Microsoft Agent 365: The Tenant-Level Control Plane for AI Agents

Microsoft Agent 365 reached general availability on May 1, 2026, per Microsoft’s Security Blog announcement. The product is Microsoft’s answer to a problem that emerged quietly across 2024–2025: organizations that adopted AI agents (in Copilot Studio, in Microsoft 365 Copilot, through Power Platform, or through partner-ecosystem agents) ended up with dozens of agents, no consistent way to know which agents were doing what, and audit trails that were difficult to assemble at the tenant level. Agent 365 is Microsoft’s tenant-wide control plane built to solve exactly that.

This post unpacks what Agent 365 actually is, the three pillars Microsoft built it around (observe, govern, secure), the pricing, and where it fits relative to Copilot Studio, Microsoft 365 Copilot, and the rest of the Microsoft AI stack. For background on the platform Agent 365 sits next to, see our Microsoft Copilot Studio April 2026 recap. For the underlying AI-agent capability shift, our AI Agents pillar covers the broader context.

What Microsoft Agent 365 actually is

Agent 365 is the centralized control plane for managing AI agents across a Microsoft tenant. Per Microsoft Learn’s overview, it provides a single registry of every agent operating in the tenant, regardless of where that agent was built or deployed: agents authored in Microsoft Copilot Studio, agents shipped as part of Microsoft 365 Copilot, agents from third-party partners in the Microsoft Agent Store, and agents built on Microsoft’s broader Agent Framework.

The product brings together four things that previously lived in separate admin surfaces or didn’t exist at all:

• Agent inventory: a centralized registry of every agent in the tenant, with metadata on who owns it, what it can do, what resources it accesses, and how it’s been used.
• Permissions and identity: agents get first-class identity through Microsoft Entra Agent ID. Access control follows the same patterns IT teams already use for human users (conditional access, risk-based policies, least-privilege).
• Activity and behavior monitoring: real-time visibility into what each agent is doing, with risk and performance signals surfaced to admins before issues impact the business.
• Lifecycle management: IT-controlled onboarding (activate), runtime control (suspend an agent that’s misbehaving), and retirement (decommission agents that are no longer needed).

The framing is deliberately operational rather than developer-facing. Agent 365 is not where you build agents; that’s still Copilot Studio (for low-code), the Microsoft Agent Framework (for code-first), or the Microsoft 365 Copilot agent surface. Agent 365 is where IT and security teams see, govern, and manage agents once they exist.

The three pillars: observe, govern, secure

Microsoft built the product around three explicit pillars, and the pillar framing is genuinely useful for understanding what’s in the box.

Observe. Real-time visibility into the agentic environment. Admins see all agents in a single centralized registry showing adoption metrics, activity patterns, performance signals, and agent health. The point is that "what AI agents do we actually have in this tenant" is a question that should have a defensible answer at any moment, and Agent 365 makes the answer queryable. This addresses the sprawl problem that defined enterprise AI agent adoption in 2024–2025.

Govern. Policy enforcement through Entra Agent ID. Lifecycle controls (activate, suspend, retire) are IT-driven, not user-driven. Ownership controls clarify who is responsible for each agent. Built-in compliance templates aligned with standards like GDPR and ISO 27001 give security and compliance teams something to point at when answering "do we have appropriate governance over AI use." Enterprises can set policies for AI decision-making (what agents can do autonomously vs. what requires human approval), enforcing both ethical use and traceability.

Secure. End-to-end protection by extending Microsoft’s enterprise-grade identity, data, and threat-defense stack to AI agents:

• Microsoft Entra enforces consistent, risk-based access controls for both users and the agents acting on their behalf.
• Microsoft Purview provides data risk visibility with information protection, DLP (data loss prevention), and risk safeguards extending to agent operations.
• Microsoft Defender adds continuous threat detection and real-time protection to block unsafe behaviors and malicious activity at the agent layer.

The pillar approach matters because each pillar maps to a different stakeholder. Observe is for operations teams; govern is for compliance and risk; secure is for the CISO organization. A single product that gives all three constituencies a defensible answer to their respective questions is the value proposition.

