Administration

SharePoint Admin Agent: 12 Prompts Every Admin Should Run

The SharePoint Admin Agent is GA. Here are the 12 highest-value prompts for oversharing, agent access, and content lifecycle — with the exact wording.

SharePoint Support Team2026-07-0611 min read
SharePoint Admin Agent: 12 Prompts Every Admin Should Run - Administration guide by SharePoint Support
SharePoint Admin Agent: 12 Prompts Every Admin Should Run - Expert Administration guidance from SharePoint Support

The SharePoint Admin Agent went GA in June 2026 and it is the fastest governance win a SharePoint admin can score right now. It runs on top of SharePoint Advanced Management, understands your tenant's data access posture, and answers plain-English questions about oversharing, agent activity, and stale content. This post is the 12 prompts our SharePoint Support Team runs on every new customer engagement — the exact wording, why each matters, and how to interpret the output.

Prerequisites — Do These Before You Prompt

The Admin Agent has hard prerequisites. Skip these and the agent will either refuse to run or return incomplete results.

SharePoint governance framework showing policies, roles, and compliance
SharePoint governance model with policies and compliance controls
  • SharePoint Advanced Management (SAM) license. Included with Microsoft 365 E5 and available as an add-on for E3. Without SAM, the agent's data access governance surfaces are unavailable.
  • SharePoint Advanced Management Administrator role. This is a distinct Entra role — separate from SharePoint Administrator. Assign it in Entra admin center → Roles and admins. Global Administrator alone will work but grants far more than you need.
  • Purview unified audit logging enabled. Some prompts pull from audit — if it is off, they return empty.
  • Data Access Governance reports have run at least once. In SharePoint admin center → Reports → Data access governance, run the initial permission scan. First run can take 24 to 72 hours on a large tenant.

Once those are in place, you can invoke the agent from three surfaces: the SharePoint admin center (Copilot icon top-right), the Copilot app (add the SharePoint Admin Agent from the agent library), or Microsoft Teams (install the SharePoint admin agent app). We prefer the SharePoint admin center because it links results directly back to the underlying admin console.

Reference: Content governance agent for SharePoint.

Group 1 — Oversharing Prompts (Run First)

Oversharing is the primary risk vector for any Copilot in SharePoint deployment. Any file a user can access is a file Copilot can quote back. These four prompts triage the tenant in under 30 minutes.

Prompt 1

> "List the top 20 sites in the tenant with the highest number of unique permission grants over the last 90 days, and tell me which of those have Copilot in SharePoint enabled."

Why it matters: Permission sprawl compounds — a site with 800 unique grants is almost always oversharing. Combining that list with Copilot-enabled state prioritizes the remediation queue.

How to read it: Any site with >500 unique grants + Copilot enabled is a P1 remediation. Any site with >1,000 unique grants regardless of Copilot state is a P2.

Prompt 2

> "Find every site shared with 'Everyone except external users' and rank them by storage size."

Why it matters: "Everyone except external users" is the SharePoint equivalent of "public within the company." It is the most common oversharing pattern we find on new customer audits — usually attached to sites nobody remembers making public.

How to read it: Anything over 10 GB with this share pattern is high-priority. Ask the site owner why — if there is no business reason, remove the grant.

Prompt 3

> "Show me sites where sensitivity labels are missing on 50% or more of files, and identify the site owners."

Why it matters: Missing labels means content is treated as unlabeled for Copilot grounding and DLP evaluation. Sites owned by leavers or by shared mailboxes are the worst cases.

How to read it: Cross-reference the owners against your leaver list from HR. Reassign ownership before you push auto-labeling.

Prompt 4

> "Which sites have inactive external guests still holding permissions?"

Why it matters: External guests who have not signed in for 90+ days but still hold permissions are a compliance finding for most regulated frameworks (SOC 2, ISO 27001, HIPAA).

How to read it: Use the output as the input to a bulk deprovisioning workflow — the agent will not remove permissions for you, but it will hand you the exact list.

Group 2 — Agents Access Prompts (Copilot & Cowork Hunting)

The Agents Access Insights heatmap is now GA (see the companion post on hunting rogue agents). These four prompts extract signal from it.

Prompt 5

> "Show me the top 20 Copilot agents by access volume in the last 14 days, and flag any that accessed 5 or more sites they had not accessed in the prior 28 days."

Why it matters: New-site-access spikes are the primary "unusual pattern" indicator for a compromised or misconfigured agent.

