Security

Hunting Rogue Copilot Agents With SharePoint Agent Access Insights

Agent Access Insights is GA. Here is how to read the heatmap, spot rogue Copilot agents, and triage without drowning in false positives.

SharePoint Support Team2026-07-059 min read
Hunting Rogue Copilot Agents With SharePoint Agent Access Insights - Security guide by SharePoint Support
Hunting Rogue Copilot Agents With SharePoint Agent Access Insights - Expert Security guidance from SharePoint Support

Agent Access Insights hit GA in June 2026 and it is the first native SharePoint surface for hunting rogue Copilot activity. The heatmap shows every agent operating in your tenant across 1, 7, 14, and 28-day windows, ranks the top 20, and flags "unusual patterns" — new-site access, permission-boundary crossings, and volume spikes. This post is our SharePoint Support Team's triage playbook: what the heatmap actually shows, how to distinguish signal from noise, and the escalation path when you find something real.

What Agent Access Insights Actually Shows

Agent Access Insights lives in SharePoint admin center → Copilot → Agent access. The default view is a heatmap of agents (rows) by sites (columns), with cell intensity indicating access volume. Above the heatmap, a summary card lists the top-20 agents by activity across the chosen time window.

SharePoint governance framework showing policies, roles, and compliance
SharePoint governance model with policies and compliance controls

The data is pulled from the tenant's audit stream and the Copilot semantic index request log. Both must be active. If audit is off, the heatmap will show only agent metadata and no access data. If your tenant has never had a Copilot license, you will not see this surface at all.

Reference: Insights on agent access in SharePoint.

The four time windows

  • 1-day — real-time triage. Use during an active incident.
  • 7-day — weekly review. This is the default for our team's weekly governance sync.
  • 14-day — trend detection. Good for spotting agents that have quietly ramped up.
  • 28-day — baseline calibration. Use this to establish "normal" for your tenant before you start hunting.

Our recommended sequence for a new tenant: run the 28-day view first to see who the top agents are and what "normal" access patterns look like. Then run the 7-day view weekly to catch anomalies against that baseline. Save the 1-day for incident response.

The four "unusual pattern" indicators

The heatmap flags an agent with a small icon when it exhibits one of four patterns. These are the signals worth investigating:

| Indicator | What it means | Common cause |

|-----------|---------------|--------------|

| New site access | Agent accessed sites it had not touched in the prior 28 days | Legitimate scope expansion, or a scope leak |

| Permission boundary cross | Agent accessed content from a different sensitivity tier | Label misconfiguration, or credential misuse |

| Volume spike | Access count >3x the agent's 28-day median in a single day | Scheduled bulk job, or runaway automation |

| Access outside business hours | Access between 10 PM and 6 AM local time | Scheduled agent (expected), or human-triggered off-hours access (investigate) |

None of these are proof of a rogue agent on their own. They are triggers for a review — not for a takedown.

Triage Playbook — 5 Steps for Every Flagged Agent

When the heatmap flags an agent, follow this sequence. It is designed to eliminate the common false positives before you escalate.

Step 1 — Identify the agent owner and creation date

Click the agent row to open the details pane. Note the owner identity and the creation timestamp. If the owner is a leaver, or the creation date is more than 30 days after the last owner login, that is your first red flag. Agents with unclear ownership are the top cause of governance issues.

Step 2 — Cross-reference against your known agent inventory

Every tenant should have a "known agents" inventory — a list of agents your organization built or deployed, with owner, purpose, and expected access scope. If the flagged agent is on that list and its behavior matches the expected scope, you are done. If it is not on the list, or its behavior does not match, keep going.

If you do not have a known-agents inventory, build one today. The SharePoint Admin Agent prompts post has the exact wording for extracting the inventory in bulk.

Step 3 — Check the accessed sites for sensitivity labels

For every site the flagged agent accessed, check the sensitivity label. If any of them are labeled Confidential or Highly Confidential and the agent's owner is not authorized for that tier, escalate immediately. If they are all labeled General or Public, and the volume is reasonable, the flag is likely a scope expansion — not a compromise.

