Microsoft Agent 365 — The Unified Control Plane to Observe, Govern & Secure Every AI Agent at Enterprise Scale

Just as Entra manages human identities, Agent 365 gives every AI agent a first-class identity, lifecycle controls, access policies, and full observability — regardless of where the agent was built. It plugs into the same M365 Admin Center, Entra, Defender, and Purview that your IT and security teams already use.

What Is Microsoft Agent 365?

The Problem

Agents come from Copilot Studio, Agent Builder, Microsoft Foundry, third-party vendors, and ISVs. Each platform has its own governance story. Without a cross-platform view, IT can’t answer basic questions: How many agents exist? What data do they access? Who owns them? What happens when a creator leaves?

The Solution

Agent 365 is one control plane on top of your existing security stack — connecting M365 Admin, Entra, Defender, and Purview with agent-specific capabilities: unified registry, visual map, first-class agent identities, Conditional Access, threat detection, and governed MCP tool servers — across all four pillars below.

Who Benefits — and How

Agent 365 serves four distinct roles. Each gets answers to questions they can’t answer today.

🛡️ IT Admin / Global Admin

„How many agents does our org have? Who owns them? What data can they access?“

Agent Registry — unified inventory across all platforms
Agent Map — visual topology of all registered agents
Detect ownerless agents; reassign on offboarding
Allow/block Work IQ MCP servers tenant-wide
Approve or block agents before deployment

🔍 CISO / Security Analyst

„Are any agents being misused? Which ones are high-risk? Can I stop a compromised agent in real time?“

Defender XDR — risk indicators and severity alerts per agent
Threat detections: prompt injection, exfiltration, anomalies
Conditional Access policies targeting agent identities
Azure AI Content Safety Prompt Shield for runtime defense
Advanced Hunting via agent-specific action types in CloudAppEvents

📋 Compliance Officer / DPO

„Can I prove we’re compliant? What would I show in an audit? What data are agents touching?“

Purview Audit — logs all agent↔human, agent↔tool, agent↔agent interactions
DSPM for AI — data risk signals per agent
Insider Risk Management for agents (preview)
eDiscovery & retention on agent interaction data
Sensitivity label enforcement on accessed content

💻 Developer / Architect

„How do I make my agent enterprise-ready without rewriting everything or asking IT for raw Graph permissions?“

Agent 365 SDK — onboard any agent into the registry
Entra Agent ID — first-class identity with 2 auth flows
Work IQ MCP servers — governed access to M365 + D365 data
No custom Graph API wiring — governed tooling out of the box
Foundry agents auto-provision Entra Agent IDs

4 Capability Pillars

Agent 365 extends M365 Admin, Entra, Defender, and Purview with agent-specific capabilities — organized into four pillars.

Pillar 1: Observability → M365 Admin Center

Agent Registry — unified inventory across all platforms: publisher, owner, data access, security posture, status
Agent Map — interactive visual topology of all registered agents; clusters: Copilot Studio lite/full, Microsoft Corporation, M365 Agents Toolkit, Others
Shadow agent detection — surfaces unregistered third-party agents that exist only as app registrations
Ownerless agents — detect agents with no active owner; flag for reassignment
Approve / block / deploy agents to specific users or groups

Pillar 2: Governed Access → Entra + M365 Admin Center

Microsoft Entra Agent ID — 4 Entra object types (agent blueprint, blueprint principal, agent identity, agent user); two authentication flows: agent identity (autonomous/app-only) and on-behalf-of (OBO)
Sponsorship model — every agent has a human sponsor accountable for its lifecycle; auto-transfers to manager on offboarding
Access Packages — scoped Graph API permissions, group memberships, and Entra roles with built-in expiry
Conditional Access — risk-based policies targeting agent identities (same Zero Trust framework as users)
Work IQ MCP servers (preview) — governed, auditable access to Mail, Calendar, Teams, SharePoint, OneDrive, Word, User, Copilot, Dataverse/D365; admin allows or blocks each server centrally

Pillar 3: Data Protection → Microsoft Purview

DSPM for AI — data risk signals, agent activity insights, oversharing recommendations
Audit — all four interaction types logged: agent↔human, human↔agent, agent↔tools, agent↔agent
Insider Risk Management (preview) — extends insider risk protection to agents; detects risky agent interactions with sensitive data
Sensitivity Labels — enforced on content agents access; agent-generated content does not automatically inherit labels from source items
eDiscovery & Retention — search, hold, and export agent interaction data
Data Lifecycle Management — retention and deletion policies for prompts and agent-generated data
DLP — policies govern the locations agents operate in (Exchange, SharePoint, Teams)
Communication Compliance — detect and enable human oversight of risky AI communications

