Microsoft Scout entered the Frontier program experimental preview in May 2026 and it represents a class of agent SharePoint architects have not had to think about yet: the always-on autonomous agent. Not a user-triggered Copilot prompt. Not a Copilot Studio agent responding to a webhook. A persistent agent that runs on its own schedule, under its own identity, and reads SharePoint on its own initiative.
If your permission model was designed for humans and short-lived apps, Scout will find every gap. This post is what our team is telling customers to lock down before they enroll a tenant.
What Scout is, architecturally
Scout is the first shipping Autopilot agent in the Microsoft product line. Autopilot is the internal name for the persistent-agent runtime — an agent lifecycle that stays resident, executes on a schedule (or on triggers, or continuously depending on the mode), and reports back to a user or workflow asynchronously.
The three architecturally interesting properties of Scout, from a SharePoint permissions perspective:
- Persistent identity. Scout runs under an Entra Agent Identity that persists across sessions. It is not a per-invocation identity. Whatever access the identity has, Scout has, all the time.
- Own schedule. Scout can read a SharePoint site at 3am on a Sunday without a human ever prompting it. The audit trail records the agent, not a triggering user.
- Bring-its-own-context. Because Scout can run without a triggering user, "act on behalf of the current user" is not always available. Some Scout tasks run purely under the agent identity.
Official reference: Microsoft Scout overview.
This is a new content-consumer class for SharePoint. Historically SharePoint has had three consumer classes: users (with human ACLs), apps (with app registrations and Graph scopes), and service accounts (with everything, please stop using them). Scout does not fit cleanly into any of them:
| Consumer class | Identity model | Access pattern | Audit trail |
|----------------|----------------|----------------|-------------|
| User | Entra user | On-demand, session-scoped | User in audit log |
| App (short-lived) | App registration / managed identity | On-demand, request-scoped | App identity in audit log |
| Service account (deprecated) | User account with many perms | Always-on, everything-scoped | Service account name in audit log |
| Scout (Autopilot agent) | Entra Agent Identity | Always-on, agent-scoped | Agent identity in audit log |
The last row is the new one. Autopilot agents are always-on and first-class in the audit log, unlike service accounts. That combination is what makes Scout tolerable in enterprise environments — but only if you prep the permissions correctly.
Four things to lock down before enrollment
1. Dedicated Entra security group for agent identities
Before you enroll any tenant in Scout, create a dedicated Entra security group — we typically name it `SP-AutopilotAgents` — that will hold every Autopilot agent identity in the tenant. Scout is the first, but it will not be the last. Grant permissions to the group, not the individual agent, so future agents inherit the model rather than each getting a bespoke access grant.
Rule: no Autopilot agent identity should have SharePoint access via a group membership other than `SP-AutopilotAgents`. If Scout ends up in a general "All Company" group, you have a lateral-movement problem the first time an agent is compromised.
2. Sensitivity-label gating as the primary permission control
Scout inherits the Agent 365 sensitivity-label ceiling model. This is where you do the load-bearing lockdown. Set the ceiling explicitly, per Autopilot agent:
- Scout default policy: allowed sensitivity labels = `General`, `Internal`. Everything else is blocked at the Agent 365 layer, regardless of the underlying SharePoint permission.
- Elevated Scout policy (per-tenant approval required): add `Confidential-Internal` on a per-use-case basis, with a documented business justification.
- Never Scout policy: `Highly Confidential`, `Regulated`, `Legal Hold`. These labels should never be reachable by an always-on agent. If Scout needs regulated data, that is a specific-purpose Copilot Studio agent with human triggering, not Autopilot.
This gating is non-negotiable. Users can accidentally save a Highly Confidential document to a General-labeled site. Scout should not be the discovery mechanism for that mistake.
3. DLP policy alignment
Data Loss Prevention policies apply to Autopilot agents the same way they apply to users — but the exceptions list is where things break. Review every DLP exception in the tenant and ask: "does this exception apply to Scout?" The answer should almost always be no.
Common exceptions that must NOT include Scout:
- "Legal team can share Highly Confidential externally." Scout is not a legal team member.
- "Executive assistants can copy documents between confidential libraries." Scout is not an assistant.
- "Compliance investigators can access all sites." Scout is not an investigator.
Explicitly exclude the `SP-AutopilotAgents` group from every DLP exception. This is a 30-minute audit and it eliminates a whole class of accidental over-permission.
