Manual GRC in Microsoft 365 Is Broken – Build This Agent Instead

Opening — The Pain of Manual GRC

Let’s talk about Governance, Risk, and Compliance reports—GRC, the three letters responsible for more caffeine consumption than every SOC audit combined. Somewhere right now, there’s a poor analyst still copying audit logs into Excel, cell by cell, like it’s 2003 and macros are witchcraft. They’ll start with good intentions—a tidy workbook, a few filters—and end up with forty tabs of pivot tables that contradict each other. Compliance, supposedly a safeguard, becomes performance art: hours of data wrangling to reassure auditors that everything is “under control.” Spoiler: it rarely is.

Manual GRC reporting is what happens when organizations mistake documentation for insight. You pull data from Microsoft Purview, export it, stretch it across spreadsheets, and call it governance. The next week, new activities happen, the data shifts, and suddenly, your pristine charts are lies told in color gradients. Audit trails that should enforce accountability end up enforcing burnout.

What’s worse, most companies treat Purview as a vault—something to be broken into only before an audit. Its audit logs quietly accumulate terabytes of data on who did what, where, and when. Useful? Absolutely. Readable? Barely. Each entry is a JSON blob so dense it could bend light. And yes, you can parse them manually—if weekends are optional and sanity is negotiable.

Now, contrast that absurdity with the idea of an AI Agent. Not a “magic” Copilot that just guesses the answers, but an automated, rules-driven agent constructed from Microsoft’s own tools: Copilot Studio for natural language intelligence, Power Automate for task orchestration, and Purview as the authoritative source of audit truth. In other words, software that does what compliance teams have always wanted—fetch, analyze, and explain—with zero sighing and no risk of spilling coffee on the master spreadsheet.

Think of it as outsourcing your GRC reporting to an intern who never complains, never sleeps, and reads JSON like English. By the end of this explanation, you’ll know exactly how to build it—from connecting your Purview logs to automating report scheduling—all inside Microsoft’s ecosystem. And yes, we’ll cover the logic step that turns this from a simple automation into a fully autonomous auditor. For now, focus on this: compliance shouldn’t depend on caffeine intake. Machines don’t get tired, and they certainly don’t mislabel columns.

There’s one logic layer, one subtle design choice, that makes this agent reliable enough to send reports without supervision. We’ll get there, but first, let’s understand what the agent actually is. What makes this blend of Copilot Studio and Power Automate something more than a flow with a fancy name?

Section 1: What the GRC Agent Actually Is

Let’s strip away the glamour of “AI” and define what this thing truly is: a structured automation built on Microsoft’s stack, masquerading as intelligence. The GRC Agent is a three-headed creature—each head responsible for one part of the cognitive process. Purview provides the raw memory: audit logs, classification data, and compliance events. Power Automate acts as the nervous system: it collects signals, filters noise, and ensures the process runs on schedule. Copilot Studio, finally, is the mouth and translator—it takes the technical gibberish of logs and outputs human-readable summaries: “User escalated privileges five times in 24 hours, exceeding policy threshold.” That’s English, not JSON.

Here’s the truth: 90% of compliance tasks aren’t judgment calls—they’re pattern recognition. Yet, analysts still waste hours scanning columns of “ActivityType” and “ResultStatus” when automation could categorize and summarize those patterns automatically. That’s why this approach works—because the system isn’t trying to think like a person; it’s built to organize better than one.

Let’s break down those components. Microsoft Purview isn’t just a file labeling tool; it’s your compliance black box. Every user action across Microsoft 365—sharing a document, creating a policy, modifying a retention label—gets logged. But unless you’re fluent in parsing nested JSON structure, you’ll never surface much insight. That’s the source problem: data abundance, zero readability.

Next, Power Automate. It’s not glamorous, but it’s disciplined. It triggers on time, never forgets, and treats every step like gospel. You define a schedule—say, daily at 8 a.m.—and it invokes connectors to pull the latest Purview activity. When misconfigured, humans panic; when misconfigured here, the flow quietly fails but logs the failure in perfect detail. Compliance loves logs. Power Automate provides them with religious regularity.

