Control My Power App with Copilot Studio

Opening: “The AI Agent That Runs Your Power App”Most people still think Copilot writes emails and hallucinates budget summaries. Wrong. The latest update gives it opposable thumbs. Copilot Studio can now physically use your computer—clicking, typing, dragging, and opening apps like a suspiciously obedient intern. Yes, Microsoft finally taught the cloud to reach through the monitor and press buttons for you.And that’s not hyperbole. The feature is literally called “Computer Use.” It lets a Copilot agent act inside a real Windows session, not a simulated one. No more hiding behind connectors and APIs; this is direct contact with your desktop. It can launch your Power App, fill fields, and even submit forms—all autonomously. Once you stop panicking, you’ll realize what that means: automation that transcends the cloud sandbox and touches your real-world workflows.Why does this matter? Because businesses run on a tangled web of “almost integrated” systems. APIs don’t always exist. Legacy UIs don’t expose logic. Computer Use moves the AI from talking about work to doing the work—literally moving the cursor across the screen. It’s slow. It’s occasionally clumsy. But it’s historic. For the first time, Office AI interacts with software the way humans do—with eyes, fingers, and stubborn determination.Here’s what we’ll cover: setting it up without accidental combustion, watching the AI fumble through real navigation, dissecting how the reasoning engine behaves, then tackling the awkward reality of governance. By the end, you’ll either fear for your job or upgrade your job title to “AI wrangler.” Both are progress.Section 1: What “Computer Use” Really MeansLet’s clarify what this actually is before you overestimate it. “Computer Use” inside Copilot Studio is a new action that lets your agent operate a physical or virtual Windows machine through synthetic mouse and keyboard input. Imagine an intern staring at the screen, recognizing the Start menu, moving the pointer, and typing commands—but powered by a large language model that interprets each pixel in real time. That’s not a metaphor. It literally parses the interface using computer vision and decides its next move based on reasoning, not scripts.Compare that to a Power Automate flow or an API call. Those interact through defined connectors; predictable, controlled, and invisible. This feature abandons that polite formality. Instead, your AI actually “looks” at the UI like a user. It can misclick, pause to think, and recover from errors. Every run is different because the model reinterprets the visual state freshly each time. That unpredictability isn’t a bug—it’s adaptive problem solving. You said “open Power Apps and send an invite,” and it figures out which onscreen element accomplishes that, even if the layout changes.Microsoft calls this agentic AI—an autonomous reasoning agent capable of acting independently within a digital environment. It’s the same class of system that will soon drive cross-platform orchestration in Fabric or manage data flows autonomously. The shift is profound: instead of you guiding automation logic, you set intent, and the agent improvises the method.The beauty, of course, is backward compatibility with human nonsense. Legacy desktop apps, outdated intranet portals, anything unintegrated—all suddenly controllable again. The vision engine provides the bridge between modern AI language models and the messy GUIs of corporate history.But let’s be honest: giving your AI mechanical control requires more than enthusiasm. It needs permission, environment binding, and rigorous setup. Think of it like teaching a toddler to use power tools—possible, but supervision is mandatory. Understanding how Computer Use works under the hood prepares you for why the configuration feels bureaucratic. Because it is. The next part covers exactly that setup pain in excruciating, necessary detail so the only thing your agent breaks is boredom, not production servers.Section 2: Setting It Up Without Breaking ThingsAll right, you want Copilot to touch your machine. Brace yourself. This process feels less like granting autonomy and more like applying for a security clearance. But if you follow the rules precisely, the only thing that crashes will be your patience, not Windows.Step one—machine prerequisites. You need Windows 10 or 11 Pro or better. And before you ask: yes, “Home” editions are excluded. Because “Home” means not professional. Copilot refuses to inhabit a machine intended for gaming and inexplicable toolbars. You also need the Power Automate Desktop runtime installed. That’s the bridge connecting Copilot Studio’s cloud instance to your local compute environment. Without it, your agent is just shouting commands into the void.Install Power Automate Desktop from Microsoft, run the setup, and confirm the optional component called Machine Runtime is present. That’s the agent’s actual driver license. Skip that and nothing will register. Once it’s installed, launch the Machine Runtime app; sign in with your work or school Entra account—the same one tied to your Copilot Studio environment. The moment you sign in, pick an environment to register the PC under. There’s no confirmation dialog—it simply assumes you made the right decision. Microsoft’s version of trust.Step two—verify registration in the Power Automate portal. Open your browser, go to Power Automate → Monitor → Machines, and you should see your device listed with a friendly green check mark. If it isn’t there, you’re either on Windows Home (I told you) or the runtime didn’t authenticate properly. Reinstall, reboot, and resist cursing—it doesn’t help, though it’s scientifically satisfying.Step three—enable it for Computer Use. Inside the portal, open the machine’s settings pane. You’ll find a toggle labeled “Enable for Computer Use.” Turn it on. You’ll get a stern warning about security best practices—as you should. You’re authorizing an AI system to press keys on your behalf. Make sure this machine contains no confidential spreadsheets named “final_v27_reallyfinal.xlsx.” Click Activate, then Save. Congratulations, you’ve just created a doorway for an autonomous agent.Step four—confirm compatibility. Computer Use requires runtime version 2.59 or newer. Anything older and the feature simply won’t appear in Copilot Studio. Check the version on your device or in the portal list. If you’re current, you’re ready.Now, about accounts. You can use a local Windows user or a domain profile; both work. But the security implications differ. A local account keeps experiments self‑contained. A domain account inherits corporate access rights, which is tantamount to letting the intern borrow your master keycard. Be deliberate. Credentials persist between sessions, so if this is a shared PC, you could end up with multiple agents impersonating each other—a delightful compliance nightmare.Final sanity check: run a manual test from Copilot Studio. In the Tools area, try creating a new “Computer Use” tool. If the environment handshake worked, you’ll see your machine as a selectable target. If not—backtrack, because something’s broken. Likely you, not the system.It’s bureaucratic, yes, but each click exists for a reason. You’re conferring physical agency on software. That requires ceremony. When you finally see the confirmation message, resist the urge to celebrate. You’ve only completed orientation. The real chaos begins when the AI starts moving your mouse.Section 3: Watching the AI Struggle (and Learn)Here’s where theory meets slapstick. I let the Copilot agent run on a secondary machine—an actual Windows laptop, not a sandbox—and instructed it to open my Power App and send a university invite. You’d expect a swift, robotic performance. Instead, imagine teaching a raccoon to operate Excel. Surprisingly determined. Terrifyingly curious. Marginally successful.The moment I hit Run, the test interface in Copilot Studio showed two views: on the right, a structured log detailing its thoughts; on the left, a live feed of that sacrificial laptop. The cursor twitched, paused—apparently thinking—and then lunged for the Start button. Success. It typed “Power Apps,” opened the app, and stared at the screen as if waiting for applause. Progress achieved through confusion.Now, none of this was pre‑programmed. It wasn’t a macro replaying recorded clicks; it was improvisation. Each move was a new decision, guided by vision and reasoning. Sometimes it used the Start menu; sometimes the search bar; occasionally, out of creative rebellion, it used the Run dialog. The large language model interpreted screenshots, reasoned out context, and decided which action would achieve the next objective. It’s automation with stage fright—fascinating, if occasionally painful to watch.Then came the date picker. The great nemesis of automation. The agent needed to set a meeting for tomorrow. Simple for a human, impossible for anyone who’s ever touched a legacy calendar control. It clicked the sixth, the twelfth, then decisively chose the thirteenth. Close, but temporal nonsense. Instead of crashing, it reasoned again, reopened the control, and kept trying—thirteen, eight, ten—like a toddler learning arithmetic through trial. Finally, it surrendered to pure typing and entered the correct date manually. Primitive? Yes. Impressive? Also yes. Because what you’re seeing there isn’t repetition; it’s adaptation.That’s the defining point of agentic behavior. The AI doesn’t memorize keystrokes; it understands goals. It assessed that manual typing would solve what clicking couldn’t. That’s autonomous reasoning. You can’t script that with Power Automate’s flow logic. It’s the digital equivalent of “fine, I’ll do it myself.”This unpredictable exploration means every run looks a little different. Another attempt produced the right date on its third click. A third attempt nailed it instantly but missed the “OK” button afterward, accidentally reverting its work. In each run

