The SharePoint Admin Agent went GA in June 2026 and it is the fastest governance win a SharePoint admin can score right now. It runs on top of SharePoint Advanced Management, understands your tenant's data access posture, and answers plain-English questions about oversharing, agent activity, and stale content. This post is the 12 prompts our SharePoint Support Team runs on every new customer engagement — the exact wording, why each matters, and how to interpret the output.
Prerequisites — Do These Before You Prompt
The Admin Agent has hard prerequisites. Skip these and the agent will either refuse to run or return incomplete results.
- SharePoint Advanced Management (SAM) license. Included with Microsoft 365 E5 and available as an add-on for E3. Without SAM, the agent's data access governance surfaces are unavailable.
- SharePoint Advanced Management Administrator role. This is a distinct Entra role — separate from SharePoint Administrator. Assign it in Entra admin center → Roles and admins. Global Administrator alone will work but grants far more than you need.
- Purview unified audit logging enabled. Some prompts pull from audit — if it is off, they return empty.
- Data Access Governance reports have run at least once. In SharePoint admin center → Reports → Data access governance, run the initial permission scan. First run can take 24 to 72 hours on a large tenant.
Once those are in place, you can invoke the agent from three surfaces: the SharePoint admin center (Copilot icon top-right), the Copilot app (add the SharePoint Admin Agent from the agent library), or Microsoft Teams (install the SharePoint admin agent app). We prefer the SharePoint admin center because it links results directly back to the underlying admin console.
Reference: Content governance agent for SharePoint.
Group 1 — Oversharing Prompts (Run First)
Oversharing is the primary risk vector for any Copilot in SharePoint deployment. Any file a user can access is a file Copilot can quote back. These four prompts triage the tenant in under 30 minutes.
Prompt 1
> "List the top 20 sites in the tenant with the highest number of unique permission grants over the last 90 days, and tell me which of those have Copilot in SharePoint enabled."
Why it matters: Permission sprawl compounds — a site with 800 unique grants is almost always oversharing. Combining that list with Copilot-enabled state prioritizes the remediation queue.
How to read it: Any site with >500 unique grants + Copilot enabled is a P1 remediation. Any site with >1,000 unique grants regardless of Copilot state is a P2.
Prompt 2
> "Find every site shared with 'Everyone except external users' and rank them by storage size."
Why it matters: "Everyone except external users" is the SharePoint equivalent of "public within the company." It is the most common oversharing pattern we find on new customer audits — usually attached to sites nobody remembers making public.
How to read it: Anything over 10 GB with this share pattern is high-priority. Ask the site owner why — if there is no business reason, remove the grant.
Prompt 3
> "Show me sites where sensitivity labels are missing on 50% or more of files, and identify the site owners."
Why it matters: Missing labels means content is treated as unlabeled for Copilot grounding and DLP evaluation. Sites owned by leavers or by shared mailboxes are the worst cases.
How to read it: Cross-reference the owners against your leaver list from HR. Reassign ownership before you push auto-labeling.
Prompt 4
> "Which sites have inactive external guests still holding permissions?"
Why it matters: External guests who have not signed in for 90+ days but still hold permissions are a compliance finding for most regulated frameworks (SOC 2, ISO 27001, HIPAA).
How to read it: Use the output as the input to a bulk deprovisioning workflow — the agent will not remove permissions for you, but it will hand you the exact list.
Group 2 — Agents Access Prompts (Copilot & Cowork Hunting)
The Agents Access Insights heatmap is now GA (see the companion post on hunting rogue agents). These four prompts extract signal from it.
Prompt 5
> "Show me the top 20 Copilot agents by access volume in the last 14 days, and flag any that accessed 5 or more sites they had not accessed in the prior 28 days."
Why it matters: New-site-access spikes are the primary "unusual pattern" indicator for a compromised or misconfigured agent.
How to read it: Any agent flagged here goes into triage. Check the agent's owner, the sites accessed, and whether the access was interactive or unattended.
Prompt 6
> "List every agent in the tenant that has been granted write access to more than 3 SharePoint sites, and identify the agent owner and creation date."
Why it matters: Agents with write access can create pages, modify list items, and (with Cowork) drive browser sessions. Write-access sprawl is the risk vector that Cowork GA introduced.
How to read it: Anything over 3 sites with write is a review candidate. If the owner is a leaver, it is a P1 remediation.
Prompt 7
> "Which agents have accessed sites labeled Highly Confidential or Restricted in the last 28 days?"
Why it matters: Labeled-content access is the highest-signal audit event. An agent hitting Restricted content deserves a same-day review.
How to read it: For each hit, confirm the agent's purpose, the requesting user, and whether the label allows Copilot grounding. Escalate to Purview if unclear.
Prompt 8
> "Show me agents that ran outside business hours (10 PM to 6 AM local time) in the last 7 days."