And finally, Copilot Studio, which turns structured data into a narrative. You feed it a structured summary—maybe a JSON table counting risky actions per user—and it outputs natural language “risk summaries.” This is where the illusion of intelligence appears. It’s not guessing; it’s following rules embedded in the prompt you design. For example, you instruct it: “Summarize notable risk activities, categorize by severity, and include one recommendation per category.” The output feels like an analyst’s memo, but it’s algorithmic honesty dressed in grammar.

Now, let’s address the unspoken irony. Companies buy dashboards promising visibility—glossy reports, color-coded indicators—but dashboards don’t explain. They display. The GRC Agent, however, writes. It translates patterns into sentences, eliminating the interpretive gap that’s caused countless “near misses” in compliance reviews. When your executive asks for “last month’s risk patterns,” you don’t send them a Power BI link you barely trust—you send them a clean narrative generated by a workflow that ran at 8:05 a.m. while you were still getting coffee.

Why haven’t more teams done this already? Because most underestimate how readable automation can be. They see AI as unpredictable, when in fact, this stack is deterministic—you define everything. The logic, the frequency, the scope, even the wording tone. Autonomy isn’t random; it’s disciplined automation with language skills.

Before this agent can “think,” though, it must see. That means establishing a data pipeline that gives it access to the right slices of Purview audit data—no more, no less. Without that visibility, you’ll automate blindness. So next, we’ll connect Power Automate to Purview, define which events matter, and teach our agent where to look. Only then can we teach it what to think.

Section 2: Building the Purview Data Pipeline

Before you can teach your GRC agent to think, you have to give it eyes—connected directly to the source of truth: Microsoft Purview’s audit logs. These logs track who touched what, when, and how. Unfortunately, they’re stored in a delightful structural nightmare called JSON. Think of JSON as the engineer’s equivalent of legal jargon: technically precise, practically unreadable. The beauty of Power Automate is that it reads this nonsense fluently, provided you connect it correctly.

Step one is Extract. You start with either Purview’s built‑in connector or, if you like pain, an HTTP action where you call the Purview Audit Log API directly. Both routes achieve the same thing: a data stream representing everything that’s happened inside your tenant—file shares, permission changes, access violations, administrator logins, and more. The more disciplined approach is to restrict scope early. Yes, you could pull the entire audit feed, but that’s like backing up the whole internet because you lost a PDF. Define what events actually affect compliance. Otherwise, your flow becomes an unintentional denial‑of‑service on your own patience.

Now, access control. Power Automate acts only as the permissions it’s granted. If your flow’s service account can’t read Purview’s Audit Log, your agent will stare into the void and dutifully report “no issues found.” That’s not reassurance; that’s blindness disguised as success. Make sure the service account has the Audit Logs Reader role within Purview and that it can authenticate without MFA interruptions. AI is obedient, but it’s not creative—it won’t click an authenticator prompt at 2 a.m. Assign credentials carefully and store them in Azure Key Vault or connection references so you remain compliant while keeping automation alive.

Once data extraction is stable, you move to Filter. No one needs every “FileAccessed” event for the cafeteria’s lunch menu folder. Instead, filter for real risk identifiers: UserLoggedInFromNewLocation, RoleAssignmentChanged, ExternalSharingInvoked, LabelPolicyModified. These tell stories auditors actually care about. You can filter at the query stage (using the API’s parameters) or downstream inside Power Automate with conditional logic—whichever keeps the payload manageable. Remember, you’re not hoarding; you’re curating.

Then comes the part that separates professionals from those who think copy‑paste is automation: Feed. You’ll convert those JSON blobs into structured columns—something your later Copilot module can interpret. A simple method is using the “Parse JSON” action with a defined schema pulled from a sample Purview event. If the terms “nested arrays” cause chest discomfort, welcome to compliance coding. Each property—UserId, Operation, Workload, ResultStatus, ClientIP—becomes its own variable. You’re essentially teaching your future AI agent vocabulary words before conversation begins.

