Uncategorized – James Westall

Microsoft Agent 365: The Control Plane Your AI Agents Have Been Missing

Every organisation I’ve spoken to over the last few months has hit the same wall. They’ve built agents on Foundry, spun up a few in Copilot Studio, maybe even got a custom Python agent running somewhere on a VM that nobody quite remembers deploying. And now the questions are rolling in: how many agents do we actually have? What data can they access? Who’s responsible for them? Is anyone monitoring what they’re doing?

The agent sprawl is real, and Microsoft Agent 365 is Microsoft’s answer. Going GA on May 1 at $15 per user per month, it’s a unified control plane that treats AI agents like digital users, with the same governance, compliance, and security tooling you already use for your human workforce. Let’s dive in!

In English Please?

Agent 365 sits above your agent platforms. It doesn’t build or host agents. That’s what Foundry, Copilot Studio, and your own code are for. Instead, it provides a single pane of glass for discovering, governing, securing, and monitoring every agent in your tenant, regardless of where it was built or where it runs.

Think of it as the equivalent of what Entra ID does for human identities, but for AI agents. Every agent gets registered, policies are applied, compliance is enforced, and IT has full visibility. Whether you have 5 agents or 500, Agent 365 ensures they all follow the same rules.

The platform is organised around five pillars:

Registry: a centralised inventory of every agent in your tenant
Access Control: identity, conditional access, and lifecycle management via Entra Agent ID
Visualization: dashboards, agent maps, and usage analytics
Interoperability: governed access to M365 workloads via MCP servers
Security: threat protection via Defender, data security via Purview

If you’ve read my previous post on Entra Agent ID, Agent 365 is the governance layer that sits on top of it. Entra gives agents their identity; Agent 365 tells them what they’re allowed to do and watches what they actually do.

The Registry: Finding Your Shadow Agents

First cab off the rank, the Agent Registry. This is accessible from the Microsoft 365 Admin Center under Agents > All Agents, and it’s genuinely eye-opening.

The registry surfaces every agent in your tenant: Microsoft-built, partner-built, organisation-built, and critically, agents that nobody seems to own. For each agent you get:

Status and availability
Usage metrics (sessions, active users)
Exception rates
Last updated date
A Risks column that aggregates high-severity alerts from Entra, Purview, and Defender

That last column is gold. At a glance, you can see which agents are generating security alerts and need immediate attention.

There are a few admin capabilities I want to highlight:

Ownerless agent detection identifies agents whose creator has left the organisation. I’ve heard this from multiple customers. Agents still running months after their creator moved on, with nobody sure what they do or what data they access. Agent 365 flags these automatically and lets you reassign ownership or retire them.

Rules-based lifecycle policies let you automatically expire agents unused for 90 days, flag ownerless agents, or block agents marked as risky. Set it and forget it.

Export to Excel is simple, but critical for audit and compliance reporting. When your auditor asks “show me every AI agent in your environment,” you can hand them a spreadsheet in about three clicks.

The registry is also accessible programmatically via the Microsoft Graph API (currently in preview), using GET packages and GET package details endpoints. If you want to build your own dashboards or integrate agent inventory into your CMDB, that’s your path.

A word of caution though. As Jared Matfess from AvePoint noted after hands-on testing, the registry currently only surfaces published agents. In his tenant, Agent 365 showed 2 agents while the Power Platform admin center listed 47 in development. That’s a significant visibility gap for governance purposes. Third-party agent discovery is also manual; there’s no auto-discovery for agents running outside the Microsoft ecosystem. The vision is a complete inventory; the reality today is a partial one. Worth keeping in mind as you evaluate.

Governance with Purview: DLP, Retention, and the Risky Agents Template

This is where Agent 365 gets seriously interesting for compliance teams. It integrates directly with Microsoft Purview, and the coverage is comprehensive:

Purview Capability	Supported
Data Loss Prevention (DLP)	Yes
Sensitivity Labels	Yes
Insider Risk Management	Yes
Communication Compliance	Yes
eDiscovery	Yes
Data Lifecycle Management (retention)	Yes
DSPM for AI (preview)	Yes
Compliance Manager	Yes
Auditing	Yes

A few things that stand out:

DLP for agents: You can include agent instances in DLP policies just like users. Blocks and audits apply to agent-to-human and human-to-agent interactions across Teams, OneDrive/SharePoint, and email. If an agent tries to share a document marked “Highly Confidential” with an external user, DLP catches it. Same rules you already have for your human users, now applied to your AI agents.

