Adopt Microsoft Agent 365 as our agent control plane?

Microsoft Agent 365 went GA May 1 at $15/user/mo — a registry + access-control plane for every agent (including third-party) in your tenant.

Counsel verdict · AIssential

The question

Every M365 tenant now has to decide whether to standardize agent governance on Microsoft Agent 365 — paying $15/user/mo for a control plane we don't operate — or roll our own agent registry, identity, and access-control infrastructure.

The premise

Team
~50 engineers, ~10 actively building AI features, single MLOps engineer. AI work pulls from feature-shipping capacity — any new commitment has to trade against the roadmap. IT runs M365 for ~200 employees; engineering ships product agents separately.
Compliance
SOC2 Type II in scope. EU customer data subjects us to GDPR plus the EU AI Act's August 2026 GPAI-deployer obligations.
Stack
M365 E5 for the company (~200 users, ~$45/user/mo). Entra ID for SSO. ~8 internal Copilot Studio agents in pilot (ops + HR automation). ~3 product-facing agents built with LangGraph + custom retrieval, not on M365. Standalone agents: no shared registry, no shared identity, no central audit log.
Budget
Monthly AI spend ~$30K with quarterly board visibility. Approvals required for sustained jumps >20%. Cost-per-outcome metrics in place; finance asks for unit economics by use case. Agent 365 at $15/user/mo for 200 users adds $36K/year — material against our current AI budget.

Does Agent 365 actually solve the problems we have today?

It solves agent identity, basic governance, and audit logging for agents that live inside the Microsoft graph. Our product agents (LangGraph + custom retrieval) are outside that graph; Agent 365's value for them is limited to identity + audit forwarding. So the real question is whether $36K/year is worth governance for the 8 internal Copilot agents alone.

What's the lock-in cost if we go all-in on Agent 365?

Moderate. The agents themselves stay portable (we own the prompts + workflows). What's not portable: the identity model, audit-log schema, and any policy logic we wire into Entra. Exit cost is rewriting that policy layer — ~2-4 engineer-weeks if we kept it lightweight, much more if we leaned in fully.

If we adopt, do we go big or pilot first?

Pilot first, on the 8 existing Copilot agents only. Six-month evaluation against concrete criteria: did it reduce agent-related incidents, did audit logs catch anything our existing logging missed, did Entra-based scoping prevent any documented blast-radius event. If the answer to all three is no, kill it.

Counsel's position

Standardize agent governance on Microsoft Agent 365 to secure both your Copilot Studio and LangGraph deployments ahead of the August 2026 EU AI Act deadline, as the $36K annual cost is justified by avoiding the engineering drain of building custom identity infrastructure before W3C standards mature.

Verdict

The verdict: Adopt Agent 365 to map agent blast radius and discover shadow AI. It costs $15 per user per month, scaling predictably with the number of human users interacting with the ecosystem rather than per agent.

Adopt Agent 365 to map agent blast radius and discover shadow AI

Given your SOC2 and EU AI Act compliance requirements, leverage Microsoft's control plane to gain visibility into both your internal Copilot Studio pilots and standalone product agents.

Defer building a custom agent registry until portable identity standards mature

Since your 10-person AI engineering team must trade infrastructure work against feature shipping, avoid rolling your own access-control layer while cross-plane governance schemas remain undefined.

Standardize on Microsoft's control plane to secure your agent identity layer

Given your existing Entra ID footprint and SOC2 requirements, prioritize unified identity and audit logging over custom orchestration flexibility.
