Thinking about Microsoft 365 E7 and the AI governance story? Your upgrade path depends entirely on where you’re starting from — and the gaps are not what most people expect.
Microsoft 365 E7 launched May 1st. At $99/user/month it bundles M365 E5, Copilot, Entra Suite, and Agent 365 into a single SKU — Microsoft’s commercial answer to the agentic enterprise. But E7 isn’t the right starting conversation for every organisation. Some need to understand what Agent 365 actually is before committing to the full bundle. Others are already adding it as a standalone add-on on Business Premium or E3, assuming the governance job is done.
It isn’t. And the upgrade math from each starting point is different — and in one case, quietly expensive.
This post covers both: what Agent 365 is and how its licensing works, and the specific path from Business Premium, E3, and E5 to the full E7 governance story.
The control plane is real. But the controls live somewhere else.
Agent 365 is available as a standalone add-on at $15/user/month — licensed per user, not per agent. One license covers all agents owned or managed by that user, regardless of how many they’ve built. Agents themselves don’t need their own license.
The pitch is compelling: a unified control plane for every AI agent in your tenant. A registry. Blueprint governance. Shadow agent discovery. Entra Agent ID. The whole picture in a single view inside the M365 Admin Center and at ai.security.microsoft.com.
The Microsoft Learn docs say it directly: “Microsoft Agent 365 does not require specific product prerequisites to enable.” That’s accurate. Agent 365 will install, activate, and show you a registry of agents in your tenant without any other add-ons.
But there’s a sentence that follows which most people skip: “it is recommended that customers have Entra P1, Entra P2, or Entra Suite in addition to Purview Data Loss Prevention to make full use of the benefits.”
That gap between “enable” and “make full use of” is what the first half of this post is about. The second half is the upgrade path math — by starting point, by step, with the numbers that actually matter.
🏗️ What Agent 365 Actually Is
Before we talk about what’s missing, let’s be clear about what Agent 365 is — because the architecture matters here.
Agent 365 is not a standalone security product. It is a convergence layer — a unified surface that pulls identity signals from Entra, data risk signals from Purview, and threat signals from Defender, and presents them in a single view inside the M365 Admin Center and at ai.security.microsoft.com.
Think of it like a dashboard in a car. The dashboard doesn’t make the engine run, doesn’t power the brakes, doesn’t steer. It aggregates and displays what the mechanical systems underneath it are doing. If those systems aren’t present, the dashboard still exists — but most of the gauges are empty.
That’s the honest picture of Agent 365 on Business Premium or E3 without the supporting security stack.
🪪 How Agent 365 Licensing Actually Works
Before we get into capabilities, there’s a licensing model clarification worth making — because the Frontier preview created some confusion that hasn’t fully cleared up.
Agent 365 at GA is licensed per user, not per agent.
Microsoft is explicit: “For general availability, Agent 365 is licensed per user. All agents managed or owned by a licensed user, regardless of type, are covered under that user’s Agent 365 or Microsoft 365 E7 license. Agents don’t require their own Agent 365 or Microsoft 365 E7 license.”
This is a meaningful distinction. In the Frontier preview, licenses were assigned per agent instance and had to be allocated before an agent could be created. That model is gone at GA. Now the licensing anchor is the human user who owns or manages the agent — not the agent itself.
What this means practically:
- A developer who builds ten agents in Copilot Studio needs one Agent 365 license, not ten.
- Agents acting on behalf of a licensed user are covered under that user’s license.
- Users who consume or interact with agents don’t automatically need Agent 365 — though they may need M365 Copilot or Copilot Chat licenses depending on what the agent does and what data it accesses.
- Usage-based billing is separate. Agent 365 is the governance and control-plane entitlement. Agents that access SharePoint, Microsoft Graph, or external connectors can trigger metered billing in Copilot Studio depending on the scenario. These are different line items.
So the license model is: Agent 365 = governance entitlement for the user who owns agents. Runtime consumption = separate, depending on what the agent does.
With that clear, here’s what that $15/user actually unlocks — and what it doesn’t.
🗂️ What You Actually Get — And What You Don’t
Let me be specific, because vague warnings aren’t useful.
✅ What works on BP or E3 + Agent 365 alone
The Agent Registry — fully functional. Every agent in your tenant surfaces in the All Agents view in the M365 Admin Center. Microsoft-built agents, partner agents, agents your users built in Copilot Studio, and shadow agents — agents created without IT approval and shared informally across the organization. This works regardless of your security stack. The docs are explicit: viewing the agent inventory requires no license beyond Agent 365 itself.