The “Risky Agents” template: Insider Risk Management now has a dedicated policy template for AI agents. It detects agents exposed to risky prompts, agents generating sensitive responses, accessing priority SharePoint files, accessing risky websites, sharing files outside the organisation, and anomalous activity patterns. In my opinion, this is one of the most practical features in the entire platform. It takes the insider risk framework you already know and extends it to agents.

eDiscovery for agent interactions: Agent instances are searchable as mailbox sources. If legal needs to produce agent conversations for a matter, it works the same way as eDiscovering a user’s mailbox. This sounds boring until your legal team asks for it and you’re glad it exists.

Retention policies: Automatic retain-or-delete policies for agent interactions. Set your retention period, and Agent 365 handles it. Critical for organisations operating under regulatory retention requirements.

Threat Protection: Defender Integration

On the security side, Agent 365 integrates with Microsoft Defender for centralised threat detection and response. This goes beyond what we covered in the Content Safety post. This is runtime monitoring at the platform level.

What you get:

Out-of-the-box threat detections: alerts on risky agent activities surfaced in Defender XDR
Advanced hunting via KQL on the CloudAppEvents table, so your SOC team can query agent activity alongside all your other security signals
Security posture management: understand agent attack paths and remediate misconfigurations
Runtime defence: AI-powered blocking of prompt injection attacks and data exfiltration attempts in real time

Here’s a quick KQL example for hunting agent activity in Defender:

CloudAppEvents
| where ActionType in (
    "InvokeAgent",
    "InferenceCall",
    "ExecuteToolBySDK",
    "ExecuteToolByGateway",
    "ExecuteToolByMCPServer"
)
| summarize count() by ActionType, bin(Timestamp, 1h)
| order by Timestamp desc

If you’re already running Defender XDR, this is essentially free visibility into your agent estate. No new portal to learn.

The Developer Experience: SDK, CLI, and Blueprints

For developers building agents that need to play nicely with Agent 365 governance, Microsoft has shipped an SDK and CLI that adds enterprise capabilities to your existing agents.

Be warned: The SDK and CLI are currently in preview (you’ll need the --prerelease flag). But the developer experience is already pretty polished.

The CLI installs as a .NET global tool:

# Install the CLI
dotnet tool install --global Microsoft.Agents.A365.DevTools.Cli --prerelease

# Initialise configuration
a365 config init

# Full setup (registers blueprint, configures governance)
a365 setup all

# Deploy to Azure
a365 deploy

# Publish agent package to Agent 365
a365 publish

The SDK itself is available across .NET, Python, and JavaScript. Here’s how you’d add Agent 365 observability to an existing .NET agent using Semantic Kernel:

using Microsoft.Agents.A365.Observability;
using Microsoft.Agents.A365.Observability.Extensions.SemanticKernel;

var builder = WebApplication.CreateBuilder(args);

// Add Agent 365 tracing (OpenTelemetry-based)
builder.Services.AddAgenticTracingExporter();

// Auto-instrument Semantic Kernel
builder.Services.AddTracing(config => config.WithSemanticKernel());

The key concept for developers is Agent Blueprints. A blueprint is an IT-approved, pre-configured agent type definition that specifies capabilities, MCP tool access, security constraints, audit requirements, and linked governance policies (DLP, external access restrictions, logging rules). Think of it as a template that ensures every agent instance inherits consistent governance.

The workflow is: IT creates blueprints with approved configurations. Developers build agents from those blueprints. Every instance inherits the blueprint’s governance rules automatically. This gives developers the freedom to build while giving IT the guardrails they need. No more rogue agents with unrestricted access.

What Does It Cost?

The licensing model is worth understanding because it’s different from what you might expect:

$15 per user per month (standalone)
Included in Microsoft 365 E7 ($99/user/month), which bundles M365 E5 + Copilot + Entra Suite + Agent 365

The important bit: licensing is per user, not per agent. All agents acting on behalf of a licensed user are covered. So if you have 100 licensed users and 50 agents serving them, you pay for 100 user licenses, not 50 agent licenses. For organisations running lots of agents, this is a much more predictable cost model than per-agent pricing would have been.

