2026 Update: Unlock the Power of Agents inside SharePoint and OneDrive

The session showed you Mark Kashman building interactive AI agents across the Microsoft 365 ecosystem. Here's how you'd build that same thing today.

As of April 2026, the landscape of Microsoft 365 Copilot extensibility has matured from the experimental capabilities demonstrated in May 2025 into a deeply integrated, enterprise-grade control plane. The foundational concepts demonstrated previously remain conceptually accurate, but the user interfaces, underlying grounding mechanics, and governance frameworks have been entirely overhauled. The introduction of the March 2026 SharePoint visual refresh, the new Work IQ semantic grounding pipeline, and the impending May 2026 launch of Microsoft Agent 365 have standardized how localized AI is constructed and governed. This report provides an exhaustive, step-by-step reconstruction of those original demonstrations using current production toolsets and administrative boundaries.

1. What's Changed Since This Session

2. How to Build This Today

The original session showcased a rapid transition from basic content repositories to interactive, AI-driven knowledge bases. Today, the Microsoft platform handles this by embedding the Agent Builder directly into the flow of work, eliminating the need to pivot to external developer environments for standard knowledge-retrieval scenarios 6].

The following sections reconstruct the three primary demonstrations from the original session, mapped exactly to the Microsoft 365 interfaces and architectural standards active in April 2026.

Demo 1: The 'Ask Iz' SharePoint Agent

The Original Build: The demonstration featured the creation of a lightweight agent named 'Ask Iz' on the internal "Intro Zone" podcast SharePoint site. The agent was grounded exclusively on the site's pages and libraries, configured with specific instructions, and published for site visitors. Security boundaries strictly respected the site's existing permissions.

Building 'Ask Iz' Today (April 2026):

The architectural foundation of SharePoint shifted dramatically in March 2026 with a massive visual refresh. The entire interface is now oriented around three core scenarios: Discover, Publish, and Build 3]. Building a custom agent no longer requires navigating away from the site context. Furthermore, every modern SharePoint site now comes with a ready-made agent out of the box, which automatically searches all site content that the user has permission to view. However, to recreate the highly tailored 'Ask Iz' experience, a Custom-built agent must be explicitly generated.

Step 1: Define the Agent's Purpose and Scope Before interacting with the software, the exact scope must be determined by the site administrator or developer. In the original demo, the agent was grounded on specific podcast assets. Today, relying on broad site-level permissions is widely considered a severe security vulnerability. If a document library contains an outdated "Everyone except external users" permission grant, a broadly scoped agent will instantly surface that sensitive data to unauthorized viewers. The scope must be meticulously restricted to specific, curated document libraries or folders. A best practice involves creating a dedicated document library serving strictly as the agent's knowledge base.

Step 2: Access the Agent Builder in SharePoint

Navigate directly to the target SharePoint site (e.g., the 'Intro Zone' site). Under the new March 2026 user experience, utilize the new app bar navigation elements.

• Select the Build panel from the new front-door interface located on the left-hand navigation rail.
• Alternatively, navigate to the classic Site settings gear icon, select the new Copilot agents option, and click Create agent(https://sharepointsupport.com/blog/sharepoint-copilot-agents-enterprise-guide-2026)].
• This action seamlessly launches the integrated Microsoft 365 Copilot Agent Builder as a persistent right-hand pane directly within the browser window.

Step 3: Configure via Natural Language The Agent Builder initially defaults to a conversational interface. This is the fastest, most frictionless method to establish the baseline configuration and bypass manual entry.

• In the chat interface pane, type the core intent: "Create an agent named Ask Iz that answers questions about the Intro Zone podcast using a friendly, broadcasting tone."
• The Agent Builder engine automatically intercepts this intent and populates the agent's internal Name, Description, and Instructions fields based on this plain-language prompt.
• Command the builder to restrict its knowledge base dynamically: "Only use information from the 'Season 3 Transcripts' folder and the 'Guest Biographies' library." The builder will automatically query the site hierarchy and attach these specific SharePoint artifacts as explicit knowledge sources.

Step 4: Refine the Configuration Manually For precise architectural control matching the original demonstration, it is necessary to bypass the conversational interface by selecting the Configure tab located at the top of the builder pane.