This is genuinely useful. For many organisations, the registry alone is the first time IT has ever seen how many agents actually exist in their tenant. That visibility has real value.
Blueprint governance — fully functional. Creating blueprints, assigning agents to blueprints, and the lifecycle controls that come with them — including the kill-switch capability, where disabling a blueprint immediately deactivates every agent instance created from it — all of this works on the Agent 365 license alone. No Entra Suite, no Defender Suite required.
Entra Agent ID — partially functional. Every agent gets a first-class identity in Entra — an Agent ID — which is a new service principal subtype purpose-built for AI agents. This foundational registration works. And here’s the nuance that matters: because Business Premium and E3 both include Entra ID P1, two significant Entra security features for agents work immediately:
- Conditional Access for agents — requires Entra P1 or M365 E3. ✅ You have it.
- ID Governance for agents — requires Entra P1 or M365 E3. ✅ You have it.
This is more capability than most people realise. You can write Conditional Access policies that apply to agents — controlling what resources they can access, from where, under what conditions. You can manage agent entitlements and lifecycle through ID Governance. These aren’t trivial capabilities.
First-party agent observability — functional. For agents built on Copilot Studio and Azure AI Foundry, telemetry flows into Agent 365 automatically once Terms of Use are accepted. Invocation data, tool calls, error rates, timing — visible in Admin Center analytics. No additional licensing required.
❌ What doesn’t work without the supporting stack
This is where the dashboard gauges go dark.
Risk-based Conditional Access and ID Protection — not available. The ability to evaluate real-time risk signals when an agent authenticates — flagging anomalous behavior, unusual access patterns, impossible-location token requests — requires Entra ID P2. That’s not in Business Premium or E3. It requires either the Defender Suite add-on (which includes P2), the Entra Suite, or E5/E7. Without P2, your Conditional Access policies for agents are rule-based only — you define fixed conditions, but the platform cannot dynamically elevate risk or block an agent based on behavioral anomalies it has detected.
MDA behavioral threat detection — not available. The Risks column in the Agent Registry is one of Agent 365’s most compelling features — a real-time aggregation of high-severity signals from Entra, Defender, and Purview, surfaced per agent in a single view. Without Microsoft Defender for Cloud Apps (MDA), the Defender signal is absent. The column exists, but it’s populated only by Entra signals. You can see that an agent has a governance issue related to identity — but you cannot see behavioral anomalies, data exfiltration patterns, or threat detections from the security layer.
MDA is not in Business Premium or E3 natively. It arrives with the Defender Suite add-on or as part of E5/E7.
Purview DLP for agent data interactions — not meaningfully available. The data protection story for agents — stopping an agent from touching sensitive data it shouldn’t, enforcing DLP policies on agent interactions, surfacing data risk in the Risks column — requires Purview. Specifically it requires Purview DLP at a depth that Business Premium and E3 don’t include natively. Basic Purview DLP exists in both plans, but Insider Risk Management, Communication Compliance, advanced DLP for AI interactions, and Data Security Posture Management for AI (DSPM for AI) all require the Purview Suite add-on or E5/E7.
Without Purview depth, the data risk signal in the Risks column is dark. You can see that an agent exists and has an Entra identity. You cannot see whether it has been interacting with sensitive data it wasn’t supposed to touch.
Network controls for agents — not available. Entra Internet Access — the capability that gives you GSA-based shadow AI discovery, the ability to see which external AI tools your users are accessing and block them based on identity and risk — is part of the Entra Suite. It is not in Business Premium or E3. Without it, your visibility into external AI tool usage is limited to what MDA can capture via the MDE integration (which itself requires the Defender Suite), and the shadow AI discovery experience in the Agent Registry and Application Usage Analytics dashboard is unavailable.
