One of the biggest announcements at the Ignite conference last week was Agent 365. It's at once exciting, necessary, not really here yet, and a very confusing sum of parts that are unfamiliar to everyone but the small group of people who have been working with Microsoft in their early development. So how do I make sense of what is largely a set of stuff in flux, that I can only see in part?
First, it's important to be clear that Agent 365 is only available as part of an early access programme, which I haven't yet been able to join successfully. However, some of the breakout sessions at Ignite added some clarity that was missing from the Keynote, so I wanted to share a current understanding (with the proviso that this is what best endeavours to separate marketing from architecture looks like).
It's not especially clear yet whether there is any unique capability in Agent 365, or if it is just a single pane of glass into Entra, Defender, Purview and more. What is clear is that it is at least mostly comprised of those underlying capabilities. This becomes especially confusing since most of the net new functionality in Agent 365 is from the Previews of Entra Agent ID and the new Defender for Cloud Apps agent security functionality. So let's unpack what we get there, since I can be clearer about that. The best content I've seen on Agent ID so far was this Ignite breakout session: Secure access for AI agents with Microsoft Entra. Here's what we get:
- Agent Inventory: this seems to come from a few sources:
  - Copilot Studio Agents
  - Azure AI Foundry Agents
  - I believe Defender for Cloud Apps will detect SaaS Agents via the Cloud Discovery capability, and you can then sanction/unsanction those apps as you would any other Cloud App. My current understanding is based on another demo I saw last week, but this has not been a part of the new Defender for Cloud Apps agent Public Preview, which has been all about Copilot Studio to date. However, the demo in Agent ID showed an interface that was identical to a Defender for Cloud Apps interface, so that's my provisional conclusion.
  - There is also a Defender for Cloud CSPM capability for Azure AI Foundry that was demo'd in a vague way, but this does not appear to exist yet in anything I can see, and I'm unclear why it's necessary, because both Copilot Studio and Azure AI Foundry agents automatically get an Agent ID from Entra. One session suggested Security Copilot, Teams and LinkedIn will also be automatically given an Agent ID, but I'm less clear on when/where.
  - Although it isn't 100% clear in anything that I saw demo'd, I can only assume that M365 Copilot agents will also be present.
- Agent Registry: assume for the moment that your Agent Inventory will include some stuff that doesn't already have an Agent ID (such as SaaS agents, or other public, third-party agents). The Agent Registry provides a mechanism for seeing which agents in your inventory haven't got an Agent ID yet.
- Agent ID: this is really the heart of all the new capability. Honestly, it's taken some time for me to accept this need. In one sense, an agent is just an app, and we already have OAuth for that, so why do we need Agent ID? In a word, risk. The risks are different. The growth is likely to be exceptional, and we need visibility of all these total impacts. Ultimately, quite a lot of our control is indistinct from OAuth. Two of the three Agent ID scenarios are founded in OAuth delegation - either User on Behalf Of or App-based delegation, but the third scenario is new. You can now grant user-level permissions to an Agent ID, for instance in a SharePoint Document Library or even a single file. OAuth grants are scoped at a much more coarse grain. So whether an Agent functions as a traditional app, on behalf of a user to do things that they can already do, or with complete autonomy, we have the control we need. We gain visibility of these permissions, we know who owns or sponsors the agent, and agents can now be wrapped in Entra ID Governance capabilities like Access Reviews. This means their access can be time-bound in a safer way. This also gives us the foundations we need to detect anomalous behaviour, and to control permission with Conditional Access. We can block risky behaviour from Agent IDs in our normal control plane, and even provide access based on Custom Security Attributes, which can align with Agent ID Blueprints (templates for Agent ID attributes). We will eventually be able to alert on meaningful configuration drift as well.
So as you can see, even though we don't understand everything about Agent 365 yet, Agent ID is in Public Preview, and I'd encourage you to start getting familiar with it now: What is Microsoft agent identity platform - Microsoft Entra Agent ID | Microsoft Learn. It's one of the more important Agent 365 foundations, and there's no barrier to wrapping your head around it now. Microsoft have already begun work with the wider vendor ecosystem to encourage use of Agent ID, which seems to be getting strong engagement. This means Agents in Stores will come with their Agent IDs ready to go. And the Defender for Cloud Apps security capabilities are equally worth your time right now, since citizen developer governance and protections are more important now than ever: Protect your Microsoft Copilot Studio AI agents (Preview) - Microsoft Defender for Cloud Apps | Microsoft Learn.