Cookie Consent by Free Privacy Policy Generator
Agent365 Copilot Entra Purview Defender agents
17 min read

Microsoft Agent 365: The Control Plane for AI Agents Is Now Generally Available

Microsoft Agent 365 reached general availability on 1 May 2026. Here is what the service is, why it matters for organizations already using Microsoft 365 Copilot, what changes operationally, and how to take the first steps after acquiring a license.
Holger Imbery
Written by Holger Imbery
Microsoft Agent 365: The Control Plane for AI Agents Is Now Generally Available
Photo by JESHOOTS.COM on Unsplash

Table of Contents

  1. Introduction: Why a Control Plane for Agents Is Now a Necessity
  2. What Microsoft Agent 365 Actually Is
  3. The Five Pillars in Greater Detail
    1. Registry
    2. Access Control through Entra Agent ID
    3. Visualization
    4. Interoperability
    5. Security
  4. What Changes Operationally with Agent 365
  5. Licensing and Availability
  6. Taking Your First Steps After Acquiring a License
    1. 1. Confirm Roles and Licenses
    2. 2. Open the Agents Area in the Microsoft 365 Admin Center
    3. 3. Establish a Baseline Policy
    4. 4. Activate or Install Your First Agent
    5. 5. Process Activation and Approval Requests
    6. 6. Turn On Observability and Security
    7. 7. Use the Agent Map to Validate Reality Against Intent
    8. 8. Maintain Lifecycle Hygiene
  7. Practical Guidance for a Successful Rollout
  8. Caveats and What to Watch
  9. Conclusion: A Single, Coherent Place to Govern Agents
  10. Official Sources

Summary Lede
On 1 May 2026, Microsoft moved Agent 365 from preview into general availability, positioning it as the control plane that organizations need in order to observe, govern, and secure the rapidly growing population of AI agents working across their tenants. The service is licensed at fifteen US dollars per user per month as a standalone add-on, or as a component of the new Microsoft 365 E7 suite, and it integrates directly with the security and compliance products that most enterprises already operate, including Microsoft Entra, Microsoft Purview, and Microsoft Defender. Rather than introducing yet another place to build agents, Agent 365 sits above existing platforms and consolidates operational disciplines that have, until now, been distributed across many disconnected tools and dashboards.

Why read this: If your organization has begun deploying AI agents — whether built in Copilot Studio, embedded in third-party SaaS, developed in Microsoft Foundry, or installed by users on their own devices — you are facing a governance question that did not exist eighteen months ago. This article explains what Agent 365 actually is, what it changes in the operating model of an organization that has already invested in Microsoft 365 Copilot, and how to take the first practical steps after acquiring a license. It is intended to bring the moving parts into a single, coherent narrative you can use when you brief stakeholders, plan a pilot, or write your internal adoption proposal.

Introduction: Why a Control Plane for Agents Is Now a Necessity

AI agents are no longer a category of pilot project owned by a single innovation team. They are appearing inside Word, Excel, PowerPoint, Outlook, Teams, partner SaaS portals, custom-built applications, and, increasingly, on the local workstations of individual employees who have installed AI assistants on their own initiative. According to figures Microsoft cites from IDC, the worldwide population of AI agents is expected to reach approximately 1.3 billion by 2028.

Even at a small fraction of that figure, the implications for an enterprise tenant are significant. The questions IT leaders are being asked have outpaced the tools available to answer them: Which agents are running in our tenant today? Who owns each one? What data does each one touch, and on whose authority? Is it behaving as expected? If it has been compromised, when, by whom, and how would we know?

Microsoft now refers to this phenomenon openly as agent sprawl, and a newer category — the so-called shadow agent, meaning a local AI assistant installed on an endpoint without IT approval — has begun to appear on enterprise risk registers because it represents an identity-less, policy-less, telemetry-less actor with access to the same documents and chats as its human user. A control plane is the established architectural answer to this class of problem, and Agent 365 is, very deliberately, that control plane.

What Microsoft Agent 365 Actually Is

Agent 365 is a tenant-level service that gives administrators a single, authoritative view of every AI agent operating in the organization, together with the policy, identity, and security mechanisms required to manage them at scale. Microsoft summarizes its purpose using three verbs that recur throughout the official documentation: observe, govern, and secure.

  • To observe means that administrators have real-time visibility into the agents in their environment, what those agents are doing, and how they are performing.
  • To govern means that the lifecycle of each agent — from registration, through approval and assignment, to retirement — is controlled through consistent policies rather than ad-hoc decisions.
  • To secure means that the same enterprise-grade identity, data protection, and threat detection that already apply to users are extended, faithfully, to agents.