Note: You need at least one Microsoft 365 Copilot license to access Agent 365, even in the standalone plan. This is a prerequisite, not a bundle.

Currently in Frontier preview, with GA on May 1, 2026. Frontier participants get 25 free licenses valid through December 2026.

I want to be transparent here: the community reaction to the pricing has been mixed. Gartner called Agent 365 “a work in progress with limited net new functionality to justify its $15 pupm price point.” Paul Robichaux at Office 365 IT Pros cautioned against rushing into the E7 bundle, noting that only about 3% of the M365 installed base currently uses Copilot. And a recurring question on the Tech Community forums is whether Agent 365 delivers genuinely new functionality or bundles existing Purview, Defender, and Entra capabilities under a new SKU.

My take? It’s a bit of both. The individual capabilities (DLP, Insider Risk, Conditional Access) already exist. What Agent 365 adds is the agent-aware glue: the registry, the blueprints, the lifecycle policies, and the agent-specific policy templates. Whether that’s worth $15/user/month depends on how many agents you’re running and how seriously your compliance team takes AI governance. For organisations with a handful of agents, it might be premature. For enterprises with dozens of agents across multiple platforms, the centralised visibility alone starts to justify it.

The Elephant in the Room: Is It Actually Unified?

I’d be doing you a disservice if I didn’t mention this. Despite being marketed as a “unified control plane,” the admin experience today still involves bouncing between the M365 Admin Center, Entra ID, Purview, and SharePoint Advanced Management. AvePoint’s assessment described it as a “swivel-chair” experience, and I think that’s fair. Agent 365 provides the policy framework and data model that ties everything together, but the day-to-day admin UX is still distributed across multiple portals.

Microsoft is clearly working towards a single-pane experience, and the M365 Admin Center’s Agents section is the starting point. But if you’re expecting a single console that handles everything from agent discovery to DLP policy authoring to threat investigation, that’s not quite where we are yet. Think of it as the control plane that connects existing admin surfaces, not (yet) one that replaces them.

As Precio Fishbone put it, Agent 365 is “an overlay, not a replacement.” I think that’s the right mental model.

Wrapping Up

Agent 365 fills what was, in my opinion, the biggest gap in Microsoft’s agentic story: governance at scale. We’ve had the tools to build agents (Foundry, Copilot Studio), secure their identities (Entra Agent ID), protect their interactions (Content Safety), and evaluate their behaviour (Foundry Evaluators). What we didn’t have was a single place to discover, govern, and monitor all of them. Now we do.

If you’re running more than a handful of agents in production, or planning to, I’d strongly recommend getting into the Frontier preview before GA hits in May. The registry alone is worth the effort, and the Purview integration means you can extend your existing compliance posture to cover AI agents without building anything new.

As always, feel free to reach out with any questions or comments!

Until next time, stay cloudy!

Azure Spring Clean – 5 Tips to help you align to Enterprise Scale

Azure Spring clean. Easily one of my favourite Azure events of each year. I spend a lot of my year helping organisations clean up their Azure tenancies, so even though I’m writing this as Australia enters autumn, I’m super pumped to take you through my contribution for 2022. 5 Tips for how you can start your own Enterprise Scale journey, today.

For those who haven’t heard of Enterprise Scale Landing Zones (ES) before – It’s a bloody straight forward concept. Microsoft has developed several Azure best practices through the years, with these being reflected in the Cloud Adoption and Well Architected Frameworks. Enterprise Scale is guidance on how best to use these techniques in your environment.

This article will take you through five tips for customers who already have an Azure deployment, albeit not really aligned to the ES reference architectures. Microsoft also provides guidance on this process here. Let’s dive right in!

1. Understand the right reference architecture for you!

While Enterprise Scale (ES) is generic in implementation, every organisation is unique. As such, Microsoft has provided multiple options for organisations considering ES. Factors such as your size, growth plans or team structure will all influence your design choices. The first tip is pretty simple – Understand where you currently are, compared to the available architectures.

The four reference architectures that Microsoft provides for ES are:

Each Enterprise Scale pattern builds in capability

Note: The ES reference architectures that Microsoft provides here aren’t the only options; Cloud Adoption Framework clearly allows for “Partner Led” implementations which are often similar or a little more opinionated. Shameless Plug 😉 Arinco does this with our Azure Done Right offering.

