May 13, 2026 Mid-Level (3-5 years) Deep Dive

Microsoft Agent 365 Is Now GA: What IT Admins Need to Know About Shadow AI and Intune Controls

Microsoft Agent 365 reached general availability on May 1, 2026. Here's what IT and security teams need to understand about shadow AI discovery, local agent management via Intune, and the new network controls shipping in June.

Updated: May 13, 2026

Microsoft Agent 365 shipped to general availability on May 1, 2026. If you manage endpoints, run Intune policies, or own your organization’s security posture, this one lands squarely on your plate. It’s not a Copilot upgrade. It’s a new control plane for every AI agent running in your environment — including the ones you don’t know about yet.

This article explains what Agent 365 actually does, what’s already available versus what’s still in preview, and how IT admins should start thinking about it today.

What Problem Agent 365 Is Solving

The core issue is straightforward: AI agents are proliferating faster than governance can keep up. Your developers have GitHub Copilot CLI. Your power users installed OpenClaw. Someone on the security team is running Claude Code. Meanwhile, SaaS vendors are shipping agentic features with access to your data, and your IT org has no consistent inventory of any of it.

Agents are different from traditional software in one critical way: they act. They can invoke tools, reach out to APIs, read files, and interact with other agents — often with more permissions than necessary, and often without audit trails your security team can follow. The attack surface is not just “can someone exploit this agent?” It’s also “what can this agent be tricked into doing, and what data can it touch?”

Microsoft’s framing is “shadow AI,” and it’s an apt description. This isn’t shadow IT from 2012 where someone installed Dropbox on a company laptop. These agents can autonomously execute tasks, modify code, and access confidential resources. The blast radius from one misconfigured or compromised agent is much larger than a rogue SaaS subscription.

Agent 365 is Microsoft’s answer: a single control plane to observe, govern, and secure AI agents regardless of where they run.

What’s Generally Available Right Now

The GA release of Agent 365 covers two categories of agents: those that act on behalf of users (delegated access, like an agent that organizes your inbox), and those that operate with their own credentials (own access, like an autonomous support ticket triage agent).

For agents built within the Microsoft ecosystem (Copilot Studio agents, Microsoft 365 Copilot extensions, agents running in Teams), governance is already live. You can see them in the Microsoft 365 admin center, assign ownership, review permissions, and set lifecycle policies.

The network control capability is also GA today. Agent 365 extends Microsoft Entra network controls to Microsoft Copilot Studio agents and to local agents running on user endpoint devices. This means you can restrict which web destinations agents can reach, filter risky file movement, and block malicious prompt-injection attempts at the network layer. These controls apply to OpenClaw agents running on managed Windows devices right now.

Licensing is straightforward: Agent 365 is included in Microsoft 365 E7, or available standalone at $15 per user per month. The license covers individuals who manage agents, sponsor them, or use agents that work on their behalf.

Discovering and Managing Local Agents Through Intune

This is where it gets operationally interesting for endpoint teams.

Users install local AI agents on their devices constantly. OpenClaw, GitHub Copilot CLI, Claude Code: these run on the device itself, not in a cloud sandbox. They have filesystem access, can spawn processes, and often have API keys with broad permissions configured locally. Until now, there was no practical way to inventory them through standard Intune tooling.

Agent 365 changes that. Organizations enrolled in the Microsoft Frontier program can see, in the Microsoft 365 admin center and the Intune admin center, whether OpenClaw agents are running in their environment and which devices they’re on, and can apply Intune policies to block the common execution paths.

The workflow in practice:

  1. Navigate to the new Shadow AI page in the Microsoft 365 admin center or Intune admin center.
  2. Review the discovered local agent inventory surfaced from Defender telemetry.
  3. Evaluate each agent type: is it managed, is it an approved tool, who owns it?
  4. Apply Intune configuration policies to block unauthorized execution methods for flagged agents.
  5. Monitor alerts for agents exhibiting anomalous behaviors (this capability lands in June).

June 2026 is when the full picture completes. Microsoft Defender will add asset context mapping for each local agent: which devices it runs on, which MCP servers are configured, which identities are associated with it, and which cloud resources those identities can reach. For a security team, this is the data needed to assess actual exposure and prioritize response. Context mapping enables custom detection rules and gives you the relationship graph to trace a potential compromise path end-to-end.
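To make the relationship graph concrete, here is an added example (not Microsoft's code, and not Defender's data model) that walks agent to MCP server to identity to cloud resource edges and ranks agents by how many sensitive resources they can reach. The node names, the edge list and the `SENSITIVE` set are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample edges. The "kind:name" node format is an assumption made
# for this example, not the schema Defender context mapping will expose.
EDGES = [
    ("agent:openclaw@LAPTOP-014", "mcp:files-local"),
    ("agent:openclaw@LAPTOP-014", "mcp:crm-connector"),
    ("mcp:files-local", "identity:alice@example.com"),
    ("mcp:crm-connector", "identity:svc-crm-sync"),
    ("identity:alice@example.com", "resource:sharepoint/finance"),
    ("identity:svc-crm-sync", "resource:storage/customer-exports"),
    ("identity:svc-crm-sync", "resource:keyvault/prod-secrets"),
    ("agent:openclaw@DEV-VM-03", "mcp:docs-search"),
    ("mcp:docs-search", "identity:bob@example.com"),
    ("identity:bob@example.com", "resource:sharepoint/engineering-wiki"),
]
SENSITIVE = {"resource:keyvault/prod-secrets", "resource:sharepoint/finance"}


def build_graph(edges):
    """Adjacency list keyed by source node."""
    graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
    return graph


def exposure_paths(graph, start):
    """Every path from start to a resource node (iterative DFS, cycle-safe)."""
    paths, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node.startswith("resource:"):
            paths.append(path)
            continue
        for nxt in graph.get(node, []):
            if nxt not in path:  # do not revisit a node already on this path
                stack.append((nxt, path + [nxt]))
    return sorted(paths)


def rank_agents(graph, sensitive):
    """Agents ordered by count of sensitive resources reachable, highest first."""
    scores = {}
    for node in list(graph):
        if node.startswith("agent:"):
            reached = {p[-1] for p in exposure_paths(graph, node)}
            scores[node] = len(reached & sensitive)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
```

The ranking is a review-priority order: the agent whose MCP servers sit in front of the most privileged identities gets its permissions reviewed first.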

The June preview also ships runtime blocking. If a managed agent exhibits behavior consistent with data exfiltration (accessing sensitive files unexpectedly, making unusual network calls), Defender can block the agent at runtime and generate an incident with full context for investigation.

Coverage is starting with OpenClaw and expanding to GitHub Copilot CLI and Claude Code. Expect additional agent types to be added throughout the rest of 2026.

Cloud Agent Governance: AWS Bedrock and Google Cloud

Local agent discovery is one dimension. The other is cloud-hosted agents built on non-Microsoft platforms.

With Agent 365 registry sync, now in public preview, IT teams can connect AWS Bedrock and Google Cloud (formerly Google Vertex AI) to the Agent 365 inventory. Once connected, agents deployed on those platforms are automatically discovered and catalogued in the Microsoft 365 admin center.

Initial functionality is read-only inventory, with basic lifecycle governance (start, stop, delete) coming soon. The goal is a unified view regardless of which AI builder platform your developers used. For organizations running multi-cloud environments, this is the missing piece that lets security teams ask “what agents do we have and what can they do?” with confidence.

It’s worth being precise about what this is and isn’t. Registry sync gives you visibility and inventory. It does not enforce Entra Conditional Access policies on AWS Bedrock agents or apply Intune configuration profiles to them. The governance available from the Microsoft control plane is currently limited to inventory and lifecycle operations for non-Microsoft platforms.

Windows 365 for Agents: A Managed Compute Environment

A separate but related announcement is Windows 365 for Agents, now in public preview in the United States. This is a new class of Cloud PCs purpose-built for agentic workloads.

The design rationale is sensible: if an AI agent needs to interact with desktop applications, browse the web, or execute tasks that require a full Windows environment, you want that to happen in a managed, policy-controlled Cloud PC rather than on a user’s primary device. Windows 365 for Agents instances are managed through Intune like any other Cloud PC, carry the same identity and security controls, and are surfaced in Agent 365 so you can see which agents are running on which instances.

This is primarily relevant for organizations deploying autonomous agents in production. It is not the right tool for managing Copilot features that end users access through M365 apps. If you’re running agents that need a persistent Windows environment to do their work, this is the right compute substrate.

What IT Admins Should Do This Week

The GA announcement and the June preview timeline give you a clear prioritization window.

Now: Get familiar with the Shadow AI page in the M365 admin center. Even if you haven’t enrolled in Frontier, start building your mental model of what local agents are in your environment. Survey your endpoint managers and help desk about what tools they’re seeing users install. OpenClaw in particular has been growing quickly.

Before June: Decide on a policy posture for local AI agents. You need answers to a few questions before you’re ready to act on the Intune controls: What’s the approval process for a local agent to be considered managed? Do you have an existing workflow for endpoint privilege review that agents should go through? Who owns the security review for an agent’s MCP server configurations?

When June preview ships: Enroll in the Defender context mapping preview. The relationship graph (agent to MCP server to identity to cloud resource) is the analysis that separates reactive incident response from proactive risk management. You want security teams hands-on with that data early.

Ongoing: Plan your Agent 365 licensing alongside any M365 E7 discussions. The standalone SKU at $15/user/month gives you flexibility to start with the team that manages agents rather than licensing the entire organization upfront.

Caveats and Limitations

A few things to keep in mind.

The Shadow AI page and local agent discovery are currently Frontier program features. General availability for the broader customer base is expected in June 2026 alongside the full context mapping and runtime blocking capabilities. If you’re not enrolled in Frontier, you don’t have these controls yet.

The local agent coverage list starts with OpenClaw and expands over time. If your organization has deployed other agent types (custom MCP-based agents, locally hosted language models, or third-party CLI agents), those won’t appear in the inventory initially. Build your own discovery baseline using Defender telemetry and software inventory in parallel.
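One way to start that parallel baseline, as an added example that is not from Microsoft or this article's sources: classify rows from a process-event export and produce a per-device agent inventory checked against an approval register. The launcher names, package path markers, column names and sample rows are all assumptions or constructed data, so verify the signatures against what your own endpoints report.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed signatures: launcher stems, plus the package path seen when the CLI
# runs under an interpreter. Confirm both on your fleet before relying on them.
SIGNATURES = {
    "OpenClaw": ({"openclaw"}, "node_modules/openclaw"),
    "Claude Code": ({"claude"}, "@anthropic-ai/claude-code"),
    "GitHub Copilot CLI": ({"copilot"}, "@github/copilot"),
}
INTERPRETERS = {"node", "bun"}
APPROVED = {("DEV-VM-03", "GitHub Copilot CLI")}  # constructed approval register

# Constructed rows shaped like a process-event export from endpoint telemetry.
SAMPLE_CSV = r"""DeviceName,AccountName,FileName,ProcessCommandLine
LAPTOP-014,alice,openclaw.exe,openclaw.exe
LAPTOP-014,alice,node.exe,node.exe C:\Users\alice\AppData\Roaming\npm\node_modules\@anthropic-ai\claude-code\cli.js
DEV-VM-03,bob,copilot.exe,copilot.exe
DEV-VM-03,bob,node.exe,node.exe C:\src\webapp\server.js
HR-PC-22,carol,winword.exe,winword.exe C:\Users\carol\Documents\claude notes.docx
"""


def classify(file_name, command_line):
    """Return the agent name for one process row, or None."""
    stem = PureWindowsPath(file_name).stem.lower()
    cmd = command_line.lower().replace("\\", "/")
    for agent, (launchers, pkg_marker) in SIGNATURES.items():
        if stem in launchers:
            return agent
        # npm-installed CLIs appear as node.exe, so match the script path too.
        if stem in INTERPRETERS and pkg_marker in cmd:
            return agent
    return None


def baseline(csv_text):
    """Map (device, agent) to the users seen running it and its approval state."""
    found = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        agent = classify(row["FileName"], row["ProcessCommandLine"])
        if agent:
            found[(row["DeviceName"], agent)].add(row["AccountName"])
    return {k: {"users": sorted(u), "approved": k in APPROVED}
            for k, u in found.items()}
```

Matching on the executable stem rather than the whole command line keeps a document named "claude notes.docx" out of the inventory, while the interpreter check catches agents that only ever show up as `node.exe`.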

Registry sync with AWS Bedrock and Google Cloud is public preview, which means it may change before GA. Don’t build critical governance workflows on top of preview APIs without a plan for schema or behavior changes.

Windows 365 for Agents is United States only in preview. Global availability has no committed date yet.

What This Means for the Shape of Endpoint Management

For the past decade, endpoint management meant managing the device and the user. Intune gave IT organizations policy control over what applications ran, how devices were configured, and what network resources they could reach.

Agent 365 extends that model upward. The new primitive isn’t a device or an app — it’s an agent: an entity with credentials, permissions, and the ability to act autonomously. The governance questions (who owns this, what can it do, where can it go, what happens when it misbehaves) are the same governance questions IT teams have always answered, applied to a new class of actor.

If you’ve done the work to build a mature Intune and Defender deployment, the underlying muscle memory transfers. The investigation workflows, the policy authoring patterns, the incident response runbooks: they map onto agents without a complete redesign. What changes is the scope of what you’re tracking and the speed at which new entities appear.

That last point is the practical challenge. Devices get enrolled through a controlled process. Agents get installed in a terminal in 30 seconds. The inventory problem is fundamentally harder, and Agent 365 is Microsoft’s bet that integrating discovery into the security stack is the right approach rather than trying to add controls at the edge.

Whether that bet pays off depends heavily on the quality of the Defender telemetry and the coverage of the local agent detection list. June’s preview will be the first real test.


Microsoft Agent 365 technical documentation is available on Microsoft Learn. The Shadow AI page in the M365 admin center requires Frontier program enrollment for early access to local agent discovery.