• Name: Ensure the name is exactly "Ask Iz" (the system enforces a strict maximum of 30 characters).
• Icon: The system permits using AI to generate a custom icon, choosing from a default library, or uploading a standard PNG file (limit 1MB, 192x192 resolution).
• Description: Write a highly precise summary (maximum 1,000 characters). The underlying Large Language Model (LLM) orchestration engine reads this exact description to determine when to route a user's organic Copilot chat query to this specific agent.
• Instructions: This is the most critical programmatic component. Input detailed behavioral directives (permitting up to 8,000 characters). Define authorized topics, dictate required tones, and explicitly instruct the agent to utilize source citations. It is highly recommended to add a strict fallback instruction: "If the exact answer is not found in the podcast transcripts, state clearly that the information is unavailable and do not speculate.".15
• Knowledge: Verify the correct SharePoint libraries are attached. The system permits a maximum of 20 distinct foundational sources. Never link the entire site root URL unless absolutely necessary and fully audited.
• Capabilities: For a text-based podcast assistant, ensure the Code interpreter and Image generator toggles remain in the off position to reduce processing latency and prevent unnecessary token consumption.

Quick Win: Leverage Copilot Tuning Templates

If the host organization holds more than 5,000 Microsoft 365 Copilot licenses, practitioners should utilize the newly released (April 2026) Copilot Tuning templates within the Agent Builder. These templates allow developers to bypass manual instruction writing by applying pre-approved organizational standards, governance policies, and proprietary data models directly to the new agent. This drastically reduces configuration time and ensures compliance 16].

Step 5: Test and Publish the Agent

Before deploying 'Ask Iz' to the wider podcast audience, it must be thoroughly validated in a safe environment.

• Navigate to the Try it tab located within the builder interface. This sandbox instance becomes active immediately after the Name and Instructions fields contain data.
• Query the agent with expected standard questions ("Who was the guest on episode 4?") alongside adversarial probing questions ("What is the host's exact salary?") to ensure the grounding boundaries hold firm and sensitive data is not leaked.
• Once validated against the test matrix, click Save. The agent is now formalized as a tangible asset. To make it widely available, the Site Owner must formally approve it (detailed in Demo 3 below).

The resulting backend architecture is entirely different from the 2025 iteration. Today, data retrieval is processed strictly through the Microsoft Graph Semantic Index via the newly deployed Work IQ pipeline. This means the agent inherently respects the exact item-level permissions of whoever is currently asking the question. If a standard user asks 'Ask Iz' a question, and the answer resides in a transcript document they do not hold explicit read access to, the agent will behave as if that document does not exist, guaranteeing zero data leakage.

Demo 2: The Personal OneDrive Agent

The Original Build: The session demonstrated building a distinct agent inside OneDrive. Unlike the SharePoint site-bound agent, this entity was bound exclusively to specific personal documents and private libraries, allowing the creator to query their own personal content securely without exposing it to wider site members.

Building a OneDrive Agent Today (April 2026):

The ability to seamlessly bundle multiple personal files into a single, queryable AI entity is now generally available natively within the OneDrive web interface. This eliminates the tedious process of querying files one at a time. The fundamental output of this entire process is an independent .agent file stored directly alongside standard documents within the user's personal storage 10, 19].

Step 1: Initiate Creation from Source Files

Access the OneDrive web platform using standard corporate credentials. To build an agent around a specific personal project (e.g., an agent dedicated to analyzing "Q3 Financial Reviews"):

• Navigate to the target folder containing the relevant documents.
• Select the specific files via the checkbox interface. The system enforces a strict hard limit of exactly 20 source files. Supported file formats are currently restricted to DOC, DOCX, PPT, PPTX, PDF, TXT, RTF, and MD.
• Locate the top horizontal toolbar and select the Create agent button. Alternatively, this identical option is available via the standard right-click context menu.
• Alternative Path: Click the + Create or upload button in the primary left-hand navigation, select Create an agent from the subsequent dropdown menu, and then manually attach the 20 files through the picker interface.

