4.3.1. Configuring User Access to Agents

💡 First Principle: Access to agents is controlled at two levels: tenant-wide availability (which agents exist in your org) and per-user access (which users can access which agents). Admins configure both through the Microsoft 365 admin center and the Power Platform admin center.

Tenant-wide agent controls (Microsoft 365 admin center → Copilot → Agents):

• Enable or disable specific agents for the entire tenant
• Control whether users can discover and install agents from the Microsoft AppSource catalog
• Control whether users can create their own agents (this can be restricted to IT teams only)
• Set the default state for new agents: disabled by default until explicitly enabled, or enabled by default

Per-user access (Power Platform admin center):

• Assign specific agents to specific user groups
• View which users have access to which agents
• Monitor agent usage per user

Agent availability modes:

⚠️ Exam Trap: Even after an admin publishes an agent org-wide, users must explicitly access it — it's not automatically pinned to their Copilot experience. Availability ≠ adoption.

Reflection Question: Your IT team builds an agent for the help desk that answers common IT questions. They want it available to all employees but not visible to external guest users. Which admin center do they use to configure this, and what access mode do they select?