Agent 365 AMA Decoded: 25 Questions, 25 Answers, and Zero Fluff

So. There we were. Tuesday evening, coffee number four, headphones on, watching Microsoft host another Ask Me Anything on Agent 365. And before you ask: yes, I took notes. Yes, far too many. And yes, I’m now turning them into the kind of blog post I would have wanted to read myself before sitting through ninety minutes of livestream.

Quick setup for the latecomers: Agent 365 is Microsoft’s control plane for agents. Think of it as the bouncer, the registry, the auditor, and the security officer for every agent running in your tenant — first-party, third-party, citizen-built, dev-built, or somewhere shady on an endpoint that nobody admitted to installing. It went GA on May 1, 2026, which means at the time of the AMA it was a grand twelve days old. A toddler with serious responsibilities.

The panel: Irina Nechaeva (GM, Microsoft Security), Paty Carlos (PM, Agent 365, demo lead), Neta Haiby (Security for AI lead), Caroline Stanford (Product Marketing, M365 Suites & Agent 365), and your host Samer Baroudi.

Below: the 25 questions and answers I think actually matter. Some are verbatim from the audience. Some I’ve teased apart from multi-part questions because the answers deserve their own oxygen. Some come from the demo, where Patti basically did a guided tour and accidentally answered five questions before anyone asked them.

Let’s go.

Licensing & commercial model

1. How is Agent 365 licensed?

Per user, per month. Caroline was very clear: every agent is fundamentally tied to a person. Either it works on behalf of a user (the famous “OBO” model), or it operates independently — in which case it still needs a human manager or sponsor accountable for it.

Both flavours are covered by the same Agent 365 user license. You can buy it standalone, or get it bundled in the new Microsoft 365 E7 SKU (which also packs in M365 E5, Copilot, and Entra Suite). E7 launched, like Agent 365 itself, on May 1, 2026.

2. So if I don’t license Agent 365, do my agents stop working?

No. And this was Caroline’s polite-but-firm clarification. Agent 365 is the management, governance, and security layer on top of agents. It’s not how you procure the agent itself. Your Copilot Studio agent still runs without Agent 365 — you just don’t get observability, governance templates, risk signals, or the registry view of its life and times.

3. What about autonomous agents — do they need Agent 365?

If you want to use the autonomous agent’s data — sessions, active users, traces, the whole observability column Patti showed in the demo — yes, that data lives behind the Agent 365 license. Without it, you’re flying with the autopilot on but the cockpit dark.

4. What are the three roles that need an Agent 365 license?

Three flavours of human, one license:

1. Users who interact with agents (the OBO scenario — “the agent does this for me”).
2. Managers of agents — accountable for day-to-day operations of an agent that runs on its own.
3. Sponsors of agents — the second pair of eyes asking the awkward questions: should this agent still exist? Does it have too much access? Could three agents be one?

Irina was insistent on the sponsor role. Even autonomous agents need a human in the loop. Otherwise, congratulations, you’ve built an unsupervised intern with API keys.

5. How does licensing work for MCP tools used by M365 Copilot agents?

If your agent lives inside Microsoft 365 Copilot surfaces (Word, PowerPoint, Excel, Outlook, chat — the lot), MCP access is already covered by your M365 Copilot license. No extra MCP meter ticking in the background.

6. And MCP tools used by custom agents (Copilot Studio, Foundry, etc.)?

That’s the Work IQ API territory, first teased at Ignite. Per user, consumption-based, with both the data layer and the skills layer (i.e. the MCPs). Microsoft hasn’t published the price point yet — Caroline was careful with that. Watch the next few weeks.

7. Will MCP remote-server usage be bundled into Copilot, or separately billed?

Same answer as #6, just from the other angle. Inside M365 Copilot — bundled. Outside, in your custom agent estate — Work IQ API. There is no third path.

8. Can devs submit their own MCP servers for IT approval?

Yes — and this is part of the Agent 365 license itself. Patti added it as a postscript and it deserves more attention than it got: developers can submit a custom MCP server, IT approves it, and then it shows up in Copilot Studio (and other surfaces) for citizen builders to wire into their own agents. Bring-your-own-MCP, governed end-to-end. Best practice: insist on this workflow before someone curls a random MCP server from a Reddit thread.

