Microsoft Agent 365 — Customer Briefing v2.1 (Apr 2026)
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Microsoft Agent 365 — Customer Briefing v3.0</title>
<style>
*{margin:0;padding:0;box-sizing:border-box}
body{font-family:'Segoe UI Variable','Segoe UI',system-ui,sans-serif;color:#242424;line-height:1.7;background:#fff;-webkit-font-smoothing:antialiased}
:root{--blue:#0f6cbd;--dark:#1b1f3b;--muted:#616161;--border:#e0e0e0;--light:#f7f8fa;--green:#0e7a0d;--red:#c4314b;--orange:#da7600;--purple:#5b5fc7;--radius:8px}
/* Header */
header{background:var(--dark);color:#fff;padding:48px 32px 40px;text-align:center}
header h1{font-size:2.2em;font-weight:800;letter-spacing:-1px;margin-bottom:8px}
header p{opacity:.7;font-size:1em;max-width:560px;margin:0 auto 20px}
header .meta{display:flex;gap:16px;justify-content:center;flex-wrap:wrap;font-size:.82em;opacity:.6}
header .meta span{border:1px solid rgba(255,255,255,.2);border-radius:20px;padding:4px 14px}
/* Nav */
nav{background:#fff;border-bottom:1px solid var(--border);position:sticky;top:0;z-index:100}
nav .w{max-width:960px;margin:0 auto;display:flex;gap:4px;padding:10px 24px;flex-wrap:wrap;justify-content:center}
nav a{text-decoration:none;color:var(--muted);font-size:.8em;font-weight:600;padding:5px 12px;border-radius:6px;transition:.15s}
nav a:hover{background:var(--light);color:var(--blue)}
/* Layout */
.w{max-width:960px;margin:0 auto;padding:0 24px}
section{padding:48px 0}
section:nth-of-type(even){background:var(--light)}
h2{font-size:1.45em;font-weight:800;color:var(--dark);margin-bottom:6px}
h2 small{font-weight:400;font-size:.55em;color:var(--muted);display:block;margin-top:2px}
h3{font-size:1em;font-weight:700;color:var(--dark);margin-bottom:8px}
.intro{color:var(--muted);font-size:.92em;max-width:680px;margin-bottom:24px}
/* Callout boxes */
.box{border-radius:var(--radius);padding:16px 20px;margin:16px 0;font-size:.9em;line-height:1.6}
.box-blue{background:#f0f6ff;border-left:4px solid var(--blue)}
.box-green{background:#f0faf0;border-left:4px solid var(--green)}
.box-orange{background:#fef9f0;border-left:4px solid var(--orange)}
.box-red{background:#fef0f3;border-left:4px solid var(--red)}
.box b{display:inline}
/* Tables */
table{border-collapse:collapse;width:100%;margin:16px 0;font-size:.88em}
thead{background:var(--dark);color:#fff}
th{padding:10px 14px;text-align:left;font-weight:600}
td{padding:10px 14px;border-bottom:1px solid #eee;background:#fff}
tbody tr:nth-child(even) td{background:#fafbfc}
/* Scenario cards */
.scenario{border:1px solid var(--border);border-radius:var(--radius);margin:20px 0;background:#fff;overflow:hidden}
.scenario .sc-head{padding:14px 20px;font-weight:700;font-size:.92em;background:var(--light);border-bottom:1px solid var(--border);display:flex;align-items:center;gap:10px}
.scenario .sc-head .num{background:var(--dark);color:#fff;width:28px;height:28px;border-radius:50%;display:flex;align-items:center;justify-content:center;font-size:.78em;flex-shrink:0}
.scenario .sc-body{padding:20px}
.scenario .sc-body p{margin-bottom:10px;font-size:.9em}
/* Data flow strip */
.flow{display:flex;gap:6px;align-items:center;flex-wrap:wrap;margin:12px 0;font-size:.82em}
.flow .node{background:var(--light);border:1px solid var(--border);border-radius:6px;padding:6px 12px;font-weight:600}
.flow .node.danger{border-color:var(--red);color:var(--red);background:#fef0f3}
.flow .arrow{color:#ccc;font-size:.9em}
/* Gap/Fix grid */
.gf{display:grid;grid-template-columns:1fr 1fr;gap:12px;margin:14px 0}
.gf>div{border-radius:var(--radius);padding:14px 16px;font-size:.86em}
.gf .gap{background:#fef0f3;border:1px solid #f5c6ce}
.gf .gap h4{color:var(--red);font-size:.88em;margin-bottom:6px}
.gf .fix{background:#f0faf0;border:1px solid #c8ecc8}
.gf .fix h4{color:var(--green);font-size:.88em;margin-bottom:6px}
.gf ul{padding-left:16px;margin:0}.gf li{margin:3px 0}
/* Two-col */
.cols{display:grid;grid-template-columns:1fr 1fr;gap:16px;margin:16px 0}