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-show-podcast--6704921/support.

Follow us on:
LInkedIn
Substack

WEBVTT

1
00:00:00.040 --> 00:00:04.240
Most people still think Copilot writes emails and hallucinates budget summaries. Wrong.

2
00:00:04.400 --> 00:00:07.639
The latest update gives it opposable thumbs. Copilot Studio can

3
00:00:07.679 --> 00:00:11.640
now physically use your computer, clicking, typing, dragging, and opening

4
00:00:11.720 --> 00:00:15.919
apps like a suspiciously obedient intern. Yes, Microsoft finally taught

5
00:00:15.960 --> 00:00:18.640
the cloud to reach through the monitor and press buttons

6
00:00:18.679 --> 00:00:21.199
for you. And that's not hyperbole. The feature is literally

7
00:00:21.199 --> 00:00:24.559
called computer use. It lets a copilot agent act inside

8
00:00:24.600 --> 00:00:27.600
a real Windows session, not a simulated one. No more

9
00:00:27.679 --> 00:00:30.600
hiding behind connectors and APIs. This is direct contact with

10
00:00:30.640 --> 00:00:34.280
your desktop. It can launch your power app, fill fields,

11
00:00:34.320 --> 00:00:38.280
and even submit forms, all autonomously. Once you stop panicking,

12
00:00:38.280 --> 00:00:41.679
you'll realize what that means. Automation that transcends the cloud

13
00:00:41.719 --> 00:00:44.679
sandbox and touches your real world workflows. Why does this

14
00:00:44.759 --> 00:00:47.640
matter Because businesses run on a tangled web of almost

15
00:00:47.640 --> 00:00:51.600
integrated systems. APIs don't always exist, Legacy uys don't expose logic.

16
00:00:51.719 --> 00:00:54.159
Computer use moves the AI from talking about work to

17
00:00:54.200 --> 00:00:56.880
doing the work, literally moving the cursor across the screen.

18
00:00:56.960 --> 00:01:00.640
It's slow, it's occasionally clumsy, but it's historic. For the

19
00:01:00.679 --> 00:01:03.560
first time office AI interacts with software the way humans

20
00:01:03.600 --> 00:01:06.920
do with eyes, fingers, and stubborn determination. Here's what we'll cover,

21
00:01:07.040 --> 00:01:10.519
setting it up without accidental combustion, watching the AI fumble

22
00:01:10.560 --> 00:01:14.200
through real navigation, dissecting how the reasoning engine behaves, then

23
00:01:14.239 --> 00:01:17.719
tackling the awkward reality of governance. By the end, you'll

24
00:01:17.719 --> 00:01:20.239
either fear for your job or upgrade your job title

25
00:01:20.280 --> 00:01:24.719
to AI wrangler. Both are progress. What computer use really means.

26
00:01:25.000 --> 00:01:27.799
Let's clarify what this actually is before you overestimate it.

27
00:01:28.280 --> 00:01:30.879
Computer Use inside Copilot Studio is a new action that

28
00:01:30.959 --> 00:01:33.640
lets your agent operate a physical or virtual Windows machine

29
00:01:33.680 --> 00:01:36.959
through synthetic mouse and keyboard input. Imagine an intern staring

30
00:01:37.000 --> 00:01:40.120
at the screen, recognizing the start menu, moving the pointer,

31
00:01:40.319 --> 00:01:43.480
and typing commands, but powered by a large language model

32
00:01:43.519 --> 00:01:46.799
that interprets each pixel in real time. That's not a metaphor.

