Manage access to agents in SharePoint

Agents in SharePoint, powered by AI, help users quickly find information and insights on SharePoint sites, pages, and document libraries. Agents in SharePoint access your organization's data the same way Copilot in other Microsoft 365 apps does, responding to users based on their access permissions to the data. As a SharePoint admin, you can manage users' access to an agent in multiple ways by managing:

  • Who can access the agents
  • What information the user can access through the agent
  • Where agents are available

Manage who can access the agents

Currently, users with a Microsoft 365 Copilot license can use the agents. You can use the Microsoft 365 Copilot setup guide in the Microsoft 365 admin center to assign the required licenses to users. For more information, see Assign licenses to users in the Microsoft 365 admin center and Microsoft 365 Copilot requirements.

Note

From December 1, 2024, to June 30, 2025, enterprise tenants with 50 or more Microsoft 365 Copilot licenses will receive 10,000 free Agents in SharePoint queries for unlicensed users every month as a trial. Users with the SharePoint administrator role or higher can check the trial promotion status and set the trial promotion using PowerShell cmdlets. Please see the terms of trial usage here.

Manage what information a user can access through the agents

With built-in SharePoint features

Agents in SharePoint use SharePoint sites, pages, and document libraries as knowledge sources to respond to the user. You can control a user’s access to the information when they use an agent by controlling their access to the site. SharePoint provides many tools to control access to a site:

  • Control access to a site that is associated with a Microsoft 365 group by setting the site as private (team sites only) and controlling group membership.
  • Control access to a site that isn't associated with a group using site permissions.
  • Control access with access governance policies available in the SharePoint admin center and PowerShell.

Learn more about using SharePoint built-in features to control access here.

With SharePoint Advanced Management

Currently, to restrict access to a site by Microsoft 365 Copilot, a SharePoint admin can set up a restricted access control policy. As a result, all access to the site is restricted to only the group of users specified in the policy. Accordingly, the content from this site is visible in Microsoft 365 Copilot only for this restricted group of users. You can restrict access to individual sites or OneDrive. Learn more about additional features to prevent oversharing, control access, and enhance your content governance with SharePoint Advanced Management here.

With Microsoft Purview Data Loss Prevention (DLP)

You can prevent selected files from being used by agents by using sensitivity labels along with Microsoft Purview Data Loss Prevention (DLP). You do this by creating a DLP custom policy with the Content contains > Sensitivity labels condition to exclude items from being processed. Identified items are available in the citations of the response, but the content of the item isn't used in the response. We don’t yet support adding a sensitivity label directly to the .agent file. If you want to govern your .agent file with DLP, use conditions based on the .agent extension instead of the Sensitivity labels condition. We'll support adding a sensitivity label directly to a .agent file in the future.

Manage where agents are available in SharePoint with restricted content discovery

As a SharePoint admin, you can turn off all agent-related features on individual sites with restricted content discovery. Once a site is flagged with restricted content discovery, users can't see the Copilot icon on the upper right of the site. Therefore, they can't use the ready-made agent, create new agents, or add content from that site to any other agents. The restricted content discovery policy leaves site access unchanged but prevents the site's content from being surfaced in Microsoft 365 Copilot or organization-wide Search for all users.
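One way to check that the two site-level controls described above (restricted access control and restricted content discovery) are set on the sites you expect, as an added example that is not part of Microsoft's documentation. The `Get-AgentExposureDrift` function, the baseline, and the site URLs are hypothetical; the property names are the ones `Get-SPOSite` returns in the SharePoint Online Management Shell, and the sample objects are constructed so the check runs without a tenant connection.

```powershell
# Added example: report sites whose agent/Copilot exposure settings differ
# from an admin-maintained baseline. All URLs and values below are constructed.
function Get-AgentExposureDrift {
    param(
        [Parameter(Mandatory)] [object[]]  $Sites,     # objects shaped like Get-SPOSite output
        [Parameter(Mandatory)] [hashtable] $Baseline   # Url -> @{ RCD = <bool>; RAC = <bool> }
    )
    foreach ($url in $Baseline.Keys) {
        $site = $Sites | Where-Object { $_.Url -eq $url } | Select-Object -First 1
        if (-not $site) {
            # A baseline entry with no matching site is itself a finding.
            [pscustomobject]@{ Url = $url; Setting = 'Site'; Expected = 'present'; Actual = 'not found' }
            continue
        }
        # Map each baseline key to the site property that carries it.
        $checks = @{
            RCD = 'RestrictContentOrgWideSearch'   # restricted content discovery
            RAC = 'RestrictedAccessControl'        # restricted access control policy
        }
        foreach ($key in $checks.Keys) {
            $actual = [bool]$site.($checks[$key])
            if ($actual -ne [bool]$Baseline[$url][$key]) {
                [pscustomobject]@{ Url = $url; Setting = $checks[$key]
                                   Expected = [bool]$Baseline[$url][$key]; Actual = $actual }
            }
        }
    }
}

# Constructed sample data standing in for Get-SPOSite results.
$sampleSites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/hr-cases'
                       RestrictContentOrgWideSearch = $false; RestrictedAccessControl = $true }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/marketing'
                       RestrictContentOrgWideSearch = $false; RestrictedAccessControl = $false }
)
$baseline = @{
    'https://contoso.sharepoint.com/sites/hr-cases'   = @{ RCD = $true; RAC = $true }
    'https://contoso.sharepoint.com/sites/legal-hold' = @{ RCD = $true; RAC = $true }
}

Get-AgentExposureDrift -Sites $sampleSites -Baseline $baseline | Format-Table -AutoSize

# Against a tenant, after Connect-SPOService, query each site by identity so the
# policy properties are populated:
#   $sites = $baseline.Keys | ForEach-Object { Get-SPOSite -Identity $_ }
```

On the sample data this reports that restricted content discovery is off on the hr-cases site and that the legal-hold site was not found.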
