Key insight
Agent 365 is built on five pillars: Registry (a complete inventory of every agent), Access Control (limit each agent to only what it needs), Visualization (see the connections and behaviour), Interoperability (let agents safely do real work), and Security (protect and govern with trusted systems). Each pillar rests on a Microsoft service the organisation already runs, and together they move agents from scattered and unmanaged to seen, governed, and trusted.
Microsoft Agent 365 is a control plane that lets an organisation observe, govern, and secure every agent. Those three verbs are useful, but Microsoft describes the product in slightly finer grain, as five pillars. The pillars are simply the five distinct jobs the control plane does. Learning them gives you a map of the whole product: each pillar is a substantial subject in its own right.
1 · Why “five pillars” is a useful map
A pillar, in this sense, is a load-bearing capability: something the whole structure depends on. Microsoft groups Agent 365 into five because each answers a different, necessary question. Do we know every agent exists? (Registry.) Can we limit what each one reaches? (Access Control.) Can we see how they connect and behave? (Visualization.) Can they actually do useful work safely? (Interoperability.) Are they protected as they run? (Security.) Miss any one and the others weaken — perfect access rules are useless for an agent you never knew existed. Let us take them one at a time.
2 · Pillar 1 — Registry: one inventory of every agent
The registry is the beating heart of Agent 365: a single, complete inventory of every agent operating in the organisation. Critically, it is not just the agents you built on purpose. Microsoft describes it as covering three sources at once:
- Agents with an identity — agents already carrying a Microsoft Entra Agent ID, including those built in Copilot Studio and Azure AI Foundry.
- Agents you register yourself — agents an administrator adds by hand, including synchronised copies of agents managed on external platforms.
- Shadow agents — agents discovered running in the tenant that nobody formally registered.
Beyond a bare list, the registry also tracks ownership — who is responsible for each agent — which is what makes accountability and attestation (a periodic confirmation that an agent is still needed and correctly owned) possible. If the nightmare is agent sprawl, the registry is the direct cure: you cannot govern what you cannot see, and the registry is how you finally see everything.
3 · Pillar 2 — Access Control: only what each agent needs
Access control brings agents under management and limits each one to only the resources it genuinely needs, using Microsoft Entra’s identity-based authorization. In plain terms, once an agent has its own identity, the organisation can decide precisely what that identity may reach — and, just as importantly, what it may not. Microsoft calls out three mechanisms:
- Role-based access control (RBAC) — permission granted by role, the same way a “cashier” role grants exactly the till functions a cashier needs.
- Attribute-based access control (ABAC) — permission decided by characteristics (attributes) such as the type of resource or the sensitivity of the data, allowing finer, more contextual rules.
- Risk-based Conditional Access — policies that add extra checks, or block access outright, when a request looks risky, so a compromised agent cannot quietly keep operating.
This is the pillar that enforces least privilege — giving only the access a task needs — for agents.
4 · Pillar 3 — Visualization: seeing connections and behaviour
Knowing agents exist (Registry) and constraining them (Access Control) still leaves a question: what are they actually doing, and how do they connect to everything else? Visualization answers it. It lets an organisation explore the connections between agents, people, and data, and monitor each agent’s behaviour and performance in real time, to assess its impact. Where the registry is a list, visualization is a live map — showing, for instance, that one agent touches a sensitive dataset, hands work to a second agent, and reports into a workflow a particular team depends on. That map is what turns raw activity into understanding, and it is the front end of the observability we will build on in Levels 300 and 500.
5 · Pillar 4 — Interoperability: letting agents do real work
An agent that can reach nothing is safe but useless. Interoperability is the pillar that lets agents actually participate in real workflows — equipping them with governed access to Microsoft 365 apps and organisational data so they can read mail, update files, check calendars, and act, all under central control. The capability that delivers this is Work IQ, which gives agents a simplified, governed surface onto Microsoft 365 data rather than a sprawl of raw permissions. The key word is governed: interoperability is not “let agents touch everything,” it is “let agents do real work through a controlled gateway.” How this gateway is built and locked down is a rich subject in its own right.
6 · Pillar 5 — Security: protect and govern
The fifth pillar, Security, ties the others together by extending Microsoft’s enterprise-grade protections across agents. Microsoft frames it as three services working in concert:
- Microsoft Entra enforces consistent, risk-based access controls for users and for the agents acting on their behalf — so agents reach only authorised resources.
- Microsoft Purview provides deep visibility into data risk, with information protection and data-loss prevention — so agents do not leak sensitive data.
