Agents and Access in Microsoft 365 Copilot
With the introduction of Microsoft 365 Copilot Chat, the entire workforce of every Microsoft 365 organization can use agents in Microsoft 365 Copilot. Microsoft 365 Copilot Chat is an AI chat that's available at no extra cost with Microsoft 365. It serves as the default chat experience for every organization that deploys Microsoft 365. Microsoft 365 Copilot Chat includes web grounding, the latest large language models, Copilot Pages, IT controls, and enterprise-grade privacy and security.
Microsoft 365 Copilot Chat is a powerful on-ramp for everyone in an organization to build the AI habit. However, organizations that want to take their Copilot experience to the next level can purchase a Microsoft 365 Copilot plan for all or selected members of their workforce.
Microsoft 365 Copilot remains Microsoft's premier personal AI assistant for work, encompassing all features of Microsoft 365 Copilot Chat and more. When a user is assigned a Microsoft 365 Copilot license, Copilot Chat becomes even more powerful. It utilizes the company's Microsoft 365 data through Microsoft Graph, integrates directly with Microsoft 365 apps, and utilizes advanced measurement and management tools.
Agents in Microsoft 365 Copilot Chat and Microsoft 365 Copilot
Microsoft 365 Copilot Chat and Microsoft 365 Copilot both support creating agents in Copilot Studio. These agents can automate routine workflows, retrieve information, and execute business tasks. Agents created in Copilot Studio can use web grounding to pull in publicly available information from the internet—similar to how Microsoft 365 Copilot Chat uses Bing based web grounding. This capability is included at no extra cost in both Microsoft 365 Copilot Chat and Microsoft 365 Copilot (full license). Web grounding doesn’t access any organizational or tenant data; it only uses public web sources to enrich an agent’s responses.
However, the two plans differ significantly in how they handle Work data, which is also known as tenant Graph grounding. Work data refers to information stored and managed within your organization’s Microsoft 365 environment. Tenant Graph grounding of Work data ensures that responses are relevant to your organization’s content, security, and compliance policies.
Work data includes files and content stored in SharePoint, OneDrive, and other Microsoft 365 apps that integrate with Microsoft Graph. It can also include data synchronized through Microsoft Graph connectors, such as records from non-Microsoft systems (for example, CRM, ERP, or HR solutions). Work data doesn't include personal Graph data such as user emails, Teams chats, or calendar entries.
Copilot Chat and Copilot Studio agents don’t use a user’s personal Graph data when generating responses. Personal data is only used within the specific Microsoft 365 apps that already have access to it. For example, Outlook Copilot can reference your inbox, and Teams Copilot can reference your meeting chats. However, Copilot Chat and Copilot Studio built agents never use personal Graph data, even when tenant Graph grounding is enabled. This feature ensures a consistent privacy boundary across agent experiences.
Copilot Studio agent creation is available to both plans, but capabilities differ:
Microsoft 365 Copilot Chat (no usage billing). Users can create agents, but those agents can't access work data unless the tenant enables usage billing. SharePoint Agents specifically require usage billing.
Microsoft 365 Copilot (full license). Agents can use work data without extra billing.
In summary, both plans allow agent creation in Copilot Studio, but only tenants with usage‑based billing or Microsoft 365 Copilot licenses can enable agents to access work data or build SharePoint Grounding plugins.
The following sections examine how both plans handle Work data.
Microsoft 365 Copilot Chat (Copilot for All)
For organizations that haven't purchased a Microsoft 365 Copilot license, all eligible users are automatically covered under the Microsoft 365 Copilot Chat plan—sometimes referred to as “Copilot for all.” By default, Copilot Chat in this plan is grounded only in Web data. This means that when a user interacts with Copilot Chat, the responses are generated using publicly available information and general knowledge, not organizational files or internal data.
Organizations that want to extend these capabilities to include Work data can do so by configuring Copilot Studio and enabling tenant Graph grounding. To access this feature, the tenant must:
Purchase a pay-as-you-go (metered) Copilot billing plan. Organizations only pay for the amount of tenant Graph grounding used.
Enable tenant Graph grounding in Copilot Studio. Agents can retrieve and reason over data in Microsoft Graph.
When tenant Graph grounding is enabled, not every generative response is billed. Rather, you incur a pay-as-you-go cost in Copilot Credits only when the agent performs a grounding retrieval (searching organizational data). The number of credits consumed depends on the complexity and scope of the grounding operation (for example, how much data the model needs to access or process).
This model allows organizations to test and scale Copilot experiences without committing to full Copilot licensing.
Microsoft 365 Copilot (Full License)
Organizations with Microsoft 365 Copilot licenses get a more integrated and powerful experience. For licensed users, Copilot can automatically access tenant Graph grounding, which means it can use your organization’s Microsoft 365 data to provide smarter, more relevant responses—with no extra setup or pay-as-you-go charges.
