AI agents are already in your environment. Not “coming soon”—already there, running on developer laptops, reaching into SharePoint, executing tasks against your cloud resources, doing exactly none of that through the governance workflows your security team controls.
Microsoft Agent 365 went generally available on May 1, 2026. The control plane assigns each AI agent its own Entra identity, runs it through Purview labels, surfaces it in Defender, and lets Intune apply the same device policies to agents on Windows endpoints that it already applies to users. It’s priced at $15 per user per month as a standalone add-on, or bundled into the new Microsoft 365 E7 Frontier Suite at $99. Either way, it’s now a real SKU you can purchase, not a roadmap promise.
This article covers what the GA release actually ships, what’s still behind a preview gate, and what a realistic onboarding workflow looks like for IT teams.
Why Agent Sprawl Became an IT Problem
The pattern looks familiar because it matches how SaaS adoption went a decade ago. A developer discovers OpenClaw, drops it on their Windows machine, wires it up to an Anthropic API key, and points it at their Outlook inbox to triage emails. They mention it to three colleagues. Within a month the tool is running on forty machines, touching customer data, making API calls to services the security team has never seen. No Entra identity. No DLP policy. No audit trail.
OpenClaw is the open-source autonomous agent built by Peter Steinberger. It works with Anthropic, OpenAI, or local models, runs on Mac, Windows, and Linux, and requires zero IT approval to install. Microsoft uses it as the canonical example in Agent 365 documentation for exactly that reason. GitHub Copilot CLI and Claude Code follow the same pattern: genuinely useful tools that operate at the boundary of what endpoint management has traditionally covered.
Microsoft’s bet with Agent 365 is that agent governance should look like device and identity governance rather than a separate category of tooling. If you already run Intune, Entra, and Defender, Agent 365 threads those investments together so that an AI agent lands in your existing admin surface instead of running parallel to it.
The Control Plane Architecture
Agent 365 doesn’t replace anything in your Microsoft security stack. It connects Entra, Purview, Intune, and Defender so each AI agent looks like a managed object to all four simultaneously.
Entra Agent ID. Each agent in the registry gets its own managed identity with least-privilege permissions defined at registration. Risk signals from Entra ID Protection flow into Agent 365 and can drive Conditional Access policies that block an agent if its risk score crosses a threshold. The same risk-based CA model you apply to users now applies to agents.
Microsoft Purview. Sensitivity labels you’ve already applied to documents become enforcement points for agents. Copilot and Agent 365 DLP policies can exclude items tagged “Highly Confidential” from being processed by an agent, and every blocked access gets logged as an incident. This is what closes the loop on the “agent read my sensitive file” scenario security leads worry about most.
Microsoft Intune. If the Windows machine running a local agent goes non-compliant (the user disabled BitLocker, say, or the device falls outside your OS version policy), Intune can restrict or shut down the agent on it. Posture enforcement that governs employees now extends to the agents those employees are running.
Microsoft Defender. Endpoint telemetry fires alerts when an agent spawns unexpected child processes, makes unusual network calls, or touches protected registry keys. Starting June 2026, Defender will generate a relationship map for each local agent showing the host device, configured MCP servers, associated identities, and cloud resources those identities can reach. Security teams get blast-radius context before an incident, not just after.
Network controls. This piece shipped in the GA release. Microsoft Entra network controls now extend to Copilot Studio agents and agents running on user endpoints. Admins can restrict agent connections to approved web destinations, filter risky file movement, and block prompt injection-style attacks at the network edge. It’s the first time Microsoft has shipped agent-specific network controls as a default Entra capability rather than a custom firewall configuration.
The admin experience lives in the Microsoft 365 admin center as its own workload. The overview dashboard surfaces total registered agents, growth trends, connected platforms, runtime hours, and risk signals—the same metrics IT teams already get for managed devices, now applied to agent fleets.
Local Agents on Windows Endpoints
The headline addition between the November 2025 Frontier preview and the May 1 GA is local agent management on Windows. Through Defender and Intune integration, organizations can now discover and manage AI agents running directly on Windows devices.
For the GA release, inventory starts with OpenClaw. Customers enrolled in the Frontier program can see which devices have it installed, review its MCP server configurations, and use Intune policies to block its common installation paths on managed machines. The Shadow AI page in the Microsoft 365 admin center surfaces all discovered local agents in one place.
GitHub Copilot CLI and Claude Code are listed as “coming soon” in the GA documentation, with no firm date published. The architecture is identical to OpenClaw’s integration path. When those connectors land, the same Defender relationship map and Intune policy controls will apply.
For IT teams, the immediate practical question is what to do right now. The GA discovery capability tells you which devices have OpenClaw installed, which MCP servers those agents are configured to use, and which cloud identities they’re operating under. Running discovery-only mode for a few weeks before writing block policies gives you a real picture of your environment rather than a guess.
Multicloud Registry Sync
Agent 365’s multicloud registry sync went into public preview on the same day the core product went GA. Organizations can connect AWS Bedrock and Google Cloud Gemini Enterprise (formerly Vertex AI) to the Microsoft 365 admin center and import agents running on those platforms into the Agent 365 registry.
The scope is registry-level for now: discover, inventory, and perform basic lifecycle operations (start, stop, delete). Full runtime policy enforcement on third-party clouds isn’t in scope for this preview. That said, the inventory capability matters. A single admin dashboard with visibility across Azure, AWS, and Google Cloud agents means a CISO isn’t stitching together multiple portals to answer basic questions about what’s running and who owns it.
Adobe, Zendesk, Genspark, and Kore.ai are named as launch partners whose agents are built to plug directly into Agent 365’s management layer. Those agents show up in the registry fully configured, with no integration work required from IT. They fall under the same Defender and Intune oversight as first-party tooling from day one.
A Practical Onboarding Workflow
Week 1: Discovery only. Enable Agent 365 in the Microsoft 365 admin center and connect it to your existing Intune and Defender deployments. Don’t write block policies yet. Use the Shadow AI page to build an inventory of local agents, cloud agents registered in Copilot Studio, and SaaS agents connected to your tenant. Run this for at least two weeks before taking enforcement action.
Weeks 2 and 3: Identity audit. Review which agents have Entra identities and which are operating without them. OBO agents (those acting on behalf of a specific user) should all show an Entra Agent ID in the registry. Agents without identities are the highest-priority governance gap. Register the ones you want to sanction; flag the rest for the block list.
Week 4: Network controls first. Start enforcement with Entra network policy. Restricting agent connections to approved web destinations applies immediately to all covered agents without per-agent configuration. Once that baseline is in place, work through Purview label policies for the data classifications that matter most to your organization.
Ongoing: Defender alert tuning. Set up alert rules for agent behaviors most likely to indicate compromise: unexpected child processes, network calls to uncategorized destinations, access to files above a defined sensitivity label threshold. The relationship maps shipping in June 2026 will make this easier by giving you a static baseline for each agent’s expected behavior profile.
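As an added illustration of the alert logic this step describes (not Microsoft or Defender code, and not tied to any Defender API), the script below encodes a per-agent expected-behaviour baseline, the same idea as the relationship-map baseline mentioned above, and checks constructed telemetry events against the three behaviours listed: unexpected child processes, calls to uncategorized destinations, and reads above a sensitivity-label threshold. The agent name, process names, destination categories, label ranking and sample events are all assumptions made up for the example.

```python
"""Toy detector for the agent behaviours the alert-tuning step calls out.
Added example, not Microsoft or Defender code: agent names, process names,
destination categories and the label ranking are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional

# Sensitivity labels ordered least to most sensitive (assumed ranking).
LABEL_RANK = {"Public": 0, "General": 1, "Confidential": 2, "Highly Confidential": 3}

@dataclass
class AgentBaseline:
    """Expected-behaviour profile for one agent (the 'static baseline' idea)."""
    name: str
    expected_children: set    # processes the agent is expected to spawn
    allowed_categories: set   # web destination categories it may contact
    max_label: str            # highest sensitivity label it may read

def evaluate(event: dict, baseline: AgentBaseline) -> Optional[str]:
    """Return an alert string when one event deviates from the baseline, else None."""
    kind = event["type"]
    if kind == "process" and event["child"] not in baseline.expected_children:
        return f"{baseline.name}: unexpected child process {event['child']}"
    if kind == "network" and event["category"] not in baseline.allowed_categories:
        return f"{baseline.name}: {event['category']} destination {event['dest']}"
    if kind == "file" and LABEL_RANK[event["label"]] > LABEL_RANK[baseline.max_label]:
        return f"{baseline.name}: read {event['path']} labelled {event['label']}"
    return None

def run_detection(events: list, baselines: dict) -> list:
    """Evaluate every event; an agent with no registered baseline is itself a finding."""
    alerts = []
    for ev in events:
        base = baselines.get(ev["agent"])
        if base is None:
            alerts.append(f"{ev['agent']}: no baseline registered (unsanctioned agent)")
            continue
        hit = evaluate(ev, base)
        if hit:
            alerts.append(hit)
    return alerts

# Constructed sample data: one sanctioned agent baseline and five telemetry events.
BASELINES = {"openclaw": AgentBaseline("openclaw", {"node.exe"}, {"approved"}, "Confidential")}
SAMPLE_EVENTS = [
    {"agent": "openclaw", "type": "process", "child": "node.exe"},
    {"agent": "openclaw", "type": "process", "child": "powershell.exe"},
    {"agent": "openclaw", "type": "network", "category": "uncategorized", "dest": "203.0.113.7"},
    {"agent": "openclaw", "type": "file", "path": "C:/Users/dev/board.docx", "label": "Highly Confidential"},
    {"agent": "unknown-agent", "type": "process", "child": "cmd.exe"},
]
```

Calling `run_detection(SAMPLE_EVENTS, BASELINES)` yields four findings: the unexpected PowerShell child, the uncategorized destination, the Highly Confidential read, and the agent with no baseline; the expected `node.exe` child produces nothing.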
What’s Still in Preview
The GA release is a strong observability and identity layer. It isn’t yet a full policy DSL for agent behavior.
Policy-based action controls—granular RBAC for what an agent is actually permitted to do at runtime—are planned for June 2026. Until those land, enforcement relies on network controls, Purview DLP, and Intune device posture rather than direct restrictions on agent actions.
The developer SDK and agent identity authentication for autonomous agents remain in Frontier preview. So do agentic user capabilities: agents that operate as their own first-class identities rather than acting on behalf of a human. Microsoft is being deliberate about this sequencing. The OBO model maps onto existing enterprise IAM patterns cleanly. Autonomous agent identity is a harder governance problem that requires audit and compliance frameworks that aren’t fully worked out yet industry-wide.
Windows 365 for Agents (purpose-built Cloud PCs for agentic workloads, managed through Intune with elastic warm and cold pool scaling) is in public preview, US only for now.
| Capability | Status — May 2026 |
|---|---|
| OBO agent control plane | Generally available |
| Local agent discovery (OpenClaw on Windows) | Generally available |
| Local agent discovery (GitHub Copilot CLI, Claude Code) | Coming soon |
| Multicloud registry sync (AWS Bedrock, Google Gemini Enterprise) | Public preview |
| Windows 365 for Agents | Public preview (US only) |
| Policy-based action controls | Planned June 2026 |
| Developer SDK + agentic user identity | Frontier preview |
Limitations Worth Knowing
Agent 365 assumes your agent footprint overlaps significantly with Microsoft’s own ecosystem. Organizations running agents primarily on LangGraph, CrewAI, or open-source AutoGen frameworks on Linux infrastructure will find that local agent discovery and the Intune integration don’t cover them. Those paths are Windows-focused and Microsoft-partner-integrated for now.
The multicloud registry sync is passive inventory. AWS and Google Cloud agents appear in your dashboard but can’t be policy-controlled through Agent 365 the way a Copilot Studio agent can. For teams comparing Agent 365 against standalone agent observability platforms, that gap is real and worth including in the evaluation.
Licensing is additive. If you’re on Microsoft 365 E3, getting Agent 365 means buying the $15 standalone add-on or upgrading to E7 at $99 per user. That’s a significant per-seat jump. Organizations already on E5 plus a Copilot license are closer to the point where E7 math works in their favor. SAMexpert estimates the bundle saves up to 15% versus purchasing components separately.
What This Means for Teams Shipping Agents
If you build agents that go into Microsoft-shop enterprise customers, the practical implication of Agent 365 GA is direct: design for Entra Agent IDs from the start. Agents built for Agent 365 get a path into the Agent Showcase and the SDC launch partner directory. Agents not built for it show up on your customers’ Shadow AI page and may get blocked by Intune policy before they reach end users.
The MCP connection matters too. Agent 365’s Defender relationship map surfaces the MCP servers a local agent has configured alongside the agent’s identity and cloud resource access. If your agent uses MCP servers that aren’t recognized or approved by an enterprise customer’s policy, that’s a visible flag in their security dashboard from the moment your agent is discovered.
For IT and endpoint management teams, Agent 365 GA means the governance conversation about AI agents is now the same conversation as device and identity governance. It’s not a separate workstream. The tooling is already in your admin center. What changed is that the agents your users are running are finally visible to it.
Where This Is Heading
Agent 365 going GA is less about any single feature than about the shape it signals for enterprise AI infrastructure. Microsoft is positioning agent governance as an extension of the IAM, DLP, EDR, and MDM stack you already operate, not as a new category running alongside it.
The multicloud registry reach shows how far that bet extends. AWS Bedrock agents appearing in the Microsoft 365 admin center is the same move Intune made when it added iOS and Android device management. Customers who ran their device fleet through Microsoft tooling didn’t think twice about managing non-Windows devices there. The question for enterprise IT is whether they want a Microsoft-centric view of their entire agent fleet or whether they’ll run agent governance through a platform-neutral tool.
For organizations already deep in the Microsoft stack, the answer is probably the same one they gave about device management a decade ago.
The June policy-based controls and the local agent expansions for GitHub Copilot CLI and Claude Code will be the real test of whether Agent 365 delivers on its full promise. Right now it’s the most comprehensive agent governance plane available to enterprise IT. The gaps are documented. But the foundation—Entra identity, Purview labels, Intune posture, Defender telemetry—is one that enterprise security teams already know how to run.
Agent 365 pricing: $15/user/month standalone or included in Microsoft 365 E7 at $99/user/month. Generally available as of May 1, 2026 for commercial customers. Sources: Microsoft Security Blog, Nerd Level Tech, M365 Admin.