@media(max-width:700px){.cols,.gf{grid-template-columns:1fr}}
/* Steps */
.steps{display:flex;gap:12px;flex-wrap:wrap;margin:16px 0}
.step{background:var(--light);border:1px solid var(--border);border-radius:var(--radius);padding:14px 16px;flex:1;min-width:150px;text-align:center}
.step .num{font-size:1.4em;font-weight:800;color:var(--blue)}
.step p{font-size:.78em;color:var(--dark);margin-top:4px;font-weight:500}
/* Sources */
.sources{columns:2;column-gap:32px;font-size:.8em;margin-top:12px}
.sources a{display:block;color:var(--blue);text-decoration:none;margin:4px 0;break-inside:avoid}
.sources a:hover{text-decoration:underline}
@media(max-width:700px){.sources{columns:1}}
footer{background:var(--dark);color:rgba(255,255,255,.5);text-align:center;padding:20px;font-size:.8em}
footer b{color:rgba(255,255,255,.8)}
/* Deployment diagram */
.deploy{margin:14px 0;padding:14px 16px;background:#f7f8fa;border:1px solid var(--border);border-radius:var(--radius);font-size:.82em}
.deploy .d-title{font-weight:700;font-size:.78em;color:var(--muted);text-transform:uppercase;letter-spacing:.5px;margin-bottom:8px}
.deploy .d-row{display:flex;align-items:center;gap:6px;flex-wrap:wrap;margin:4px 0}
.deploy .d-node{background:#fff;border:1px solid var(--border);border-radius:6px;padding:5px 12px;font-weight:600;font-size:.92em}
.deploy .d-node.d-ext{border-color:var(--orange);color:var(--orange);background:#fef9f0}
.deploy .d-node.d-ms{border-color:var(--blue);color:var(--blue);background:#f0f6ff}
.deploy .d-node.d-sec{border-color:var(--green);color:var(--green);background:#f0faf0}
.deploy .d-node.d-risk{border-color:var(--red);color:var(--red);background:#fef0f3}
.deploy .d-arr{color:#bbb;font-size:.85em;font-weight:700}
</style>
</head>
<body>
<header>
<h1>Microsoft Agent 365</h1>
<p>The Unified Control Plane to Observe, Govern &amp; Secure Every AI Agent at Enterprise Scale</p>
<div class="meta">
<span>GA May 1, 2026</span>
<span>Standalone $15/user/mo</span>
<span>Included in M365 E7</span>
<span>Briefing v3.1</span>
</div>
</header>
<nav><div class="w">
<a href="#what">What Is It?</a>
<a href="#how">How It Works</a>
<a href="#scenarios">5 Scenarios</a>
<a href="#gap">Why Not Just PP?</a>
<a href="#purview">Purview</a>
<a href="#lic">Licensing</a>
<a href="#src">Sources</a>
</div></nav>
<!-- ===== WHAT IS IT ===== -->
<section id="what">
<div class="w">
<h2>What Is Microsoft Agent 365?<small>One sentence: "Entra ID, but for AI agents."</small></h2>
<p class="intro">Just as Entra manages human identities, Agent 365 gives every AI agent — regardless of where it was built — a first-class identity, lifecycle controls, access policies, and observability. Everything is managed in the same M365 Admin Center and security tools your IT team already uses.</p>
<div class="cols">
<div>
<h3>The Problem</h3>
<p style="font-size:.9em">Organizations are deploying agents from Copilot Studio, Azure AI Foundry, third-party vendors, and no-code Agent Builder. Each runs in a different environment with different governance. IT has no unified view of which agents exist, what data they access, or who owns them. Shadow agents proliferate. Orphaned agents keep running after creators leave.</p>
</div>
<div>
<h3>The Solution</h3>
<p style="font-size:.9em">Agent 365 adds a cross-platform control plane on top of your existing security stack. It provides a single Agent Registry, visual Agent Map, Entra Agent IDs with lifecycle governance, Conditional Access for agents, Defender threat detection, Purview DLP/compliance, and governed MCP tool servers — all from the M365 Admin Center.</p>
</div>
</div>
</div>
</section>
<!-- ===== HOW IT WORKS ===== -->
<section id="how">
<div class="w">
<h2>How It Works — 6 Building Blocks</h2>
<table>
<thead><tr><th>Component</th><th>What It Does</th><th>Why It Matters</th></tr></thead>
<tbody>
<tr><td><b>Agent Registry</b></td><td>Complete inventory of every agent — name, publisher, platform, owner, data access, security posture. Discovers shadow agents you didn't know existed.</td><td>You can't secure what you can't see.</td></tr>