At this stage, you’ll discover the existential humor of Microsoft’s data formats. Some audit fields present as arrays even when they hold single values. Others hide outcomes under three layers of nesting, like Russian dolls of ambiguity. Power Automate handles this chaos with expressions. The syntax items(’Apply_to_each’)?[’UserId’] may look arcane, but it’s how you tell automation to dig through JSON and surface meaning. A minor typo here creates spectacular nonsense later—so test each extraction with small sample runs. Yes, debugging flows is glamorous work.

You might want to persist this cleaned data somewhere—SharePoint, Dataverse, or even a SQL database—depending on how heavy your reports are. This store acts as short‑term memory, giving your agent historical comparison without hammering Purview repeatedly. Think of it as caching intelligence: yesterday’s events help today’s analysis sound informed. If you need columnar capability or relationships between data sets, Dataverse plays nicer with Power Automate; SharePoint is easier but clumsier beyond a few thousand rows.

Next: Scheduling. Define cadence. Daily summaries for dynamic environments, weekly for calmer ecosystems. Use the Power Automate “Recurrence” trigger—set it to your timezone, not UTC, unless you enjoy wondering why reports arrive at 3 a.m. The flow kicks off automatically, extracts the filtered data, transforms it, stores it, and prepares the payload for the next phase—the logic brain. Compliance consistency is no longer dependent on human enthusiasm; it’s clockwork.

While you’re configuring, handle error tolerance. Suppose Purview’s API throws a “TooManyRequests” error—because, shockingly, every other analyst tried to query logs at the same second. Build retry policies and fallback messages. Even automation should fail gracefully: write the error to a log file and post a Teams message if thresholds exceed expected parameters. That way, you’re managing failure as data, not as drama. Remember, auditors don’t penalize errors; they penalize missing documentation of them.

You now have a living pipeline: Purview streaming data through Power Automate’s arteries into whatever storage organ you’ve chosen. It replaces the manual process of data collection with something far more disciplined. If done right, it also introduces subtle cultural change—suddenly your compliance reporting isn’t a sprint before audits but a continuous heartbeat.

And for the record, yes, you could accomplish the same by manually querying Purview every Friday and copying results into Excel. You could also churn your own butter. The pipeline doesn’t exist because you can’t do it another way—it exists because you value weekends. The joke’s on those still scrolling through log exports, claiming “automation is risky.” The only real risk left is sticking with a process so brittle that one absent analyst breaks the audit trail.

Now that your agent has sight—a constant data feed with structure and schedule—it’s time to give it cognition. The next layer turns raw information into interpretation: decision thresholds, conditional logic, and data summarization. Essentially, we move from eyes to brain. The foundation is set; let’s teach it how to think.

Section 3: Giving the Agent a Brain — Power Automate Logic

Power Automate isn’t intelligent; it’s disciplined. It doesn’t hypothesize or improvise—it obeys. And in compliance, obedience beats imagination. This predictability is how your so‑called “AI agent” earns the label autonomous.

The Ritual Trigger

Everything begins with recurrence. Set up a Recurrence trigger—daily, weekly, or whenever your auditors demand predictability. Use your local timezone unless you prefer mystery reports arriving at 3 a.m. Once triggered, initialize variables like TotalEvents, HighRiskCount, and RunDate. These become the agent’s short‑term memory, its workspace for logic.

Extract and Clean

Next, call the Purview Audit Logs connector or hit the Audit Log API directly. The response? Dozens of irrelevant system pings mixed with valuable events. Insert a Filter Array step to trim anything useless—like heartbeat telemetry masquerading as action. Then de‑duplicate. The Union() expression quickly wipes away redundant entries. When finished, you have a clean sample worth analyzing instead of a fog of noise.

