@jenssgb
Last active April 10, 2026 12:08
Step-by-step guide: Onboard an AI Agent into Microsoft Agent 365 (Frontier Preview)

πŸ›‘οΈ Onboard an AI Agent into Microsoft Agent 365

Deploy a Foundry-hosted AI agent and onboard it into Microsoft Agent 365 with full enterprise governance: own Entra identity, license, audit trail, and threat protection.

⏱️ ~15 minutes end-to-end | 🐳 No Docker required | ✅ Verified April 10, 2026


🔑 What is Agent 365?

Agent 365 is Microsoft's enterprise governance layer for AI agents. It doesn't build agents; it governs them.

graph LR
    A[🤖 Your Agent] --> B[🛡️ Agent 365 Governance]
    B --> C[🆔 Entra Agent ID]
    B --> D[📋 Admin Center Registry]
    B --> E[🔍 Purview Audit]
    B --> F[🛡️ Defender Threat Protection]
    style B fill:#0078D4,color:#fff

Every onboarded agent gets:

πŸ›οΈ Governance Pillar Platform What it does
πŸ†” Identity Entra ID Own Agent ID, Conditional Access, Lifecycle Management
πŸ“‹ Observability M365 Admin Center Registry, Agent Map, Ownerless Detection
πŸ” Data Protection Purview Audit trail, Sensitivity Labels, DLP
πŸ›‘οΈ Threat Defense Defender Risk Detection, Prompt Shield, Advanced Hunting

Prerequisites

1. Licenses

| License | Purpose | Minimum |
| --- | --- | --- |
| Microsoft 365 (Business Standard/Premium, E3, or E5) | Base plan | 1 |
| Microsoft 365 Copilot (add-on or bundle) | Enables Frontier access | 1 |
| Agent 365 Frontier Trial (25 licenses) | Assigned per agent instance | Activated in Step 1 below |

A Business Standard + Copilot bundle is sufficient. E-licenses are not required.

2. Azure Subscription

| Requirement | Details |
| --- | --- |
| Subscription type | Pay-As-You-Go or Enterprise Agreement |
| Required role | Owner on the subscription |
| Region | Resources must be in North Central US (only region supporting Hosted Agents) |

Estimated Azure Costs

| Resource | SKU | Estimated Cost |
| --- | --- | --- |
| AI Services (Foundry Account) | S0 | Pay-per-use (GPT-4o: ~$2.50/1M input tokens) |
| Container Registry | Basic | ~$5/month |
| Bot Service | F0 (Free) | $0 |
| Hosted Agent Container | Managed by Foundry | Included in AI Services |
| Total (idle/demo) | | ~$5-10/month + token usage |

For a demo or pilot with light usage, expect under $20/month. The main cost driver is GPT-4o token consumption.

3. Tenant Permissions

| Permission | Who needs it | Why |
| --- | --- | --- |
| Global Administrator (or Copilot Administrator) | Person running the setup | Enable Frontier, approve blueprints, manage licenses |
| Azure Subscription Owner | Person running azd provision | Create Azure resources |
| Teams Administrator (optional) | Same or different person | Configure Teams Developer Portal |

For a pilot, one person with Global Admin + Subscription Owner can do everything.

4. Tools (install once)

winget install Microsoft.AzureCLI          # Azure CLI
winget install Microsoft.Azd               # Azure Developer CLI
winget install Microsoft.DotNet.SDK.9      # .NET 9.0 SDK

Docker Desktop is NOT required. The deployment uses Azure Container Registry remote build.

5. Frontier Program Enrollment

Your tenant must be enrolled in the Frontier preview program. Frontier is available to all Microsoft 365 customers with a Copilot license.


βš™οΈ Step 1: Prepare Your Tenant (~3 min)

1.1 Enable Frontier

  1. Open the M365 Admin Center
  2. Go to Copilot → Settings → User access
  3. Under Copilot Frontier → select All users → Save

1.2 Activate the Agent 365 Trial

Important

This step is easily missed. Without it, you get 0 licenses and agent creation will fail.

  1. In the Admin Center, go to Agents → Overview
  2. Look for the banner: "Do more with the Frontier Program"
  3. Click "Try Now"
  4. Verify: Go to Billing → Licenses → You should see 25 × Microsoft Agent 365 Frontier

1.3 Verify Agent Settings

Admin Center → Agents → Settings:

  • ☑ Allow apps and agents built by your organization
  • User access: All users

🚀 Step 2: Deploy the Agent (~6 min)

2.1 Sign In

# Sign in to Azure CLI (device code flow recommended)
az login --use-device-code --tenant YOUR-TENANT-DOMAIN

# Sign in to Azure Developer CLI
azd auth login --tenant-id YOUR-TENANT-ID

Use --use-device-code if you have multiple browser profiles or accounts.

2.2 Clone the Sample

git clone https://github.com/microsoft-foundry/foundry-samples.git
cd foundry-samples/samples/csharp/FoundryA365

2.3 Clear the MCP Tools Configuration

Caution

This step is critical! The default sample includes MCP tools (OneDrive, Word) that require a KeyVault certificate. Without clearing this, the agent will crash silently when receiving messages.

# Replace the ToolingManifest with an empty configuration:
'{"mcpServers":[]}' | Set-Content src/hello_world_a365_agent/ToolingManifest.json

You can add MCP tools back later once KeyVault is configured.

2.4 Deploy: One Command

azd provision

You'll be prompted for:

| Prompt | What to enter |
| --- | --- |
| Subscription | Select your Azure subscription |
| Environment name | e.g. myagent (becomes the prefix for all resources) |
| Location | northcentralus ⚠️ Required: only supported region |
| Resource group | Select "Create a new resource group" |

Note

That's it. This single command automatically:

  • ✅ Creates the Foundry Project, Container Registry, and Bot Service
  • ✅ Builds the container image remotely (no local Docker needed)
  • ✅ Creates the Agent Blueprint and starts the hosted container
  • ✅ Submits a Digital Worker request to the M365 Admin Center
  • ✅ Configures OAuth2 grants for the Blueprint

Duration: ~6 minutes.

2.5 Note Your Blueprint ID

azd env get-values

Copy the value of AGENT_IDENTITY_BLUEPRINT_ID; you'll need it in the next step.
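
A preflight check for Steps 2.3 to 2.5, added here as an example (it is not part of the original guide or the FoundryA365 sample): it parses `azd env get-values` output, validates the blueprint ID and region, confirms that ToolingManifest.json lists no MCP servers, and builds the Step 3.2 portal URL. The function names, the sample values, and the presence of azd's AZURE_LOCATION variable in the environment are assumptions.

```powershell
# Added example: not part of the original guide or the FoundryA365 sample.
function ConvertFrom-AzdEnv {
    # Parse the KEY="value" lines printed by `azd env get-values` into a hashtable.
    param([string[]]$Lines)
    $values = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$') {
            $values[$Matches[1]] = $Matches[2].Trim().Trim('"')
        }
    }
    $values
}

function Test-AgentPreflight {
    param([hashtable]$AzdEnv, [string]$ManifestJson)
    $problems = @()
    $portalUrl = $null
    # Step 2.5: the blueprint ID must exist and parse as a GUID.
    $blueprintId = [string]$AzdEnv['AGENT_IDENTITY_BLUEPRINT_ID']
    $guid = [guid]::Empty
    if ([guid]::TryParse($blueprintId, [ref]$guid)) {
        # Step 3.2: Teams Developer Portal configuration page for this blueprint.
        $portalUrl = "https://dev.teams.microsoft.com/tools/agent-blueprint/$guid/configuration"
    } else {
        $problems += 'AGENT_IDENTITY_BLUEPRINT_ID is missing or not a GUID.'
    }
    # Step 2.4: northcentralus is the only supported region.
    # Assumption: the environment exposes azd's standard AZURE_LOCATION value.
    if ($AzdEnv['AZURE_LOCATION'] -ne 'northcentralus') {
        $problems += "AZURE_LOCATION is '$($AzdEnv['AZURE_LOCATION'])', expected northcentralus."
    }

    # Step 2.3: mcpServers must be an empty list until KeyVault is configured.
    try {
        $manifest = $ManifestJson | ConvertFrom-Json -ErrorAction Stop
        $servers = $manifest.PSObject.Properties['mcpServers']
        if ($null -eq $servers -or @($servers.Value).Count -gt 0) {
            $problems += 'ToolingManifest.json: mcpServers is missing or not empty.'
        }
    } catch {
        $problems += 'ToolingManifest.json is not valid JSON.'
    }

    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems; PortalUrl = $portalUrl }
}

# Constructed sample input. Real run: ConvertFrom-AzdEnv (azd env get-values) and Get-Content -Raw on the manifest.
$envText = 'AGENT_IDENTITY_BLUEPRINT_ID="00000000-0000-0000-0000-000000000001"', 'AZURE_LOCATION="eastus"'
Test-AgentPreflight (ConvertFrom-AzdEnv $envText) '{"mcpServers":[{"name":"constructed"}]}'
```

The constructed sample fails on purpose, with the wrong region and a non-empty manifest, so both problems appear in the Problems list.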


✅ Step 3: Approve and Configure (~3 min)

3.1 Approve the Agent Blueprint

  1. Open: Admin Center → Agents → Requests
  2. Find your agent (name = your environment name from Step 2.4)
  3. Click "Approve request and activate"
  4. Select template: "Default template for allowing instances"
  5. Publish to: All users → Activate for: All users
  6. Accept the permissions → Click Finish

3.2 Configure Teams Developer Portal

Warning

The agent will NOT receive messages in Teams without this step!

  1. Open: https://dev.teams.microsoft.com/tools/agent-blueprint/YOUR-BLUEPRINT-ID/configuration

    (Replace YOUR-BLUEPRINT-ID with the value from Step 2.5)

  2. Set Agent Type: Bot Based

  3. Set Bot ID: your Blueprint ID (same value!)

  4. Click Save

Tip

If your blueprint doesn't appear in the portal list (it only shows 100), open any blueprint and replace the ID in the browser URL with yours.


🎉 Step 4: Create an Agent Instance and Test (~2 min)

  1. Open Microsoft Teams
  2. Go to Apps → search for your agent (environment name)
  3. Under "Agents for your team" → click your agent
  4. Click "Create agent" → enter a name (e.g. "My AI Assistant") → Create
  5. Wait for the notification (~1-2 minutes)
  6. Open the chat with your agent → type "Hello!"

✅ The agent responds!

Note

The agent will only respond in Microsoft Teams. DirectLine/WebChat testing is not supported for Foundry Hosted Agents.

At this point, your agent:

  • Has its own Entra Agent ID
  • Has an Agent 365 license assigned (1 of 25)
  • Is visible in the Admin Center Agent Registry
  • Has Purview audit logging active
  • Is monitored by Defender for Identity
  • Is reachable via @mention in Teams

🔎 What You Can Show in a Governance Demo

| Governance Area | Where to Show It |
| --- | --- |
| Agent Registry | Admin Center → Agents → All |
| Agent Map (visual overview) | Admin Center → Agents → Frontier tab |
| License Usage | Admin Center → Billing → Licenses |
| Security Assessment | Agent detail page → Security tab |
| Entra Agent Identity | Entra Admin Center → Agent Identities |
| Audit Trail | Purview → Audit |
| Threat Detection | Defender → Identities |

🔧 Troubleshooting

| Issue | Cause | Fix |
| --- | --- | --- |
| "0 of 0 licenses available" when creating instance | "Agent 365 Tools" Service Principal missing in tenant | Run: Install-Module Microsoft.Graph; Connect-MgGraph -Scopes "Application.ReadWrite.All"; New-MgServicePrincipal -AppId "ea9ffc3e-8a23-4a7d-836d-234d7c7565c1" |
| Agent not found in Teams Apps | Blueprint not yet approved or Dev Portal not configured | Complete Steps 3.1 and 3.2, wait 2 minutes |
| Agent doesn't respond in Teams | Container not running or ToolingManifest has MCP tools without KeyVault | Check Foundry Portal; set ToolingManifest to {"mcpServers":[]} before deploy |
| Blueprint not visible in Dev Portal | Portal only shows first 100 blueprints | Manually enter the blueprint URL with your ID |
| azd provision fails with region error | Wrong region selected | Must use northcentralus |
| Frontier not visible in Admin Center | No Copilot license | Purchase at least 1 Microsoft 365 Copilot license |

🧹 Clean Up

To remove all Azure resources when done:

cd foundry-samples/samples/csharp/FoundryA365
azd down

This deletes the resource group and all resources. The Admin Center entries and Entra identity will be cleaned up automatically over time.


Verified end-to-end on April 10, 2026. Agent responded in Teams after a clean azd provision in under 8 minutes, no Docker required.