Microsoft says ungoverned AI agents could become corporate 'double agents.' Its fix costs $99 a month.

Published: (March 9, 2026 at 09:00 AM EDT)

Source: VentureBeat

Microsoft Announces General Availability of Agent 365 and Microsoft 365 Enterprise 7
May 1 – Wave 3 of Microsoft 365 Copilot launches with expanded AI capabilities and model diversity from OpenAI and Anthropic.


Overview

  • Agent 365 – $15 per user / month

    • Described as the “control plane for agents.”
    • Centralized system for IT, security, and business teams to observe, govern, and secure AI agents across an enterprise.
  • Microsoft 365 Enterprise 7 – $99 per user / month

    • Marketed as the “Frontier Worker Suite.”
    • Bundles Agent 365, Microsoft 365 Copilot, and Microsoft’s most advanced security stack.

“These agents are no longer experimental. We’re seeing them deeply embedded in organizations… the visibility gap creates business risk.” – Vasu Jakkal, Corporate Vice President, Microsoft Security (VentureBeat exclusive)


Why Now?

AI agents have moved from experimental prototypes to operational infrastructure, yet monitoring tools lag behind. Microsoft aims to close that gap before adversaries exploit it.

Adoption Statistics

| Metric | Figure |
| --- | --- |
| Fortune 500 companies using AI agents | > 80 % |
| Agents in circulation (IDC projection, 2028) | 1.3 billion |
| Agents observed inside Microsoft (first customer) | > 500,000 |
| Agents in Agent 365 Registry (first two months of preview) | Tens of millions |
| Customers already adopting the platform (as per Judson Althoff) | Tens of thousands |
| Organizations with unsanctioned agents (no IT/security approval) | 29 % |
| Organizations using any security tools for AI deployments | 47 % |

The “Double Agent” Threat

Microsoft coined “double agents” to describe AI agents that are hijacked—via prompt injection, model poisoning, or other techniques—to act against the organization’s interests.

  • Research status: No large‑scale real‑world incidents yet, but Microsoft’s AI Red Team has demonstrated successful manipulations in testbeds.
  • Analogy: Similar to insider‑risk concerns for human employees; agents now need the same level of vigilance.

Notable Attack Vectors

  1. Prompt Injection / Model Poisoning – Directly manipulates an agent’s behavior.
  2. AI Recommendation Poisoning – Embeds hidden instructions in “Summarize with AI” buttons; over 50 unique poisoning prompts found across 31 companies in 14 industries (Feb 2025 Defender Security Research).
  3. Sleeper Agents – Backdoored language models that act benignly until triggered by specific inputs (Microsoft research on detection).

Extending Zero‑Trust to Autonomous AI

Agent 365 builds on Microsoft’s existing zero‑trust pillars—Defender, Entra, and Purview—and applies them to non‑human entities.

Three Core Pillars

  • Observability – Agent Registry catalogs every agent (Microsoft‑built, third‑party, API‑registered).
    • Accessible via Microsoft Admin Center (IT) and Defender/Entra/Purview (security).
    • Generates risk signals for compromise, identity anomalies, and risky data interactions.
  • Security – Agent ID assigns a unique identity in Microsoft Entra.
    • Enables Conditional Access, Least‑Privilege Enforcement, and Audit Trails for agents.
    • Real‑time access decisions based on risk/compliance signals.
  • Governance
    • Leverages Identity Protection and Conditional Access policies now extended to agents.
    • Integrates with Purview for data classification, loss‑prevention, and compliance monitoring.

What This Means for Enterprises

  • Unified Control Plane: One console to manage both human users and AI agents.
  • Risk Reduction: Early detection of compromised or unsanctioned agents before they cause damage.
  • Compliance Alignment: Agent activities are subject to the same data‑security and governance policies as traditional workloads.

Sources

  • Microsoft announcement (May 1, 2026)
  • VentureBeat interview with Vasu Jakkal
  • Microsoft Cyber Pulse report (Feb 2026)
  • IDC forecast (2028)
  • Microsoft Defender Security Research (Feb 2025)
  • Statements from Judson Althoff, CEO, Microsoft Commercial Business


Microsoft 365 Agent 365 & E7 “Frontier Suite” – A Clean‑up of the Recent Announcement


1. Agent 365 Security – Zero‑Trust for AI

“We think about security for agents very similar to security for people,” said Jakkal.
“You have to protect these agents against threats. You have to secure the data that they’re accessing. You have to secure their access and identity. So extending zero‑trust to zero‑trust for AI.”

  • Sensitivity‑label inheritance – agents automatically receive the same labels as the data they touch.
  • PII blocking – personally identifiable information is filtered out before it reaches prompts.
  • Insider‑risk monitoring – suspicious agent behavior is flagged in the same way as user risk.
  • Audit & eDiscovery – agents are now first‑class auditable entities alongside users and applications.