33
00:01:46.920 --> 00:01:49.840
It literally passes the interface using computer vision and decides

34
00:01:49.840 --> 00:01:52.480
its next move based on reasoning, not scripts. Compare that

35
00:01:52.560 --> 00:01:55.599
to a power automate flow or an API call. Those

36
00:01:55.640 --> 00:02:00.079
interact through defined connectors, predictable, controlled, and invisible. This feature

37
00:02:00.120 --> 00:02:03.760
abandons that polite formality. Instead, your AI actually looks at

38
00:02:03.760 --> 00:02:06.719
the UI like a user. It can misclick pause to

39
00:02:06.760 --> 00:02:09.360
think and recover from errors. Every run is different because

40
00:02:09.400 --> 00:02:12.400
the model reinterprets the visual state freshly each time. That

41
00:02:12.520 --> 00:02:16.159
unpredictability isn't a bug, it's adaptive problem solving. You said,

42
00:02:16.199 --> 00:02:18.919
open power apps and send an invite, and it figures

43
00:02:18.960 --> 00:02:21.599
out which on screen element accomplishes that even if the

44
00:02:21.680 --> 00:02:25.439
layout changes. Microsoft cause this agentic AI an autonomous reasoning

45
00:02:25.439 --> 00:02:28.719
agent capable of acting independently within a digital environment. It's

46
00:02:28.759 --> 00:02:31.159
the same class of system that will soon drive cross

47
00:02:31.159 --> 00:02:35.639
platform orchestration in fabric or manage data flows autonomously. The

48
00:02:35.680 --> 00:02:39.000
shift is profound. Instead of you guiding automation logic, you

49
00:02:39.120 --> 00:02:42.520
set intent and the agent improvises the method. The beauty,

50
00:02:42.520 --> 00:02:46.639
of course, is backward compatibility with human nonsense, legacy desktop apps,

51
00:02:46.680 --> 00:02:50.800
outdated Internet portals, anything unintegrated, all suddenly controllable again. The

52
00:02:50.879 --> 00:02:53.879
vision engine provides the bridge between modern AI language models

53
00:02:53.879 --> 00:02:57.319
and the messy UIs of corporate history. But let's be honest.

54
00:02:57.560 --> 00:03:01.039
Giving your AI mechanical control requires more than enthusiasm. It

55
00:03:01.080 --> 00:03:04.840
needs permission, environment binding and rigorous setup. Think of it

56
00:03:04.919 --> 00:03:07.520
like teaching a toddler to use power tools. Possible, but

57
00:03:07.639 --> 00:03:11.159
supervision is mandatory. Understanding how computer use works under the

58
00:03:11.199 --> 00:03:14.639
hood prepares you for why the configuration feels bureaucratic because

59
00:03:14.639 --> 00:03:16.840
it is the next part covers exactly that set up

60
00:03:16.879 --> 00:03:19.840
pain in excruciating necessary detail. So the only thing your

61
00:03:19.840 --> 00:03:23.879
agent breaks is boredom, not production servers setting it up

62
00:03:23.919 --> 00:03:26.759
without breaking things All right, you want Copilot to touch

63
00:03:26.800 --> 00:03:30.319
your machine, brace yourself. This process feels less like grunting

64
00:03:30.360 --> 00:03:32.919
autonomy and more like applying for a security clearance. But

65
00:03:32.960 --> 00:03:35.240
if you follow the rules precisely, the only thing that

66
00:03:35.280 --> 00:03:39.080
crashes will be your patients, not Windows Step one machine prerequisites.

67
00:03:39.280 --> 00:03:41.719
You need Windows ten or eleven pro or better. And

68
00:03:41.759 --> 00:03:45.159
before you ask, yes, home editions are excluded because home

69
00:03:45.240 --> 00:03:48.520
means not professional. Copilot refuses to inhabit a machine intended

70
00:03:48.520 --> 00:03:51.439
for gaming and inexplicable tool bars. You also need the

71
00:03:51.439 --> 00:03:54.800
power Automate Desktop run Time installed. That's the bridge connecting

72
00:03:54.800 --> 00:03:58.479
copilot studios cloud instance to your local compute environment. Without it,

73
00:03:58.639 --> 00:04:01.680
your agent is just shouting demands into the void. Install

74
00:04:01.800 --> 00:04:05.520
power Automate Desktop from Microsoft, run the setup, and confirm

75
00:04:05.560 --> 00:04:08.560
the optional component called machine run Time is present. That's

76
00:04:08.599 --> 00:04:11.360
the agent's actual driver license. Skip that and nothing will

77
00:04:11.400 --> 00:04:14.759
register Once it's installed, launch the machine run time app.

78
00:04:15.199 --> 00:04:17.399
Sign in with your work or school intra account, the

79
00:04:17.439 --> 00:04:20.399
same one tied to your copilot studio environment. The moment

80
00:04:20.399 --> 00:04:22.480
you sign in, pick an environment to register the PC

81
00:04:22.639 --> 00:04:25.560
under there's no confirmation dialogue. It simply assumes you made

82
00:04:25.560 --> 00:04:29.199
the right decision Microsoft's version of trust. Step two, verify

83
00:04:29.240 --> 00:04:32.319
registration in the power Automate portal. Open your browser, Go

84
00:04:32.360 --> 00:04:35.279
to power Automate monitor machines, and you should see your

85
00:04:35.279 --> 00:04:37.839
device listed with a friendly green check mark. If it

86
00:04:37.879 --> 00:04:40.600
isn't there, you're either on Windows Home I told you,

87
00:04:40.879 --> 00:04:44.720
or the run Time didn't authenticate properly, reinstall, reboot, and

88
00:04:44.800 --> 00:04:48.639
resist cursing. It doesn't help, though it's scientifically satisfying. Step three,

89
00:04:48.879 --> 00:04:51.600
enable it for computer use. Inside the portal, open the