Pillar 4: Threat Defense → Microsoft Defender XDR

Risk indicators — per-agent severity alerts, governance gap signals
Advanced Hunting (KQL) — agent-specific action types in CloudAppEvents table (InvokeAgent, InferenceCall, ExecuteToolBySDK, and more)
Out-of-the-box threat detections — prompt injection, data exfiltration, anomalous behavior (integrated with Purview Insider Risk)
Azure AI Content Safety Prompt Shield — jailbreak and indirect prompt injection defense, surfaced in Defender
Agent activity telemetry — Agent 365 SDK traces viewable in Defender for incident investigation
Agent-specific attack chain — incident view links agent identity, tools called, and data accessed

Work IQ MCP servers — The governed alternative to raw Microsoft Graph access. IT admins allow or block each server (Mail, Calendar, Teams, SharePoint, OneDrive, Word, Dataverse, and more) centrally in M365 Admin Center. When a server is blocked, it is blocked for every agent and every user — no exceptions. Every tool call is logged and auditable. Currently in preview; continues in preview after Agent 365 GA on May 1, 2026.

Admin Experience

Agent 365 doesn’t replace your existing admin centers — it extends each of them with agent-specific capabilities. Here’s how the responsibilities are distributed:

M365 Admin Center — IT Admin / Global Admin

Agent Registry — see every agent, across all platforms
Agent Map — visual topology, filter by platform/publisher
Approve/block agents, deploy to users/groups
Activate templates, assign licenses
MCP Tooling — allow/block Work IQ servers centrally
Ownerless agents — detect and reassign

Entra Admin Center — Identity Admin / Security Admin

Agent Identities — view/manage all Entra Agent IDs (4 object types: blueprint, blueprint principal, agent identity, agent user)
Sponsors & owners — assign, transfer, review; auto-transfer to manager on offboarding
Conditional Access — create policies targeting agent IDs
ID Protection — risky agent sign-ins, anomalous behavior
Access Packages — scoped Graph permissions, groups, Entra roles with expiry
Two auth flows — agent identity (autonomous/app-only) and on-behalf-of (OBO)

Defender XDR — Security Analyst / SOC

Agent overview — posture, risk, active incidents
Advanced Hunting (KQL) — agent-specific action types in CloudAppEvents for config, ownership, risk
Threat detections — prompt injection, exfiltration, anomalies (via Purview Insider Risk integration)
AI Prompt Shield — Azure AI Content Safety jailbreak/injection defense, surfaced in Defender
Agent activity logging — traces from Agent 365 SDK telemetry, viewable in Defender
Incident investigation — agent-specific attack chain

Purview — Compliance Admin / DPO

DSPM for AI — agent instances, data risks, recommendations
Audit — all interactions: agent↔human, agent↔tools, agent↔agent
DLP policies — protect locations where agents operate (Exchange, SharePoint, Teams)
Sensitivity Labels — enforce on agent content access
Insider Risk Management — extends insider risk protection to agents
eDiscovery & Retention — search/hold/export agent data

Key insight: Agent 365 automatically enables audit, data classification, and AI compliance assessments for every agent instance — zero configuration. For Insider Risk and CA, you target agent identities the same way you target users. DLP policies govern the locations agents interact with (Exchange, SharePoint, Teams).

Technical Setup — Agent Onboarding

Onboarding effort depends entirely on where an agent was built. Copilot Studio, Agent Builder, and Foundry agents published to Copilot Chat auto-register. Pro-code backend agents and external-org agents require deliberate steps from IT.

Prerequisite (today — Frontier preview): Sign in to Microsoft 365 admin center → Copilot → Settings → User access → Copilot Frontier → enable for users or groups. Requires at least one M365 Copilot license in the tenant. After enabling, an Agents entry appears in the M365 Admin Center left nav — this is your control plane. Source: Agent 365 Overview — Prerequisites

Copilot Studio — Maker submits, Admin approves

Maker: Copilot Studio → Channels → select Microsoft 365 Copilot & Microsoft Teams → confirm „Make agent available in Microsoft 365 Copilot“ → Save (submits for admin review)
Admin: M365 Admin Center → Agents → All Agents → Requests → select agent → activate, choose governance template (default or custom), review permissions, grant admin consent
Agent goes live in M365 Copilot Agent Store under Built by your org; users install from store, then access in Copilot Chat

Registry category: Published by your org. Agent 365 enrollment is automatic — Copilot Studio is natively integrated with Agent Registry. Agent receives a Microsoft Entra Agent ID and appears in Agent Map without extra steps. Source

