Scout 12 June 2026 · by Susanth Sutheesh · 7 min read

Microsoft Scout — Admin Install & Frontier Setup

↗ the IT admin's two-gate install walkthrough for Microsoft Scout — Frontier in the M365 admin centre, Intune policy, attestation form, and the GitHub Copilot license assignment that sign-in needs.

On this page

The hub for this series — Microsoft Scout — The Complete Guide — covers what Scout is, how it differs from Copilot, what it costs, and the honest take. This spoke is the install reference.

The two-gate access model in plain English

Microsoft’s own admin docs make this explicit: Microsoft Scout sits behind two separate admin gates, and both must be complete before any user can sign in. Gate 1 enables the Frontier surface for your tenant. Gate 2 enables Microsoft Scout specifically for the devices and users you choose.

Frontier is the umbrella programme; Scout is one of the products inside it. Same Frontier umbrella also gates other Microsoft preview agents (Opal Frontier, for example) — separate toggles, same enrollment.

The good news: you only do all of this once per tenant.

This is the part that takes longest the first time. The two gates also explain the most-asked support question — “I installed Scout and it won’t sign in.” Almost always, that means one of the gates isn’t complete yet. The hub guide’s FAQ section covers the most common cases.

Gate 1 — Turn on Frontier in the Microsoft 365 admin centre

You need to be signed in as an admin with one of these roles:

AI Admin (preferred — the role designed for this)
Security Admin
Office Apps Admin
Global Admin works too, but you should be using a least-privilege role wherever possible

Frontier users you assign access to also need a Microsoft 365 Copilot license — verify license assignment for your pilot users before they try to sign in to Scout.

Step 1 — Open the M365 admin centre

You land on the M365 admin centre home page. Mine looks like this (CDX/Contoso demo tenant — yours will show your own org name, your real user counts, and your real Copilot activity):

The Microsoft 365 admin centre home page in our CDX/Contoso demo tenant. The dashboard layout is the new “all in one place” view (toggle at the top). The Copilot and Agents entries in the left navigation are the two we care about for the rest of this walkthrough.

Step 2 — Navigate to Copilot Settings

Click Copilot in the left navigation, then Settings, then the View all tab at the top of the settings page.

Copilot → Settings → View all. The full Copilot settings list is long — search is faster than scrolling.

Sidebar — Opal (Frontier) is a separate setting. You’ll notice Opal (Frontier) in the settings list too. That’s a different Microsoft Frontier-preview product (a workspace-design tool) — same Frontier umbrella, separate access toggle. Don’t confuse it with Copilot Frontier (the umbrella that gates Scout). I’ll cover Opal in its own post.

Step 3 — Search for Frontier

Top right of the settings view is a Search all Copilot settings box. Type frontier and Microsoft narrows the list to the Frontier-related settings:

Search results for “frontier” — two settings appear. The one to click for Scout access is the second row, Copilot Frontier (description: “Enable exclusive early access program in your organization”).

Step 4 — Open Copilot Frontier and pick who gets access

Click Copilot Frontier. The “Turn on Frontier features” flyout slides in:

The Copilot Frontier flyout — three access options (No access, All users, Specific users), with Specific users selected here for our demo and three demo users assigned. Notice the TAP note at the top of the panel and the 3-hour propagation warning. Both matter.

You have three options:

No access — default. Nobody in your tenant gets Frontier features. Pick this to disable Scout access cleanly.
All users — every licensed Microsoft 365 Copilot user in your tenant gets Frontier features automatically. Pick this if you’ve decided Frontier is your default release channel for all your Copilot users. Most enterprises start more cautiously than this.
Specific users — only the named users get Frontier features. Pick this for a controlled pilot — usually 3-10 users from across functions while you validate Scout against your org’s policies and risk posture.

Click Save. Then wait up to three hours for the change to propagate. Tell your pilot users not to attempt sign-in until the next business hour at the earliest.

Gate 1 done.

Gate 2 — Intune policy, attestation, GitHub Copilot license

Gate 2 has three required admin actions. All must be completed before users can sign in to Microsoft Scout.

Gate 2.1 — Enable access via an Intune policy

An IT admin must configure an Intune policy for Microsoft Scout that:

Sets the required registry and device conditions
Enables login capability for the app

Without this policy in place, users can’t sign in to Microsoft Scout even if they install the app successfully.

