Skip to main content
Inflection Point
Editorial collage showing AI agent icons inside a Microsoft Copilot Chat panel, with halftone textures and bold red yellow and cyan accents on black
Microsoft 365 12 June 2026 12 min read Verified 12 June 2026

Microsoft Copilot Chat: 5 agents most UK SMEs aren't using, and the licensing and governance reality to fix first

I

Iain Godding

Owner / Founder / Managing Director

Pragmatic Works AI Academy ran a useful tour through five underused agents in Microsoft Copilot Chat: SharePoint List, SharePoint Admin, SharePoint Page, Microsoft 365 Admin and Microsoft Forms Surveys. Worth knowing. But the more useful question for a UK SME paying £28+ per user per month for Copilot is: do you actually have the licence tier that unlocks these agents, who is allowed to invoke them, and what shows up in your audit log when they do? This post is the implementer's view, with the governance, licensing and Cyber Essentials Plus implications the source video doesn't have room for.

The five agents, in 60 seconds

The Pragmatic Works video runs about 13 minutes and is worth a watch if you've never opened the agents pane in Copilot Chat. Quick summary so you don't have to:

  1. SharePoint List Agent. Tell it "build a software-requests tracking list with requester, department, software name, approval status and priority" and it spins up the list with the right column types, in the site you point it at.
  2. SharePoint Admin Agent. Site-level admin tasks via natural language. Permissions, sharing settings, lifecycle.
  3. SharePoint Page Agent. Generates SharePoint pages by description, useful for fast internal comms and intranet content.
  4. Microsoft 365 Admin Agent. Tenant-level admin tasks via prompt. Read-only by default in current rollouts but the write surface is expanding.
  5. Microsoft Forms Surveys Agent. Generates a Forms survey from a brief, including question types, branching and themes.

Honourable mentions in the video: Researcher, Analyst, Copilot Cowork. Useful, but they're closer to "Copilot with a different hat on" than purpose-built builders.

You can find the original here: Pragmatic Works AI Academy: My Top 5 Agents You HAVE To Try!. Credit to Amelia Roberts for surfacing them.

Now the bit your finance director and your IT manager actually need.

1. Licensing reality: not every Copilot licence unlocks every agent

The number one question we field after a video like this is "we have Copilot, why isn't this agent showing up?". The answer is usually one of three things.

Microsoft 365 Copilot is a paid add-on. You need it on top of an eligible base plan (Business Standard, Business Premium, or one of the Enterprise SKUs). Listed at £28 per user per month at time of writing, billed annually. The "free" Copilot Chat experience in Edge or copilot.com is a different product and does not include the agents above.

Most of the named agents require a Copilot licence on the user. SharePoint List and Page agents lean on the Microsoft Graph integration that ships with M365 Copilot, not on the SharePoint plan you already pay for. If a user without a Copilot licence opens Copilot Chat and looks for these agents, they will not appear.

The M365 Admin agent has a separate access bar. It needs both a Copilot licence and an eligible admin role (Global Admin, SharePoint Admin, or a custom role with the right permissions). Granting "give this person access to the M365 Admin Agent" is the same as granting an admin role, with all the audit and review implications that brings.

Where we see waste: SMEs who bought Copilot for the whole company because the demo looked good, then discovered six months later that only the marketing team and the MD use it. The agents in this video make the case stronger, but only if you actually deploy them, not just licence them.

2. Governance: the M365 Admin Agent is a governance hotspot

This is where most SMEs walk straight into a hole.

The SharePoint List, Page and Forms agents are relatively low-risk. The worst case is a poorly-structured list or a survey with a typo. Annoying, easy to roll back. Fine.

The M365 Admin Agent is a different beast. It sits on top of tenant-wide admin surfaces. Even in the current read-mostly preview, it can surface licence assignments, mailbox configurations, sharing settings, conditional access policies and security defaults. Once the write surface lands (and Microsoft has been clear it is coming), an admin with the agent enabled can invoke significant changes by typing English instead of clicking through admin centres.