90
00:04:51.639 --> 00:04:54.800
machine's settings pain you'll find a toggal labeled enable for

91
00:04:54.920 --> 00:04:58.120
computer use. Turn it on. You'll get a stern warning

92
00:04:58.120 --> 00:05:01.120
about security best practices. As you should. You're authorizing an

93
00:05:01.120 --> 00:05:03.639
AI system. To press keys on your behalf. Make sure

94
00:05:03.639 --> 00:05:07.079
this machine contains no confidential spreadsheets named final V two

95
00:05:07.120 --> 00:05:11.879
seven really final XLSX, click activate, then save. Congratulations, you've

96
00:05:11.920 --> 00:05:14.600
just created a doorway for an autonomous agent. Step four,

97
00:05:14.639 --> 00:05:18.199
confirm compatibility. Computer use requires runtime version two point five

98
00:05:18.399 --> 00:05:21.000
nine on newer Anything older and the feature simply won't

99
00:05:21.000 --> 00:05:23.800
appear in Copilot Studio. Check the version on your device

100
00:05:23.879 --> 00:05:26.319
or in the portal list. If you're current, you're ready.

101
00:05:26.639 --> 00:05:29.439
Now about accounts, you can use a local Windows user

102
00:05:29.519 --> 00:05:33.240
or a domain profile. Both work, but the security implications differ.

103
00:05:33.480 --> 00:05:36.879
A local account keeps experiments self contained. A domain account

104
00:05:36.879 --> 00:05:39.959
inherits corporate access rights, which is tantamount to letting the

105
00:05:39.959 --> 00:05:44.399
intern borrow your master keycard. Be deliberate. Credentials persist between sessions,

106
00:05:44.439 --> 00:05:46.399
so if this is a shared PC, you could end

107
00:05:46.480 --> 00:05:50.360
up with multiple agents impersonating each other. A delightful compliance nightmare.

108
00:05:50.879 --> 00:05:53.639
Final sanity check. Run a manual test from Copilot Studio.

109
00:05:54.079 --> 00:05:57.160
In the tools area, try creating a new computer used tool.

110
00:05:57.480 --> 00:06:00.199
If the environment handshake worked, you'll see your machine as

111
00:06:00.199 --> 00:06:03.839
a selectable target. If not, backtrack because something's broken. Likely

112
00:06:03.879 --> 00:06:06.639
you not the system. It's bureaucratic, yes, but each click

113
00:06:06.720 --> 00:06:09.600
exists for a reason. You're conferring physical agency on software

114
00:06:09.800 --> 00:06:12.800
that requires ceremony. When you finally see the confirmation message,

115
00:06:13.000 --> 00:06:16.079
resist the urge to celebrate you've only completed orientation. The

116
00:06:16.120 --> 00:06:18.920
real chaos begins when the AI starts moving your mouse

117
00:06:19.360 --> 00:06:23.480
watching the AI struggle and learn. Here's where theory meets slapstick.

118
00:06:24.079 --> 00:06:26.560
I let the Copilot agent run on a secondary machine,

119
00:06:26.800 --> 00:06:29.399
an actual Windows laptop, not a sandbox, and instructed it

120
00:06:29.439 --> 00:06:31.879
to open my power up and sent a university invite.

121
00:06:32.160 --> 00:06:35.360
You'd expect a swift, robotic performance. Instead, imagine teaching a

122
00:06:35.439 --> 00:06:40.839
raccoon to operate Excel. Surprisingly determined, terrifyingly curious, marginally successful.

123
00:06:41.279 --> 00:06:43.959
The moment I hit run, the test interface in Copilot

124
00:06:44.000 --> 00:06:47.160
Studio showed two views. On the right, a structured log

125
00:06:47.240 --> 00:06:49.959
detailing its thoughts, on the left, a live feed of

126
00:06:49.959 --> 00:06:54.959
that sacrificial laptop. The cursor twitched, paused, apparently thinking, and

127
00:06:55.000 --> 00:06:59.040
then lunched for the start button. Success it typed power

128
00:06:59.079 --> 00:07:01.800
apps open in the app and stared at the screen

129
00:07:01.839 --> 00:07:05.120
as if waiting for applause. Progress achieved through confusion. Now,

130
00:07:05.160 --> 00:07:07.480
none of this was pre programmed. It wasn't a macro

131
00:07:07.560 --> 00:07:11.079
replaying recorded clicks. It was improvisation. Each move was a

132
00:07:11.120 --> 00:07:13.959
new decision, guided by vision and reasoning. Sometimes it used

133
00:07:13.959 --> 00:07:16.600
the start menu, sometimes the search bar, occasionally out of

134
00:07:16.639 --> 00:07:20.360
creative rebellion. It used the run dialogue, the large language model,

135
00:07:20.399 --> 00:07:24.199
interpreted screenshots, reasoned out contexts, and decided which action would

136
00:07:24.199 --> 00:07:27.920
achieve The next objective its automation with stage fright fascinating,

137
00:07:27.920 --> 00:07:30.560
if occasionally painful to watch. Then came the date picker,

138
00:07:30.680 --> 00:07:33.319
the great nemesis of automation. The agent needed to set

139
00:07:33.360 --> 00:07:36.120
a meeting for tomorrow, simple for a human, impossible for

140
00:07:36.160 --> 00:07:39.279
anyone who's ever touched a legacy calendar control. It clicked

141
00:07:39.279 --> 00:07:42.519
the sixth, the twelfth, then decisively chose the thirteenth, close

142
00:07:42.600 --> 00:07:45.800
but temporal nonsense. Instead of crashing, it reasoned again, reopened

143
00:07:45.800 --> 00:07:48.759
the control, and kept trying thirteen eight ten, like a

144
00:07:48.759 --> 00:07:51.920
toddler learning arithmetic through trial. Finally, it surrendered to pure

145
00:07:51.959 --> 00:07:55.560
typing and entered the correct date. Manually primitive. Yes, impressive.

