What’s New in Agent 365: May 2026

By Alex Pozin, Samer Baroudi

As we celebrate the general availability of Agent 365, we’re sharing a closer look at the core capabilities that help organizations adopt agents at scale, responsibly and with speed. Agent 365 is built on three core value pillars: observe, govern, and secure, designed to give IT and security teams clear visibility, consistent controls, and enterprise-grade protection across your entire agent fleet. In this series, we’ll highlight new Agent 365 features and enhancements now and over the months ahead. Let’s dive deep into all the things you can do today.  

Observe: Monitor and manage agents in real time

Agent 365 overview dashboard

The Agent 365 overview dashboard is your starting point for Agent 365 in the Microsoft 365 admin center. With the overview dashboard you gain a clear, real-time view of your agents fleet by surfacing key metrics such as total registered agents, active users, growth trends, connected platforms, total runtime in hours, and emerging risk signals. At a glance, admins can understand the scale, adoption, and overall risk posture of their agent fleet, while recommended actions highlight where attention is needed most, such as reviewing pending agent requests, assigning owners to unclaimed agents, or addressing agents with exceptions (e.g. errors in conversation). Deeper analytics enable exploration of who is building agents, which platforms are gaining traction, how adoption is trending over time, and which agents are most heavily used, helping organizations move from basic visibility to informed, proactive governance as their agent ecosystem grows. As we continue to enrich the overview dashboard based on your needs, use this surface to quickly assess the scale, health, and risk posture of your agent environment, and take prioritized actions to stay in control as adoption grows.

An image showing the Agent 365 overview page with tile cards displaying key metrics, top actions and agent analytics.

Registry

As organizations scale their use of agents, having a single, authoritative system of record for agents becomes foundational to visibility, control, and trust. Agent 365 provides a centralized and unified registry that serves as the system of record for agents in the organization. Each agent¹, including those built by Microsoft, your organization, or ecosystem partners, is detailed with a complete record enriched with metadata like its name, description, publisher, platform, ownership, availability and deployment status, permissions from the Microsoft Graph, data and tools access, security and compliance details, certifications, usage activity, and more, giving IT and security teams a full view and eliminating blind spots.

An image displaying the Agent 365 registry, showing a list view of agents, tile cards for agent counts, and filter/search navigation elements.

Map

The agents map view provides a visual graph of the agent ecosystem, organizing agents by platform into clear clusters and surfacing agent counts so admins can quickly understand the scale and composition of their environment. As you zoom in, the map reveals individual agents and, for a selected agent, visualizes its connections to other agents, making dependencies and relationships explicit as agent usage grows across Microsoft and third-party platforms. Together, these views help IT and security teams move beyond static lists to spot patterns, understand how agents interact, and maintain visibility as their agent landscape becomes more complex.

An image showing the map view of all agents in the organization clustered by platform

Agent-level activity

Agent‑level activity metrics give admins operational visibility into how each agent is running and being used across the organization. Metrics such as usage sessions, engagement trends, and active users, help admins assess agent usage and validate adoption. Additionally, by correlating activity with users and policy signals, teams can quickly assess unusual behavior, exception alerts, or misconfigurations. Exportable activity data enables deeper analysis and reporting.

An image showing a fictitious agent named Zava Alerting agent selected in the registry and displaying agent activity details with metrics and charts for active users, sessions and agent responses.

Registry sync (Preview)

As agents are increasingly built and deployed across multiple platforms, organizations often lack a unified way to discover, inventory, and govern them. Registry sync enables AI admins to securely consent to and connect ecosystem partner agent platforms to Agent 365, bringing external agents and their metadata into the Agent 365 registry for a more unified view of your agent population. Where supported by the synced platform, you can also take agent-level governance actions directly from the Agent 365 registry, starting with agent deletion, to agents built on these platforms. The initial preview includes connections to AWS and Google Cloud, with additional partner platforms planned for future releases.

An image showing the registry sync detail view for the Amazon Bedrock connection showing options to sync, edit, and delete the connection, connection details, and a list of synced agents.

Shadow AI detection and blocking (Preview)

Local agents installed on company devices outside IT and security visibility is an emerging endpoint risk. These agents can read files, execute code, and act on a user’s behalf, enabling access to sensitive data or risky operations without touching managed cloud services. Agent 365 provides the control plane to register and manage approved agents across the environment.

A new Shadow AI page, enabled by Microsoft Defender and Microsoft Intune, helps identify local agent activity on Windows devices and apply endpoint controls. Initial support includes OpenClaw, with plans to expand to additional widely used agents over time. Admins get a centralized view of local agent usage and can take action to limit unsanctioned execution paths at the endpoint, helping reduce risk while supporting approved tools.