If your finance director can ask the M365 Admin Agent to "give everyone in finance access to the leadership SharePoint site", they will. And the audit log will be the only thing that knows.

The fix is not "don't use the agent". The fix is to govern it like you govern any admin action.

  • Pin admin agent access to a small named list of users via Microsoft Entra ID role assignments.
  • Require Privileged Identity Management (PIM) just-in-time elevation for the role that includes M365 Admin Agent access. So invoking the agent requires an active approval window, not standing access.
  • Enable Conditional Access policies that block agent admin actions from unmanaged devices and from outside trusted countries.
  • Turn on Microsoft Purview audit logging for all Copilot interactions, and make sure your retention is set to your compliance requirement (90 days minimum for Cyber Essentials Plus, 1+ years for ISO 27001).
  • Review the audit log monthly. Not weekly, not "if there's an incident". Monthly. Put it in someone's calendar.

The same logic applies to the SharePoint Admin Agent, scaled down. Site collection admins are powerful enough that "the SharePoint Admin Agent can do whatever I can do" is not a comforting sentence.

3. Security: what the agents touch, what gets logged, and what your assessor will ask

Cyber Essentials Plus and ISO 27001 both have a view on agent-style automation that wasn't there in the previous certification cycle. The short version: any system that can read user content and act on the user's behalf is an in-scope system, and it needs the same access control, audit and incident-response coverage as the rest of your stack.

A short checklist before you turn any of these agents on for your team.

  • Identify what each agent reads. SharePoint List and Page agents read the SharePoint sites the invoking user has access to. The M365 Admin Agent reads the tenant. The Forms Survey Agent reads the prompts you give it (and, in some configurations, the responses to surveys, which can include sensitive data if you let respondents type free-text answers).
  • Confirm Data Loss Prevention (DLP) policies cover agent outputs. If your DLP catches "credit card number in an email", it should also catch "credit card number in a SharePoint list a Copilot agent just created". Many SMEs have DLP on email and Teams and not on SharePoint or OneDrive.
  • Check audit log coverage. Microsoft Purview Audit logs agent invocations under the `CopilotInteraction` event. Confirm it is enabled, confirm retention is set, confirm someone has a query saved that surfaces "admin actions invoked via agent".
  • Add agent invocation to your incident response playbook. When a credential is compromised, your playbook should already have "revoke all sessions and tokens for the user". Add "review the Copilot interaction log for the last 30 days for that user". Agents are the new login.
  • Confirm Conditional Access blocks agent use from risky contexts. Same rules you apply to any admin action. Unmanaged device, anonymous IP, atypical location, all should require step-up authentication or block entirely.

If your business handles regulated data (financial services, healthcare, professional services with PII obligations) and you are about to roll out Copilot agents, your compliance officer and your IT provider need to be in the same room. We have had several conversations where a marketing team enabled the SharePoint Page Agent for a fast-turnaround intranet refresh, and the auditor flagged it three months later. That conversation is much easier to have before the rollout than after.

4. What's missing from the list

The Pragmatic Works video stops at 5 agents plus 3 honourable mentions. Here are three the video doesn't mention that, in our experience, deliver more value to a typical UK SME than at least one of the named five.

Power Automate Copilot agent (still in preview at time of writing). Lets you describe a flow ("when a new finance request lands in this SharePoint list, route it to my line manager for approval, and notify me in Teams") and it builds the flow. This is the agent that turns Copilot from "fast text" into "fast process". Once it leaves preview, it will rank above several of the named five.

Word Copilot agent for long-form drafting. Yes, you can do this in Copilot Chat already. The dedicated agent is better at structured documents (contracts, policies, technical write-ups) because it understands document-level context, not just chat history. Many SMEs use Copilot Chat for everything because they don't know the dedicated agents exist.