146
00:07:55.600 --> 00:07:58.839
Also yes, because what you're seeing there isn't repetition, its adaptation.

147
00:07:59.279 --> 00:08:02.439
That's the defining point of argentic behavior. The AI doesn't

148
00:08:02.439 --> 00:08:05.759
memorize keystrokes. It understands goals. It assessed that manual typing

149
00:08:05.920 --> 00:08:09.519
would solve what clicking couldn't. That's autonomous reasoning. You can't

150
00:08:09.560 --> 00:08:12.759
script that with power automate's flow logic. It's the digital

151
00:08:12.800 --> 00:08:16.759
equivalent of fine, I'll do it myself. This unpredictable expiration

152
00:08:16.839 --> 00:08:19.839
means every run looks a little different. Another attempt produced

153
00:08:19.839 --> 00:08:22.480
the right date on its third click. A third attempt

154
00:08:22.560 --> 00:08:25.920
nailed it instantly, but missed the OK button afterward, accidentally

155
00:08:25.920 --> 00:08:28.480
reverting its work in each run. Though it adjusted the

156
00:08:28.519 --> 00:08:32.440
failure pattern, shifting click coordinates, slightly estimating button regions, trying

157
00:08:32.440 --> 00:08:35.919
alternative UI pads. It was learning, or at least emulating learning,

158
00:08:36.000 --> 00:08:40.639
inside a single execution thread. Watching that unfold feels bizarrely human. Eventually,

159
00:08:40.720 --> 00:08:43.480
our pixel detective managed to clear a mentor name, update

160
00:08:43.519 --> 00:08:46.519
the course id, and press the check AI button. It

161
00:08:46.600 --> 00:08:48.960
waited for the confirmation color to change, because yes, it

162
00:08:49.000 --> 00:08:51.600
can detect state shifts in the UI. Then it clicked

163
00:08:51.639 --> 00:08:55.320
sent mission accomplished eight minutes and fifty six seconds later,

164
00:08:55.679 --> 00:08:59.080
slower than watching paint dry, but infinitely more futuristic. The

165
00:08:59.120 --> 00:09:01.960
power up registered sent invite. The agent even attempted to

166
00:09:01.960 --> 00:09:04.879
close the application, as if it wanted closure. This is

167
00:09:04.919 --> 00:09:07.960
the moment you realize what's happening. The cloud just manipulated

168
00:09:07.960 --> 00:09:11.360
your desktop to accomplish a business task. No connector, no flow,

169
00:09:11.679 --> 00:09:14.919
just reasoning, vision, and persistence. It's doing what testers, support

170
00:09:15.000 --> 00:09:19.039
engineers and automation specialists do, only without caffeine or context.

171
00:09:19.080 --> 00:09:23.080
You're witnessing not intelligence, but competence emerging under constraints. Here's

172
00:09:23.120 --> 00:09:25.519
the mental checkpoint. This is the worst it will ever be.

173
00:09:26.159 --> 00:09:29.120
Every update will refine its accuracy, improve speed, reduce the

174
00:09:29.200 --> 00:09:31.879
random flailing. The struggle you're watching is like watching the

175
00:09:31.919 --> 00:09:35.360
first airplane crash land and still counter's flight, imperfect execution,

176
00:09:35.600 --> 00:09:39.159
historic significance, and of course, where there's capability, there's temptation.

177
00:09:39.440 --> 00:09:41.799
If this AI can navigate a power app, it can

178
00:09:41.879 --> 00:09:45.080
navigate anything, which means the next question isn't can it act?

179
00:09:45.120 --> 00:09:47.720
But should it? Because once you give an agent hands

180
00:09:47.720 --> 00:09:50.000
and an identity, it inherits power. You might not be

181
00:09:50.039 --> 00:09:53.200
ready to supervise, and that brings us to governance, the

182
00:09:53.279 --> 00:09:56.840
part everyone ignores until it's already too late, the governance

183
00:09:56.919 --> 00:10:00.519
catch when agents get permissions. Here's the problem with autonomous software.

184
00:10:00.679 --> 00:10:03.000
Once it learns to push buttons, it also learns to

185
00:10:03.000 --> 00:10:06.720
push hierarchy. The moment you enable computer use, your copilot

186
00:10:06.720 --> 00:10:10.000
agent doesn't just borrow your mouse. It borrows your authority.

187
00:10:10.399 --> 00:10:12.879
In Microsoft's terms, that authority is represented as an intra

188
00:10:12.960 --> 00:10:16.320
agent ID, a genuine identity inside your organization's directory, not

189
00:10:16.399 --> 00:10:20.440
some shadow token, but an addressable entity with permissions, history

190
00:10:20.480 --> 00:10:23.639
and potential for mischief. You've effectively added a new employee

191
00:10:23.679 --> 00:10:25.600
to your tenant, one that works twenty four hours a

192
00:10:25.679 --> 00:10:28.879
day and never files an expense report. Enter Microsoft Fabrics

193
00:10:28.919 --> 00:10:32.799
Governance Stack, Perview for labeling and data loss prevention, Defender

194
00:10:32.840 --> 00:10:36.720
for monitoring, and entra ID for access control. Together they

195
00:10:36.759 --> 00:10:39.840
form the bureaucratic seat belt keeping this new intern from

196
00:10:39.919 --> 00:10:42.720
driving through the firewall. Because remember, every click the agent

197
00:10:42.759 --> 00:10:46.559
performs uses your license, your credentials, your network pathways. If

198
00:10:46.600 --> 00:10:49.159
you can open a confidential workbook or post in teams,

199
00:10:49.200 --> 00:10:52.240
so can it. That's convenient for automation and catastrophic for

200
00:10:52.279 --> 00:10:55.519
policy violations. The truth over sharing is already an epidemic.

