Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Microsoft Agent 365 is Microsoft's enterprise control plane for AI agents. It gives IT teams a single place to observe, govern, and secure every agent across an organization, regardless of where that agent was built or acquired. Microsoft Foundry agents integrate with Agent 365 so that organizations can apply consistent identity, security, and lifecycle management policies to agents built in Foundry.
This article explains what Agent 365 provides, how it connects to Foundry, and how data flows between the two platforms.
Agent 365 core capabilities
Agent 365 is built on five pillars:
| Capability | Description |
|---|---|
| Registry | Provides a complete inventory of all agents in the organization, including agents built in Foundry and Copilot Studio, agents registered by administrators, and shadow agents discovered in the tenant. |
| Access control | Brings agents under management and limits their access to only the resources they need by using Microsoft Entra ID-based controls and risk-based Conditional Access policies. |
| Visualization | Enables organizations to explore connections between agents, people, and data, and to monitor agent behavior and performance in real time. |
| Interoperability | Equips agents with access to Microsoft 365 apps and organizational data so they can participate in real workflows. Agents can also connect to Work IQ for organizational context. |
| Security | Protects agents from threats and vulnerabilities by integrating with Microsoft Defender, Microsoft Purview, and the broader Microsoft security stack. It also helps protect data agents create or use from oversharing, leaks, and risky behavior. |
For the full list of Agent 365 capabilities and prerequisites, see the Agent 365 overview.
How Foundry integrates with Agent 365
Foundry and Agent 365 connect in two ways:
Automatic registry sync — Published Foundry agents automatically appear in the Agent 365 registry when subscribed. This gives IT administrators a single pane of glass for agent inventory without manual registration.
Digital worker publishing — Foundry Hosted agents can be published as digital workers to Agent 365. A digital worker is an agent that acts autonomously on behalf of a user and receives its own Microsoft Entra Agent ID. After publishing and admin approval, the digital worker appears in the Agent 365 registry and can be connected to Microsoft Teams and other Microsoft 365 surfaces.
For step-by-step instructions on publishing a Foundry agent to Agent 365, see Publish an agent as a digital worker in Agent 365.
Supported agent types
Not all Foundry agent types support the full set of Agent 365 integration features. The following table summarizes current support:
| Agent type | Registry sync | Digital worker publishing | Activity data collection |
|---|---|---|---|
| Prompt agent | ✅ | ✅ | ✅ |
| Hosted agent | ✅ | ✅ | Supported using A365 SDK |
| Workflow agent | ✅ | ❌ | ❌ |
Enablement and data collection
Before Foundry can send agent activity data to Agent 365, your organization must complete two steps:
Obtain a license — Your tenant needs at least one Microsoft 365 Copilot license and enrollment in the Frontier preview program. For licensing details and enrollment FAQs, see Agent 365 prerequisites.
Enable Agent 365 and accept terms — A global administrator signs into the Microsoft 365 admin center, and selects which users or groups get access. The administrator is prompted to agree to the terms of service before Agent 365 is activated. For the full walkthrough, see Enable Agent 365.
Both steps are required before any data flows from Foundry to Agent 365, even if the Azure Resource Manager properties on a Foundry resource are set to enabled for A365.
After these steps are complete, agent activity data from Foundry is ingested into the Agent 365 control plane, powering the registry, analytics dashboards, and security features. Logging options are controlled per Foundry resource through the agent365Config resource provider configuration. For details on how logging works and how to opt out, see Configure Agent 365 data collection for Microsoft Foundry.
Note
Even if the logging property is set to enabled on a Foundry resource, no data is ingested unless your tenant has a valid Agent 365 license and the administrator has accepted the Agent 365 terms of service.
Data residency
Microsoft Foundry and Agent 365 follow different data residency models, hence data processing and storage may happen across geographical regions.
| Platform | Data residency model |
|---|---|
| Microsoft Foundry | Data residency follows the Azure region you select when creating the Foundry resource. All agent data, model deployments, and logs are stored in the resource region. |
| Microsoft Agent 365 | Data residency follows the storage location of the Microsoft Entra tenant. Agent inventory, analytics, and governance data are stored in the geography associated with the tenant. |
When agent activity data flows from Foundry into Agent 365, it moves from the Azure region-based residency model to the Entra tenant residency model. For workloads with specific data residency requirements, you can opt out individual Foundry resources from Agent 365 data collection while keeping other resources enabled.
This lets you restrict data flows where compliance regulations may require it. For details, see Configure Agent 365 data collection for Microsoft Foundry.