Categorize Behavior

Group records by UserPrincipalName and Operation. Power Automate’s Select and Apply to each actions produce counts per user. From there, apply simple numeric thresholds:

* If PrivilegeEscalations > 3: mark High Risk

* If ExternalShares > 1: mark Medium Risk

* Otherwise: Normal

That’s it—the illusion of judgment emerging from arithmetic. You’ve replaced human hunches with deterministic math.

Conditional Reasoning

Create nested Condition actions. Push each result into arrays—HighRiskArray, MediumRiskArray, and so forth. If none qualify, deliberately write “No findings detected.” In compliance, silence isn’t virtue; it’s missing evidence. Every run should end with an explicit statement, even if it’s “Nothing happened.”

Error Handling and Recovery

APIs fail. Purview throttles. Humans panic. Instead of joining them, enclose HTTP actions in Scope containers with retry logic—three attempts, exponential backoff. If all else fails, log the time, Flow Run ID, and message into a SharePoint list or Dataverse table called “Automation Health.” Congratulations, you’re now documenting failure faster than most teams document success.

Anecdote for humility: during early testing, many find “zero issues” in their first run. Often that’s not utopia—it’s misconfigured permissions. The service account without the Audit Logs Reader role sees nothing and therefore concludes perfection. The machine isn’t lazy; it’s obediently blind.

Logging and Audit Trail

End each run with an Append to file or Create item action summarizing totals, risk categories, runtime, and flow version. Post summaries to a Teams channel. The next time auditors ask, you won’t defend memory; you’ll open folders of evidence.

Finally, stamp each output with a Run ID and version tag. Governance loves traceability, and now even your automation has version control. Once you reach this point, your agent no longer depends on humans clicking buttons—it wakes itself, analyzes behavior, and records truth on schedule.

That’s a brain. Not a creative one, but a reliable one—which is exactly what compliance requires.

Section 3: Giving the Agent a Brain — Power Automate Logic

Power Automate isn’t “AI.” It doesn’t dream, speculate, or hallucinate compliance risks. What it does is something most humans can’t sustain—obedience. It never forgets a step, never improvises, and never claims “it should’ve worked.” That predictable rigidity is exactly what autonomy requires.

The logic layer of your GRC Agent starts with structure. The flow must trigger itself, query Purview reliably, interpret what it finds, and decide when events cross the thresholds you define. Picture a chain reaction: the recurrence trigger goes off → a call hits Purview → data gets sanitized → patterns are tallied → risk categories are assigned. No drama, just execution.

Start with a Recurrence trigger. A well‑timed recurrence is civilization’s answer to human forgetfulness. Configure it for the timezone your auditors live in. Whether daily or weekly, that schedule means the flow begins its ritual unprompted—precisely how “autonomous” systems stay alive.

Immediately follow that with an initialization block — environment variables, counters, arrays. These provide the cognitive scaffolding the agent will use later. Variables like TotalEvents, HighRiskCount, and ReportDate become its working memory.

Once triggered, the flow invokes the Purview Audit Logs connector or the HTTP API. Then comes reality: raw responses include static noise, system heartbeats, or completely irrelevant events. Insert a Filter Array step to remove the junk. Common pattern: ignore any record where UserType = ServicePrincipal and keep only Operation types linked to data governance or policy change. This trimming is what keeps your agent analytic instead of anxious.

Given Microsoft’s love for redundancy, many log streams repeat identical events. Drop duplicates using a simple Union() expression or loop comparison. What’s left is signal — a truthful subset worth classifying.

Here’s where the script earns its “brain” label. Add a Compose or Select action that groups remaining records by UserPrincipalName and Operation. Then feed the counts into Apply to each loops that total each category. At the end, your agent holds a snapshot: who did what, how often, and whether it hit predefined risk boundaries.