Excel Copilot agent for analysis. Same logic. The chat experience does basic things. The Excel agent can run iterative analysis across a workbook with charts, named ranges and formulas. For finance teams and sales operations, this is the highest-ROI agent in the suite and almost nobody we work with is using it.

If you have to pick three to start with, our recommendation for a typical 20-100 user SME is: Excel Copilot, SharePoint List Agent, Power Automate (when generally available). The list is not always the same as the headline.

5. A 30-60-90 rollout playbook for SME owners

What we run with new managed-IT clients who are bringing Copilot agents into a business that already has the licences.

Days 0-30: audit, don't deploy.

  • Pull licence usage from the M365 Admin Centre. Who has Copilot? Who has used it in the last 14 days? Many SMEs are paying for 30 seats and have 8 active users.
  • Identify the 5 power users in the business. Not necessarily senior people. Often a marketing manager, a finance analyst, a project coordinator, an office manager and one technical lead.
  • Pilot one agent with the power users only. SharePoint List Agent is a safe first choice because the blast radius is contained.

Days 30-60: govern, then expand.

  • Deploy the governance bundle: DLP policies covering SharePoint and OneDrive, Conditional Access policies blocking admin agent access from unmanaged devices, Purview audit logging with retention configured, PIM for the admin agent.
  • Document a one-page "what each agent does and does not do" for the team. Most agent failures are expectation failures.
  • Expand the pilot to a department. Capture the use cases that worked and the ones that didn't.

Days 60-90: scale, train, measure.

  • Roll out to the wider business with role-based access. Marketing get Page and Forms. Finance get Excel and Power Automate (when GA). Operations get List and Cowork. IT get the admin agents under PIM.
  • Run a 45-minute team training. Not a Microsoft webinar. A 45-minute session showing your specific team how to use the specific agents you have deployed for the specific use cases you have identified.
  • Measure: hours saved per user per month. We aim for 4 hours minimum, which on a £28 licence is a hard yes. Lower than 4, something is wrong with the rollout, not the technology.

6. The honest answer on adoption

We manage IT for over 200 UK SMEs, mostly in professional services, financial services, healthcare and tech. Around 60% have Microsoft 365 Copilot licences on at least some users. In our experience, fewer than 1 in 5 of those businesses are using anything beyond the chat experience: the agents are sitting there, in the panel on the left, unused.

That is not a Microsoft problem. The licences are right. The agents work. The gap is in adoption: most SMEs don't have a structured rollout, the agents look intimidating in the panel, and nobody has explicitly given the team permission to use them.

That gap is closeable in a quarter, with the playbook above, by anyone competent. The reason it doesn't get closed is not technical. It's that "deploy Copilot agents" is below "fix the printer" on most internal IT teams' priority list, and external Copilot consultancies cost more than the licences they unlock.

This is exactly the work we do for clients. It is not the most exciting thing on our service catalogue but it is one of the highest-ROI conversations we have.

Bottom line

The five agents in the Pragmatic Works video are real, useful and underused. The reason most UK SMEs aren't using them is not that they need someone to make a video about them. The reason is that turning "we have Copilot licences" into "we use Copilot agents productively, safely, and within our compliance perimeter" needs three things at once: the right licence tier, a governance bundle that survives an ISO 27001 audit, and a 30-60-90 rollout the team actually follows.

If you have Copilot licences and you're getting less than 4 hours saved per user per month, you do not have a Copilot problem. You have a deployment problem.

About this article

Source video: Pragmatic Works AI Academy: "My Top 5 Agents You HAVE To Try!" by Amelia Roberts. Watched and synthesised on 2026-06-12.

Further reading:

About Inflection Point

Inflection Point is a UK managed-IT and cyber-security firm. 200+ active clients across the UK, 16+ years EOS-run, founder-led with 25 years industry experience. ISO 27001 certified, Cyber Essentials Plus, Microsoft Solutions Partner, rated 4.9/5 across 150+ Trustpilot reviews. We help UK SMEs deploy Microsoft 365 Copilot and the agents they actually need, with under-15-minute remote response and 1-hour on-site SLA. From £39 per user per month for managed IT.