201
00:10:55.639 --> 00:10:59.399
Studies show a significant fraction of business critical files inside

202
00:10:59.399 --> 00:11:03.039
three sixty five are accessible to far more people than necessary.

203
00:11:03.120 --> 00:11:05.320
Now add an AI that inherits those same rights and

204
00:11:05.360 --> 00:11:08.600
never gets tired, you've industrialized the risk. A poorly scoped

205
00:11:08.679 --> 00:11:12.399
prompt summarize all recent finance emails could pull half a

206
00:11:12.480 --> 00:11:16.000
department's secrets into a chat window. The danger isn't intent,

207
00:11:16.080 --> 00:11:19.039
its reach. This is where perviews labels and DLP rules

208
00:11:19.080 --> 00:11:22.679
earn their salary. When applied correctly. Sensitivity labels follow the

209
00:11:22.759 --> 00:11:26.399
data even when an agent touches it. An argentic AI

210
00:11:26.559 --> 00:11:29.960
can't forward a restricted document if the underlying policy forbids it.

211
00:11:30.159 --> 00:11:33.399
That's the theory. At least, enforcement depends on administrators maintaining

212
00:11:33.440 --> 00:11:37.000
parity between human and agent identities. Treat them like users,

213
00:11:37.000 --> 00:11:40.519
not utilities. If you'd revoke an employee's access during off boarding,

214
00:11:40.879 --> 00:11:44.600
you should also deactivate the agent's credentials. Otherwise you've built

215
00:11:44.600 --> 00:11:48.240
the world's first immortal contractor Now consider control at runtime.

216
00:11:48.320 --> 00:11:50.879
Microsoft Defender for Cloud observes these agents like an air

217
00:11:50.879 --> 00:11:54.159
traffic controller watches a hyperactive flock of drones. It looks

218
00:11:54.159 --> 00:11:58.200
for call frequency anomalies, abnormal endpoints, and erratic vision usage.

219
00:11:58.399 --> 00:12:00.559
When an agent starts clicking where it should couldn't say,

220
00:12:00.600 --> 00:12:04.559
an administrative console, Defender can throttle or quarantine the behavior

221
00:12:04.600 --> 00:12:08.200
in real time. Quarantine for code essentially timeout for software.

222
00:12:08.559 --> 00:12:12.679
This is governance as reactive parenting, security architects underline another layer,

223
00:12:12.799 --> 00:12:15.279
zero trust boundaries. Remember that your agent runs on a

224
00:12:15.279 --> 00:12:18.600
physical or virtual Windows machine. That environment must obey the

225
00:12:18.600 --> 00:12:21.759
same micro segmentation as any workstation. Don't let it share

226
00:12:21.840 --> 00:12:24.960
drives with production servers unless you crave the digital equivalent

227
00:12:25.000 --> 00:12:29.080
of cross contamination. For regulated industries, Microsoft goes further post

228
00:12:29.159 --> 00:12:33.279
quantum cryptography and VBS enclave isolation in plain English, a

229
00:12:33.360 --> 00:12:36.600
locked hardware vault. For AI computations, your agent can act

230
00:12:36.639 --> 00:12:40.000
freely inside its bubble, but cannot smuggle data across encrypted walls.

231
00:12:40.240 --> 00:12:43.639
Its computational quarantine for compliance addicts. Of course, nothing ruins

232
00:12:43.639 --> 00:12:47.039
a utopia faster than audit logs. Fortunately, every keystroke the

233
00:12:47.039 --> 00:12:50.320
agent generates is captured by the unified administration audit trail

234
00:12:50.720 --> 00:12:53.759
inside fabric and power platform admin center. That means when

235
00:12:53.840 --> 00:12:56.200
legal or compliance comes knocking, you can prove whether the

236
00:12:56.240 --> 00:12:58.960
AI opened a file or only thought about it. Traceability

237
00:12:58.960 --> 00:13:02.440
transforms chaos into governance. Admittedly, the system is still immature.

238
00:13:02.919 --> 00:13:06.840
Meta data sometimes lags, contact entries drop, and replaying sequences

239
00:13:06.879 --> 00:13:09.200
feels like watching security footage from two thousand and three.

240
00:13:09.559 --> 00:13:13.519
But it's improving. Every preview build brings tighter logging and correlation.

241
00:13:14.559 --> 00:13:19.000
Here's the inconvenient punchline. You wanted self driving workflows, Congratulations,

242
00:13:19.039 --> 00:13:22.399
you've inherited the responsibility of maintaining seat belts, speed limits,

243
00:13:22.399 --> 00:13:26.679
and traffic cameras. Governance isn't optional, it's infrastructure without it.

244
00:13:26.919 --> 00:13:29.879
Your agentic AI is a teenager with root access. You

245
00:13:29.960 --> 00:13:33.399
may marvel at how efficiently it completes tasks while ignoring policies,

246
00:13:33.600 --> 00:13:36.559
right up until the compliance team discovers that efficiency was theft.

247
00:13:36.799 --> 00:13:39.519
So what's the mitigation plan? Start by mapping every privilege

248
00:13:39.519 --> 00:13:43.080
the agent inherits from its entra identity segment access as

249
00:13:43.120 --> 00:13:45.759
if you were designing least privilege for an external vendor,

250
00:13:45.919 --> 00:13:49.080
because that's precisely what an autonomous bot is. Aligne per

251
00:13:49.159 --> 00:13:52.960
view labels with business sensitivity tiers, enforced DLP rules that

252
00:13:53.000 --> 00:13:56.759
pre empt accidental exfiltration, monitor defender dashboards for early signs

253
00:13:56.759 --> 00:13:59.519
of rebellion, and for every agent you deploy, ensure there's

254
00:13:59.519 --> 00:14:02.759
a living here, human responsible for it. Automation without accountability

255
00:14:02.840 --> 00:14:06.080
is negligence disguised as progress. If this sounds excessive, remember

