Agent management updates | Copilot Control System

7 min readMay 6, 2025

Manage the rise of generative AI across your organization using the Copilot Control System in Microsoft 365. Control who can find, use, and create agents, define permissions, approve or block agent deployments, and configure billing models including pay-as-you-go or prepaid options.

Get detailed visibility into how agents are used, which users and groups are driving consumption, and how much they’re costing you. With Microsoft Purview integration, monitor for sensitive data exposure, track compliance risks, and audit agent activity to stay secure and aligned with your organization’s data policies.

Jeremy Chapman, Director of Microsoft 365, shares how to configure, deploy, monitor, and secure AI agents at scale.

Define agent access by group or user.

Customize permissions with Microsoft 365 admin controls. See how to use the Copilot Control System.

Enable pay-as-you-go agent billing with message-based metering.

No upfront commitment. Check out Copilot Chat, included with any Microsoft 365 or Office 365 work account.

Gain full visibility and access control over AI agent interactions.

Check out how agents are being used with detailed reporting in the Microsoft 365 admin center.

Watch our video here.

QUICK LINKS:

00:00 — Copilot Control System

01:34 — Copilot Chat

02:21 — Manage agent use

03:23 — Agent deployment

04:09 — Visibility into how agents are used

05:10 — Copilot Dashboard

06:06 — DSPM for AI

06:47 — Microsoft Purview agent protections

07:32 — Wrap up

Link References

Check out https://aka.ms/CopilotAgentControls

Unfamiliar with Microsoft Mechanics?

As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.

Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries
Talk with other IT Pros, join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog
Watch or listen from anywhere, subscribe to our podcast: https://microsoftmechanics.libsyn.com/podcast

Keep getting this insider knowledge, join us on social:

Follow us on Twitter: https://twitter.com/MSFTMechanics
Share knowledge on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/
Enjoy us on Instagram: https://www.instagram.com/msftmechanics/
Loosen up with us on TikTok: https://www.tiktok.com/@msftmechanics

Video Transcript:

-Agents are the evolution of generative AI, and if you’re in IT and looking to support this shift, we’ve built you new options as part of the Copilot Control System, like control over who can discover, use, and author agents, whole visibility into which agents are being used and if there’s risk with how they’re being used, and the ability to view potentially risky agent activities directly and search if sensitive or high-value information is shared with or processed by agents. Microsoft 365 Copilot is the only service of its kind to provide complete enterprise-ready controls across agent management, starting with agent discovery, access management, and user permissions.

-From the Microsoft 365 Admin Center, navigating to Copilot takes you to the Copilot Control System Central Hub to configure Copilot settings and view insights into Copilot in how people are using it. As part of these updates to Copilot Control System, we’ve added new options for Overview, Agents & connectors, Prompts, Billing & usage, and Settings. First, from Settings and under Agents, you can configure exactly which groups or users will be able to find and access agents in Copilot Chat, as well as other agent-enabled Copilot apps. Importantly, if any of your managed users have a Microsoft 365 Copilot license and they’re scoped for this control, they can use and create retrieval-based agents using Microsoft Graph knowledge as part of that license.

-That said, for the free Copilot Chat that’s included with any Microsoft 365 or Office 365 license, agents can still be used with consumption-based billing, where agent usage is metered with messages as the measure of time and effort taken by the agent to respond to user prompts and ultimately, how costs are calculated. You can now set up pay-as-you-go billing without a prepaid commitment right from the Microsoft 365 Admin Center where you can create and manage billing plans. Now, these billing plans use an Azure subscription and resource group as part of the configuration and billing process. Additionally, the prepaid message pack option as part of Microsoft 365 Copilot Studio license is also available. Now, once you grant the right permissions and you’ve configured what you need for people to start creating, finding, and using agents, at that point, you can now manage agent use right from the Microsoft 365 Admin Center.

-Under Copilot controls, Agents & connectors is your primary hub for managing agents used with Microsoft 365 Copilot, including your agent inventory as a unified view of the agents that people build in Copilot Studio themselves, agents published to the Agent Store by your organization, or agents that you’ve approved from third parties. You can now see whether agents are managed, their availability, and in which apps they’re supported, and more. From each, you can also take actions like blocking or publishing the agent. More on that in a second. Or get more details, including users where you can manage access and see who is using each agent, then moving over to requested agents. These are agents that are submitted for approval from IT where you can take action to approve or block them.

-For the shared and third-party agents that you manage from the Agent Store, as an administrator, you also have full control over agent deployment, where you can select the agents that you want to deploy, target users or groups who will have access to the agents. Here, for example, I’ll specify the users and groups that I want to include, and for agents that require special permissions to external knowledge via connector or API, you can authorize agent access using strong authentication and ensure that only the users and groups that you added in scope will be able to access that data. And from there, you can confirm and finish the deployment to make the agents available to users that you added in scope.

-Next, as agent adoption grows, you have the visibility into how agents are being used. As a Microsoft 365 admin, you’ll find detailed reporting in the Microsoft 365 Admin Center, alongside other Copilot reports. Starting with the message consumption report, it provides you details on the costs associated with agent use in your organization. Here you can see message consumption trends for metered usage of Microsoft 365 Copilot Chat help you understand where and how messages and agents are being consumed. You’ll find top agent and user message consumption details to help you plan and manage resource allocation and make agent deployment decisions.

-Then in the Agents report, you can see overall usage trends by license type, and below that, the types of agents people are using, like user and organization-created agents, as well as agents built by Microsoft and partners, along with a list of top agents in use and top users leveraging those agents. And for broader reporting that you can share with other stakeholders in your organization, you can use Copilot Analytics as part of Viva Insights, where you’ll find summaries for the number of agent sessions of enabled agents across your environment, how usage is trending over time, user satisfaction and resolution rates for agents at aggregate levels, and you can even see the top agents used and how many people are engaging with them. In fact, drilling into that report also shows you how each agent is trending month over month, the satisfaction per agent and resolution rate for each. Drilling in Further, you’ll find additional details for session outcomes, if they were abandoned, escalated, or resolved, estimates of agent-assisted hours to gauge ROI, and even a detailed breakdown of the most popular topics people are using agents for.

-Next, let’s switch gears to your data security options for AI apps and agents as part of Microsoft Purview. In Data Security Posture Management, or DSPM, for AI, you’ll find details for each agent in use in your organization. Each shows protection status, high-level usage trends and accounts of protection and compliance policies that apply to each. Then drilling into any agent gives you even more detail about potentially risky activities used with that agent, unethical or inappropriate use flagged by communication compliance policy controls that you have in place, and the use of classified and labeled content as part of agent interactions and sessions. And that’s just scratching the surface for agent protections and controls in Microsoft Purview.

-In fact, all agent activity is recorded in audit logs to help conduct investigations whenever needed, and these activities also power additional Microsoft Purview solutions like insider risk management, letting your security teams detect risky AI prompts as part of their investigations into risky users, communication compliance to aid investigation into non-compliant use and AI interactions such as a user trying to get information on sensitive information like an acquisition plan, and eDiscovery where interactions across your Copilot’s agents and AI apps can be collected and reviewed, help conduct investigations and respond to litigations. And those were your controls to set up services and deploy agents in Microsoft 365. Also, where you can find usage insights and your data protection controls specific to agents in Microsoft Purview.

-To learn more, check out aka.ms/CopilotAgentControls and keep watching Microsoft Mechanics for the latest updates, and thanks so much for watching.