📊 The Honest Capability Map
| Capability | Agent 365 on BP/E3 | + Defender Suite | + Purview Suite | + Entra Suite | E7 (Full) |
|---|---|---|---|---|---|
| Agent registry / inventory | ✅ Full | ✅ | ✅ | ✅ | ✅ |
| Shadow agent discovery | ✅ Full | ✅ | ✅ | ✅ | ✅ |
| Blueprint governance / kill-switch | ✅ Full | ✅ | ✅ | ✅ | ✅ |
| First-party agent observability | ✅ Full | ✅ | ✅ | ✅ | ✅ |
| Conditional Access for agents (P1) | ✅ Already in BP/E3 | ✅ | ✅ | ✅ | ✅ |
| ID Governance for agents (P1) | ✅ Already in BP/E3 | ✅ | ✅ | ✅ | ✅ |
| Risk-based CA / ID Protection (P2) | ❌ | ✅ | ❌ | ✅ | ✅ |
| MDA behavioral risk detection | ❌ | ✅ | ❌ | ❌ | ✅ |
| Risks column fully populated | ⚠️ Entra only | ⚠️ Entra + Defender | ⚠️ Entra + Purview | ⚠️ Entra + Network | ✅ All signals |
| Purview DLP for agent interactions | ⚠️ Basic only | ⚠️ Basic only | ✅ Full | ⚠️ Basic only | ✅ Full |
| DSPM for AI | ❌ | ❌ | ✅ | ❌ | ✅ |
| Shadow AI discovery (external tools) | ❌ | ❌ | ❌ | ✅ | ✅ |
| Security Copilot SCUs | ❌ | ❌ | ❌ | ❌ | ✅ (via E5) |
The pattern here is important. Agent 365 on BP or E3 gives you a governance foundation — visibility, identity registration, basic access controls. What it doesn’t give you is the risk intelligence layer. You can see the agents. You cannot see if any of them are behaving badly or touching data they shouldn’t be touching.
That’s the gap.
🚨 The Visitor Badge Analogy
Here’s the way I explain this in client conversations.
Agent 365 on Business Premium or E3 is like installing a visitor badge system in your office. You can see who’s in the building. You can control which doors they’re allowed to open. You can issue and revoke badges. If someone’s badge expires, they can’t get in anymore.
What you can’t do: watch what they’re doing inside the rooms. Detect if one of them is copying files from a cabinet they’re not supposed to be in. Flag one that’s been in the server room for six hours when they were only supposed to be in the lobby. Alert when a visitor starts behaving in ways that look like reconnaissance.
For that, you need cameras, sensors, and a security operations team watching the feed. In the Microsoft stack, those are Defender, Purview, and Entra Suite. Agent 365 is the badge system. The other products are the security infrastructure.
Both matter. But you can’t have a complete security story with just the badge system.
🔄 Part Two: The Upgrade Paths That Actually Make Sense
Let’s be direct about the commercial reality. If Agent 365 on BP or E3 is the foundation, here’s what you’re building toward — and what the math looks like at each step.
Starting Point: Business Premium ($22/user/month)
Business Premium already includes Entra ID P1, which means Conditional Access for agents and ID Governance for agents work the moment you add Agent 365. That’s a better starting position than most people realise.
The recommended build sequence:
Step 1 — Add Agent 365 ($15/user — licensed per user, not per agent). Total: $37/user.
You get the registry, shadow agent discovery, blueprint governance, Conditional Access for agents, ID Governance for agents, and first-party observability. Every agent owned or managed by a licensed user is covered — no per-agent allocation required. This is a legitimate governance foundation for organisations not yet running Copilot at scale. The Risks column will show Entra signals only. Know that going in.
Step 2 — Add the Defender + Purview Suite combo ($15/user). Total: $52/user.
This is the most impactful single commercial move available on Business Premium. You get Defender for Endpoint P2, MDA (which fills the Defender signal in the Risks column), Entra ID P2 (risk-based Conditional Access for agents), Purview Insider Risk, advanced DLP, and DSPM for AI. The Risks column now has three of its four signal sources. The governance story is substantially more complete.
Step 3 — Add Entra Suite ($12/user). Total: $64/user.
This adds GSA Internet Access, shadow AI discovery for external tools, and network-level agent controls. The Risks column is now fully populated. This also unlocks the Application Usage Analytics dashboard and the shadow AI discovery experience that shows you which external AI tools your users are accessing alongside your sanctioned agents.
Step 4 — Add Copilot Business ($21/user) + Intune Suite ($10/user). Total: $95/user.
At this point you are at near-complete E7 parity on capability. The remaining gaps versus E7 are Security Copilot SCUs (not available at the Business Premium tier) and the 300-seat ceiling that applies to all Business Premium add-ons.
At $95/user assembled versus E7 at $99/user, the conversation becomes: do you want four separate agreements and a seat ceiling, or one SKU with no ceiling and Security Copilot included?
Starting Point: Microsoft 365 E3 ($39/user/month)
E3 post-July 2026 is a better base than it was — it now includes Intune Plan 2, Remote Help, Advanced Analytics, and Defender for Office P1. It still includes Entra ID P1, so the same Conditional Access and ID Governance for agents story applies.