Step 2: Navigate the First Run Experience If this is the very first time an agent is being compiled by the user within the tenant, the system will aggressively intercept the workflow with a "First run experience" modal dialog. This guided overlay is prominently labeled "Build your own AI assistant." The user must either complete or explicitly dismiss this mandatory tutorial to proceed to the main builder interface.

Quick Win: The 20-File Sweet Spot Do not attempt to indiscriminately attach an entire root OneDrive folder to an agent. If a selected folder contains more than 20 distinct files, the creation process will abruptly fail or silently truncate the source list. Instead, curate a highly specific, flat list of high-value documents (such as final meeting notes and strategic briefs) to maximize the precision and accuracy of the LLM's generated responses.

Step 3: Configure and Save the .agent File

The internal OneDrive builder interface is a slightly streamlined version of the SharePoint builder, optimized for rapid personal deployment.

• Provide a highly specific, easily identifiable name for the assistant (e.g., "Q3 Finance Copilot").
• Modify the internal behavioral instructions to dictate precisely how it should read the attached personal files (e.g., "Always summarize numerical financial data in bullet points and explicitly highlight any mathematical discrepancies across the attached Q3 reports").
• Select the Save or Save as command.
• The platform backend generates a distinct file bearing an .agent extension. By default, this file is securely saved directly in the identical folder where the creation process was initially initiated. However, if the creation was triggered from a dynamic "Shared" or "Favorites" view, the system automatically routes the file to the dedicated My Files > Documents > Agents directory.

Step 4: Interact with the Personal Agent

To utilize the newly minted personal assistant, simply locate the .agent file within the OneDrive directory structure and click to execute it.

• The file does not open in a traditional document editing interface; instead, it launches a dedicated full-screen, interactive chat viewer.
• Submit complex, multi-file queries into the chat interface, such as "What exact decisions were finalized in the last three meeting notes regarding the marketing budget?".10
• The agent will cross-reference the 20 bounded documents simultaneously and generate a synthesized response featuring explicit source citations mapped back to the original documents.

To modify the personal agent at a later date, simply click the ... (More actions) menu next to the .agent file in the directory list and select Edit, which instantly reopens the configuration pane.

Demo 3: Custom Agents, Management, and Troubleshooting

The Original Build: The final segment of the 2025 session focused heavily on the operational realities of AI integration: managing custom agents at scale, publishing them securely, locating the underlying definition files, sharing them with colleagues without breaking permissions, and troubleshooting complex grounding boundaries.

Managing and Troubleshooting Today (April 2026):

Governance and lifecycle management have witnessed the most drastic evolution across the entire Microsoft 365 stack. The platform now treats AI agents as first-class, highly governable identities, rather than abstract background processes. Managing them securely requires a firm grasp of SharePoint permission levels, the physical location of .agent files, and the new tenant-wide administrative controls rolling out ahead of the massive May 2026 Agent 365 launch 5].

Step 1: Locating and Monitoring .agent Files Agents are no longer abstracted background services floating in the ether; they are tangible files strictly governed by standard SharePoint document lifecycle rules and retention policies.

• Finding Files: In modern SharePoint, custom agents are physically stored as .agent files directly within the specific document library where they were instantiated.
• Monitoring Usage: Site administrators no longer need to rely on external, disconnected dashboards to track agent popularity or token consumption. Simply navigate to the site's native Site usage reports to view comprehensive interaction statistics, or alternatively, select an individual .agent file and open the Details pane to view its localized, file-specific interaction statistics.

Step 2: Approving and Setting Site Defaults By default, any standard site member can easily create an agent, but it remains strictly visible only to them or those they explicitly share the file link with. To elevate a custom agent (like the 'Ask Iz' example) for general availability to all site visitors, the designated Site Owner must actively intervene.

• Open the SharePoint site's main agent picker interface from the app bar.
• Locate the target custom agent, click the ellipsis (...) next to its name, and explicitly select the Set as approved command.
• Confirm the action when prompted. The .agent file is immediately and automatically relocated to a highly visible central repository located at: Site Assets > Copilots > Approved. It is now permanently available in the picker interface for all general site visitors.
• To make this specific custom agent the primary, default interface for the entire site—effectively overriding the generic, built-in "ready-made agent"—click the ellipsis again and select Assign as site default. The custom agent will now be the very first conversational experience loaded when any visitor opens the site's chat pane.