If you have Copilot licences and want a structured rollout of the agents above (with the governance, DLP and audit-log work done properly), book a 30-minute discovery call. We'll tell you which 3 agents to deploy first, what to lock down before turn-on, and what we'd remove from your current licence bill.

Iain Godding is the founder of Inflection Point. He has 25 years of UK IT and cyber security industry experience.

Frequently Asked Questions

What Microsoft 365 licence do I need to use these Copilot agents?

You need a Microsoft 365 Copilot licence (currently around £28 per user per month, billed annually) on top of an eligible base plan: Business Standard, Business Premium, or one of the Enterprise SKUs. The free Copilot Chat experience in Edge or copilot.com is a separate product and does not include the SharePoint List, SharePoint Admin, SharePoint Page, M365 Admin or Forms Survey agents. The M365 Admin Agent additionally requires an eligible admin role in Microsoft Entra ID.

Are Copilot agents safe to enable for everyone in my business?

The SharePoint List, SharePoint Page and Microsoft Forms Surveys agents are relatively low-risk and can be enabled broadly with normal DLP and audit log coverage. The SharePoint Admin Agent and especially the Microsoft 365 Admin Agent are different: they should be pinned to a small named list of admin users via Privileged Identity Management with just-in-time elevation, blocked from unmanaged devices via Conditional Access, and have their invocations reviewed monthly via Microsoft Purview audit logs. Treat the M365 Admin Agent as you would any tenant-level admin access.

Which Copilot agents should a UK SME start with?

For a typical 20-100 user UK SME, we recommend starting with Excel Copilot (highest ROI for finance and operations analysis), SharePoint List Agent (low-risk, fast wins for tracking systems), and the Power Automate Copilot Agent (when it leaves preview) to start automating routine business processes. SharePoint Page and Forms Surveys come next. Hold off on the M365 Admin Agent until your governance, Conditional Access and audit logging are configured.

How long does a proper Microsoft Copilot agent rollout take?

A structured rollout to a typical UK SME takes 90 days. Days 0 to 30 are audit and pilot with five power users. Days 30 to 60 are deploying the governance bundle (DLP policies, Conditional Access, Purview audit logging, PIM for admin agents) and expanding the pilot to a department. Days 60 to 90 are wider rollout with role-based access, a 45-minute team training session, and measurement against a 4-hours-saved-per-user-per-month target. If you are getting less than 4 hours saved on a £28 monthly licence, the problem is the rollout, not the technology.

Sources

  1. Pragmatic Works AI Academy (YouTube). My Top 5 Agents You HAVE To Try! . (2026)
  2. Microsoft. Microsoft 365 Copilot plans and pricing . (2026)
  3. Microsoft Learn. Microsoft Purview Audit (Copilot Interaction events) . (2026)
  4. Microsoft Learn. Conditional Access policy templates for admin actions . (2026)
  5. NCSC. Cyber Essentials Plus requirements for cloud services . (2026)

Topics

Microsoft 365 CoPilot Cyber Security Artificial Intelligence

Share this article

Share on X Share on LinkedIn
IG

Written by

Iain Godding

Owner / Founder / Managing Director

Iain has over 25 years’ experience delivering large-scale technology programmes across public and private sectors. As our MD he brings this enterprise-grade IT expertise to SMEs in the South West in a way that’s accessible, scalable, and commercially valuable. A champion of innovation, he’s at the forefront of applying AI and automation to help clients streamline operations, improve decision-making, and unlock new value. Iain has built a culture that prioritises innovation, service excellence, and long-term client partnerships, helping businesses of all sizes achieve more with technology. Outside work, Iain advises growing businesses as a board member and non-executive director.

View all posts by Iain

You might also like

More articles in this category

View all articles
Get Expert Help

Ready to transform your IT?

Our team of experts is here to help you navigate technology decisions and find solutions that drive real business value.

Book a consultation Explore more articles