Agent Builder — Auto-visible, no maker submission

End user opens Copilot Chat at microsoft365.com/chat → creates agent in Agent Builder — no IT involvement, no submission required
Agent auto-appears in Agent Registry under Shared by creator — immediately visible to admins in M365 Admin Center → Agents
Admin (recommended): deploy to specific groups, apply governance template, assign a sponsor, or block the agent from the Registry

Registry category: Shared by creator. ⚠ Agent Builder agents shared via link are accessible in Copilot Chat only — three sharing options: specific users (up to 98 named users/groups), anyone in your organization, or only you. No formal approval flow, but admins can restrict sharing at org level (all users / specific groups / no users). To deploy in Teams or Outlook, the agent must be published via Copilot Studio (requires admin approval) or sideloaded via ZIP package. This is the primary source of shadow-agent sprawl. Source

Azure AI Foundry — Published to Copilot Chat / Teams

Developer: build custom engine agent in Foundry, publish to the Microsoft 365 Copilot channel — generates a Teams / M365 app package
Admin: M365 Admin Center → Agents → Requests → approve, assign users or groups, apply governance template, grant consent
Agent available in Copilot Chat agent list and Teams app store under Built for your org

Registry category: Published by your org. Azure AI Foundry is natively integrated with Agent Registry — publishing to an M365 channel auto-registers the agent instance and agent card. No extra CLI steps. Source

Foundry / Pro-Code — Backend service, Agent 365 CLI required

Prerequisites: Azure Contributor access · Global Admin (for consent grants) · .NET 8+ · Azure CLI
Install CLI: dotnet tool install --global Microsoft.Agents.A365.DevTools.Cli --prerelease
Configure: create a365.config.json (tenant, subscription, messaging endpoint) — via AI-guided setup or manually
Provision: a365 setup all → creates agent blueprint, Microsoft Entra Agent ID, MCP permission grants
Deploy: a365 deploy → builds and pushes code to Azure
Publish: a365 publish → uploads manifest; admin activates in M365 Admin Center → Agents → Requests

Registry category: Agents registered by your org. Shortcut: use GitHub Copilot in agent mode with a365-setup-instructions.md to automate steps 1–6. AI-guided setup docs

External / Third-Party / Other Organization

Path A — Agent is in the Microsoft Store (AppSource / Teams Store):

User finds agent in M365 Copilot Agent Store or Teams App Store and requests it
Admin: M365 Admin Center → Agents → Requests → activate, apply governance template (default or custom), review and grant admin consent
Agent deployed to assigned users; appears in Copilot Chat agent list

Registry category: External partner-built agents

Path B — Agent is not in any store (custom ISV, partner org, self-built external):

Prerequisites: Entra Agent Registry Administrator role · access token with AgentInstance.ReadWrite.All scope
Register agent instance via Graph API: POST /beta/agentRegistry/agentInstances (endpoint URL, owner, originating platform)
Register agent card manifest: POST /beta/agentRegistry/agentInstances/{id}/agentCardManifest (name, skills, capabilities)
Admin assigns sponsor, applies CA + governance policies in Entra Admin Center / M365 Admin Center

Registry category: Agents registered by your org. Shadow agents (Entra app registrations that were never formally registered) are surfaced automatically in the Registry — but remain ungoverned until an admin claims and sponsors them. Source: Self-serve registration

6 Real-World Scenarios

Each starts with a real pain point — what triggered the agent, what goes wrong today, and exactly what Agent 365 changes.

① IT Helpdesk Agent — Copilot Studio

Relevant for: IT Admin, CISO

Pain point: IT support handles 250+ routine tickets per week — password resets, device compliance checks, policy lookups. Each takes a trained technician 15–20 minutes even though the answer always follows the same script. Productive time lost: ~80 person-hours per week.

Lisa builds a Copilot Studio helpdesk agent — password resets, compliance checks, policy lookups in under 2 min via Copilot Chat
Lisa changes teams six months later; agent keeps running with her original Intune + SharePoint permissions, no review triggered
A contractor crafts a prompt that leaks device compliance details of other users — no injection detection, no audit trail

❌ Without Agent 365	✅ With Agent 365
Copilot Studio agents have Entra app registrations — CA for workload identities is possible (requires Entra Workload ID Premium), but without Agent 365 there’s no first-class Agent ID, no sponsorship model, and no lifecycle governance	Entra Agent ID + CA policy: block agent when risk level is medium or high — ID Protection detects anomalous sign-ins, unfamiliar resource access, and failed access attempts automatically
Power Platform DLP governs connector-level policies; Purview Insider Risk „Risky AI usage“ policy template (preview) detects suspicious agent behavior — but without Agent 365’s unified telemetry, cross-platform visibility is limited	Defender — Azure AI Content Safety Prompt Shield detects injection attempts
Lisa leaves → no automatic sponsor transfer, agent keeps running	Lisa leaves → sponsorship auto-transfers to her manager; agent flagged for review

② Multi-Agent Customer Service Chain — Copilot Studio + Foundry

Relevant for: Customer Service, CISO, IT Admin

Pain point: The customer service team handles 4,000 inquiries per month at an average of 12 minutes each. 60% involve a product question, a refund check, and a CRM update — three steps an agent chain could execute in seconds if the right data were instantly available.

