🔒 Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided AB-900 Domain 3
Domain 3 — Module 8 of 8 100%
28 of 28 overall

AB-900 Study Guide

Domain 1: M365 Core Features & Objects

  • Welcome to Microsoft 365
  • Exchange Online: Mailboxes & Distribution
  • SharePoint: Sites, Libraries & Permissions
  • Microsoft Teams: Teams, Channels & Policies
  • Users, Groups & Licensing
  • Zero Trust: Never Trust, Always Verify
  • Authentication: Passwords, MFA & Beyond
  • Microsoft Defender XDR
  • Microsoft Entra: Your Identity Hub
  • PIM, Audit Logs & Identity Governance

Domain 2: Data Protection & Governance

  • Microsoft Purview: The Big Picture
  • Sensitivity Labels & Data Classification
  • Data Loss Prevention (DLP)
  • Insider Risk & Communication Compliance
  • DSPM for AI & Data Lifecycle
  • How Copilot Accesses Your Data
  • Responsible AI Principles
  • Compliance Manager & eDiscovery
  • Activity Explorer & Data Monitoring
  • Oversharing in SharePoint

Domain 3: Copilot & Agent Admin

  • What is Microsoft 365 Copilot? Free
  • What Are Agents? Free
  • Copilot vs Agents: When to Use Which Free
  • Copilot Licensing: Monthly vs Pay-as-You-Go Free
  • Researcher, Analyst & Real-World Use Cases Free
  • Managing Copilot: Billing, Monitoring & Prompts Free
  • Building Agents: Create, Test & Publish Free
  • Agent Lifecycle: Access, Approval & Monitoring Free

AB-900 Study Guide

Domain 1: M365 Core Features & Objects

  • Welcome to Microsoft 365
  • Exchange Online: Mailboxes & Distribution
  • SharePoint: Sites, Libraries & Permissions
  • Microsoft Teams: Teams, Channels & Policies
  • Users, Groups & Licensing
  • Zero Trust: Never Trust, Always Verify
  • Authentication: Passwords, MFA & Beyond
  • Microsoft Defender XDR
  • Microsoft Entra: Your Identity Hub
  • PIM, Audit Logs & Identity Governance

Domain 2: Data Protection & Governance

  • Microsoft Purview: The Big Picture
  • Sensitivity Labels & Data Classification
  • Data Loss Prevention (DLP)
  • Insider Risk & Communication Compliance
  • DSPM for AI & Data Lifecycle
  • How Copilot Accesses Your Data
  • Responsible AI Principles
  • Compliance Manager & eDiscovery
  • Activity Explorer & Data Monitoring
  • Oversharing in SharePoint

Domain 3: Copilot & Agent Admin

  • What is Microsoft 365 Copilot? Free
  • What Are Agents? Free
  • Copilot vs Agents: When to Use Which Free
  • Copilot Licensing: Monthly vs Pay-as-You-Go Free
  • Researcher, Analyst & Real-World Use Cases Free
  • Managing Copilot: Billing, Monitoring & Prompts Free
  • Building Agents: Create, Test & Publish Free
  • Agent Lifecycle: Access, Approval & Monitoring Free
Domain 3: Copilot & Agent Admin Free ⏱ ~13 min read

Agent Lifecycle: Access, Approval & Monitoring

The governance side of agents — who can create them, how approvals work, and how to monitor agents running in production. This is where admin meets security.

Why agent governance matters

☕ Simple explanation

Think of agents like company credit cards.

They’re powerful tools that help people get things done faster. But if you hand them out to everyone without rules, someone will eventually make a mistake — overspend, access something they shouldn’t, or create a mess that’s hard to clean up.

Agent governance is about answering three questions:

  • Who can create agents? (Access control)
  • Who approves them before they go live? (Approval workflow)
  • How do we know they’re working correctly? (Monitoring)

Agent governance spans three domains: access control (licensing and permissions that determine who can create, manage, and use agents), approval workflows (review processes before agents are deployed to the organisation), and lifecycle monitoring (ongoing observation of agent usage, performance, errors, and compliance).

Access is controlled through a combination of Copilot licensing (M365 admin center), Copilot Studio user licenses, and environment roles (Power Platform admin center). Approvals are managed in the M365 admin center’s agent inventory. Monitoring uses both M365 admin center reports and Power Platform admin tools.

1. Controlling who can access agents

Access to agents involves two layers:

Layer 1: Copilot license (who can USE agents)

  • Users need a Microsoft 365 Copilot license to interact with agents
  • Assigned in the M365 admin center (same as regular Copilot access)
  • Without a license, agents don’t appear in Copilot Chat

Layer 2: Copilot Studio license + environment role (who can CREATE agents)

  • Creating agents requires a Copilot Studio user license
  • Plus an environment role in the Power Platform admin center:
RoleWhat They Can Do
Basic UserUse existing agents, no creation privileges
Environment MakerCreate and manage their own agents
AdminFull control — manage all agents, settings, and permissions
💡 Best practice: use security groups

Don’t assign permissions individually. Use security groups:

  • “Copilot Users” group → assign Copilot license → everyone can use agents
  • “Agent Creators” group → assign Copilot Studio license + Environment Maker role → only approved people can create agents
  • “Agent Admins” group → full admin role → IT team manages governance

Exam tip: The exam tests whether you know that USING agents and CREATING agents require different permissions. A Copilot license lets you use agents; a Copilot Studio license + environment role lets you create them.