• Detect — one view of local agents across the environment with Agent 365
• Block — Intune policies that help stop unsanctioned agent execution at the endpoint
• Protect at scale — guardrails expand with your estate as coverage extends beyond OpenClaw to GitHub Copilot CLI, Claude Code, and more.

These capabilities help reduce Shadow AI exposure and bring local agents into a governed, secure endpoint posture.

An image showing the new Shadow AI page in Agent 365 in the Microsoft 365 admin center, with a list of devices that OpenClaw agents are running on.

 

An image showing the new Shadow AI page of Agent 365 in the Microsoft 365 admin center, where Intune policies are being applied

Govern: Establish guardrails for agents and users

Agent-level lifecycle and governance actions

AI admins can install, publish, block, unblock, delete, assign new owner for agents - all directly from the Agent 365 registry. Centralized lifecycle and governance actions remove friction, reduce delays, and enable fast response as agents are created, shared, and retired.

An image showing the agent-level governance actions in the Agent 365 registry

Agent distribution and availability controls

Agent distribution and availability controls ensure the right agents reach the right users without overexposure or risk. You can install an agent and precisely control where it’s available across the organization, choosing to make it available to no users, all users, or specific users and groups. This foundational control is critical as it can help enable safe and intentional rollout of agents aligned to roles, readiness, and business need.

An image displaying the Zava Alerting agent selected in the registry showing installation and availability controls, making it available to only the Agent 365 AI admin and Security Admin user groups

Admin approval and publication flow for requested agents

The agent approval and publication flow gives admins a centralized control point to review agents before they reach users. Assess each requested agent’s capabilities, data access, permissions, and security and compliance posture in the Agent 365 registry, then choose to publish or reject it from a single workflow. This prevents agent sprawl, reduces over‑privileged access, and ensures agents are onboarded with the right governance across Copilot Studio, Microsoft Foundry, and expanding agent platforms.

An image displaying requested agents showing the fictitious Staffing Agent selected with options to either publish to store or reject submission

Agent management rules

To help scale governance as adoption grows, Agent 365 automates routine management jobs with rules that act when conditions are met such as expiring inactive agents or blocking agents flagged as risky. Initially, rules-based governance will include standard rules for auto-deployment of Microsoft-built agents as well as auto-reassignment of ownerless agents (starting with agents built with Agent Builder).

An image displaying agent management rules in Agent 365 settings displaying the standard rule for reassigning ownerless agents.

Policy templates

Policy templates address the challenge of applying consistent security, compliance, and access controls as agent adoption scales across the organization. By grouping existing policies from services like Microsoft Entra, Microsoft Purview, Microsoft Defender, and Microsoft SharePoint into reusable templates, admins can apply standardized settings and guardrails to agents during approval or onboarding. This ensures consistent governance without configuring individual policies per agent, and is distinct from rules based automation, which manages lifecycle actions after deployment.

An image displaying policy templates in Agent 365 settings showing a specific policy template detail view including policies from Microsoft Entra, Purview, Defender, and SharePoint

Tools management

Tools are the resources and services an agent uses to take action and get work done within approved boundaries; for example, an agent can use the Microsoft Teams MCP to schedule a meeting, summarize a conversation, and post updates back to a Teams channel for the group. As agents are built with more capabilities taking more actions across Microsoft 365 and beyond, unmanaged tools introduce security, compliance, and operational risk. Tools management in Agent 365 gives AI admins a centralized control point to view, allow, or block the tools agents can use, such as Microsoft MCP servers, across the tenant. By enforcing consistent, admin-approved tooling policies, organizations ensure agents operate only within approved boundaries and permissions, reducing risk without slowing innovation or requiring per-agent configuration.

An image displaying the Tools management pane in Agent 365 displaying a list view of MCP servers

Identity governance for agents

High-impact agents often rely on access to a wide range of organizational resources to perform their tasks, making it critical to manage permissions with precision and control. Microsoft Entra ID Governance for agents brings agents into the same identity governance model used for people. Access packages help define and manage agent permissions with appropriate scope and control, while sponsor lifecycle workflows ensure each agent identity has an assigned user responsible for overseeing access, maintaining accountability, and keeping access aligned with organizational policies over time. Together, these capabilities help organizations keep agent access visible, intentional, and manageable as agents evolve, enabling consistent governance and control at scale as agent adoption grows.