The recommended build sequence:
Step 1 — Add Agent 365 ($15/user — per user, all owned/managed agents covered). Total: $54/user.
Same starting capability as Business Premium + Agent 365. Registry, blueprints, shadow agent discovery, Conditional Access and ID Governance for agents via the included P1. The same caveats apply — Risks column shows Entra signals only.
Step 2 — Here is where the E3 math gets dangerous.
To get the full Defender and Purview depth on E3, you’re paying $12/user for the Defender Suite and $12/user for the Purview Suite — $24/user versus the $15 combo available on Business Premium. E3 does not get the combo discount. After Step 2, you’re at $79/user and still missing Entra Suite, Copilot, and Intune Suite additions.
The assembled E3 stack to reach E7 parity looks like this:
| Component | Cost |
|---|---|
| E3 base | $39 |
| Agent 365 | $15 |
| Defender Suite | $12 |
| Purview Suite | $12 |
| Entra Suite | $12 |
| Intune Suite | $10 |
| Copilot | $30 |
| Total | $130/user |
That’s $31/user more than E7 at $99. For 200 users, that’s $74,400 per year in avoidable commercial overhead. Every time.
The honest guidance on E3: Add Agent 365 as an entry point if you need the registry and governance foundation immediately. But do not build the full add-on stack. The moment you’re adding more than one security or compliance add-on to E3, you should be having the E5 or E7 conversation instead. The math doesn’t work any other way.
Starting Point: Microsoft 365 E5 ($60/user/month)
E5 customers are the cleanest E7 story. E5 already includes the full Defender XDR stack, Purview E5 compliance, Entra ID P2, full Intune Suite, and Security Copilot SCUs. The three gaps that E5 doesn’t close are:
- No Entra Suite (no GSA Internet Access, no shadow AI discovery for external tools)
- No M365 Copilot (still a $30/user add-on)
- No Agent 365 ($15/user standalone)
Assembled: $60 + $30 + $12 + $15 = $117/user. E7 costs $99/user.
For an E5 customer already running Copilot, the E7 math is straightforward: $18/user/month saved, one agreement instead of three, Security Copilot SCUs auto-provisioned at 400 per 1,000 users, and Agent 365 included. For 500 users already paying for Copilot, that’s $108,000/year at list price. That’s the renewal conversation.
🎯 What This Means for Your Next Client Conversation
The Agent 365 standalone purchase on Business Premium or E3 is not a mistake — but it needs to be framed correctly. Here’s how I’m handling it:
For clients on Business Premium who just added Agent 365: Tell them what they have. The registry, blueprints, shadow agent discovery, and the P1-backed identity controls are real and useful. Show them the Risks column and explain which signals are populated. Be direct that the Defender and Purview signals are dark without the add-ons. Give them the Step 2 recommendation — the Defender + Purview combo at $15 — as the next move that unlocks the most capability for the least additional spend.
For clients on E3 who are thinking about adding Agent 365: Do the math with them before they buy anything. Show them the full add-on stack at $130 versus E7 at $99. Agent 365 as a standalone starting point is fine if the registry and basic governance are the immediate priority. But frame the destination as E5 or E7, not E3 fully loaded. The E3 add-on path is a commercial trap that gets more expensive the further you go.
For clients on E5 already running Copilot: This is the E7 conversation. Pull the current spend, model E7 at renewal, show the $18/user saving. The governance gap — no Entra Suite for shadow AI discovery, no Agent 365 for the registry — is the technical hook. The $18 saving is the commercial close.
🧠 The Bottom Line
Agent 365 is a genuinely important product. The registry is real. The blueprint governance is real. The shadow agent discovery is real. For organizations that have never had visibility into what agents exist in their tenant, even the standalone version at $15/user delivers meaningful value.
But it is a convergence surface, not a security stack. It aggregates signals from Entra, Defender, and Purview. If those underlying platforms aren’t present, the signals aren’t there to aggregate. And the most important signals — behavioral risk detection, data risk from agent interactions, network-level threat intelligence — are precisely the ones that require the Defender, Purview, and Entra Suite layers that Business Premium and E3 don’t include natively.
Buying Agent 365 on BP or E3 and calling the governance problem solved is like installing a smoke detector without wiring it to power. The device is there. The protection isn’t complete.
The path forward is clear. The math is clear. The question is whether you do it piecemeal or all at once.
Jonathan Blaue is a solution architect focused on the Microsoft cloud ecosystem. InfraBytes is his technical blog at jonathanblaue.com.