Identity, OBO, and “what counts as an agent”

9. If an agent doesn’t have an Entra Agent ID, does it appear in Agent 365?

Yes. It will show up in the registry. You’ll get observability. You can extend some protections. What you don’t get is the granular access control and policy enforcement that Entra Agent ID unlocks. The registry doesn’t discriminate at the door — but the VIP lounge has a guest list.

10. Can I use Agent 365 centrally without giving every employee a per-user license?

This was the sneaky question hidden inside the previous one. Short version: discovery and registry don’t require a per-user license for every interacting employee. Depth requires licensing. The deeper you want to go — restrict permissions, enforce runtime protections, full activity attribution — the more the per-user model matters. Important note: discovering locally-run agents on endpoints requires Defender for Endpoint as a technical dependency.

11. What about agents from Microsoft platforms that execute as the user and never get an Entra Agent ID?

Irina’s polite-but-firm-take-two: Microsoft’s perspective is that every agent should have its own identity. Even when an agent is just executing as the user, you and your auditors will eventually want to answer the question: Did Sabine do that, or did Sabine’s agent do that? Without an agent identity, you can’t.

The recommendation: register every agent with Agent ID, then choose the access pattern (OBO or independent) consciously.

12. What observability and governance features apply to non-OBO agents without Agent IDs?

You get registry visibility and basic observability. You lose granular permissions control, conditional-access enforcement against the agent identity, and a clean audit trail separating user actions from agent actions. Functional, but not best practice.

Third-party platforms & registry sync

13. Can I monitor agents built in Google ADK / Gemini Enterprise from Agent 365?

Yes, two ways:

• The Agent 365 Observability SDK — integrate your agent directly. Full access control, observability, data security. Treats your Google-built agent like a first-class citizen. Docs are live.
• Registry Sync — for lighter-touch onboarding straight from the M365 Admin Center. Currently supports Amazon Bedrock, Google Vertex AI, Databricks, and Salesforce Agent Force, with more on the way.

14. What’s the difference between SDK integration and Registry Sync?

Registry Sync = quick visibility, light governance. Your imported agent appears as “unmanaged” in the registry (Patti showed exactly this with a Google Vertex AI agent called “support help”).

To turn it into a fully governed agent — observable, policy-enforced, the works — register it via the Agent 365 SDK. The SDK is the door from “I see you” to “I manage you.”

15. Which third-party platforms are supported today for Registry Sync?

As of this AMA: Amazon Bedrock, Google Vertex AI, Databricks Genie, Salesforce Agent Force. Microsoft confirmed more are in flight.

Observability, risk & blocking

16. What rules define a “risky” agent?

Risk is layered and comes from the underlying systems already doing the work:

• Identity risk — surfaced from Entra (risky sign-ins, compromised accounts).
• Data security risk — surfaced from Purview (sensitivity interactions, data exfiltration patterns).
• Threat protection risk — surfaced from Defender.

Agent 365 aggregates these signals and tags the agent. You then see it under “Agents at risk” in the All Agents view.

17. If an agent shows risk activity, do I have to block it to investigate?

No. Blocking is optional and human-driven for most cases. Some high-risk patterns (compromised account, risky sign-in) will be auto-blocked by Entra Conditional Access — which, as Netta gently put it, is helpful when this happens at 3am while you’re asleep. But reviewing risk does not require blocking. Block, investigate, then unblock — or investigate first. Your call.

18. How big is the delta between monitoring an agent and controlling an agent?

Netta’s framing here was the best line of the AMA: “What you can’t discover, you can’t monitor, and you can’t secure.”

So the order is always: discover → observe → decide → control. Not every monitored agent needs to be controlled. Shadow AI agents you’ll likely block. Sanctioned agents you’ll enable, then control access, permissions, and data scope. It’s not 1:1, and that’s the point.

Shadow AI

19. How does Agent 365 detect Shadow AI?

Through the new Shadow AI experience, currently in early preview in Frontier. It uses Intune-managed device signals to surface unauthorised agent platforms running on endpoints. At GA: detection of OpenAI, Claude, Cursor, and a growing list. Today’s enforcement action: block. Finer-grained controls (allow with conditions, restrict to certain users, etc.) are on the roadmap and arriving over the summer.

