Skip to main content

Microsoft Scout Deployment

Get your Microsoft 365 estate ready for Scout before access reaches your tenant.

Microsoft Scout is in the Microsoft 365 Frontier early-access programme. It books meetings, surfaces blockers, and prepares meeting materials across Teams, Outlook, SharePoint, and OneDrive without being prompted. When it opens to your tenant, switching it on takes minutes. The work that takes longer sits underneath: which data sources the agent identity reaches, how Purview DLP policies govern its actions, and what the audit trail shows your auditors. We set that foundation up now. You are ready the day Scout opens, and the same governance lets you adopt the frontier agents that follow it without starting over.

Fixed fee
€15,000
Duration
4 weeks
Format
Remote-first

At a glance

Fixed fee
€15,000
Duration
4 weeks
Format
Remote-first
Markets served
DACH and Benelux

Who it's for

  • Your organisation is on Microsoft 365 Frontier or applying for it, and you want the identity and governance groundwork done before Scout reaches your tenant, not assembled the week it does.
  • A GDPR review or a cyber-insurance renewal is on the calendar, and you want an autonomous agent with access to Outlook, Teams, and SharePoint documented as a processing activity before it ever goes live, not after.
  • Scout is approved in principle, and the question is how to scope the Purview controls, design the staged rollout, and produce the EU AI Act Article 50 transparency notices now, so the day access opens you are configuring, not deciding.
  • Your security team has already said no to autonomous agents once, and you need a documented control model to bring back to them before asking again.
  • You are choosing between piloting Scout narrowly in one department first or preparing the whole tenant at once, and want the governance work to support either path.

Scope and format

Four weeks, remote-first, with one optional on-site working session. The engagement runs in three phases. In the first, we check your M365 Frontier enrollment status, Intune policy configuration, GitHub Copilot license, and Purview DLP posture, and design the Entra identity model for Scout: what data sources the agent's identity gets, which mailboxes and document libraries are in scope, and what is explicitly excluded. In the second, we map the use cases and access model: which teams and workflows benefit from Scout's scheduling, meeting-prep, and blocker-detection capabilities, with the ROI read per use case and the access scoped per department. In the third, we set up the governance and the deployment-ready configuration: the Purview DLP policies scoped to Scout's identity, the monitoring design in Microsoft Purview Audit, the GDPR Article 30 record of processing activities, and the EU AI Act Article 50 transparency notices. If your tenant already has Scout access, we deploy it to a pilot group inside this phase and validate the controls live. If access has not opened yet, you receive a deployment-ready package and runbook, so the day it opens the rollout is a configuration step, not a design project. Senior practitioners do the work. You give us access to the tenant, the people who own the workflows, and your security team as a checkpoint at each phase boundary.

What you get

M365 readiness report

What prerequisites are in place and what needs fixing before Scout can run. Frontier enrollment status, Intune policy configuration, GitHub Copilot license, and Purview DLP posture assessed explicitly against Microsoft's published Frontier onboarding requirements, not a generic checklist.

Entra identity and Purview design

The Scout agent identity scoped to the agreed data sources, with Purview DLP policies designed and, where your tenant already has access, applied and tested before any wider rollout.

Use-case and access map

Which teams run Scout, what the agent can and cannot access per department, and the ROI read per use case. Written for your security team to review.

Governance documentation

GDPR Article 30 Record of Processing Activities entry, EU AI Act Article 50 transparency notices for users, and audit trail design in Microsoft Purview Audit. The same baseline governs the frontier agents that follow Scout, so each new capability inherits it instead of restarting the review.

Deployment-ready configuration and runbook

Scout's identity scope, Purview controls, and monitoring packaged so the rollout is execution, not design. Where your tenant already has access, this includes a staged pilot with monitoring live.

Incident response runbook

The steps your security team takes if Scout's Entra identity is compromised or the agent behaves unexpectedly. Written before go-live.

Pricing

A fixed fee of €15,000. The scope above is the scope, agreed before we start, and covers all three phases.

If you ran a Cloud Security & Identity Review or a Microsoft Landscape Assessment with us in the last eight weeks, that fee comes off this engagement.

Where your data sits

We work in your tenant with least-privilege access scoped to each phase. Scout's Entra identity model and the Purview policies we design stay in your tenant and your Azure region. Where data residency is an obligation, we configure Scout to process within the Germany West Central Azure region. We sign your data processing agreement before the first access and produce the GDPR processing record as a deliverable.