IT builds a multi-agent chain for Anna: Copilot Studio orchestrator delegates to three Foundry sub-agents — product queries, refund approvals (D365), CRM logging; handling time drops 60%
A misconfigured prompt update causes the Refunds Agent to approve every request automatically
Marcus pulls the audit log — all he sees is „D365 updated by service account“; no orchestrator context, no agent chain, no way to scope the damage

❌ Without Agent 365	✅ With Agent 365
Sub-agents are independent app registrations — no chain topology visible	Agent Map — visualizes orchestrator + sub-agent topology end-to-end
Purview shows D365 writes, but no agent-to-agent chain context	Purview audits all agent↔agent interactions: full chain-of-custody
No anomaly detection on approval rate or sub-agent behavior	Defender detects anomalous approval spike; Insider Risk Management flags risky agent behavior
	CA policy on orchestrator identity: block when risk is elevated; sub-agents that depend on orchestrator tokens are also stopped

③ AI Ticket Resolver — ServiceNow Add-On (Third-Party ISV)

Relevant for: IT Operations, CISO, IT Admin

Pain point: Kai’s team closes 1,200 Level-1 tickets per month. 960 of them (80%) are password resets and access requests that follow a fixed resolution script — no expert judgment required, yet each still takes a technician 15 minutes to process.

Kai activates an AI Ticket Resolver add-on from their ServiceNow contract — reads Teams chat, Entra user data, SharePoint docs; ticket volume drops 40%
ServiceNow discloses a security breach; Stefan asks „What M365 data did that agent have access to?“
IT finds one Entra app registration with Chat.Read, User.Read.All, Sites.Read.All — consented months ago, owner unknown

❌ Without Agent 365	✅ With Agent 365
Only visible as an app registration — no agent context (purpose, owner, data scope)	Registry — surfaces under „External partner-built agents“ with full metadata and ownership
No per-server scoping: it’s all-or-nothing on Graph permissions	Work IQ MCP: allow Teams + Mail servers, block SharePoint server — per MCP server
Breach at ServiceNow = attacker inherits all three Graph permission scopes	Defender — risk severity indicators + exfiltration pattern detection; CA can block on breach signal

④ Invoice Processing Agent — Foundry (Autonomous Backend)

Relevant for: Finance, IT Admin, Compliance

Pain point: Finance processes 800 supplier invoices per month. Manual 3-way matching takes 3 days end-to-end and produces ~120 exceptions per month requiring follow-up — a predictable, rules-based workflow with heavy compliance obligations and no tolerance for audit gaps.

A nightly Foundry agent reads supplier invoices, validates amounts in D365, writes exception reports to SharePoint — finance team saves hours weekly
Elena hits an ISO audit question: „Provide an audit trail for every AI system processing financial data“
M365 Admin Center: nothing. Purview: nothing. Agent runs as a scheduled Azure App Service, never registered in M365 — Elena’s answer to the auditor: unknown

❌ Without Agent 365	✅ With Agent 365
Not published to Copilot Chat → not in Agent Registry → no M365 governance	Onboard via Agent 365 CLI (`a365 setup all` → `a365 deploy` → `a365 publish`) or register via Graph API (`POST /beta/agentRegistry/agentInstances`) → listed under „Agents registered by your org“
App registration only — broad Graph permissions, no agent context (purpose, owner, data scope)	Work IQ MCP servers replace raw Graph calls — every action logged and auditable
PII in Outlook invoices: no Purview audit, no sensitivity label enforcement	Purview audit covers Outlook + SharePoint interactions; sensitivity labels enforced

⑤ Marketing Content Agent — Agent Builder (No-Code Sprawl)

Relevant for: IT Admin, Compliance

Pain point: Sales asks Marketing the same questions every week: current pricing, margin floors, competitive positioning. The SharePoint wiki is updated monthly — by the time a rep finds the right document, the numbers may already be stale. Every mispriced deal is a direct margin hit.

