Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Note
The May 2026 Frontier preview of Microsoft Agent 365 focuses on delivering a secure and transparent foundation for agents with their own user identities. This foundation includes adherence to existing enterprise security solutions such as Conditional Access, Information Barriers, and sensitivity labels.
These capabilities reflect Microsoft’s current product posture and are designed to support safe, policy-aligned collaboration with AI agents. The Frontier preview helps organizations evaluate these agents in real-world scenarios while maintaining control over content access and sharing.
As the preview progresses, Microsoft continues to gather feedback and refine guidance to ensure all agents meet the needs of enterprise customers, balancing innovation with trust and compliance.
AI agents act, use tools, and interact with content using different permission models. In Microsoft 365, three access patterns define how an agent does so: 1) acting on behalf of a user, 2) acting as an application, and 3) acting with its own user identity. These modes determine the scope, control, and governance of agent access to tooling, actions as well as content. AI agents that operate with their own identity can be added to collaboration surfaces like Teams, Outlook, Office documents, SharePoint, and OneDrive. In these product surfaces, they participate using their own assigned identity.
| Agent access type | Details |
|---|---|
| Acting on behalf of users (Delegated access) | Ephemeral/request-time |
| App agent | Scoped via permissions |
| Agent user identity (Own access) | Persistent, accumulative access |
An agent operating with its own identity unlocks powerful new workflows but also introduces new considerations for content access and sharing. This document outlines Microsoft’s current approach to ensuring an agent operating in its own identity adheres to existing data security policies without compromising enterprise governance. This features focus is on enabling these agents to drive meaningful productivity gains for users, while maintaining transparency, user control, and alignment with platform policies. The goal is to empower organizations to benefit from these agents, balancing risk without introducing unnecessary friction or over-governing agent behavior.
Key principles
The following capabilities describe the key principles with Agent 365:
- Agents operating in their own user identities use existing identity frameworks (Entra ID and OAuth). They are governed by the same enterprise policy mechanisms as users, including conditional access, information barriers, and sensitivity labels.
- Microsoft doesn't impose how these agents are built for third party partners. Specifically, Agent 365 is platform-agnostic and doesn't enforce runtime behavior. Instead, it provides identity, policy, and observability guardrails that can be set up in the Microsoft 365 admin center.
- Microsoft’s first party agent-building platforms, such as Copilot Studio, Foundry, and Agent Builder, provide guidance and their own controls to help developers implement safe agent building and content sharing practices.
- If an agent doesn't support required Agent 365 controls, IT can disable it. This approach creates the right tension for deeper integration without enforcing a one-size-fits-all model.
Content access behavior
Agents operating in their own identities differ from traditional delegated access agents in one key way: they operate with their own identity and access scope. This means the following with Agent 365 agents:
- Agents only have access to the content and resources that are shared with them.
- Agents might have access to content that not all participants in a conversation are authorized to see.
- Anyone who can interact with these agents might receive responses based on the agent’s full access—unless guardrails are in place.
- Any user can share content with these agents, such as uploading a file or forwarding an email, which might later be referenced in responses to others.
How access is governed
To mitigate these risks, Microsoft applies a layered strategy:
- Identity and policy enforcement: These agents are governed by the same identity and access policies as users, evaluating permissions, labels, and policies. For example, Agent 365 agents use information barriers and conditional access.
- Context filtering: For out of the box agents like Microsoft’s Sales Development Agent, context is trimmed outside the model to ensure that only relevant and appropriate information is used in responses. For example, when responding to a customer, the agent’s context is filtered to exclude unrelated or sensitive deal data.
Platform protection levels
| Platform or tool | Guardrail approach | Details |
|---|---|---|
| Microsoft Entra ID | Identity and access | Provides the underlying identity framework (agent identities, authentication, conditional access) that governs how agents access resources. |
| Microsoft Purview | Data protection and compliance enforcement | Enables sensitivity labels, data loss prevention (DLP), and information barriers. These policy signals are evaluated when agents access and share content. |
| Agent 365 | Identity, policy, and observability | Wraps agents with governance but doesn't control internal behavior. |
| Copilot Studio | Secure-by-design templates | Includes HITL, label awareness, and safe sharing patterns. |
| Work IQ | Guidance plus runtime enforcement (where feasible) | Offers APIs and centralized guardrails for agents using this runtime. |
| Microsoft-built agents | Runtime enforcement | Microsoft agents attempt to enforce access checks at runtime. |
Non-Microsoft agents are expected to follow Microsoft’s guidance and best practices. If a non-Microsoft agent doesn't support the required Agent 365 controls, the agent can be blocked by IT in the Microsoft 365 admin center. Microsoft provides platform signals (label metadata) to support safe behavior, but doesn't enforce runtime behavior for non-Microsoft agents.
Getting started
Here are tips to help you get started with Agent 365:
- If you're interested in using an agent with its own user identity, consult your IT or admin about what agents are available and approved in your organization.
- Review internal guidelines or training your organization provides on AI and data handling.
- Start with low-risk interactions. For example, have the agent work with publicly shareable or nonsensitive content to get comfortable with its behavior before trusting it with more sensitive tasks.