Microsoft Agent 365 - Getting Ahead of Agent Sprawl Before It Gets Ahead of You
Here's a question I've started asking in discovery workshops with Australian executives: "How many AI agents are running in your organisation right now?" Nobody knows. Not roughly, not within an order of magnitude. Someone in finance built one in Copilot Studio. A developer wired up a LangChain agent that reads a shared mailbox. Marketing is trialling something a vendor sold them that has delegated access to SharePoint. Each one made sense on its own. Collectively, nobody is watching them.
If that sounds familiar, it's because we've all lived this movie before. It's SaaS sprawl from 2015, except the software doesn't just sit there waiting for a user to log in - it acts. It sends emails, updates records, and makes decisions at two in the morning while your security team sleeps. That's the problem Microsoft Agent 365 exists to solve, and the extensibility documentation is worth reading whether you build agents or just have to answer for them.
What Agent 365 actually is
The shortest accurate description: Agent 365 is a control plane for AI agents, the same way Microsoft 365 admin tooling is a control plane for users and devices. Microsoft's bet is that agents are becoming a new class of worker in your organisation, and a new class of worker needs the boring things every worker needs - an identity, an access policy, a manager who can see what they're doing, and a way to be offboarded when they're no longer wanted.
The capabilities cluster around a few ideas.
A registry. One inventory of the agents operating in your tenant - the sanctioned ones you built deliberately and, importantly, the unsanctioned ones people spun up without telling anyone. If you've ever run a cloud app discovery exercise and watched the CISO's face when the number came back, you know why this matters. The shadow agent problem is going to be worse than shadow SaaS, because agents are cheaper to create and they hold delegated permissions.
Identity and access control. Agents get proper identities through Entra, which means the access machinery you already run for humans - conditional access, least privilege, lifecycle management - extends to agents. This is the piece I care about most. An agent with a real identity can be scoped, audited, and revoked. An agent running on a shared service account with a password in a config file is a breach report waiting for a timestamp.
Visibility. Dashboards showing what agents exist, what they're doing, and what they're touching. Mundane sounding, genuinely hard to retrofit later.
Interoperability. Registered agents can plug into the Microsoft 365 fabric of work - email, calendars, documents, the context of how your organisation actually operates. An agent that can see the same work context a human colleague sees is dramatically more useful than one operating blind through a narrow API.
Security and compliance. Defender and Purview extend their coverage to agents, so data loss prevention and threat protection apply to agent behaviour, not just human behaviour.
The part that surprised me, in a good way: this isn't just for agents built on Microsoft's own stack. The design intent is that agents built with third-party and open-source frameworks can register and be governed alongside Copilot Studio and Azure AI Foundry agents. Given how many of the agents we build for clients sit on open frameworks, a governance layer that only covered Microsoft-built agents would have been close to useless. Microsoft seems to have understood that.
Why this matters more in Australia than the marketing suggests
Australian organisations have a specific flavour of this problem. Our regulators have been unusually direct about AI accountability - APRA-regulated entities already field questions about automated decision-making, and the privacy reforms have boards asking pointed questions about where data flows. When an agent with access to customer records does something unexpected, "we didn't know it existed" is not an answer any director wants to give.
At the same time, agent adoption here is fast and bottom-up. The organisations we work with through our Microsoft AI consulting practice almost never have a top-down agent program. They have enthusiastic pockets. A team in operations automated invoice triage. Someone in HR built a leave-policy answer bot. Some of these are genuinely excellent. None of them appear on any register, and most run with more access than they need because scoping permissions properly was harder than clicking "allow."
So the honest pitch for Agent 365 isn't "unlock the future of work." It's "get a list of what's running, give each item an identity, and apply the controls you already trust." Unglamorous. Necessary.
What we've seen work
We've been building and governing agents for Australian clients for a while now, and a few patterns hold up regardless of tooling.
Treat agents like employees in your processes, not like software in your CMDB. The organisations coping best have an onboarding path for agents - who owns it, what it can access, what its blast radius is if it misbehaves, and a named human accountable for its output. Agent 365 gives you the technical substrate for this, but the process is yours to design. Tooling without process just gives you a well-organised inventory of chaos.
Start the registry before you think you need it. If you have five agents, registering them takes an afternoon. If you wait until you have eighty, you have an archaeology project. We've done the archaeology version with clients on the enterprise agent side, and it's slower and more political than anyone expects, because discovering an agent also means discovering who built it without asking.
Least privilege actually matters here. Human users mostly don't exploit excess permissions because they don't know they have them. Agents will happily use every permission they hold, because a language model given a tool will eventually call it. Scoping agent access tightly isn't paranoia, it's just understanding the failure mode.
What's still rough
I'll be straight about the current state, because the announcements read better than the lived experience.
This is early. Access has been rolling out gradually, and capability depth varies a lot depending on where an agent was built. The experience for a Copilot Studio agent is well ahead of what you get registering something built on an open framework, where you'll do more work to get equivalent telemetry. The direction is right; the ground being covered is uneven.
Licensing and pricing questions come up in every conversation we have about it, and the answers keep evolving. Budget-holders hate that, fairly. My advice has been to treat the governance capability as the thing you're evaluating and assume the commercial model will settle, because the alternative - building your own agent registry and identity plumbing - is far more expensive than any plausible licence fee.
And there's a deeper wrinkle: a control plane can only govern what registers with it. The genuinely rogue agent, running on a laptop with a personal API key, doesn't show up. Agent 365 shrinks the shadow dramatically because most shadow agents are built by well-meaning staff using tenant resources, and those are discoverable. But it's a mitigation, not a forcefield, and anyone who tells you their agent estate is fully mapped is guessing.
Where to start
If your organisation is anywhere on the agent adoption curve - and if people have Copilot licences, you're on the curve whether you've decided to be or not - the sequencing we recommend is simple. Inventory first, even manually. Identity second, so every agent runs as something revocable. Policy third, once you can see what you're governing. The tooling supports all three, but doing them in the wrong order wastes months.
Most organisations we talk to are somewhere between "we have no idea what's running" and "we know, but it's held together with goodwill." Both are fixable, and both are much cheaper to fix now than after an incident. If you want help working out where you stand and what an agent governance program looks like for your organisation, our AI strategy team does exactly this, and the first conversation is just a conversation.
Agents are the most useful thing to happen to enterprise software in a decade. They're also the fastest-multiplying thing in your tenant. Agent 365 is Microsoft acknowledging both halves of that sentence, and on balance, it's the acknowledgement I've been waiting for them to make.