Microsoft Agent 365 launched on May 1, 2026 with bold promises around agent governance, security, and observability. And many of those promises are real. But if you’re an IT or security leader evaluating Agent 365 for your organization, there’s a side of the story that rarely makes it into the marketing slide deck: the limitations.

Here’s what Agent 365 cannot do today (8th of May 2026):

Does Agent 365 cover all agent types at General Availability?

No — and this is the single most important limitation to understand. At GA on May 1, Agent 365 only covers OBO agents (On-Behalf-Of agents) — agents that act in the context of a specific user. Autonomous agents — those that run independently without a tied human user, including Agent-to-Agent (A2A) and Agent-to-Tool (A2T) scenarios — remain in Frontier Preview only. The licensing model for autonomous agents is still being defined. You will not be charged for autonomous agent capabilities until they reach GA, but you also cannot fully govern or secure them today.

Can a single licensed admin cover the whole organization?

No, and attempting this creates a compliance violation. Agent 365 is a per-user license that covers users who benefit from premium capabilities. Multiplexing — pooling a single license to reduce the total count — is explicitly prohibited under Microsoft’s Universal License Terms, consistent with how Microsoft 365 E5 enforcement works. If unlicensed users benefit from Agent 365 premium capabilities, the organization is out of compliance.

Does Agent 365 automatically govern shadow agents?

No. Discovery does not equal governance. Agent 365 can detect shadow agents — unauthorized or unregistered agents running in your environment — through Microsoft Defender and Entra security signals. But detected shadow agents are not automatically enrolled in the Agent 365 management framework. An admin must explicitly onboard each one. There is currently no automated conversion process from “discovered” to “governed.”

Can existing Copilot Studio agents be retroactively upgraded to Agent 365?

No. Entra Agent IDs are provisioned at the time an agent is created on supported Microsoft platforms. Agents built before General Availability do not automatically inherit the new identity primitives. There is currently no retroactive process or bulk migration option. Existing agents must be rebuilt or republished to receive an Entra Agent ID. This has direct implications for organizations that have already deployed a significant number of Copilot Studio agents.

Does Agent 365 cover agents built outside Microsoft tools?

Only partially. Third-party agents from platforms like ChatGPT Enterprise, AWS Bedrock, or GCP can be governed by Agent 365 — but only if they are explicitly onboarded via the Agent 365 SDK. Agents that are not integrated through the SDK cannot be governed at the agent identity level. They may be visible as shadow activity through Defender signals, but full governance requires explicit registration. Additionally, third-party agents require both an Agent 365 license and their own native platform licensing. Agent 365 does not replace vendor licensing.

Can organizations register and govern custom MCP servers in Agent 365?

No — not today. Agent 365 currently supports Microsoft-provided MCP servers with limited enable/disable controls only. Custom MCP registration and governance are not available at GA. For custom MCP endpoints, AI Gateway provides network-level enforcement as a separate layer. A dedicated MCP registry is on the roadmap but not yet available.

Does an Agent 365 license upgrade security capabilities on E3 plans?

No. This is a critical misconception worth addressing directly. An Agent 365 license does not grant E5-level Purview or Defender capabilities. It adds no additional user-level security entitlements. For example, Conditional Access for OBO agents requires M365 E3 per user. Identity Protection for OBO agents requires M365 E5 per user. Identity Governance for OBO agents requires Identity Governance standalone or Entra Suite. Agent 365 extends existing security investments to agents — it does not replace or upgrade them.

Does Agent 365 automatically clean up unused or expired agents?

Not yet. Policy-based lifecycle automation — such as automatic expiration warnings or inactivity-based cleanup — is planned and will roll out incrementally. Today, lifecycle management is primarily manual: admins must assign sponsors, suspend agents, and retire agents through deliberate actions. Organizations that want automated governance rules should treat this as a gap to plan around.

What’s the practical takeaway for IT and security leaders?

Agent 365 is a strong foundation for enterprise agent governance — but it is not a complete solution today. If your organization is deploying autonomous agents at scale, relying heavily on pre-GA Copilot Studio agents, or expecting Agent 365 to automatically secure everything it discovers, you will run into these walls quickly.

The honest approach: deploy Agent 365 for what it does well today — OBO agent governance, identity management, and centralized registry visibility — while maintaining a clear roadmap for the gaps. Know where autonomous agents, shadow agents, and pre-existing Copilot Studio agents sit outside the current governance perimeter.

Governance doesn’t start when a product reaches GA. It starts when you know exactly what you’re governing — and what you’re not.

Sources:

• Microsoft Agent 365 Licensing FAQs (April 2026)
• Microsoft Learn documentation (May 2026)
• Microsoft Agent 365 Partner Launch FAQ (March 2026)
• My Blogpost “Microsoft Agent 365 FAQ: What You Need to Know Before May 1st”
• Microsoft Purview vs Agent 365: Understanding Agentic AI Governance

The post Microsoft Agent 365: What It Can’t Do (Yet) — Limitations You Need to Know first appeared on Ragnar Heil (MVP): Empowering M365 with AI.

Original Post https://ragnarheil.de/microsoft-agent-365-what-it-cant-do-yet-limitations-you-need-to-know/