Agent Lifecycle: Access, Approval & Monitoring
The governance side of agents β who can create them, how approvals work, and how to monitor agents running in production. This is where admin meets security.
Why agent governance matters
Think of agents like company credit cards.
Theyβre powerful tools that help people get things done faster. But if you hand them out to everyone without rules, someone will eventually make a mistake β overspend, access something they shouldnβt, or create a mess thatβs hard to clean up.
Agent governance is about answering three questions:
- Who can create agents? (Access control)
- Who approves them before they go live? (Approval workflow)
- How do we know theyβre working correctly? (Monitoring)
1. Controlling who can access agents
Access to agents involves two layers:
Layer 1: Copilot license (who can USE agents)
- Users need a Microsoft 365 Copilot license to interact with agents
- Assigned in the M365 admin center (same as regular Copilot access)
- Without a license, agents donβt appear in Copilot Chat
Layer 2: Copilot Studio license + environment role (who can CREATE agents)
- Creating agents requires a Copilot Studio user license
- Plus an environment role in the Power Platform admin center:
| Role | What They Can Do |
|---|---|
| Basic User | Use existing agents, no creation privileges |
| Environment Maker | Create and manage their own agents |
| Admin | Full control β manage all agents, settings, and permissions |
Best practice: use security groups
Donβt assign permissions individually. Use security groups:
- βCopilot Usersβ group β assign Copilot license β everyone can use agents
- βAgent Creatorsβ group β assign Copilot Studio license + Environment Maker role β only approved people can create agents
- βAgent Adminsβ group β full admin role β IT team manages governance
Exam tip: The exam tests whether you know that USING agents and CREATING agents require different permissions. A Copilot license lets you use agents; a Copilot Studio license + environment role lets you create them.
2. The agent approval process
When someone creates an agent and wants to share it across the organisation, it goes through an approval workflow:
How it works
- Creator builds and tests the agent locally
- Creator submits for approval β the agent appears in the adminβs Agent inventory in the M365 admin center
- Admin reviews the request:
- What does the agent do?
- What data does it access?
- Does it comply with org policies?
- Who will use it?
- Admin decides: Approve β , Reject β, or Send back for changes π
- If approved β agent is published to the organisation
Agent categories in the inventory
| Category | What It Means |
|---|---|
| Custom | Built by users in your organisation |
| Shared | Shared with specific people or groups |
| First-party | Built by Microsoft |
| External | From third-party vendors |
| Publisher attested | Vendor has declared compliance with standards |
| Microsoft 365 certified | Passed Microsoftβs rigorous security review |
Scenario: Northwave's governance board reviews agents
Northwave receives 12 agent requests in one month:
- 5 simple Q&A bots (HR, Finance, Marketing, Sales, IT) β Maya reviews: low risk, scoped to specific SharePoint sites β Approve all 5
- 3 agents with external connectors (Salesforce, Jira, ServiceNow) β Jordan (CISO) reviews: need to verify connector permissions and data flows β 2 approved, 1 sent back (too broad permissions)
- 2 agents from external vendors β Priya (Compliance) reviews: check Publisher attested status, data residency β 1 approved, 1 rejected (no attestation)
- 2 advanced agents with automation β Full governance review: what actions do they take? What happens if they fail? β 1 approved with conditions (human approval step required for critical actions), 1 sent back for redesign
This is the governance model the exam expects you to understand.
3. Monitoring agents in production
Once agents are live, admins need to monitor them continuously:
| What to Monitor | Where to Check | What to Look For |
|---|---|---|
| Usage | M365 admin center β Copilot reports | How many people use each agent, frequency, popular queries |
| Performance | Power Platform admin center | Response times, error rates, failed actions |
| Errors | Agent dashboards + logs | Connectivity failures, permission errors, timeout issues |
| Adoption | Copilot Analytics | Which agents are used, which are abandoned |
| Compliance | Audit logs + Purview | Data access patterns, policy violations |
Agent lifecycle stages
Agents go through a lifecycle:
- Draft β being built and tested
- Submitted β awaiting approval
- Published β live and available to users
- Active β being used regularly
- Declining β usage dropping (investigate why)
- Blocked/Removed β admin disables or deletes the agent
When to take action
| Signal | Action |
|---|---|
| Agent has high error rate | Investigate connectivity or permission issues |
| Agent usage is declining | Check if itβs still relevant; update or retire |
| Agent accesses unexpected data | Review permissions; check for oversharing |
| New version of agent submitted | Review changes before approving the update |
| Agent abandoned (zero usage) | Consider removing to reduce governance overhead |
Troubleshooting common agent issues
When an agent isnβt working correctly, check these in order:
- Licensing β does the user have a Copilot license?
- Permissions β does the agent have access to its knowledge sources?
- Connectivity β are Copilot connectors to external systems working?
- Instructions β are the agentβs instructions clear and unambiguous?
- Knowledge sources β is the content up to date and accessible?
Exam tip: Agent troubleshooting questions almost always start with βcheck licensing and permissions first.β
π¬ Video walkthrough
Flashcards
Knowledge Check
Clearfield Council wants to allow their IT team to create agents, but restrict all other departments to only USING agents. How should Director Chen configure access?
Maya notices an agent at Northwave has a high error rate and declining usage. When she investigates, she finds the agent's SharePoint knowledge source was moved to a new site. What should she do?
π Congratulations! Youβve completed all 8 modules in Domain 3: Copilot & Agent Admin. You now understand how Copilot works, what agents are, how licensing works, and how to manage the full agent lifecycle.
Next: Continue to Domain 1 (M365 Core Features) or Domain 2 (Data Protection) to prepare for the full exam.