Create and Apply Governance Templates for Agent Publishing and Activation

Implementation Effort: Medium – Requires defining policy bundles that span Microsoft Entra, Microsoft Purview, and SharePoint, then associating them with agent activation and publishing workflows in the Microsoft 365 admin center.
User Impact: Low – Templates are applied by administrators during publishing and activation; end users experience the resulting policies but are not involved in template configuration.

Overview

Governance templates are reusable policy bundles that administrators apply to agents during the publishing and activation workflows in the Microsoft 365 admin center. Each template defines a set of security, compliance, and data protection controls drawn from Microsoft Entra, Microsoft Purview, and SharePoint that are automatically enforced when an agent is approved. Templates exist to solve the consistency problem: without them, every agent publishing or activation decision becomes an ad-hoc negotiation between the administrator and the agent's capabilities, with no guarantee that the same security baseline is applied across agents.

Microsoft provides default templates that include essential controls:

  • Microsoft Entra controls cover identity protection (flagging anomalous agent activities), network visibility (enabling secure web and AI gateway access for agents), and lifecycle management (governing Agent IDs at scale with lifecycle policies).
  • Microsoft Purview controls include audit enablement (logging all agent activities for observability), data security policies (safeguarding against sensitive data leaks and oversharing), and AI compliance assessment (continuous monitoring for compliance gaps).
  • SharePoint controls address restricted external content sharing (allowing or restricting agents from sharing site content with guests), access control for sites and OneDrive (specifying which agents and users can access a given site), agent access insights (reporting on content and sites permissioned to agents), and content permissions insights (monitoring agent access to SharePoint and OneDrive).

For customers enrolled in the Frontier program with an active Agent 365 license, default templates also automatically assign the Agent 365 license during activation, eliminating manual license management.

Custom templates extend the default baseline with additional policies. Organizations create custom templates when the default controls are insufficient for their regulatory or operational requirements—for example, adding an Entra Access Package requirement or restricting external content sharing beyond the default settings. Two default template variants exist: one for agents that allow instance creation, and one for agents that do not. Administrators select the appropriate template during the activation or publishing wizard.

This activity supports Verify explicitly by ensuring that every agent published or activated has a documented, auditable set of policies applied—not just whatever the approving administrator remembered to check. It supports Use least privilege access by bundling data access controls (SharePoint site restrictions, Purview DLP policies) into the approval flow so that agents cannot reach production users without those controls in place. It supports Assume breach by layering multiple detection and restriction controls (Entra identity protection, Purview audit trails, SharePoint access monitoring) so that a compromised agent is contained and observable.

Without governance templates, administrators make inconsistent approval decisions. One agent gets published with full SharePoint access and no Purview audit; another gets strict controls because a different administrator reviewed it. This inconsistency creates blind spots that threat actors exploit—they target the agents that were approved with weaker controls because those are the ones with broader data access and less monitoring. Templates eliminate this variance by codifying the organization's security baseline into a repeatable, selectable policy bundle.

Reference