Microsoft Agent 365 Is GA: The Defender Stack For Agents

May 15, 2026 · 12 min read

TL;DR - Microsoft Agent 365 went generally available on 1 May 2026 at $15 per user per month, bundled inside the new Microsoft 365 E7 SKU. It is the first end-to-end enterprise governance and security layer for AI agents and supports agents built on Copilot Studio, Microsoft Foundry, AWS Bedrock and Google Vertex AI. The AI Security Dashboard at ai.security.microsoft.com is GA and acts as the operational pane of glass. The Defender capabilities for AI agents (asset context mapping, policy controls, runtime blocking of rogue coding agents) hit public preview in June 2026. What you need to do: stand up Entra agent IDs, enable conditional access for agents, and start mapping your agent inventory against the OWASP Top 10 for Agentic Applications 2026 this week.

Agent 365 By The Numbers

| Capability | State at 1 May 2026 GA |
|---|---|
| Standalone price per user per month | $15 USD |
| Bundled SKU | Microsoft 365 E7 |
| Cross-platform agent support | Copilot Studio, Foundry, AWS Bedrock, Vertex AI |
| AI Security Dashboard portal | GA at ai.security.microsoft.com |
| Defender network controls for Copilot Studio + local agents | GA |
| Asset context mapping, policy controls, runtime blocking | Public preview from June 2026 |
| Gartner-style projection of agent-to-user ratio | ~80:1 |
| OWASP risks Microsoft Agent Governance Toolkit covers | All 10 |

Out of Band Microsoft Security Podcast - May 2026 Episode

🎙️ This blog unpacks the Agent 365 segment of Out of Band: A Microsoft Security Podcast, where Andrew O'Young (Microsoft MVP, Informotion), Anthony Porter (Canon Business Services) and I dig into what Microsoft just shipped for agentic AI security. If you'd rather hear Andrew explain why his Agent Camp 2025 slide deck had to change twenty-four hours before he presented, the full episode is on YouTube.


I have spent the last twelve months in conversations that start the same way. "We're building an agent." "We're piloting a Copilot Studio thing." "We're running this Foundry workflow that the data team set up." And every time, the next question is, "who governs that?"

For most of 2025 and the early months of 2026, the honest answer was nobody, properly. There were pieces. Defender for Cloud Apps had a real-time protection toggle hidden three menus deep. Purview's Data Security Posture Management had an AI tab. Conditional Access could be made to recognise agents, sort of, if you knew what to ask for. Each piece worked. Nothing worked together.

On 1 May 2026, Microsoft shipped Agent 365.

It is the first integrated layer that treats AI agents the way the rest of the stack treats users and devices: with identity, governance, observability and Defender-grade telemetry. It is not perfect. It is in some places still very new. But it is the first time the agent-security conversation has had a real answer rather than a list of partial controls.

Let me walk you through what's actually in the box, what landed at GA on 1 May, what's still public preview through to July, and what you should be doing this week if you have any agents in production.


What Agent 365 Actually Is

Agent 365 is sold as a per-user license, $15 USD per user per month, or bundled into the new Microsoft 365 E7 SKU. Note the licensing pattern: it's still priced against people, even though it governs agents. Microsoft is making a bet that the right metering unit is the human responsible for the agent, not the agent itself - a bet I think is correct but which is going to age strangely as the agent-to-user ratio climbs into the 80:1 range that Gartner and the broader industry now project.

The product is structured around three pillars Microsoft has been hammering since the early preview:

  • Observe - know what agents exist, who owns them, what they connect to, what data they touch
  • Govern - apply policies (data, identity, network, conditional access) consistently across every agent
  • Secure - detect, block, and investigate malicious agent behaviour like any other Defender signal

The platform reach is the underrated part. Agent 365 supports agents built on:

  • Microsoft Copilot Studio (the low/no-code path)
  • Microsoft Foundry (the model + tools developer path)
  • AWS Bedrock (in public preview registry sync)
  • Google Vertex AI (in public preview registry sync)

Multi-cloud reach matters because, if you're honest, most organisations of any size are already running agents on at least two of those four platforms whether they have approved it or not.


The AI Security Dashboard Is GA

The operational front door for all of this is now live at ai.security.microsoft.com.

If you've used the AI tab inside Purview's Data Security Posture Management, the dashboard will feel familiar. The dashboard is GA as of the Agent 365 launch and pulls together signals from across Entra, Defender and Purview into a single view. The key blocks:

  • AI inventory - every AI agent and model surface Microsoft can see in the tenant, including shadow AI Microsoft has flagged as not officially registered
  • AI risks - a live posture view of misconfigurations, exposed secrets, weak conditional access scope, and so on
  • Action recommendations - one-click handlers to deploy Entra ID protection, conditional access for agents, sensitivity labelling and other controls

This is the dashboard your CISO will ask for a screenshot of. It is also the single most useful exec-summary view we've had for agentic AI risk since the category became a thing.

A nuance worth flagging: the Security for AI section inside Defender's settings has now been separated out of Defender for Cloud Apps. Previously the Copilot Studio real-time protection toggle lived under Defender settings > Defender for Cloud Apps > Copilot agents > Copilot Studio. As of May 2026 it has its own top-level blade, Security for AI, with Copilot Studio as the first sub-item and (presumably) Foundry, Bedrock and Vertex sub-items to follow. If you've documented the old path in a runbook, update the runbook.


Entra Agent ID + Conditional Access For Agents

Agent 365's identity story is built around Entra agent ID. Every agent registered into the tenant gets its own identity, separate from any human identity it acts on behalf of. The implications:

  1. Conditional Access policies can target agents directly. You can scope a CA policy to "all agents", "agents matching a tag", or a specific agent ID, in the same way you can today for users and devices.
  2. Sign-in logs are agent-aware. Every agent invocation lands in the sign-in log with the agent's identity, the on-behalf-of human, the resource accessed and the result.
  3. Network controls travel with the agent identity. The May 2026 GA includes network controls extended to Copilot Studio agents and local on-device agents (including the OpenClaw runtime), so policies that say "this agent can only talk to these destinations" actually enforce at the network layer.

If you've been quietly hoping the entire "what is the principal here, the user or the agent?" problem would resolve itself, it has not. Agent 365 gives you the primitives to solve it cleanly, but you still have to design the policy posture. Microsoft's published Conditional Access for agents templates are a sensible starting point.


The Defender Capabilities That Hit Public Preview In June

The Defender layer of Agent 365 is rolling in stages. The May 2026 GA shipped:

  • Network controls extended to Copilot Studio agents
  • Network controls extended to local on-device agents (including OpenClaw)

Public preview from June 2026 adds:

  • Asset context mapping for agents - the devices they run on, the MCP servers they connect to, the identities they assume, the cloud resources those identities can reach
  • Policy-based controls - initial support targeting OpenClaw via Intune, with the same enforcement layer expanding to other runtimes
  • Runtime blocking of coding agents exhibiting malicious patterns - the agent-behavioural equivalent of EDR
  • Rich incident alerts for investigation and response - first-class alert types for agent compromise

For threat hunting, the AIAgentInfo table is now part of advanced hunting in the unified Defender portal. The schema covers agent identity, last activity, owner, runtime, connected MCP servers and so on - the exact substrate you need to write KQL like "show me every agent in the tenant whose MCP server is on HTTP rather than HTTPS" or "show me every agent owned by a leaver who hasn't been deprovisioned".

Anthony's threat-hunting test in the podcast surfaced the obvious near-term win: most enterprises already have agents whose MCP knowledge sources are misconfigured, over-permissioned, or running on insecure transports. The AIAgentInfo table lets you find them in a few minutes. Until Agent 365 shipped, that visibility didn't exist.
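
The two hunts named above (MCP servers on HTTP, agents owned by a leaver), sketched in KQL as an added example that is not from the podcast or from Microsoft. It runs against a constructed `datatable` instead of the real AIAgentInfo table: every column name, agent, UPN and URL below is an assumption made for illustration, so substitute the real schema's columns before running it in advanced hunting.

```kusto
// Constructed sample rows. Column names are hypothetical stand-ins,
// NOT the real AIAgentInfo schema.
let SampleAgents = datatable(
    AgentId:string, AgentName:string, OwnerUpn:string,
    Runtime:string, LastActivity:datetime, McpServers:dynamic)
[
    "a-001", "hr-helper", "alice@contoso.example", "CopilotStudio",
        datetime(2026-05-10), dynamic(["https://mcp.contoso.example/hr"]),
    "a-002", "build-bot", "bob@contoso.example", "Foundry",
        datetime(2026-05-12), dynamic(["http://10.0.0.5:8080/mcp", "https://mcp.contoso.example/ci"]),
    "a-003", "finance-q", "carol@contoso.example", "CopilotStudio",
        datetime(2026-03-01), dynamic(["HTTP://legacy.contoso.example/mcp"])
];
// Constructed list of owners whose accounts are disabled (leavers).
// In a real tenant this would come from your identity data.
let DisabledOwners = datatable(OwnerUpn:string)
[
    "carol@contoso.example"
];
// Hunt 1: one row per MCP endpoint, keep only plaintext HTTP.
// startswith is case-insensitive, so "HTTP://" is caught as well.
let InsecureTransport = SampleAgents
    | mv-expand McpServer = McpServers to typeof(string)
    | where McpServer startswith "http://"
    | project AgentId, AgentName, OwnerUpn,
              Finding = "MCP server over plaintext HTTP",
              Detail = McpServer;
// Hunt 2: agents whose owner appears in the disabled-owner list.
let OrphanedOwner = SampleAgents
    | join kind=inner DisabledOwners on OwnerUpn
    | project AgentId, AgentName, OwnerUpn,
              Finding = "Owner account disabled",
              Detail = strcat("last activity ", format_datetime(LastActivity, "yyyy-MM-dd"));
// One triage list: a-002 (HTTP), a-003 (HTTP and disabled owner).
union InsecureTransport, OrphanedOwner
| sort by AgentId asc, Finding asc
```

An agent that shows up under both findings, like `a-003` in the sample rows, is the natural first candidate for the OWASP ASI01-ASI10 audit described later in the post.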


OWASP Top 10 For Agentic Applications: The Map

The other piece of news that landed quietly in the same window is the OWASP Top 10 for Agentic Applications 2026, released in December 2025 and developed with input from over 100 industry experts. Microsoft AI Red Team members Pete Bryan and Daniel Jones sat on the OWASP review board.

The ten risks (ASI01 through ASI10) cover:

  • Agent goal hijacking
  • Tool misuse
  • Identity and privilege abuse
  • Supply chain vulnerabilities
  • Unexpected code execution
  • Memory poisoning
  • Insecure inter-agent communication
  • Cascading failures
  • Human-agent trust exploitation
  • Rogue agents

Microsoft has published a direct mapping from each OWASP risk to Copilot Studio controls and Microsoft Security layers, and the open-source Microsoft Agent Governance Toolkit addresses all ten with deterministic, sub-millisecond policy enforcement.

The practical move: treat the OWASP Agentic Top 10 as your scoring framework when you audit any internal agent. Map each agent's current posture against ASI01-ASI10, decide which gaps you can close with Agent 365 controls today, and which need application-layer changes. The mapping is the work product. Doing it for one agent takes an afternoon. Doing it for ten will probably surface the agent that nobody owns, which is the one you actually needed to find.


What To Stand Up This Week

For an organisation already running agents in any form, the realistic week-one work:

  1. License up. Confirm Agent 365 entitlement in your tenant. If you're on M365 E5 plus add-ons, decide whether Agent 365 standalone or the E7 SKU is the right commercial path.
  2. Open the AI Security Dashboard. ai.security.microsoft.com. Walk through the AI inventory. Expect surprises.
  3. Enable Entra ID protection and conditional access for agents. The dashboard makes this a single-click action. Do it before you do anything else, because every other control downstream depends on agents having proper identities.
  4. Audit your highest-risk agent against OWASP ASI01-ASI10. Pick the agent with the broadest scope, the most data access or the most external tool integrations. Score each risk. Identify the top three gaps.
  5. Subscribe to the Defender capability public preview. The June 2026 wave brings the asset context mapping and runtime blocking. You want that in your hands the day it ships.
  6. Read the Microsoft + OWASP mapping doc. The Addressing the OWASP Top 10 Risks in Agentic AI with Microsoft Copilot Studio blog post is the single best operational reference Microsoft has published on agent security in 2026.

Key Takeaways

  • Agent 365 is GA from 1 May 2026. $15/user/month standalone or bundled in M365 E7. Cross-cloud support for Copilot Studio, Foundry, AWS Bedrock and Google Vertex AI.
  • The AI Security Dashboard at ai.security.microsoft.com is now your operational pane of glass. AI inventory, AI risk posture, one-click remediation hooks.
  • Security for AI is now a top-level blade, separated out of Defender for Cloud Apps. Update your runbooks.
  • Entra agent ID + Conditional Access for agents is the identity story. Use it. The whole governance stack stands on it.
  • Defender capabilities for agents reach public preview in June 2026 with asset context mapping, policy controls and runtime blocking of rogue coding agents.
  • OWASP Top 10 for Agentic Applications 2026 is the framework. Score every agent against ASI01-ASI10. Microsoft has published the mapping.

FAQ

When did Microsoft Agent 365 become generally available?

Microsoft Agent 365 went generally available on 1 May 2026. It is sold at $15 USD per user per month standalone or bundled into the Microsoft 365 E7 SKU. It is the first end-to-end enterprise security and governance layer specifically for AI agents.

Which agent platforms does Agent 365 support?

Agent 365 supports agents built on Microsoft Copilot Studio, Microsoft Foundry, AWS Bedrock and Google Cloud Vertex AI. Bedrock and Vertex AI integration via registry sync is in public preview at GA.

What is the AI Security Dashboard?

The AI Security Dashboard is the integrated operational portal for Agent 365 at ai.security.microsoft.com. It pulls together AI agent inventory, AI risk posture, and remediation actions from Entra, Defender and Purview into a single view. It is generally available as part of Agent 365.

Where did the Copilot Studio security settings move?

Previously, the Copilot Studio real-time protection settings lived under Defender settings > Defender for Cloud Apps > Copilot agents > Copilot Studio. As of the Agent 365 launch in May 2026, Microsoft has separated these into a dedicated Security for AI blade, with Copilot Studio as the first sub-item. Existing settings are migrated; the path is the change.

What is the OWASP Top 10 for Agentic Applications 2026?

A globally peer-reviewed framework for the ten highest-impact security risks facing autonomous AI agents, released in December 2025. The risks (ASI01-ASI10) cover goal hijacking, tool misuse, identity abuse, supply chain, unexpected code execution, memory poisoning, inter-agent communication, cascading failures, human-agent trust exploitation, and rogue agents. Microsoft has published a direct mapping to Copilot Studio controls and ships the open-source Agent Governance Toolkit addressing all ten.

Is Defender for AI agents GA today?

Network controls for Copilot Studio agents and on-device local agents are GA from 1 May 2026. The richer Defender capabilities (asset context mapping, policy controls via Intune for runtimes like OpenClaw, runtime blocking of malicious coding agents, and rich incident alerts) hit public preview from June 2026.


My Take

The pattern I keep seeing in customer conversations is that the agent-governance conversation has been at the wrong level. CIOs and CISOs have been debating "should we allow Copilot?" while teams two layers down have already shipped a half-dozen agents through Power Platform that nobody's tracking. Agent 365 doesn't fix the political conversation. It does fix the visibility one. From 1 May 2026, you can know what you have. From there, the rest of the work is real work, but at least it's real work on a known surface.

The cross-cloud reach is the part I want to flag. Most security blogs are going to lead with the Copilot Studio integration. The more interesting story is that Microsoft has registered Bedrock and Vertex AI agents into the same governance fabric. If you are an enterprise running agents across multiple cloud vendors (and most are), this is the first credible single-pane-of-glass for AI agent governance any major vendor has shipped. Google has nothing equivalent at this level of operational maturity. AWS has fragments. Microsoft is selling the integrated story.

The cost of doing nothing is rising fast. The OWASP Top 10 for Agentic Applications exists because the failures are real, not theoretical. Agent goal hijacking and tool misuse incidents are happening to real organisations right now and not being reported because there is no clear regulatory trigger yet. That changes the moment one of these compromises lands a major brand on the front page, and the regulatory environment then moves at the usual speed: too fast for the underprepared, too slow for the well-prepared. The underprepared lose.

If you do one thing this week: open ai.security.microsoft.com. The list of agents Microsoft already knows about in your tenant will be your week-two backlog. That alone is worth the licensing conversation.


Mathew Clark
Founder, SecureInSeconds
Currently: trying not to think about how many of my own shadow agents I'm about to discover when I open ai.security.microsoft.com.