<tr><td><b>Agent Map</b></td><td>Interactive visual topology in M365 Admin Center. Clusters by platform (Studio lite/full, Foundry, Toolkit, Others). Supports up to 800 agents.</td><td>See the full picture at a glance — instead of checking 3 admin consoles.</td></tr>
<tr><td><b>Entra Agent ID</b></td><td>Every agent gets a real Entra identity. Two auth flows: Agent Identity (autonomous) and On-Behalf-Of (delegated). Sponsors, lifecycle workflows, automatic permission revocation.</td><td>Agents become governable entities — like users — with owners, access reviews, and decommissioning.</td></tr>
<tr><td><b>Conditional Access</b></td><td>Apply risk-based access policies to agents: device compliance, location, risk level. Block or allow based on context.</td><td>Same Zero Trust framework you use for humans, extended to agents.</td></tr>
<tr><td><b>Defender Integration</b></td><td>Security posture scoring, out-of-the-box threat detections, advanced KQL hunting (InvokeAgent, ExecuteTool, Inference scopes), AI Prompt Shield for runtime defense.</td><td>Detect prompt injection, data exfiltration, and anomalous agent behavior — in real time.</td></tr>
<tr><td><b>Work IQ Tooling Gateway</b></td><td>Pre-certified MCP servers for Mail, Calendar, Teams, SharePoint, OneDrive, Word, User, Copilot, Dataverse/D365. Admin can allow/block servers centrally. Scoped permissions per agent.</td><td>Agents use governed APIs instead of raw Graph access — every tool call is auditable.</td></tr>
</tbody>
</table>
</div>
</section>
<!-- ===== 5 SCENARIOS ===== -->
<section id="scenarios">
<div class="w">
<h2>5 Real-World Scenarios<small>For each: what the agent does, which tenant data it touches, what the risk is, and how Agent 365 helps.</small></h2>
<!-- Scenario 1 -->
<div class="scenario">
<div class="sc-head"><span class="num">1</span> IT Helpdesk Agent — Copilot Studio</div>
<div class="sc-body">
<p><b>What it does:</b> Employees ask the agent to reset passwords, check device compliance, look up IT policies, and create support tickets in ServiceNow. Built by the IT team in Copilot Studio (full), deployed in Teams.</p>
<div class="deploy">
<div class="d-title">Deployment Path — How the agent enters M365</div>
<div class="d-row">
<span class="d-node d-ms">IT Maker builds in Copilot Studio</span>
<span class="d-arr">→</span>
<span class="d-node d-ms">Publishes to Teams &amp; M365 Copilot channel</span>
<span class="d-arr">→</span>
<span class="d-node d-ms">Admin approves in M365 Admin Center</span>
<span class="d-arr">→</span>
<span class="d-node">User chats in Teams</span>
</div>
<div class="d-row" style="margin-top:6px">
<span class="d-node">Runs on: Power Platform infrastructure</span>
<span class="d-arr">|</span>
<span class="d-node">Auth: Entra ID (automatic for Teams)</span>
<span class="d-arr">|</span>
<span class="d-node d-ext">Outbound: ServiceNow connector</span>
</div>
</div>
<p><b>Tenant data accessed:</b></p>
<div class="flow">
<span class="node">Entra ID (user profiles, group memberships)</span><span class="arrow">→</span>
<span class="node">SharePoint (IT policy docs)</span><span class="arrow">→</span>
<span class="node danger">Intune (device compliance status)</span><span class="arrow">→</span>
<span class="node danger">ServiceNow (ticket creation via connector)</span>
</div>
<p><b>Why this is sensitive:</b> The agent can see device compliance status and trigger password resets — actions that, if exploited via prompt injection, could lock out users or expose compliance data. The ServiceNow connector creates an outbound data path that Power Platform DLP doesn't fully trace.</p>
<div class="gf">
<div class="gap"><h4>❌ Gap Without Agent 365</h4><ul>
<li>No Conditional Access — agent works from any device/location</li>
<li>No prompt injection detection (PP DLP checks data types, not attack patterns)</li>
