Microsoft Agent 365 Review: AI Agent Control Plane
Microsoft's enterprise control plane for AI agents ships with strong M365 integration and real security muscle - but critical features are still in preview, and the licensing model is a puzzle.
9 min read
Microsoft launched Agent 365 to general availability on May 1, naming it the "control plane" for AI agents across the enterprise. The pitch is clear enough: you've deployed Copilot Studio agents, bought third-party agents, and watched developers quietly install OpenClaw on their work laptops - and now none of it's visible, governed, or secured. Agent 365 is Microsoft's answer to that sprawl. At $15 per user per month (or bundled in the $99 M365 E7 "Frontier Suite"), it lands squarely in the "essential infrastructure" category for large M365 shops, with caveats that smaller teams and autonomous-agent buyers should understand before signing.
TL;DR
- 7.2/10 - the strongest enterprise agent governance platform available today, built for organizations already invested in M365 E5 security
- Deep integration with Defender, Purview, and Entra gives security teams a single pane of glass for agent threats
- Runtime threat blocking and autonomous agent coverage are both still in public preview at GA - critical gaps for buyers
- Buy now if you're running 50+ users with active Copilot Studio deployments; wait until Q4 2026 if autonomous agents are your primary use case
What Agent 365 Actually Does
Agent 365 doesn't create agents or run them. That distinction is important and we'll return to it. What it does is give IT and security teams a registry, a governance layer, and a security integration point for every agent running in a Microsoft 365 environment - and increasingly, agents running outside it.
Agent Discovery and the Registry
The Agent 365 overview dashboard in the Microsoft 365 admin center is the starting point. It surfaces a running count of registered agents, active users, growth trends, and risk signals, with a breakdown by publisher and platform. In a demo environment shown at Microsoft Ignite 2025, the dashboard displayed 26,350 total agents with 58,293 unique active users - a number that shows how quickly agent sprawl accumulates once Copilot Studio access is broadly available. Admins can filter agents by platform, owner, and risk level, and flag agents missing an assigned owner for remediation.
Registry sync extends visibility to agents running on AWS Bedrock and Google Cloud through public preview connectors. At this stage the integration is mostly read-heavy: you can see external agents and their metadata, and sometimes delete them directly from Agent 365 without switching consoles. Full cross-cloud policy enforcement isn't here yet.
Shadow AI Detection
Shadow AI - agents running without IT knowledge or approval - is one of Agent 365's most concrete and directly useful features. Defender and Intune detect unmanaged coding agents on enrolled Windows devices, starting with OpenClaw at GA. GitHub Copilot CLI and Claude Code are on the expansion list for June 2026, with 18 total agent types targeted.
The mechanics work at the Intune policy level: once a device is enrolled, admins see which shadow agents are running, apply block policies, and configure alerts. For enterprises where developers install third-party agents outside the approved stack - and our reporting confirms this is far more common than CISOs expect - the detection is operationally significant.
The Security Layer
Agent 365 is built on three existing Microsoft security pillars rather than being a standalone security product. That architecture means you need the underlying products to get the full agent-specific value.
Defender and Runtime Blocking
Microsoft Defender gains agent-specific detection through Agent 365. In runtime, Defender assesses agent behavior using webhooks and can block suspicious activity before execution completes. The case from Microsoft's early-access program is instructive: a misconfigured healthcare scheduling agent attempted to forward patient data to an external email address, and Defender blocked the outbound call, then triggered an incident alert in the Defender portal for investigation. The kind of breach that used to require post-mortem forensics now generates a real-time interrupt.
Runtime threat protection is in public preview at GA, not fully released. This is the most significant disclosure in Microsoft's launch notes - governance software with its security enforcement capability still in preview is a product that's partly finished.
Context mapping - which builds a relationship graph showing each agent's device, configured MCP servers, associated identities, and reachable cloud resources - arrives in June 2026.
Purview for Data Governance
Microsoft Purview's Communication Compliance capabilities extend to agent interactions through Agent 365. DLP policies and retention policies apply to human-to-agent and agent-to-human exchanges, meaning the same compliance controls already governing employee email now cover agent conversations. For financial services and healthcare organizations already running Purview, this is a natural extension rather than a new procurement decision.
Entra Network Controls
Microsoft Entra provides identity-aware network controls through what Microsoft calls Secure Access Service Edge for agents. This layer handles prompt injection protection and web filtering for Copilot Studio agents and local endpoint devices - blocking requests to known-bad destinations and flagging unusual traffic patterns before they reach the agent runtime.
The Agent 365 overview dashboard gives admins a real-time count of registered agents, platform distribution, and risk signals. In this screenshot the registry shows 26,350 total agents across an organization.
Source: admindroid.com
Multi-Cloud and MCP Visibility
The registry sync connectors for AWS Bedrock and Google Cloud are a meaningful concession from Microsoft: not every enterprise agent lives in M365. At GA the connectors are in public preview, but the direction is clear. Enterprises can consent to connecting external platforms, pull external agent metadata into the Agent 365 registry, and take limited lifecycle actions like deletion directly from the Microsoft console.
The MCP server visibility story is more forward-looking. The context mapping feature arriving June 2026 will map the relationship between each agent and every MCP server it's configured to use. Given how quickly MCP adoption has grown and the security consequences of agents with unconstrained tool access, this is among the features practitioners will actually rely on day-to-day. It isn't here yet.