An image displaying ID Governance access package policy being applied to a policy template in Agent 365

Data Lifecycle Management for agents and interactions

As agents reason over and generate content, organizations need clear controls over how long agent interactions are retained and when they’re removed. Microsoft Purview Data Lifecycle Management enables admins to define retention and deletion policies for human‑to‑agent and agent‑to‑human interactions, scoped by users, agents, or groups, with custom retention periods and post‑retention actions. By extending proven Purview controls to agent interactions, organizations can reduce data exposure and scale agent adoption with consistent, auditable data governance.

An image displaying a data lifecycle management retention policy in Microsoft Purview

 

Communication compliance for agents

As agents interact with people at scale, organizations need visibility and controls to detect unethical, inappropriate, or non-compliant behavior. Microsoft Purview Communication Compliance in Agent 365 enables you to define and apply policies to human-to-agent and agent-to-human interactions, enabling centralized detection, review, and investigation of risky behavior. By bringing AI interactions into existing compliance operations, organizations can promote responsible agent use, protect employees, and scale agent adoption with built-in oversight and accountability.

An image displaying a communication compliance policy in Microsoft Purview

eDiscovery for agent activity

Agents generate and act on organizational data, and legal and compliance teams need a way to preserve, search, and review agent activity with the same rigor as human communications. Purview eDiscovery lets organizations place agent interactions under legal hold, search agent‑to‑human and human‑to‑agent interactions across all agents, and review both agent outputs and the documents accessed during execution runtime, all within Microsoft Purview. This delivers a defensible, end‑to‑end discovery experience for agent activity using familiar legal and compliance workflows, enabling confident adoption while meeting regulatory and litigation obligations.

An image displaying an eDiscovery query in Microsoft Purview

Secure: Protect agents comprehensively

Risk flags in Agent 365 registry and overview

Agent 365 brings IT and Security teams together to create a connected experience for governing AI agents. Agent 365 surfaces agent‑level security and compliance risk flags, powered by first‑party signals from Microsoft Defender, Entra, and Purview, giving AI admins a unified view of risky agents directly in the Microsoft 365 admin center. From the Agent 365 overview or registry, admins can take actions like block agents or restrict access, and escalate to security teams to quickly responds and reduce risk. By bringing IT and Security signals together in a single management surface, Agent 365 enables stronger cross‑team collaboration, making agent management a shared responsibility where IT and Security teams work together to assess risk, take action, and govern agents securely and at scale.

An image displaying the security details for a fictitious Comms agent showing two risk flags identified by Microsoft Purview

Conditional Access for agents

Agents acting on behalf of users can introduce new access risks, especially when interacting with organizational resources. Microsoft Entra Conditional Access enforces dynamic, granular access policies for agents that operate independently, and extends existing user policies to agents acting on behalf of users. It applies the same Zero Trust principles to ensure agent actions are consistently evaluated based on real-time context and risk. This helps organizations reduce the risk of unauthorized or unsafe access by enforcing adaptive, risk-based access controls without introducing a new policy model. Note that Conditional Access for agents is generally available for delegated access agents (agents that act on behalf of the user) and is in public preview for own access agents (agents that operate with their own identity, not tied to a user session).

An image showing the creation of a new conditional access policy for agents in Microsoft Entra admin center

 

Identity protection for agents

Agents, whether they are acting on behalf of users or operate independently, can introduce new access risks when elevated agent risk, user risk or sign-in risk is present. Microsoft Entra ID Protection prevents compromise with dynamic evaluation of agent and user identity compromise risk. These risk signals can then be used by Conditional Access policies to block or constrain access to prevent compromise with risk-based Conditional access for agents that act independently and extending risk-based conditional access from users to agents for agents that work on behalf of users. Similar to Conditional Access, Identity protection for agents is generally available for delegated access agents (agents that act on behalf of the user) and is in Public preview for own access agents (agents that operate with their own identity, not tied to a user session).

An image displaying a Conditional Access policy for agents in the Microsoft Entra admin center

Secure Access Service Edge for agents

Secure Access Service Edge (SASE) for agents extends identity-aware, network-level security controls to agent traffic. For Microsoft Copilot Studio agents and agents running on local endpoint devices with Global Secure Access client installed, it provides prompt injection protection, threat intelligence filtering, web and URL filtering, and network file filtering to help reduce exposure to malicious destinations and unsafe transfers. Together, these capabilities help organizations extend consistent network protections to agent traffic and support safer agent adoption at scale.