<li>Creator leaves → agent keeps running with full permissions</li>
<li>Invisible to M365 admin if focus is on PP Admin only</li>
</ul></div>
<div class="fix"><h4>✅ With Agent 365</h4><ul>
<li>Entra Agent ID + CA: "only allow resets from compliant devices"</li>
<li>Defender detects prompt injection attempts in real time</li>
<li>Sponsor lifecycle: agent flagged as ownerless when creator leaves</li>
<li>Unified registry alongside Foundry and third-party agents</li>
</ul></div>
</div>
</div>
</div>
<!-- Scenario 2 -->
<div class="scenario">
<div class="sc-head"><span class="num">2</span> Sales Development Agent — Agent 365 Template</div>
<div class="sc-body">
<p><b>What it does:</b> Qualifies leads, drafts outreach emails, schedules meetings, and updates Dynamics 365 pipeline. Deployed via a pre-built template in the Agent Store, runs in Teams &amp; Copilot Chat.</p>
<div class="deploy">
<div class="d-title">Deployment Path — How the agent enters M365</div>
<div class="d-row">
<span class="d-node d-ms">Microsoft-built template in Agent Store</span>
<span class="d-arr">→</span>
<span class="d-node d-ms">Sales rep requests activation</span>
<span class="d-arr">→</span>
<span class="d-node d-ms">Admin approves in M365 Admin Center</span>
<span class="d-arr">→</span>
<span class="d-node">Agent gets Entra Agent ID</span>
</div>
<div class="d-row" style="margin-top:6px">
<span class="d-node">Runs on: Microsoft infrastructure</span>
<span class="d-arr">|</span>
<span class="d-node">Surfaces in: Teams &amp; Copilot Chat</span>
<span class="d-arr">|</span>
<span class="d-node">Tools: Work IQ Mail, Calendar, Dataverse MCP</span>
</div>
</div>
<p><b>Tenant data accessed:</b></p>
<div class="flow">
<span class="node danger">Outlook Mail (reads &amp; sends emails on behalf of rep)</span><span class="arrow">→</span>
<span class="node">Calendar (schedules meetings)</span><span class="arrow">→</span>
<span class="node danger">Dynamics 365 / Dataverse (reads &amp; writes CRM records)</span><span class="arrow">→</span>
<span class="node">Teams (posts in channels)</span>
</div>
<p><b>Why this is sensitive:</b> The agent sends emails on behalf of a person and writes to CRM. A compromised or misconfigured agent could send bulk phishing emails from a legitimate mailbox, or corrupt pipeline data. Without identity, there's no audit trail separating "the human sent this" from "the agent sent this."</p>
<div class="gf">
<div class="gap"><h4>❌ Gap Without Agent 365</h4><ul>
<li>No distinct identity — agent actions look like user actions in audit logs</li>
<li>No rate limiting on agent email sends</li>
<li>If rep leaves, agent keeps sending emails from their mailbox</li>
<li>CRM writes not traceable to agent vs. human</li>
</ul></div>
<div class="fix"><h4>✅ With Agent 365</h4><ul>
<li>Entra Agent ID: separate, auditable identity with sponsor</li>
<li>Defender flags suspicious bulk sending patterns</li>
<li>Lifecycle governance: agent auto-disabled when sponsor departs</li>
<li>Tooling Gateway: scoped MCP access to Mail + Calendar + Dataverse only</li>
</ul></div>
</div>
</div>
</div>
<!-- Scenario 3 -->
<div class="scenario">
<div class="sc-head"><span class="num">3</span> ServiceNow ITSM Agent — Third-Party</div>
<div class="sc-body">
<p><b>What it does:</b> ServiceNow deploys an AI agent that auto-resolves tickets by reading Teams messages, looking up employees in Entra, and attaching documents from SharePoint. It runs on ServiceNow's cloud and accesses your tenant via Graph APIs.</p>
<div class="deploy">
<div class="d-title">Deployment Path — How the agent enters M365</div>
<div class="d-row">
<span class="d-node d-ext">ServiceNow builds agent on their cloud</span>
<span class="d-arr">→</span>
<span class="d-node d-risk">Entra App Registration (Graph API permissions)</span>
<span class="d-arr">→</span>
<span class="d-node d-risk">Admin grants consent (broad permissions)</span>
<span class="d-arr">→</span>
<span class="d-node d-risk">Agent calls Graph API from external cloud</span>