2. The agent approval process

When someone creates an agent and wants to share it across the organisation, it goes through an approval workflow:

How it works

  1. Creator builds and tests the agent locally
  2. Creator submits for approval — the agent appears in the admin’s Agent inventory in the M365 admin center
  3. Admin reviews the request:
    • What does the agent do?
    • What data does it access?
    • Does it comply with org policies?
    • Who will use it?
  4. Admin decides: Approve ✅, Reject ❌, or Send back for changes 🔄
  5. If approved → agent is published to the organisation

Agent categories in the inventory

CategoryWhat It Means
CustomBuilt by users in your organisation
SharedShared with specific people or groups
First-partyBuilt by Microsoft
ExternalFrom third-party vendors
Publisher attestedVendor has declared compliance with standards
Microsoft 365 certifiedPassed Microsoft’s rigorous security review
💡 Scenario: Northwave's governance board reviews agents

Northwave receives 12 agent requests in one month:

  • 5 simple Q&A bots (HR, Finance, Marketing, Sales, IT) → Maya reviews: low risk, scoped to specific SharePoint sites → Approve all 5
  • 3 agents with external connectors (Salesforce, Jira, ServiceNow) → Jordan (CISO) reviews: need to verify connector permissions and data flows → 2 approved, 1 sent back (too broad permissions)
  • 2 agents from external vendors → Priya (Compliance) reviews: check Publisher attested status, data residency → 1 approved, 1 rejected (no attestation)
  • 2 advanced agents with automation → Full governance review: what actions do they take? What happens if they fail? → 1 approved with conditions (human approval step required for critical actions), 1 sent back for redesign

This is the governance model the exam expects you to understand.

3. Monitoring agents in production

Once agents are live, admins need to monitor them continuously:

Agent monitoring checklist
What to MonitorWhere to CheckWhat to Look For
UsageM365 admin center → Copilot reportsHow many people use each agent, frequency, popular queries
PerformancePower Platform admin centerResponse times, error rates, failed actions
ErrorsAgent dashboards + logsConnectivity failures, permission errors, timeout issues
AdoptionCopilot AnalyticsWhich agents are used, which are abandoned
ComplianceAudit logs + PurviewData access patterns, policy violations

Agent lifecycle stages

Agents go through a lifecycle:

  1. Draft → being built and tested
  2. Submitted → awaiting approval
  3. Published → live and available to users
  4. Active → being used regularly
  5. Declining → usage dropping (investigate why)
  6. Blocked/Removed → admin disables or deletes the agent

When to take action

SignalAction
Agent has high error rateInvestigate connectivity or permission issues
Agent usage is decliningCheck if it’s still relevant; update or retire
Agent accesses unexpected dataReview permissions; check for oversharing
New version of agent submittedReview changes before approving the update
Agent abandoned (zero usage)Consider removing to reduce governance overhead
ℹ️ Troubleshooting common agent issues

When an agent isn’t working correctly, check these in order:

  1. Licensing — does the user have a Copilot license?
  2. Permissions — does the agent have access to its knowledge sources?
  3. Connectivity — are Copilot connectors to external systems working?
  4. Instructions — are the agent’s instructions clear and unambiguous?
  5. Knowledge sources — is the content up to date and accessible?

Exam tip: Agent troubleshooting questions almost always start with “check licensing and permissions first.”

🎬 Video walkthrough

🎬 Video coming soon

Agent Governance & Lifecycle — AB-900 Module 28

Agent Governance & Lifecycle — AB-900 Module 28

~11 min

Flashcards

Question

What two things does a user need to CREATE agents (not just use them)?

Click or press Enter to reveal answer

Answer

1) A Copilot Studio user license (from M365 admin center). 2) An environment role (Environment Maker or Admin) in the Power Platform admin center. A regular Copilot license only lets you USE agents.

Click to flip back
Question

What are the three possible decisions an admin can make when reviewing an agent approval request?

Click or press Enter to reveal answer

Answer

1) Approve — agent is published to the organisation. 2) Reject — agent is denied. 3) Send back — return to creator with feedback for changes.

Click to flip back
Question

What's the first thing to check when an agent stops working?

Click or press Enter to reveal answer

Answer

Licensing and permissions. Does the user have a Copilot license? Does the agent still have access to its knowledge sources? Then check connectivity to external systems, instructions clarity, and content freshness.

Click to flip back

Knowledge Check

Knowledge Check

Clearfield Council wants to allow their IT team to create agents, but restrict all other departments to only USING agents. How should Director Chen configure access?
Knowledge Check

Maya notices an agent at Northwave has a high error rate and declining usage. When she investigates, she finds the agent's SharePoint knowledge source was moved to a new site. What should she do?

🎉 Congratulations! You’ve completed all 8 modules in Domain 3: Copilot & Agent Admin. You now understand how Copilot works, what agents are, how licensing works, and how to manage the full agent lifecycle.

Next: Continue to Domain 1 (M365 Core Features) or Domain 2 (Data Protection) to prepare for the full exam.

← Previous

Building Agents: Create, Test & Publish

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.