Skip to Content
TutorialsAgent Skills for Claude

Agent Skills for Claude

TL;DR: You will author an open SKILL.md Agent Skill that packages Microsoft 365 governance expertise into a portable, version-controlled bundle Claude loads on demand, so agents follow your policies and controls instead of improvising.

What you will learn

  • How the open SKILL.md format structures a skill: YAML frontmatter, instructions, and bundled resources.
  • How to write progressive-disclosure instructions so Claude loads only what a task needs.
  • How to package supporting files (reference docs, scripts, templates) into a self-contained skill folder.
  • How to load and invoke a skill in Claude or Cowork, the same format this library publishes.
  • How to apply governance controls to skill authorship: least-privilege knowledge, data minimisation, and audit trails.

Prerequisites

  • Familiarity with Microsoft 365 governance concepts: sensitivity labels, DLP, Purview audit, and Microsoft Entra ID roles.
  • A Claude account with Agent Skills enabled, or access to Cowork, for loading and testing the skill.
  • A text editor and Git, since skills are plain folders that belong in version control.
  • Comfort writing Markdown and YAML frontmatter.
  • Recommended: complete the earlier track tutorials on building and governing agents before this advanced one.

Understand the SKILL.md anatomy

A skill is just a folder. At its root sits a single SKILL.md file, optionally accompanied by reference documents, scripts, and templates the skill can draw on. Claude reads the frontmatter to decide when a skill is relevant, then loads the body only when a matching task arrives. This is progressive disclosure: minimal tokens until the skill is actually needed.

Step 1: Lay out the folder

  1. Create a dedicated folder named after the skill, for example m365-label-governance.
  2. Place a SKILL.md file at its root.
  3. Add subfolders such as references/, scripts/, and templates/ only for material the skill genuinely needs.

A typical layout looks like this:

m365-label-governance/
  SKILL.md
  references/
    sensitivity-labels.md
    dlp-policy-catalogue.md
  scripts/
    export-label-coverage.ps1
  templates/
    label-review.md

Step 2: Write the frontmatter

The YAML frontmatter is the part Claude scans to match a skill to a task, so the description must be specific and outcome-focused. Keep it tight.

---
name: m365-label-governance
description: Review and remediate Microsoft 365 sensitivity label and DLP coverage. Use when auditing label scope, classifying data, or checking policy gaps.
---

Write the description in the third person and lead with what the skill does, then when to use it. Vague descriptions cause Claude to skip a relevant skill or load an irrelevant one.

Write the instruction body

Below the frontmatter, the Markdown body is the operating manual Claude follows. Treat it as a procedure a careful practitioner would hand to a capable colleague, concrete steps, named tools, and explicit guardrails.

Step 3: Structure the procedure

  1. Open with a one-line statement of the skill’s purpose and scope.
  2. List the concrete steps the agent should take, in order.
  3. Point to bundled resources by relative path so Claude opens them only when required.
  4. State the boundaries: what the skill must not do, and when to stop and ask a human.

A trimmed body might read like this:

## Purpose
 
Audit Microsoft 365 sensitivity label and DLP coverage and propose
least-privilege remediations. Scope is read-and-recommend only.
 
## Procedure
 
1. Read references/sensitivity-labels.md for the approved label taxonomy.
2. Run scripts/export-label-coverage.ps1 to gather current coverage.
3. Compare coverage against the taxonomy and flag unlabelled or
   over-permissioned content.
4. Draft findings using templates/label-review.md.
 
## Boundaries
 
- Never change labels or policies. Recommend only.
- Do not export or quote document contents in findings.
- Escalate any Confidential-or-higher gap to a human reviewer.

Step 4: Bundle resources for progressive disclosure

  1. Move long reference material out of SKILL.md and into the references/ folder, so the main file stays scannable.
  2. Reference each file by relative path in the procedure, never paste its full contents inline.
  3. Keep scripts small, single-purpose, and free of embedded secrets or tenant identifiers.
  4. Use templates to standardise the agent’s output, which makes results reviewable and auditable.

Load and run the skill

Step 5: Install the skill in Claude or Cowork

  1. Place the skill folder where your Claude or Cowork environment discovers skills, following your tenant’s deployment guidance.
  2. Confirm the skill appears in the available-skills list.
  3. Start a task whose intent matches the description, for example asking Claude to audit label coverage.
  4. Verify Claude announces it is using the skill, then watch that it opens only the bundled files the task needs.

Step 6: Iterate and version

  1. Treat the skill folder as code: commit it to Git and review changes through pull requests.
  2. Tighten the description whenever Claude loads the skill at the wrong time, or misses it when it should fire.
  3. Add a CHANGELOG entry for material changes so reviewers can track what the agent’s behaviour now permits.

Governance call-outs

  • Data minimisation: a skill is knowledge that travels. Never embed tenant data, document contents, secrets, or connection strings in SKILL.md or bundled files. Reference data sources; do not copy them in.
  • Least-privilege knowledge: scope each skill narrowly and prefer read-and-recommend procedures over autonomous change. Make destructive actions an explicit human escalation, not a default.
  • Identity and access: skills inherit the permissions of the agent that runs them. Confirm the agent’s Microsoft Entra ID identity holds only the roles its skills require, and review those grants under your P2 access-review cadence.
  • Compliance gates: route skill authorship through the same review pipeline as code, with pull requests, named approvers, and a CHANGELOG, so a skill cannot silently expand what an agent is allowed to do.
  • Audit trails: log when skills load and what bundled files and scripts they touch, and reconcile that against Microsoft Purview audit so you can answer who-did-what when an agent acts.

Next step

You have completed the track — browse the skills library to put it into practice.

Sources

Licensed under CC BY 4.0  by Educ4te .

Last updated on
Agent 365 SDK