Microsoft Agent 365 GA: Enterprise AI Governance Guide 2026

Microsoft Agent 365 reached general availability on May 1, 2026 — Microsoft's first dedicated AI agent governance platform, priced at $15 per user per month, gives enterprise IT and security teams a unified control plane to discover, govern, and secure every AI agent running across Windows endpoints, Azure, and multi-cloud environments including AWS Bedrock and Google Cloud. This is not an incremental Copilot update. Agent 365 is a standalone product built in response to the AI agent proliferation problem that has become enterprise IT's most acute pain point in 2026: organizations deploying dozens of agents across departments with no centralized visibility into what each agent does, what data it touches, or whether it is operating within policy. This guide covers what shipped in the GA release, the pricing structure including the new M365 E7 bundle, the three core capability pillars, cross-cloud connectivity, how to get started in the first 30 minutes, and what to expect when Intune and Defender integrations ship in June 2026.

Why AI Agent Governance Became Urgent in 2026

A year ago, most enterprises had a handful of AI pilots. Today, the median large organization runs more than 40 distinct AI agents across sales automation, customer support, code review, document processing, and finance workflows. Those agents span Microsoft Copilot extensions, Azure AI Foundry deployments, third-party tools on AWS Bedrock, and custom-built agents running on open-weight models. Each one touches sensitive data, calls external APIs, and takes actions that are difficult to audit retroactively.

The governance gap this creates is real and measurable. Security teams report that most AI agents in their environment were deployed without going through standard IT procurement or security review. Agents inherit broad permissions during setup — access to SharePoint, Outlook, Jira, Salesforce — and those permissions often remain long after the agent's original use case has changed or the team that deployed it has moved on. Compliance audits increasingly surface AI agent activity as an unresolved gap, because tooling for logging and attesting agent behavior at the same level of fidelity as human user activity has simply not existed until now.

Agent 365 is Microsoft's answer to that gap. The timing of the GA announcement aligns with enterprises beginning to treat agentic AI governance as a board-level concern rather than an IT configuration detail.

What Agent 365 Is — and What It Is Not

Agent 365 is a governance and security management platform for AI agents. It is not an AI agent builder, model inference service, or development tool. The product sits alongside Copilot and Azure AI Studio in Microsoft's AI stack, focused entirely on the operational layer: what agents exist, what they are doing, and whether they are doing it within the bounds your organization has defined.

The product is delivered as a SaaS service accessed through the Microsoft 365 admin center, integrated with Microsoft Entra ID for identity-linked agent attribution, and connected via read-only API connectors to AWS Bedrock and Google Cloud Vertex AI for cross-cloud discovery. IT administrators, security engineers, and compliance officers are the primary users. Access to Agent 365 data is role-gated through Entra ID, so end users see nothing unless specifically granted admin access.

The Three Core Pillars: Observe, Govern, Secure

Microsoft organized Agent 365 around three value pillars that reflect what enterprise teams need when governing an agentic environment at scale.

Observe

The observation layer provides real-time visibility into the agent fleet. Administrators see a unified inventory of every agent registered in the Microsoft 365 tenant, including agents deployed on Azure, agents synced from AWS Bedrock and Google Cloud, and agents running locally on managed Windows endpoints. For each agent, the platform surfaces: the deploying identity, creation date, last active timestamp, permission scopes, data connections accessed, and a risk score derived from permission breadth and recent activity patterns.

The activity feed shows what actions each agent has taken — API calls made, files read, emails sent, external service calls initiated — at a granularity comparable to the Azure Activity Log for human users. Administrators can filter by agent, by data source, by action type, or by time window. Anomaly detection runs against the activity feed and surfaces alerts when agent behavior deviates from its established baseline: a customer support agent that begins reading financial documents it has never accessed before, or a code review agent that starts merging pull requests rather than only commenting on them.

Govern

The governance layer provides policy-based control over what agents can do. In the GA release, this means lifecycle governance: administrators can approve, suspend, revoke, or archive agents directly from the Agent 365 console. Approval workflows can be configured so that any new agent deployment requires IT sign-off before the agent becomes active — creating a meaningful checkpoint equivalent to the procurement process enterprises use for SaaS software.