The service is built around five capabilities that Microsoft consistently identifies as the pillars of the offering:

Pillar Role in the control plane
Registry A unified inventory of every agent in the organization — including those issued an Entra Agent ID, those published in the Microsoft Teams or Agent Store, and shadow agents discovered on endpoints
Access Control Unique Entra Agent ID for every agent, with policy templates and adaptive, risk-based access decisions enforced by Microsoft Entra
Visualization Telemetry, dashboards, role-based reports for IT, security, and business audiences, plus an Agent Map of relationships between agents, users, and resources
Interoperability Governs agents built with Microsoft tools, with open-source frameworks, and with ecosystem partner platforms; agents can use the same Microsoft 365 context that users do
Security Integration with Microsoft Defender, Microsoft Entra, and Microsoft Purview for threat detection, identity protection, data loss prevention, and compliance

It is also worth being precise about what Agent 365 is not. It is not a new platform for building agents. Copilot Studio, Microsoft Foundry, and external frameworks remain the places where agents are designed, configured, and developed. Agent 365 is the layer above those platforms — the layer that ensures whatever you build, or whatever a partner ships into your tenant, becomes a managed, identified, observed, and governable entity within your organization.

The Five Pillars in Greater Detail

Registry

The Registry is, in many respects, the foundational capability, because every other discipline depends on having an authoritative inventory. Through the Registry, administrators see a unified list of agents that includes those issued an Entra Agent ID, those published in the Microsoft Teams Store or the Agent Store, and — as discovery functionality continues to roll out — shadow agents detected on managed Windows endpoints by Microsoft Defender and Microsoft Intune. From the Registry, administrators can install agents for selected audiences, block or unblock them across the organization, assign or reassign owners, publish requested agents to the store, reject submissions, or delete agents and their associated files.

Access Control through Entra Agent ID

Each agent is given a unique identity, the Entra Agent ID, which enables agents to be governed in the same identity-centric manner as human users. Administrators can apply policy templates that encode standard guardrails on day one, and Microsoft Entra enforces adaptive, risk-based access decisions that respond to real-time context, blocking agents that show signs of compromise from reaching organizational resources. The principle of least privilege, long established for human accounts and service principals, is now available in operation for agents.

Visualization

The visualization layer goes beyond conventional dashboards. In addition to Telemetry, alerts, and role-based reports tailored separately to IT, security, and business audiences, Agent 365 provides an Agent Map that displays the relationships between agents, the users on whose behalf they act, and the resources they connect to. This is particularly valuable for spotting unintended data flows or excessive privilege. Microsoft also references built-in performance measurement to help decision-makers assess return on investment. However, the granularity of those metrics will, in practice, depend on the specific agents and host applications involved.

Interoperability

The interoperability story is significant because it acknowledges that agents in a real enterprise are not all built on the same platform. Agent 365 governs agents created with Microsoft tools, with open-source frameworks, and with ecosystem partner platforms, with pre-integrated partner agents available to deploy directly from the Microsoft 365 admin center at general availability. Agents can access the same Microsoft 365 context that users do — Teams, calendars, mailboxes, SharePoint — and Microsoft has highlighted unified SDKs and consistent Model Context Protocol (MCP) interfaces for developers building agentic tools across Outlook, Teams, and SharePoint.

Security

The security pillar is delivered through tight integration with the existing Microsoft security stack rather than through a parallel set of agent-specific tools.

  • Microsoft Purview brings information protection, data loss prevention, sensitivity labels, eDiscovery, Insider Risk Management, and the data security posture management capability for AI (often referred to as DSPM for AI) into scope for agents.
  • Microsoft Defender XDR contributes agent inventory, real-time runtime protection, threat hunting, and security posture management.
  • Microsoft Entra contributes adaptive access enforcement and, as announced at RSAC 2026, network-level prompt-injection protection and explicit shadow-AI detection.

The cumulative effect is that agents become first-class citizens of your existing security operations rather than exceptions that need to be handled separately.