The secret to autonomy is letting the system infer risk levels from thresholds you define. For example:- If PrivilegeEscalations > 3, set RiskLevel = “High”- If ExternalShares > 1, set RiskLevel = “Medium”- Otherwise, “Normal”

This logic doesn’t invent meaning—it enforces it. By codifying what “too many” looks like, you’ve replaced human hunches with numeric clarity.

Use nested Condition actions. When RiskLevel = High, append that user’s information to a HighRiskArray. When Medium, perhaps queue for review. When nothing unusual appears, log a “no findings” message rather than returning silence. The distinction between missing data and no data is sacred in compliance.

After thresholds fire, optionally call a Copilot Studio endpoint for narrative summarization—“Two users exceeded risk thresholds.” But that language step belongs in the next section; here, the purpose is qualification, not composition.

Errors happen. Purview’s API throttles or hiccups more often than its marketing implies. Wrap all HTTP calls in a Scope container with retry policy enabled: 3 attempts, exponential backoff. In the Failure branch, log the error message, timestamp, and flow run ID to a SharePoint list or a Dataverse table named “AutomationHealth.”

On first deployment, expect comedy. When I first tested this build, the agent proudly reported zero issues. Perfect compliance, I thought—until I realized the service account lacked the Audit Logs Reader role. The robot wasn’t lazy; it was obediently blind. A reminder that automation enforces exactly what you give it—and nothing more.

Every flow run writes evidence of execution. Insert a final Append to file or Create item action that saves summary metrics: total events processed, highest risk user, runtime duration. Stream those results to a Teams channel or governing SharePoint library. When audit season arrives, you won’t defend recollections—you’ll display artifacts.

Add one extra safeguard: include a “Run ID” and “Flow Version.” If your thresholds change later, auditors still trace which logic produced which outcome. Governance of the machine equals governance by machine.

At this point the automation can classify, count, and decide. It knows when risk levels breach policy yet says nothing about them. To humans, that silence feels eerie—so the next layer will provide words. Or as we might put it: now that it can think, it needs to speak—and in English, preferably.

Section 4: Teaching It to Write — Copilot Studio Integration

Up until now, your agent has been the strong, silent type—efficient but mute. Copilot Studio is what gives it speech, an interpreter that translates data into diplomacy. Picture it as the multilingual negotiator trapped between code and committee meetings: a system that doesn’t invent stories, it rewrites reality in sentences humans can parse. Its talent lies in turning the JSON swamp Power Automate produces—your neat digest of user actions, risk counts, and event records—into paragraphs polite enough for executives and precise enough for auditors. It bridges syntax and politics, ensuring what was once raw machine data now reads like reasoned judgment instead of spreadsheet gibberish.

Start by defining what sort of communication you want. There are usually three: an executive summary, a technical appendix, and recommendations. Each serves a different intelligence level. Management wants one paragraph. Auditors need evidence trails. IT staff want every field because they inoculate themselves with data. You’ll create a single Copilot experience in Studio but scaffold multiple prompts inside it. Each prompt molds tone, format, and verbosity. Example: “Summarize the top risks using plain English, limit to five bullet points, and suggest a remediation for each.” The next might be, “Produce a technical appendix listing every high‑risk event in table form.”

To connect Power Automate with Copilot Studio, use an HTTP action inside your flow that posts the structured JSON payload to the Copilot’s endpoint URL. The Copilot interprets that payload using the system prompt you’ve defined. Microsoft’s authentication makes this secure; you authenticate the call through Azure AD so only your flow can access it. Congratulations—you’ve just taught your bot to send structured thoughts to a writing machine. The result returned is text, not numbers. That text is your report.

Feed that into Copilot with instructions such as, “Summarize these results in a short compliance report, categorize by severity, recommend one action per finding, and close with overall trend.” Copilot returns something resembling an analyst’s memo:“Two users exhibited elevated risk behavior yesterday. Adele Vance performed three privilege escalations exceeding the allowable threshold—recommend immediate review of admin roles. Megan B. attempted external sharing once; remind user of external data policy. No other anomalies detected. Overall trend compared to baseline: stable.”

