Understanding Agent 365: Governance for AI Agents

Albert Hoitingh's avatarPosted by

Reading time: 10 minutes approx.

Digital network map showing AI Core Alpha, AI Core Gamma, Secure Hub 03 nodes connected by glowing lines

When doing engagements with customers, my normal storyline is to go from the “frontier worker” (Copilot in the workplace) to the “agentic frontier”. Within Microsoft we see organizations moving towards this agentic frontier in three phases.

In the first phase (Human with assistant) we see that every employee has an AI assistant (Copilot) that helps him/her work better and faster. The second phase (Human-led agents) sees AI agents join teams as “digital colleagues,” or “AI Teammates” taking on specific tasks at human direction. The last phase (Human-led, agent-operated) we as humans set the direction and agents run entire business processes and workflows, checking in as needed.

Three phases of frontier agentic

But without governance, AI agents risk becoming shadow IT/AI at scale:

  • Lack of visibility into agent activity
  • Inconsistent access control
  • Data security risks
  • Difficulty ensuring compliance

And as more organizations start developing and/or using AI agents, one big question comes up:

How do you manage, secure, and govern them at scale?

Our answer is Agent 365 – which became general available on May 1st 2026. And in this article I want to focus on the components of this platform and the drive home the fact that Agent 365 is a platform and single control plane itself. So, what is Agent 365?

Agent 365

To start: yes, there are some aspects to Agent 365 that might need additional work. As with every platform, new and enhanced features will be released soon. I’m thinking of an even better integration with Microsoft Purview, for example.

Which brings me to an important point: we need to view Agent 365 as a platform that integrates and extends specific Microsoft solutions to Observe | Govern | Secure; The Agent 365 Agent Registry uses new signals to surface unmanaged agents across endpoints, while Microsoft Defender, Microsoft Entra, Microsoft Intune, and Microsoft Purview work together to enforce policy, detect risk, and protect sensitive data.

Agent 365

For this article, I need to start at the Govern part – as this contains some of the important Agent 365 settings.


Govern

Although you can govern your agents from the registry (see below), there are some important (general) settings, that will allow you to:

  • Govern which AI agents are available
  • Control deployment and access
  • Manage security and compliance posture
  • Configure how agents interact with organizational data
  • Enable or disable specific Copilot and agent capabilities
Agent 365 Settings

Let’s look at these in some more detail.

Agent Management Rules sets permissions for your agent administrators. Allowed Agent Types sets guardrails on which types of agents (Microsoft 1st party, your organization or external publishers) users can install. The Sharing option manages who can share (Agent Builder) agents with anyone in the organization. The User access option manages which users or groups can use agents.

Agent policy templates

These options are relatively straight forward. The Policy template needs some more context. By default, every tenant has two default agent policies templates scoped to the controls of Microsoft Entra, Microsoft Purview, SharePoint Online and Microsoft Defender. When an agent is assigned the policy template, these controls come into effect (when configured).

The two default templates are called:

  • Default agent template for all agents except AI teammates.
  • Default agent template for AI teammates in Frontier.

You will notice that both templates reference “AI teammates” – so let’s look at that concept.

AI Teammates

As AI agents are evolving into collaborative digital coworkers rather than simple chatbots, we need to approach these as we do our “real” coworkers. And for our coworkers we normally apply Zero Trust principles and governance patterns. And for this, any AI teammate will need to have an Entra ID identity, with a proper life cycle. Permissions to resources and data need to be carefully managed. And access to these resources follow conditional access rules.

These concepts are provided by the platforms I named earlier, and agent policy templates provide a standard way of applying these to agents.

Agent policy templates

In you tenant, you will find two default agent templates: one for agents that work like AI teammates and one for all others. Both are based on one “master” default template.

Default agent policy templates

Please note that both Shadow AI detection (see below) and the AI teammates only work in Frontier tenants

For AI teammates, the policy template includes the option to set licensing for the consumption/Power Platform capacity. Also, this template includes real time protection (Microsoft Defender) and restricting content discovery in SharePoint sites (needs to be configured beforehand).

For all other agents (not AI teammates), these additional settings apply; Restricting external sharing of sites, control for sites and OneDrive and permissions. All of these work in SharePoint Online and OneDrive.

The complete list of template components can be found here. When an agent has been assigned a policy template, Agent 365 automatically enables some policies. Other policies, like those in SharePoint Online, will require more configuration. When you activate an agent, a dropdown menu displays both Microsoft default templates and custom templates. Select the desired template to apply its policies to the agent.

Custom templates are possible but are limited (at this moment) to specific policies for Microsoft Entra (Conditional access, Access packages and Custom security attribute). You cannot edit the default templates.


