On May 1, 2026, Microsoft shipped Agent 365 to general availability. It is $15 per user per month standalone, or bundled into the new Microsoft 365 E7 "Frontier" suite alongside E5 and Copilot. The headline is boring on purpose. The product underneath is not.
Agent 365 is Microsoft's bet that the next IT crisis will not be unmanaged laptops or unmanaged SaaS. It will be unmanaged agents — autonomous software that has its own identity, its own credentials, its own inbox, and a willingness to take action on behalf of humans who never read the prompt it was given. Look at your own org: you almost certainly have agents running in Copilot Studio, in Bedrock, in Vertex, in n8n, in some Slack bot a marketing intern shipped last Tuesday. Nobody has a list. Nobody can switch them off. That is the problem Agent 365 is built for.
What actually shipped on May 1
Microsoft frames Agent 365 around three verbs: observe, govern, secure. In practice, GA covers four concrete capabilities operators should care about now.
1. A unified agent registry
Every agent created or discovered in your tenant gets a row in a single registry — Copilot Studio agents, third-party agents, custom code agents using the Agent 365 SDK, and (in public preview) agents on AWS Bedrock and Google Cloud through registry sync. An admin can finally answer "how many agents do we have, who owns them, and what are they doing this week" without writing a script.
2. Agent identity in Microsoft Entra
This is the part most coverage skips, and it is the most interesting design decision. Each registered agent gets a real Entra identity, not a service principal hack and not a shared API key. It is granted access to specific knowledge sources, given its own email, calendar, OneDrive, and Teams account, and shows up in audit logs as a first-class actor.
Once agents are first-class identities, every other Entra control snaps into place: Conditional Access, risk-based sign-in, Privileged Identity Management. You stop reasoning about agents as "AI features" and start reasoning about them as employees with very narrow job descriptions — the only frame that scales.
3. Local agent and shadow-AI controls
Agent 365 extends Entra network controls down to local agents on user endpoints, including the new OpenClaw runtime. IT can identify unsanctioned AI usage, restrict outbound connections to approved destinations, filter risky file movement, and block prompt-injection attacks before they trigger an action. Shadow AI gets treated the way shadow SaaS finally was: as a governable inventory, not a cultural problem.
4. Multicloud lifecycle governance
The AWS Bedrock and Google Cloud connectors (public preview) let IT discover, inventory, and start/stop/delete agents on those platforms from the same console. That is a remarkable concession from a vendor whose default is to ignore the other clouds, and a quiet acknowledgement that no enterprise actually runs all its agents in one place.
Why this matters more than another Copilot release
Almost every AI program that has stalled in the enterprise has stalled for the same reason: nobody can answer the auditor's questions. Who can the agent talk to? What can it write to? Who approved that? What did it do at 02:14 last Tuesday and why?
If you cannot answer those, security eventually bans the tool, legal eventually blocks the deal, and the CFO eventually freezes the budget. Agent 365 is a serious attempt at the answer with a structural advantage: most of the agents it needs to govern are already built on Microsoft identity, email, files, and endpoints.
Two trends collide here. Anthropic's Model Context Protocol crossed 97 million installs in March 2026 and is now the industry's tool-and-context interoperability layer; Agent 365, Bedrock, and Vertex all support it. And every frontier vendor is shipping pre-configured agent bundles by vertical. The unit of delivery is no longer "an LLM API." It is "an agent that does a job." Agent 365 is the HR system for non-human workers, and Microsoft is the first vendor at GA scale to ship one.
The operations playbook for this quarter
Run agent discovery once. Connect Agent 365 to Copilot Studio, Bedrock, and Vertex. Almost every team finds at least one agent nobody remembers building.
Assign owners. Every agent needs a named human owner with sign-off authority. No owner, the agent gets paused.
Define blast-radius tiers. T1 read-only, T2 reversible writes, T3 external/money-moving. Different tiers, different Conditional Access, different review cadences.
Wire agent logs into your existing SIEM. Agent action logs are audit logs. They belong in Sentinel or Splunk, not a separate console nobody opens.
Consolidate one painful workflow. Onboarding, vendor intake, ticket triage — rebuild it with one governed agent instead of three half-finished bots. Measure cost-per-task. That is the number that wins budget conversations in 2026.
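One way to apply the owner and blast-radius steps above to an inventory export, as an added example that is not Microsoft's code or part of the original article. The record fields, capability labels and review intervals are constructed assumptions, not the Agent 365 schema.

```python
import json

# Hypothetical capability labels (assumption: the real registry schema is not on the page).
READS = {"read_file", "read_calendar", "search_knowledge"}
WRITES = {"write_file", "update_ticket", "send_internal_message"}
EXTERNAL = {"send_external_email", "initiate_payment", "call_external_api"}
# Assumed review cadence per tier, in days.
REVIEW_DAYS = {"T1": 180, "T2": 90, "T3": 30}

def tier_for(capabilities):
    """Map declared capabilities to the page's tiers, failing closed to T3."""
    caps = set(capabilities)
    undeclared_or_unknown = not caps or bool(caps - READS - WRITES - EXTERNAL)
    if undeclared_or_unknown or caps & EXTERNAL:
        return "T3"  # external/money-moving, or not understood well enough to rate lower
    if caps & WRITES:
        return "T2"  # reversible writes
    return "T1"  # read-only

def triage(agents):
    """Return one decision record per agent, suitable for forwarding to a SIEM as JSON lines."""
    records = []
    for agent in agents:
        tier = tier_for(agent.get("capabilities") or [])
        owner = (agent.get("owner") or "").strip()
        records.append({
            "agent_id": agent["id"],
            "platform": agent.get("platform", "unknown"),
            "tier": tier,
            "review_days": REVIEW_DAYS[tier],
            "action": "keep" if owner else "pause",  # no named owner: pause
        })
    return records

# Constructed sample inventory (not real registry output).
SAMPLE = [
    {"id": "agent-001", "platform": "copilot-studio", "owner": "a.ng@example.com",
     "capabilities": ["read_file", "search_knowledge"]},
    {"id": "agent-002", "platform": "bedrock", "owner": "",
     "capabilities": ["read_file", "update_ticket"]},
    {"id": "agent-003", "platform": "vertex", "owner": "r.diaz@example.com",
     "capabilities": ["initiate_payment"]},
    {"id": "agent-004", "platform": "local", "owner": None,
     "capabilities": ["run_shell"]},
]

if __name__ == "__main__":
    for record in triage(SAMPLE):
        print(json.dumps(record, sort_keys=True))
```

An agent whose capabilities are empty or unrecognized lands in T3 rather than T1, so a gap in the inventory raises the review burden instead of lowering it.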
The honest caveats
Multicloud connectors are still preview, so do not architect a critical compliance control around them yet. Local-agent controls assume Intune-managed endpoints. And $15/user/month stacks fast on top of E5 and Copilot — the E7 bundle math is the only sane way to buy it at scale. The deeper caveat: Agent 365 makes it easier to govern agents you built well, and impossible to hide agents you built badly. If your AI projects lack evals, observability, and a defined off-switch, the registry will surface that fact in front of your CISO. Feature, not bug.
The bottom line
For three years the AI agent conversation has been about capability. May 1, 2026 quietly shifted it to control — what is observable, governable, reversible. That is the conversation that decides which AI programs survive their first audit and which get rolled back to a Copilot license. Agent 365 is not the only answer; it is the loudest one to arrive at GA. If you are building, buying, or auditing AI agents inside an enterprise this year, your operations stack just got a new default — and it will shape every architecture review and vendor questionnaire for the rest of 2026.



