Manage Microsoft 365 Copilot agents in the admin center

Agents expand Copilot’s functionality by providing search features, custom actions, connectors, and APIs. These agents are customized versions of Microsoft 365 Copilot that combine instructions, knowledge, and skills to perform specific tasks or scenarios. Copilot Studio allows developers and makers to create and test their applications in an accessible interface.

Before agents are made available to users, they must go through a submission and approval process. Users can only access agents that have been permitted by the admin and that they have installed or been assigned.

Agent Types Available for Management

In Microsoft 365 Copilot, administrators can oversee several categories of agents, each designed for specific functions:

Custom Agents: Developed with predefined instructions and actions, these agents employ structured logic suitable for predictable, rule-based assignments. Custom agents must undergo an administrative review and publishing process prior to user availability, ensuring compliance and operational readiness.

Shared Agents: Configured for access by multiple users or groups, these agents are individually shared by their creators with designated audiences.

First-Party Agents: Created by Microsoft and seamlessly integrated within Microsoft 365 services.

External Agents: Developed by external parties or vendors; their permissions and availability can be managed as required.

Frontier Agents: Represent experimental or advanced functionalities incorporating new integrations or capabilities. These agents may be in early development or testing phases and typically necessitate increased oversight or limited deployment.

Administrators with the following roles have authority to manage agents within the Microsoft 365 admin center:

·         AI Admin

·         Global Admin

·         Global Reader (view-only; no editing privileges)

Agents can be managed via the Agents & Connectors section on the Copilot Control System page within the Microsoft 365 admin center. Available actions include:

·         Viewing available, deployed, or blocked agents

·         Configuring agent accessibility and permissions

·         Deploying, blocking, or removing agents as needed

Turn Copilot extensibility on or off

You can manage Copilot extensibility in your organization by adjusting agent access settings in Microsoft 365 admin center:

·         Go to Copilot > Settings.

·         Select Agents and choose one of three options:

·         All users: Everyone in the organization can access agents (default).

·         No users: Blocks access for all users; agents are hidden from app lists.

·         Specific users/groups: Grants access only to selected users or groups.

Only those selected in this setting can use agents.

Set up user access rights for installing agents

Agents can be assigned or unassigned to specific users or groups using the standard gestures and controls available in the Microsoft 365 admin center, consistent with other applications.

You can assign or remove the app for all users or specific groups. Changing an agent's assignment alters its availability and features in Copilot, Outlook, Teams, and other Microsoft 365 products.

Agent Actions

Below are the agent management actions available for your organization:

Publish: Make an agent available to specific users or groups. This means the agent is listed in the store and can be installed by those users.

Deploy: Install an agent on behalf of a user by accepting Microsoft Entra permissions for them. This action makes the agent active and usable for specific users or groups.

Remove: Remove the agent from the inventory. This action is applicable only for first-party or external agents. The agent can be re-added to the inventory by acquiring it from the store.

Block: Prevent any users in the tenant from accessing the agent. This action ensures that the agent can't be used by anyone in the organization.

Publish agents

The publishing process in the Microsoft 365 admin center for agents submitted via Copilot Studio is structured to maintain governance and quality of custom applications. It automates the submission of manifests, decreasing manual intervention for developers and administrators. The approval process is streamlined to reduce the time required for app approval and facilitate management of custom applications within the Microsoft 365 admin center.

The publishing process consists of several steps:

·         Developers create and test agents in Copilot Studio, which offers an interface for specifying application parameters and data.

·         Agents are submitted for approval from within Copilot Studio to the Microsoft 365 admin center.

·         Applications with agents awaiting approval can be found under the Requested Apps tab in the Integrated Apps section of the admin center. This tab lists the name, host products, status, and Copilot readiness of each application. New apps display a status of "Publish pending," while updates to existing apps are marked as "Update pending."

·         Selecting a pending application reveals further details and metadata, including the description, requester, request date, and current status. These details provide information for decision-making regarding publication or rejection.

·         Pending applications may be approved or rejected by selecting Publish or Reject.

·         Approved applications become available to organization users according to the organization's default settings for custom apps. They are also added to the Available apps list in the admin center, where administrators can manage user assignments and other relevant settings.

·         If an application is rejected, it is removed from the Pending approval list in the admin center, and the status is communicated to Copilot Studio. Developers have the option to modify and resubmit the application for approval.

Managing Agents Using Embedded File Content as a Knowledge Source in the Microsoft 365 Admin Center

Agent builders can utilise the Copilot Studio agent builder to upload files that serve as sources of knowledge for agents. These uploaded files are stored within tenant-owned SharePoint Embedded containers, enabling the file content to be incorporated into the agent’s responses as embedded knowledge.

Supported file types and limits

Embedded knowledge agents support uploading files as knowledge sources. Only the text content of these files is used for grounding.

Supported file types

• .doc, .docx

• .ppt, .pptx

• .xls, .xlsx

• .pdf

• .txt

Maximum file size

• 150 MB for .doc, .ppt, .xls, .xlsx, and .txt

• 512 MB for .docx, .pptx, and .pdf

Files that exceed these limits aren't accepted.

Maximum number of files

Users can upload up to 20 files per agent.

SharePoint Embedded Containers

Files uploaded to an agent are stored in a tenant-owned SharePoint Embedded container, which is created automatically and listed under the application name Declarative Agent in the SharePoint admin center and PowerShell.

Important: Do not delete these containers, as agents depend on them and their removal may disrupt functionality.

Delete agents

Agents can be deleted from the Microsoft 365 admin center. Deleting an agent removes it from inventory, deletes all associated files, and also deletes the SharePoint Embedded container.

This deletion process is irreversible. After deleting an agent, it may take up to 24 hours for the change to appear for all users. During this period, the agent might still be visible but cannot be accessed once deletion is complete.

Note:

·         Agents created with Copilot Studio agent builder or the Microsoft 365 Agents Toolkit can be deleted in the Microsoft 365 admin center.

·         Agents from Copilot Studio can be managed and deleted via the Power Platform admin center.

Sensitivity labels and access control

Sensitivity labels for agents are set based on the most restrictive label among uploaded files or the organization's default sensitivity policy, whichever is stricter. If a default policy exists, a label is assigned automatically. Sensitivity labels apply only to agents created in Copilot Studio Agent Builder with embedded files. You can see each agent's label in the Overview tab of the Microsoft 365 admin center.

User Access and Visibility

Users without extract rights for any sensitivity labels assigned to uploaded files will not have access to the agent.

Users possessing extract rights can view the agent’s sensitivity label within the agent details pane.

Microsoft 365 Copilot connectors

Microsoft 365 Copilot connectors follow your content source's permissions, so users only access content they are authorized to view.

Connector architecture

The architectural diagram below illustrates how Microsoft 365 Copilot connector content is indexed and delivered to users in Microsoft Search clients.

Microsoft 365 Copilot connectors are capable of retrieving data from both cloud-based (SaaS) and on-premises data sources. Although the diagram above illustrates connections to only two sources, tenants may configure up to ten connections. The Microsoft 365 admin center provides tools to establish and manage any Microsoft 365 Copilot connector. To create a connection with a data source, administrators must have authenticated access to all relevant content repositories. Data is transmitted to the Microsoft 365 Copilot connector service for the purpose of indexing.

Microsoft-built Copilot connectors

Microsoft offers over 30 Copilot connectors for popular data sources.

Limitations

Once published, most connection details can't be edited; to change them, you must delete and recreate the connection.

License requirements

A valid Microsoft 365 or Office 365 license is required for users to access connector data in search results.