Microsoft announced Scout at Build 2026 on June 2 — and it represents a genuine shift in what enterprise AI means for IT admins. Where Copilot waits for you to ask it something, Scout runs continuously in the background, monitors your work environment, and takes actions on your behalf. Microsoft calls it their first "Autopilot agent". For IT teams, that means an entirely new governance and identity surface to manage.
Scout vs Copilot — What Actually Changes
The fundamental difference is the execution model. Copilot is reactive — you open it, ask a question, get an answer, and it stops. Scout is proactive — it has a schedule, a goal, and its own Entra identity, and it keeps working when you close your laptop.
| Dimension | Copilot | Scout (Autopilot Agent) |
|---|---|---|
| Execution model | Reactive — responds to prompts | Proactive — runs continuously on schedule |
| Identity | Runs as the signed-in user | Own Entra identity per agent |
| Works when device is off | No | Yes — cloud-hosted task execution |
| Can run shell commands | No | Yes — PowerShell, git, curl, code |
| Browser control | Limited | Full browser task execution |
| Purview DLP respected | Yes | Yes — sensitivity labels enforced |
| Required licence | M365 Copilot add-on | M365 E5 + GitHub Copilot Business/Enterprise |
| Audit trail | Copilot interaction logs | Full Entra sign-in + M365 unified audit log |
How Scout Works — The OpenClaw Engine
Scout runs on OpenClaw, the open-source autonomous agent framework that accumulated 180,000 GitHub stars within three months of its January 2026 launch. OpenClaw enables desktop UI automation — Scout can interact with any Windows application, including legacy systems that expose no modern API, by operating through the UI layer as a human would.
Early integrations demonstrated at Build 2026 included SAP, ServiceNow, and mainframe terminal emulators — systems that have no REST API, controllable purely through UI automation.
Scout connects natively to Teams, Outlook, OneDrive, and SharePoint, and can also access local files, run shell commands (PowerShell, git, curl), control the browser, and execute code or Automations and Skills on the local machine.
Enterprise Identity Model — Every Agent Gets Its Own Entra ID
This is the most important governance point for IT admins. Scout does not run under the user's identity or a shared service account. Every Scout agent instance is provisioned with its own Entra managed identity — scoped to the specific task it is authorised to perform.
# List all Scout agent identities in your Entra tenant
# Requires Microsoft Graph PowerShell SDK
Connect-MgGraph -Scopes "Application.Read.All"
# Scout agents appear as service principals with a specific tag
Get-MgServicePrincipal -Filter "tags/any(t:t eq 'MicrosoftScoutAgent')" |
Select-Object DisplayName, AppId, CreatedDateTime, ServicePrincipalType |
Format-Table -AutoSizeDeployment Requirements Checklist
| Requirement | Details | How to verify |
|---|---|---|
| M365 E5 licence | Required — E3 not sufficient for new Scout enrollments | M365 admin centre → Licences |
| GitHub Copilot Business or Enterprise | Required for Scout installation | GitHub admin console → Billing |
| Intune-managed device | Device must be enrolled in Intune (not just Entra registered) | dsregcmd /status → MDMEnrollmentURL |
| Frontier preview enrollment | Tenant must be in M365 Frontier programme | M365 admin centre → Frontier |
| Opt-in attestation | Admin must complete attestation acknowledging autonomous agent governance responsibilities | Scout admin centre → Attestation |
Auditing Scout Activity
# Pull Scout agent activity from the M365 Unified Audit Log
Connect-ExchangeOnline
$auditResults = Search-UnifiedAuditLog `
-StartDate (Get-Date).AddDays(-7) `
-EndDate (Get-Date) `
-Operations "ScoutAgentTaskExecuted","ScoutAgentFileAccessed","ScoutAgentEmailSent" `
-ResultSize 5000
$auditResults | Select-Object CreationDate, UserIds, Operations,
@{n="Detail";e={($_.AuditData | ConvertFrom-Json).ObjectId}} |
Export-Csv ".\scout-audit-7days.csv" -NoTypeInformation
Write-Host "Exported $($auditResults.Count) Scout events to scout-audit-7days.csv"What IT Admins Should Do Now
Scout is in Frontier preview — most organisations are not yet affected. But the governance infrastructure you put in place now will determine how smoothly Scout rolls out when it reaches public preview in August 2026 and general availability later this year. Recommended preparation steps:
- Review your Entra ID service principal governance — do you have processes for reviewing new service principals? Scout agent identities will appear here.
- Ensure Microsoft Purview sensitivity labels are deployed and applied to data Scout will touch — Teams, SharePoint, OneDrive. Scout respects labels; unprotected content is unprotected.
- Review your Conditional Access policies for service principals — scope them to require MFA-equivalent assurance for agent identities.
- Check your Intune device compliance policies — Scout requires an Intune-managed device. Non-compliant devices won't be eligible.
- Assess your E5 licence position — Scout requires E5. If you're on E3, build this into your next licence review.