2. Implement Management Groups & Azure Policy

Once you have selected a reference architecture, you then need to begin aligning. This can be challenging, as you’re more than likely already using Azure in anger. As such you want to make a change with minimal effort, but a high return on investment. Management Groups & Policy are without a doubt the clear winner here, even for single subscription deployments.

Starting simple with Management groups is pretty easy, and allows you to segment subscriptions as you grow and align. Importantly, Management Groups will help you to target Azure Policy deployments.

A simple structure here is all you need to get going, Production/Development as an easy line to draw, but it’s really up to you. In the below plan, I’ve segmented Prod and Dev, Platform and Landing Zone and finally individual products. Use your own judgement as required. A word from the wise; Don’t go too crazy, you can continue to segregate with subscriptions and resource groups.

Once you’ve set up Management Groups, it’s time to limit any future re-work and minimise effort for changes. Azure Policy is perfect for this, and you should create a Policy initiative which enforces your standards quickly. Some examples of where you might apply policy are;

If you haven’t spent much time with Azure Policy, the AWESOME-Azure-Policy repository maintained by Jesse Loudon has become an amazing source for anything you would want to know here!

3. Develop repeatable landing zones to grow in.

The third tip I have is probably the most important for existing deployments. Most commonly, non ES organisations operate in a few monolithic subscriptions, sometimes with a few resource groups to separate workloads. In the same way that microservices allow development teams to iterate on applications faster, Landing Zones allow you to develop capability on Azure faster.

A Landing Zone design is always slightly different by organisation, depending on what Azure architecture you selected and your business requirements.

Some things to keep in mind for your LZ design pattern are:

How will you network each LZ?
What security and monitoring settings are you deploying?
How will you segment resources in a LZ? Single Resource Group or Multiple?
What cost controls do you need to apply?
What applications will be deployed into each LZ?

There’s one common consideration on the above list that I’ve intentionally left off the above list;

How will you deploy a LZ?

The answer for this should be Always as Code. Using ARM Templates, Bicep, Terraform, Pulumi or any IaC allows you to quickly deploy a new LZ in a standardised pattern. Microsoft provides some excellent reference ARM templates here or Terraform here to demonstrate exactly this process!

4. Uplift security with Privileged Identity Management (PIM)

I love PIM. It’s without a doubt, my favourite service on Azure. If you haven’t heard of PIM before (how?), PIM focuses on applying approved administrative access within a time-boxed period. This works by automatically removing administrative access when not required, and requiring approval with strong authentication to re-activate the access. You can’t abuse an administrator account that has no admin privileges.

While the Enterprise Scale documentation doesn’t harp on the benefits of PIM, the IAM documentation makes it clear that you should be considering your design choices and that’s why using PIM is my fourth tip.

I won’t deep dive into the process of using PIM, the 8 steps you need here are already documented. What I will say is, spend the time to onboard each of your newly minted landing zones, and then begin to align your existing subscriptions. This process will give you a decent baseline of access which you can compare to when minimising ongoing production access.

5. Minimise cost by sharing platform services

Cost is always something to be conscious of when operating on any cloud provider and my final tip focuses on the hip pocket for that reason. Once you are factoring in things like reserved instances, right sizing or charge back models into your landing zones, this final tip is something which can really allow you to eek the most out of a limited cloud spend. That being said, this tip also requires a high degree of maturity within your operating model you must have a strong understanding of how your teams are operating and deploying to Azure.

Within Azure, there is a core set of services which provide a base capability you can deploy on top of. Key items which come to mind here are:

AKS Clusters
App Service Plans
API Management instances
Application Gateways

Once you have a decent landing zone model and Enterprise Scale alignment, now you can begin to share certain services. Take the below diagram as an example. Rather than build a single plan per app service or function, a dedicated plan helps to reduce the operating cost of all the resources. In the same way, a platform team might use the APIM DevOps Toolkit to provide a shared APIM instance.

Note that multiple different functions are using the same app service plan here.

Considering this capability model when you develop your alignment is an easy way which you can minimise work required to move resources to a new Enterprise Scale deployment. In my opinion, consolidating Kubernetes pods or APIM API’s is a lot easier than moving clusters or Azure resources between landing zones.