</div>
<div class="d-row" style="margin-top:6px">
<span class="d-node d-ext">Runs on: ServiceNow cloud (not your infra)</span>
<span class="d-arr">|</span>
<span class="d-node d-risk">Access: Graph API — Mail.Read, User.Read, Sites.Read, Chat.Read</span>
<span class="d-arr">|</span>
<span class="d-node d-risk">Not visible in PP Admin or M365 Agent inventory</span>
</div>
</div>
<p><b>Tenant data accessed:</b></p>
<div class="flow">
<span class="node danger">Teams messages (reads conversation history)</span><span class="arrow">→</span>
<span class="node danger">Entra ID (employee profiles, managers)</span><span class="arrow">→</span>
<span class="node danger">SharePoint (IT docs, SOP documents)</span><span class="arrow">→</span>
<span class="node danger">Outlook (sends resolution notifications)</span>
</div>
<p><b>Why this is sensitive:</b> This agent runs entirely outside your infrastructure, on ServiceNow's cloud — but reads Teams conversations, employee data, and SharePoint documents. If ServiceNow is breached, the attacker inherits all permissions this agent has in your tenant. Today, your M365 admin sees this only as a "connected app" — not as an autonomous AI agent with broad data access.</p>
<div class="box box-red"><b>This is the strongest argument for Agent 365:</b> No existing M365 or Power Platform governance tool sees this agent. It's a complete blind spot.</div>
<div class="gf">
<div class="gap"><h4>❌ Gap Without Agent 365</h4><ul>
<li>Invisible to M365 Admin Center and PP Admin</li>
<li>No Entra Agent ID — just an app registration with broad Graph permissions</li>
<li>No way to limit "read Teams but not SharePoint"</li>
<li>If ServiceNow is breached: full data exfiltration path</li>
<li>No Defender monitoring of agent behavior</li>
</ul></div>
<div class="fix"><h4>✅ With Agent 365</h4><ul>
<li>Shadow discovery: appears in Registry under "Others"</li>
<li>Entra Agent ID with sponsor and lifecycle governance</li>
<li>MCP Tooling Gateway: grant Teams + Mail only, block SharePoint</li>
<li>Defender threat detection for data exfiltration patterns</li>
<li>Purview DLP on agent interactions: block PII leaving tenant</li>
</ul></div>
</div>
</div>
</div>
<!-- Scenario 4 -->
<div class="scenario">
<div class="sc-head"><span class="num">4</span> Custom Finance Agent — Microsoft Foundry (Azure)</div>
<div class="sc-body">
<p><b>What it does:</b> A .NET/Semantic Kernel agent that reconciles invoices by reading Outlook attachments, cross-referencing with Dynamics 365 records, and generating exception reports in SharePoint. Built by the dev team, hosted in your Azure subscription.</p>
<div class="deploy">
<div class="d-title">Deployment Path — How the agent enters M365</div>
<div class="d-row">
<span class="d-node d-ms">Dev team builds with Semantic Kernel / Agent 365 SDK</span>
<span class="d-arr">→</span>
<span class="d-node">Deploys to Azure (App Service / Container App)</span>
<span class="d-arr">→</span>
<span class="d-node d-risk">Calls Graph API for Mail, D365, SharePoint</span>
</div>
<div class="d-row" style="margin-top:6px">
<span class="d-node">Runs on: Your Azure subscription</span>
<span class="d-arr">|</span>
<span class="d-node d-risk">Without Agent 365: raw Graph API, no M365 visibility</span>
</div>
<div class="d-row" style="margin-top:6px">
<span class="d-node d-sec">With Agent 365 SDK: registers via CLI → Entra Agent ID → MCP Tooling → Defender traces</span>
</div>
</div>
<p><b>Tenant data accessed:</b></p>
<div class="flow">
<span class="node danger">Outlook Mail (reads invoice attachments with financial data)</span><span class="arrow">→</span>
<span class="node danger">Dynamics 365 (reads &amp; writes financial records)</span><span class="arrow">→</span>
<span class="node danger">SharePoint (writes exception reports with PII/financial data)</span>
</div>
