May 24, 2026 | Mid-Level (3-5 years) | Deep Dive

Microsoft Agent 365: Taking Control of AI Agent Sprawl in the Enterprise

Agent 365 is now generally available. Here's what IT and security teams need to know about discovering shadow AI, governing local agents via Intune, and actually using the new control plane in practice.


AI agents are already running in your organization whether you know it or not. Developers have Claude Code installed on their laptops. Sales teams are using SaaS agents connected to your CRM. Someone in engineering is running OpenClaw to automate code reviews. None of them filed a ticket. None of them went through procurement.

That’s the reality Microsoft is responding to with Agent 365, which went generally available on May 1, 2026. It’s positioned as the control plane for enterprise AI agents: a single layer through which IT and security teams can discover, govern, and enforce policy across agents regardless of where they were built or where they run.

This piece breaks down what Agent 365 actually does, how Intune and Defender fit into the picture, what the practical setup workflow looks like, and where the product is still rough around the edges.


What Agent 365 Is (and What It Is Not)

Agent 365 isn’t an AI agent itself. It’s a management and governance layer, conceptually similar to what Mobile Device Management is for endpoints, but applied to the sprawling ecosystem of AI agents operating across your tenant.

Microsoft organizes the product around three functions: observe, govern, and secure. Observe means a unified registry of all agents active in the environment, including who deployed them, what they have access to, and where they’re running. Govern means lifecycle management, access controls, and compliance policies enforced through tools your team already operates: the M365 admin center, Entra, and Purview. Secure means integrating with Defender to detect anomalous agent behavior and block unapproved agents at runtime. It also provides tools to map the blast radius if something goes sideways.

Agent 365 is licensed per user at $15/month standalone, or bundled in the new Microsoft 365 E7 SKU. The license applies to users who manage agents, sponsor agents, or whose work is being done by agents. That’s an important distinction when sizing a deployment: you’re licensing the humans in the governance chain, not the number of agents running.

What it is not, at least today, is a replacement for purpose-built security tooling. It extends Defender and Purview rather than replacing them. Teams already running those products will get the most out of it.


The Shadow AI Problem Agent 365 Actually Solves

“Shadow IT” has existed for decades. Shadow AI is the same concept with higher stakes. An unmanaged agent isn’t just a compliance gap. It’s an autonomous process that can read email and query databases without an audit trail. It can also interact with other agents, multiplying the exposure.

Agent 365 addresses this directly with a Shadow AI page in both the Microsoft 365 admin center and the Intune admin center. The initial capability targets OpenClaw agents (currently in Frontier program preview), with GitHub Copilot CLI and Claude Code on the near-term roadmap. Here’s what the discovery workflow looks like in practice:

When Microsoft Defender for Endpoint is deployed on Windows devices, it starts reporting local agent activity up through the Agent 365 registry. IT admins can see which devices have OpenClaw installed, which users are running it, and what version. From there, you can apply Intune policy to block the common execution paths for that agent across your managed fleet. No manual intervention on each device required.

This is a meaningful operational step forward. Previously, detecting a tool like this required either endpoint DLP rules (blunt and brittle), application control lists (high maintenance), or user self-reporting (optimistic). The registry-based approach gives you continuous inventory instead of point-in-time snapshots.

Starting June 2026, Defender adds asset context mapping. For each discovered agent, you’ll see the MCP servers it’s configured to use, the identities tied to it, and which cloud resources those identities can reach. That’s the data you actually need to assess exposure. Not just “this agent exists.” The question is whether it has access to your Salesforce OAuth token and can reach your production S3 bucket.


Intune’s Role: Policy Enforcement at the Endpoint

Intune has traditionally been the enforcement layer for device configuration and compliance. With Agent 365, that role extends to AI agent behavior on those devices.

The initial integration is specific: Intune policies can block the common run methods for OpenClaw on managed Windows devices. That sounds narrow, but the pattern it establishes is what matters. As the agent registry expands to cover more local agents and third-party SaaS products, the same Intune policy framework will apply.

For teams already using Intune for device management, getting started requires no new infrastructure. You’ll need three things in place:

  1. Defender for Endpoint deployed and enrolled (this is what reports agent activity back to the registry)
  2. Agent 365 license assigned to at least one admin user to enable the control plane
  3. Enrollment in the Frontier program if you want the OpenClaw shadow AI preview today (GA capabilities exclude this specific flow; it’s still in controlled preview)

The policy workflow in the admin center is straightforward. Navigate to the Shadow AI page, review the discovered agents and device counts, select a policy action (monitor vs. block), and push via Intune. The block policy targets executable paths and process names, so technically sophisticated users could potentially work around it, but for the average enterprise environment, it holds.

One caveat worth flagging: the policies apply to managed devices only. BYOD scenarios, contractor machines outside your Intune enrollment, and personal devices with corporate accounts are not covered by the endpoint enforcement layer. You’ll need Entra Conditional Access and Global Secure Access network controls to address those paths.


Cross-Cloud Visibility: AWS and Google Cloud

Agent 365 isn’t limited to what’s running on your Windows fleet or inside Microsoft’s own services. In public preview now, the registry sync feature connects to AWS Bedrock and Google Cloud, letting IT teams discover and inventory cloud agents built on those platforms.

This matters for organizations running hybrid AI workloads. A team might build an agent using Bedrock’s Claude API, deploy it to AWS Lambda, and connect it to Salesforce, all without touching a Microsoft product. With registry sync enabled, that agent shows up in the Agent 365 admin center with model metadata, resource connections, and basic lifecycle controls. The ability to start, stop, or delete those agents is coming in the next update.

Setup requires creating a connection in the M365 admin center and granting the appropriate read permissions to Agent 365’s service principal in AWS or GCP. Microsoft’s documentation on this is still thin, but the concept follows the same pattern as Microsoft Defender for Cloud’s multi-cloud integrations, which most enterprise environments have already navigated.


Practical Workflow: Getting a New Deployment Off the Ground

For an IT team starting fresh with Agent 365, here’s a reasonable sequencing:

Week 1 — Baselining. Enable the agent registry and spend a week in observe-only mode. Don’t push policy yet. The goal is to understand the existing agent landscape: what’s running, who deployed it, and what it has access to. You will find things you didn’t know about.

Week 2 — Governance review. Take the registry output and map it against your existing software approval process. Agents deployed through sanctioned channels get documented and monitored. Agents with no approval trail go into a review queue.

Week 3 — Policy decisions. For clearly unapproved local agents on managed devices, start applying block policies through Intune. For SaaS agents connected to Microsoft 365 data, use Purview DLP to scope what data they can access. For agents with legitimate business use but no governance, create a sponsorship process: someone has to own it and be accountable for its behavior.

Week 4 onward — Continuous operation. Agent 365’s value compounds over time. New agents get discovered and triaged against policy. The June Defender integration adds runtime blocking for anomalous behavior. Registry sync keeps multi-cloud inventory current.

The biggest operational investment is the governance review in week 2. Most organizations will discover more agents than expected, and many of them will have been deployed by well-intentioned people who didn’t know they needed to ask permission. Treat it as an educational moment rather than a punitive one.
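The week 2 governance review and the June context mapping described earlier both come down to the same join: registry entries, matched against your approval records, ranked by what the agent's identities can actually reach. The script below is an added example, not Microsoft's code or an Agent 365 API; Agent 365 does not document an export format, so the record shape, the sample agents, the identity-to-resource map, and the approval set are all constructed for illustration. It produces a review queue ordered by blast radius so that an unsponsored agent with production write access is looked at before a sponsored one that only reads a repo.

```python
"""Triage a constructed agent-registry export against an approval list.

Added example, not Microsoft's code. Agent 365 does not expose this export
format; every record and value below is an assumption made for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample of what a registry export with asset context might hold.
REGISTRY_EXPORT = [
    {"agent_id": "a-001", "name": "code-review-bot", "runtime": "local",
     "deployer": "dev1@example.com", "sponsor": None,
     "identities": ["sp-ci-runner"], "mcp_servers": ["github"]},
    {"agent_id": "a-002", "name": "sales-assistant", "runtime": "saas",
     "deployer": "sales-lead@example.com", "sponsor": "sales-lead@example.com",
     "identities": ["sp-crm-sync"], "mcp_servers": ["salesforce"]},
    {"agent_id": "a-003", "name": "etl-agent", "runtime": "bedrock",
     "deployer": "data@example.com", "sponsor": None,
     "identities": ["sp-etl", "sp-crm-sync"], "mcp_servers": []},
]

# Constructed: which resources each identity can reach (what context mapping
# would supply). Identities are shared between agents on purpose.
IDENTITY_RESOURCES = {
    "sp-ci-runner": ["github:org/repos:read"],
    "sp-crm-sync": ["salesforce:oauth-token", "m365:mail:read"],
    "sp-etl": ["aws:s3:prod-data-lake:write", "aws:rds:prod:read"],
}

# Constructed: agent ids that came through the sanctioned approval process.
APPROVED_AGENT_IDS = {"a-002"}

# Substrings that mark a resource as production or credential exposure.
HIGH_RISK_MARKERS = ("prod", "oauth-token", "write")


@dataclass
class TriageResult:
    agent_id: str
    name: str
    disposition: str                 # "monitor" or "review"
    reasons: list[str] = field(default_factory=list)
    reachable: list[str] = field(default_factory=list)
    risk_score: int = 0


def blast_radius(agent, identity_resources):
    """Deduplicated resources reachable through any identity tied to the agent."""
    seen = []
    for ident in agent["identities"]:
        for res in identity_resources.get(ident, []):
            if res not in seen:
                seen.append(res)
    return seen


def score(reachable, agent):
    """One point per high-risk marker hit, plus two if nobody owns the agent."""
    s = sum(1 for r in reachable for m in HIGH_RISK_MARKERS if m in r)
    if agent["sponsor"] is None:
        s += 2
    return s


def triage(registry, approved_ids, identity_resources):
    """Split agents into monitor/review and order the review queue by exposure."""
    results = []
    for agent in registry:
        reachable = blast_radius(agent, identity_resources)
        reasons = []
        approved = agent["agent_id"] in approved_ids
        if not approved:
            reasons.append("no approval trail")
        if agent["sponsor"] is None:
            reasons.append("no accountable sponsor")
        risky = [r for r in reachable if any(m in r for m in HIGH_RISK_MARKERS)]
        if risky:
            reasons.append("reaches high-risk resources: " + ", ".join(risky))
        disposition = "monitor" if approved and agent["sponsor"] else "review"
        results.append(TriageResult(agent["agent_id"], agent["name"],
                                    disposition, reasons, reachable,
                                    score(reachable, agent)))
    # Review items first, highest exposure at the top of the queue.
    results.sort(key=lambda r: (r.disposition != "review", -r.risk_score))
    return results


if __name__ == "__main__":
    for r in triage(REGISTRY_EXPORT, APPROVED_AGENT_IDS, IDENTITY_RESOURCES):
        print(f"{r.disposition:8} {r.agent_id} {r.name:16} score={r.risk_score} "
              f"reasons={r.reasons}")
```

The point of scoring through identities rather than through the agent record is visible in the sample: the ETL agent shares an identity with the approved sales assistant, so the Salesforce token shows up in its blast radius even though nothing in its own configuration mentions Salesforce. Swap the constructed dictionaries for whatever export and approval source your tenant actually produces, and keep the marker list aligned with how your cloud resources are named.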


Limitations and Caveats

Local agent support is still narrow. OpenClaw discovery is in Frontier preview. Claude Code and GitHub Copilot CLI are on the roadmap but not available yet. If your developers primarily use tools other than OpenClaw, the shadow AI discovery feature won’t give you full visibility at launch.

The June features aren’t here yet. Context mapping, runtime blocking, and rich Defender alerts are public preview starting June 2026. If you’re evaluating Agent 365 today, you’re evaluating a subset of the eventual product.

Licensing adds up quickly. At $15/user/month standalone, Agent 365 is a meaningful line item for large organizations. The E7 bundle makes more sense for enterprises already on E5 who are looking to consolidate. If you’re on E3 or below, the licensing math may not work until you’re managing enough agents to justify the cost.

BYOD and unmanaged devices remain a gap. Endpoint-based enforcement only applies to Intune-enrolled devices. Network-level controls via Global Secure Access help, but that’s an additional configuration layer and separate licensing.

Third-party SaaS agent coverage depends on partner integrations. Agents fully configured for Agent 365 management include Genspark, Zendesk, and Egnyte, plus a handful of agent-factory platforms. If your critical SaaS agents aren’t in that list, governance through Agent 365 will be partial until those integrations ship.


Why This Matters for IT and Security Teams

The honest framing: Agent 365 doesn’t solve every problem, but it does solve the specific problem of having no systematic way to know what agents are running in your environment. That’s been the biggest gap.

Every organization with active AI adoption has agents operating outside governance. Some are harmless. Some have access to sensitive data. A few probably have permissions they shouldn’t. Agent 365 gives you the inventory and the levers to act on it through workflows your team already knows.

The Shadow AI page in Intune is where most IT practitioners will spend their time. It’s familiar territory: same console, same policy model, same deployment mechanism. The new part is just what you’re governing.

For security teams, the June Defender integration is the more compelling milestone. When you can see an agent’s identity associations, the MCP servers it communicates with, and the cloud resources within reach, with the ability to block it in runtime if it starts doing something unexpected, that’s a materially different security posture than where most enterprises sit today.

Agent 365 is available now at microsoft.com/microsoft-agent-365. The Shadow AI preview is available through the Frontier program for eligible Microsoft 365 tenants.

