Microsoft Foundry Agent Security Moves to Agent 365: The Beginning of Enterprise AI Governance
Introduction
For years, security teams protected applications, identities, workloads, and data independently.
The rise of autonomous AI agents changes that model entirely.
An AI agent can authenticate, access sensitive information, invoke APIs, execute workflows, interact with business applications, make decisions, and even collaborate with other agents without direct human involvement.
From Microsoft's perspective, these agents are no longer applications.
They are digital workers.
This is precisely why Microsoft announced that the security capabilities previously delivered for Microsoft Foundry agents through Microsoft Defender for Cloud will transition to the new Microsoft Agent 365 licensing model beginning 1 July 2026.
Many organizations will initially view this as a commercial licensing update.
Architecturally, however, this is one of the most significant shifts in Microsoft's AI security strategy since the introduction of Zero Trust.
Why Defender for Cloud Was No Longer Enough
Microsoft Defender for Cloud was originally designed around three security pillars:
- Cloud Security Posture Management (CSPM)
- Cloud Workload Protection (CWPP)
- Threat Protection for cloud services
These capabilities work exceptionally well for:
- Virtual Machines
- Containers
- Kubernetes
- Databases
- Serverless workloads
- Azure AI services
AI agents introduce an entirely different security challenge.
Unlike traditional workloads, agents possess:
- Memory
- Context awareness
- Decision-making capabilities
- Tool execution permissions
- Data access rights
- Multi-agent communication capabilities
- Autonomous reasoning workflows
An AI agent can become:
- An insider threat
- A privileged identity
- A lateral movement vector
- A data exfiltration mechanism
- A compliance risk
Traditional workload security simply wasn't designed for this reality.
Microsoft's New Philosophy: "Manage Agents Like You Manage Employees"
At Microsoft Ignite, Microsoft introduced a new concept:
Agents are the applications of the AI era.
The implication is profound.
Organizations already manage humans using:
- Identity
- Conditional Access
- Governance
- Compliance
- Risk policies
- Threat protection
- Audit trails
Microsoft now intends to apply the exact same operating model to AI agents through Agent 365.
What Changes on 1 July 2026?
Starting from July 2026, the following Microsoft Foundry security capabilities will no longer be provided through Defender for Cloud licensing:
Agent Discovery
Organizations previously relied on Defender CSPM to discover AI agents running in Microsoft Foundry environments.
This capability now becomes part of Agent 365 inventory services.
Security Posture Management
Security recommendations and configuration assessments for AI agents move to Agent 365 posture management.
Threat Detection
Agent-specific detections previously powered through Defender for AI Services transition to Agent 365 observability telemetry.
Runtime Protection
Threat detection logic is rebuilt around Agent 365 behavioral analytics rather than traditional cloud workload signals.
Organizations without Agent 365 licensing will lose access to these controls after the transition date.
The Birth of Agent Observability
Traditional cloud security focuses on telemetry such as:
- CPU usage
- Network traffic
- Process creation
- Container activity
- API calls
Agent security introduces entirely new telemetry categories:
- Prompt execution history
- Tool invocation chains
- Memory interactions
- Context retrieval operations
- Agent-to-agent communication
- Decision reasoning paths
- External connector usage
Microsoft calls this new dataset:
Agent Observability Logs
These logs become the foundation for:
- Detection engineering
- Threat hunting
- Behavioral analytics
- Runtime policy enforcement
- Compliance investigations
This is arguably the biggest innovation in Microsoft's AI security stack.
Advanced Hunting Changes Every SOC Team Must Know
One change that will surprise many SOC teams is the deprecation of:
AIAgentsInfo
The new source of truth becomes:
AgentsInfo
Any of the following must be updated:
- Workbooks
- Detection rules
- Custom analytics
- Sentinel playbooks
- Threat hunting queries
- SOC dashboards
Failure to migrate these queries may result in complete visibility loss after the cutover.
Example:
AgentsInfo
| summarize arg_max(Timestamp, *) by AgentId
| where LifecycleStatus != "Deleted"
Zero Trust for Non-Human Identities
The industry has spent years discussing machine identities.
Agent identities are significantly more complex.
An AI agent can:
- Request access
- Consume privileged data
- Trigger business workflows
- Interact with SaaS applications
- Delegate actions to another agent
Microsoft addresses this challenge using:
- Agent Registry
- Entra Agent ID
- Least Privilege Access
- Runtime Controls
- Behavioral Monitoring
- Policy Enforcement
This effectively extends Zero Trust from humans and workloads to autonomous AI systems.
Why This Matters for Security Architects
The security architecture conversation is rapidly changing from:
"How do we secure Azure AI?"
to:
"How do we govern autonomous digital workers?"
Future attack scenarios will include:
- Prompt injection attacks
- Agent privilege escalation
- Unauthorized tool execution
- Context poisoning
- Multi-agent lateral movement
- AI-driven insider threats
Agent 365 is Microsoft's answer to this new threat landscape.
Strategic Recommendation for Enterprises
Organizations deploying Microsoft Foundry should begin preparation immediately.
Priority 1
Validate Agent 365 licensing requirements.
Priority 2
Inventory all custom KQL queries using:
AIAgentsInfo
Priority 3
Review existing Defender alert integrations and automation workflows.
Priority 4
Prepare migration to Agent observability telemetry.
Priority 5
Develop governance standards for agent lifecycle management.
The organizations that establish these controls today will be the ones capable of scaling AI securely tomorrow.
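For Priority 2 and the Advanced Hunting migration described earlier, the following added example (not from Microsoft or the original post) scans exported queries for live references to the deprecated AIAgentsInfo table, skipping `//` comments and already-migrated AgentsInfo queries. The file names and rule contents are constructed samples, and because the page does not state whether the two tables share a schema, the script only inventories references and does not rewrite them.

```python
import json
import re

# Whole-identifier match for the deprecated table: "AgentsInfo" must not hit.
TABLE_RE = re.compile(r"(?<![A-Za-z0-9_])AIAgentsInfo(?![A-Za-z0-9_])")

def strip_comment(line):
    """Drop a trailing // comment, ignoring // inside quoted strings."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif line.startswith("//", i):
            return line[:i]
    return line

def find_refs(kql):
    """Return [(line_no, line)] for live references to the deprecated table."""
    return [(n, line.strip()) for n, line in enumerate(kql.splitlines(), 1)
            if TABLE_RE.search(strip_comment(line))]

def queries_in(name, text):
    """Yield candidate KQL: the whole file, or each string value of a JSON export."""
    if not name.endswith(".json"):
        yield text
        return
    stack = [json.loads(text)]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
        elif isinstance(node, str):
            yield node

def inventory(files):  # file name -> hits; files without hits are omitted
    report = {name: [h for q in queries_in(name, text) for h in find_refs(q)]
              for name, text in files.items()}
    return {name: hits for name, hits in report.items() if hits}

SAMPLES = {  # constructed sample content, not real rules or workbooks
    "hunt_agents.kql": "AIAgentsInfo\n| summarize arg_max(Timestamp, *) by AgentId\n",
    "migrated.kql": '// was: AIAgentsInfo\nAgentsInfo\n| where LifecycleStatus != "Deleted"\n',
    "rule_export.json": json.dumps({"properties": {"query": "let a = AIAgentsInfo\n| distinct AgentId;\na | count"}}),
}
if __name__ == "__main__":
    print(inventory(SAMPLES))
```

For a real inventory, replace SAMPLES with a mapping built from the exported rule, workbook, and playbook files; line numbers for JSON exports are relative to the embedded query string, not the file.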
Final Thoughts
The transition from Defender for Cloud to Agent 365 represents much more than a product realignment.
Microsoft is creating an entirely new security category:
Agent Security Operations
Just as cloud security created CSPM and CNAPP, the next decade will likely introduce:
- Agent Security Posture Management (ASPM)
- Agent Detection and Response (ADR)
- Agent Identity Governance (AIG)
- Agent Runtime Protection (ARP)