<p><b>Why this is sensitive:</b> This agent processes financial documents with PII (names, bank details, invoice amounts) — data classified as confidential. It runs in Azure, completely invisible to the M365 admin. PP admin can't see it either. But it reads emails, writes to D365, and creates documents in SharePoint. A prompt injection in an invoice PDF could exfiltrate financial data or corrupt D365 records.</p>
<div class="box box-red"><b>The biggest blind spot:</b> Runs in Azure. Accesses M365 data. No existing M365 tool governs this. Agent 365 is non-negotiable here.</div>
<div class="gf">
<div class="gap"><h4>❌ Gap Without Agent 365</h4><ul>
<li>M365 admin can't see it exists</li>
<li>No audit trail in M365 — logs only in Azure</li>
<li>Uses raw Graph API — no scoped tool control</li>
<li>No runtime defense against prompt injection in documents</li>
<li>Sensitivity labels on SharePoint files not enforced during agent access</li>
</ul></div>
<div class="fix"><h4>✅ With Agent 365</h4><ul>
<li>Appears in Registry under "Foundry" — visible to M365 admin</li>
<li>Tooling Gateway: governed MCP servers replace raw Graph APIs</li>
<li>Observability SDK: OpenTelemetry traces to Defender</li>
<li>AI Prompt Shield: blocks prompt injection in real time</li>
<li>Purview DLP: blocks processing of sensitive financial data types</li>
</ul></div>
</div>
</div>
</div>
<!-- Scenario 5 -->
<div class="scenario">
<div class="sc-head"><span class="num">5</span> Marketing Content Agent — Agent Builder (No-Code)</div>
<div class="sc-body">
<p><b>What it does:</b> A marketing manager creates a no-code agent in Agent Builder that answers questions about brand guidelines, campaign calendars, and competitor analysis. Knowledge sources: 15 SharePoint files with product roadmaps and pricing strategies. Shared with the entire marketing team via link.</p>
<div class="deploy">
<div class="d-title">Deployment Path — How the agent enters M365</div>
<div class="d-row">
<span class="d-node d-ext">Marketing Manager (no IT involved)</span>
<span class="d-arr">→</span>
<span class="d-node d-ms">Creates agent in Agent Builder (m365copilot.com)</span>
<span class="d-arr">→</span>
<span class="d-node d-risk">Adds 15 SharePoint files as knowledge</span>
<span class="d-arr">→</span>
<span class="d-node d-risk">Shares link with team</span>
</div>
<div class="d-row" style="margin-top:6px">
<span class="d-node">Runs on: M365 infrastructure (NOT Power Platform)</span>
<span class="d-arr">|</span>
<span class="d-node d-risk">Files stored in SP Embedded container</span>
<span class="d-arr">|</span>
<span class="d-node d-risk">No admin approval required for creation</span>
</div>
</div>
<p><b>Tenant data accessed:</b></p>
<div class="flow">
<span class="node danger">SharePoint (product roadmaps — confidential)</span><span class="arrow">→</span>
<span class="node danger">SharePoint (pricing strategies — highly confidential)</span><span class="arrow">→</span>
<span class="node">Uploaded files (brand guidelines)</span>
</div>
<p><b>Why this is sensitive:</b> The agent has access to confidential product roadmaps and pricing data. Anyone with the shared link can query this data — potentially including employees who shouldn't see pricing details. The agent was built without IT involvement. Files are stored in SharePoint Embedded containers. If the creator leaves, nobody knows it exists or what data it exposes.</p>
<div class="box box-orange"><b>The "agent sprawl" problem:</b> Agent Builder agents are NOT Power Platform agents. They don't show in PP Admin Center. They don't use Dataverse. With 200+ such agents across the org, this becomes a governance risk.</div>
<div class="gf">
<div class="gap"><h4>❌ Gap Without Agent 365</h4><ul>
<li>Invisible in PP Admin — it's an M365-native agent</li>
<li>No inventory of how many Agent Builder agents exist</li>
<li>Sensitivity labels on source files may not be enforced</li>
<li>Creator leaves → agent keeps serving confidential data</li>
<li>No access review or lifecycle policy</li>
</ul></div>
<div class="fix"><h4>✅ With Agent 365</h4><ul>
<li>Agent Map: visualize all lightweight agents at scale</li>
