Shadow AI has a new address in the Microsoft 365 admin center, and it finally has teeth. On May 1, 2026, Microsoft shipped Agent 365 as a generally available product — a control plane designed to let IT and security teams observe, govern, and secure AI agents across the enterprise. The timing matters: AI agents like OpenClaw and Claude Code are already running on managed Windows devices in your org, often without IT’s knowledge or approval.
This article walks through what Agent 365 actually is, how its Shadow AI discovery feature works with Intune, and a practical workflow you can follow today to start getting a handle on unauthorized agents in your environment.
What Is Microsoft Agent 365?
Agent 365 is Microsoft’s answer to a problem that has been building for two years: agents proliferate fast, span apps and endpoints, and increasingly operate outside the visibility of the teams accountable for risk. A local AI coding assistant like OpenClaw can read your file system, invoke external tools, and interact with cloud resources. The installed binary might show up as one more line in a discovered-apps list, but what the agent actually does with that access appears in no traditional software inventory or MDM report.
The platform is built around three core functions: observe (find every agent in a single registry), govern (apply policy controls), and secure (block malicious behavior and enforce network guardrails). It integrates with Microsoft Defender, Intune, Entra, and Purview, so you’re working with admin tooling you already manage rather than standing up a net-new platform.
Pricing is $15 per user per month, or included with the new Microsoft 365 E7 license. The per-user model covers individuals who manage or sponsor agents, or use agents to do work on their behalf.
What changed at GA isn’t just the support SLA. Microsoft also shipped several new capabilities alongside the launch:
- Shadow AI discovery for local agents (OpenClaw in preview today, with GitHub Copilot CLI and Claude Code due in June 2026)
- Registry sync with AWS Bedrock and Google Cloud for multi-cloud agent inventory
- Network controls via Entra to inspect and restrict agent traffic to approved destinations
- Windows 365 for Agents, a purpose-built Cloud PC environment for running agents in policy-controlled conditions
For most IT admins, the most immediately actionable piece is Shadow AI discovery through Intune.
Understanding Shadow AI: What’s the Actual Risk?
Shadow AI in the context of Agent 365 refers to AI agents users are running locally or via SaaS platforms without IT approval. This differs from classic shadow IT: an unapproved SaaS app is mainly a data-handling risk, while an unapproved agent also takes autonomous actions, using the user’s identity and whatever access that identity carries.
Consider a concrete scenario: an employee installs OpenClaw on their Windows laptop to help automate code reviews. OpenClaw has access to local files, can call configured MCP servers, and may interact with cloud services tied to the user’s Microsoft identity. Intune’s software inventory has no notion of what the agent is doing with that access, and no DLP policy covers its behavior. If the agent is misconfigured, or is fed a malicious prompt through content it processes, it can exfiltrate sensitive files or connect to unapproved external services without any visibility on your end.
The Microsoft Defender context mapping arriving in June 2026 will show exactly which MCP servers are configured per agent, which identity is tied to the agent, and which cloud resources that identity can reach. But you don’t need to wait for that to start detecting and blocking unauthorized agents today.
Prerequisites Before You Start
Before using Shadow AI governance in Agent 365, confirm the following are in place:
License requirements. Microsoft 365 E3 is the minimum to view Shadow AI agents. E5, E7, or standalone Agent 365 licensing gives you the full governance feature set including blocking capabilities.
Intune enrollment. Managed Windows devices must be enrolled in Microsoft Intune. Devices that are not Intune-enrolled won’t appear in detected device lists. If you’re running a hybrid environment with co-managed devices (Configuration Manager plus Intune), only devices with the Device Configuration or Endpoint Protection workloads pointed to Intune will receive the detection and blocking policies. Test this in a pilot ring before broad rollout.
Frontier program opt-in. Shadow AI is currently a Frontier preview capability. You need to explicitly opt your tenant into the Frontier preview program in the Microsoft 365 admin center before the Shadow AI page becomes visible.
Admin role. Security Administrator, Intune Administrator, and AI Administrator can apply policies. Security Reader, Reports Reader, and Global Reader can view inventory without making changes. Assign roles based on whether the person needs read-only visibility or the ability to enforce controls.
Step-by-Step: Detecting Shadow AI Agents with Intune
Once prerequisites are satisfied, this is the workflow to get Shadow AI detection running.
Step 1: Navigate to the Shadow AI page. Sign in to the Microsoft 365 admin center at admin.microsoft.com. In the left navigation bar, select Show all, then expand Agents. Select Shadow AI (Frontier). You’ll see a list of agents Microsoft currently supports detection for. As of May 2026, OpenClaw is the primary supported agent.
Step 2: Review agent details. Click on OpenClaw to open the details pane. The Details tab shows the last scan timestamp and whether any Intune security policies are currently applied to your tenant. If you’re seeing this page for the first time, the policy status will be empty.
Step 3: Enable detection. In the details pane, select the Security policies tab. Enable Continuously detect managed devices and select Apply policies. This tells Intune to start scanning enrolled Windows devices for evidence of the agent being installed or running.
Detection doesn’t propagate instantly. After Intune receives the policy, device inventory can take anywhere from 15 minutes to 8 hours to fully sync, depending on your Intune check-in configuration and the number of devices in scope. Don’t evaluate results within the first hour.
Step 4: View detected devices. Once detection policies have had time to run, return to the agent details pane and select the Detected devices tab. You’ll see a list of device names, device types (Desktop, Laptop, VM, Server), OS versions, and the last Intune scan timestamp per device.
This inventory is your baseline. Before enabling blocking, spend time with this list. Are these developer machines in a legitimate test workflow? Are there devices in sensitive departments where blocking is a priority? The detected devices view gives you the context to make that call.
Step 5: Block the agent (if warranted). If you decide to enforce a block, go back to Security policies and select Block AI agents from OpenClaw. This creates a new Intune configuration policy named A365 - Block OpenClaw and pushes it automatically to all managed Windows devices enrolled in Intune.
The policy blocks common installation and execution paths for OpenClaw. It does not remove data the agent may already have processed, and in some configurations it won’t uninstall the application; what it does is stop the agent from running. Treat it as containment, not cleanup: if a blocked device had access to sensitive data, what the agent did with that data before the block is a separate question to investigate.
You can view and edit the policy directly in the Intune admin center by searching for A365 - Block OpenClaw under device configuration policies. If you need to scope the block to specific device groups rather than all managed devices, that customization must happen in Intune. The admin center doesn’t expose group scoping controls for these auto-created policies yet.
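Steps 4 and 5 as a script, added here as an example and not taken from the article or from Microsoft: it triages a copy of the Detected devices list against a list of machines you have approved, flags devices whose last scan is older than the eight-hour sync window, and then re-scopes the auto-created block policy so it still targets all devices but excludes an Entra group holding the approved exceptions. Assumptions: the detected-devices rows have been copied into a CSV with the columns the tab shows (the rows below are constructed sample data); the policy is reachable through Microsoft Graph either as a classic device configuration or as a settings catalog policy and can be found by its display name; the exclusion group already exists and you supply its object ID; the Microsoft.Graph PowerShell module is installed. The Graph call is left commented out in the usage lines so the triage part runs offline.

```powershell
# Added example, not Microsoft's code: triage detected devices, then scope the A365 block policy.
# Sample rows are constructed; policy type and group ID are assumptions (see lead-in).

# --- 1. Constructed stand-in for the Detected devices tab (replace with your own rows) ---
$detectedCsv = @'
DeviceName,DeviceType,OSVersion,LastScan
DEV-LT-0142,Laptop,10.0.26100.3476,2026-05-04T08:12:00Z
FIN-DT-0031,Desktop,10.0.22631.5039,2026-05-04T07:55:00Z
BLD-VM-0007,VM,10.0.20348.3328,2026-05-03T18:40:00Z
'@
$detected = $detectedCsv | ConvertFrom-Csv

# Machines the security team has accepted as a legitimate test workflow (constructed list).
$approved = @('DEV-LT-0142')

function Get-AgentTriage {
    <# Classify each detected device as Block or Exclude and flag scans older than the sync window. #>
    param(
        [Parameter(Mandatory)] [object[]] $Detected,
        [string[]] $ApprovedDeviceNames = @(),
        [int]      $StaleAfterHours = 8,                 # upper bound the article gives for inventory sync
        [DateTime] $AsOf = [DateTime]::UtcNow
    )
    foreach ($d in $Detected) {
        $lastScan    = [DateTimeOffset]::Parse($d.LastScan, [cultureinfo]::InvariantCulture).UtcDateTime
        $disposition = if ($ApprovedDeviceNames -contains $d.DeviceName) { 'Exclude' } else { 'Block' }
        [pscustomobject]@{
            DeviceName  = $d.DeviceName
            DeviceType  = $d.DeviceType
            OSVersion   = $d.OSVersion
            Disposition = $disposition
            StaleScan   = ($AsOf - $lastScan).TotalHours -gt $StaleAfterHours
        }
    }
}

function Set-A365BlockScope {
    <# Keep the block assigned to all devices but exclude the approved-exceptions group. #>
    param(
        [string] $PolicyName = 'A365 - Block OpenClaw',
        [Parameter(Mandatory)] [string] $ExclusionGroupId   # object ID of an existing device group
    )
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

    # The admin center lists the policy under device configuration. Assumption: it is either a
    # classic deviceConfiguration (v1.0, filtered on displayName) or a settings catalog policy
    # (beta, filtered on name). Try the first, fall back to the second.
    $graph  = 'https://graph.microsoft.com'
    $uri    = "$graph/v1.0/deviceManagement/deviceConfigurations?`$filter=displayName eq '$PolicyName'"
    $policy = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value | Select-Object -First 1
    if ($policy) {
        $assignUri = "$graph/v1.0/deviceManagement/deviceConfigurations/$($policy.id)/assign"
    } else {
        $uri    = "$graph/beta/deviceManagement/configurationPolicies?`$filter=name eq '$PolicyName'"
        $policy = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value | Select-Object -First 1
        if (-not $policy) { throw "Policy '$PolicyName' not found. Create it from the Shadow AI page first." }
        $assignUri = "$graph/beta/deviceManagement/configurationPolicies/$($policy.id)/assign"
    }

    # /assign replaces the whole assignment set: all devices, minus the exclusion group.
    $body = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } },
            @{ target = @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'
                           groupId      = $ExclusionGroupId } }
        )
    }
    Invoke-MgGraphRequest -Method POST -Uri $assignUri -Body ($body | ConvertTo-Json -Depth 6) -ContentType 'application/json'
}

# Usage: review the triage first; only then rescope the policy with the real group ID.
$triage = Get-AgentTriage -Detected $detected -ApprovedDeviceNames $approved
$triage | Format-Table -AutoSize
# Set-A365BlockScope -ExclusionGroupId '00000000-0000-0000-0000-000000000000'   # placeholder, replace
```

Two things to keep in mind when adapting this. The devices you mark Exclude still have to be members of the exclusion group; the script does not add them, and a device left out of the group is blocked like everything else. And because /assign overwrites the assignment set, the same call is the place to do department-level scoping instead: drop the allDevicesAssignmentTarget entry and list one groupAssignmentTarget per device group you want the block to hit.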
What About Cloud and SaaS Agents?
The Shadow AI page covers local agents on Intune-managed Windows devices. For cloud-hosted and SaaS agents, the Agent 365 registry in the Microsoft 365 admin center is the relevant surface.
The registry sync with AWS Bedrock and Google Cloud (public preview as of May 2026) pulls agent inventories from those platforms into a central view. For third-party SaaS agents from partners like Zendesk, Genspark, and Zensai, Microsoft has pre-built the integration so they surface in the registry without any custom connector work.
The governance workflow for cloud agents is less mature than the Intune-based workflow for local agents. Registry sync gives you visibility, and basic lifecycle actions (start, stop, delete agents) are on the near-term roadmap. For now, cloud agent governance via Agent 365 is primarily observability, not enforcement.
Network Controls: Restricting What Agents Can Reach
One underappreciated capability in the GA release is Entra network controls for agents. Agent 365 extends Microsoft Entra’s existing network access policies to cover Microsoft Copilot Studio agents and agents running on endpoint devices, including local agents like OpenClaw.
In practical terms, this means you can apply the same internet access filtering and tenant restriction policies to agent traffic that you already apply to user traffic. You can restrict agents to only approved web destinations and filter risky file transfer behavior. Network controls don’t stop a prompt injection from landing in the agent’s context, but by denying unapproved destinations they cut off the exfiltration path a successful injection would otherwise use.
This is particularly relevant for organizations that have already deployed Microsoft Entra Internet Access or Global Secure Access. If those controls are in place, extending them to agent traffic is a configuration change, not an architectural lift.
Current Limitations Worth Knowing
Shadow AI governance via Agent 365 is early-stage technology. A few constraints to plan around:
Detection scope is Windows-only. macOS, Linux, iOS, and Android are not supported for local agent detection today. Developer populations that skew macOS won’t be fully covered by the Intune-based workflow.
Frontier opt-in affects your update cadence. The Frontier program puts your tenant on a faster-moving feature track. Preview features are more subject to change. Evaluate whether this is appropriate for your production tenant or limit Frontier enrollment to a dedicated test tenant.
Blocking targets all Intune-enrolled Windows devices by default. The auto-created block policy doesn’t scope to device groups. If you need department-level or role-based blocking, plan to modify the policy in Intune immediately after creation.
The Shadow AI page is not a full software inventory. Agent 365 tracks AI agents specifically. Browser extensions with AI capabilities, AI plugins bundled in other software, and agents not yet in Microsoft’s detection library won’t appear.
Licensing math matters. At $15/user/month standalone, Agent 365 costs $75,000/month for a 5,000-user org. The business case is stronger at E7 license levels where it’s included. Run a cost analysis before committing, and consider whether a read-only E3 deployment for detection alone addresses your immediate needs.
What’s Coming in June 2026
Microsoft has published specific commitments for June 2026, which makes it easier to plan your governance roadmap:
- Expansion of local agent detection to GitHub Copilot CLI and Claude Code, with a target of 18 different agent types by end of the month
- Defender context mapping: per-agent relationship graphs showing configured MCP servers, associated identities, and reachable cloud resources
- Runtime blocking and alerts for agents through Intune and Defender (entering public preview in June)
- Policy-based controls for local agent behavior beyond installation blocking
The architecture decisions you make in May matter here. Clean Intune enrollment, correct admin role assignments, and a documented agent approval process will be much easier to extend to 18 agent types than starting from scratch in June.
A Practical Starting Point
If you’re running Microsoft 365 E3 or above, have Intune managing Windows devices, and haven’t looked at Agent 365 yet, the lowest-effort starting point is enabling detection only for OpenClaw. You’ll get a real inventory of local AI agents across your Intune-enrolled endpoints without changing any user behavior. That data tells you the actual scope of the problem before you decide whether blocking is warranted.
The larger Agent 365 investment — licensing, registry sync, Defender integration — makes the most sense for organizations already running Copilot Studio agents, building custom agentic workflows, or operating in regulated industries where AI activity needs an audit trail.
For everyone else: detection first. Block when the data gives you a reason.
Sources: Microsoft Security Blog — Agent 365 GA, Microsoft Learn — Shadow AI in M365 Admin Center, Microsoft Agent 365 Overview