For example, a user with a Microsoft 365 Copilot license can ask: “Summarize our current Q4 marketing plan based on SharePoint documents and Teams meeting notes.” In this case, Copilot automatically retrieves and synthesizes information from authorized tenant sources such as SharePoint, Teams, or OneDrive, adhering to the organization’s access controls and security boundaries.
Because tenant Graph grounding is included as part of the Microsoft 365 Copilot license, organizations don't incur separate pay-as-you-go charges for using Work data. This feature makes the full Copilot plan ideal for enterprises that want consistent, organization-wide grounding across Microsoft 365 apps and custom agents.
Note
Keep in mind that a company can assign Microsoft 365 Copilot licenses to some users while also using the pay-as-you-go model for other users. For example, a company might assign Microsoft 365 Copilot licenses to its core users who need full access to Copilot features. At the same time, the company might apply its pay-as-you-go billing plan to other users who don’t have a Microsoft 365 Copilot license, but who still need to use certain Copilot features, such tenant Graph grounding in Copilot Chat or Copilot Studio agents. The company would get charged for these users based on their grounding usage, measured in Copilot Credits.
Agents in SharePoint
The ability for a user to create and use agents on a SharePoint site depends on whether the user is a site member or a site visitor.
Site members. Site members can create and use agents on a SharePoint site if they're assigned Edit permission or higher for the site. This requirement enables them to develop their own agents that extend the functionality of the site. It also allows them to create, edit, and delete documents, lists, and libraries within the site. They can also participate in discussions, create and modify pages, and perform various other activities based on the permissions granted to them.
Site visitors. These users generally have Read-only permission for a site. This permission level means they can view content, but they can't create, edit, or delete any content on the site. Site visitors with Read-only permission can use agents that are shared with them, but they can't create or edit these agents. The SharePoint agent approval process allows other site members or visitors to access approved agents. The person who creates an agent can use it without approval, but approval is required to make the agent available for other site users.
Important
While site membership determines basic access to SharePoint content, creating Copilot agents also requires an assigned Microsoft 365 Copilot license. Without this license, neither internal or external users can create agents, even if they have Edit permissions.
External users and SharePoint agents
An external user is an individual who isn't part of an organization but is granted access to one or more of the company's SharePoint sites. Since they can access selected SharePoint sites, let's examine whether they can also create and use agents for those sites.
To begin with, let's examine who external users are. External users can include vendors, partners, clients, or customers. They typically authenticate using their own credentials from another organization or a personal Microsoft account. External users can collaborate on documents and content stored in SharePoint Online, and their access is managed through the SharePoint's external sharing feature.
You can identify an external user by their email address, which isn't part of your organization's domain. External users can be granted various levels of access, similar to internal employees. External users can be given permissions ranging from Read-only to Full Control, depending on what the site owner or admin decides.
An external user can be granted different levels of access to a SharePoint site. A site owner or admin can also assign them as a site member. To assign an external user as a site member, the site owner or admin can add the external user's email address to the site's members group. This process is similar to adding internal users as site members.
If an external user isn't explicitly assigned as a site member, they typically default to being considered a site visitor with "Read" permissions, similar to internal employees.
Important
External users are treated as either site members or site visitors, so the rules for agent access outlined earlier still apply. However, by default, external users can't create agents unless they're added to the tenant and assigned a Copilot license. Simply being added to the site as a member isn't sufficient.
Some organizations also treat selected external users as internal employees. They do so by assigning one of the company's Microsoft 365 licenses and Microsoft 365 Copilot licenses to these external users. While this situation isn't a common practice, it does happen in specific scenarios where external collaborators or partners must have the same capabilities as internal employees to contribute effectively to a project.
Here are a few examples where organizations must explicitly provision external users with Microsoft 365 and Microsoft 365 Copilot licenses:
External consultants. Companies often hire external consultants or contractors to work closely with internal teams on specific projects. In these situations, a company might assign Copilot licenses to these external workers so they can create and use agents in SharePoint. Doing so ensures they have the necessary tools to collaborate and contribute effectively.
Joint ventures. In cases where two or more companies are working together on a joint venture, they might assign Copilot licenses to key personnel from each organization. Doing so allows all parties to have equal access to the tools and capabilities needed for the project.
Long-term partnerships. For long-term partnerships where external partners are deeply integrated into the company's workflows, assigning Copilot licenses can help streamline collaboration. It can also ensure that external partners can fully participate in the creation and use of agents.
Special projects. For special projects that require extensive collaboration with external stakeholders, companies might assign Copilot licenses to ensure that all participants have the necessary capabilities to contribute effectively.
These scenarios highlight the flexibility of the Copilot licensing model, which allows organizations to extend the capabilities of their internal tools and SharePoint agents to external collaborators when needed.