Why it matters: Legitimate scheduled agents are known and expected. Ad-hoc off-hours access from human-triggered agents is not.
How to read it: Cross-reference against your known scheduled agent inventory. Anything unexpected goes to your incident queue.
Group 3 — Content Lifecycle Prompts
Stale content is the other side of the oversharing coin. It is grounding fuel for Copilot, storage cost, and compliance risk.
Prompt 9
> "List every site where no file has been modified in the last 12 months, and tell me the owner and storage size."
Why it matters: These are archive candidates. Some are legitimate (compliance retention), most are not.
How to read it: Sites over 1 GB with no activity are high-value archive targets. Sites owned by leavers with no activity are P1 for ownership reassignment or archival.
Prompt 10
> "Which sites have retention labels that expire in the next 90 days, and which of those need review before disposal?"
Why it matters: Records disposition is a compliance obligation. Missing a review window can be a records-management finding in an audit.
How to read it: This is your review queue for the next quarter. Assign each to a records-management owner before the expiration date.
Prompt 11
> "Find all files marked as read-only that have been accessed more than 100 times in the last 30 days, and identify the site."
Why it matters: High-access, read-only files are usually critical reference documents — SOPs, policy documents, compliance guides. They deserve a governance review.
How to read it: Confirm each file is version-controlled and has a designated owner. Add a review cadence.
Prompt 12
> "Show me sites that use custom permission levels (not the default Read / Contribute / Edit / Full Control) and identify what those custom levels grant."
Why it matters: Custom permission levels are governance debt. They are often forgotten, undocumented, and grant more than the site owner remembers.
How to read it: Any custom level that grants Manage Permissions to non-admins is a P1 review. Document, or replace with a standard level.
Making the Agent a Weekly Habit
Running these prompts once during a health check finds problems. Running them weekly prevents new ones. Our team schedules the agent runs on a Tuesday cadence (Monday is inbox catchup, Tuesday is governance). We export the output to a governance channel in Teams and assign each finding to a named owner with a due date.
The agent is not a replacement for your admin skill — it is a force multiplier. It surfaces the signal, you make the decision. Do not accept its recommendations blindly. Check the source data every time until you have calibrated on its behavior for your tenant.
Related docs: Content governance agent for SharePoint — read the "How the agent grounds its answers" section so you understand what data it can and cannot see.
Expert help from our SharePoint consultants
Our SharePoint Support Team runs the Admin Agent prompt battery on every governance engagement — we've refined the exact wording above by iterating across dozens of tenants. If you want a structured Admin Agent rollout, license positioning, or help interpreting the output on a large tenant, engage our SharePoint consultants or reach out for a scoping conversation. We tie the agent output to a remediation runbook so the signal actually turns into fixed sites.
Written by the SharePoint Support Team
Senior SharePoint Consultants | 25+ Years Microsoft Ecosystem Experience
Our senior SharePoint consultants bring deep expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments. We cover SharePoint Online, Microsoft 365, migrations, Copilot readiness, and large-scale governance.
Expert SharePoint Services
Frequently Asked Questions
What license do we need to run the SharePoint Admin Agent?▼
Do I need Global Admin to use the SharePoint Admin Agent?▼
Where can I invoke the SharePoint Admin Agent from?▼
How fresh is the data the Admin Agent uses?▼
Can I automate these prompts on a schedule?▼
What is the difference between the SharePoint Admin Agent and Copilot in SharePoint?▼
How do we get started if we have never run the Data Access Governance reports?▼
Need Expert Help?
Our SharePoint consultants are ready to help you implement these strategies in your organization.
Continue Reading in Administration
SharePoint Admin Center: Administration Guide
Master the SharePoint Admin Center with this guide covering site management, policies, settings, and monitoring capabilities for tenant administrators.
AdministrationSharePoint Storage Management: M365 Guide
Master SharePoint storage management with strategies for monitoring usage, optimizing quotas, archiving content, and planning capacity for your Microsoft 365 tenant.
AdministrationRecycle Bin Management: Data Recovery Best Practices
Master SharePoint recycle bin management for reliable data recovery. Learn first-stage and second-stage recycle bins, retention policies, PowerShell recovery commands, and enterprise backup strategies.
AdministrationSharePoint vs OneDrive: When to Use Each (And When You...
Clear guide to when to use SharePoint vs OneDrive in Microsoft 365. Explains the key differences, ideal use cases for each, how they work together, and the most common mistakes organizations make.
AdministrationSharePoint Admin Center: Complete Guide for 2026
Master the SharePoint Admin Center with this comprehensive guide covering site management, settings, policies, external sharing, storage quotas, and modern admin features.
AdministrationSharePoint Online Storage Management: Administrator...
Optimize SharePoint Online storage usage, understand tenant storage pools, manage site quotas, identify version history bloat, reclaim wasted space, and implement storage governance policies to control costs and prevent read-only site incidents.