What Changes Operationally with Agent 365

For organizations that have been running Microsoft 365 Copilot for some time, the introduction of Agent 365 changes several aspects of day-to-day operations in concrete ways:

Area Before Agent 365 With Agent 365
Identity Agents represented by shared service accounts or app registrations Every agent receives a unique Entra Agent ID and is governed individually
Inventory Scattered across Teams Store, Copilot Studio, partner portals Single Agent Registry view in the Microsoft 365 admin center
Access control Per-agent manual permission grants Policy-template-driven, adaptive, risk-based enforcement through Microsoft Entra
Observability Vendor-specific dashboards Unified telemetry, role-based reports, and an Agent Map of relationships
Security and compliance Reaching into agent behaviour required significant effort Native coverage through the same Defender, Entra, and Purview controls used today

The new shadow-AI dimension is also worth highlighting. Until now, an unsanctioned local AI assistant on an employee’s laptop has been more or less invisible to IT. With Agent 365, Defender, and Intune, surface those agents in the Registry so administrators can quarantine them, block them from accessing organizational resources, or, where appropriate, formally onboard them under policy. This is one of the more visibly novel capabilities of the GA release.

Licensing and Availability

Microsoft Agent 365 is licensed on a per-user basis:

  • Standalone price: fifteen US dollars per user per month.
  • Bundled option: included in the new Microsoft 365 E7 suite, which combines Microsoft 365 E5, Microsoft 365 Copilot, the Microsoft Entra Suite, and Agent 365 into a single offering aimed at enterprises that want to standardize on a fully integrated identity, productivity, and agent-governance platform.
  • Availability segment: Commercial cloud at general availability. Microsoft’s documentation also notes that Microsoft 365 for Government Community Cloud High and Government Community Cloud Moderate environments support agent publishing scenarios.

There are no strict product prerequisites to enable Agent 365. Still, Microsoft recommends that customers hold Microsoft Entra P1, Entra P2, or the Entra Suite, alongside Microsoft Purview Data Loss Prevention, to make full use of the governance and security benefits. A Microsoft 365 Copilot license remains necessary to use Copilot-based agents. Pricing details should always be validated with your account team, since regional adjustments, channel offers, and bundle economics can materially change the total cost of ownership.

Taking Your First Steps After Acquiring a License

One of the most pragmatic aspects of Agent 365 is that there is no infrastructure to deploy. The service is activated via licensing and configured in the Microsoft 365 admin center, so the initial steps are administrative rather than technical. The following sequence reflects the recommended path from the Microsoft Learn documentation, organized as most teams will execute it in practice.

1. Confirm Roles and Licenses

Begin by ensuring that the right people hold the right roles. Please assign the Global Administrator role and any other agent-administration roles required for your organization, in line with your least-privilege practices. At the same time, confirm that the audiences for which you intend to enable agents have appropriate licenses in place — Microsoft 365 Copilot in particular, but also any Entra and Purview SKUs that you plan to rely on for governance and protection.

2. Open the Agents Area in the Microsoft 365 Admin Center

Sign in to the Microsoft 365 admin center, expand … Show all in the left navigation, select Agents, and open All agents. This view, with Registry selected, is the canonical inventory of every agent known in your tenant. It is worth spending time here before making any operational decisions; many organizations are surprised by what already exists in their environment once it is presented in a single list.

3. Establish a Baseline Policy

Before approving anything broadly, define and apply an Agent Policy Template that captures your organization’s standards. The template determines, among other things, which connectors and data sources agents may use, what sensitivity-label boundaries apply, and which Conditional Access conditions Entra should enforce. Treat this template as a living governance artifact, deliberately version it, and review it with your security and data-protection stakeholders before it becomes the default for new approvals.

4. Activate or Install Your First Agent

To install an agent for users:

  • Select the agent from the Registry list.
  • Choose Install in the agent details pane.
  • Decide whether the deployment scope should be the entire organization or specific users and groups, and select Next.
  • Review the requested permissions, and select Grant admin consent.
  • Accept the requested permissions, and select Next.
  • Select Finish deployment.

The agent will subsequently appear in the relevant host product — Copilot, Teams, Outlook, or another Microsoft 365 surface — for the chosen audience.

5. Process Activation and Approval Requests

End users can request agents from the Microsoft Teams Store or the Agent Store, and those requests surface to administrators for review. Each request can be approved and activated, or rejected with a rationale. From a governance perspective, formally approving or rejecting requests is at least as important as installing approved agents, because it creates the decision trail that auditors and risk reviewers will look for in 12 months.

6. Turn On Observability and Security

The full value of Agent 365 only emerges when its companion services are correctly configured:

  • In Microsoft Purview, enable the data security posture management capability for AI, configure DLP policies that include agent identities, and bring agent interactions into your retention and eDiscovery scope.
  • In Microsoft Defender XDR, review the agent inventory, switch on real-time runtime protection for agents, and integrate agent telemetry into your existing threat-hunting workflows.
  • In Microsoft Entra, define the adaptive access policies that should apply to agent identities, and decide explicitly whether and how external parties may interact with your agents — by default, agents behave as internal identities and external access is constrained by administrative policy.

