What's Changing
On May 1, 2026, Microsoft officially moved Agent 365 to General Availability for commercial customers. This is Microsoft's unified control plane for observing, governing, and securing AI agents across enterprise environments — covering local agents, cloud-hosted agents, and SaaS agents under a single administrative surface that integrates with Microsoft Defender, Microsoft Intune, Microsoft Entra, and Windows 365.
Alongside GA, Microsoft announced Public Preview of several capabilities that materially expand the scope of what IT and security teams need to manage: cross-cloud registry sync with AWS Bedrock and Google Cloud, shadow AI discovery for OpenClaw agents on Windows endpoints, and Windows 365 for Agents (US-only). Context mapping and runtime blocking in Microsoft Defender are targeting a June 2026 preview rollout.
The official announcement is available on the Microsoft Security Blog.
Who's Affected & When
Agent 365 GA applies to commercial tenants with a Microsoft 365 Copilot license or equivalent SKU. This is not auto-enabled for all tenants — you need to actively navigate to the Agent 365 node in the Microsoft 365 Admin Center to begin using it. Additional prerequisites stack depending on which features you want:
- Shadow AI discovery (OpenClaw): Requires Intune MDM enrollment, Defender for Endpoint Plan 2 onboarded and reporting, and — critically — Frontier program enrollment. This is not available to all commercial tenants automatically at GA. Enroll via Microsoft 365 Admin Center → Settings → Microsoft 365 Insider.
- Network controls for agent traffic: GA as of May 1, 2026. Requires Microsoft Entra ID P1/P2 for Conditional Access, plus Global Secure Access (GSA) client deployment on endpoints for local agent traffic inspection. If GSA isn't deployed, network controls for local agents will not function.
- AWS Bedrock / Google Cloud registry sync: Public Preview now. No production lifecycle governance actions (start/stop/delete) yet — those are listed as coming soon.
- Windows 365 for Agents: Public Preview, US-only. Global organizations cannot use this feature during the preview period. Requires Windows 365 licensing and Intune enrollment — this is managed through Intune, not Azure Virtual Desktop.
- Defender context mapping + runtime blocking: Public Preview rolling out in June 2026.
- Team workflow agent governance (multi-agent orchestration): Public Preview only. Do not build business-critical workflows depending on Agent 365 governance for this access model until GA promotion.
Ecosystem partner agents — Genspark, Zensai, Egnyte, Zendesk, Kasisto, Kore.ai, and n8n — are GA with no IT integration work required on your side. Enabling them through the Agent 365 → Agent Showcase surfaces them directly in the registry with pre-configured governance metadata.
What This Means for Your Environment
The practical implication of Agent 365 GA is that Microsoft is now treating AI agents as a first-class management object — equivalent to devices, users, and apps. If your organization has been deploying Copilot Studio agents, allowing developer tools like OpenClaw or Claude Code, or consuming SaaS AI agents from third parties, you now have a centralized control plane to govern them. The question is whether your prerequisites are in place to actually use it.
The Intune Enrollment Gap Is Real
Shadow AI discovery is entirely blind to unmanaged devices. If developers are running OpenClaw or similar local agents on BYOD or non-Intune-enrolled machines, Agent 365 will not surface them. This is not a limitation that Agent 365 overcomes — it relies on Defender for Endpoint telemetry and Intune MDM state. Enforce enrollment first, or accept the blind spot.
Delegated Access Agents Inherit User Permissions
Agents operating on behalf of users use OAuth delegated access — meaning an overprivileged user produces an overprivileged agent. This is already a problem in most tenants where OAuth consent grants haven't been audited in years. With agents now acting autonomously on that delegated access, the blast radius of a compromised or misconfigured agent is significantly larger. Go to Microsoft Entra Admin Center → Enterprise Applications and filter for third-party agent application registrations. Look hard at any consent grants with Mail.ReadWrite, Files.ReadWrite.All, or Calendars.ReadWrite scopes.
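As an added example (not part of the announcement and not Microsoft tooling), the following Python triage runs over an export of Microsoft Graph oauth2PermissionGrant records, flags the scopes named above, and separates tenant-wide admin consent from single-user consent; the grant records, service-principal names and helper names are constructed for this example.

```python
"""Triage Entra delegated OAuth2 permission grants for high-risk scopes.

Record shape follows Microsoft Graph's oauth2PermissionGrant resource
(clientId, consentType, principalId, resourceId, scope). All sample data
below is constructed, not exported from a real tenant.
"""
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Calendars.ReadWrite"}

# Constructed sample: service-principal id -> display name, and three grants.
SERVICE_PRINCIPALS = {
    "sp-agent-1": "Sales Assistant Agent (third-party)",
    "sp-agent-2": "Inbox Summarizer Agent (third-party)",
    "sp-internal": "Expense Viewer",
}
GRANTS = [
    {"clientId": "sp-agent-1", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "User.Read Files.ReadWrite.All offline_access"},
    {"clientId": "sp-agent-2", "consentType": "Principal", "principalId": "user-42",
     "resourceId": "graph", "scope": "Mail.ReadWrite Calendars.ReadWrite"},
    {"clientId": "sp-internal", "consentType": "Principal", "principalId": "user-7",
     "resourceId": "graph", "scope": "User.Read"},
]


def risky_grants(grants, sp_names, high_risk=HIGH_RISK_SCOPES):
    """Return one finding per grant that carries a high-risk delegated scope.

    A finding records the app, the risky scopes it holds, and whether consent
    is tenant-wide (AllPrincipals: admin consent, every user's data reachable)
    or limited to one user's consent (Principal).
    """
    findings = []
    for g in grants:
        scopes = set((g.get("scope") or "").split())  # Graph stores scopes space-separated
        hits = sorted(scopes & high_risk)
        if not hits:
            continue
        findings.append({
            "app": sp_names.get(g["clientId"], g["clientId"]),
            "clientId": g["clientId"],
            "scopes": hits,
            "tenant_wide": g.get("consentType") == "AllPrincipals",
            "principalId": g.get("principalId"),
        })
    # Tenant-wide grants first: they carry the largest blast radius.
    findings.sort(key=lambda f: (not f["tenant_wide"], f["app"]))
    return findings


if __name__ == "__main__":
    for f in risky_grants(GRANTS, SERVICE_PRINCIPALS):
        who = "tenant-wide" if f["tenant_wide"] else f"user {f['principalId']}"
        print(f"{f['app']}: {', '.join(f['scopes'])} ({who})")
```

In a live tenant the same function can be fed the output of `GET /oauth2PermissionGrants` and `GET /servicePrincipals` from Microsoft Graph.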
MCP Servers Are Your New Attack Surface
Agent 365 context maps (coming in the June 2026 Defender preview) will surface MCP (Model Context Protocol) server configurations per agent. Each MCP server is a potential lateral movement path — it defines what tools and resources an agent can reach at runtime. Start auditing what MCP servers your developers have configured now, before the Defender visibility lands. Treat each MCP server endpoint the same way you'd treat a firewall rule: does this need to exist, and is it scoped to the minimum required access?
Custom Detections — Interim Approach
Full agent process context in DeviceFileEvents and DeviceNetworkEvents tables in Defender advanced hunting isn't available until the June 2026 context mapping preview. In the meantime, use InitiatingProcessFileName or InitiatingProcessCommandLine to hunt for known agent executables. For example, hunting for OpenClaw activity before the native Agent 365 integration is fully live:
// Advanced Hunting — OpenClaw process activity (interim, pre-June 2026 context mapping)
DeviceNetworkEvents
| where InitiatingProcessFileName has_any ("openclaw", "openclaw.exe")
or InitiatingProcessCommandLine has "openclaw"
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName
| order by Timestamp desc
Action Items
- Verify Frontier program enrollment if you want OpenClaw shadow AI discovery now. Navigate to Microsoft 365 Admin Center → Settings → Microsoft 365 Insider and confirm enrollment status.
- Audit Intune enrollment coverage on all Windows endpoints. Any device not enrolled is invisible to Agent 365 shadow AI discovery. Use Intune → Devices → Monitor → Enrollment Failures to identify gaps.
- Deploy the Global Secure Access client via Intune before enabling agent network controls. Without it, Entra network policies for local agents will not inspect traffic as expected.
- Review OAuth consent grants in Entra Enterprise Applications — filter for agent-related app registrations and audit delegated permission scopes, especially high-risk ones like Mail.ReadWrite and Files.ReadWrite.All.
- Audit MCP server configurations in your developer environments today, ahead of the June 2026 Defender context mapping rollout. Document what each MCP server exposes and whether that exposure is intentional.
- Write a Shadow AI response playbook before you enable blocking policies via Intune. Unexpected blocks on developer tooling without prior communication will generate noise and push shadow AI further underground.
- Do not move multi-agent orchestration workflows to production under Agent 365 governance yet — team workflow agent governance remains in Public Preview only and is not production-ready.
- Check AWS Bedrock / Google Cloud sync latency expectations with your cloud teams. The cross-cloud registry pull is not real-time. Supplement with AWS CloudTrail and Google Cloud Audit Logs until sync frequency is documented by Microsoft.
- For non-US regions, do not plan Windows 365 for Agents deployments during the current Public Preview. Use standard Windows 365 Cloud PCs with Intune configuration policies as the interim governance model.
The Agent 365 GA is not a "turn it on and you're covered" moment. It's a framework that only delivers value when your underlying device management, identity, and endpoint security foundations are solid. Audit those first, then layer Agent 365 on top.