Pricing and licensing

Per Microsoft’s published pricing, Agent 365 is available two ways:

• Standalone: $15 per user per month.
• Bundled in Microsoft 365 E7: included in the E7 enterprise suite at $99 per user per month, alongside the rest of the enterprise-tier Microsoft 365 capabilities.

The licensing model is per user, not per agent. One licensed user’s $15/month covers all agents that act on that user’s behalf, with no per-agent fees and no consumption charges for the governance layer. The model is deliberately structured so that adding more agents to your tenant doesn’t increase Agent 365’s cost; only adding more licensed users does.

For organizations already on Microsoft 365 E5, the standalone Agent 365 add-on is the most direct upgrade path. For organizations evaluating Microsoft 365 E7 fresh, Agent 365 inclusion is a meaningful part of the value calculation, especially in regulated industries where governance maturity is a board-level concern.

The per-user model has a subtle implication: governance cost scales with the size of the user base, not the agent footprint. An organization that runs ten agents per user pays the same as an organization that runs one agent per user. That’s the correct posture for a governance product; it makes governance non-punishing as agent adoption deepens.

Where it fits with Copilot Studio and the rest of the Microsoft stack

Agent 365 doesn’t replace any of Microsoft’s agent-building or agent-execution products. It sits next to them and provides the cross-cutting control plane.

The mental model:

• Build layer: Microsoft Copilot Studio (low-code, business-user-friendly), Microsoft Agent Framework (code-first for developers), Microsoft 365 Copilot agent authoring surface, partner agent builders.
• Runtime layer: Microsoft 365 Copilot Chat, Teams, Outlook, mobile apps, voice channels, WhatsApp, custom embedding via the Client SDK.
• Governance layer (Agent 365): tenant-wide inventory, identity, lifecycle, policy, observability, security.

The build and runtime layers existed throughout 2024 and 2025 in various forms. The governance layer was the gap, and Agent 365 fills it. An organization can keep using Copilot Studio for building, keep using Microsoft 365 Copilot for end-user access, and now also use Agent 365 to manage the resulting fleet at the tenant level. The three layers are deliberately complementary.

This composition matters for buyers evaluating Microsoft against alternatives like building agents in CrewAI or LangGraph and managing them through custom infrastructure. Microsoft’s pitch in 2026 is "build, run, and govern in one consistent stack." The pitch from open-source agent frameworks (covered in our AI agent frameworks comparison) is "more flexibility, more freedom, more integration work to do yourself." Both positions are defensible. The Microsoft path is more turnkey; the open-source path is more flexible.

What it means for IT and security teams

For an organization that has already deployed Copilot Studio agents or is using Microsoft 365 Copilot at any meaningful scale, Agent 365 is the operational backbone you’ve probably been missing without realizing it. Three practical reads:

Discover what you actually have. The first thing most organizations find when they turn on Agent 365 is more agents than they expected. The centralized registry surfaces agents that were built by business users in Copilot Studio without IT involvement, agents installed from the Microsoft Agent Store, and partner agents activated through individual user accounts. The inventory itself is often the most valuable single output in the first 30 days.

Get the lifecycle controls IT teams have been asking for. Activate, suspend, and retire workflows give IT a real say in agent operations. Agents that misbehave can be paused without uninstalling them; agents that are no longer needed can be retired with the same discipline as any other corporate resource. This solves the "shadow AI" problem that emerged across 2024–2025 as ad-hoc agent adoption outpaced governance.

Align the agent layer with the compliance posture you already maintain. The Entra/Purview/Defender integration means AI agents become subject to the same security and compliance controls your organization already runs for users and data. For organizations with formal compliance obligations (GDPR, HIPAA, SOC 2, ISO 27001), this is what makes broader agent deployment defensible.

The deployment posture for organizations already on Microsoft 365 E5 is: pilot Agent 365 in a single business unit for 30 days, build a clean inventory, identify the agents that need lifecycle attention, then expand tenant-wide. For organizations evaluating E7 upgrade, treat Agent 365 as one of the named E7 capabilities to factor into the upgrade decision.

Frequently Asked Questions