<li>Ownerless detection: creator leaves → agent flagged</li>
<li>Registry: full inventory with data sources listed</li>
<li>Purview sensitivity labels enforced on embedded content</li>
<li>DLP policies block sharing of confidential pricing data</li>
</ul></div>
</div>
</div>
</div>
</div>
</section>
<!-- ===== WHY NOT JUST PP ===== -->
<section id="gap">
<div class="w">
<h2>"But I Already Have Power Platform Governance!"</h2>
<p class="intro">If all your agents are in Copilot Studio and you never plan to use Foundry, third-party, or ISV agents — Power Platform governance covers a lot. But the moment you have agents from multiple platforms, you hit the ceiling. Agent 365 is not a replacement — it's the cross-platform layer on top.</p>
<table>
<thead><tr><th>Agent Source</th><th>Runs Where?</th><th>Governed Today By?</th><th>Gap Without Agent 365</th></tr></thead>
<tbody>
<tr><td><b>Agent Builder</b> (Studio Lite)</td><td>M365 infrastructure</td><td>M365 Admin (CCS)</td><td>No Entra Agent ID, no CA, no Defender</td></tr>
<tr><td><b>Copilot Studio</b> (Full)</td><td>Power Platform</td><td>PP Admin + M365 Admin + Purview</td><td>No agent identity, no cross-platform view</td></tr>
<tr><td><b>Microsoft Foundry</b></td><td>Azure (your subscription)</td><td>Azure Portal only</td><td style="color:var(--red);font-weight:700">Complete blind spot for M365</td></tr>
<tr><td><b>Third-Party / ISV</b></td><td>Vendor infrastructure</td><td>Vendor portal only</td><td style="color:var(--red);font-weight:700">Biggest blind spot — shadow agents</td></tr>
<tr><td><b>Microsoft 1st-Party</b></td><td>Microsoft infrastructure</td><td>Entra Admin (basic)</td><td>No lifecycle governance</td></tr>
</tbody>
</table>
<div class="box box-blue"><b>Tipping points:</b> (A) One Foundry agent → M365 admin can't see it. (B) One third-party ITSM agent → completely invisible. (C) 50+ agents across platforms → no unified registry = security risk. (D) Even Copilot Studio–only: you still miss Agent ID, Conditional Access, and Defender threat detection.</div>
</div>
</section>
<!-- ===== PURVIEW ===== -->
<section id="purview">
<div class="w">
<h2>Purview &amp; Compliance</h2>
<p class="intro">When you create an agent instance in Agent 365, it's automatically enabled for audit, sensitive data detection, and AI compliance assessments — zero configuration required.</p>
<table>
<thead><tr><th>Purview Capability</th><th>What It Does for Agents</th></tr></thead>
<tbody>
<tr><td><b>DSPM for AI</b></td><td>AI observability page — lists agent instances, surfaces sensitive data risks, remediation recommendations</td></tr>
<tr><td><b>Auditing</b></td><td>All interactions: agent↔human, agent↔tools, agent↔agent — searchable in Purview portal</td></tr>
<tr><td><b>Sensitivity Labels</b></td><td>Labels on agent interactions — file labels captured in audit trail. Agent must have EXTRACT rights.</td></tr>
<tr><td><b>DLP</b></td><td>Block PII, credit cards, custom types in agent prompts. Agent instances can be added to DLP policies like users.</td></tr>
<tr><td><b>Insider Risk</b></td><td>Risky AI usage template — detects prompt injection, exfiltration, unusual patterns</td></tr>
<tr><td><b>Communication Compliance</b></td><td>Detects inappropriate content in agent interactions (Teams &amp; email)</td></tr>
<tr><td><b>eDiscovery</b></td><td>Search, hold, export agent interaction data for legal matters</td></tr>
<tr><td><b>Retention</b></td><td>Retention policies apply to agent interaction data</td></tr>
<tr><td><b>Compliance Manager</b></td><td>AI regulation assessments automatically include agent instances</td></tr>
</tbody>
</table>
</div>
</section>
<!-- ===== LICENSING ===== -->
<section id="lic">
<div class="w">
<h2>Licensing &amp; Getting Started</h2>
<table>
<thead><tr><th>Option</th><th>Includes</th><th>Price</th><th>Availability</th></tr></thead>
<tbody>
<tr><td><b>Microsoft 365 E7</b></td><td>M365 E5 + Entra Suite + Copilot + Agent 365</td><td><b>$99</b>/user/mo</td><td>GA May 1, 2026</td></tr>