256
00:14:06.080 --> 00:14:09.480
that agentic AI doesn't make moral decisions. It completes objectives,

257
00:14:09.480 --> 00:14:12.159
not context. Tell it sent this report, and it will

258
00:14:12.320 --> 00:14:14.720
even if the file is marked confidential, and the recipients

259
00:14:14.720 --> 00:14:18.840
are competitors. Parameters aren't ethics. Governance provides the missing conscience,

260
00:14:19.200 --> 00:14:22.519
the corporate nervous system that says no faster than curiosity

261
00:14:22.559 --> 00:14:25.799
says yes. Still, we shouldn't ignore the opportunity hidden inside

262
00:14:25.840 --> 00:14:28.799
all this regulation. By treating agents as first class identities,

263
00:14:28.919 --> 00:14:32.679
enterprises gain unprecedented visibility and control. You can measure productivity

264
00:14:32.679 --> 00:14:37.279
per agent, isolate workflows by department, and retire automations safely,

265
00:14:37.600 --> 00:14:41.639
all through standard identity governance. What feels bureaucratic today becomes

266
00:14:41.679 --> 00:14:44.320
operational hygiene tomorrow. So as dazzled as you are by

267
00:14:44.320 --> 00:14:47.519
watching Copilot click your power apps buttons, realize that the

268
00:14:47.559 --> 00:14:50.879
real revolution isn't dexterity, it's accountability at machine speed. The

269
00:14:50.919 --> 00:14:54.200
more capable these systems become, the more meticulous your permissions

270
00:14:54.240 --> 00:14:57.000
must be set the guardrails now while the AI still

271
00:14:57.039 --> 00:14:59.919
asks permission to log in, because soon it won't ask,

272
00:15:00.200 --> 00:15:03.120
it'll assume. And that's the governance ketch. An building a

273
00:15:03.159 --> 00:15:07.240
responsible AI agentic workflow. Responsible use of agentic AI starts

274
00:15:07.240 --> 00:15:09.559
with an admission you are not its master, You are

275
00:15:09.600 --> 00:15:13.519
its babysitter. Treating an autonomous agent like an obedient macro,

276
00:15:14.080 --> 00:15:17.200
is how enterprises end up explaining breaches to auditors. The

277
00:15:17.200 --> 00:15:20.759
operative principle is sandbox first, Build, test, and observe your

278
00:15:20.759 --> 00:15:24.440
copilot agents on isolated machines or green zones before even

279
00:15:24.519 --> 00:15:27.679
thinking about production. A green zone is a segregated environment,

280
00:15:27.879 --> 00:15:31.360
no shared drives, no corporate credentials, no confidential data, designed

281
00:15:31.399 --> 00:15:34.080
for learning without collateral damage. Take the same power app

282
00:15:34.120 --> 00:15:37.200
demo we've been tormenting. Instead of having your copilot agent

283
00:15:37.279 --> 00:15:40.519
control the live version connected to enterprise data, clone the

284
00:15:40.519 --> 00:15:44.159
app into a developmental workspace. Let it misclick, freeze, or

285
00:15:44.240 --> 00:15:47.879
interpret delete record as performance art. Because every mistake in

286
00:15:47.919 --> 00:15:51.679
a sandbox saves you a dozen security tickets in production. Next,

287
00:15:52.120 --> 00:15:55.799
embrace minimal privilege configuration. Give your agent only the access

288
00:15:55.799 --> 00:15:58.919
it needs to complete its assigned task, nothing more, nothing adjacent.

289
00:15:59.320 --> 00:16:02.080
The temptation is to reuse the service account that already

290
00:16:02.120 --> 00:16:05.879
connects to everything. Resist it. Create a dedicated entraagent ID

291
00:16:05.960 --> 00:16:08.159
tied to the environment scope, not the entire tenant. Then

292
00:16:08.240 --> 00:16:11.919
layer environment segmentation on top. Development, test and production should

293
00:16:11.960 --> 00:16:15.519
be isolated like quarantine species. If your university invite agent

294
00:16:15.600 --> 00:16:18.679
goes feral it stays in the test terrarium rather than

295
00:16:18.720 --> 00:16:22.360
infecting the enterprise ecosystem. A practical technique is to implement

296
00:16:22.440 --> 00:16:25.639
human in loop control. Even with computer use driving the keyboard,

297
00:16:25.679 --> 00:16:29.360
you can route critical steps through power automate approvals before

298
00:16:29.360 --> 00:16:32.440
the agent actually commits a transaction, say submitting a record

299
00:16:32.519 --> 00:16:35.559
or modifying a schedule, require an approval flow triggered by

300
00:16:35.600 --> 00:16:38.759
the agent's intent. The AI pauses, the human reviews, the

301
00:16:38.799 --> 00:16:42.480
workflow resumes. This introduces latency, yes, but latency is cheaper

302
00:16:42.519 --> 00:16:46.080
than litigation. Human in loop oversight converts blind autonomy into

303
00:16:46.080 --> 00:16:50.000
supervised independence. Now integrate these controls with power platforms, evolving

304
00:16:50.039 --> 00:16:53.879
agent supervision systems, research features like plan Designer and agent

305
00:16:53.919 --> 00:16:57.039
feed in power apps and copilot studio. Plan Designer maps

306
00:16:57.039 --> 00:16:59.720
objectives to granular steps, making it easier to confine an

307
00:16:59.720 --> 00:17:04.079
agent sandbox, agent feed surfaces, live telemetry, its choices, errors,

308
00:17:04.079 --> 00:17:07.839
and context transitions, so you can audit behavior without performing

309
00:17:07.839 --> 00:17:12.079
digital forensics afterward. The combination turns agent management into observable

310
00:17:12.119 --> 00:17:15.640
science rather than superstition. The next layer is governance telemetry

311
00:17:15.759 --> 00:17:19.400
pair entra Id's access control data with Pervius classification and

312
00:17:19.440 --> 00:17:22.880
Defender's behavioral analytics. Think of them as the nervous, circulatory

313
00:17:22.880 --> 00:17:27.319
and immune systems of your automation organism. Entra Govern's identity

314
00:17:27.359 --> 00:17:32.000
scope perview labels the data the agent touches. Defender watches

315
00:17:32.039 --> 00:17:36.799
for fever spikes, unusual traffic sequence, repetition, or cross environment activity.