Governance & compliance

  • Scout's Entra identity scoped to the agreed data sources before the agent runs.
  • Purview DLP policies designed, and tested in a pilot where access is open, before any wider rollout.
  • GDPR Article 30 record of processing activities produced as a deliverable, before go-live.
  • EU AI Act Article 50 transparency notices written for employees who will interact with Scout.
  • Audit trail in Microsoft Purview Audit configured and ready before the pilot group goes live.
  • A governance baseline the frontier agents following Scout inherit, so each new capability does not restart the review.

Includes EU AI Act positioning and how we classify AI systems.

Read our governance approach

Common questions

Is Scout available to our tenant yet?

Scout is in Microsoft's 365 Frontier early-access programme, rolling out in stages. Some tenants have it, many do not yet. This engagement prepares your estate and governance so you are ready the day access reaches you. Where you already have access, it includes a staged pilot inside the four weeks.

Why prepare now if access has not opened to us?

Because the work that gates a safe rollout is governance, not the switch. Scoping the identity, designing the Purview controls, and producing the GDPR and EU AI Act documentation takes weeks of review with your security team. Doing it now means the day access opens you deploy in days. The same foundation governs the frontier agents that follow Scout, so the review is done once, not per agent.

What does our organisation need before it can run Scout?

At minimum: Microsoft 365 Frontier enrollment, Intune policy configured to Scout's device-management requirements, and a GitHub Copilot license. If any of these are missing or misconfigured, the first phase identifies exactly what needs to change. We do not assume readiness.

Is Scout classed as an AI system under the EU AI Act?

An autonomous agent that acts on behalf of individual employees, accesses their calendar, email, and files, and makes scheduling decisions sits at minimum under the transparency obligations in Article 50 of the Act. Users who interact with Scout need to be informed they are interacting with an AI system acting for them. The governance documentation we produce covers this explicitly.

What data does Scout's Entra identity access?

Scout's identity can access Teams, Outlook, OneDrive, and SharePoint by default. The engagement designs an explicit scope for what the agent's identity is permitted to reach, which Purview sensitivity labels and DLP policies apply, and what is blocked. Nothing is left at the default.

Do you stay on after the engagement?

The engagement ends with a runbook and a handover session. If you want us to run the rollout when access opens, extend it across the organisation, or manage the monitoring, that is a separate engagement.

Who actually does the tenant work, and is any of it subcontracted?

The same senior practitioners who scope the engagement do the identity and Purview design themselves, inside your tenant. Nothing is subcontracted or handed to an offshore delivery team. The credentials behind that work include AZ-500 for identity and security architecture and IAPP AI Governance Professional for the EU AI Act documentation.

Do you handle the Microsoft 365 Frontier and GitHub Copilot licensing, or only the configuration?

We check what license and enrollment status you already have and tell you exactly what's missing in the readiness report. We don't procure licenses or negotiate the commercial terms with Microsoft; that stays with your Microsoft account team or reseller. Once the licenses are in place, we configure the identity, Purview, and governance work around them.

How does this fit with our wider EU AI Act compliance programme?

This engagement produces the Article 50 transparency notices and processing record for Scout specifically, scoped to this one agent. If you're classifying AI systems and building governance across more than Scout, that risk-classification model sits at /governance; the records we produce here are written to plug into it rather than stand apart from it.

What if our security team has already rejected an autonomous agent proposal before?

That is a common starting point, and usually the rejection was correct given what was on the table: no identity scoping, no DLP design, no audit trail. This engagement produces exactly what a security team needs to say yes: the identity boundary, the Purview controls, and the incident response runbook, before you ask again.

Can we pilot Scout in one department only, rather than tenant-wide?

Yes, and a single-department pilot is usually the right first step. The use-case and access map scopes Scout per department from the start, so a narrow pilot and a later tenant-wide rollout use the same governance model rather than two different reviews.

What happens to Scout's identity if an employee leaves or changes role?

Scout's access follows the same joiner-mover-leaver process as any other identity in Entra ID. The engagement documents how deprovisioning and role changes propagate to the agent's effective access, so it is not a manual step someone has to remember.

Does this engagement cover other Microsoft 365 Copilot agents, or only Scout?

The identity, Purview, and governance model we build is specific to Scout, but it is designed as the template the next Frontier agent inherits rather than a one-off. Extending it to a second agent is a smaller, scoped follow-on, not a repeat of this engagement.

Request the Scout readiness engagement