What Agent 365 is. Microsoft Agent 365 is the new enterprise control plane for AI agents, launched on 1 May 2026. It provides governance, identity, network controls, and security for agents built with Copilot Studio and other agent platforms. List price: $15 per user per month on annual term, also included in the new E7 Frontier Suite at $99/user.
Who needs it now. Organisations actively building or deploying AI agents at enterprise scale — multiple business units, multiple deployment scenarios, production agents acting on behalf of users. Without governance infrastructure, agent deployment creates real compliance, security, and audit exposure that mature security teams will not accept.
Who can wait. Organisations not yet building agents at scale. The need will arrive within 12–18 months for most enterprises as agent deployment matures, but immediate licensing is not required. The right action for these organisations is to model Agent 365 into the 2027 or 2028 budget rather than the current renewal.
What Agent 365 actually is
The growth of AI agents in the enterprise has created a real governance problem. Agents built with Microsoft Copilot Studio, Power Platform, and the broader Microsoft agent ecosystem can take actions on behalf of users — reading data, calling APIs, executing transactions, communicating externally. Without governance infrastructure, the agents proliferate uncontrollably, security teams cannot audit what they are doing, identity boundaries get blurred, and compliance exposure grows quickly.
Agent 365 is Microsoft’s answer to that problem. The product is positioned as a “control plane” sitting alongside agent development tools, providing four categories of capability: identity governance (each agent has a managed identity, access controls, lifecycle), network controls (prompt injection protection, threat intelligence filtering for agent traffic, shadow AI detection, URL filtering, file filtering), observability (audit logs, activity monitoring, anomaly detection), and lifecycle management (access packages, sponsor maintenance, deprovisioning).
The Microsoft announcement on 9 March 2026 described Agent 365 as “the missing governance layer” for enterprise AI agents. The framing is accurate. Most enterprises building agents in 2025 have been doing so without dedicated governance tooling, treating agents as either applications (using application identity governance, which fits poorly) or as user accounts (using user identity governance, which fits worse). Agent 365 provides agent-specific infrastructure.
What Agent 365 includes in detail
Agent identity and access governance
Each agent gets a managed identity with explicit access scope, lifecycle controls, and sponsor accountability. The components map roughly to Entra Identity Governance for users but adapted for the agent context: access packages defining what an agent can access, lifecycle workflows for agent creation and deprovisioning, and explicit sponsor relationships tying agents to human owners accountable for their behaviour. Without this layer, agents typically inherit broad application permissions or share user credentials, both of which fail security review at scale.
Network controls for agent traffic
Agent 365 includes four categories of network-level protection: prompt injection protection (detecting malicious instructions embedded in content an agent processes), threat intelligence filtering (blocking agent traffic to known malicious domains), shadow AI detection (identifying unauthorised agent or AI tool deployment), and URL and file content filtering. The network controls operate at the agent layer rather than the user layer, recognising that agents have different traffic patterns and threat profiles than human users.
Audit and observability
Every agent action is logged with sufficient detail for security investigation and compliance reporting. The audit infrastructure integrates with Microsoft Purview and Sentinel, so security teams can investigate agent behaviour using the same tooling they use for user behaviour. For regulated industries this is a hard requirement — agents without audit trails fail compliance reviews automatically.
Lifecycle management
Agents need to be created, owned, reviewed, and eventually deprovisioned. Agent 365 provides workflows for each stage. The lifecycle management component is particularly valuable for organisations that have already seen agent proliferation — the “who owns this agent?” problem is real and Agent 365 forces explicit answers at creation time.
Who genuinely needs Agent 365 in 2026
Three customer profiles need Agent 365 today, not in the future. Identifying whether your organisation matches one of these profiles is the central decision.
Profile A: Active agent builders at scale
Organisations actively building agents through Copilot Studio or other platforms, with multiple business units involved, dozens or hundreds of agents in production, and a roadmap for continued deployment. This profile correlates with mature digital transformation programmes, established Microsoft 365 deployments, and explicit AI strategy at the executive level.
For Profile A organisations, Agent 365 is essentially mandatory infrastructure. The governance gap without it is a compliance and security exposure that the next audit will surface. Deploying agents at scale without Agent 365 is structurally similar to running production application infrastructure without identity management — possible briefly but not defensible.
Profile B: Regulated industries with agent ambitions
Financial services, healthcare, pharma, defence, and other regulated industries face audit and compliance requirements that make agent governance non-optional regardless of deployment scale. For these organisations, even modest agent deployment (5–20 agents) triggers the need for Agent 365 because the audit framework requires explicit governance for any automated decision-making system handling regulated data.
Profile C: Organisations completing AI strategy in 2026
Organisations that are finalising their enterprise AI strategy in 2026, with agent deployment as a core component, should license Agent 365 as part of the strategy rather than after deployment. Retrofitting governance onto an existing agent estate is harder than building it in from the start. For these organisations, Agent 365 commitment in 2026 is forward-looking but structurally correct.