An image showing Global Secure Access for agents and traffic details in Microsoft Entra

 

Threat detection and blocking for agents (Preview)

Agent adoption brings new threats, such as prompt attacks and tool misuse. Microsoft Defender enables security teams to detect, block, and investigate agent threats in runtime. For example, when an agent abuses its permissions to an email MCP server, exhibiting suspicious behaviors that may cause security incidents, Microsoft Defender can block the email invocation to reduce the incident's impact and trigger incident alerts in the Defender portal for investigation and response. This capability enables security teams to effectively defend agents against the evolving AI threat landscape.

An image showing how a security team can detect, block, and investigate agent threats such as prompt attack and tool misuse in the Microsoft Defender portal

Threat hunting and investigation for agents (Preview)

Beyond threat detection and blocking, security teams can use the unified observability logs in Agent 365 for Advanced Hunting to proactively search for threats, vulnerabilities, and potential exposures in their organization's agentic environment. For example, security teams can identify risky configurations, such as agents with MCP tools using maker credentials. These permissions allow MCP tools to operate as the maker, potentially leading to privilege escalation and exposure. Security teams can run queries in Advanced Hunting to generate a list of agents that present this risk, then collaborate across teams to remediate these risks before they turn into incidents.

Security team can proactively identify vulnerabilities and exposure leveraging Advanced Hunting capabilities in Microsoft Defender

Agent security posture management (Preview)

As organizations deploy more agents, security teams need continuous insight into which agents are over‑privileged, misconfigured, or exposed to attack. Microsoft Defender provides agent security posture management by assessing the security posture of Foundry and Copilot Studio agents, identifying vulnerabilities such as excessive permissions and misconfigurations, and surfacing prioritized security recommendations, risk context, and attack path analysis to AI agents. This enables teams to focus remediation where risk is highest, reduce exposure early, and ensure agents are built, deployed, and operated securely across their lifecycle.

An image showing the fictitious agent Zava Assist in Microsoft Defender

Data Security Posture Management (DSPM) AI Observability for agents

Organizations lack clear visibility into how AI agents access and expose sensitive data, increasing the risk of oversharing and unintended data leakage. Microsoft Purview AI Observability in DSPM provides unified visibility into all agents operating across your environment, Microsoft and non‑Microsoft, and continuously assesses agent data risk posture. This enables security teams to identify sensitive data exposure early, make informed decisions, and proactively reduce risk before it becomes an incident.

An image showing AI observability within Data Security Posture Management (DSPM) in Microsoft Purview

Insider Risk Management for agents

As organizations scale AI agents, they lack visibility into whether agents are accessing, generating, or exposing sensitive data in risky ways. Microsoft Purview Insider Risk Management for agents evaluated insider risk for agents by treating them as first‑class identities, enabling detection of risky agent behaviors such as anomalous data access or sensitive content in outputs. This allows security teams to intervene early and confidently scale AI agents while maintaining security, accountability, and compliance.

An image showing an alert spotting an agent attempt at sensitive file exfiltration within Microsoft Purview

Data loss prevention for agents

As agent adoption scales, confidential information can be unintentionally included in agent interactions, increasing the risk of data exposure across the organization. Microsoft Purview Data Loss Prevention (DLP) extends the same protections organizations use for people - such as to prevent data exfiltration and oversharing - to AI agents, for example by blocking an agent from emailing a confidential file to an external recipient.

Also, DLP controls for grounding data protect the data agents rely on to reason and respond to interactions. It leverages DLP and labeling policies directly to the data sources used for grounding, preventing agents from accessing or using sensitive content that shouldn’t inform AI decisions or outputs. This gives organizations confidence that advanced AI agents can be deployed without increasing data exposure or compliance risk, even as agents operate across multiple data systems.

An image displaying a conversation with fictitious agent Zava Procurement Agent showing a DLP-protected document cannot be summarized

Conclusion

As agents become a core part of everyday work, organizations need a way to extend the controls they already trust, from managing people, devices, apps, and data, to managing agents. With Agent 365, Microsoft brings agents into the same, familiar identity, security, and compliance frameworks customers already rely on today. These GA capabilities lay the foundation for scaling agent adoption with confidence, enabling organizations to unlock innovation and productivity while ensuring agents remain governed, secure, and aligned with your organization's needs.

Next steps:

• Read the announcement of new public preview capabilities
• Register for our upcoming Agent 365 live AMA
• Learn via AI Skills Navigator for Agent 365
• Get started with Agent 365 in the Microsoft 365 admin center
• Learn more about Agent 365 on MS Learn

Footnotes

1. Agent metadata available in the Agent 365 registry differs based on the agent’s source platform, as well as factors such as how the agent was built, integrated, and registered. As a result, some agents may expose richer or more standardized metadata, while others may only provide a subset of fields.