Microsoft provides greater control over data and agents
Agents will play a crucial role in information work, and their number is expected to reach 1.3 billion by 2028. Among other things, they will work with data in Microsoft 365.
Agents will collaborate with each other and with us as clients, using the data available within the Microsoft Cloud (365, Fabric). Given the expected scale, this requires robust (automated) control of both agents and the data itself in order to maintain oversight and minimize risks throughout the entire lifecycle of both.
In this post, you will find some of the important innovations I saw at Ignite that I think are important for organizations that want more control over data and the agents that work with it.
Unified DSPM
The revamped Data Security Posture Management (DSPM) experience in Microsoft Purview brings together various data security and governance components in one central location. The goal is to unify visibility, control, and active remediation of data risks, especially in an era of AI-based agents and autonomous workflows.
Key capabilities:
- Outcome-based workflows: First, you select a data security objective (e.g., “prevent sensitive data exfiltration to high-risk destinations”), after which DSPM displays a risk profile, relevant metrics, and a recommended action plan, including the expected impact.
- AI Observability for agents: DSPM now includes an inventory of AI or automation agents (both internal and external), assigns risk levels to those agents, and displays agent posture metrics. This provides visibility into agent behavior, linked to data access and usage.
- Comprehensive coverage & remediation: Item-level analysis of overshared content (e.g., in SharePoint) plus bulk remediation of overshared links. SharePoint Advanced Management also provides insight into this, but with DSPM in Purview, you can also take immediate action in the event of oversharing.
- Reports and monitoring: Configured reports (including use of confidentiality labels, effectiveness of auto-labeling, drift in label assignment) provide insight into how security and governance measures are developing.
- Security of agents and autonomous workflows: DLP (Data Loss Prevention), Information Protection, and Insider Risk Management are being extended to agent identities (e.g., via Entra Agent ID), so that both human users and agents are subject to consistent governance. Personally, I think this is one of the more exciting developments. An agent is assigned an identity in Entra ID just like a user, and can therefore be subject to the same policies and rights.
For whom and why
The new unified DSPM is interesting for organizations that manage a rapidly growing data environment, use AI agents, automation, or advanced analytics, and therefore face new data risks (such as oversharing, uncontrolled access, agent chains) and/or need a single, centralized view of their data risks (instead of separate tools).
The platform helps prioritize risks, understand which data is vulnerable, who has access to it, how it is used, and what actions you can take — in line with the AI & Agentic reality of tomorrow.
What this means in practice
- Security and compliance teams get a unified dashboard for data risks, ranging from data at rest and data in transit to users/agents;
- Automation of risk remediation: for example, automatically detecting overshared links in SharePoint and taking bulk action;
- Agents are assigned identities, risk scores, and policies—they are no longer a blind spot in your security.
- Expansion of policy enforcement: policy rules (such as DLP) now also apply to agent behavior and not just to human interactions;
- Broader view of the entire data environment: non-Microsoft platforms, hybrid cloud environments, and SaaS solutions are also included.
A nice final point here: DSPM looks at both active and “stale” (outdated) data, with the latter currently going back up to a year. However, this will become configurable, so that an organization can determine and set for itself what constitutes outdated data when using DSPM.
SharePoint Advanced Management
For those who are not yet familiar with it: SharePoint Advanced Management (SAM) is the governance framework for SharePoint Online and OneDrive for Business within Microsoft 365, which helps you prevent content sprawl, manage the lifecycle of sites and content, and control access and permissions more tightly.
Virtually all SAM functionality is available to organizations that have at least one Microsoft 365 Copilot license. Only Restricted Site Creation is excluded.
Starting with Ignite 2025, several new features have been announced that enhance SAM in the context of AI, agent management, and lifecycle governance.
The most important innovations:
- Content Management Assessment: A new start experience in the SharePoint Admin Center that allows administrators to quickly perform a baseline measurement: what is the current state of your SharePoint environment, which sites stand out, and where action is needed. Incidentally, this functionality was already being rolled out in Microsoft 365 tenants just before Ignite. This assessment provides insights and recommendations (via AI insights) based on reporting data.
- AI Insights for Governance: SAM allows you to run reports and then have AI Insights analyze them for patterns (e.g., many ownerless sites, active but uncontrolled sites) and receive recommendations. The same applies to Storage Management (e.g., what the trend in storage usage is and how long it will take before the available storage is full).