Who can wait on Agent 365
Most enterprises in 2026 are not yet in Profile A, B, or C. For organisations without active agent deployment and without immediate plans for it, Agent 365 is governance infrastructure that does not yet have anything to govern. The right action is to model Agent 365 into the next 12–24 months of budget rather than committing immediately.
Three signals indicate that Agent 365 should be deferred. First, no active Copilot Studio deployment beyond pilot. Second, no dedicated AI or agent governance leader in the organisation. Third, no explicit roadmap for agent production deployment over the EA term. Organisations matching all three signals will not realise value from Agent 365 in the current renewal cycle; the licensing capital is better deployed elsewhere.
Licensing as standalone vs through E7
Agent 365 is available two ways. Standalone at $15/user/month, or as part of the M365 E7 Frontier Suite at $99/user/month (bundling E5 + Copilot + Agent 365 + Entra Suite). The choice between the two routes depends on whether the other E7 components also fit the organisation.
For organisations where E7 is the right SKU (matching the framework in the E7 pillar guide), Agent 365 comes “free” in the bundle. The bundle math allocates roughly $7–$8/user/month of E7 value to Agent 365, against the $15 standalone list price — meaning the bundle saves money on Agent 365 when the other E7 components are also justified.
For organisations where E7 is not the right SKU, standalone Agent 365 at $15 is the cleaner architecture. Buying E7 to capture “bundled” Agent 365 when E5 and selective Copilot are the right shape elsewhere overprovisions across multiple components to get the one that actually fits. The standalone path costs more per Agent 365 user but less in total.
Scope of licensing: per user, not per agent
Agent 365 is licensed per user, not per agent. The licence covers each user interacting with agents in the tenant — whether the user is building agents, using agents, or being acted on by agents. This pricing structure has two important implications.
First, the licence cost scales with user population rather than agent population. An organisation with 10 production agents serving 10,000 users pays for 10,000 Agent 365 licences. An organisation with 100 production agents serving 1,000 users pays for 1,000 Agent 365 licences. The structure favours organisations with concentrated agent usage in smaller user populations.
Second, the licensing requirement applies to the entire interacting user population, not just direct users of agents. Users whose data is read by agents, whose workflows include agents, or who are acted on by agents all count. For most enterprise deployments, the practical interpretation is “every knowledge worker who uses Microsoft 365” needs Agent 365 once any meaningful agent deployment is active.
Negotiation considerations for Agent 365
Agent 365 is brand new and Microsoft is positioning it as core strategic infrastructure. Three negotiation considerations apply.
First, Microsoft has limited flexibility to discount Agent 365 individually in 2026. Account teams have specific attach quotas on Agent 365 (it is a key 2026 commercial metric for Microsoft) and negotiated discount on standalone Agent 365 is typically modest — 3–7% achievable, rarely more. The product is too new and too strategic to Microsoft for aggressive concession.
Second, Agent 365 can be used as a negotiation lever for other components. Microsoft account teams will offer favourable Agent 365 terms in exchange for broader commitments — E7 attach, multi-year EA commitment, Azure consumption co-commit. The standalone Agent 365 discount may be small, but the value as a relationship lever for other line items is meaningful.
Third, the scope of users included in Agent 365 licensing is sometimes negotiable. The default position is universal coverage of the user population. For organisations with clearly delineated agent-using populations (specific business units, specific user roles), scoped Agent 365 licensing covering only those users is sometimes achievable, with the rest of the population on E3 or E5 base.
When to buy: timing matrix
The combination of current agent activity and future agent trajectory determines the right Agent 365 timing.
| Current activity | Future trajectory | Right action |
|---|---|---|
| Active agents in production | Continued growth | License now (Profile A) |
| Active pilots, regulated industry | Compliance-driven scaling | License now (Profile B) |
| No active agents | 2027 agent strategy | Plan for 2027 — model into next renewal |
| No active agents | No defined strategy | Wait — revisit annually |
| Pilots, non-regulated | Selective scaling | License selectively — cover the affected users only |
Action plan
- Inventory current agent activity. Document existing agents in Copilot Studio and other platforms. The count is often higher than central IT realises — business units build agents without central tracking.
- Classify your organisation against Profile A, B, or C. Use the criteria above. The classification produces the right timing answer in most cases.
- If licensing now, decide standalone vs E7. Standalone for organisations where E7 doesn’t fit elsewhere. E7 for organisations matching the broader E7 framework.
- If deferring, document the deferral decision. Set a review trigger — either calendar (annual review) or event-based (when active agent count reaches a threshold).
- Engage independent advisory. Agent 365 is brand new and the right answer is not always obvious. Book a scoping call.