
What Microsoft Agent 365 Actually Does for Custom Agents (Claude)

Jason Webster · June 11, 2026 · 8 min read

TL;DR: Microsoft Agent 365 brings the identity, access, and data-loss controls you already use for users and applications to AI agents your developers build on third-party stacks like Anthropic Claude. The agent gets its own Entra Agent ID, Conditional Access can target it, Purview sees its activity and flags sensitive data flows, and eDiscovery captures the interaction record. This works today for custom-built agents, including agents running on models Microsoft does not own. Two caveats: the user-to-agent identity binding mechanics are thinly documented as of this writing, and the licensing model is layered enough to surprise people. However, don’t let that deter you. Agents having observable identities that can be managed with separation of duties is a big win in itself.

The governance problem custom agents create

Your developers are going to build custom agents. You probably already have them even if you don’t know about them. They will build them on whatever AI stack fits the job or their experience: Anthropic, OpenAI direct, open-source models, something that changes month to month. This will be constantly changing as models emerge and improve.

Traditional governance assumes the thing being governed is a user or an application running on a platform you control. A custom agent built on something like Anthropic's Enterprise plan models fits neither bucket. It acts on behalf of users, can touch business data, and produces output that can end up in front of a client or a regulator. Without a governance plane, every one of those agents is shadow AI with access to whatever its developer wired it to and to whatever its own set of identities, service principals, and so on can reach.

The framing that matters: governance cannot depend on the agent being a Microsoft agent or running in the Microsoft ecosystem. It has to work on any agent the organization brings under management. That separation is what Agent 365 aims to solve. Developers build with the best tool for the job. IT and security govern the result without rewriting the agent. The identity manages the access of the agent, not the prompt or the code it creates.

What a registered custom agent gets

I wanted to see this work in reality so I built a custom agent on Anthropic Claude (Haiku because I’m cheap), registered it through Agent 365, and ran it under full governance. Here is what the platform provides once that registration is in place.

An identity in Entra. The agent gets an Entra Agent ID: its own directory object with an owner, a sponsor, lifecycle dates, and a place in the tenant hierarchy. The same identity machinery you run for people now covers the agent.

Permissions granted and revoked tenant-side. What the agent can reach (mail, files, SharePoint, MCP tools) is scoped through standard Entra consent. Revoking access is an admin action in the tenant. The agent's code never changes, and the agent can only access what I allow it to.

Conditional Access targeting. Policies can name the agent's identity. Require compliant networks, block specific locations, demand additional risk signals before the agent can acquire tokens. The same policy engine, pointed at a new class of principal.

DLP that names the agent instance. Purview DLP policies can target agent interactions specifically, with observability into the agent's interactions and communications, both human to agent and agent to human.

Observability. Purview DSPM for AI shows interaction volume, attributes activity to the agent identity, and flags sensitive content like SSNs, credit card numbers, or PHI passing through a conversation. This covers whatever DLP rules you have in place that are meaningful to your compliance.

eDiscovery coverage. Agent interactions land in compliance archives, discoverable for legal hold and investigation the same as mail or Teams messages. This is where you can read the interactions.

Bonus: Microsoft Defender Advanced Hunting also surfaces the agents' activities and metadata so you can do security reviews.

The M365 governance stack you already operate extends to any agent that is properly registered and instrumented. The model underneath can be Claude or other public or local LLMs.

The architecture in one paragraph

The developer needs to build the agent with the Microsoft Agent 365 SDK, which handles hosting and message routing, plus an observability library that emits telemetry to Microsoft's backend. The agent's brain is whatever model you choose; mine is Haiku. The agent runs on infrastructure you pick (Azure Web App and Bot Framework was my path for this simple chat interface, other clouds work). Registration happens through the Agent 365 CLI, which creates the Entra Agent ID and binds it to the agent registry. Users reach the agent through any authenticated channel: Teams, Copilot, or a custom web interface fronted by single sign-on (like my example). The agent can reach trusted sources based on its Entra permissions.

The licensing

This is where Microsoft's published material gets confusing, so here is the layered picture in one place.

Agent 365 is per user, per month. The unit is the user. The number of agents you register does not change the bill. It is bundled into Microsoft 365 E7 at $99 per user per month alongside M365 E5 and the Entra Suite, or you can buy it a la carte if you have Microsoft 365 E5.

M365 E5 is a prerequisite. There is no a la carte path from lower tiers. If your organization is on E3, the E5 or E7 move is part of this conversation, and the E7 breakdown I wrote earlier this year covers that math. This isn’t punishment; it’s simply that you need Entra ID, Defender, and Purview to do anything beyond registering the agent and seeing that it has activity. You can see below how they work together and what each does.

[Screenshot: how Entra ID, Defender, and Purview work together and what each does]

Conditional Access for agents requires Entra ID P1, which E5 already includes. Purview DSPM for AI for agents went GA in late May and requires E7 or Agent 365 licensing on the admin viewing the data, plus the AI Reader or AI Administrator role.

Two billing layers sit on top of the seat licenses. Some governance actions draw from a Security Compute Unit pool: E5 includes 400 SCUs per 1,000 users with a 10,000-unit cap, and overage throttles rather than fails. Organizations planning heavy agent traffic should model SCU consumption before rollout. And some of the newest Purview AI capabilities are pay-as-you-go against an Azure subscription rather than seat-licensed. The clearest example is the Purview connector for Anthropic Claude Enterprise (preview, announced in May), which requires PAYG billing enabled in the tenant. The budgeting conversation and the licensing conversation are two different meetings. You need both.

One timing note: the July 1 M365 price changes affect renewal math. If you are in a renewal window, run the bundle comparison now.

Four things to plan for

Anonymous channels lose per-user attribution. A custom web chat needs user authentication (Easy Auth or equivalent) for activity to flow into Purview attributed to a specific person. Without it, governance still works at the agent level, and the per-user story goes dark. No big deal: most interactions involving sensitive data under compliance requirements require auth.

User-to-agent identity binding is manual outside Teams and Copilot. Teams installs create the binding behind the scenes. Custom surfaces require explicit configuration. Expect the platform to smooth this over time; today it is a step in your deployment plan, tomorrow it is likely a step-by-step enrollment wizard.

The CLI documentation lags the CLI. Microsoft is shipping Agent 365 tooling fast. When the docs and the --help output disagree, trust the tool. Leverage AI to probe the real capabilities.

Registration and activity are separate milestones. A registered agent shows up in the registry immediately, and the Activity view stays empty until interactions flow through the instrumented path with real user identity attached. If your dashboard looks dead after a clean setup, wire authentication into the chat surface and the telemetry appears in near-real-time.
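The attribution gap described under anonymous channels, shown as an added example (this is not Microsoft's code, the Agent 365 telemetry schema, or Purview's classifiers): constructed interaction records are scanned for SSNs and card numbers, and findings are rolled up per agent and per user. The record field names, the agent name, and the user addresses are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed records; field names are hypothetical, not the Agent 365 schema.
# user=None models an unauthenticated web chat. The checks below are
# simplified stand-ins, not Purview's classifiers.
RECORDS = [
    {"agent": "hr-onboarding-agent", "user": "alice@contoso.example",
     "text": "New hire SSN is 123-45-6789, start date Monday."},
    {"agent": "hr-onboarding-agent", "user": None,
     "text": "Please charge card 4111 1111 1111 1111 for the badge."},
    {"agent": "hr-onboarding-agent", "user": "bob@contoso.example",
     "text": "Ticket 000-12-3456 and order 1234 5678 9012 3456 are closed."},
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def valid_ssn(area, group, serial):
    # Structural rules only: these ranges are never issued.
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    found = set()
    if any(valid_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        found.add("SSN")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add("CREDIT_CARD")
    return found

def attribute(records):
    by_agent, by_user = Counter(), Counter()
    for r in records:
        for kind in classify(r["text"]):
            by_agent[(r["agent"], kind)] += 1   # always attributable
            if r["user"]:                       # anonymous: no per-user row
                by_user[(r["user"], kind)] += 1
    return by_agent, by_user
```

The card number from the anonymous session is counted against the agent but has no per-user row, and the third record's look-alike values are rejected by the SSN range rules and the Luhn check.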

Three paths for Claude governance

Readers tend to collapse "Claude governance" into one thing.

Employees using Claude Enterprise. Governed through the new Purview connector built on Anthropic's Compliance API (preview). Today it covers DSPM for AI visibility and unified audit. It does not yet cover DLP enforcement, sensitivity labels, eDiscovery, or Insider Risk. It requires Purview PAYG billing and Claude Enterprise on the Anthropic side; consumer and Team plans are out of scope. Expect about a day after setup before data populates. This is a real delay. I was suspicious, then I woke up the next day and everything was populated.

Custom agents you build and host. The subject of this post, and the deepest governance available: Entra Agent ID, registry, Conditional Access, DLP targeting the agent instance, interaction observability, eDiscovery. Works regardless of the model powering the agent. You must incorporate the Agent 365 SDK into your actual development stack. Probably not a bad idea to use the Purview SDKs as well if you want to get into enforcement beyond observability.

Agents on external platforms (AWS Bedrock, Google Cloud, Databricks). Microsoft has begun shipping registry sync connectors (both in public preview) for discovery, inventory, and basic lifecycle control. Coverage of Anthropic's own managed agent platform is the gap to watch. Expect this to expand as time moves on.

What this looks like in practice

An employee pastes an onboarding document containing an SSN into the agent. Purview detects it, attributes it to that user and that agent, surfaces it in DSPM for AI, and DLP policy can block the response (if the Purview SDK is in the works; if not, it's just observability).

IT grants the agent access to a SharePoint library, and it starts answering questions from that content. Six months later the library is reclassified and IT revokes the grant. The agent goes blind to that data immediately, without a redeploy.

Counsel needs the record of what the agent told an employee about a specific topic on a specific date. eDiscovery surfaces the interaction with the chain of custody intact.

This all works today and we can demonstrate it for your business. 60 minute A365 Demo.

Where this leaves you

Custom agent adoption is going to accelerate, and most organizations have a governance plan that assumes this all just works with governance tools out of the box. The agents your teams build on Anthropic, OpenAI, and open-source stacks are far from that. The platform is GA and the roadmap is rapidly being executed. That combination favors the organizations that get hands-on early. The agents are coming either way; the open question is whether your governance plane is ready when they arrive.

If you want to talk through what registering and governing your first custom agent would look like in your tenant, which licensing tier the math actually supports, and how to sequence the Purview work ahead of your first deployment, reach out.

Topics: Agent 365, Microsoft 365, custom AI agents, governance, Purview, Anthropic