Step 4 — Correlate with Purview audit for the same time window

Open Purview → Audit → Search and filter by the agent identity, the same time window, and the accessed site URLs. Look for two patterns: legitimate app-only OAuth tokens (normal), or user-impersonation tokens outside the owner's typical use (investigate). Purview will show you the auth method that granted the access — that is the ground truth for "is this the agent doing what it should be doing."

Step 5 — Decide: monitor, restrict, or disable

Based on the evidence from steps 1 through 4, choose one:

  • Monitor. Add the agent to a watch list, run the 7-day view every day for two weeks. Use this when the behavior is unusual but not clearly wrong.
  • Restrict. Reduce the agent's scope via SharePoint permissions or via the agent's configuration. Use this when the scope is broader than the owner intended but there is no evidence of misuse.
  • Disable. Turn the agent off entirely, revoke its OAuth grants, and open an incident ticket. Use this when there is evidence of unauthorized access or the owner is unreachable.

Common False Positives — What Not to Panic About

A large share of first-week alerts are false positives. This table is what our team learned to filter out.

| Flag | Frequent innocuous cause | How to confirm |

|------|--------------------------|----------------|

| New site access | Agent owner moved teams or joined a new project | Check the owner's Entra group memberships — new group = new site access |

| Volume spike on Monday | Weekly scheduled report ran | Check the agent config for scheduled triggers |

| Off-hours access | Agent runs on server time, not user local time | Confirm the agent runs on a scheduled job, not interactively |

| Permission boundary cross | Owner has multi-tier access; label was upgraded on the site | Check site label change history in the audit log |

| Multiple flags at once | Agent was reconfigured recently | Check the agent's change log — a reconfig can trigger every indicator at once |

The heuristic our team uses: one flag = triage in the next weekly review; two flags = triage today; three or more flags = triage in the next hour.

When to Escalate to Purview vs Entra vs SAM

Three different teams may need to know about a rogue agent. Choosing the right one saves hours of ping-pong.

  • Escalate to Purview when: the incident is about labeled content access, DLP violation, records disposition, or eDiscovery hold. Purview owns the data governance decisions.
  • Escalate to Entra when: the incident is about OAuth grants, service principal creation, or authentication anomalies. Entra owns the identity and access decisions.
  • Escalate to SharePoint Advanced Management (SAM) when: the incident is about permission sprawl, site ownership, or SharePoint-specific admin actions. SAM owns the SharePoint governance surface.

For a rogue Copilot agent, you often need all three. Open the ticket with the most senior owner and CC the others.

Reference: read the Insights on agent access doc's "Working with agent access data" section for how the underlying schema is structured — that helps enormously when you are correlating with Purview.

Rogue Agent Signals to Take Seriously

None of these should ever be a false positive:

  • Agent accessing sites the owner has no group membership for.
  • Agent running with app-only permissions the tenant admin did not grant.
  • Agent access to a site holding regulated data (PHI, PCI, ITAR) with no compliance-owner review.
  • Agent whose creation timestamp is after the owner's HR termination date.
  • Agent accessing >100 sites in a 24-hour window (scope-crawl pattern).

Any of these are P1 incidents. Disable the agent, revoke OAuth grants, and open the ticket.

Weekly Habit — 15-Minute Cadence

Our team's weekly rhythm:

  • Open Agent Access Insights, set 7-day window.
  • Sort by "unusual pattern" indicators.
  • Triage the top 5 with the 5-step playbook above.
  • Log dispositions in the governance channel.
  • Update the known-agents inventory if a new legitimate agent has been added.

Fifteen minutes on Tuesday morning, every week. That is the difference between a governed Copilot rollout and an audit finding.

Expert help from our SharePoint consultants

Our SharePoint Support Team runs Agent Access Insights triage for regulated tenants — we've seen every false positive pattern above and can shortcut the calibration process. If you need help building your known-agents inventory, tuning the Purview correlation, or running an incident response for a real rogue-agent finding, talk to our SharePoint consultants or reach us via our contact page. Rogue agent hunts are one of the highest-leverage governance activities you can run right now — a small investment prevents a much larger incident.