4. Site-scoped access grants, never tenant-scoped
The most important operational discipline: Scout should only be granted access to specific sites, not tenant-wide. There are two ways to get this wrong:
- Adding Scout to the tenant "SharePoint Reader" role. Do not do this. There is no legitimate reason for an Autopilot agent to have read on every site in the tenant.
- Granting Scout Sites.Read.All Graph permission. Same problem, different path. Use Sites.Selected instead, then grant per-site access.
The correct pattern is Sites.Selected on the Graph permission side, plus explicit per-site access grants for the sites Scout needs to read. When Scout needs a new site, that is a change-managed grant, not an automatic inheritance.
Additional prep worth doing
- Establish an agent-identity review cadence. Quarterly, walk through the `SP-AutopilotAgents` group membership and re-attest each identity. Agents that are no longer running get removed.
- Wire agent-specific audit alerts. Agent 365 audit stream + Sentinel: alert on Scout accessing a site it has not touched in the last 30 days, or on Scout accessing more than N sites in a rolling hour.
- Tabletop the compromise scenario. What happens if an attacker gains control of a Scout task list? They can potentially cause Scout to read sensitive data on their behalf. Verify sensitivity-label gating catches this.
When Scout is worth enrolling
Scout is early. Frontier program preview means "experimental" — API surface will change, feature set will change, and there may be reliability wobbles. The tenants where enrolling makes sense right now are ones with a specific use case where an always-on agent produces value that on-demand Copilot cannot: continuous monitoring of a specific site collection for compliance triggers, scheduled cross-tenant reporting, or persistent workflow orchestration where the schedule is the point.
For most tenants, we are advising a "watch closely, do not enroll yet" posture until GA. The permission prep above should happen anyway — because Scout is not the last Autopilot agent, and every subsequent one will use the same identity model.
Related SharePoint security
- SharePoint consulting for permission architecture reviews.
- SharePoint support for the operational cadence around agent identity attestation.
- Emergency support if you have already enrolled Scout and are seeing unexpected access patterns.
Expert help from our SharePoint consultants
Autonomous agents are a new consumer class for SharePoint and the tenants that prep for them ahead of enrollment save weeks of remediation later. Our SharePoint consultants run the four-item lockdown above as a standard readiness engagement, including the DLP exception audit that most tenants skip. If Scout enrollment is on your 2026 roadmap or you are already in the Frontier preview, reach out and we will scope a permissions-prep engagement.
Written by the SharePoint Support Team
Senior SharePoint Consultants | 25+ Years Microsoft Ecosystem Experience
Our senior SharePoint consultants bring deep expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments. We cover SharePoint Online, Microsoft 365, migrations, Copilot readiness, and large-scale governance.
Expert SharePoint Services
Frequently Asked Questions
Is Scout the same thing as Copilot?▼
Do we have to enroll our tenant to prep the permissions?▼
How does Scout show up in audit logs?▼
What is the blast radius if a Scout task list is compromised?▼
Can Scout run without any user context at all?▼
How does Scout interact with SharePoint version history?▼
When will Scout hit general availability?▼
Need Expert Help?
Our SharePoint consultants are ready to help you implement these strategies in your organization.
Continue Reading in Security
SharePoint Security Hardening: Protect Your Enterprise...
Comprehensive security guide covering permissions, external sharing, sensitivity labels, and advanced threat protection.
SecuritySharePoint Backup and Recovery: Enterprise Protection Guide
Protect your SharePoint data with comprehensive backup and recovery strategies. Learn about native tools, third-party solutions, and disaster recovery planning.
SecuritySharePoint External Sharing: Secure Collaboration Guide
Enable secure external collaboration in SharePoint while maintaining governance and compliance. Learn sharing policies, guest access, and security best practices.
SecuritySharePoint Extranet Setup Guide: Secure External...
Complete guide to setting up a SharePoint extranet for clients, vendors, and partners. Covers architecture options, security controls, permissions, and governance for B2B collaboration.
SecuritySharePoint Permissions Management
Master SharePoint permissions with this enterprise guide. Covers permission levels, inheritance, groups, unique permissions, broken inheritance risks, auditing, and modern best practices.
SecuritySharePoint External Sharing & Guest Access
Securely configure SharePoint external sharing and guest access for enterprise collaboration. Learn sharing policies, guest user management, conditional access, auditing external activity, and compliance controls.