How to read it: Any agent flagged here goes into triage. Check the agent's owner, the sites accessed, and whether the access was interactive or unattended.

Prompt 6

> "List every agent in the tenant that has been granted write access to more than 3 SharePoint sites, and identify the agent owner and creation date."

Why it matters: Agents with write access can create pages, modify list items, and (with Cowork) drive browser sessions. Write-access sprawl is the risk vector that Cowork GA introduced.

How to read it: Anything over 3 sites with write is a review candidate. If the owner is a leaver, it is a P1 remediation.

Prompt 7

> "Which agents have accessed sites labeled Highly Confidential or Restricted in the last 28 days?"

Why it matters: Labeled-content access is the highest-signal audit event. An agent hitting Restricted content deserves a same-day review.

How to read it: For each hit, confirm the agent's purpose, the requesting user, and whether the label allows Copilot grounding. Escalate to Purview if unclear.

Prompt 8

> "Show me agents that ran outside business hours (10 PM to 6 AM local time) in the last 7 days."

Why it matters: Legitimate scheduled agents are known and expected. Ad-hoc off-hours access from human-triggered agents is not.

How to read it: Cross-reference against your known scheduled agent inventory. Anything unexpected goes to your incident queue.

Group 3 — Content Lifecycle Prompts

Stale content is the other side of the oversharing coin. It is grounding fuel for Copilot, storage cost, and compliance risk.

Prompt 9

> "List every site where no file has been modified in the last 12 months, and tell me the owner and storage size."

Why it matters: These are archive candidates. Some are legitimate (compliance retention), most are not.

How to read it: Sites over 1 GB with no activity are high-value archive targets. Sites owned by leavers with no activity are P1 for ownership reassignment or archival.

Prompt 10

> "Which sites have retention labels that expire in the next 90 days, and which of those need review before disposal?"

Why it matters: Records disposition is a compliance obligation. Missing a review window can be a records-management finding in an audit.

How to read it: This is your review queue for the next quarter. Assign each to a records-management owner before the expiration date.

Prompt 11

> "Find all files marked as read-only that have been accessed more than 100 times in the last 30 days, and identify the site."

Why it matters: High-access, read-only files are usually critical reference documents — SOPs, policy documents, compliance guides. They deserve a governance review.

How to read it: Confirm each file is version-controlled and has a designated owner. Add a review cadence.

Prompt 12

> "Show me sites that use custom permission levels (not the default Read / Contribute / Edit / Full Control) and identify what those custom levels grant."

Why it matters: Custom permission levels are governance debt. They are often forgotten, undocumented, and grant more than the site owner remembers.

How to read it: Any custom level that grants Manage Permissions to non-admins is a P1 review. Document, or replace with a standard level.

Making the Agent a Weekly Habit

Running these prompts once during a health check finds problems. Running them weekly prevents new ones. Our team schedules the agent runs on a Tuesday cadence (Monday is inbox catchup, Tuesday is governance). We export the output to a governance channel in Teams and assign each finding to a named owner with a due date.

The agent is not a replacement for your admin skill — it is a force multiplier. It surfaces the signal, you make the decision. Do not accept its recommendations blindly. Check the source data every time until you have calibrated on its behavior for your tenant.

Related docs: Content governance agent for SharePoint — read the "How the agent grounds its answers" section so you understand what data it can and cannot see.

Expert help from our SharePoint consultants

Our SharePoint Support Team runs the Admin Agent prompt battery on every governance engagement — we've refined the exact wording above by iterating across dozens of tenants. If you want a structured Admin Agent rollout, license positioning, or help interpreting the output on a large tenant, engage our SharePoint consultants or reach out for a scoping conversation. We tie the agent output to a remediation runbook so the signal actually turns into fixed sites.

Share this article:

Written by the SharePoint Support Team

Senior SharePoint Consultants | 25+ Years Microsoft Ecosystem Experience

Our senior SharePoint consultants bring deep expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments. We cover SharePoint Online, Microsoft 365, migrations, Copilot readiness, and large-scale governance.

