Security

Microsoft Scout: Prep Your SharePoint Permissions

Microsoft Scout entered Frontier program experimental preview in May 2026. It is the first persistent Autopilot agent that runs on its own schedule, under its own identity, and reads SharePoint on its own. Here is how to prep.

SharePoint Support Team2026-06-289 min read
Microsoft Scout: Prep Your SharePoint Permissions - Security guide by SharePoint Support
Microsoft Scout: Prep Your SharePoint Permissions - Expert Security guidance from SharePoint Support

Microsoft Scout entered the Frontier program experimental preview in May 2026 and it represents a class of agent SharePoint architects have not had to think about yet: the always-on autonomous agent. Not a user-triggered Copilot prompt. Not a Copilot Studio agent responding to a webhook. A persistent agent that runs on its own schedule, under its own identity, and reads SharePoint on its own initiative.

If your permission model was designed for humans and short-lived apps, Scout will find every gap. This post is what our team is telling customers to lock down before they enroll a tenant.

What Scout is, architecturally

Scout is the first shipping Autopilot agent in the Microsoft product line. Autopilot is the internal name for the persistent-agent runtime — an agent lifecycle that stays resident, executes on a schedule (or on triggers, or continuously depending on the mode), and reports back to a user or workflow asynchronously.

SharePoint architecture diagram showing hub sites, team sites, and content structure
Enterprise SharePoint architecture with hub sites and connected team sites

The three architecturally interesting properties of Scout, from a SharePoint permissions perspective:

  • Persistent identity. Scout runs under an Entra Agent Identity that persists across sessions. It is not a per-invocation identity. Whatever access the identity has, Scout has, all the time.
  • Own schedule. Scout can read a SharePoint site at 3am on a Sunday without a human ever prompting it. The audit trail records the agent, not a triggering user.
  • Bring-its-own-context. Because Scout can run without a triggering user, "act on behalf of the current user" is not always available. Some Scout tasks run purely under the agent identity.

Official reference: Microsoft Scout overview.

This is a new content-consumer class for SharePoint. Historically SharePoint has had three consumer classes: users (with human ACLs), apps (with app registrations and Graph scopes), and service accounts (with everything, please stop using them). Scout does not fit cleanly into any of them:

| Consumer class | Identity model | Access pattern | Audit trail |

|----------------|----------------|----------------|-------------|

| User | Entra user | On-demand, session-scoped | User in audit log |

| App (short-lived) | App registration / managed identity | On-demand, request-scoped | App identity in audit log |

| Service account (deprecated) | User account with many perms | Always-on, everything-scoped | Service account name in audit log |

| Scout (Autopilot agent) | Entra Agent Identity | Always-on, agent-scoped | Agent identity in audit log |

The last row is the new one. Autopilot agents are always-on and first-class in the audit log, unlike service accounts. That combination is what makes Scout tolerable in enterprise environments — but only if you prep the permissions correctly.

Four things to lock down before enrollment

1. Dedicated Entra security group for agent identities

Before you enroll any tenant in Scout, create a dedicated Entra security group — we typically name it `SP-AutopilotAgents` — that will hold every Autopilot agent identity in the tenant. Scout is the first, but it will not be the last. Grant permissions to the group, not the individual agent, so future agents inherit the model rather than each getting a bespoke access grant.

Rule: no Autopilot agent identity should have SharePoint access via a group membership other than `SP-AutopilotAgents`. If Scout ends up in a general "All Company" group, you have a lateral-movement problem the first time an agent is compromised.

2. Sensitivity-label gating as the primary permission control

Scout inherits the Agent 365 sensitivity-label ceiling model. This is where you do the load-bearing lockdown. Set the ceiling explicitly, per Autopilot agent:

  • Scout default policy: allowed sensitivity labels = `General`, `Internal`. Everything else is blocked at the Agent 365 layer, regardless of the underlying SharePoint permission.
  • Elevated Scout policy (per-tenant approval required): add `Confidential-Internal` on a per-use-case basis, with a documented business justification.
  • Never Scout policy: `Highly Confidential`, `Regulated`, `Legal Hold`. These labels should never be reachable by an always-on agent. If Scout needs regulated data, that is a specific-purpose Copilot Studio agent with human triggering, not Autopilot.

This gating is non-negotiable. Users can accidentally save a Highly Confidential document to a General-labeled site. Scout should not be the discovery mechanism for that mistake.

3. DLP policy alignment

Data Loss Prevention policies apply to Autopilot agents the same way they apply to users — but the exceptions list is where things break. Review every DLP exception in the tenant and ask: "does this exception apply to Scout?" The answer should almost always be no.

Common exceptions that must NOT include Scout:

  • "Legal team can share Highly Confidential externally." Scout is not a legal team member.
  • "Executive assistants can copy documents between confidential libraries." Scout is not an assistant.
  • "Compliance investigators can access all sites." Scout is not an investigator.

Explicitly exclude the `SP-AutopilotAgents` group from every DLP exception. This is a 30-minute audit and it eliminates a whole class of accidental over-permission.