Share this article:

Written by the SharePoint Support Team

Senior SharePoint Consultants | 25+ Years Microsoft Ecosystem Experience

Our senior SharePoint consultants bring deep expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments. We cover SharePoint Online, Microsoft 365, migrations, Copilot readiness, and large-scale governance.

Frequently Asked Questions

Where do I find Agent Access Insights in the SharePoint admin center?
Sign in to the SharePoint admin center at admin.sharepoint.com, then navigate to Copilot → Agent access. The heatmap and top-20 summary card appear on the default view. If you do not see the Copilot menu, confirm your tenant has at least one Microsoft 365 Copilot license active and that you have the SharePoint Administrator or SharePoint Advanced Management Administrator role. The surface will not appear for tenants with zero Copilot licenses. Data population can lag 4 to 24 hours after a tenant first activates Copilot.
What is the difference between "new site access" and "permission boundary cross"?
New site access means the agent accessed a site it had not touched in the prior 28-day baseline — the agent expanded its scope. Permission boundary cross means the agent accessed content in a different sensitivity tier than its prior behavior — for example, an agent that has only accessed General-labeled content suddenly accessing Confidential content. New site access is often benign (scope expansion for a legitimate project). Permission boundary cross is a much higher signal because it implies the agent, or its user identity, has moved into content the owner's access rights may not have anticipated.
How do I build a known-agents inventory?
Start with the SharePoint Admin Agent prompt: "List every agent in the tenant with its owner, creation date, and current access scope." Export the result to a shared spreadsheet or SharePoint list. For each agent, add three columns: business purpose, expected access scope, and review cadence. Owner each agent to a named identity (not a shared mailbox). Review the list monthly. When a new agent is created, the creator adds it to the inventory as part of the deployment step — that discipline is what turns the inventory from a one-time snapshot into a living document.
Should I disable an agent immediately when I see multiple flags?
Only if you have evidence of actual harm. Multiple flags at once are common when an agent is reconfigured — the change resets the baseline and can trigger new-site-access, volume spike, and boundary cross flags all at once even though nothing is wrong. Follow the 5-step playbook: identify the owner, cross-reference against the known-agents inventory, check accessed labels, correlate with Purview audit, then decide. If the correlation shows unauthorized OAuth grants, or the owner is unreachable, or regulated content was touched, then yes — disable and open an incident ticket. Otherwise monitor for a week.
Does Agent Access Insights capture Copilot Cowork activity?
Yes. Copilot Cowork agents appear in the heatmap alongside conventional Copilot agents. Cowork agents can be higher-risk because they execute multi-step tasks including page writes on SharePoint intranets, so we recommend adding a "cowork" tag to your known-agents inventory column and filtering the heatmap by that tag during weekly reviews. See our Copilot Cowork guardrails post for the seven governance controls we recommend for cowork agents specifically. The Purview audit correlation is especially important for cowork because the write actions leave a distinct trail.
How long is the data retained in Agent Access Insights?
The heatmap surface shows 1, 7, 14, and 28-day windows. The underlying data feeds from Purview unified audit, which retains 90 days by default and up to 10 years with Audit (Premium) licensing. For long-term forensic capability, ensure Audit (Premium) is licensed on the identities that manage Copilot agents. Without it, you lose the ability to investigate historical incidents beyond the 90-day window. Set a calendar reminder to export the top-20 agent list monthly so you have a longitudinal record even if the live surface only shows 28 days.
What is the fastest way to reduce false positives?
Calibrate on the 28-day window first. Establish who the top-20 agents are, what their normal access looks like, and what their owner community is. Once you have that baseline, the flags on the 7-day view become meaningful — before you have the baseline, everything looks unusual. Add a suppression list for known scheduled agents (weekly report bots, IT automation agents) so their expected volume spikes and off-hours access do not fire flags every week. Two weeks of calibration typically cuts weekly review time from 60 minutes to 15 minutes.

Need Expert Help?

Our SharePoint consultants are ready to help you implement these strategies in your organization.