Skip to main content

Admin Setup Wizard

The Admin Setup Wizard guides you through provisioning a Personal Assistant for an employee. This is the first phase of PA setup, once you complete the wizard, the employee receives an email inviting them to personalize and activate their assistant.

Prerequisites

Before starting the setup wizard, ensure you have:

  • Administrator access to Control Bridge (requires users:write permission)
  • At least one LLM provider configured (navigate to Build > Governance > AI Providers)
  • A shared mailbox in Microsoft 365 for the PA to use as its email identity (or be ready to create one)
  • The employee's user account synced from Microsoft Entra ID

Assigning the PA User Role

  1. Sign in to Control Bridge
  2. Navigate to Manage > Team > Users
  3. Click on the employee you want to assign a PA to (or click Add User to create a new user)
  4. In the role selector, add the PA User role
  5. Click Save
info

The PA User role chip displays a small indicator icon showing that selecting this role triggers additional setup. A tooltip explains: "Assigning this role will open the Personal Assistant setup wizard after saving."

After saving, you are automatically redirected to the PA Admin Setup Wizard for that employee.

Returning to an Incomplete Setup

The wizard is mandatory but deferrable. If you need to leave before completing it, you can save your progress and return later:

  • Each wizard step has a Save & Exit button that preserves your progress
  • The user management page shows a PA Pending Setup badge next to users whose PA setup is incomplete
  • Click the badge or the user to open their profile, where a prominent Complete PA Setup banner links back to the wizard
  • Until you complete the wizard, the PA remains in the pending_admin_setup state

Wizard Step 1: Assign a Shared Mailbox

Select or create a shared mailbox that the PA will use as its email identity. This is the email address employees and external contacts will use to reach the PA.

Configuration

FieldDescription
Shared MailboxSelect from shared mailboxes in your Microsoft 365 organization that are not assigned to any other agent or PA
How to Create a Shared Mailbox

Option A: Microsoft 365 Exchange Admin Center

  1. Go to admin.microsoft.com > Exchange > Mailboxes
  2. Click "Add a shared mailbox"
  3. Enter a display name (e.g., "John Doe's Assistant")
  4. Enter an email address (e.g., john.doe.pa@company.com)
  5. Click "Save"

Option B: PowerShell

New-Mailbox -Shared -Name "John Doe PA" -PrimarySmtpAddress john.doe.pa@company.com

Recommended email formats: john.doe.pa@company.com or john.doe.assistant@company.com, but any address works.

Only shared mailboxes not currently assigned to any agent appear in the dropdown. The system checks both existing agents and PAs in pending states to avoid conflicts. If you just created a mailbox, click the Refresh button to update the list.

warning

Each shared mailbox can only be assigned to one agent or PA. If the mailbox you need is already in use, you must either choose a different mailbox or remove the mailbox from the other agent first.

Wizard Step 2: Select Available Tools

Choose which tools the employee will be allowed to assign to their PA. The employee selects from this approved pool during their own setup.

Configuration

FieldDescription
Available ToolsCheckboxes for each tool in your tenant (global and tenant-specific), grouped by category (Communication, Research, Data, etc.)

Tools are grouped by category with search and filter options. You can toggle all tools or select individually. Each tool displays its name and a brief description on hover.

info

If you later remove a tool from the available pool, it is automatically removed from the employee's PA if they had assigned it. The employee receives a notification specifying which tool was revoked.

Wizard Step 3: Select Allowed LLM Models

Choose which AI models the employee can use with their PA. Different models have different capabilities and costs.

Configuration

FieldDescription
Allowed ModelsCheckboxes for each model configured in your tenant's AI Providers settings

Only models that are configured and active in your tenant's LLM provider settings are shown. At least one model must be selected to proceed.

tip

If cost management is a priority, consider limiting the available models to efficient options like GPT-4o-mini or Claude Haiku. Employees can always request access to additional models through their administrator.

Wizard Step 4: Additional Settings

Configure working hours, escalation preferences, and execution limits. These settings establish boundaries for the PA. The employee can adjust their preferences within these boundaries during their own setup (for example, wake-up frequency within the working hours you define).

