Microsoft Agent 365: What It Can’t Do (Yet) — Limitations You Need to Know
Microsoft Agent 365 launched on May 1, 2026 with bold promises around agent governance, security, and observability. And many of those promises are real. But if you’re an IT or security leader evaluating Agent 365 for your organization, there’s a side of the story that rarely makes it into the marketing slide deck: the limitations.
Here’s what Agent 365 cannot do today (8th of May 2026):
Does Agent 365 cover all agent types at General Availability?
No — and this is the single most important limitation to understand. At GA on May 1, Agent 365 only covers OBO agents (On-Behalf-Of agents) — agents that act in the context of a specific user. Autonomous agents — those that run independently without a tied human user, including Agent-to-Agent (A2A) and Agent-to-Tool (A2T) scenarios — remain in Frontier Preview only. The licensing model for autonomous agents is still being defined. You will not be charged for autonomous agent capabilities until they reach GA, but you also cannot fully govern or secure them today.
Can a single licensed admin cover the whole organization?
No, and attempting this creates a compliance violation. Agent 365 is a per-user license that covers users who benefit from premium capabilities. Multiplexing — pooling a single license to reduce the total count — is explicitly prohibited under Microsoft’s Universal License Terms, consistent with how Microsoft 365 E5 enforcement works. If unlicensed users benefit from Agent 365 premium capabilities, the organization is out of compliance.
Does Agent 365 automatically govern shadow agents?
No. Discovery does not equal governance. Agent 365 can detect shadow agents — unauthorized or unregistered agents running in your environment — through Microsoft Defender and Entra security signals. But detected shadow agents are not automatically enrolled in the Agent 365 management framework. An admin must explicitly onboard each one. There is currently no automated conversion process from “discovered” to “governed.”
Can existing Copilot Studio agents be retroactively upgraded to Agent 365?
No. Entra Agent IDs are provisioned at the time an agent is created on supported Microsoft platforms. Agents built before General Availability do not automatically inherit the new identity primitives. There is currently no retroactive process or bulk migration option. Existing agents must be rebuilt or republished to receive an Entra Agent ID. This has direct implications for organizations that have already deployed a significant number of Copilot Studio agents.
Does Agent 365 cover agents built outside Microsoft tools?
Only partially. Third-party agents from platforms like ChatGPT Enterprise, AWS Bedrock, or GCP can be governed by Agent 365 — but only if they are explicitly onboarded via the Agent 365 SDK. Agents that are not integrated through the SDK cannot be governed at the agent identity level. They may be visible as shadow activity through Defender signals, but full governance requires explicit registration. Additionally, third-party agents require both an Agent 365 license and their own native platform licensing. Agent 365 does not replace vendor licensing.
Can organizations register and govern custom MCP servers in Agent 365?
Yes, but it requires a developer-led approach. While Agent 365 provides a pre-configured catalog of Work IQ servers for Microsoft 365, you can onboard custom MCP servers for line-of-business scenarios. This is done via the Agent 365 CLI or by declaring the server in your app’s manifest file. Once registered, these custom tools appear in the Agent Registry where admins can allow or block them just like standard Microsoft tools
Does an Agent 365 license upgrade security capabilities on E3 plans?
No. This is a critical misconception worth addressing directly. An Agent 365 license does not grant E5-level Purview or Defender capabilities. It adds no additional user-level security entitlements. For example, Conditional Access for OBO agents requires M365 E3 per user. Identity Protection for OBO agents requires M365 E5 per user. Identity Governance for OBO agents requires Identity Governance standalone or Entra Suite. Agent 365 extends existing security investments to agents — it does not replace or upgrade them.
Does Agent 365 automatically clean up unused or expired agents?
Yes, as of May 2026, Microsoft has introduced rules-based lifecycle management. Admins can now define automated policies to expire inactive agents, flag “ownerless” agents when a sponsor leaves the company, or automatically block agents that trigger high-risk security signals. While the initial setup of these rules is manual, the execution is now automated.
Does Agent 365 guarantee that all data stays within my local region?
No. While Microsoft attempts to process data within local boundaries, it utilizes “flex routing” during periods of peak load or capacity overflow. This means your prompts and data may temporarily move outside your primary region (such as the EU Data Boundary) to another geography for processing. Administrators must explicitly consent to this by enabling the “Move data across regions” toggle in the Power Platform admin center; however, if this is disabled, some generative features may fail to function when local model capacity is maxed out.
Is Agent 365 limited to using only OpenAI models?
No. The platform has transitioned to a model-agnostic architecture . Through the Frontier program, users can access models from multiple providers, including Anthropic’s Claude 3.5 Sonnet alongside OpenAI’s GPT models . This allows the system to automatically select—or users to manually choose—the optimal engine for a specific task, such as utilizing Claude for deep research, completeness, and citation integrity
How can agents be used to automate legacy applications that lack modern APIs?
This is addressed through Windows 365 for Agents, which is currently in public preview (initially in the United States only). This service introduces a new class of Cloud PCs purpose-built for agentic workloads and managed via Microsoft Intune. It provides a secured environment where agents can run in policy-controlled spaces to interact with desktop applications and carry out work using the same identity and security controls used for human employees .
What’s the practical takeaway for IT and security leaders?
Agent 365 is a strong foundation for enterprise agent governance — but it is not a complete solution today. If your organization is deploying autonomous agents at scale, relying heavily on pre-GA Copilot Studio agents, or expecting Agent 365 to automatically secure everything it discovers, you will run into these walls quickly.
The honest approach: deploy Agent 365 for what it does well today — OBO agent governance, identity management, and centralized registry visibility — while maintaining a clear roadmap for the gaps. Know where autonomous agents, shadow agents, and pre-existing Copilot Studio agents sit outside the current governance perimeter.
Governance doesn’t start when a product reaches GA. It starts when you know exactly what you’re governing — and what you’re not.
Sources:
- Microsoft Agent 365 Licensing FAQs (April 2026)
- Microsoft Learn documentation (May 2026)
- Microsoft Agent 365 Partner Launch FAQ (March 2026)
- My Blogpost “Microsoft Agent 365 FAQ: What You Need to Know Before May 1st”
- Microsoft Purview vs Agent 365: Understanding Agentic AI Governance
PS: Ready to implement proper AI agent governance? Contact me, Ragnar Heil, for a consultation on Agent 365, SharePoint Advanced Management, Microsoft Purview (Information Protection, Data Loss Prevention Policies, DSPM for AI), Rencore Governance, EasyLife365 Collaboration, ShareGate Protect, Data&More or Agent 365 deployment strategies tailored to your organization’s needs. Find my calendar here at our HanseVision Governance Landing Page.
4 Comments