Note: While technically possible, try to avoid sharing IaaS virtual machines. This does save cost, but encourages using the most expensive Azure compute. You want to push engineering teams towards cheaper and easier PaaS capabilities where possible.

Final Thoughts

Hopefully you have found some value in this post and my tips for Enterprise Scale alignment. I’m really looking forward to seeing some of the community generated content. Until next time, stay cloudy!

Enabling Password-less in Azure AD with Feitian security keys!

Recently I was lucky to receive some evaluation security keys from Feitian – One of the select companies currently providing Microsoft tested FIDO2 hardware. I’ve always been passionate about enabling Windows Hello for business, so the chance to get even more password-less was something I leaped at.

If you haven’t used a FIDO key before, the first things you will want to know are, what are they? how do I enable usage and how do I use them? Thankfully, the answer to these questions is pretty simple.

My new FEITIAN K40 and K26 security keys

What is a FIDO2 Key?

Most people reading this post will currently maintain some form of password. The key detail being, this is generally a single password, maybe with a few permutations (hats off to the 1 in every 5 people using a password manager). These passwords are never very good – Hard to remember, simple to steal, easy to brute force and allowing massive re-use when stolen. FIDO is a solution to this nightmare.

FIDO as a concept is pretty easy to understand – You own a cryptographically verifiable key and this is used to authenticate on your services. Because FIDO allows you to physically own something with your security info, organisations can generate long & complex data, without you having to memorise it. Most importantly, this security data stays with you (sometimes even locked by your biometrics). Possession is nine tenths of the law and using FIDO it is much harder for malicious entities or hackers to break into your accounts.

As a protocol, FIDO has a fair bit of minutiae to understand. Microsoft provides an excellent summary within their existing password-less documentation. If you really enjoy long boring technical documents, the Technical Specs for FIDO2 from the FIDO alliance and W3C can be found here.

Enabling security key usage in Azure AD

Enabling authentication within Azure AD is a pretty straight forward process. If you have an older AAD Tenant, you want to make sure that Combined Security registration is enabled. (On by default from August 15th 2020)

To do so, navigate to Azure AD user settings, and ensure the combined option is set to all users.

Enable the combined security info experience for users

Next to enable security keys, navigate to Security > Authentication Methods

By selecting FIDO2 Security Key you can enable this authentication method for a select group or all users. There isn’t any major penalty for enabling this on all users, however if completing this task under a dedicated rollout, you may want to consider who should have a key OR if you wanted to configure allowed AAGUIDs using data provided from your manufacturer.

Setting up and using a key

Now that we’ve enabled the service, it’s time for the part we are all keen for – actually using a key! To do so, plug your security key into your pc. Next, I would recommend installing the relevant configuration software for your device. This allows you to configure any settings available in your key.

In the case of my FEITIAN K26 key, I have an option to configure an extra biometric – My Fingerprint. This is great, as I’m now protecting the access that this key grants with my unique properties!

Once you’ve configured your key settings, it’s time to connect this to Azure AD. Complete a login into the MyApps portal. From here, you can use the security settings page to add the FIDO key for use.

The Security Info Page – Select Add Method, then Security Key

Follow the Bouncing Ball to configure your key.

Once setup, your next login should have the option to login with a security key!

A few weeks with my keys

After spending some time using these security keys, I’m thoroughly enjoying the change. They simplify login and provide me with a degree of confidence in my account security. As far as product feedback goes, I have had no issues with the FEITIAN keys – Just personal nigglings which will vary between users. The build quality is great, with the inbuilt loops letting me easily attach to my keys for on the go use. I accepted two USB C devices, which I surprisingly found challenging. As a Mac user, Apple has pushed a lot of my devices to USB-C. I thought I was all done with USB 2.0, but didn’t really think of my corporate devices, meaning I wasn’t able to use the keys there. Form factor wise, the devices could be a bit smaller, with the larger keys being a little bit concerning when moving my laptop around. I was really worried I would snap one off. FEITIAN offers the K21, K28 keys with a slimline build, so next time I might grab a pair of those!

A big Thank you to Della @ FEITIAN for the opportunity to test these keys, until next time – Stay cloudy!

A painful lesson – Create your Emergency Accounts!