20. Can I mark a Shadow AI experience as authorised? E.g. I actually want my devs to use Claude CLI.

Honest answer from Patti: the team is actively designing this right now. The mechanism for declaring “this is sanctioned, treat it differently in the UX” is not finalised. They are explicitly soliciting feedback. So if you have a strong opinion on how authorised-but-third-party AI tools should be treated in the registry — now is the moment to file it.

MCP, Work IQ, and tool governance

21. Can admins centrally manage which MCP tools agents can access?

Yes. This was a recurring theme. Agent 365 gives admins central visibility and control over MCP tool usage across agents — first-party Microsoft tools today, with a growing surface across third-party MCPs. Combined with the dev-submission flow (#8), you get a real governed marketplace of tools rather than the wild-west MCP catalog people were quietly worrying about six months ago.

Lifecycle, templates, and rules

22. Can agent management rules be scheduled, or is it manual-only?

Today: manual execution. Patti showed exactly this — running the “Reassign owners for ownerless Agent Builder agents to manager” rule on demand. Scheduled / recurring rules are coming by summer 2026. This matters more than it sounds: if you’ve got tens of thousands of agents, manual-only rule runs do not scale.

23. What templates ship out of the box?

A default agent template with Microsoft’s recommended baseline policies across Entra, Purview, Defender, and SharePoint. You can clone, modify, or build entirely new templates — for example, a “Custom Copilot Studio agents” template that blocks high-risk agents and applies a stricter SharePoint policy on top of the default. Templates are containers of policies, applied consistently at publish-time.

Best practice: start with the default. Resist the urge to build seventeen templates on day one. Add specialised templates only when your audit logs prove you need them.

24. How do I deal with ownerless agents?

Two routes:

• One-by-one reassignment in the All Agents view (fine for a handful).
• Agent Management Rules under Settings (essential at scale). The three shipping rules: reassign ownerless agents in bulk by criteria, auto-install Microsoft agents, and block compromised agents. Combine with the upcoming scheduling and you have a self-healing agent estate.

MSPs & getting started

25. What does Agent 365 offer Managed Service Providers managing multi-customer environments?

Today: Graph API access for basic observability and registry data. That’s the immediate hook for MSPs to build their own multi-tenant tooling.

In flight: a multi-tenant management experience inside the M365 Admin Center, focused on registry visibility and observability across tenants. Preview later in summer 2026, GA expected late summer. Security policy management across tenants is a separately tracked piece — Patti was explicit that they are still working through it. So: visibility first, multi-tenant policy authoring later.

Three things I’m taking away

1. Licensing is per user, scoped to interaction. Stop thinking “per agent.” Start thinking “who interacts with, manages, or sponsors agents.”
2. Identity is the unlock. Without Entra Agent ID, you’re in the registry but not in the policy game. Push every platform you build on toward proper agent identities.
3. The roadmap is honest. Scheduled rules, multi-tenant management, finer Shadow AI controls, more registry-sync partners — all openly dated to “summer 2026” or “later this summer.” That’s a refreshing change from vendor vapour.

To dig deeper, the official starting line is aka.ms/agent365 — step-by-step guide, technical docs, the Security for AI assessment, and role-specific resource bundles for M365 admins, Defender admins, Entra admins, and Purview / SecOps folks.

Right. That’s twenty-five. Ping me if you want me to go deeper on any of them — especially Work IQ pricing, which is the conversation I expect we’ll all be having for the next three months.

Read more about Microsoft Agent 365:

• Microsoft Agent 365: What It Can’t Do (Yet) — Limitations You Need to Know
• My Blogpost “Microsoft Agent 365 FAQ: What You Need to Know Before May 1st”
• Microsoft Purview vs Agent 365: Understanding Agentic AI Governance

PS: Ready to implement proper AI agent governance? Contact me, Ragnar Heil, for a consultation on Agent 365, SharePoint Advanced Management, Microsoft Purview (Information Protection, Data Loss Prevention Policies, DSPM for AI), Rencore Governance, EasyLife365 Collaboration, ShareGate Protect, Data&More or Agent 365 deployment strategies tailored to your organization’s needs. Find my calendar here at our HanseVision Governance Landing Page.

The post Agent 365 AMA Decoded: 25 Questions, 25 Answers, and Zero Fluff first appeared on Ragnar Heil (MVP): Empowering M365 with AI.

Original Post https://ragnarheil.de/agent-365-ama-decoded-25-questions-25-answers-and-zero-fluff/