Step 3: Sharing and Tenant Governance Sharing an agent is functionally identical to sharing a standard Microsoft Word document. The user selects the .agent file and clicks Share. However, there is a critical, uncompromising architectural caveat that practitioners must understand: The recipient must hold independent access rights to the underlying source files. If a user is granted access to the 'Ask Iz' .agent file via a sharing link, but they fundamentally lack read permissions for the internal podcast transcript document library, the agent will return blank responses or state it cannot find the requested information. The agent serves purely as an analytical lens; it does not, under any circumstances, bypass native file permissions or elevate privileges.

At the highest organizational level, Tenant Admins now wield absolute, granular control over agent sharing behaviors. Within the Microsoft 365 admin center, under the dedicated Copilot Control System, administrators dictate overarching sharing policies:

• All users (default): Permits the open sharing of .agent files across the organization.
• Specific users or groups: Restricts sharing capabilities solely to authorized power users or security groups.
• No users: Executes a complete, instantaneous disablement of org-wide agent sharing.

Furthermore, administrators can utilize the detailed Copilot license management page to toggle the specific 'Microsoft 365 Copilot for SharePoint' service plan on or off on a strict per-user basis. This action instantly revokes the user's ability to interact with any SharePoint agent, without necessitating complex alterations to the underlying document permissions.

Step 4: Advanced Troubleshooting When an agent fails to retrieve documents, the root cause in 2026 is almost exclusively tied to the complexities of the Microsoft 365 Grounding (Work IQ) pipeline. The legacy direct-connection model utilized in 2025 is completely obsolete.

Quick Win: Check the Semantic Index First

If an agent responds with the generic message "Sorry, I wasn't able to respond", practitioners must immediately verify the indexing status. Because the modern agent relies entirely on the Microsoft Graph Semantic Index, recently uploaded documents may simply not be indexed yet. If the target document does not appear in standard SharePoint keyword search results, the AI agent is physically incapable of seeing it 4, 24].

If indexing is verifiably complete but the agent still fails to retrieve data, administrators must execute the following diagnostic protocol:

1. Verify Licensing Coverage: Ensure the specific user asking the question possesses a valid, active Microsoft 365 Copilot license. Unlicensed users absolutely cannot utilize custom agents unless the overarching organization has explicitly enabled the new pay-as-you-go billing model.
2. Verify Environment Status: Developers testing SharePoint grounding features within non-production sandbox environments must hold the specific Microsoft 365 Copilot Developer License. Standard commercial licenses will silently fail to authenticate the Graph connection in non-production tenants.
3. Verify Authentication Posture: Ensure the agent's internal connection settings strictly dictate User authentication. The usage of Service principals and app-only authentication methods are strictly and entirely unsupported for any SharePoint grounding scenarios, resulting in immediate connection refusals.

3. Licensing Quick Reference

The overarching licensing architecture governing Copilot and AI agents underwent a massive, systemic restructuring leading into 2026. While the core Agent Builder functionality is fully accessible with a standard Copilot license, deploying fully autonomous, multi-step workflows, or governing thousands of discrete agents at scale requires advancing up the complex license hierarchy.

The highly anticipated launch of Microsoft 365 E7 (The Frontier Suite) on May , 2026, introduces an entirely new tier specifically designed for the "agent-operated enterprise." This comprehensive suite aggressively bundles the foundational E5 security features, the Entra Suite, Microsoft 365 Copilot, and the highly anticipated Agent 365 control plane for centralized, tenant-wide governance 2, , 14].

The matrix below explicitly outlines the necessary licensing paths for various agent deployment strategies as of April 2026.

(Note: The newly announced Microsoft 365 E7 suite features significant promotional discounts ranging from 10-15% on annual terms starting May , 2026, specifically designed for eligible CSP direct bill partners and distributors 11]. Furthermore, organizations actively utilizing non-production developer environments must secure the highly specific Microsoft 365 Copilot Developer License to successfully authenticate Microsoft Graph grounding connections, as standard licenses will universally fail in these restricted environments.)