.
PPAC > Pipelines | Azure DevOps
PP Pipelines
CoE Starter Kit
E3
Inventory of all PP/CS agents in tenant, usage reporting, governance workflows. Open-source, free. Requires Power BI.
GitHub: microsoft/coe-starter-kit | Power BI
CoE Kit
Licensing & consumption — what actually gates an agent
Copilot Chat vs M365 Copilot
E3 · Copilot
Copilot Chat (free) for all M365 users: web-grounded chat + web-knowledge agents. M365 Copilot ($30) adds work-data grounding, app Copilot and included agent usage. The licence decides grounding, not whether agents exist.
M365 Admin Center > Copilot > Settings
Copilot overview
Copilot Studio billing — Credits / PAYG
Copilot · Azure
Agents on org data / premium features consume Copilot Credits. Buy capacity packs (25,000 credits/mo, prepaid) or use pay-as-you-go. As of 4/2026, prepaid packs no longer need an Azure subscription.
M365 Admin Center > billing | PPAC > billing policy
CS billing
CS PP add-on (external channels)
CS PP add-on
Standalone Copilot Studio — required for external/customer-facing channels (web, Direct Line), Customer Engagement Agents and autonomous tenant-wide scenarios. Capacity / message billing.
PPAC > Copilot Studio capacity
CS licensing
Power Automate — Free vs Premium connectors
E3 (std) · Premium
Seeded/Free PA covers standard connectors only. Premium & custom connectors (HTTP, SQL, Azure, 3rd-party) and attended RPA need Power Automate Premium (~$15/user). Agents calling premium connectors inherit this requirement.
PPAC | Power Automate > Licenses
PA licensing
Power Automate Process / Hosted (RPA)
Capacity
Capacity licences for unattended flows/bots regardless of user licence — Process (~$150/flow) and Hosted Process (Microsoft-hosted RPA). Needed for autonomous agents that run desktop/unattended automation.
PPAC > Environment capacities
Process licences
AI Builder credits
Capacity
AI actions (form processing, classification, prediction) consume AI Builder service credits. Premium PA includes 5,000/mo; heavier use needs add-on credit packs.
PPAC > Capacity > AI Builder
PP add-ons
Managed Environments
PP Premium
Advanced controls: sharing restrictions, Maker Welcome Message, environment group policies, block unmanaged solutions. Requires premium Power Platform licensing (incl. PA Premium / Managed Env entitlement).
PPAC > Environment Groups [Env]
Managed Env.
Admin centers: SPO Admin Center + SAM. Most SAM features unlock once at least one Copilot M365 licence is assigned in the tenant (since 2025); a few need the standalone SAM Plan 1 add-on. Key principle: Copilot reads what the user can already see — oversharing is a direct AI risk, and SAM is the toolkit to find and contain it (applies to SharePoint and OneDrive).
SharePoint Advanced Management (SAM) — Copilot readiness & oversharing
SPO Copilot agents
Copilot
Agents bound to a specific SPO site or library. Inventory in Agent 365 Registry (E7) or M365 Admin Center.
M365 Admin Center > Agents > Registry | SAM
SharePoint Agents
Restricted Access Control (RAC)
Copilot
Restricts a site (SPO or OneDrive) to specific groups. Copilot / agents cannot read outside the allowed scope — primary oversharing defence.
SPO Admin > SAM > RAC (or site admin)
RAC
Restricted Content Discovery (RCD)
Copilot
Hides site content from Copilot, agents and org-wide search without changing access permissions. Complements RAC for "accessible but not discoverable" content.
SPO Admin > SAM > RCD
RCD
Restricted SharePoint Search (RSS)
Copilot
Tenant-wide "safety net": limit org search & Copilot grounding to an allow-list of up to 100 curated sites while you remediate the rest. Temporary measure during rollout.
SPO Admin > Settings > Restricted SharePoint Search
RSS
Data Access Governance (DAG) reports
Copilot
Snapshot + activity reports: "Anyone"/org-wide sharing links, "Everyone except external users" (EEEU), sensitivity-labelled files, permission state. Finds the highest-risk sites for Copilot.
SPO Admin > Reports > Data access governance
DAG Reports
Site Lifecycle Management
Copilot
Policies to detect inactive sites and notify owners / archive / restrict. Stale content degrades Copilot answers — lifecycle hygiene = answer quality.
SPO Admin > Policies > Site lifecycle management
Site Lifecycle
Site Ownership Policies
Copilot
Ensure every site has accountable, valid owners (auto-attestation, ownerless-site policy). Ownership is the prerequisite for any access-review or remediation.
SPO Admin > Policies > Site ownership
SAM features
Block Download Policy
Copilot
View-only access on a site — users (and anything acting as them) can open but not download/sync/print. Limits exfiltration of sensitive content surfaced via AI.
SPO Admin > SAM > Block download (PowerShell)
Block download
Change History & site monitoring
Copilot
Reports on setting/permission changes per site, plus "compare site policies" to spot sites with similar content but inconsistent security. Audit trail for governance.
SPO Admin > Reports > Change history
SAM reports
Conditional Access for sites
E5
Authentication-context CA on a site (MFA, compliant device, managed network) — controls the conditions under which content (and Copilot grounding on it) is reachable. Needs Entra P2.
SPO Admin > site > Conditional access | Entra
CA for Sites
Restricted Site Creation
SAM standalone
Restrict who can create new sites by group. Not in the Copilot-included SAM set — requires the standalone SAM Plan 1 add-on.
SPO Admin > Settings (standalone SAM)
Restricted Site Creation
Information protection (Purview)
Sensitivity Labels (manual)
E3
Label files and sites. Copilot honours labels when displaying and citing content, and inherits the most restrictive label on generated output. Foundation for AI content protection.
Purview > Information Protection > Labels
Sensitivity Labels
Auto-labeling
E5
Automatic file labelling based on content. Rules-based classification (E5) or ML-assisted trainable classifiers. Scales protection beyond manual effort.
Purview > Information Protection > Auto-labeling
Auto-labeling
Default library labels
E5
Apply a default sensitivity label to all new files in a document library, so newly created/AI-generated content is protected by design.
Purview / SPO library settings
Library default label
This page covers the full governance picture — operating model, the security & audit tooling that enforces it (E3→E5→E7), and the concrete configuration reference. Control plane: Copilot Control System (CCS) in M365 Admin Center, complemented by PPAC (Power Platform / Copilot Studio) and SAM (SPO content). Structure follows the Power CAT Copilot Studio Governance & Security Guide.
Project lifecycle — Power CAT guide
1 — Discovery & Planning
Align · Classify · Budget
Stakeholder & compliance alignment (GDPR/HIPAA), data residency & retention, target scenarios, classify data sources, naming & disclaimer standards, licence/capacity assessment.
2 — Architecture & Design
Isolate · Secure · Decide
Env strategy (Dev/Test/Prod) + per-env DLP, tenant hardening (Lockbox, IP firewall, Private Link), CA/MFA/RBAC, least privilege, orchestration & agent-type choices.
3 — Build & Integration
Compose · Validate
Shared components, custom instructions/prompts, validate connectors against DLP per env, Managed Environments & groups, agent-level settings, heed security warnings.
4 — Testing, Deploy & Launch
Prove · Ship
Power CAT kit scenario tests, CI/CD via Azure DevOps/GitHub, DLP & RBAC validation, Azure resource review, prod knowledge sources, telemetry (App Insights/AKV), CoE Kit.
5 — Monitoring & Optimisation
Watch · Improve
Analytics dashboards, Sentinel alerts, Purview audit, transcript & content moderation, PPAC security page, user feedback, quarterly reviews, capacity monitoring.
Governance foundations
Naming Conventions
E3
Agent and solution naming standards (e.g. Contoso-HR-Agent-v1 / ContosoCopilot solution). Solution naming prevents non-prod solutions reaching prod via ALM. The CoE defines and enforces the standard.
Internal standard | PPAC solution naming
CS Governance
Agent Owner & Accountability
E3 (E7 auto)
Every agent must have an assigned owner. Ownership as a principle is process (E3); automated Missing Owner alerts come via CCS (Copilot) and the Agent 365 Missing Owner report (E7).
M365 Admin Center > Agents > Registry > Missing Owner
Manage Agents
CCS Publisher-Type Rules
E3
Allow or block agents by publisher: Microsoft / Your org / External. Basic reach control without a Copilot licence.
M365 Admin Center > Copilot > Settings > Agents
CCS Overview
CCS Agent Policies (IFTTT)
Copilot
Governance automation: "if agent has no owner, deactivate" etc. Reduces manual overhead. Full functionality with Copilot add-on.
M365 Admin Center > Copilot > Settings > Agent policies
Agents admin guide
Responsible AI Disclaimers
E3
Every agent must include a disclaimer in the conversation start topic. Document a shared template. Org standard per Power CAT guide.
CS > Agent > Topics > Conversation Start
CS Governance
Shared Components & Custom Instructions
E3
Mandatory reusable entities (knowledge, topics, component collections) and governed custom instructions/prompt templates (e.g. "don't reference competitors"). Drives consistency.
CS > Component collections | Agent instructions
CS Governance
Entra ID Conditional Access
E3
MFA, compliant device, named location. Foundation for all agents authenticated via Entra ID. MFA globally recommended.
Entra Admin Center > Protection > Conditional Access
Conditional Access
RBAC, Least Privilege & Service Accounts
E3
Power Platform RBAC via security groups (admin/maker/end-user). Restrict agents to essential data sources; use a service principal for prod deployment & custom-connector auth.
PPAC > Environments > Security roles
PP RBAC
Tenant & environment hardening
E5 · Azure
Customer Lockbox (E5); Dataverse auditing; IP firewall & IP cookie binding (Managed Environments / PP premium); Azure Private Link / service endpoints (Azure) to minimise public exposure of agent endpoints.
PPAC + Azure (Private Link) + Purview (Lockbox)
IP cookie binding
Access Reviews (Entra)
E5
Periodic review of user access to agents, app registrations, and privileged roles. Key for agent lifecycle governance.
Entra Admin Center > ID Governance > Access Reviews
Access Reviews
Entra App Registration Audit
E3
Regular review of all app registrations and OAuth consent grants. Detects unauthorised or abandoned applications and bots.
Entra Admin Center > App registrations | Purview Audit
App Permissions
Transcript retention & export
E3 · Azure
Conversation transcripts sit in the Dataverse transcripts table, 30-day default retention. Extend retention, or export raw transcripts to Azure Data Lake Gen2 via Synapse Link for cheaper long-term storage.
Dataverse > Conversation transcripts | Synapse Link
Transcripts
Content moderation
E3
Track the count of blocked queries as part of Responsible AI. Tune moderation level per agent and monitor effectiveness over time.
PPAC > Copilot page (blocked queries)
CS Governance
Copilot Data Collection & Feedback
E3
Tenant settings to allow or block sharing of prompts/requests and user feedback with Microsoft. Set per your privacy and data-handling policy.
PPAC > Settings (tenant)
Copilot data
PPAC unified security page
E3
Single pane for tenant, environment and agent security posture, with greater visibility and one-click controls. Pair with Action Center (Advisor) + Copilot center recommendations.
PPAC > Security | Action Center (Advisor)
PP Security
Quarterly Governance Review
E3
Reassess DLP settings, env config, agent inventory, ownership and compliance posture at least quarterly per Power CAT guide.
PPAC + M365 Admin Center + Purview + CoE Kit
CoE Kit
Microsoft Secure Score
E3
Measures overall tenant security posture. Includes Copilot and agent governance recommendations. Useful as a KPI for the governance team.
Defender Portal > Secure Score
Secure Score
Agent 365 Registry & Map
E7
The inventory & ownership foundation: every agent discovered, named, owned and risk-scored; visual Agent Map; cross-cloud Registry Sync (Bedrock, Vertex AI, Salesforce, Databricks).
M365 Admin Center > Agents > Registry / Map
Agent Registry
Agent Identity Governance
E7
Lifecycle workflows and access reviews for agent identities via Entra ID Governance — provisioning to retirement, ML-assisted reviews.
Entra Admin Center > ID Governance (agents)
Agent ID Gov.
Agent Lifecycle automation
E7
Automated governance actions across the fleet — deactivate/retire inactive or orphaned agents, act on missing-owner and risk signals.
M365 Admin Center > Agents > Governance actions
Agent Actions
Agent Policy Templates
E7
Reusable allow/block policy templates applied consistently across many agents — standardises governance instead of per-agent config.
Agent 365 admin > Policy templates
Policy Templates
Agent Tool Controls
E7
Govern which tools / MCP connectors an agent is allowed to call — per-agent control of the action surface.
M365 Admin Center > Agents > Tool controls
Tool Controls
Security & audit tooling — by licence tier
The controls above are the operating model; the tooling that enforces it layers by licence: E3 baseline, E5 advanced (Purview/Defender/Entra P2), E7 agent-specific data & threat protection.
E3 baseline
DLP on Copilot prompts
E3
Blocks sensitive data (credit card numbers, SSNs...) in prompts sent to Copilot or agents. E3 baseline.
Purview > DLP > Policies
DLP & Copilot
Audit (Standard)
E3
Unified audit log of user/admin activity incl. Copilot interaction events. ~180-day retention. Baseline forensic trail for AI usage.
Purview > Audit > Search
Audit Standard
Shadow AI page (Agent 365)
E3
Local AI agents on managed devices. Intune policy to block execution. Public preview 6/2026. Powered by Defender + Intune.
M365 Admin Center > Agent 365 > Shadow AI
Agent 365
Microsoft Sentinel
E3 · Azure
Custom detections for CS/Copilot events. KQL queries for anomalous AI behaviour. E5 includes Sentinel data ingestion benefit.
Azure Portal > Microsoft Sentinel
Sentinel
Defender for Endpoint P1
E3
Next-gen AV, attack surface reduction, device control. Foundation for endpoint AI-domain controls (P2 adds EDR/hunting in E5).
Defender Portal > Endpoints
MDE P1
E5 advanced tools
Endpoint DLP (block AI domains)
E5
Blocks upload of sensitive data to unsanctioned AI services (ChatGPT.com, Gemini...) at the endpoint, regardless of browser.
Purview > DLP > Endpoint policies | MDE
Endpoint DLP
DSPM for AI
E5
Oversharing risk assessment, item-level investigation. Identifies the most exposed data before AI deployment.
Purview > DSPM for AI
DSPM for AI
Insider Risk Management
E5
Correlates risky user activity (mass download, risky AI usage, departing employees) into investigatable cases. E5 / E5 Compliance.
Purview > Insider Risk Management
IRM
Communication Compliance
E5
Detects policy violations in messaging (Teams, Exchange, Copilot prompts). Surfaces inappropriate or risky AI interactions. E5.
Purview > Communication Compliance
Comm Compliance
Audit (Premium)
E5
Long-term retention (1 yr default, extendable to 10), high-value events (e.g. MailItemsAccessed) and richer Copilot audit detail.
Purview > Audit (retention policies)
Audit Premium
Defender for Cloud Apps
E5
Shadow IT discovery: who uses which AI tools. OAuth app governance. Sanctioned / unsanctioned apps. Conditional blocking.
Defender Portal > Cloud Apps
MDCA Shadow IT
Security Copilot
E5
AI assistant for security teams — Defender, Entra, Intune, Purview integration. Rolling into E5 at no extra cost (from 4/2026), metered SCUs.
Defender Portal | Purview | Entra
Security Copilot
Entra ID P2 (PIM, Risk CA)
E5
Privileged Identity Management, risk-based Conditional Access, ID Protection. Full identity security for agent admins.
Entra Admin Center > ID Governance | Protection
Entra P2
E7 — agent-specific governance (Agent 365 + Entra Suite)
Agent DLP
E7
DLP policy scoped to individual agents — controls what data a specific agent may surface or transmit, beyond user-level DLP.
Purview > DLP (agent scope)
Purview for AI
Agent DSPM
E7
Per-agent data security posture: which agent touches which sensitive data, oversharing exposure mapped to the agent itself.
Purview > DSPM for AI (agent view)
Agent DSPM
Agent Insider Risk Management
E7
Treats agents as risk subjects — detects anomalous agent behaviour and correlates it with the owning identity.
Purview > Insider Risk Management (agent)
Agent IRM
Agent Communication Compliance
E7
Monitors agent-generated and agent-mediated messages for policy violations — agent equivalent of Comm Compliance.
Purview > Communication Compliance (agent)
Agent Comm Compl.
Agent Conditional Access
E7
CA policies that target an agent's Entra Agent ID — location, device, risk and session controls applied per agent.
Entra Admin Center > Conditional Access (Agent ID)
Agent CA
Agent ID Protection
E7
Risk detections for agent identities (risky agents). Feeds risk-based CA and remediation, mirroring user ID Protection.
Entra Admin Center > ID Protection (risky agents)
Agent ID Prot.
Agent MDCA Integration
E7
Defender for Cloud Apps + Defender XDR map agent ↔ device ↔ MCP/tool relationships and detect agent threats.
Defender Portal > Cloud Apps / XDR
Agent MDCA
Agent Global Secure Access
E7
Entra Internet/Private Access secures and inspects agent outbound traffic — AI web gateway controls for agents.
Entra Admin Center > Global Secure Access
Agent GSA
Copilot Studio configuration settings — by level (Power CAT)
Tenant and DLP-level controls are free Power Platform governance. DLP-level settings can be scoped tenant-wide or per environment. Reference: Copilot Studio security & governance.
Tenant-level — PPAC → Settings / Capacity (Power Platform Admin)
Setting | Purpose | Location
Trial License Control | Block free trial sign-ups without admin permission | Azure PowerShell
Control Agents with AI Features | Block generative AI (LLM) usage in Copilot agents tenant-wide | PPAC → Settings
Copilot Studio Authors Control | Restrict who can author agents to a security group | PPAC → Settings
Environment Routing | Route makers to specific environment groups (own Dev env) | PPAC → Settings
AI Builder Credits Control | Decide whether tenant-level AI credits can be used by environments | PPAC → Settings
Copilot Data Collection | Enable or block sharing prompts/requests with Microsoft | PPAC → Settings
Copilot Feedback Control | Enable or block user feedback to Microsoft | PPAC → Settings
Message Capacity | Allocate Copilot message capacity to each environment | PPAC → Capacity
Tenant or Environment — via DLP policies (PPAC → DLP Policies)
Setting | Purpose | Location
Telemetry / App Insights Control | Block agent makers from connecting to Application Insights | PPAC → DLP Policies
Authentication Control | Disable "No-Auth" & "Generic OAuth" as agent auth providers | PPAC → DLP Policies
Channel Control | Block channels: Direct Line, Facebook, M365/Teams, Omnichannel | PPAC → DLP Policies
Knowledge Source Control | Block SharePoint, OneDrive, documents or public websites as knowledge | PPAC → DLP Policies
Skills Control | Block makers from using Skills in Copilot Studio | PPAC → DLP Policies
HTTP Requests Control | Prevent HTTP requests to reduce data-exfiltration risk | PPAC → DLP Policies
Event Triggers Control (autonomous) | Block autonomous / event-driven agent triggers | PPAC → DLP Policies
Environment-level — PPAC → Environment (Environment Admin)
Setting | Purpose | Location
Generative AI Control (Bing Search) | Allow or block Bing Search grounding in agents | Environment → Generative AI
AI Prompts Control | Enable or block AI prompts in Power Platform | Environment → Features
Copilot in Power Apps | Enable or block Copilot in Power Apps | Environment → Features
Block Solutions w/ Unmanaged Custom. | Prevent importing unmanaged customizations | Environment → Features
Sharing Agents (Editor / Viewer) | Manage whether agents can be shared with Editor/Viewer roles | Environment Groups (Managed Env)
Environment Auditing | Enable auditing in production environments | Environment → Settings → Auditing
Maker Welcome Message | Display privacy / compliance message to makers | Environment Groups (Managed Env)
Agent-level — within Copilot Studio (Agent Author)
Setting | Purpose | Location
Agent Authentication | Configure No Auth / Entra ID / Certificates | CS → Agent → Settings → Security
Agent Web Channel Security | Manage secrets / tokens for the Direct Line web channel | CS → Agent → Settings → Security
Inspired by the M365 Maturity Model (MM4M365). Five levels — each builds on the previous. Use this to assess your current state and plan the next step. Licence requirements shown per capability.
100 — Initial
Ad hoc · Chaotic · Reactive
No formal governance. Agents appear spontaneously. No inventory, no owners, no policy. IT firefights incidents.
200 — Managed
Routine · Variable · Siloed
Some processes defined but inconsistently applied. Partial inventory. Ownership informal. Shadow AI widespread.
300 — Defined
Documented · Controlled · Stable
Policies documented and enforced. Inventory maintained. Owners assigned. DLP and audit active. COE established.
400 — Predictable
Measured · Effective · Adaptable
Metrics tracked. Governance automated via CCS/PPAC policies. Risk posture measured. Regular reviews with evidence.
500 — Optimising
Systematic · Proactive · Assured
Continuous improvement. Agent-specific governance across identity, compliance, security. Cross-cloud visibility. Full lifecycle automation.
| Dimension | 100 — Initial | 200 — Managed | 300 — Defined | 400 — Predictable | 500 — Optimising |
|---|---|---|---|---|---|
| Inventory & Discovery | No inventory. Agents unknown to IT. | Partial list in a spreadsheet. Some agents discovered reactively. | TAC + PPAC CoE Kit inventory. All agents registered, named, owned. [E3] | Agent 365 Registry with automated discovery. Missing-owner alerts. [Copilot] | Agent Map + Registry Sync across M365, Azure and partner ecosystems, in real time. [E7] |
| Naming & Ownership | No standards. Agents named ad hoc. No clear owner. | Informal ownership. Some naming patterns emerging per team. | Naming convention enforced (e.g. Contoso-HR-Agent-v1). Owners documented. [E3] | Ownership enforced via CCS policy. Orphaned agents auto-flagged. [Copilot] | Agent Identity Governance: lifecycle workflows, ML-assisted access reviews. [E7] |
| Publishing Control | Anyone can publish to any channel. No approval process. | Informal review. Some channels blocked reactively after incidents. | PPAC DLP blocks channels, auth providers and knowledge sources by policy. TAC app permission policies. [E3] | CCS publisher-type rules. Agent policies automate allow/block decisions. [Copilot] | Agent Tool Controls. Full channel governance with Entra CA integration per agent. [E7] |
| Data Protection | No DLP. Sensitive data freely accessible to agents. | Sensitivity labels manually applied to some content. DLP rules exist for email only. | DLP on Copilot prompts. Sensitivity labels on SPO. SAM oversharing assessment run. [E3 + SAM with Copilot] | DSPM for AI. Auto-labelling. Endpoint DLP blocks uploads to AI domains. [E5] | Agent DLP + Agent Information Protection. Per-agent data classification policy. [E7] |
| Identity & Access | Agents run with shared or no credentials. No MFA. | Some agents use Entra ID. MFA partially enforced. No PIM for admins. | Entra ID P1: Conditional Access + MFA enforced globally. Agent auth policy via PPAC DLP. [E3] | Entra ID P2: PIM, risk-based CA, Access Reviews for agent roles. [E5] | Agent Conditional Access + Agent ID Protection. Entra Agent ID for all agents. Identity Governance lifecycle. [E7] |
| Audit & Monitoring | No logging. Incidents discovered by users, not IT. | Basic M365 activity reports. Audit Standard enabled but rarely reviewed. | Audit Standard + Purview Activity Explorer for AI. App Insights on CS agents. Sentinel rules for CS events. [E3 + Azure sub.] | Audit Premium (1-year retention by default, up to 10 years with the retention add-on). Copilot Dashboard. DSPM risk reports. Regular review with metrics. [E5] | Agent Usage Insights (advanced). Agent DSPM. Agent IRM. Defender context mapping agent–device–MCP. [E7] |
| Shadow IT & External AI | No visibility. Unknown AI tools in use across the org. Meeting bots join unchallenged. | MDCA occasionally checked. Some AI tools manually blocked via web filter. | Shadow AI page in Agent 365 (E3, preview). TAC meeting-bot detection. Entra OAuth consent audit. [E3] | Full MDCA: shadow-IT discovery, OAuth app governance, sanctioned-app catalogue. Endpoint DLP blocks AI domains. [E5] | Agent MDCA Integration. Defender context mapping. Cross-cloud registry sync (AWS Bedrock, GCP). [E7] |
| ALM & Lifecycle | No versioning. Prod changes made directly. No rollback. | Manual exports as backup. Dev/Prod somewhat separated but inconsistently. | PPAC environment isolation (Dev/Test/Prod). CoE Kit tracks solutions. Basic ALM. [E3] | In-product pipelines / Azure DevOps CI/CD. Managed Environments. Staged rollout. [PP Premium] | Agent Lifecycle Management via Agent 365. Policy templates. Automated retirement of inactive agents. [E7] |
| People & Process | No training. No COE. No responsible-AI framework. IT handles ad hoc requests. | Some awareness of risks. No formal COE. | COE established. Naming, disclaimer and approval process documented. Quarterly governance review. [E3] | COE runs CoE Starter Kit dashboards. Training programme active. Secure Score as KPI. [E3] | Continuous improvement loop. Feedback to agent owners. Responsible AI embedded in the SDLC. Metrics drive investment. [E3] |
Decision roadmap — where to start by licence
First locate yourself in the maturity grid above, then use this roadmap to pick concrete next actions. Answer three questions: what is your licence, what is your immediate goal, and what is your risk tolerance. Each path below maps to concrete first actions.
Start here: the org wants to govern AI agents in M365. First question: what is your current M365 licence?
Path A — E3 only (no Copilot add-on)
1. Immediate: lock down the perimeter. Block all external-publisher agents in TAC. Enable CCS publisher-type rules. Audit Entra app registrations and enterprise apps for OAuth consent: which apps hold delegated or application permissions on Graph data, and whether the consent was tenant-wide (admin) or per user.
   Where: TAC; M365 Admin > CCS; Entra
2. Enable baseline DLP. Configure DLP policies for Exchange, SharePoint and OneDrive (Teams chat DLP needs E5). Apply sensitivity labels to sensitive SPO sites. Run an oversharing assessment (requires the SAM standalone add-on, or wait for Copilot).
   Where: Purview > DLP
3. Deploy the CoE Starter Kit. Build an inventory of all Power Platform solutions and agents in the tenant. Define naming conventions and assign owners.
   Where: PPAC + CoE Kit
4. Set up PPAC DLP policies. Block generative AI features in CS that you have not approved (e.g. Bing Search grounding). Restrict CS authoring to a security group. Block unauthenticated (No-Auth) agents. This prevents ungoverned agent creation even if no CS licence is held today.
   Where: PPAC > Settings; PPAC > DLP
5. Establish a governance process. Document the agent approval flow. Set a quarterly review cadence. Define a responsible-AI disclaimer template. Publish it to IT and makers.
   Where: internal process
Gaps on E3 only: no SAM (oversharing blind spot), no full MDCA (only basic cloud app discovery, so limited shadow-IT visibility), no Audit Premium, no Endpoint DLP. Meeting bots go undetected until the Bot Detection rollout (5–6/2026). Maturity ceiling: ~200–250.
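Step 1 of Path A ("audit Entra app registrations for OAuth consent") is the one E3-only control that gives visibility into third-party AI tools already reading mail, files and chats through Graph. The script below is an added example, not code from the page or from Microsoft. It uses the real Microsoft Graph PowerShell cmdlets Connect-MgGraph, Get-MgOauth2PermissionGrant and Get-MgServicePrincipal; the watch-list of high-impact scopes and the review ordering are assumptions you should tune.

```powershell
# Added example (not from m365maps.com): enumerate OAuth2 delegated permission grants and
# flag the ones that give an app broad access to the data Copilot and agents ground on.
# Requires: Install-Module Microsoft.Graph (Identity.SignIns + Applications sub-modules)
# Directory.Read.All covers oauth2PermissionGrants; Application.Read.All covers service principals.

Connect-MgGraph -Scopes 'Directory.Read.All','Application.Read.All' -NoWelcome

# Assumption: delegated scopes worth a manual review when granted to a non-Microsoft app
$HighImpactScopes = 'Mail.Read','Mail.ReadWrite','Files.Read.All','Files.ReadWrite.All',
                    'Sites.Read.All','Sites.ReadWrite.All','User.Read.All','Directory.Read.All',
                    'Chat.Read','Chat.ReadWrite','MailboxSettings.ReadWrite'

# Cache service-principal lookups so we do not call Graph once per grant
$spCache = @{}
function Get-SpLabel([string]$id) {
    if (-not $spCache.ContainsKey($id)) {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $id -Property DisplayName,AppId,PublisherName -ErrorAction SilentlyContinue
        $spCache[$id] = if ($sp) { "$($sp.DisplayName) [appId $($sp.AppId); publisher: $($sp.PublisherName)]" }
                        else     { "<deleted service principal $id>" }
    }
    $spCache[$id]
}

$report = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $scopes = @(($_.Scope -split '\s+') | Where-Object { $_ })
    $risky  = @($scopes | Where-Object { $HighImpactScopes -contains $_ })
    [pscustomobject]@{
        Client      = Get-SpLabel $_.ClientId        # the app that received consent
        Resource    = Get-SpLabel $_.ResourceId      # usually Microsoft Graph
        ConsentType = $_.ConsentType                 # 'AllPrincipals' = admin consent for the whole tenant
        Principal   = if ($_.PrincipalId) { $_.PrincipalId } else { '(all users)' }
        RiskyScopes = ($risky -join ' ')
        ScopeCount  = $scopes.Count
    }
}

# Review order: tenant-wide grants with risky scopes first, then the widest user grants
$report | Where-Object { $_.RiskyScopes } |
    Sort-Object @{ Expression = { $_.ConsentType -eq 'AllPrincipals' }; Descending = $true },
                @{ Expression = 'ScopeCount'; Descending = $true } |
    Format-Table Client, ConsentType, Principal, RiskyScopes -AutoSize
```

Delegated grants are only half the picture: application permissions (app-role assignments) bypass user consent entirely and are read with Get-MgServicePrincipalAppRoleAssignment per service principal. Revoking a grant (Remove-MgOauth2PermissionGrant) does not invalidate refresh tokens already issued, so pair a revocation with Revoke-MgUserSignInSession for affected users or a password/token reset for the app.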
Path B — E3 + Copilot M365 (wanting to enable agents)
1. Before enabling Copilot for users. Run the SAM oversharing assessment first. Apply Restricted Access Control (RAC) or Restricted Content Discovery (RCD) to sensitive SPO sites. Set up sensitivity labels on critical content. Do not skip this step.
   Where: SPO Admin > SAM; Purview > Labels
2. Configure CCS fully. Set publisher-type rules. Define which groups can create agents. Set org-wide sharing-link permissions. Activate CCS agent policies for automation (e.g. orphaned-agent deactivation).
   Where: M365 Admin > CCS
3. PPAC DLP for CS agents. Channel control (Teams only; block Direct Line and Facebook). Block HTTP requests. Block No-Auth. Block public-web knowledge sources unless approved. Isolate Dev/Test/Prod environments.
   Where: PPAC > DLP; environment routing
4. Use the Agent 365 Registry. Register all agents. Assign owners. Review the Agent Map. Set up missing-owner alerts. Monitor usage via the Copilot Dashboard.
   Where: M365 Admin > Agents
5. Add Sentinel + App Insights. Ingest the Purview audit log into Sentinel. Create detection rules for unusual CS agent activity (per-user volume spikes, off-hours use, newly published channels). Add App Insights to all production CS agents.
   Where: Sentinel + Azure
Gaps vs E5: no full MDCA shadow-IT discovery, no Endpoint DLP (AI-domain blocking), no Audit Premium (Audit Standard retains 180 days), no DSPM for AI, no Teams DLP, no IRM, no PIM for admins. Maturity ceiling: ~300–350.
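Step 5 of Path B asks for detection rules over the audit log before Sentinel is in place. The script below is an added example, not code from the page or from Microsoft: it implements one such rule, a per-user volume baseline with an off-hours check, over records in the shape Search-UnifiedAuditLog returns (CreationDate, UserIds, Operations). The input is constructed inline so the script runs offline; the live call shown in the comment, the RecordType name and all thresholds are assumptions to confirm against your tenant. The same logic ports directly to a KQL analytics rule once the log is in Sentinel.

```powershell
# Added example (not from m365maps.com): baseline-and-spike detection for Copilot/agent
# interaction audit records. Live input would come from the Purview unified audit log, e.g.
#   Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-15) -EndDate (Get-Date) `
#       -RecordType CopilotInteraction -ResultSize 5000        # RecordType name: assumption
# Live CreationDate values are UTC; convert to local time before the off-hours test.
# Only the output columns CreationDate, UserIds and Operations are used below.

function Get-ConstructedAuditRecords {
    # Constructed sample: bob is steady; alice is steady for 14 days, then spikes on day 15,
    # including 20 interactions between 02:00 and 04:59.
    $records = New-Object System.Collections.Generic.List[object]
    $start = (Get-Date).Date.AddDays(-14)
    foreach ($d in 0..14) {
        $day = $start.AddDays($d)
        $perUser = @{ 'alice@contoso.com' = $(if ($d -eq 14) { 80 } else { 10 }); 'bob@contoso.com' = 8 }
        foreach ($u in $perUser.Keys) {
            foreach ($i in 1..$perUser[$u]) {
                $hour = if ($d -eq 14 -and $u -like 'alice*' -and $i -gt 60) { 2 + ($i % 3) } else { 8 + ($i % 10) }
                $records.Add([pscustomobject]@{
                    CreationDate = $day.AddHours($hour).AddMinutes($i % 60)
                    UserIds      = $u
                    Operations   = 'CopilotInteraction'
                })
            }
        }
    }
    $records
}

function Find-AgentActivityAnomalies {
    param(
        [Parameter(Mandatory)] [object[]]$Records,
        [double]$Sigma = 3,      # z-score threshold (assumption)
        [int]$MinSpike = 20,     # floor so tiny baselines do not alert on noise (assumption)
        [int]$OffHoursMin = 5    # alert at this many interactions between 22:00 and 05:59 (assumption)
    )
    $latestDay = $Records | ForEach-Object { $_.CreationDate.Date } | Sort-Object -Descending | Select-Object -First 1

    foreach ($userGroup in ($Records | Group-Object UserIds)) {
        $counts = @{}; $offHours = 0
        foreach ($r in $userGroup.Group) {
            $day = $r.CreationDate.Date
            $counts[$day] = [int]$counts[$day] + 1
            if ($day -eq $latestDay -and ($r.CreationDate.Hour -ge 22 -or $r.CreationDate.Hour -lt 6)) { $offHours++ }
        }
        # Baseline = every earlier day; detection day = the latest day in the data set
        $baseline = @($counts.Keys | Where-Object { $_ -lt $latestDay } | ForEach-Object { $counts[$_] })
        $today    = [int]$counts[$latestDay]
        if ($baseline.Count -eq 0) { $mean = 0.0; $sd = 0.0 }
        else {
            $mean = ($baseline | Measure-Object -Average).Average
            $sd   = [math]::Sqrt((($baseline | ForEach-Object { ($_ - $mean) * ($_ - $mean) }) | Measure-Object -Sum).Sum / $baseline.Count)
        }
        $threshold = [math]::Max($mean + $Sigma * $sd, $MinSpike)

        $reasons = @()
        if ($today -gt $threshold)     { $reasons += "volume $today vs baseline mean $([math]::Round($mean,1)), threshold $([math]::Round($threshold,1))" }
        if ($offHours -ge $OffHoursMin) { $reasons += "$offHours off-hours interactions" }
        if ($reasons) {
            [pscustomobject]@{ User = $userGroup.Name; Day = $latestDay.ToString('yyyy-MM-dd'); Today = $today; Reasons = ($reasons -join '; ') }
        }
    }
}

# On the constructed data only alice is reported: 80 vs a mean of 10, plus 20 off-hours interactions.
Find-AgentActivityAnomalies -Records (Get-ConstructedAuditRecords) | Format-Table -AutoSize
```

A spike alone is often a legitimate rollout or a demo; the value is in correlating it with the agent's App Insights traces and the DLP events for the same user before escalating. Keep the baseline window at least two weeks so weekday/weekend rhythm is inside it.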
Path C — E5 (+ Copilot) or planning E7
1. Complete all Path B steps first. E5 builds on a solid E3 + Copilot foundation; DSPM and MDCA are only effective once DLP and labelling are in place.
   Where: Path B prerequisite
2. Enable DSPM for AI. Run the data security posture assessment. Identify the highest-risk AI interactions. Use item-level investigation to remediate before expanding the Copilot rollout.
   Where: Purview > DSPM for AI
3. Activate MDCA for shadow IT. Discover all AI tools in use. Build a sanctioned-app catalogue. Configure OAuth app governance. Set session policies for high-risk AI apps.
   Where: Defender portal > Cloud Apps
4. Deploy Endpoint DLP + IRM. Block uploads of sensitive data to unsanctioned AI domains. Enable Insider Risk Management with AI activity correlation.
   Where: Purview > Endpoint DLP; Purview > IRM
5. Enable PIM + Access Reviews. JIT privileged access for all agent admins. Quarterly access reviews for agent roles and app registrations. Risk-based Conditional Access.
   Where: Entra ID P2
6. If planning E7: prepare now. Ensure Entra Agent IDs are assigned to all custom agents. Design the agent identity governance model. Map agent-to-data relationships before Agent DSPM goes live. Evaluate the Agent 365 preview programme.
   Where: E7 readiness
E7 unlocks: Agent 365 (Registry, Map, Lifecycle, Tool Controls), Agent DLP, Agent DSPM, Agent IRM, Agent Comm Compliance, Agent Conditional Access, Agent Identity Governance, Agent MDCA Integration, Agent Global Secure Access, Entra Suite. Maturity 400–500.
Quick self-assessment — where are you today?
- Do you know how many agents are active in your tenant? No: Level 100. Partially: Level 200. Yes, in a registry: Level 300+.
- Is there a documented approval process for publishing agents? No: Level 100. Informal: Level 200. Documented and enforced: Level 300+.
- Can you show which AI tools users are accessing outside M365? No: Level 100–200. Partial (web filter only): Level 200. Yes, via MDCA: Level 400.
- Are governance actions automated (e.g. orphaned-agent deactivation)? No: Level 100–200. Some scripts: Level 300. CCS/PPAC policies: Level 400+.
- Do you have per-agent DLP, DSPM and identity governance? No: Level 100–300. E5 tooling active: Level 400. Agent-specific (E7): Level 500.
Key: Available / Partial (add-on) / Not available. Licence tags: E3, Copilot M365, E5, E7, CS, PP add-on, Azure sub.