See? That’s not generative guessing; that’s formatted synthesis following deterministic prompts. Humans call it writing. Machines call it output. The secret is your control of both data structure and language structure. Copilot isn’t roaming free; it’s narrating statistics.

Now decide distribution. Ordinary mortals shouldn’t log into the Dataverse to find reports, so use Power Automate’s connectors again. Work from two branches of the same flow: one that posts Copilot’s summary straight into a Teams channel, another that logs a full HTML version to SharePoint. Management reads the Teams post; auditors open the archive for documentation. Both arrive automatically, time‑stamped, with identical phrasing. That’s consistency—a virtue unknown to most human writers.

Let’s talk about prompt engineering discipline. You’ll want guardrails. Specify the exact headings Copilot should use: Overview, Key Findings, Recommendations. If left unspecified, Copilot will try to impress you with narrative flair or emojis—an audit report with emojis is marketable only to chaos. Embed directives like “Use professional, neutral tone; avoid speculative language; include quantifiable metrics.” The tighter your instructions, the more reproducible your output. Compliance thrives on reproducibility, not personality.

There’s beauty in the mundane mechanics. Copilot Studio allows context variables; you can embed dynamic data like report date or run duration directly inside the output. Use placeholders—{{date}}, {{recordCount}}. When the flow calls the Copilot, those variables resolve automatically. The result reads: “Generated on  March 15,  563 audit events analyzed.” That meta‑context satisfies auditors faster than a GIF ever could.

Accuracy demands one final pass—validation. Insert a Power Automate condition checking that Copilot’s response isn’t empty. If it is, save the failure to your log and recurse once. You’ve already taught your agent self‑awareness in logic; now you combine it with linguistic sanity checks. The finished flow looks like this: extract → analyze → summarize → narrate → publish. Every arrow represents accountability.

A final refinement: version the Copilot’s system prompt. Each time compliance criteria change, tag your update (v1., v1.1, etc.) and record which prompt version produced which report. Future audits can reference not only what happened but how the narrative model was instructed at the time. It’s meta‑compliance—the governance of governance writing itself. Bureaucracy finally achieves recursion.

Once Copilot Studio writes its report, your human role becomes mercifully optional. The agent crafts a narrative, attaches evidence, posts the files, archives prior versions, and shuts down until its next awake cycle. It doesn’t email you for approval, because you explicitly designed it not to need affirmation. It’s quietly proud—if you’ll permit anthropomorphism—of its linguistic precision. This is where autonomy ceases to be metaphor and becomes a workflow reality. The machine not only processes compliance data; it explains compliance back to humans on schedule, without the emotional turbulence of “running late.”

And yes, if you want whimsy, you could give it a closing signature like, “Report compiled autonomously by Copilot GRC Agent.” Nothing discourages management micromanagement like a robot signing its own work. Now that the agent can articulate findings, you can stop writing GRC reports forever—or at least until someone disables your connectors.

Section 5: The Result — Autonomous GRC in Action

At this stage, the cycle completes itself. Purview collects, Power Automate interprets, Copilot summarizes, and you, astonishingly, have weekends back. A daily ritual of drudgery morphs into a single workflow that speaks fluent compliance. The results appear in Teams at precisely the same time, every interval—clear text, consistent terminology, auditable provenance.

The subtle benefit isn’t speed; it’s standardization. Each report sounds the same, uses the same thresholds, and logs identical metadata. Auditors no longer waste hours validating format; they evaluate substance. Risk patterns become narratives traced across time instead of spreadsheet chaos.

You’ve turned compliance from documentation into orchestration—an always‑on system that monitors, interprets, and reports with courtroom precision. Manual GRC reports are typewriters. This agent is the word processor—automated proofreading included. Deploy it before the next audit season, and the phrase “manual compliance report” will soon sound as outdated as “fax me the logs.” Next up? Extending this intelligence to data‑privacy enforcement. You’ve already built the brain; now let it police.

This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit m365.show/subscribe