4. Site-scoped access grants, never tenant-scoped

The most important operational discipline: Scout should only be granted access to specific sites, not tenant-wide. There are two ways to get this wrong:

  • Adding Scout to the tenant "SharePoint Reader" role. Do not do this. There is no legitimate reason for an Autopilot agent to have read on every site in the tenant.
  • Granting Scout Sites.Read.All Graph permission. Same problem, different path. Use Sites.Selected instead, then grant per-site access.

The correct pattern is Sites.Selected on the Graph permission side, plus explicit per-site access grants for the sites Scout needs to read. When Scout needs a new site, that is a change-managed grant, not an automatic inheritance.

Additional prep worth doing

  • Establish an agent-identity review cadence. Quarterly, walk through the `SP-AutopilotAgents` group membership and re-attest each identity. Agents that are no longer running get removed.
  • Wire agent-specific audit alerts. Agent 365 audit stream + Sentinel: alert on Scout accessing a site it has not touched in the last 30 days, or on Scout accessing more than N sites in a rolling hour.
  • Tabletop the compromise scenario. What happens if an attacker gains control of a Scout task list? They can potentially cause Scout to read sensitive data on their behalf. Verify sensitivity-label gating catches this.

When Scout is worth enrolling

Scout is early. Frontier program preview means "experimental" — API surface will change, feature set will change, and there may be reliability wobbles. The tenants where enrolling makes sense right now are ones with a specific use case where an always-on agent produces value that on-demand Copilot cannot: continuous monitoring of a specific site collection for compliance triggers, scheduled cross-tenant reporting, or persistent workflow orchestration where the schedule is the point.

For most tenants, we are advising a "watch closely, do not enroll yet" posture until GA. The permission prep above should happen anyway — because Scout is not the last Autopilot agent, and every subsequent one will use the same identity model.

Expert help from our SharePoint consultants

Autonomous agents are a new consumer class for SharePoint and the tenants that prep for them ahead of enrollment save weeks of remediation later. Our SharePoint consultants run the four-item lockdown above as a standard readiness engagement, including the DLP exception audit that most tenants skip. If Scout enrollment is on your 2026 roadmap or you are already in the Frontier preview, reach out and we will scope a permissions-prep engagement.

Share this article:

Written by the SharePoint Support Team

Senior SharePoint Consultants | 25+ Years Microsoft Ecosystem Experience

Our senior SharePoint consultants bring deep expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments. We cover SharePoint Online, Microsoft 365, migrations, Copilot readiness, and large-scale governance.

Frequently Asked Questions

Is Scout the same thing as Copilot?
No. Copilot is a user-triggered assistant — you prompt it, it responds, the session ends. Scout is a persistent Autopilot agent — it runs on its own schedule, under its own identity, without a triggering user. The identity model, the access pattern, and the audit surface are all different. Treating Scout as "just another Copilot" is the mistake that leads to over-permissioning.
Do we have to enroll our tenant to prep the permissions?
No, and we advise against it. The four permission lockdowns — dedicated Entra group, sensitivity-label gating, DLP alignment, site-scoped grants — are appropriate preparation regardless of whether you ever enroll Scout. Autopilot is the identity model that every subsequent persistent agent will use, so the prep pays off across the whole agent portfolio. Enroll Scout only when you have a specific use case that justifies the experimental preview status.
How does Scout show up in audit logs?
As the agent identity, not as a user. Under Agent 365, the audit stream carries both the agent identity and — where applicable — the user context that Scout is operating on behalf of. In tasks where Scout has no triggering user (a scheduled scan, for example), only the agent identity appears. Your Sentinel and Purview queries should include the `SP-AutopilotAgents` group as a first-class actor category alongside users and apps.
What is the blast radius if a Scout task list is compromised?
An attacker who controls the task list can direct Scout to read any site the Scout identity has been granted access to. This is why site-scoped access grants matter so much — the blast radius is exactly the set of sites explicitly granted to the identity. If you followed the site-scoped grant discipline, a compromise reveals the sites on the grant list, no more. If you granted tenant-wide access, the blast radius is the entire tenant. This is the single strongest argument for the discipline.
Can Scout run without any user context at all?
Yes, in scheduled and continuous modes. This is architecturally intentional — some Autopilot tasks (nightly compliance scans, weekly cross-tenant reports) inherently have no triggering user. Those tasks run purely under the agent identity, which is why the sensitivity-label ceiling on the agent identity is doing the load-bearing security work. If your policy is "no agent reads Highly Confidential without a triggering user," the ceiling must enforce it — because the runtime will not.
How does Scout interact with SharePoint version history?
Scout reads are logged as read operations against the current version of items in the sites it has access to. Scout does not have a special version-history bypass. If your governance requires version-history redactions to be respected, they are respected. That said, Scout reading a document does not create a new version — reads are not writes — so version history is not modified by Scout activity.
When will Scout hit general availability?
Microsoft has not published a firm GA date as of mid-2026. The Frontier program experimental preview typically runs 6-12 months before GA. Our expectation is late 2026 or early 2027 for Scout GA, and shortly after that, additional Autopilot agents will appear across the Microsoft 365 product line. Treat the permissions prep as a 2026 investment that pays returns across the whole persistent-agent portfolio, not just Scout.

Need Expert Help?

Our SharePoint consultants are ready to help you implement these strategies in your organization.