In one of my favourite movies Gerard Butler utters the line “lessons not learned in blood are soon forgotten”. That is certainly how I felt last week while attempting to regain access to my cloud accounts.
Ok, Ok – Maybe a movie about a jail-bound revenge obsessed serial killer isn’t the best analogy for a nerd playing god in a cloud lab.

Whenever playing with a cloud service that manages provisioning & activations for your cloud users, it’s important to be alert and understand what actions you are taking. How was I reminded of this? I broke my own setup!
While deleting a bunch of users in a fit of rage at an inconvenient Lab setup last week, I was neither alert, nor understanding. Have a look at the below screenshots and have a guess at what happened.

Yep – Thats right. james@xellolabs.com. Deprovisioned. Deleted. Gone.

The importance of this account? It was my Google Cloud Super admin.

Here is the part where you say – It’s alright James, use your emergency account. Your rainy day account. The forgot my password account. The one you keep spare for when you get hit by a bus.

Bummer for me – I didn’t configure one.

Ok, fair enough, There’s an account recovery process right?
The problem? Account recovery doesn’t work for a disabled account.

Next. Maybe I can re-enable the account using Okta? Remember that fit of rage I was talking about? I also deleted the Okta Application.

Yep. I’m a bonehead.

Ok, next option? Google support. Surely they should be able to help me!

Case: #21249639
Subject: Okta Deleted/Disabled my organisation Super Administrator

Evening Google, 

I was testing some Okta configuration for google cloud configuration late at night. Unfortunately I deleted an okta account that matched the GCP account, and it disabled/deleted the corresponding account: james@xellolabs.com which is the super administrator for my GCP test organisation. I am no longer able to log into the google cloud console or admin.google.com to configure IAM or any extra users.

I can provide proof of ownership for the DNS zone xellolabs.com

I can also provide information as to how the organisation is configured, likely how it is billed (Can't remember the exact credit card)

Apologies for this boneheaded error, I will setup an emergency account in future.

Cheers,

James

You can see where this is going right?
Google Response 1 (Paraphrased for length)

Dear James,
That certainly is boneheaded of you. Please refer to our support article here for admin password reset. https://support.google.com/a/answer/33561?hl=en

Thanks 

Google Support.

No thank-you google – I need some actual help here.

Morning Google,

Unfortunately this does not solve my problem. As I mentioned in the original ticket, Okta has disabled the Super Administrator for my google organisation. I cannot log in to admin.google.com to create new accounts or modify users. I can also not recover the account as it is disabled. 

When I log into the google console, I receive the following username:

fe0b6545633f422e8501f62c8d3ca20aJames@xellolabs.com

I believe it should be just james@xellolabs.com

If you could assist with activating the account I can log in, as I definitely have working credentials

Cheers,

James

Google Response 2 (Paraphrased for length)

Dear James,

I understand you have a problem. It looks like you are having an account ownership dispute. Unfortunately google cannot adjudicate these disputes, please reach out to the  super admin for access. Should you like, I can contact the super admin and ask them to contact you. 
If none of this works, we can completely delete your organisation and you build your lab again.

Thanks,

Google Support.

FFS Guys! It’s me! I swear!
At this point I requested that google contact my super admin. After all, this lab had a population of 3. Me, Myself and I. Surely they would flick a message to one of my many emails?

Outlook? Gmail? Work? Hotmail? Custom Email?

Zilch. Nada. Nothing. All in all a frustrating experience with Google support. Not something I would recommend on the best of days.

Finally I realised that I had configured a service account for Azure-> GCP integration. I had credentials for this thankfully. I could check who was in my google org & who I was supposed to be contacting!

One quick login to admin.google.com:

Even better news? This was the account I needed! In a past life I had been a lazy bastard and not configured the minimum RBAC!

Account Recovered!

Ok so what did we learn today?

Configure a break glass account. Store it offline & test it regularly.
Don’t rely on support to recover your account. Contextual information like a service account names will be overlooked & you may get the runaround.
Don’t add your break glass accounts to automated deprovisioning flows. You are asking for trouble.
Document the level of access you grant to service accounts. You never know when this information might come in handy!
Have a tested BCDR strategy, using off cloud backup or IaC to restore.

Most importantly, I learnt my lesson in blood. Don’t be a bonehead and hopefully you won’t run into this problem yourself!