<tr><td><b>Agent 365 Standalone</b></td><td>Control plane + Entra Agent ID + security</td><td><b>$15</b>/user/mo</td><td>GA May 1, 2026</td></tr>
<tr><td><b>Frontier Preview</b></td><td>25 licenses with any M365 Copilot license</td><td>Included</td><td>Now</td></tr>
</tbody>
</table>
<div class="box box-green"><b>Licensing model:</b> Per user — all agents acting on behalf of a licensed user are covered. Agents do NOT need their own license. One license covers all a user's agents.</div>
<div class="cols">
<div>
<h3>CSP Promos (May–Dec 2026)</h3>
<ul style="font-size:.88em;padding-left:18px">
<li><b>10% off</b> E7 annual (10–9,999 seats)</li>
<li><b>15% off</b> E7 annual (100–9,999 seats)</li>
<li><b>15% off</b> E7 triennial (300–9,999 seats)</li>
</ul>
</div>
<div>
<h3>How to Get Started</h3>
<div class="steps">
<div class="step"><div class="num">1</div><p>Have ≥1 M365 Copilot license</p></div>
<div class="step"><div class="num">2</div><p>Admin Center → Copilot → Settings → Frontier</p></div>
<div class="step"><div class="num">3</div><p>Navigate to Agents → Accept Terms</p></div>
<div class="step"><div class="num">4</div><p>Explore Overview, Map, Registry</p></div>
</div>
</div>
</div>
</div>
</section>
<!-- ===== SOURCES ===== -->
<section id="src">
<div class="w">
<h2>Sources &amp; Further Reading</h2>
<div class="sources">
<a href="https://learn.microsoft.com/microsoft-agent-365/overview">1. Overview of Microsoft Agent 365</a>
<a href="https://learn.microsoft.com/security/security-for-ai/agent-365-security">2. Secure AI Agents at Scale — Microsoft Security</a>
<a href="https://learn.microsoft.com/microsoft-365/admin/manage/agent-365-overview">3. Agent 365 Overview — M365 Admin Center</a>
<a href="https://learn.microsoft.com/microsoft-365/admin/manage/agent-registry">4. Agent Registry — M365 Admin Center</a>
<a href="https://learn.microsoft.com/microsoft-365/admin/manage/agent-map">5. Agent Map — M365 Admin Center</a>
<a href="https://learn.microsoft.com/entra/agent-id/identity-platform/what-is-agent-id-platform">6. Microsoft Entra Agent ID Platform</a>
<a href="https://learn.microsoft.com/entra/agent-id/identity-platform/what-are-agent-identities">7. What Are Agent Identities — Entra</a>
<a href="https://learn.microsoft.com/entra/id-governance/agent-id-governance-overview">8. Governing Agent Identities</a>
<a href="https://learn.microsoft.com/microsoft-agent-365/tooling-servers-overview">9. Work IQ MCP Overview</a>
<a href="https://learn.microsoft.com/microsoft-agent-365/admin/monitor-agents">10. Observability — Agent 365</a>
<a href="https://learn.microsoft.com/microsoft-agent-365/admin/threat-protection">11. Threat Protection — Defender</a>
<a href="https://learn.microsoft.com/microsoft-agent-365/admin/data-security">12. Data Security — Agent 365</a>
<a href="https://learn.microsoft.com/purview/ai-agent-365">13. Purview for Agent 365</a>
<a href="https://learn.microsoft.com/microsoft-agent-365/developer/agent-365-sdk">14. Agent 365 SDK Overview</a>
<a href="https://learn.microsoft.com/microsoft-agent-365/developer/identity">15. Agent 365 Identity &amp; Auth Flows</a>
<a href="https://learn.microsoft.com/microsoft-agent-365/onboard">16. Discover, Create, Onboard an Agent</a>
<a href="https://www.microsoft.com/security/blog/2026/03/09/secure-agentic-ai-for-your-frontier-transformation/">17. Security Blog — Frontier (Mar 9, 2026)</a>
<a href="https://www.microsoft.com/security/blog/2026/03/20/secure-agentic-ai-end-to-end/">18. Security Blog — RSAC (Mar 20, 2026)</a>
<a href="https://learn.microsoft.com/partner-center/announcements/2026-march">19. Partner Center — E7 Announcement</a>
<a href="https://learn.microsoft.com/partner-center/announcements/2026-april">20. Partner Center — CSP SKUs</a>
</div>
</div>
</section>
<footer><b>Microsoft Agent 365</b> — Customer Briefing · v3.1 · All facts from official Microsoft Learn documentation · April 7, 2026</footer>
</body>
</html>