Configuration

SettingDescriptionDefault
Working Hours (optional)The PA only performs scheduled work during these hours (e.g., 9:00 AM - 5:00 PM). Leave blank to allow the PA to work at any time. Scheduled wake-ups are evenly distributed within this window.Unrestricted
TimezoneTimezone for interpreting working hours and resetting daily limitsTenant timezone
Escalation BehaviorThree-tier system controlling when the PA acts autonomously vs. asks the employee (Tier 1, 2, or 3)Tier 2: Act on low-risk, ask on high-risk
Maximum Daily ExecutionsHard limit on how many times the PA can wake up per day (includes scheduled, email-triggered, chat-triggered, and manual "Wake Up Now" requests)10
info

The daily execution limit resets at midnight in the specified timezone. This counter includes all wake-up types: scheduled, email-triggered, chat-triggered, and manual. Real-time email responses are processed even if the limit is reached, but they trigger a notification that the daily limit has been exceeded.

Escalation Behavior Options

The PA uses three escalation tiers that control when it asks the employee for approval versus acting autonomously:

TierOptionBehavior
Tier 3Always askPA pauses and asks the employee before acting on any task. All operations require explicit approval. Use for highly sensitive environments.
Tier 2Act on low-risk, ask on high-risk (recommended)PA acts independently on routine tasks (drafting emails, updating projects), asks for guidance on significant actions (escalations, large financial decisions, external communications). Balances efficiency and control.
Tier 1Act independentlyPA handles everything autonomously; employee reviews outcomes later in Activity log. Best for trusted employees who want maximum efficiency.

The tier is set at the organization level during setup but can be adjusted by the admin after activation. At Tier 3, the send_message_to_boss tool always prompts the employee first.

Completing the Wizard

Click Complete on the final step to finish the admin setup. This triggers the following actions:

  1. The PA status transitions from pending_admin_setup to pending_employee_setup
  2. The employee receives a setup email sent from the PA's shared mailbox (the mailbox you selected in Step 1)
  3. The employee's account shows "PA Ready for Setup" in the user management list

Setup Email

The employee receives an email containing:

  • Confirmation that they have been assigned a PA, including who assigned it
  • The PA's email address (shared mailbox)
  • A direct link to the PA Hub where they can complete their setup
  • A brief overview of what the setup process involves (about 5 minutes)
  • Instructions to contact their administrator with questions

Privacy Policy Configuration

The PA privacy policy is a tenant-level setting that applies uniformly to all PAs in your organization. It controls what administrators can see about PA activity but does not restrict what the PA itself can do.

Navigate to the PA configuration area in Control Bridge to select the privacy level:

LevelWhat Admins SeeBest For
PrivateOnly PA existence, status, name, and activation dateHigh-trust organizations prioritizing employee autonomy
Metadata Only (default)Plus execution count, token usage, cost, tool usage stats, goal titles (not descriptions), last activeOrganizations needing cost visibility and usage monitoring
Full VisibilityPlus full goal/project/task details, activity log, chat history, custom instructions, employee profile dataRegulated industries, high-security environments, or required administrative oversight
warning

Changing the privacy policy takes effect immediately for all PAs in your organization. All PA users receive a notification about the change. Consider communicating the reasons to your team proactively.

Post-Setup Configuration

After the employee activates their PA, you can modify settings at any time using the dedicated PA Admin Configuration page. Navigate to Manage > Team > Users, select the user, and click PA Settings to open the management interface.