Registry sync with AWS Bedrock and Google Cloud ensures that agents deployed outside the Microsoft ecosystem are discoverable and subject to the same lifecycle policies as native Azure agents. Policy templates cover the most common governance requirements: least-privilege permission checks that flag agents with overly broad scopes, data residency policies that restrict agent operation to specific geographic regions, and time-bound access controls that automatically expire agent credentials after a configurable period.

Custom policies are defined in JSON using a schema that mirrors Microsoft Entra Conditional Access policy structure. Teams already familiar with Entra can extend their existing governance approach to AI agents without learning a new policy language:

{
  "policyName": "restrict-finance-data-access",
  "scope": {
    "agentTags": ["department:sales", "department:marketing"]
  },
  "conditions": {
    "dataClassification": ["Financial", "Confidential"]
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["block"]
  }
}

Secure

The security pillar connects Agent 365 to Microsoft's broader security infrastructure. In the GA release, runtime blocking runs server-side within the Microsoft tenant: administrators set rules that prevent an agent from executing an action if it matches a defined threat pattern — injecting prompts into conversations to exfiltrate credentials, calling known malicious external endpoints, or attempting to write to storage locations outside the agent's declared scope. These blocks apply even to agents built by third parties that call Microsoft APIs, because enforcement sits at the tenant API gateway rather than inside the agent's own code.

The deeper Intune and Defender integrations — context mapping, policy-based controls on managed endpoints, and runtime alerts surfaced in the Defender portal — are scheduled for public preview in June 2026. These will extend Agent 365's security coverage to agents running in isolated local environments on Windows devices: corporate-deployed Claude Code instances, Copilot Workspace, and local coding agents on Copilot+ PCs.

Pricing and Licensing: What You Actually Pay

Agent 365 is priced at $15 per user per month for commercial tenants. This is a per-user seat license, not a per-agent or per-API-call model — the same user can govern any number of agents without incremental cost, which matters for IT administrators overseeing large agent fleets.

Microsoft simultaneously launched Microsoft 365 E7, a new enterprise suite that bundles four products at $99 per user per month:

• Microsoft 365 E5 — productivity applications plus advanced security
• Microsoft Entra Suite — identity and access management, including Entra Permissions Management
• Microsoft 365 Copilot — AI assistant across M365 applications
• Agent 365 — AI agent governance control plane

Organizations currently paying for M365 E5 (~$57/user) and M365 Copilot ($30/user) separately spend $87/user/month unbundled. E7 at $99/user adds Agent 365 plus the full Entra Suite for $12/user more — effectively a discount on the governance layer for organizations that need the Entra Suite components regardless. The Entra Permissions Management piece is particularly relevant: it provides over-permissioned access detection for human identities, complementing Agent 365's risk scoring for agent identities and creating a unified least-privilege enforcement posture.

Standalone Agent 365 at $15/user makes sense for organizations that already hold M365 E5 and Copilot licenses and want to add governance without restructuring enterprise agreements. E7 is the cleaner path for organizations renewing agreements or making net-new enterprise deployments.

Cross-Cloud Agent Discovery: AWS Bedrock and Google Cloud

The most requested feature during the Agent 365 preview period was cross-cloud support, and it shipped in GA. Registry sync with AWS Bedrock and Google Cloud Vertex AI uses read-only API connectors authenticated via service accounts. Once connected, Agent 365 pulls agent metadata from Bedrock's agent catalog and the Vertex AI agent builder registry, surfacing those agents in the unified inventory alongside native Azure agents. The sync runs hourly by default with event-driven refresh available for near-real-time accuracy.

Governance policies set in Agent 365 apply to cross-cloud agents through a notification and indirect enforcement model. The platform cannot directly block an AWS Bedrock agent from executing an action — that operation occurs outside the Microsoft tenant — but it can trigger an alert, revoke the agent's access to Microsoft 365 resources the agent calls, and create an Entra ID conditional access block that prevents the agent's service principal from authenticating against Microsoft APIs. This indirect enforcement covers the majority of enterprise cross-cloud governance scenarios, where the data being protected lives in Microsoft 365 or Azure even when the agent compute runs in another cloud.

