AI agents are already running in your environment. The question isn’t whether your organization has adopted them. It’s whether your IT team can see them, control them, and contain them when something goes wrong.
Microsoft Agent 365 went generally available on May 1, 2026, and it’s the most significant development in enterprise endpoint governance since the early Intune rollouts. It’s not just another admin console feature. It’s a dedicated control plane built specifically to give IT, endpoint, and security teams visibility into the growing population of agents operating across their tenants, including agents nobody sanctioned.
This article breaks down what Agent 365 does, how it connects to the tools you already manage (Intune, Entra, Defender), and what to configure first.
The Problem Agent 365 Is Trying to Solve
Shadow IT used to mean unsanctioned SaaS apps. In 2026, it means autonomous agents that can read email, write code, access SharePoint, and call external APIs, all without a ticket, a CAB approval, or a line in your SIEM.
Your developers are running OpenClaw and Claude Code locally. Someone in marketing has connected a Copilot Studio agent to the company’s Salesforce instance. A new SaaS tool the sales team bought last quarter ships with its own built-in AI agent that has read access to your CRM data. None of these things went through IT procurement.
The problem is compounded by how fast agents can act. A misconfigured agent can exfiltrate data or make destructive API calls orders of magnitude faster than a human user doing the same thing accidentally. Traditional DLP and access controls were designed around human activity patterns. Agents don’t behave like humans.
Agent 365 is Microsoft’s answer to this. The platform gives admins a unified registry of every agent operating in the tenant, policy controls to block or restrict specific agents, network-layer inspection for agent traffic, and integration points with Defender for runtime threat detection.
The Three Pillars: Observe, Govern, Secure
Microsoft organized Agent 365 around three capabilities that map to the workflow an IT team actually runs when managing any new asset class.
Observe is the foundation. Before you can govern or secure agents, you need to see them. Agent 365 provides a centralized registry in the Microsoft 365 admin center that surfaces all agents in the tenant, including those built with Copilot Studio, deployed from Microsoft 365 Copilot, or discovered running on managed endpoints. Starting in June 2026, the registry will also sync with AWS Bedrock and Google Cloud, so teams running multi-cloud agent workloads get a consolidated view across platforms.
Govern handles lifecycle management and access controls. Through the registry, admins can manage which agents are active, review the permissions those agents hold, and enforce policies around how they operate. Microsoft Purview plugs in here for DLP coverage, so data governance policies extend to agent activity the same way they apply to user activity.
Secure is where Defender and Entra come in. Entra extends network controls to agents running on managed endpoints and in Copilot Studio, giving security teams the ability to restrict which web destinations an agent can reach, filter risky file movement, and cut off the outbound connections that a prompt injection attempt tries to steer an agent toward. Defender handles runtime detection, with asset context mapping coming in June 2026 that will show which MCP servers an agent is configured for, which identities it uses, and which cloud resources those identities can access.
Shadow AI Discovery: Local Agents on Managed Devices
This is the piece that will matter most to endpoint managers. Microsoft is rolling out the ability to discover local AI agents running on Windows devices, starting with OpenClaw. GitHub Copilot CLI and Claude Code are listed as coming soon.
The discovery workflow runs through a new Shadow AI page in the Agent 365 section of the Microsoft 365 admin center. When an agent is detected on managed devices, admins can see which specific machines it’s running on and apply Intune policies to block the common execution paths for that agent.
What this actually means in practice:
- Enrollment in the Microsoft Frontier program is currently required to access Shadow AI discovery for local agents
- Blocking happens via Intune policy pushed to managed Windows devices
- Blocking targets the common ways these agents launch (process execution paths, startup entries); it is not a sandbox around the agent
- Mac devices (macOS) are also covered, as shown in Microsoft’s own screenshots from the GA announcement
The important caveat here is that this feature is detection-and-block, not sandboxing. A determined user with admin rights on their own machine can work around Intune restrictions. The controls are most effective on corporate-managed devices where users don’t have local admin. For BYOD scenarios, coverage is limited to what Intune MDM can reach.
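To see what “detection-and-block on known execution paths” looks like from the endpoint side, here is an added PowerShell example. It is not Microsoft’s code and not how the Shadow AI page or the Intune policy is implemented; it is the kind of check an endpoint engineer runs on a device to confirm what the platform is reporting. It inventories the same places a block would target (running processes, Run keys, scheduled tasks, global npm packages) and reports whether the signed-in user is a local admin, which is the caveat above. Every indicator substring in `$AgentIndicators` is an assumption standing in for whatever you decide to hunt for.

```powershell
# Added example, not Microsoft's or Agent 365's code. Inventories indicators of local AI
# agents on a Windows endpoint (running processes, Run keys, scheduled tasks, global npm
# packages) and reports whether the signed-in user holds local admin, i.e. whether an
# Intune process/startup block would actually hold. Every substring in $AgentIndicators
# is an ASSUMPTION standing in for the indicators you decide to hunt for.

$AgentIndicators = @(
    [pscustomobject]@{ Agent = 'OpenClaw';           Patterns = @('openclaw') }
    [pscustomobject]@{ Agent = 'Claude Code';        Patterns = @('claude-code') }
    [pscustomobject]@{ Agent = 'GitHub Copilot CLI'; Patterns = @('@github\copilot') }
)

function Test-AgentMatch {
    # Returns the agent name whose indicator appears in $Text (case-insensitive), or $null.
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return $null }
    foreach ($ind in $AgentIndicators) {
        foreach ($p in $ind.Patterns) {
            if ($Text.IndexOf($p, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $ind.Agent }
        }
    }
    return $null
}

function Get-AgentProcessHits {
    # Match on the full command line, not only the image name: Node-based CLIs run as
    # node.exe, so a name-only match would miss them.
    foreach ($proc in (Get-CimInstance Win32_Process)) {
        $hit = Test-AgentMatch ("$($proc.CommandLine) $($proc.ExecutablePath)")
        if ($hit) {
            [pscustomobject]@{ Source = 'Process'; Agent = $hit
                               Detail = "$($proc.Name) (PID $($proc.ProcessId)): $($proc.CommandLine)" }
        }
    }
}

function Get-AgentStartupHits {
    # Per-user and machine Run keys, then scheduled task actions.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $meta) { continue }   # skip the provider metadata properties
            $hit = Test-AgentMatch ([string]$p.Value)
            if ($hit) { [pscustomobject]@{ Source = 'RunKey'; Agent = $hit; Detail = "$key\$($p.Name) = $($p.Value)" } }
        }
    }
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            $hit = Test-AgentMatch $cmd
            if ($hit) { [pscustomobject]@{ Source = 'ScheduledTask'; Agent = $hit; Detail = "$($task.TaskPath)$($task.TaskName): $cmd" } }
        }
    }
}

function Get-AgentPackageHits {
    # Global npm installs (the usual install path for these CLIs) live under %APPDATA%\npm.
    $npmRoot = Join-Path $env:APPDATA 'npm\node_modules'
    if (-not (Test-Path $npmRoot)) { return }
    foreach ($dir in (Get-ChildItem -Path $npmRoot -Directory -Recurse -Depth 1)) {
        $hit = Test-AgentMatch $dir.FullName
        if ($hit) { [pscustomobject]@{ Source = 'NpmPackage'; Agent = $hit; Detail = $dir.FullName } }
    }
}

function Test-LocalAdmin {
    # Look for the Administrators SID in the token's groups rather than calling IsInRole,
    # which returns $false in a non-elevated (UAC-filtered) session even for a local admin.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    return [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
}

function Invoke-LocalAgentInventory {
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        UserIsLocalAdmin = Test-LocalAdmin
        Hits             = @(Get-AgentProcessHits) + @(Get-AgentStartupHits) + @(Get-AgentPackageHits)
    }
}

# Constructed command line (not captured from a real host): the image is node.exe and the
# agent only appears in the argument path, which is why matching runs on the command line.
Test-AgentMatch 'C:\Program Files\nodejs\node.exe C:\Users\j\AppData\Roaming\npm\node_modules\@anthropic-ai\claude-code\cli.js'

$result = Invoke-LocalAgentInventory
$result.Hits | Format-Table Source, Agent, Detail -AutoSize
if ($result.UserIsLocalAdmin) {
    Write-Warning 'Signed-in user is a local admin; an Intune execution-path block can be undone locally.'
}
```

Run it in a normal user session on a managed device and compare the output against what the Shadow AI page reports for that machine. The local-admin warning is the operational point: on a device where it fires, treat any process or startup block as advisory and rely on the network controls and Defender instead.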
Starting June 2026, Defender will add an agent relationship map that shows the full context of a detected local agent: what devices it runs on, what MCP servers are configured for it, what identities are associated with it, and what cloud resources those identities can reach. This gives security teams an actual blast radius assessment rather than just a flag that something is running.
Entra Network Controls for Agents
One of the GA capabilities is the extension of Microsoft Entra network controls to cover agent traffic. This applies to two categories:
- Copilot Studio agents running in your tenant
- Local agents running on managed endpoint devices
The controls work at the network layer, which means they apply regardless of what the agent itself is doing at the application layer. Admins can restrict agents to approved web destinations only, which is the most impactful setting for most organizations. It stops agents from calling out to unsanctioned AI APIs or exfiltrating data to arbitrary endpoints, and it limits the damage when a prompt injection redirects an agent to an attacker-controlled URL: the injection still lands, but the connection it asks for is refused.
For organizations already running Entra Private Access or using Conditional Access policies, the mental model is similar. You’re defining what the “user” (in this case, the agent) is allowed to reach. The implementation is through the Microsoft 365 admin center under the Agent 365 network settings section, not the classic Entra admin center. Update your runbooks accordingly.
Recommended starting configuration for most tenants:
- Enable network controls for Copilot Studio agents first, since those are the easiest to inventory and the most commonly deployed in governed environments
- Set allowed destinations to your known SaaS list plus Microsoft’s CDN ranges
- Enable file movement filtering to block agents from uploading to unsanctioned destinations
- Review Defender alerts for prompt injection attempts weekly until you have a baseline
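The allowlist recommendation above is the one that catches people out in practice, because a careless domain match lets `sharepoint.com.evil.example` through on the strength of the substring `sharepoint.com`. Here is an added PowerShell example, not Microsoft’s code and not how Agent 365 evaluates its setting (that happens in the service, configured in the admin center), that applies a destination allowlist with `*.` wildcard entries to constructed agent egress records and reports what would have been blocked. The log format, agent names, domains and byte counts are all constructed for the example.

```powershell
# Added example, not Microsoft's or Agent 365's code. Evaluates constructed agent egress
# records against a destination allowlist the way the network controls described above are
# meant to work, then summarises what would have been blocked per agent. Log format, agent
# names, domains and byte counts are CONSTRUCTED for the example.

$AllowedDestinations = @(
    'graph.microsoft.com',
    'login.microsoftonline.com',
    '*.sharepoint.com',       # wildcard: any subdomain, label-aligned
    '*.salesforce.com',
    'api.openai.com'          # an explicitly sanctioned AI API, for contrast
)

function Test-DestinationAllowed {
    # Exact entries match the host exactly; '*.example.com' matches subdomains on a label
    # boundary only, so 'sharepoint.com.evil.example' and 'evilsharepoint.com' both fail.
    param([string]$HostName, [string[]]$Allowlist)
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($entry in $Allowlist) {
        $e = $entry.ToLowerInvariant()
        if ($e.StartsWith('*.')) {
            $suffix = $e.Substring(1)                       # '.sharepoint.com'
            if ($h.EndsWith($suffix) -and $h.Length -gt $suffix.Length) { return $true }
        } elseif ($h -eq $e) {
            return $true
        }
    }
    return $false
}

# Constructed egress records in an invented key=value shape; not a real Entra or Defender log.
$SampleLog = @'
2026-05-03T10:14:02Z agent=copilotstudio:sales-assistant dst=contoso.sharepoint.com:443 bytes_out=2140
2026-05-03T10:14:05Z agent=copilotstudio:sales-assistant dst=api.anthropic.com:443 bytes_out=51200
2026-05-03T10:14:09Z agent=local:openclaw host=LAPTOP-07 dst=sharepoint.com.evil.example:443 bytes_out=983040
2026-05-03T10:14:11Z agent=local:openclaw host=LAPTOP-07 dst=graph.microsoft.com:443 bytes_out=1200
2026-05-03T10:14:15Z agent=copilotstudio:hr-helper dst=pastebin.com:443 bytes_out=220000
'@

function Get-AgentEgressReport {
    # Parses each record and tags it with the allowlist decision.
    param([string]$LogText, [string[]]$Allowlist)
    $pattern = '^(?<ts>\S+)\s+agent=(?<agent>\S+)(?:\s+host=\S+)?\s+dst=(?<host>[^:\s]+)(?::\d+)?\s+bytes_out=(?<bytes>\d+)'
    foreach ($line in ($LogText -split "`r?`n")) {
        if (-not ($line -match $pattern)) { continue }
        [pscustomobject]@{
            Timestamp   = $Matches.ts
            Agent       = $Matches.agent
            Destination = $Matches.host
            BytesOut    = [int64]$Matches.bytes
            Allowed     = Test-DestinationAllowed -HostName $Matches.host -Allowlist $Allowlist
        }
    }
}

function Get-BlockedSummary {
    # One row per agent: which destinations the allowlist would have refused and how many
    # bytes were headed there, which is the "file movement" view of the same data.
    param($Report)
    $Report | Where-Object { -not $_.Allowed } | Group-Object Agent | ForEach-Object {
        [pscustomobject]@{
            Agent               = $_.Name
            BlockedDestinations = ($_.Group.Destination | Sort-Object -Unique) -join ', '
            BytesRefused        = ($_.Group | Measure-Object BytesOut -Sum).Sum
        }
    }
}

$report = Get-AgentEgressReport -LogText $SampleLog -Allowlist $AllowedDestinations
$report | Format-Table Timestamp, Agent, Destination, BytesOut, Allowed -AutoSize
Get-BlockedSummary $report | Format-Table -AutoSize
```

With the constructed input, the two SharePoint-looking hosts split the right way (`contoso.sharepoint.com` allowed, `sharepoint.com.evil.example` refused), the unsanctioned AI API and the paste site are refused, and the summary shows which agent was about to move the most data. When you populate the real setting, keep the same discipline: list exact hosts or label-aligned wildcards, never bare substrings.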
Windows 365 for Agents
Microsoft announced Windows 365 for Agents in public preview alongside the Agent 365 GA. This is a new class of Cloud PC designed specifically to host agent workloads.
The practical use case is for organizations that want agents to operate in a fully managed, policy-controlled environment rather than on user devices or in a SaaS platform. An agent running on Windows 365 for Agents has the same identity, security, and Intune management controls applied to it as a user Cloud PC. It shows up in the Agent 365 admin center so you can see what agents are connected to the compute instance.
Currently in public preview and US-only. Worth monitoring if you’re building internal agents that need to interact with Windows applications or desktop workflows, since that’s the specific scenario this infrastructure targets.
A Practical Onboarding Workflow
If you’re an IT or endpoint admin looking at Agent 365 for the first time, here’s a reasonable sequence for the first 30 days:
Week 1: Inventory
Open the Agent 365 registry in the Microsoft 365 admin center. Run the discovery report. What you’ll find typically breaks into three categories: Microsoft-built agents (Copilot agents, Teams agents), admin-sanctioned Copilot Studio agents, and surprises. Focus on the surprises first.
Week 2: Classify and assess
For every agent in the registry, determine: Does IT know about this? Does it have more permissions than it needs? Is it connected to sensitive data repositories? Flag anything with SharePoint, Exchange, or HR system access that wasn’t formally procured.
Week 3: Apply baseline controls
Enable Entra network controls for Copilot Studio agents. Set allowed destinations. Turn on the Shadow AI discovery page if your organization is in the Frontier program. Deploy the Intune policy to block OpenClaw if that’s relevant to your environment.
Week 4: Build process
Establish an agent procurement process that mirrors your SaaS procurement process. Any new agent deployment should go through a review that checks: What data does it access? What identities does it use? What can it call externally? Document this in your runbook before agent sprawl outpaces your current inventory effort.
Licensing and Prerequisites
Agent 365 is available in Microsoft 365 E7 (which went GA the same day) or as a standalone add-on at USD 15 per user per month. The licensing model is per user, where “user” means the person who manages, sponsors, or actively uses agents in their workflow.
For the full feature set, Microsoft recommends:
- Entra ID P1 or P2 (for conditional access and network controls)
- Microsoft Purview DLP (for data governance on agent activity)
- Microsoft Defender for Endpoint (for local agent discovery and runtime protection)
Without Defender for Endpoint, you won’t have access to the local agent discovery features or the June 2026 asset context mapping. Without Entra P1 at minimum, the network controls are limited. If your organization is on Microsoft 365 E3, you’ll need add-ons before Agent 365 is useful beyond basic registry visibility.
What to Watch For
The local agent discovery feature is genuinely new territory and the current implementation has edges. Blocking agents via Intune works by targeting the known execution paths, which means Microsoft has to add specific support for each agent. OpenClaw is first. Claude Code and GitHub Copilot CLI are confirmed as coming soon. But developers are creative, and agents built on less common frameworks won’t appear in Shadow AI discovery until Microsoft adds support for them.
The registry sync with AWS Bedrock and Google Cloud is currently in public preview, which means the data it surfaces is useful for awareness but shouldn’t be treated as a complete inventory. Multi-cloud agent governance is genuinely hard and this feature reflects where the tooling is today, not where it needs to be.
Prompt injection is listed as one of the threats the network controls can help block. That’s true at the network layer for redirects to known malicious destinations. It doesn’t address in-context prompt injection in the data an agent processes. Defense at that layer still requires prompt hardening at the agent level and Purview sensitivity labels on the data sources agents can reach.
Where This Fits in Your Security Posture
Agent 365 isn’t a replacement for anything you already have. It’s an extension layer over Intune, Entra, Defender, and Purview that applies those controls to a new actor type: the AI agent.
If your organization already has mature endpoint management through Intune, solid Conditional Access policies in Entra, and Defender for Endpoint coverage across your device fleet, Agent 365 will feel like a natural extension. The admin workflows map to what you’re already doing. The difference is that you’re now applying those workflows to agents instead of users.
If your organization is earlier in the Intune or Entra maturity curve, start there before investing in Agent 365. The platform’s value multiplies on top of existing Microsoft security tooling. Without that foundation, you’ll have registry visibility but limited enforcement capability.
The agents are already there. Agent 365 is how you start managing them like IT assets instead of accepting them as an uncontrolled background process.
Sources: Microsoft Agent 365 GA Announcement · Microsoft Agent 365 Overview (Learn) · Security Copilot Agents in Intune (Learn) · Microsoft 365 E7 GA Blog