May 15, 2026 Mid-Level (3-5 years) Deep Dive

Microsoft Agent 365: What IT Admins Need to Know About the New AI Agent Control Plane

Microsoft Agent 365 went GA on May 1, 2026. Here's how it works, what it actually covers, and how to start locking down your agent sprawl using Intune, Entra, and Defender.

AI agents are already running in your environment. Some you sanctioned. Most you didn’t.

That’s the uncomfortable reality Microsoft is addressing with Agent 365, which reached general availability on May 1, 2026. If you manage endpoints, identities, or compliance for your organization, Agent 365 is not just another M365 feature launch. It’s a fundamental shift in how enterprise AI infrastructure is governed, secured, and audited. And the clock is ticking on getting ahead of the agent sprawl problem.

This article breaks down what Agent 365 actually does, how it integrates with the tools you already run (Intune, Entra ID, Defender), what’s live today versus coming in June, and the practical steps to start using it now.


What Problem Agent 365 Is Solving

The problem is worth being specific about before getting into features.

When Microsoft 365 Copilot Wave 3 shipped on the same day as Agent 365 GA, it didn’t just add features. It fundamentally changed how easily agents get created and deployed. Developers can spin up Copilot Studio agents in minutes. Users can install Claude Code, GitHub Copilot CLI, and OpenClaw directly on their Windows devices with no IT involvement. SaaS products like Zendesk, Genspark, and Egnyte now ship their own agents that connect into your tenant.

Every one of those agents can invoke tools, access SharePoint data, read emails, write code, and interact with other agents. And until Agent 365, there was no single place to see all of them, let alone enforce consistent policies across them.

The framing Microsoft uses is “agent sprawl” — and it’s not hype. The gap isn’t that agents are dangerous by design. The gap is that they’re invisible. You can’t apply DLP policies to a local coding agent you don’t know exists. You can’t enforce least-privilege access on a SaaS agent that wasn’t registered anywhere.

Agent 365 is the answer to that visibility gap.


What Agent 365 Actually Controls

Agent 365 positions itself as the control plane across three categories of agents:

Delegated-access agents work on behalf of a user (think an inbox-organizing Copilot or a meeting-summarizing agent). These have been covered since the Frontier preview.

Own-access agents operate with their own credentials and scope, often running autonomously in the background: support ticket triagers, compliance monitoring agents, automated reporting pipelines. These also hit GA on May 1.

Team-workflow agents participate in multi-agent orchestration, acting as peers and delegating tasks to each other. These are in public preview now.

The key thing to understand is that Agent 365 surfaces all three categories in a single admin console in the Microsoft 365 admin center. From there, you can see what agents exist, who owns them, what permissions they hold, and what activity they’re generating.


How Intune and Defender Plug In

The most practical integration for endpoint admins is the local agent discovery capability, which uses Microsoft Defender and Intune together.

Here’s how it works today: if you have devices enrolled in Intune, Agent 365 can surface a Shadow AI page in both the M365 admin center and the Intune admin center. This page shows which local AI agents are running on managed Windows devices — currently focused on OpenClaw, with GitHub Copilot CLI and Claude Code support coming soon. You can see which devices are running these agents, and you can deploy Intune policies to block the common execution methods for unsanctioned agents.

This matters for orgs running Defender for Endpoint because the goal is more than blocking an application. Defender is designed to map each discovered agent to the devices it runs on, the MCP servers it has configured, the identities associated with it, and the cloud resources those identities can reach. That context lets security teams assess the actual blast radius of a compromised or over-privileged local agent rather than just flag its existence.

One important distinction: the richer context mapping (the relationship graph view in Defender) and policy-based runtime blocking are hitting public preview in June 2026, not today. What’s live right now is the discovery and basic inventory surfacing. Plan your rollout timeline accordingly.


Entra Network Controls for Agent Traffic

One of the more underappreciated capabilities in the GA release is how Agent 365 extends Microsoft Entra network controls to agent traffic.

AI agents operate far faster than human users, which means they can also move sensitive data, reach risky web destinations, and act on an injected prompt faster than any manual review process could catch. Conditional Access and the rest of the identity policy stack were designed around human sign-in flows, not autonomous agent execution.

Agent 365 now applies Entra’s internet access controls to Copilot Studio agents and to local agents running on user endpoint devices. Practically, this means:

  • You can restrict agent connections to approved web destinations only
  • You can filter risky file movement at the network layer
  • You can identify unsanctioned AI service usage (agents calling external LLM APIs you didn’t approve)
  • Outbound actions triggered by a prompt injection (an agent steered into posting data to an attacker-controlled URL) are blocked at the network layer when the destination isn't approved. The injected text itself is not inspected by this control, so treat it as containment, not a prompt filter.

The enforcement happens through the same network inspection infrastructure as Microsoft Entra Internet Access, so if you’re already running that, Agent 365 extends coverage without requiring a separate deployment.
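The monitor-only phase produces a list of destinations agents actually reach. The PowerShell below is an added example (not code from the article or from Microsoft) of triaging such an export before switching the policy to block: it classifies each connection as approved, an unsanctioned LLM API, a possible bulk upload, or something to review. The log columns, the allowlist, the LLM host list and the 1 MB threshold are all constructed for the example; the Entra Internet Access traffic-log export has its own field names, so map them before running this on real data.

```powershell
# Added example, not code from the article or Microsoft. Triage of a
# monitor-mode egress export for agent traffic. The CSV layout is constructed
# for the example and is NOT the Entra Internet Access traffic-log schema.

# Constructed sample export: one row per connection seen while the policy
# was still in monitor mode.
$sampleCsv = @'
timestamp,device,process,destination,bytesSent,action
2026-05-12T09:01:10Z,WS-1042,openclaw.exe,api.openai.com,8210,allow
2026-05-12T09:01:12Z,WS-1042,openclaw.exe,sharepoint.contoso.com,912,allow
2026-05-12T09:03:40Z,WS-2217,claude.exe,api.anthropic.com,14520,allow
2026-05-12T09:04:02Z,WS-2217,claude.exe,pastebin.com,6291456,allow
2026-05-12T09:05:15Z,WS-0311,copilot.exe,generativelanguage.googleapis.com,3020,allow
2026-05-12T09:06:00Z,WS-0311,copilot.exe,files.pythonhosted.org,45000,allow
'@

# Destinations the organisation has approved for agent use (example values;
# your allowlist will differ).
$ApprovedDestinations = @(
    'api.anthropic.com',
    'sharepoint.contoso.com',
    'files.pythonhosted.org'
)

# Well-known hosted LLM API endpoints. One of these outside the allowlist is
# the "unsanctioned AI service usage" case from the text. Wildcards allowed.
$KnownLlmApiHosts = @(
    'api.openai.com',
    'api.anthropic.com',
    'generativelanguage.googleapis.com',
    'bedrock-runtime.*.amazonaws.com'
)

# Bytes sent to a non-approved host above this is treated as possible data
# movement. Arbitrary example threshold.
$UploadThresholdBytes = 1MB

function Get-AgentEgressFindings {
    param(
        [Parameter(Mandatory)][object[]] $Rows,
        [string[]] $Approved = $ApprovedDestinations,
        [string[]] $LlmHosts = $KnownLlmApiHosts,
        [long]     $UploadThreshold = $UploadThresholdBytes
    )
    foreach ($row in $Rows) {
        $dest       = $row.destination.ToLowerInvariant()
        $isApproved = $Approved -contains $dest
        # -like so the host list can carry wildcards such as the Bedrock region.
        $isLlmApi   = [bool]($LlmHosts | Where-Object { $dest -like $_ })
        $bytes      = [long]$row.bytesSent

        $verdict =
            if ($isApproved)                     { 'approved' }
            elseif ($isLlmApi)                   { 'unsanctioned-ai-service' }
            elseif ($bytes -ge $UploadThreshold) { 'possible-exfil' }
            else                                 { 'review' }

        [pscustomobject]@{
            Timestamp   = $row.timestamp
            Device      = $row.device
            Process     = $row.process
            Destination = $dest
            BytesSent   = $bytes
            Verdict     = $verdict
        }
    }
}

$findings = Get-AgentEgressFindings -Rows ($sampleCsv | ConvertFrom-Csv)

# Everything that is not approved is the review queue before flipping the
# policy from monitor to block.
$findings | Where-Object { $_.Verdict -ne 'approved' } |
    Sort-Object Verdict, Device |
    Format-Table -AutoSize
```

On the constructed rows this surfaces two unsanctioned LLM APIs (OpenAI and Gemini) and one 6 MB push to pastebin.com; the approved Anthropic, SharePoint and PyPI connections drop out. Run the same classification on a real export before blocking so that the first block policy does not break a sanctioned workflow nobody documented.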


Multi-Cloud Registry Sync

Enterprise environments don’t run exclusively on Azure. Agent 365 now includes a public preview of registry sync with AWS Bedrock and Google Cloud (the Gemini Enterprise Agent Platform, formerly Vertex AI).

When you connect these providers to Agent 365, the registry automatically discovers agents running in those environments: what models they’re built on, what resources they’re accessing. That inventory surfaces in the M365 admin center alongside your Microsoft-hosted agents. Basic lifecycle governance (start, stop, delete) is coming to the registry sync feature soon.

This matters for organizations where different engineering teams independently chose different cloud AI providers. You get a single pane of glass for agent inventory across clouds without requiring each team to integrate separately.


Practical Workflow: Getting Started with Agent 365

Here’s a reasonable sequence for an IT admin who wants to move from zero to operational governance in the next few weeks:

Step 1: Licensing check. Agent 365 is included in Microsoft 365 E7 (GA as of May 1) or available standalone at $15/user/month. Confirm your tenant has the right SKU before anything else. The license covers the person managing or sponsoring agents, not each agent itself.

Step 2: Enable the Shadow AI page. Navigate to the Microsoft 365 admin center > Agents > Shadow AI. This requires Intune enrollment for your Windows devices. If you’re already managing devices through Intune, the discovery data will start populating within 24-48 hours.

Step 3: Audit your Copilot Studio agents. Pull the inventory of agents built in your tenant through Copilot Studio. Check for authentication gaps (the updated authoring experience now surfaces these directly). Pay attention to agents with broad SharePoint or Exchange permissions that were deployed during pilot programs and never cleaned up.

Step 4: Connect your cloud registries. If your organization runs agents on AWS Bedrock or Google Cloud, configure the registry sync connections under Agent 365 settings. Even if you don’t plan to govern those agents yet, getting visibility now is worth the 15-minute setup.

Step 5: Set Entra network policies for agent traffic. Work with your network/identity team to configure internet access policies through Entra that apply to agent identities. Start with monitoring-only mode before blocking anything. You’ll likely discover agents calling destinations you weren’t aware of.

Step 6: Plan for June. The context mapping in Defender and runtime blocking of local agents hits public preview next month. Start identifying which Defender for Endpoint policies you’ll want to extend, and get your runbooks updated for agent-specific incidents.
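For step 3, an added example (not from the article or Microsoft) of the identity-side check. It assumes that own-access agents in your tenant hold their own Entra service principals with Microsoft Graph application permissions, and it lists the ones holding tenant-wide SharePoint, Files, Mail or Directory roles. It needs the Microsoft Graph PowerShell SDK; the role list, the sample agent names and the first-party-tenant filter are the script's own choices, not something Agent 365 provides.

```powershell
# Added example, not code from the article or Microsoft. Assumes own-access
# agents appear in Entra as service principals holding Microsoft Graph
# application permissions. Needs the Microsoft Graph PowerShell SDK:
#   Install-Module Microsoft.Graph.Applications

# Graph application roles that give an agent tenant-wide data access.
# Extend for your own risk appetite.
$BroadGraphRoles = @(
    'Sites.Read.All', 'Sites.ReadWrite.All', 'Sites.FullControl.All',
    'Files.Read.All', 'Files.ReadWrite.All',
    'Mail.Read', 'Mail.ReadWrite', 'Mail.Send',
    'Directory.ReadWrite.All', 'User.ReadWrite.All'
)

# Pure evaluation step, kept separate so it can run offline on exported data.
function Test-BroadAgentGrant {
    param(
        [Parameter(Mandatory)][string]   $DisplayName,
        [Parameter(Mandatory)][string[]] $GrantedRoles,
        [string[]] $BroadRoles = $BroadGraphRoles
    )
    $hits = @($GrantedRoles | Where-Object { $BroadRoles -contains $_ })
    [pscustomobject]@{
        DisplayName = $DisplayName
        Broad       = ($hits.Count -gt 0)
        BroadRoles  = ($hits -join ', ')
        RoleCount   = $GrantedRoles.Count
    }
}

function Get-BroadAgentGrants {
    # A read-only scope is enough to enumerate app role assignments.
    Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

    # Resolve Microsoft Graph's app-role GUIDs to names such as Sites.Read.All.
    $graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    $roleName = @{}
    foreach ($r in $graphSp.AppRoles) { $roleName[$r.Id] = $r.Value }

    # Application-type principals only, skipping Microsoft first-party apps
    # (owned by the well-known Microsoft Services tenant).
    $sps = Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'" |
        Where-Object { $_.AppOwnerOrganizationId -ne 'f8cdef31-a31e-4b4a-93e4-5f571e91255a' }

    foreach ($sp in $sps) {
        $granted = @(
            Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
                Where-Object { $_.ResourceId -eq $graphSp.Id } |
                ForEach-Object { $roleName[$_.AppRoleId] }
        )
        if ($granted.Count -gt 0) {
            Test-BroadAgentGrant -DisplayName $sp.DisplayName -GrantedRoles $granted
        }
    }
}

# Offline demonstration on constructed agent names and grants:
Test-BroadAgentGrant -DisplayName 'ticket-triage-agent' -GrantedRoles 'Mail.Read', 'Sites.Read.All'
Test-BroadAgentGrant -DisplayName 'meeting-notes-agent' -GrantedRoles 'Calendars.Read'

# Live run once connected to the tenant:
# Get-BroadAgentGrants | Where-Object Broad | Sort-Object RoleCount -Descending | Format-Table -AutoSize
```

The constructed triage agent comes back with Broad = True on Mail.Read and Sites.Read.All; the notes agent holding only Calendars.Read does not. Delegated-access agents that act under a signed-in user's token will not show up here, because their reach is bounded by that user's permissions rather than by an application grant.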


Limitations and Real Caveats

A few things to keep in mind before assuming Agent 365 solves everything:

Local agent coverage is narrow today. OpenClaw is the primary local agent supported for discovery and blocking right now. GitHub Copilot CLI and Claude Code are “coming soon,” but no firm date has been given beyond the June preview window. If your developers are primarily running other local agents, your coverage gap is real until that list expands.

Registry sync doesn’t cover all cloud platforms. AWS Bedrock and Google Cloud connections are in preview. Azure-hosted agents through Microsoft Foundry are covered. But if your teams are running agents through OpenAI’s platform directly, Hugging Face Inference Endpoints, or other providers, there’s no registry sync yet.

Governance requires E7 or standalone licensing. Some visibility features surface in Defender and Intune regardless of Agent 365 licensing, but the full governance control plane (policies, lifecycle management, and the Shadow AI page) requires the Agent 365 SKU. If you’re in a budget-constrained environment, build the business case before assuming broad availability.

MCP server visibility is coming, not here. The Defender relationship map that shows which MCP servers are configured for each local agent is part of the June preview. If your developers are running local agents with broad MCP server configurations, that specific attack surface isn’t yet fully visible through Agent 365.
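Until the Defender relationship map ships, you can collect the MCP attack surface yourself. The script below is an added example (not from the article, Microsoft or any agent vendor) that serves both the Shadow AI discovery section above and this caveat: run from Intune, it walks every user profile on the device, parses the MCP server configuration files that local agents leave behind, and flags stdio servers (local code execution), inline tokens, plaintext endpoints and remote hosts nobody has reviewed. The config paths are assumptions drawn from the tools' documentation at the time of writing (the OpenClaw path is a placeholder to confirm), and the sample config and approved-host list are constructed.

```powershell
# Added example, not code from the article, Microsoft or the agent vendors.
# Inventories MCP server configurations left on a Windows device by local
# agents. Written to run as SYSTEM from Intune, so it walks C:\Users rather
# than trusting $env:USERPROFILE.

# Config files relative to each user profile. These locations are assumptions
# to verify against the versions you deploy; the OpenClaw entry is a placeholder.
# All share the shape { "mcpServers": { "<name>": { "command"|"url", ... } } }.
# Project-scoped .mcp.json files inside repositories are not covered here.
$McpConfigPaths = @(
    '.claude.json',                                      # Claude Code, user scope
    '.copilot\mcp-config.json',                          # GitHub Copilot CLI
    'AppData\Roaming\Claude\claude_desktop_config.json', # Claude Desktop
    '.openclaw\openclaw.json'                            # OpenClaw (assumed)
)

# Remote MCP hosts that have been through security review (example value).
$ApprovedMcpHosts = @('mcp.contoso.com')

function Get-McpServerInventory {
    param(
        [Parameter(Mandatory)][string] $Json,
        [Parameter(Mandatory)][string] $Source,   # where the JSON came from
        [string[]] $Approved = $ApprovedMcpHosts
    )
    try   { $cfg = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { return }                               # not JSON; skip quietly
    if (-not $cfg.mcpServers) { return }

    foreach ($prop in $cfg.mcpServers.PSObject.Properties) {
        $s          = $prop.Value
        $isRemote   = [bool]$s.url
        $remoteHost = if ($isRemote) { ([uri]$s.url).Host } else { $null }
        $envNames   = @()
        if ($s.env) { $envNames = @($s.env.PSObject.Properties.Name) }

        $flags = @()
        # A stdio server is arbitrary code the agent can launch on the device.
        if (-not $isRemote) { $flags += 'local-exec' }
        # Inline env blocks are where API keys and PATs end up.
        if ($envNames -match 'TOKEN|KEY|SECRET|PASSWORD') { $flags += 'inline-secret' }
        if ($isRemote -and ($Approved -notcontains $remoteHost)) { $flags += 'unreviewed-host' }
        if ($isRemote -and ($s.url -notlike 'https://*')) { $flags += 'plaintext' }

        $transport = if ($isRemote) { 'remote' } else { 'stdio' }
        $launch    = if ($isRemote) { $s.url } else {
            (@($s.command) + @($s.args) | Where-Object { $_ }) -join ' '
        }
        [pscustomobject]@{
            Source    = $Source
            Server    = $prop.Name
            Transport = $transport
            Launch    = $launch
            EnvVars   = ($envNames -join ',')
            Flags     = ($flags -join ',')
        }
    }
}

function Get-DeviceMcpInventory {
    # Every real user profile; Intune runs this as SYSTEM, not as the user.
    $skip = 'Public', 'Default', 'Default User', 'All Users'
    foreach ($userDir in Get-ChildItem 'C:\Users' -Directory | Where-Object { $_.Name -notin $skip }) {
        foreach ($rel in $McpConfigPaths) {
            $path = Join-Path $userDir.FullName $rel
            if (Test-Path -LiteralPath $path) {
                Get-McpServerInventory -Json (Get-Content -LiteralPath $path -Raw) -Source $path
            }
        }
    }
}

# Constructed sample standing in for a real .claude.json:
$sample = @'
{ "mcpServers": {
    "filesystem": { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "C:\\Users\\alice"] },
    "jira":       { "url": "http://jira-mcp.internal:8080/mcp" },
    "github":     { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"],
                    "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_redacted" } }
} }
'@
Get-McpServerInventory -Json $sample -Source 'sample' |
    Format-Table Server, Transport, Flags, EnvVars -AutoSize

# As an Intune detection script: emit JSON for collection, exit 1 if anything is flagged.
# $inv = @(Get-DeviceMcpInventory); $inv | ConvertTo-Json -Compress
# if ($inv | Where-Object { $_.Flags }) { exit 1 } else { exit 0 }
```

On the sample, filesystem and github are flagged local-exec (github additionally inline-secret because of the PAT in its env block), and jira is flagged unreviewed-host and plaintext. The JSON output from the device function is what you would collect centrally until Defender's own MCP mapping reaches your tenant.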


Why This Matters Now

The speed of agent adoption makes the governance gap worse every week you wait. Copilot Studio lowered the floor for building agents. Wave 3 lowered it further. Developers and power users are deploying agents into production workflows without security review, and many of those agents have access to sensitive data that would trigger compliance requirements if a human accessed it the same way.

Agent 365 gives IT and security teams the tooling to catch up — the local agent coverage is still maturing, multi-cloud support has real gaps, and the most powerful Defender integrations won’t be fully available until June. But the inventory and policy foundation is available today. Waiting until everything is complete means your agent estate grows larger and harder to audit in the meantime.

Start with discovery. Build the inventory. Then use the June preview window to layer in runtime controls.