Admin Configuration Page

The PA Admin Configuration page provides a centralized interface for managing an active employee's PA. It displays:

  • PA status with Pause, Resume, and Deactivate controls
  • PA name, shared mailbox email, activation date, and last active timestamp
  • Usage metrics (visible at Metadata Only and Full Visibility privacy levels): execution count, token usage, and estimated cost
  • Available tools and models with inline editing capability
  • Working hours, daily execution limit, and escalation behavior settings (Tier 1, 2, or 3)

What Admins Can Change

SettingEffectEmployee Notified?
Available toolsAdd or remove tools from the employee's approved poolYes (with specific tool names if removed)
Allowed modelsAdd or remove LLM modelsYes
Working hoursPA respects new hours on the next cycleYes
Escalation behaviorUpdated for the next executionYes
Daily execution limitEnforced immediatelyYes
Pause (admin-initiated)Immediately stops PA execution; employee cannot resume without admin resuming firstYes
ResumeRestarts PA execution and calculates next wake-up; employee can resume their own pausesYes
DeactivateStops all PA activity; requires full re-setup to reactivateYes
Privacy policyApplies immediately to all PAs in the organizationYes (all PA users notified)
info

When you make changes, the employee receives an in-app notification (and optionally an email) describing what changed. If you remove a tool that the employee had actively assigned to their PA, the notification specifically names the revoked tool.

What Admins Cannot Change

Even with full administrative access, you cannot modify employee-owned settings:

  • PA name, avatar, communication style, or custom instructions
  • Employee's goals, projects, or tasks
  • Employee's data access permissions (primary mailbox, calendar, contacts, files)
  • Employee's wake-up frequency or summary preferences
  • Employee's tool assignments (you control the approved pool; employee selects from it)
  • Employee's preferred LLM model (you control approved models; employee selects their preference)

These settings are controlled by the employee within the boundaries you define. This boundary-based model ensures the PA remains personalized while maintaining organizational oversight. See Privacy & Governance for the full governance model.

Key Features & Limits

Daily Execution Counter

The PA counts every wake-up toward the daily execution limit, which resets at midnight in the configured timezone:

  • Scheduled wake-ups - Count against the limit
  • Email triggers - Count against the limit
  • Chat messages - Count against the limit
  • Manual "Wake Up Now" - Count against the limit

When the limit is reached, the PA pauses and displays a notification: "Daily execution limit reached. You can still receive real-time email responses, but scheduled work is paused until [time]." The employee can request manual pauses or resume via the PA Hub.

EscalationBehavior Tiers

The escalation tier determines autonomy for uncertain situations:

  • Tier 1 (Act independently) - PA makes decisions on all tasks; minimal prompting
  • Tier 2 (Act on low-risk, ask on high-risk) - PA handles routine work autonomously, asks for approval on significant actions
  • Tier 3 (Always ask) - PA pauses before any action requiring judgment; employee approves all operations

Troubleshooting

Shared Mailbox Not Listed

If your mailbox does not appear in the selection:

  1. Verify the mailbox is synced in your Microsoft 365 organization
  2. Ensure the mailbox is a shared mailbox (not a user mailbox)
  3. Check that the mailbox is not already assigned to another agent or another PA
  4. Click Refresh to reload the mailbox list

If you just created the mailbox, wait a few minutes for it to sync before refreshing.

Employee Did Not Receive Setup Email

If the employee reports they did not receive the setup email:

  1. Check the employee's spam or junk folder
  2. Verify the employee's email address is correct in their user profile
  3. Confirm that the PA's shared mailbox has proper send permissions (it should be able to send as itself)
  4. The employee can also access the PA Hub directly by navigating to the PA section in Control Bridge (they will be redirected to the setup wizard automatically)

Role Assignment Fails

If the PA User role cannot be assigned:

  1. Verify you have administrator permissions (users:write)
  2. Ensure the employee's user account is active and synced from Microsoft Entra
  3. Check that the employee does not already have a PA (each user can only have one)
  4. Verify the employee's mailbox is active and reachable

PA Paused by Admin - Employee Cannot Resume

This is intentional. If the admin pauses a PA (e.g., for policy enforcement), the employee cannot resume it. The employee sees: "Paused by your administrator. Contact them to resume." The admin must resume the PA from the PA Admin Configuration page.

Next Steps

After completing the admin setup:

  1. Inform the employee to check their email for the setup invitation
  2. Review Employee Setup Wizard to understand what the employee will configure
  3. Learn about Privacy & Governance to understand your ongoing management options