Microsoft Agent 365 went GA on May 1, 2026 as a unified control plane to observe, govern, and secure AI agents across Microsoft and rival clouds. Here is what it actually does.
What is Microsoft Agent 365?
Microsoft Agent 365 is a control plane that lets organizations observe, govern, and secure every AI agent they run — including agents built on Microsoft tooling and agents from ecosystem partners — from a single place. It reached general availability for commercial customers on May 1, 2026, and is licensed per user at $15 per user per month standalone, or bundled into the Microsoft 365 E7 license.
The simplest way to think about Microsoft Agent 365 is by analogy: if Copilot Studio and Microsoft Foundry are how you build agents, Agent 365 is how you manage the fleet after they exist. Microsoft frames it as doing for AI agents roughly what enterprise mobility management did for employee devices — a layer that sits on top of everything, regardless of how each agent was created.
That framing matters because agents have multiplied faster than the controls around them. A modern enterprise can have agents from Copilot Studio, agents hand-built on LangChain or the OpenAI Agents SDK, vendor agents from SAP or Zendesk, and ad-hoc local agents running on employees’ laptops. Before a control plane, each of those lived in its own silo with its own logging, permissions, and lifecycle. Agent 365 is Microsoft’s attempt to put one registry, one identity model, and one set of guardrails over all of them.

Microsoft Agent 365 is GENERALLY AVAILABLE for commercial customers as of May 1, 2026. Its cross-cloud registry sync with AWS Bedrock, Google Vertex AI, Salesforce Agentforce, and Databricks Genie is in PUBLIC PREVIEW. Discovery of local ‘shadow AI’ agents on Windows via Defender and Intune is rolling out, with deeper Defender asset context starting June 2026.
What does the Agent 365 control plane actually do?
The Microsoft Agent 365 control plane is organized around three pillars — observe, govern, and secure — that together give IT and security teams visibility, lifecycle control, and enterprise-grade protection over their entire agent fleet. Each pillar maps to concrete surfaces in the Microsoft 365 admin center, Microsoft Entra, Microsoft Purview, and Microsoft Defender rather than being a marketing abstraction.
Observe is the visibility layer. A centralized agent registry gives admins a unified view of agent adoption, activity, and health, while an Agent Map visualizes how agents connect to data, tools, and one another. Role-specific oversight extends those insights to security and business leaders so the right stakeholders see risk and value within their domain.
Govern is lifecycle and policy. Through the Agent 365 registry, Microsoft Entra, and Microsoft Purview, admins can intentionally manage an agent’s lifecycle — provisioning, permissions, access reviews, and retirement — while keeping the organization audit-ready and aligned with policy.
Secure extends Microsoft’s existing enterprise defenses to agents. Entra enforces risk-based access controls for users and the agents acting on their behalf; Purview adds information protection, DLP, and data-risk safeguards; and Defender adds continuous threat detection and real-time runtime protection to block unsafe or malicious agent behavior.
| Pillar | What it delivers | Underlying Microsoft services |
|---|---|---|
| Observe | Unified agent registry, Agent Map, adoption and health insights, role-based oversight | Microsoft 365 admin center (Agent registry, Agent Map) |
| Govern | Lifecycle management, access control, access reviews, compliance and audit readiness | Agent 365 registry, Microsoft Entra, Microsoft Purview |
| Secure | Risk-based access, DLP and information protection, runtime threat detection | Microsoft Entra, Microsoft Purview, Microsoft Defender |
How is Agent 365 different from Copilot?
Copilot and Copilot Studio build and run agents; Microsoft Agent 365 governs them — they solve different problems at different points in the agent lifecycle. Confusing the two is the most common mistake in early coverage, so it is worth being precise about where each one sits.
Copilot Studio is a low-code environment for designing agents: defining instructions, connecting knowledge sources, attaching actions, and publishing across channels. It sits alongside Microsoft Foundry, the Microsoft 365 Agents SDK, and the Agents Toolkit as one of several ways to create an agent. In Microsoft’s own analogy, Copilot Studio is to agents what an IDE is to applications.
Agent 365 is the enterprise governance layer that sits on top of every agent the organization runs, regardless of how it was built. It does not replace Copilot or Copilot Studio — it wraps them, plus everything else, in identity, observability, and policy. Critically, the Agent 365 SDK can enhance agents built on many platforms: Microsoft Agent Framework, the Microsoft 365 Agents SDK, the OpenAI Agents SDK, the Claude Code SDK, and LangChain. So a team can keep building wherever it likes and still land those agents under one control plane.
The practical takeaway: you do not choose Agent 365 instead of Copilot. If you run Microsoft 365 Copilot or Copilot Studio agents at any scale, Agent 365 is the layer that makes that fleet visible, permissioned, and auditable.
“Copilot Studio is to agents what an IDE is to applications. Agent 365 is to agents what enterprise mobility management is to employee devices.”
Microsoft’s positioning for Agent 365
How does Agent 365 use Entra Agent ID for identity?
Microsoft Agent 365 is built on Entra Agent ID, which gives every agent a first-class directory identity so the same controls that protect users — Conditional Access, identity protection, and network controls — apply to agents too. Entra Agent ID reached general availability in April 2026, ahead of Agent 365’s GA, and is the identity backbone that makes the rest of the control plane coherent.
Each agent identity has an object ID, a display name, credentials, and a sponsor — a responsible human or owning team. Unlike human accounts, agents do not use passwords, passkeys, or authenticator apps; they authenticate using federated identity credentials issued by an agent identity blueprint. Those blueprints act as templates with parent-child relationships, so an organization can apply consistent security policy across thousands of agents instead of configuring each one by hand.
The Entra agent registry is the central store that ties this together: agent identities, their user accounts, blueprints, and identity attributes, plus an Agent Card manifest used for discovery and collaboration. Because this is real directory identity rather than a bolt-on, agents inherit the network controls and access policies enterprises already trust for workload identities. In GA, Microsoft extended those Entra network controls to Copilot Studio agents and to agents running on user endpoint devices, including local agents such as OpenClaw.
Almost every Agent 365 capability — DLP, Conditional Access, audit logging, lifecycle actions — depends on each agent having a durable, sponsored identity. If you are building agents today, give them externalized identity and a named owner from the start; that single decision is what later makes them governable instead of shadow AI.
How does Agent 365 registry sync work with AWS Bedrock and Google Cloud?
Agent 365 registry sync, in public preview, lets a Microsoft 365 admin securely connect external agent platforms — AWS Bedrock, Google Vertex AI, Salesforce Agentforce, and Databricks Genie — and pull their agents into the Agent 365 registry for centralized visibility and governance. This is the cross-cloud feature most coverage glosses over, and it is the clearest signal that Microsoft wants to be the neutral inventory for agents, not just its own.
An admin creates a connection from the Registry sync page in the Microsoft 365 admin center: name the connection, choose the platform and region, decide whether to import agents automatically, then supply and validate credentials. For Amazon Bedrock that means an IAM user with scoped permissions such as bedrock:ListAgents, bedrock:GetAgent, and bedrock:DeleteAgent; for Google Vertex AI it is a service account with reasoning-engine list, get, and delete permissions; Agentforce uses an OAuth connected app; and Databricks uses a service principal.
Once connected, the admin can trigger a sync to import agents, view last-run status and synced-agent counts, review errors, and delete connections. Today the agent management actions available are whatever each platform’s own APIs expose — sync is read-heavy and inventory-first. Microsoft says automatically scheduled syncs are coming in a future release, and the GA security blog describes the roadmap as letting teams ‘automatically discover, inventory, and, soon, perform basic lifecycle governance — for example, start, stop, delete agents’ across these connections. In other words: discovery and inventory now, deeper cross-cloud lifecycle control next.
There is a real limitation worth naming. Registry sync depends on rival clouds keeping their list, get, and delete APIs open, and a Bedrock or Gemini shop that deliberately avoided Microsoft has little incentive to crown Microsoft its cross-vendor control plane. The feature is most compelling for organizations where Entra is already the identity backbone and the other clouds are the exception rather than the strategy.
| External platform | Auth method | Key permissions |
|---|---|---|
| Amazon Bedrock | IAM access key + secret | bedrock:ListAgents, GetAgent, DeleteAgent, InvokeAgent |
| Google Vertex AI | Service account secret key | aiplatform.reasoningEngines.list / get / delete |
| Salesforce Agentforce | OAuth connected app (client credentials) | chatbot_api, sfap_api, api, refresh_token |
| Databricks Genie | Service principal | Client ID + secret, workspace admin access |
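A least-privilege check for the Amazon Bedrock connection described above, as an added example (not Microsoft's or AWS's code): it audits an IAM policy document against the four `bedrock:` actions this page lists and flags wildcards, extra actions, and delete or invoke rights granted on every resource. The function name, sample policy, and account ID are constructed for illustration.

```python
import fnmatch
import json

# Actions this page lists for the Amazon Bedrock registry-sync connection.
ALLOWED = {"bedrock:listagents", "bedrock:getagent",
           "bedrock:deleteagent", "bedrock:invokeagent"}
# Actions that remove or run agents: flag them when granted on every resource.
SENSITIVE = {"bedrock:deleteagent", "bedrock:invokeagent"}

def _as_list(value):
    """IAM accepts one value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value] if value else []

def audit_sync_policy(policy_json):
    """Return sorted findings for one IAM policy document (a JSON string)."""
    findings = set()
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            findings.add(f"{sid}: Allow with NotAction grants every unlisted action")
        unscoped = "*" in _as_list(stmt.get("Resource"))
        # IAM action names are case-insensitive, so compare in lowercase.
        for action in (a.lower() for a in _as_list(stmt.get("Action"))):
            if "*" in action or "?" in action:
                findings.add(f"{sid}: wildcard action '{action}'")
                granted = set(fnmatch.filter(ALLOWED, action))
            elif action in ALLOWED:
                granted = {action}
            else:
                findings.add(f"{sid}: action '{action}' is outside the connector's listed set")
                granted = set()
            for hit in sorted(granted & SENSITIVE if unscoped else ()):
                findings.add(f"{sid}: '{hit}' allowed on Resource '*'")
    return sorted(findings)

# Constructed sample policy, not taken from any real account.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Inventory", "Effect": "Allow",
     "Action": ["bedrock:ListAgents", "bedrock:GetAgent"], "Resource": "*"},
    {"Sid": "Lifecycle", "Effect": "Allow", "Action": "bedrock:Delete*", "Resource": "*"},
    {"Sid": "Extra", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/example"},
]})

if __name__ == "__main__":
    print("\n".join(audit_sync_policy(SAMPLE_POLICY)))
```

Run it against the policy attached to the sync user before validating credentials in the admin center; an empty result means the policy stays within the listed actions and scopes delete and invoke to named resources.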
How does Agent 365 handle shadow AI agents?
Agent 365 turns shadow AI into a discoverable, governable asset class by using Microsoft Defender and Intune to surface unmanaged AI agents — including ones running locally on Windows PCs — and apply policy actions up to and including blocking them. This is the part most security teams will feel first, because it targets the agents employees already run quietly, not the ones IT provisioned.
Discovery surfaces in a dedicated Shadow AI page in the Microsoft 365 admin center. At GA, Defender and Intune began discovering local agents starting with OpenClaw, with discovery expanding to GitHub Copilot CLI and Claude Code. Administrators can apply Intune policies to detect and block unmanaged local agents on Windows devices — so an agent installed on a laptop without approval becomes visible and controllable rather than invisible.
Starting June 2026, Microsoft Defender adds asset-context mapping for these agents: showing device locations, MCP server configurations, the identities associated with an agent, and which cloud resources it can reach. That context is what converts a raw list of discovered agents into an actual risk picture — you can see not just that an agent exists, but what it can touch.
Who should adopt Microsoft Agent 365 — and when?
A credible control plane for Microsoft-centric agent fleets — preview features still need to land
Microsoft Agent 365 is most compelling for organizations already standardized on Microsoft 365 and Entra that are now running agents across multiple builders and want one place to see, secure, and retire them. If that describes you, the control plane converts a sprawling, unauditable agent fleet into a managed asset class with comparatively little new tooling.
There are no hard product prerequisites to switch Agent 365 on, but Microsoft recommends Entra P1, P2, or Entra Suite plus Purview Data Loss Prevention to use the full set of benefits, and at least one qualifying Agent 365 license per tenant to enable it. Budget accordingly: the governance value is real, but it stacks on top of an already Microsoft-centric estate.
The honest timing call is to separate what is GA from what is preview. Identity (Entra Agent ID), the registry, the Agent Map, and the observe/govern/secure controls are generally available and production-ready today. Cross-cloud registry sync and the deeper local-agent asset context are still maturing — preview and rolling out through June 2026 — so treat them as direction-of-travel you can pilot, not load-bearing infrastructure yet. Teams whose agents live mostly outside Microsoft should watch the cross-cloud lifecycle roadmap before betting on Agent 365 as their single control plane.
Builder’s take
I run the agent stack at Cyntr and Loomfeed, so I read Agent 365 less as a product launch and more as Microsoft drawing the boundary of where agent governance lives. A few things stand out to me:
- The center of gravity is identity, not the model. Agent 365 is built on Entra Agent ID, and once every agent has a real directory identity with a sponsor, Conditional Access and Purview DLP just apply. That is the unlock most teams underprice when they roll their own per-framework controls.
- Registry sync is the genuinely interesting move and also the most fragile. Pulling Bedrock, Vertex AI, Agentforce, and Databricks agents into one inventory via each platform’s own list/get APIs is exactly the cross-cloud visibility I want. But it is read-heavy today: real lifecycle control (start/stop/delete) is ‘soon,’ and it depends on rivals keeping those APIs open.
- The shadow-AI angle is the part teams will feel first. Defender and Intune surfacing OpenClaw, and soon Claude Code and GitHub Copilot CLI, on Windows endpoints means the laptop-side agents people already run quietly become governable assets. That is a bigger cultural shift than the cloud connectors.
- Be honest about lock-in math. A Bedrock or Gemini shop that chose those stacks to stay off Microsoft is unlikely to anoint Microsoft as its cross-vendor control plane. Agent 365 is strongest where Entra is already the identity backbone.
- If you are building agents yourself, the lesson is to externalize identity and audit from day one. Whether you adopt Agent 365 or not, agents without a durable identity and a sponsor are the ones that become tomorrow’s shadow-AI cleanup.
Frequently asked questions
Microsoft Agent 365 is a control plane, generally available since May 1, 2026, that lets organizations observe, govern, and secure AI agents across Microsoft and partner ecosystems from one place. It is built on Entra Agent ID and is licensed at $15 per user per month standalone or included in Microsoft 365 E7.
No. Copilot and Copilot Studio build and run agents; Agent 365 governs them. Copilot Studio is a low-code environment to design agents, while Agent 365 is the enterprise governance layer that sits on top of every agent you run, regardless of how it was built. You use them together, not instead of each other.
Registry sync, in public preview, connects external agent platforms — AWS Bedrock, Google Vertex AI, Salesforce Agentforce, and Databricks Genie — and imports their agents into the Agent 365 registry for centralized visibility. Today it focuses on discovery and inventory; Microsoft says start/stop/delete lifecycle actions across these clouds are coming soon.
Agent 365 uses Microsoft Defender and Intune to discover unmanaged AI agents, including ones running locally on Windows PCs, and surfaces them on a Shadow AI page in the Microsoft 365 admin center. Discovery started with OpenClaw and is expanding to GitHub Copilot CLI and Claude Code, with Defender asset-context mapping arriving in June 2026.
Entra Agent ID, generally available since April 2026, gives each AI agent a first-class directory identity with an object ID, credentials, and a human sponsor. Agent 365 is built on it, so agents inherit Conditional Access, identity protection, network controls, and Purview DLP — the same controls enterprises already use for workload identities.
Microsoft Agent 365 is licensed per user at $15 per user per month as a standalone offering, and is also included in the Microsoft 365 E7 license. It has no strict prerequisites, but Microsoft recommends Entra P1, P2, or Entra Suite plus Purview Data Loss Prevention to use its full capabilities.
Primary sources
- Microsoft Agent 365, now generally available, expands capabilities and integrations — Microsoft Security Blog
- Microsoft Agent 365 overview — Microsoft Learn
- Registry sync in the Microsoft 365 agent registry (preview) — Microsoft Learn
- Overview of agent identities in Microsoft Entra — Microsoft Learn
- Microsoft Agent 365 Hits General Availability With Local AI Agent Controls — WinBuzzer
- Agent 365 vs. Copilot Studio: Which One Does What — Valorem Reply
- Microsoft Agent 365 SDK and CLI — Microsoft Learn
Last updated: June 2, 2026.