The Intune policy templates ship in the public GitHub repo at github.com/microsoft/scout-resources/tree/main/admins:

microsoft-scout.admx — policy definitions
en-US/microsoft-scout.adml — policy display strings
README with every policy explained

The key policy to enable here is AllowScoutFrontierAccess set to Enabled, targeted at the device groups whose users should be allowed to sign in.

For the full step-by-step inside Intune, see Microsoft’s Set up Microsoft Scout with Intune doc. It walks every screen.

Gate 2.2 — Complete the attestation and opt-in

Because Microsoft Scout can route data outside Microsoft 365 to third-party inference paths (specifically GitHub, since Scout uses your GitHub Copilot license for token billing), admins must explicitly attest and opt in for their organisation. This is an additional gating layer beyond Frontier enrollment, and it applies even if Gate 1 is already complete.

The attestation lives in a Microsoft Forms-based M365 Admin Frontier organisation sign-up form. Open it as a tenant admin and walk through the questions. Microsoft links to this form from the official admin-access overview.

The attestation isn’t just a tick-box — it’s a 9-point organisational commitment that names every concession your tenant is making during the Preview. Worth reading carefully: EU Data Boundary doesn’t apply, sensitivity labels are read but not applied, GitHub Copilot processes Scout prompts under the GitHub Customer Agreement (not your M365 DPA), and automation configurations are your responsibility, not Microsoft’s. If any of those is a non-starter for your tenant, you’ve found your blocker before Scout is even installed.

Three required fields after the terms: Accept radio, Name of organization, and Tenant ID. The Tenant ID hint tells you to look it up in the Azure portal under Azure Active Directory — that’s the GUID your tenant is identified by; it’ll be the same one your Intune policy targets. The form doesn’t collect your name or email unless you choose to add them.

Gate 2.3 — Provision GitHub Copilot licenses

Admins must ensure that users who’ll use Scout have GitHub Copilot Business or Enterprise licenses assigned. This step is only required if users aren’t already licensed.

For more information, see:

What happens if any gate is incomplete

Installing the Microsoft Scout app always succeeds. The download isn’t heavily gated. Sign-in is where access is enforced.

If Frontier isn’t turned on for the user, or the Intune policy isn’t deployed, or the attestation form hasn’t been submitted, sign-in is blocked and the app doesn’t show a clear in-product indication of why. The fix lives on the admin side, not the client.

If users report sign-in problems, verify both gates first before investigating the client:

Check	Where	What “green” looks like
Gate 1	M365 admin centre → Copilot → Settings → Copilot Frontier	User’s UPN appears in Specific users (or All users is selected)
Gate 2.1	Intune → Devices → Configuration → Scout policy	Policy assigned to user’s device, last sync recent
Gate 2.2	Internal record from the Forms submission	Attestation submitted by a tenant admin
Gate 2.3	GitHub.com org → Settings → Copilot → Access	User’s GitHub account has a GitHub Copilot Business or Enterprise seat

End-user requirements (after both gates are complete)

Once you’ve completed both admin gates, end users still need to:

Download and install the Microsoft Scout app
Have a GitHub account — Microsoft Scout uses your GitHub account for token billing, so each user needs one before signing in
Sign in with work credentials — sign-in only succeeds after both admin gates are complete

User-side walkthrough (download → install → sign-in → permissions setup) is in the hub guide Quick Start section.

Monday-morning admin checklist

If you’re an M365 admin reading this on a Sunday evening and want to act before standup tomorrow:

This morning (5 min): Check whether your org is enrolled in the Frontier program. M365 admin centre → Copilot → Settings → search “Frontier” → Copilot Frontier. If it’s set to No access, you have a decision to make.
This morning (5 min): Confirm your own admin account has a Microsoft 365 Copilot license assigned. Without it, the Frontier setting won’t render.
This morning (5 min): Decide your pilot scope. 3-10 users from across functions is a sensible starting size for a Specific users enrollment. Pick people with low fear and high curiosity.
This week (30 min): Walk through Gate 2 end-to-end for the pilot group. Intune policy + attestation form + GitHub Copilot license.
This week (30 min): Install Scout on your own device, sign in, run one simple task end-to-end. Don’t try to break it on day one — feel the shape.
This week (30 min): Walk through the five high-impact settings from the secure-config spoke. Closes the bulk of the practical risk.