- Agent & AI integration in SharePoint Governance: SAM now provides visibility into agents working in SharePoint (such as “SharePoint Admin Agent”) — this includes monitoring inactive sites, permission sprawl, and automatic actions such as archiving.
- Site Catalog: This will soon make it possible to categorize sites and OneDrives based on site metadata (property bag), PDL (Preferred Data Location), or user properties. This categorization can be used to target very specific inactive site policies to certain groups of sites. Once these are set up, sites with no activity can be set to read-only after x months, unless the site owners confirm that they want to keep them. If they don't, the site will be archived as read-only in Microsoft 365 Archive after x months.
- Enhanced access and rights control: Further options within SAM to restrict sites or OneDrives—for example, restrictions on content discovery, restrictions on site creation, restrictions on OneDrive access per group—all aimed at reducing risks.
For whom and why
These innovations are particularly interesting for organizations that want to gain more control over their data. Consider the following scenarios:
- Have a rapidly growing SharePoint/OneDrive environment and struggle with managing data and work locations (old, ownerless, or inactive sites);
- Want to use AI & agent functionality within SharePoint (e.g., Copilot, agents) and therefore face new governance risks;
- Want to strengthen governance and compliance with minimal overhead: SAM helps automate, visualize, and report;
- Want to ensure that SharePoint/OneDrive remains a reliable basis for collaboration, knowledge sharing, and AI workflows.
What this means in practice
- Administrators get a dashboard-like experience (assessment) to quickly see where sites deviate from policy;
- AI helps identify risks such as ownerless sites, excessive permissions, inactive content — and provides concrete action points.
- Site owners are actively involved through checks, so that sites are regularly validated for relevance;
- Access to sensitive content or its discovery can be restricted, strengthening the compliance position;
- Integration with Copilot means that governance + AI come together: a well-managed SharePoint environment is a better basis for AI agents and knowledge work.
One last interesting development that I picked up from a conversation with one of the speakers. Microsoft is also working on gaining insight into duplicate files stored in different locations. This can be particularly powerful when organizations want to achieve clarity about where specific data is stored. She told me that this is still in its infancy. As soon as more is known, I will of course let you know.
Microsoft Agent 365
Microsoft Agent 365 is the central management panel for AI agents in the Microsoft 365 Copilot ecosystem and beyond. It introduces capabilities that enable organizations to register, manage, secure, and deploy agents (both Microsoft and third-party) in business workflows.
Key capabilities:
- Register: All agents within the organization are centrally inventoried—both self-created agents and “shadow” agents or third-party agents.
- Access and security management (Access Control / Security): Agents are assigned identities with access rights. Through policies (such as those for users), you can give agents access only to the resources they need, and risks such as agent compromise are actively mitigated.
- Visualization and monitoring: Real-time dashboards show the connections between agents, people, and data, including behavior, performance, and impact on the organization.
- Interoperability and workflow integration: Agents can be linked to apps, data sources, and workflows (such as via Work IQ, Microsoft 365 apps) so that they actually work in business processes.
- Security & Governance: Integration with existing security, identity, and compliance tools (such as Microsoft Purview, Microsoft Entra, Microsoft Defender) to protect agents and their data.
For whom and why
Microsoft Agent 365 is particularly important for organizations that:
- Use AI agents in their workflows (automation, process agents, integration with apps) and want to manage this at the enterprise level;
- Want to treat agents and users equally in terms of identity, access management, and risk control;
- Want to embed the governance, compliance, and security of agents in their existing infrastructure (rather than separate point tools);
- Want to scale up to many agents and want to prevent management from getting out of hand (so-called “agent sprawl”).
What this means in practice
- IT and security teams get a dashboard for all agents—visibility into who is active, what they can do, and what their impact is;
- Agents are no longer unsupervised tools: they get controlled access, logging, and monitoring.
- Integration with existing MFA/identity/policy tooling means that agents are subject to the same controls as users;
- Workflow creators can build and deploy agents (via Copilot Studio, for example), but with governance from day one, so that innovation and control go hand in hand.
- Workflow integration means that agents can work together with people, apps, and data: practical automation, not just experimentation.
What now?
To be honest, I can't wait to get started with customers and use this new functionality to gain control over data.
Would you like to know more about the innovations Microsoft is rolling out to give you more control over your data? Then please contact me. I look forward to talking to you.