Microsoft's open-source Agent Governance Toolkit, released in April, gave developers a framework-agnostic policy enforcement layer that works independently of M365. Agent 365 is the enterprise-licensed counterpart: managed infrastructure rather than self-hosted tooling, with support contracts rather than GitHub issues.
What's Still Preview
The gap between what's advertised and what's fully shipped at GA deserves a direct accounting:
- Runtime threat blocking - public preview. The Defender webhook approach works in early access testing but hasn't cleared Microsoft's GA bar.
- Autonomous agents - Frontier Preview only. Agent 365 GA covers OBO (on-behalf-of) agents that act in a specific user's context. Agents that run independently - including A2A and A2T scenarios - remain preview-only, with their licensing model still being defined.
- Security posture management for Azure AI Foundry - public preview.
- Context mapping for MCP servers - shipping June 2026.
The OBO-only scope is the most significant limitation for forward-looking buyers. Many of the enterprise use cases attracting serious investment right now involve agents that run autonomously on schedules, respond to events without user prompts, and chain across systems without a human user attached. Agent 365 can't fully govern those yet.
Pricing: $15 Well Spent, or Licensing Maze?
| Option | Price | What's Included |
|---|---|---|
| Agent 365 standalone | $15/user/month | Agent 365 governance layer only |
| Microsoft 365 E7 | $99/user/month | M365 E5 + M365 Copilot + Entra Suite + Agent 365 |
| Components bought separately | ~$117/user/month | M365 E5 ($60) + Copilot ($30) + Entra ($12) + Agent 365 ($15) |
The E7 bundle saves about 15% over buying each product separately. The more important number is what you're actually paying for: Agent 365 doesn't grant Defender or Purview capabilities by itself. It extends the capabilities you already have to cover agents. An organization without E5-level security investments gets far less value from Agent 365 than one running the full Defender and Purview stack.
Agent 365 extends the security capabilities you already have to agents. Without an existing E5 security investment, the $15 per user buys far less than the marketing implies.
The licensing definition problem also remains open. Microsoft hasn't published a clear line between what qualifies as an "agent" requiring an Agent 365 seat and what is a standard Copilot Studio workflow. Licensing analysts at SAMexpert note that different Microsoft product teams don't agree on the definition internally. For enterprise procurement, that ambiguity carries real financial risk until Microsoft closes it - and there's no published timeline for that.
How It Compares
Google launched its Gemini Enterprise Agent Platform at Cloud Next 2026 with Agent Identity, Agent Registry, and Agent Gateway - broadly similar capabilities built around Google Cloud infrastructure rather than M365. AWS is taking a more modular approach, emphasizing data sovereignty through VPC-Confined Models and native Bedrock governance.
Kore.ai launched a dedicated Agent Management Platform in March 2026 targeted at cross-framework governance for organizations running agents on multiple clouds. For shops with no strong vendor alignment, it's worth assessing with Agent 365.
The AI agent governance market is growing rapidly - analysts put it at $3.4 billion in 2026 - and several competing products have shipped in the past six months. We also reviewed OpenAI's Workspace Agents earlier this year: a different product category focused on agent creation rather than governance, but worth reading alongside this for the full picture of what the major labs are shipping for enterprise.
For M365-centric organizations with existing E5 security, Agent 365 has no real competition at this price point. For multi-cloud shops or teams building fully autonomous agents, the evaluation is less obvious until the GA-preview gap closes.
Strengths and Weaknesses
Strengths:
- Native integration with Defender, Purview, and Entra - no new security stack required
- Shadow AI detection for unmanaged coding agents is genuinely useful and working today
- Multi-cloud registry sync brings AWS and Google Cloud agents into the same governance view
- The E7 bundle pricing is competitive for organizations already buying Copilot
Weaknesses:
- Runtime threat blocking is still in public preview at GA
- Autonomous agent coverage (A2A, A2T) is Frontier Preview only
- Agent 365 doesn't include agent creation - Copilot Studio is a separate cost
- Licensing definitions are unclear, creating real procurement risk
- MCP context mapping, arguably the most security-critical feature, ships in June 2026
Verdict
Agent 365 is real, working software that fills a genuine enterprise gap. The Defender integration catches agent misbehavior in runtime. Purview brings DLP and retention policies to agent conversations. Shadow AI detection identifies and blocks unmanaged coding agents on Windows devices. None of that's vapor.
The score of 7.2/10 reflects what shipped on May 1, not the roadmap. Three of the most consequential features are either in public preview or weeks away. An enterprise buying Agent 365 today is partly paying for a product that's being finished in public. For large M365 shops running Copilot Studio at scale, that tradeoff makes sense - the governance gap is real and waiting has its own cost. For everyone else, the Q4 2026 evaluation window is when the full product actually exists.
Sources
- Microsoft Agent 365 now generally available - Microsoft Security Blog
- What's New in Agent 365: May 2026 - Microsoft Community Hub
- Microsoft Agent 365 overview - Microsoft Learn
- Microsoft Agent 365: A Licensing Puzzle - SAMexpert
- Microsoft 365 E7: $99 Bundle Breakdown - SAMexpert
- Microsoft takes Agent 365 out of preview - VentureBeat
- Microsoft Agent 365 Turns Shadow AI Into a Governed Asset Class - Futurum
- What Does Agent 365 Miss About Shadow AI - LayerX Security
