Microsoft Agent 365 is GA: govern your agent identities now

🚨 The Signal: Microsoft Agent 365 reached general availability on 1 May 2026. It is the control plane to discover, govern and secure AI agents across your tenant. Every autonomous agent is now a non-human identity you must inventory, scope and monitor, or accept unmanaged agent sprawl.

The Impact

Entra and security admins inherit a new identity class -- agent identities -- that act independently and reach data at machine speed.

• Entra admins: agents are non-human identities that need least-privilege scoping and lifecycle control.
• Security teams: unmanaged shadow agents (Claude Code, Copilot CLI) expand the attack surface.
• Data owners: agents acting on a user's behalf can overshare unless their access is bounded.
• Risk: ungoverned agent credentials become standing, unmonitored access paths.

The Action

1. Open the Microsoft 365 admin center Shadow AI / Agents page and review the Agent 365 Registry inventory.
2. Apply an Intune policy to detect and block unmanaged agents on managed devices.
3. Scope every agent identity in Microsoft Entra to least privilege; remove standing permissions.
4. Extend Entra network controls to restrict agent connections to approved destinations only.
5. Build Microsoft Defender runtime agent protection (preview from June 2026) into your monitoring plan.

Domain: Agentic-AI · Impact: high · Workload: Entra ID · Essential Eight: Restrict Administrative Privileges