2. Real‑Time Intervention

“If there’s a risk, if it’s a risky agent, then you can, of course, block it as well,” Jakkal added.

  • Two‑mode operation – Agent 365 can observe post‑event and intervene in real time.
  • Risk surface – anomalous behavior appears as risk flags in the Defender portal.
  • Remediation – security teams can block or quarantine a risky agent directly from the portal.

3. E7 “Frontier Suite” – Pricing & Components

| Component | Included in E7? | Individual SKU Price* |
| --- | --- | --- |
| Microsoft 365 E5 | | $57 / mo (rising to $60 in July) |
| Microsoft 365 Copilot | | $30 / mo |
| Agent 365 | | $15 / mo |
| Microsoft Entra Suite | | — (bundled) |
| Advanced Defender, Intune & Purview | | — (bundled) |
| E7 “Frontier Suite” | | $99 / user |

*All prices are per‑seat, per‑month.

Althoff (Microsoft) framed the bundle as a direct response to customer demand: “Customers have told us E5 alone is no longer enough; they do not want multiple tools stitched together, they want one trusted solution.”


4. Market & Strategic Context

  • TechRadar (early March) first reported Microsoft’s work on an E7 tier.
  • Computerworld – Steven Vaughan‑Nichols: Microsoft now wants organizations to “hire” AI agents, licensing each like a human employee.
  • SiliconANGLE – notes the per‑seat subscription model for non‑human entities creates a powerful, scalable revenue stream that can grow even as agents replace some human headcount.

5. Copilot Model Diversity – Wave 3

  • Claude (Anthropic) is now available in the mainline Copilot chat.
  • The latest OpenAI models are also included.
  • Copilot Cowork (research preview, built with Anthropic) enables long‑running, multi‑step work inside Microsoft 365.

6. Anthropic Partnership & Geopolitical Weight

  • CNBC (Mar 6): The U.S. Department of Defense labeled Anthropic a supply‑chain risk after Anthropic refused Pentagon‑requested terms of use.
  • Google, Microsoft, and Amazon all pledged to keep offering Anthropic tech for non‑defense workloads.
  • WIRED reported the Pentagon’s earlier experiments with Azure OpenAI before OpenAI lifted its military‑use prohibition in Jan 2024.

Microsoft’s positioning: “We want to be the vendor that makes AI safe for enterprise deployment, regardless of which underlying models customers choose.”


7. Copilot Business – The Adoption Engine

  • 15 million paid Copilot seats (160 % YoY growth).
  • Daily active usage up 10×.
  • Large‑scale deployments (≥ 35 k seats) have tripled YoY.

| Customer | Seats Deployed |
| --- | --- |
| Mercedes‑Benz | Global rollout (size not disclosed) |
| NASA | 35 k+ |
| Fiserv | 35 k+ |
| ING | 35 k+ |
| Westpac | 35 k+ |
| Publicis | ~95 k (nearly entire workforce) |

  • 90 % of Fortune 500 companies now use Copilot (Microsoft claim).

8. Avanade Endorsement

“Avanade has real visibility into agent activity, the ability to govern agent sprawl, control resource usage, and manage agents as identity‑aware digital entities in Microsoft Entra,” said CTO Aaron Reich.
“This significantly reduces operational and security risk.”


9. Competitive Landscape & SDK

  • Competitors: Palo Alto Networks and CrowdStrike are building their own agentic AI security layers.
  • Microsoft’s advantage: Deep integration across the Microsoft 365 stack.

“It’s not just this tool, and this tool, and this tool put together in a SKU — it’s more like this tool and this tool and this tool work together,” Jakkal explained.

  • Third‑party frameworks (LangChain, CrewAI, other open‑source tools) can leverage the Agent 365 SDK, which offers varying levels of integration.

10. General Availability & Preview Roadmap

  • GA date: May 1, 2024 (Agent 365 & E7).
  • Public preview at launch: Defender & Purview risk signals, security‑posture management for Foundry and Copilot Studio agents.
  • Upcoming preview (April): Runtime Threat Protection feature.

Jakkal observed that many organizations are already testing these capabilities to stay ahead of attackers, raising the core question: Will enterprises pay to govern AI fast enough to stay ahead of threats?



The push toward agentic AI as a catalyst for long‑overdue security improvements

“I’m seeing organizations use this as an opportunity to say, ‘We have to fix our foundations,’” she said.
“They’re using the AI transformation and agentic transformation to go back and say, we are going to do a security transformation.”

Whether the market moves fast enough remains the open question. The tools to build agents are freely available and require no security expertise. The tools to govern them require budget approval, implementation cycles, and organizational alignment across IT, security, and business teams. That asymmetry — between the speed of agent creation and the speed of agent governance — is the gap Microsoft is trying to close.

“The future of work isn’t just about smarter agents,” Jakkal said. “It’s about trusted agents.”

For the 29 percent of enterprise agents already operating without any oversight at all, trust is not a product roadmap — it’s a race against the clock.