- Microsoft Defender adds continuous threat detection and real-time protection — so unsafe behaviour and malicious activity are blocked as an agent runs.
Notice that Security is not a separate silo bolted on at the end; it reuses the same identity (Entra) that powers Access Control and the same data systems that inform Visualization. That reuse is the whole design philosophy: protect agents with the systems you already trust for people.
7 · How the pillars combine — and what each license unlocks
The pillars are designed to reinforce one another. The registry feeds visualization; identity powers both access control and security; interoperability is only safe because the other four constrain it. Together they let an organisation move, in Microsoft’s words, “from ad hoc experimentation to treating agents as a managed, trusted part of” the environment.
One practical caveat worth knowing early: not every capability is available at every licensing level. Basic pillars are broad; the richer ones require higher tiers. A simplified view of the published feature availability:
| Capability | Microsoft 365 plans | Microsoft E7 / Agent 365 |
|---|---|---|
| Agent inventory in the registry | Yes | Yes |
| Basic governance actions (publish, deploy, block, delete, approve, reassign owner) | Yes | Yes |
| Conditions-based lifecycle automation | Yes | Yes |
| Policy templates for customised controls | No | Yes |
| Observability & monitoring (Visualization & telemetry) | No | Yes |
| Tenant-wide control of which tools/MCP servers agents may use | No | Yes |
| Graph API access to the registry and governance actions | No | Yes |
Licensing is covered on its own elsewhere. For now, the shape to remember is: everyone gets the inventory and basic governance; the deeper observability, policy, and tooling controls come with the higher tiers.
Registry, Access Control, Visualization, Interoperability, Security. Each of these five is a substantial subject in its own right. When a topic feels detailed, ask “which pillar is this?” and it will slot into place.
8 · Glossary — every short-form term, spelled out
- Pillar
- A load-bearing capability the whole product depends on; Agent 365 has five.
- Registry
- A single, complete inventory of every agent in the organisation — identified, self-registered, and discovered shadow agents — including who owns each one.
- Attestation
- A periodic confirmation that an agent is still needed and correctly owned, supporting governance.
- Access control
- The pillar that limits each agent to only the resources it needs, using Microsoft Entra identity-based authorization.
- RBAC (role-based access control)
- Granting permissions by role, so anything with a given role gets exactly that role’s access.
- ABAC (attribute-based access control)
- Granting permissions based on characteristics (attributes) such as resource type or data sensitivity, for finer, contextual rules.
- Conditional Access
- Policies that add extra checks, or block a request, when it looks risky — here, applied to agents.
- Least privilege
- Granting only the access a task genuinely needs, nothing extra.
- Visualization
- The pillar that lets an organisation explore connections between agents, people, and data, and monitor behaviour and performance in real time.
- Interoperability
- The pillar that gives agents governed access to Microsoft 365 apps and data so they can participate in real workflows.
- Work IQ
- The capability that provides agents a simplified, governed surface onto Microsoft 365 data; the engine behind interoperability.
- Security (pillar)
- Protecting and governing agents using Microsoft Entra (identity), Purview (data protection), and Defender (threat defence).
- MCP (Model Context Protocol)
- A standard way for agents to reach tools and data; Agent 365 lets administrators control which MCP servers agents may use.
- Graph API
- A programming interface for reaching Microsoft 365 data and actions in code; higher tiers expose the agent registry through it.
Agent 365 is built on five pillars, each answering a distinct question about agents.
Registry gives one complete inventory — identified, self-registered, and discovered shadow agents — with ownership recorded.
Access Control limits each agent to only what it needs, using Entra identity with RBAC, ABAC, and risk-based Conditional Access.
Visualization turns the inventory into a live map of connections and behaviour between agents, people, and data.
Interoperability lets agents do real work through Work IQ’s governed gateway onto Microsoft 365 data.
Security protects and governs agents with Entra, Purview, and Defender — reusing the systems already trusted for people.
The pillars reinforce each other, but richer capabilities (observability, policy templates, tenant-wide tool control, Graph API) require the higher E7 or Agent 365 licensing.
References
- Microsoft Learn, Microsoft Agent 365 integration with Foundry — the five-pillar capability table (Registry, Access control, Visualization, Interoperability). learn.microsoft.com
- Microsoft Learn, Responsible AI FAQ for Microsoft Agent 365 — Registry, Access control, Visualization, Interoperability. learn.microsoft.com
- Microsoft Learn, Overview of Microsoft Agent 365 — the Security pillar (Entra, Purview, Defender). learn.microsoft.com
- Microsoft 365 service descriptions, Microsoft Agent 365 — Feature availability. learn.microsoft.com