Sarah builds a no-code pricing assistant in Agent Builder, adds 15 SharePoint files including next year’s roadmap and margin floors, shares the link with her 50-person team — no IT approval needed
Sarah changes roles three months later; agent keeps running with her SharePoint access
An intern asks „What are our profit margins per product?“ and gets a detailed answer from confidential data

❌ Without Agent 365	✅ With Agent 365
Visible in M365 Admin Center (Integrated Apps), but no centralized agent inventory at scale	Agent Map — visualize all lightweight agents across the org at scale
No lifecycle governance — Sarah leaves, agent keeps serving sensitive data indefinitely	Ownerless detection: Sarah leaves → agent flagged; sponsorship transferred to her manager
SharePoint knowledge sources: sensitivity labels without encryption configured do not block agent access — visual-only labels provide no protection here	Purview Insider Risk Management detects agents surfacing confidential content

⑥ AI Deal Coach — Subscribed SaaS Agent (n8n backend)

Relevant for: IT Admin, CISO, Compliance

Pain point: Win rate sits at 34%. Internal analysis shows deals with 3+ structured follow-up touchpoints close at 2× the rate — but coaching is inconsistent. Top performers know exactly when and how to follow up; everyone else improvises. The gap costs millions in pipeline every quarter.

Florian signs up for „DealSense AI“ in 3 minutes — grants Mail.Read + Calendars.Read + D365 access via personal OAuth; win rates improve, eight colleagues follow
Each user signs up individually: 9 OAuth grants, no admin consent, no IT visibility; n8n polls every inbox every 15 min from vendor cloud
DealSense is acquired by a competitor six months later — IT finds out only when a sales rep mentions it in an unrelated support ticket

❌ Without Agent 365	✅ With Agent 365
9 personal OAuth grants — invisible as agents, no central inventory anywhere	Registry surfaces the 9 ungoverned registrations — IT sees them as unsponsored agents immediately
No sponsored identity, no risk indicators, no registry entry for any of them	Admins revoke consent for all 9 grants centrally; restrict user consent settings so new unauthorized apps require admin approval
Data leaves the tenant to vendor cloud — no DLP coverage, no audit trail	When DealSense changes ownership, IT revokes all related consents centrally — no user action required

Governance Coverage by Agent Source

If all your agents are in Copilot Studio and you never plan to use Foundry, third-party, or ISV agents — Power Platform governance covers a lot. As soon as you cross into other platforms, Agent 365 becomes the only unified layer.

Agent Source	Runs Where?	Governed Today By	What Agent 365 Adds
Agent Builder	Copilot Chat (shared); Teams, Outlook (published/sideloaded)	M365 Admin (Integrated Apps)	Agent ID, Conditional Access, Defender, lifecycle governance
Copilot Studio	Power Platform	PP Admin + M365 Admin + Purview	Agent ID, CA, Defender, cross-platform registry view
Foundry (published to Teams)	Azure → Teams	M365 Admin (after approval)	Work IQ MCP servers, Defender, lifecycle governance
Foundry (autonomous backend)	Azure (no Teams bot)	⚠️ Azure Portal only — invisible to M365	🔴 Agent 365 SDK onboarding — only way to reach M365 governance
Third-Party / ISV	Vendor cloud	⚠️ Vendor portal only — Entra app reg only	🔴 Registry discovery, Entra Agent ID, per-server MCP scoping
SaaS / n8n (user OAuth)	Vendor cloud	⚠️ Invisible — personal OAuth, no admin consent flow	🔴 Registry flags ungoverned app registrations; admins restrict user consent & revoke centrally
Multi-Agent chains	Mixed	⚠️ No orchestrator-to-sub-agent visibility	🔴 Agent Map topology, end-to-end A2A audit, orchestrator-level CA

Licensing & Getting Started

Option	Includes	Price	Availability
Microsoft 365 E7	M365 E5 + Entra Suite + M365 Copilot + Agent 365	$99/user/mo	GA May 1, 2026
Agent 365 Standalone	Registry + Agent Map + Entra Agent ID + CA + Work IQ MCP	$15/user/mo	GA May 1, 2026
Frontier Preview	25 licenses with any M365 Copilot license	Included	Now

Licensing model (GA): Per user — all agents acting on behalf of (OBO) a licensed user are covered. Agents do NOT need their own license.

Important: Agent 365 Standalone ($15/user) includes the control plane: Observability (Registry + Map), Governed Access (Entra Agent ID + CA + Work IQ MCP). The Defender (Threat Defense) and Purview (Data Protection) capabilities activate if those licenses are already present. Microsoft 365 E7 ($99/user) bundles everything — Defender + Purview + Entra Suite + Copilot + Agent 365 — in one SKU.