7. Use the Agent Map to Validate Reality Against Intent

Once a small number of agents are running under the new policies, open the Agent Map to inspect the relationships between agents, users, and data sources. This is the single most effective way to detect unintended privilege, unexpected agent-to-agent connections, or data flows that violate your sensitivity-label model. The Map is intended to make excessive privilege visually obvious, and it should become a regular part of your operational review cadence.

8. Maintain Lifecycle Hygiene

Agent 365 supports a comprehensive set of lifecycle actions through the Microsoft 365 admin center, including install, uninstall, block, unblock, assign a new owner, publish to the store, reject a submission, and delete. Schedule a recurring review — quarterly is a reasonable starting point — to identify orphaned, unused, or stale agents and retire them deliberately.

Practical Guidance for a Successful Rollout

A few principles consistently distinguish successful rollouts from those that struggle:

1. Begin with discovery rather than deployment. The first weeks should be spent observing what already exists in your tenant before approving anything new, because the inventory you uncover will materially shape your governance design.

**2. Please assign an Agent Owner to each agent. Agents without accountable human owners tend, over time, to drift outside policy. Make ownership explicit at registration and revisit it quarterly.

3. Treat the initial Agent 365 program as a security and compliance project at least as much as a productivity project. The most defensible early wins are reducing shadow-AI exposure and producing a credible audit trail. Productivity outcomes follow naturally once stakeholders trust the guardrails.

4. Be honest about the operational overhead. A control plane only delivers value if someone is operating it. Plan for a small but explicit team responsible for policy templates, request triage, agent reviews, and lifecycle hygiene, and make sure that the team has the authority to say no when an agent does not meet your standards.

**5. Evaluate the Microsoft 365 E7 bundle carefully if you are already an E5 customer. The bundle economics can become attractive once Microsoft 365 Copilot, the Entra Suite, and Agent 365 are all in scope. Still, the decision should be evaluated through a deliberate commercial analysis rather than a reflex.

Caveats and What to Watch

Several aspects of the service deserve a measured note:

  • Shadow-agent detection is described in Microsoft’s announcement materials as a capability that will continue to expand over time, which suggests that initial coverage will improve as the service matures.
  • Performance and ROI metrics are real. Still, their granularity in any given environment will depend on the specific agents and host applications you operate, so it is wise to validate them against your own reporting needs early.
  • End-to-end value depends on companion services. Because Agent 365 spans several Microsoft products, the value you obtain will depend on how thoroughly Entra, Purview, and Defender are configured in your tenant — partial deployments will yield partial value.

Conclusion: A Single, Coherent Place to Govern Agents

The general availability of Microsoft Agent 365 is a significant milestone, less because it introduces dramatic new capabilities than because it consolidates a set of operational disciplines that enterprises have urgently needed. Organizations have been building, buying, and deploying AI agents for some time. The absence of a unified control plane has become increasingly difficult to defend against in front of security committees, auditors, and regulators. Agent 365 closes that gap by extending the same identity, governance, and security model that already underpins your users to the agents that increasingly act alongside them.

For most Microsoft 365 customers, the practical implication is straightforward. The infrastructure question is settled, the licensing path is clear, the integration with the existing Entra, Purview, and Defender stack is real, and the first steps are administrative rather than technical. What remains is the work that always determines the success of a governance program: defining sensible policy, assigning accountable owners, observing what is happening in your tenant, and acting on what you learn. Agent 365 will not do that work for you, but it now provides — for the first time — a single, coherent place in which to do it.

If you are considering when to begin, the answer is almost certainly now. The agents are already there. The control plane is finally here.

Official Sources

Holger Imbery
Written by

Holger Imbery

Start the conversation

Related

See all Agent365
microsoft365copilot cowork agents

What Is Next: E7, Agent 365, and the Researcher

Where Cowork fits in Microsoft's broader agent strategy — M365 E7, Agent 365, the Researcher with Critique, and what to plan for next.

Holger Imbery
Written by Holger Imbery
copilotstudio agents billing costmanagement

Copilot Studio Billing – A Short Answer to a Frequent Question

A frequent question around Microsoft Copilot Studio is: 'How does billing actually work, and where can I see what my agents consume?' The short answer is: Copilot Studio billing is usage-based and fully transparent through the built‑in Analytics experience.

Holger Imbery
Written by Holger Imbery
microsoft365copilot cowork agents

Cowork's Limits and Known Constraints

The honest list of what Cowork cannot do today — by design or by current state — so you can plan rollouts without mid-pilot surprises.

Holger Imbery
Written by Holger Imbery