Observe

This component of Agent 365 provides you with insights into your AI agents, any Shadow AI and MCP servers used. Shadow AI discovery is limited to OpenClaw, but I suspect our Microsoft Scout will be added soon.  This new form of Shadow AI is discovered via Microsoft Defender signals, Microsoft Intune endpoint signals and/or network/activity-based detection. Agent 365 allows you to block these types of AI on managed devices.

Agent 365 will not detect any non-agent generative AI, as the name suggest. For this you use Microsoft Purview, for example: Data Loss Prevention, Insider Risk Management and Data Security Posture Management

Tools

MCP servers are visible using the Tools option in Agent 365. It allows you to block any unwanted MCP connections. When you register your own MCP server (using the Agent 365 CLI), this request is managed by Agent 365.

MCP Server registry

Agent Registry

As the name suggests, this is your overview of all agents in the organization. Agents show up in Agent 365 as soon as they are created and are detectable through one of its discovery signals.

  • Agents created in Agent Builder and Copilot Studio will typically appear (almost) immediately in the Agent Registry because they are already tied into Microsoft Entra ID and Microsoft services and APIs.
  • Agents built in Microsoft Foundry, the Agent Framework or custom enterprise setups will show up when the agent is registered (identity created) or it starts interacting with enterprise resources (Microsoft Graph, APIs, Microsoft 365 data).
  • The last category contains agents from non-Microsoft (external) environments. These can be pre-defined agents (from Microsoft Partners like Adobe) or using the registry sync option. This synchronization works for the agent environments in Amazon Bedrock | Google Vertex AI | Salesforce Agentforce | Databricks Genie.
Registry sync option

The agents in your environment will show up either in a list or (fancy!) in the form of a web overview. You have some options to filter these agenda, for example by publisher. When you select an agent, you will be shown the details. These will vary based on the type of agent.

Agent registry web view

And here is the more traditional list view – filtered by Microsoft 1st party agents.

Agent registry list view
Agent details

Two important options I do want to focus on here. The first is to set an owner for the agent. In Microsoft Entra ID, every new agent will receive an identity. Part of this identity are the owners and sponsors.

Microsoft Entra ID – agent identity

Existing agents without such an owner can be modified either in Entra ID or in Agent 365.

Microsoft Entra ID – assign agent owner

The second option is the ability to review agents before these are published to your users. When an agent is create/published from Agent Builder, Copilot Studio and Microsoft Foundry, it will show up in Agent 365. Here, the administrator can decide to publish the agent (and for which users).

Review agent before publishing

Security

As you’ve read earlier, Agent 365 integrates with Microsoft Entra, Microsoft Purview, Microsoft Defender, but also with Microsoft Intune.

In Agent 365 this is represented on different levels. From Microsoft Entra ID we now work with identities for our agents. These identities are associated with so-called blueprints. Because an agent has an identity, we can also work with:

  • Access reviews & workflows
  • Access control
  • Conditional access rules
  • Microsoft Graph permissions
  • Entra ID protection (sign-in risks)
  • Insider Risk Management

Agent 365 also surfaces Data Security Posture Management signals from Microsoft Purview. It shows any specific Microsoft Purview information protection and data loss prevention policies. Insider Risk Management can be targeted specifically to agents. Threat protection works from Microsoft Defender and allows for (amongst others) runtime protection.

This information is shown when you select a specific agent.

Agent security details, including alerts from Purview Insider Risk Management

The Data and tools part of the agent details shows you the Microsoft Graph access an AI agent requires. As an administrator, you can grant these permissions from Microsoft Entra ID and the agent’s identity.

Example from 3rd party agent’s access to tenant data

MS Build 2026 – Agent 365 SDK

Announced during MS Build 2026, the Agent 365 SDK connects custom-built agents to the broader governance, identity, and security capabilities of Agent 365. Through the SDK, agents can:

  • Integrate with Microsoft Entra ID for identity and access control
  • Enforce Purview policies for data protection and compliance
  • Connect to Microsoft Defender signals for threat detection and monitoring
  • Expose telemetry and activity data for full observability

This implies that the Agent 365 SDK makes agents aware of policies, respect permissions, and operate within defined boundaries by design.

In closing

Ultimately, Agent 365 should be understood not as a single feature, but as the control plane for the next era of agentic AI. By bringing together governance, observability, security, and identity across Microsoft’s existing platforms, it gives organizations a practical way to scale AI agents without losing visibility, control, or trust.

As agents become embedded in daily work and business processes, that combination of innovation and guardrails will be essential—and that is exactly where Agent 365 delivers its value.

However…..

Agent 365 is not a configuration platform. You still have to design and configure your Zero Trust, data security and compliance components. This allows Agent 365 become that centralized control panel.

Leave a Reply