316
00:17:37.319 --> 00:17:39.680
Neglect any of these systems and your AI becomes an

317
00:17:39.720 --> 00:17:43.440
unsupervised lab experiment. If this starts to feel like parenting good,

318
00:17:43.640 --> 00:17:47.039
it should. Agents are interns with infinite stamina. They require

319
00:17:47.079 --> 00:17:52.359
clear instructions, constant supervision, and zero access to payroll. Never

320
00:17:52.400 --> 00:17:55.559
hand them domain admin privileges. That's equivalent to giving the

321
00:17:55.599 --> 00:17:58.279
new hire both the office keys and the nuclear codes,

322
00:17:58.319 --> 00:18:02.279
because it's just faster. Every privileged escalation breeds dependence and risk.

323
00:18:02.680 --> 00:18:05.400
Keep your AI hungry and bored. That's the posture of

324
00:18:05.400 --> 00:18:09.960
a safe intern. There's also the ethical dimension transparency around automation.

325
00:18:10.160 --> 00:18:15.119
Document every agentic workflow as you would a contractor agreement, state, purpose, scope, boundaries,

326
00:18:15.119 --> 00:18:18.559
and maintenance schedule. When users know which actions are AI driven,

327
00:18:18.599 --> 00:18:21.920
they can critically assess anomalies instead of assuming human error.

328
00:18:22.079 --> 00:18:25.279
Lack of awareness is what makes automation scandals blossom. A

329
00:18:25.319 --> 00:18:29.279
workable architecture evolves through governance, layering entra id for identity,

330
00:18:29.400 --> 00:18:32.799
per view for data, defender for behavior. Together they redefine

331
00:18:32.799 --> 00:18:36.599
accountability from who clicked it to which entity, with delegated

332
00:18:36.640 --> 00:18:40.440
reasoning clicked it. Each log line becomes a story when, where,

333
00:18:40.480 --> 00:18:43.640
and under what instruction. That's how you keep explainability intact.

334
00:18:43.640 --> 00:18:47.799
When autonomy increases, Eventually the sandbox graduates into limited production.

335
00:18:47.960 --> 00:18:51.240
That transition requires what pilots called type certification, formal sign

336
00:18:51.319 --> 00:18:53.799
of that a given agent can be trusted on certain systems,

337
00:18:54.119 --> 00:18:57.279
run controlled dry tests with mirror data, confirm that, perview

338
00:18:57.319 --> 00:19:00.920
and defender register events, and only then promote the agent. Remember,

339
00:19:01.359 --> 00:19:05.400
you are building a workforce of synthetic employees. Onboarding should

340
00:19:05.440 --> 00:19:09.319
be formal, not impulsive. The ultimate payoff is sustainable experimentation.

341
00:19:09.680 --> 00:19:12.680
You get the thrill of autonomy without the compliance migraines.

342
00:19:13.039 --> 00:19:16.359
Picture a digital workforce of narrow specialists, each agent dedicated

343
00:19:16.359 --> 00:19:19.720
to one procedure, operating under strict governance, logging every interaction.

344
00:19:20.039 --> 00:19:23.039
They're fast, tireless, and incapable of gossip, but they're also

345
00:19:23.119 --> 00:19:27.279
highly supervised. That balance execution Autonomy under corporate discipline is

346
00:19:27.319 --> 00:19:30.200
what will make agentic AI viable long terms. So yes,

347
00:19:30.240 --> 00:19:32.720
computer use can steer your power apps and invites, or

348
00:19:32.720 --> 00:19:35.200
even mimic testing scenarios, but its real function is to

349
00:19:35.200 --> 00:19:39.039
teach the organization new habits around automation. Test before trust,

350
00:19:39.200 --> 00:19:42.519
observe before delegate, and monitor after deploy. If you treat

351
00:19:42.559 --> 00:19:45.960
autonomy as privileged rather than entitlement, your agents will remain

352
00:19:46.000 --> 00:19:50.119
brilliant assistance instead of existential threats. Computer use in Copilot

353
00:19:50.160 --> 00:19:53.559
Studio doesn't just generate insights, it performs them. It turns

354
00:19:53.559 --> 00:19:56.440
Copilot from an advisor into an operator capable of acting

355
00:19:56.480 --> 00:19:59.400
in the same visual world humans navigate. The early demos

356
00:19:59.440 --> 00:20:02.039
may look clumy, but behind those misclicks lies a preview

357
00:20:02.039 --> 00:20:06.039
of leaderless governed automation that could redefine digital labor. The

358
00:20:06.160 --> 00:20:09.880
essential lesson autonomy requires discipline. Setting up Computer use is

359
00:20:09.920 --> 00:20:13.880
engineering governing, it is stewardship. Enterprises that combine both will

360
00:20:13.920 --> 00:20:17.359
lead this next phase of automation safely. If this helped

361
00:20:17.359 --> 00:20:19.640
you see Copilot Studio not as a novelty, but as

362
00:20:19.680 --> 00:20:22.519
an architectural shift, stay tuned. The next deep dives will

363
00:20:22.519 --> 00:20:26.480
explore fabric agents, purview, compliance, wiring, and the ethics of

364
00:20:26.519 --> 00:20:30.359
automated decision making. Lock in your upgrade path, subscribe, enable alerts,

365
00:20:30.400 --> 00:20:33.359
and let each new episode deploy automatically. No manual checks,

366
00:20:33.400 --> 00:20:36.759
no misedreleases, continuous delivery of useful knowledge. Proceed