Frequently Asked Questions

What license do we need to run the SharePoint Admin Agent?
You need SharePoint Advanced Management (SAM), which is included with Microsoft 365 E5 or available as an add-on for Microsoft 365 E3. Without SAM, the Admin Agent will run but the data access governance surfaces will be unavailable — meaning the oversharing prompts return empty results. Some agent-access prompts also depend on SAM being active. If you are on E3 without the SAM add-on and are evaluating Copilot in SharePoint at scale, the SAM add-on is effectively a prerequisite.
Do I need Global Admin to use the SharePoint Admin Agent?
No — and you should not use Global Admin for it. Assign the SharePoint Advanced Management Administrator role in Entra to the identities that need to run the agent. That role is scoped to exactly the surfaces the agent operates on, following least-privilege. Global Administrator will work but grants far more permissions than the agent needs, which fails most compliance reviews. In Entra admin center, go to Roles and admins, search for SharePoint Advanced Management Administrator, and assign it to your SharePoint operations team.
Where can I invoke the SharePoint Admin Agent from?
Three surfaces are supported at GA: the SharePoint admin center (Copilot icon in the top-right of any admin page), the Copilot app on the web or desktop (add the SharePoint Admin Agent from the agent library), and Microsoft Teams (install the SharePoint Admin Agent app). We recommend the SharePoint admin center for the initial rollout because the links in agent responses deep-link back to the admin console pages, which reduces the click count on remediation. Teams is convenient for ad-hoc questions during meetings.
How fresh is the data the Admin Agent uses?
The agent grounds on the Data Access Governance reports, which run on a scheduled basis. First run on a new tenant can take 24 to 72 hours. Subsequent runs are typically daily. For the freshest picture, run the Data Access Governance report manually before an audit engagement. Agent Access Insights data has its own refresh schedule and can lag by 4 to 24 hours. If the agent tells you "no results found," check the report status in the admin center — the report may still be running.
Can I automate these prompts on a schedule?
Not directly from the agent UI at GA — the agent is an interactive surface. However, the underlying data (Data Access Governance reports, Agent Access Insights, sensitivity label coverage) is available via Microsoft Graph and the SharePoint Online Management PowerShell module. Our team automates the same queries as scheduled reports that feed a Power BI dashboard, then uses the agent interactively for the "why is this like this" follow-up questions. That gives you continuous monitoring and interactive troubleshooting from the same data.
What is the difference between the SharePoint Admin Agent and Copilot in SharePoint?
Copilot in SharePoint is the end-user chat surface on modern sites — it grounds on the current site's content and helps users find information. The SharePoint Admin Agent is an admin-only surface that grounds on tenant governance data (permissions, agents, labels, storage) and helps admins run the tenant. They share the Copilot brand but are distinct products with different licenses, different roles, and different data. An end user cannot access the Admin Agent; an admin using the Admin Agent is not seeing user content, they are seeing tenant metadata.
How do we get started if we have never run the Data Access Governance reports?
Start in SharePoint admin center → Reports → Data access governance. Run the initial scan on your top oversharing categories — content shared with Everyone except external users, and content shared via anyone-links. First scan on a large tenant can take 24 to 72 hours. While it is running, assign the SharePoint Advanced Management Administrator role, confirm your SAM licensing, and confirm Purview unified audit logging is on. Once the scan completes, run Prompt 1 through 4 in sequence. That gives you a triaged oversharing queue in under an hour.

Need Expert Help?

Our SharePoint consultants are ready to help you implement these strategies in your organization.

Continue Reading in Administration

Administration

SharePoint Admin Center: Administration Guide

Master the SharePoint Admin Center with this guide covering site management, policies, settings, and monitoring capabilities for tenant administrators.

Administration

SharePoint Storage Management: M365 Guide

Master SharePoint storage management with strategies for monitoring usage, optimizing quotas, archiving content, and planning capacity for your Microsoft 365 tenant.

Administration

Recycle Bin Management: Data Recovery Best Practices

Master SharePoint recycle bin management for reliable data recovery. Learn first-stage and second-stage recycle bins, retention policies, PowerShell recovery commands, and enterprise backup strategies.

Administration

SharePoint vs OneDrive: When to Use Each (And When You...

Clear guide to when to use SharePoint vs OneDrive in Microsoft 365. Explains the key differences, ideal use cases for each, how they work together, and the most common mistakes organizations make.

Administration

SharePoint Admin Center: Complete Guide for 2026

Master the SharePoint Admin Center with this comprehensive guide covering site management, settings, policies, external sharing, storage quotas, and modern admin features.

Administration

SharePoint Online Storage Management: Administrator...

Optimize SharePoint Online storage usage, understand tenant storage pools, manage site quotas, identify version history bloat, reclaim wasted space, and implement storage governance policies to control costs and prevent read-only site incidents.