Getting Started: First 30 Minutes

For organizations with M365 E5 or E7 licensing, Agent 365 activation happens in the Microsoft 365 admin center under the new AI Governance section. The setup wizard covers four steps: license assignment, Entra ID permission grant for the Agent 365 service principal, an initial discovery scan to build the agent inventory, and notification routing to your security team's preferred alert channel (email, Teams, or Microsoft Sentinel).

The initial discovery scan typically completes in 10–20 minutes for tenants with up to 500 agents. Larger enterprise tenants should expect 30–45 minutes for the first full scan; incremental updates after that are near-real-time via event subscription.

For AWS Bedrock connectivity, the connector requires an IAM role with bedrock:ListAgents and bedrock:GetAgent permissions in the target AWS account. The Google Cloud connector uses a service account with aiplatform.agents.list and aiplatform.agents.get IAM roles. Both connectors are configured entirely through the Agent 365 admin portal — no CLI or Terraform work required for basic discovery.

What the GA Release Does Not Include

Several capabilities previewed earlier in 2026 are still on the roadmap. The most significant gaps for enterprise security teams to plan around:

• Defender portal integration: Runtime alerts surfaced in the Microsoft Defender portal are in public preview starting June 2026, not in GA today. Organizations using Defender as their primary SOC tooling will use the Agent 365 native alert interface in the meantime.
• Intune-managed endpoint agents: Context mapping and policy enforcement for agents running locally on Windows managed devices ships as the June 2026 Intune integration.
• Advanced behavior analytics dashboard: The ML-based anomaly scoring is available in GA. Historical trend views and peer comparison analytics are planned for Q3 2026.
• Automated remediation workflows: Policy violations currently trigger alerts and support manual revocation. Auto-suspend and auto-permission-reduction workflows are planned for H2 2026.

Where Agent 365 Fits the Broader Enterprise AI Stack

Agent 365 occupies the governance layer of what is becoming a three-tier enterprise AI stack: build (Azure AI Foundry, AWS Bedrock, Google Vertex AI), assist (Microsoft 365 Copilot, Google Workspace AI, AWS Q Business), and govern. Agent 365 occupies that third tier as a managed service, supplemented by tools like the Microsoft open-source Agent Governance Toolkit for teams needing custom policy engines beyond the out-of-box capabilities.

For enterprises tracking the agentic AI sprawl problem, the Agent 365 GA is a meaningful inflection point. It moves governance from a project teams must build themselves — custom logging, custom policy engines, custom audit trails — to a managed service with SLAs, Microsoft support, and integration into the compliance frameworks enterprises already use. The $15/user pricing and E7 bundle signal that Microsoft intends Agent 365 to become table-stakes infrastructure, not a premium add-on for security-mature organizations only.

The practical implication for enterprise architects is that agent deployment strategies built in 2025 on the assumption that governance tooling would remain DIY need to be revisited. Agent 365 makes centralized governance achievable without a dedicated engineering team, which changes the risk calculus for organizations that have been deferring broader agent deployment pending an enterprise-grade governance solution.

Bottom Line

Microsoft Agent 365 GA on May 1, 2026 delivers the enterprise AI governance control plane the industry has been waiting for. The observe-govern-secure model, cross-cloud registry sync with AWS Bedrock and Google Cloud, and per-user pricing make it the most practical starting point for organizations trying to get ahead of agent sprawl rather than respond to it after an incident. The June 2026 Intune and Defender integrations will close the remaining gaps for endpoint agents and SOC-integrated alerting. For enterprises renewing M365 agreements now, the E7 bundle at $99/user is worth modeling against existing M365 E5 plus Copilot licensing — the $12/user delta buys both Agent 365 and the full Entra Suite, which together address identity governance and AI agent governance as a unified least-privilege posture.