Control 2.25: Microsoft Agent 365 — Admin Center Governance Console
Control ID: 2.25
Pillar: Management
Regulatory Reference: FINRA Rule 3110 (Supervision), FINRA Rule 4511 (Books and Records), FINRA Regulatory Notice 25-07 (AI Tools), SEC Rules 17a-3/17a-4 (Recordkeeping), SOX Sections 302/404 (Internal Controls), GLBA 501(b) (Safeguards Rule), OCC Bulletin 2011-12 (Technology Risk Management), NYDFS 23 NYCRR 500 (Cybersecurity)
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated
Generally Available — May 1, 2026
Microsoft Agent 365 reached general availability on May 1, 2026. It is licensed two ways: (1) bundled in Microsoft 365 E7 — the "Frontier Suite" combining E5, Microsoft 365 Copilot, Microsoft Entra Suite, and Agent 365 — or (2) as a standalone Microsoft Agent 365 per-user license layered on top of a Microsoft 365 Copilot prerequisite. Agents acting on behalf of a licensed user (OBO) are covered under that user's license; autonomous agent identities with their own mailboxes and broad permissions remain in preview at GA and are out of scope for this control until Microsoft publishes GA licensing for that pattern.
Organizations on the pre-GA Frontier feature program should plan their transition to GA licensing. Tenants that did not participate in Frontier can adopt Agent 365 directly at GA without prior enrollment. See Agent 365 overview for current SKU and entitlement guidance.
Configuration steps in this control were verified against the pre-GA Frontier experience in March 2026 and refreshed for the GA release in April 2026. Re-verify portal navigation periodically — naming, entry points, and the Default Governance Template policy composition are expected to evolve in 2026 Wave 1 and Wave 2 release cycles.
Sovereign Cloud Availability — GCC, GCC High, DoD
As of GA (May 1, 2026), Microsoft has not announced parity availability for the Agent 365 Admin Center, governance templates, or admin-gated publish/activate workflows in GCC, GCC High, or DoD. Underlying Copilot agents (Researcher, Analyst) are rolling into US Gov clouds on a separate, lagging schedule, and no public Microsoft roadmap item names "Agent 365 admin center governance console" parity for sovereign clouds. FSI tenants operating in sovereign clouds should:
- Not treat this control as technically enforceable in GCC, GCC High, or DoD until Microsoft publishes parity guidance.
- Maintain a documented compensating control: named human owner in the Control 1.2 Agent Registry, manual quarterly attestation, change-management approval per Control 2.3, and SoD per Control 2.8.
- Disclose the absence of native technical enforcement in the firm's Written Supervisory Procedures so FINRA, OCC, or NYDFS examiners are not surprised.
- Re-verify the sovereign roadmap quarterly via the Microsoft 365 Government roadmap and the Microsoft Agent 365 overview.
Agent Management Essentials prerequisites
Microsoft documents AI Administrator, Entra Global Admin, and Entra Global Reader (view only) as the primary roles for managing agents in the Microsoft 365 admin center. The role catalog further records that, at GA, Agent 365 administrative access is limited to Entra Global Admin and AI Administrator — no fine-grained or read-only Agent 365-specific roles are planned for the GA wave (see docs/reference/role-catalog.md). Use least-privilege role assignment for day-to-day operations and apply Microsoft Entra Privileged Identity Management (PIM) to Entra Global Admin.
Objective
Establish administrative governance over Microsoft 365 AI agents through the Microsoft Agent 365 Admin Center governance console — the unified control plane for agent lifecycle management, publication and activation approval workflows, governance template enforcement, ownerless-agent remediation, and operational monitoring. This control supports compliance with FINRA Rule 3110 (Supervision), FINRA Rule 4511 (Books and Records), SEC Rules 17a-3/17a-4 (Recordkeeping), SOX Sections 302/404 (Internal Controls), GLBA 501(b), OCC Bulletin 2011-12, and NYDFS 23 NYCRR 500 by providing an admin-governed approval and monitoring surface for organization-published and activation-gated agents. It does not replace written supervisory procedures, supervisory review, or required registered-principal oversight where those obligations apply.
Why This Matters for FSI
- FINRA Rule 3110 (Supervision): FINRA requires broker-dealers to establish and maintain a supervisory system reasonably designed to achieve compliance with applicable rules. AI agents executing on behalf of registered representatives or handling customer communications represent a supervisory risk if deployed without adequate review and ongoing monitoring. Agent 365's admin approval workflow creates a documented chain of supervisory review before any agent becomes active, supporting — but not substituting for — the firm's obligation to assign an appropriately registered principal where Rule 3110 requires registered supervisory responsibility. Governance tooling provides examiner-ready attribution; it does not relieve the firm of WSP, registration, or qualification requirements. FINRA examination staff have begun requesting evidence of AI tool governance during cycle exams (see FINRA Regulatory Notice 25-07); the Agent 365 inventory export and governance card history provide audit-ready artifacts.
- SEC Rules 17a-3/17a-4 (Recordkeeping): Broker-dealers must retain records of business activities conducted through technology systems. Agents that generate communications, process orders, retrieve customer data, or produce research outputs may generate records subject to retention requirements. The Agent 365 registry — including agent metadata, approval history, and activity logs — must be treated as part of the firm's books and records. The inventory export function supports regular snapshots as required documentation.
- SOX 302/404 (Internal Controls): SOX requires management attestation and auditor assessment of internal controls over financial reporting. AI agents with access to financial systems, reporting pipelines, or sensitive financial data represent a potential control risk. The Agent 365 governance console is the primary mechanism for establishing control over which agents have access to what data, who approved them, and whether controls remain in place — all of which may be in scope for IT general controls (ITGC) testing.
- OCC Bulletin 2011-12 (Technology Risk Management): The OCC expects supervised institutions to manage risks arising from technology, including tools developed by or integrated with third parties. Agent 365's governance templates — which bundle Entra Identity Protection, Purview audit policies, and SharePoint access controls — directly support the layered security and vendor risk management principles of OCC 2011-12. Institutions must document that governance controls are applied consistently and tested periodically.
Control Description
| Capability | Description |
|---|---|
| Agent 365 Overview Dashboard | Hero metrics panel showing Agent Registry count, Active Users, Total Sessions, Exception Rate, and Agent Runtime over the last 30 days. Provides instant operational awareness and anomaly detection for governance staff. Agent 365 provides the unified registry and discovery layer for AI agents, while Microsoft Entra Agent ID serves as the IAM foundation for agent identity, authentication, and policy enforcement. |
| Governance Cards | Persistent action panels on the Overview page: Pending Requests (sorted oldest-first with week-over-week delta badge) and Ownerless Agents (with inline Assign Owner action). These cards drive daily/weekly governance queue management. |
| Agent Registry | Complete inventory of all agents in the tenant, including publisher, platform, owner, status, and deployment scope. Filterable and exportable for audit and examination preparation. |
| Publishing Approval Workflow | Admin-gated publish flow requiring review of agent description, owner, data connections, and tools before scoping the audience and completing publication. Prevents shadow AI deployment. |
| Activation Approval Workflow | For agents requiring an instance to be created, admins review and approve activation requests separately from publication, allowing phased rollout control. |
| Deploy, Pin, Block, Remove, Delete | Lifecycle actions enabling admins to push agents to users automatically (Deploy), surface them in Copilot (Pin), restrict access org-wide (Block), remove from inventory (Remove, re-addable), or permanently delete with associated files (Delete). |
| Approve Updates | Holds agent updates in a pending state until an admin reviews and approves; the previous version remains active until approval is granted, preventing unreviewed changes from reaching users. |
| Governance Templates | Configurable policy bundles applied at publish or activate time. Microsoft documents the Default Template at GA as bundling a baseline set of Microsoft Entra Identity Protection, Lifecycle Management, SharePoint access, and Microsoft Purview Audit / AI Compliance Assessment policies, plus auto-assignment of the Agent 365 license. Verify the exact policy composition in your tenant after each Microsoft release wave before asserting any specific policy is enforced. Custom Templates extend the default with additional policies such as Entra Access Packages, Global Secure Access (GSA) network visibility, Purview Know Your Data, SharePoint Content Permissions Insights, and other governance components per firm policy. |
| Agent Analytics | Breakdown of agents by publisher (org-created vs. external), by platform (Copilot Studio, Azure AI Foundry, partner platforms), and an Active Users Over Time trend chart for capacity and risk planning. |
| Researcher with Computer Use | Admin-controlled configuration for the Researcher agent's Computer Use capability — generally available since October 2025 for tenants with Microsoft 365 Copilot licensing (no longer Frontier-gated). Configures access scope (all users / specific groups / no users), Work data access toggle (off by default; user-enableable unless admin restricts), and Website Access policy (allow all / specific URLs / exclude specific URLs). Configured at Microsoft 365 admin center > Integrated Apps > Agents > Researcher > Computer Use. |
| Inventory Export | One-click export of the full agent inventory as a downloadable file (CSV or Excel, per current Microsoft documentation) for audit evidence, examination submission, and offline reporting. At minimum confirm exports include: agent ID, display name, publisher, platform, owner UPN, status, deployment scope, governance template applied, last approval timestamp, and approver UPN. Where Microsoft's export omits any of these, supplement with the Microsoft Graph API or the Control 1.2 Agent Registry record. |
Key Configuration Points
- Agent 365 Licensing (prerequisite): Confirm the tenant has appropriate Agent 365 licensing — either via Microsoft 365 E7 (the "Frontier Suite") or the standalone Microsoft Agent 365 per-user license layered on a Microsoft 365 Copilot prerequisite. Pre-GA tenants required Frontier enrollment; at GA navigate to Microsoft 365 admin center > Billing > Licenses to verify Agent 365 license assignments. At least one Microsoft 365 Copilot license is required as a base prerequisite.
- Establish admin approval as the default: Ensure that all agent publication and activation paths require admin approval. Do not bypass the publishing wizard by granting end users self-service publish rights in Zone 2 or Zone 3 environments. Document the rationale in your AI governance policy.
- Assign AI Administrator for day-to-day operations: Reserve Entra Global Admin for tenant enrollment, licensing, and emergency actions (managed under PIM). Use AI Administrator for routine approval, registry, deployment, and blocking tasks; use Entra Global Reader for evidence-only access.
- Apply governance templates at publish time: During the publishing wizard, the Apply Template step must not be skipped. Zone 2 agents must receive at minimum the Default Governance Template. Zone 3 agents must receive a Custom Governance Template that includes an Entra Access Package for scoped, time-bound access authorization.
- Configure Researcher with Computer Use explicitly: Navigate to Integrated Apps > Agents > Researcher > Computer Use and make an affirmative access decision for every zone (do not leave in default-on state). Computer Use is generally enabled for tenants with Copilot licensing unless explicitly disabled by an admin; FSI Zone 2 and Zone 3 organizations should make an affirmative restrictive decision rather than relying on default-on. For Zone 3 institutions handling MNPI or trading data, set access to No Users or specific controlled groups, and restrict Website Access to an approved URL allowlist.
- Schedule Pending Requests review: Assign a named governance administrator responsible for reviewing the Pending Requests governance card on a defined cadence (weekly for Zone 2, daily for Zone 3). Oldest-pending requests should not exceed the firm's documented SLA. SLAs in this control are illustrative defaults; firms must set and document their own SLAs in the AI governance policy and WSPs — examiners will hold the firm to its own documented SLA.
- Remediate Ownerless Agents immediately: The Ownerless Agents governance card should be reviewed at every governance session. Use the inline Assign Owner action to assign a named, accountable owner before the next governance cycle closes. Ownerless agents pose both a regulatory (no supervisory chain) and a security (no incident contact) risk.
- Export inventory monthly: Use Agents > All Agents > Export to produce a monthly inventory snapshot. Retain exports in a compliance repository on WORM-protected storage with a retention period matching SEC 17a-4 / FINRA 4511 obligations (treat the entire signed evidence pack as 6-year retention; 3-year minimums apply only to non-supervisory artifacts where the firm has documented that classification). Name exports with ISO 8601 date stamps for unambiguous audit-trail chronology.
- Monitor exception rate: Track the Exception Rate hero metric (percentage of sessions completing without errors) on the Overview dashboard. Configure alerting or a manual threshold (e.g., >5% exception rate triggers escalation) and document the threshold in your incident response runbook.
- Document admin consent grants: When governance templates apply policies that require admin consent (e.g., Entra Identity Protection for agents), ensure that the consent grant is logged by the approving administrator with a named business justification, retained in the change management system per Control 2.3.
Do Not Grant End-User Self-Service Publishing in Regulated Zones
Granting end users the ability to publish agents without admin approval in Zone 2 or Zone 3 environments directly undermines the supervisory chain required by FINRA Rule 3110 and the internal control framework required by SOX 404. Any deviation from admin-gated publishing must be documented as an accepted risk with CISO and compliance sign-off, subject to annual review. There is no regulatory safe harbor for unreviewed AI agent deployments in broker-dealer or banking environments.
Agent Suggestions — Planned 2026 Wave 1
Microsoft's 2026 Wave 1 release plan includes a planned feature where Microsoft 365 Copilot may suggest agents to users based on their work patterns (target GA per the 2026 Wave 1 release plan; verify the current roadmap status before reliance). This creates a potential shadow-agent governance risk in FSI environments — users may discover and interact with agents they did not explicitly seek, potentially accessing sensitive data or engaging with agents that have not completed the firm's vetting and approval process.
Governance action: When this feature becomes available, organizations should configure agent suggestion policies in the Agent 365 Admin Center to restrict suggestions to approved and governed agents only. Implementation requires verifying that suggestion policies align with existing publication approval workflows and governance templates documented in this control.
Zone guidance: Zone 2 environments should limit suggestions to agents that have received admin approval and have a Default Governance Template applied. Zone 3 environments should restrict suggestions exclusively to agents that have completed the full approval workflow — including Custom Governance Template application, compliance officer sign-off, and Entra Access Package assignment. This restriction aids in maintaining the supervisory chain required by FINRA Rule 3110 and helps meet SOX 404 internal control requirements.
Status: This feature is planned and not yet generally available. Monitor the Microsoft Power Platform 2026 Wave 1 release plan for availability updates. Implementation guidance in this control will be updated when the feature reaches general availability. Organizations should verify feature availability and configuration options in their tenant before taking action.
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Enroll in Frontier if applicable to the user's license. Review Agent Registry to understand which agents are available. Review Pending Requests weekly as an informational task. Understand inventory export for personal records. | Zone 1 users operate with minimal regulatory exposure but should maintain awareness of the agents available to them and their data access scope for personal risk management. |
| Zone 2 (Team) | Configure and enforce admin approval workflow for all agent publication and activation. Apply the Default Governance Template to all Zone 2 agents at publish time. Conduct weekly review of both governance cards (Pending Requests and Ownerless Agents). Resolve all pending requests within a 5-business-day SLA. Export inventory quarterly. | Zone 2 environments typically involve shared team data, collaborative workflows, and group-level Copilot usage. Admin approval and default governance templating ensure baseline supervisory oversight and data governance consistent with FINRA and SEC requirements without requiring the full custom template overhead of Zone 3. |
| Zone 3 (Enterprise) | Mandatory Custom Governance Template including Entra Access Package for all Zone 3 agents. Mandatory pre-publication security review with named compliance officer sign-off documented in the change management system. Daily monitoring of Exception Rate and Active Users metrics on the Overview dashboard. Export inventory monthly and retain as examination evidence. Fully document the agent approval chain (requestor, reviewer, approver, compliance sign-off) for every agent in the registry. Configure Researcher with Computer Use access to specific approved groups only, with a restricted website allowlist. | Zone 3 environments handle the firm's most sensitive data — including customer PII, trading data, financial reporting inputs, and MNPI — and are subject to the full weight of FINRA, SEC, SOX, and OCC oversight. Every agent operating in Zone 3 must be traceable to an accountable owner, approved through a documented chain of review, governed by the full policy bundle, and continuously monitored for anomalous behavior. Examination staff at FINRA and the OCC routinely request evidence of AI governance controls; Zone 3 documentation must be examination-ready at all times. |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Entra Global Admin | Enroll the tenant in Microsoft Agent 365 (or pre-GA Frontier); assign top-level licensing; configure tenant-wide admin approval settings; grant admin consent where broader tenant permissions are required. Operate under PIM with just-in-time activation. |
| AI Administrator | Day-to-day agent administration in the Microsoft 365 admin center, including approval, deployment, blocking, and registry review. Least-privilege role for routine governance operations per Microsoft's documented role mapping. |
| Entra Global Reader | Read-only access for evidence collection, examiner walk-throughs, and monthly inventory reviews where write access is not required. |
| AI Governance Lead | Operate the Agent 365 console daily (Zone 3) or weekly (Zone 2); review and act on Pending Requests and Ownerless Agents governance cards; execute inventory exports on schedule; monitor exception rate against threshold; sign quarterly attestation evidence pack. |
| Purview Compliance Admin | Configure and maintain the Microsoft Purview Audit, Know Your Data, and AI Compliance Assessment policies that are referenced by Agent 365 governance templates; coordinate with the AI Administrator on template-to-policy linkage; provide compliance evidence for examination. |
| Power Platform Admin | Maintain Copilot Studio environment governance underlying agents that surface in Agent 365; coordinate environment lifecycle and DLP policies that interact with agent data connections. |
| Compliance Officer | Provide sign-off on agent publication requests in Zone 3; review governance template policy bundles for regulatory adequacy; support evidence collection for management's SOX 302/404 control attestations (executive certification remains with management); engage with FINRA, OCC, or NYDFS examination staff regarding AI governance evidence. |
| Information Security Officer | Review agents' data connections and tool permissions during the publishing approval workflow; assess risk of Researcher with Computer Use configurations; respond to exception rate alerts; conduct periodic governance template adequacy reviews. |
| Technology Risk Manager | Incorporate Agent 365 governance console operations into the technology risk framework per OCC 2011-12; document agent governance as an IT general control for SOX purposes; escalate ownerless agent findings to the risk committee. |
| Agent Owner | Maintain accountability for assigned agents; respond to governance administrator inquiries; submit update approval requests through the publishing workflow; ensure agent purpose and data access remain within approved scope. |
| Change Management Lead | Integrate agent publication and update approvals into the firm's change management process per Control 2.3; maintain change records linking each agent approval to a change ticket. |
Related Controls
| Control | Relationship |
|---|---|
| 1.2 — Agent Registry and Integrated Apps Management | Foundational registration / inventory control. Reconcile the Agent 365 console registry view regularly with the authoritative inventory and metadata record maintained under Control 1.2 — Control 2.25 extends 1.2 with the Agent 365 console's full lifecycle management, governance templates, and operational monitoring capabilities. |
| 2.26 — Entra Agent ID Identity Governance | Identity-layer prerequisite. Microsoft Entra Agent ID provides the sponsored, lifecycle-governed identity object that Agent 365 manages. Zone 3 deployments under 2.25 require 2.26 to be operational — agent identities without sponsors, access packages, and lifecycle workflows fail SOX 404 access-control attestation regardless of whether 2.25 controls are configured. The 2.26 sovereign-cloud limitations propagate to 2.25 (see the Sovereign Cloud Availability admonition above). |
| 3.1 — Centralized Logging and SIEM Integration | Authoritative inventory and audit-event forwarding control. Agent 365 governance evidence (approval records, governance card outcomes, inventory exports) must be forwarded to the firm SIEM with 6-year retention per 3.1 to support FINRA 4511 / SEC 17a-4 examiner requests. |
| 2.3 — Change Management and Release Planning | Agent publication, activation, and update approvals processed through Agent 365 must be logged as change events per Control 2.3. The publishing wizard approval chain serves as the change authorization record. |
| 3.13 — Agent 365 Admin Center Analytics and Reporting | Companion reporting control (planned); operationalizes the analytics surfaces (by publisher, by platform, Active Users Over Time) available within the Agent 365 console documented here. Verify availability before relying on it. |
| 3.6 — Orphaned Agent Detection and Remediation | The Ownerless Agents governance card in the Agent 365 console is the primary detection mechanism for the remediation workflow defined in Control 3.6. Assignments made via the Assign Owner action must be reflected in the Control 3.6 orphaned agent register. |
| 1.11 — Conditional Access and MFA | Conditional Access policies referenced in the Default Governance Template are configured and maintained per Control 1.11. Governance template application in Agent 365 assumes 1.11 baseline CA policies are in place. |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- Agent 365 licensing confirmed: Billing > Licenses shows Agent 365 or Microsoft 365 E7 licenses assigned to governance-relevant users; Agents section is visible in the M365 admin center left navigation.
- Admin approval workflow enforced (objective evidence test): For a random sample of N≥10 agents per quarter from the Agent Registry export, every record contains a non-null approver UPN and approval timestamp, and each can be traced to a corresponding change ticket per Control 2.3. Any agent without these fields is treated as a control exception requiring written remediation.
- Governance template applied universally (evidence test): Every Zone 2 and Zone 3 agent in the registry export shows a Default or Custom Governance Template applied at publish or activation time, with template name and version captured in the inventory record. No Zone 3 agents are governed by the Default Template alone — all must reference a Custom Template that includes an Entra Access Package assignment policy.
- Pending requests resolved within firm-defined SLA: Governance card shows no requests older than the firm's documented SLA (illustrative defaults: 5 business days Zone 2, 1 business day Zone 3). SLA compliance documented in governance meeting minutes or ticketing system.
- Ownerless Agents card shows zero or actively remediated: Ownerless Agents count is zero, or each listed agent has a remediation ticket open in the change management system with an assigned owner and resolution due date within 48 hours.
- Exception rate monitored with defined threshold (evidence test): Overview dashboard Exception Rate metric is reviewed on the defined cadence; the firm's documented threshold (e.g., >5%) is captured in the AI governance policy with a named escalation path; at least one signed review log entry exists for each of the past 3 review cycles.
- Inventory exported monthly and retained on WORM (evidence test): Monthly inventory exports exist in the compliance repository with ISO 8601 date-stamped filenames for the prior 12 months, stored on WORM-protected storage; retention schedule aligns with FINRA Rule 4511 / SEC 17a-4 (treat as 6 years for the signed evidence pack). Each export captures at minimum: agent ID, display name, publisher, platform, owner UPN, status, deployment scope, governance template applied, last approval timestamp, and approver UPN.
- Researcher with Computer Use configured per policy (evidence test): Integrated Apps > Agents > Researcher > Computer Use shows an affirmative, documented configuration decision for every zone (not left in default-on state); Zone 3 configurations are limited to specific approved groups with a restricted Website Access allowlist; the configuration decision and rationale are documented in the AI governance policy or appendix and signed by the AI Governance Lead and CISO (Zone 3).
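The export-based evidence tests above (approval chain, governance template, ownerless agents) and the monthly export naming and exception-rate threshold points under Key Configuration Points can be checked mechanically once the inventory export is in hand. The script below is an added example written for this control; it is not Microsoft's code and not the control's PowerShell playbook. It assumes the export is a CSV carrying the minimum columns this control requires, plus a firm-added `zone` column populated during reconciliation with the Control 1.2 registry; the column names, the `Custom-` template naming convention, the `agent-inventory-YYYY-MM-DD.csv` filename pattern and the sample rows are all constructed for illustration.

```python
"""Evidence tests over an Agent 365 inventory export (added example, not Microsoft's code).

Assumptions: CSV export with the control's minimum columns plus a firm-added 'zone'
column. Column names, the 'Custom-' template prefix and the sample rows are constructed.
"""
import csv
import io
import re

# Constructed sample export (four agents). Not real tenant data.
SAMPLE_EXPORT = """\
agentId,displayName,publisher,platform,ownerUpn,status,deploymentScope,governanceTemplate,lastApprovalTimestamp,approverUpn,zone
a-001,Trade Desk Summarizer,Contoso,Copilot Studio,owner1@contoso.example,Active,Group:TradeDesk,Custom-Z3-AccessPackage,2026-04-02T14:05:00Z,admin1@contoso.example,3
a-002,Team FAQ Bot,Contoso,Copilot Studio,owner2@contoso.example,Active,Group:Ops,Default,2026-03-28T09:12:00Z,admin1@contoso.example,2
a-003,Research Helper,Contoso,Azure AI Foundry,,Active,All users,Default,2026-04-10T11:00:00Z,admin2@contoso.example,3
a-004,Expense Checker,Fabrikam,Partner,owner3@contoso.example,Pending,Group:Finance,,,,2
"""

# Minimum fields the control requires every export to carry.
REQUIRED_COLUMNS = {
    "agentId", "displayName", "publisher", "platform", "ownerUpn", "status",
    "deploymentScope", "governanceTemplate", "lastApprovalTimestamp", "approverUpn",
}
# Hypothetical filename convention: ISO 8601 date stamp embedded in the name.
EXPORT_FILENAME = re.compile(r"^agent-inventory-\d{4}-\d{2}-\d{2}\.csv$")
ISO_TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


def load_export(text):
    """Parse the CSV and fail loudly if a required minimum column is missing."""
    rows = list(csv.DictReader(io.StringIO(text)))
    present = set(rows[0].keys()) if rows else set()
    missing = REQUIRED_COLUMNS - present
    if missing:
        raise ValueError(f"export lacks required columns: {sorted(missing)}")
    return rows


def check_approval_chain(rows):
    """Admin approval workflow: every record needs a non-null approver UPN and a
    well-formed approval timestamp. Returns the agent IDs that fail."""
    return [
        r["agentId"] for r in rows
        if not r["approverUpn"] or not ISO_TIMESTAMP.match(r["lastApprovalTimestamp"])
    ]


def check_templates(rows):
    """Governance templates: Zone 2/3 agents must carry a template, and Zone 3 agents
    must reference a Custom template (Default alone is a finding)."""
    findings = []
    for r in rows:
        template = r["governanceTemplate"]
        if r["zone"] in ("2", "3") and not template:
            findings.append((r["agentId"], "no governance template"))
        elif r["zone"] == "3" and not template.startswith("Custom-"):
            findings.append((r["agentId"], "Zone 3 agent on Default template"))
    return findings


def check_ownerless(rows):
    """Ownerless Agents: any record without an owner UPN needs an Assign Owner action."""
    return [r["agentId"] for r in rows if not r["ownerUpn"]]


def export_filename_ok(filename):
    """Filename carries the ISO 8601 date stamp the retention procedure requires."""
    return EXPORT_FILENAME.match(filename) is not None


def exception_rate_breached(errored_sessions, total_sessions, threshold=0.05):
    """Escalation test against the firm's documented threshold; 5% is the
    control's illustrative default, not a Microsoft value."""
    if total_sessions == 0:
        return False
    return errored_sessions / total_sessions > threshold


def run_evidence_tests(text, filename):
    """Run every export-based check and return findings keyed by criterion."""
    rows = load_export(text)
    return {
        "approval_chain": check_approval_chain(rows),
        "templates": check_templates(rows),
        "ownerless": check_ownerless(rows),
        "filename_ok": export_filename_ok(filename),
    }


if __name__ == "__main__":
    results = run_evidence_tests(SAMPLE_EXPORT, "agent-inventory-2026-04-30.csv")
    for criterion, result in results.items():
        print(f"{criterion}: {result}")
    print("exception rate 6/100 breaches 5%:", exception_rate_breached(6, 100))
```

Against the constructed sample, the script flags a-004 for a missing approver and timestamp, a-003 as a Zone 3 agent left on the Default template and as ownerless, and a-004 as a Zone 2 agent with no template at all; each finding maps to one of the verification criteria and would become a control exception with a remediation ticket. To run it against a real export, replace `SAMPLE_EXPORT` with the file contents and adjust the column names to whatever the current Microsoft export actually emits, supplementing from the Control 1.2 registry record where a required field is absent.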
Additional Resources
- Microsoft Agent 365 overview
- Agent 365 overview page in Microsoft 365 admin center
- Manage agents for Microsoft 365 Copilot in the Microsoft 365 admin center
- Agent Management Essentials overview
- Agent prerequisites
- Agent 365 security overview
- Researcher agent with Computer Use
- Microsoft 365 Government roadmap (sovereign cloud feature parity)
- Microsoft Power Platform 2026 Wave 1 release plan
- FINRA Rule 3110 — Supervision
- FINRA Rule 4511 — General Requirements (Books and Records)
- FINRA Regulatory Notice 25-07 — AI Tools
- SEC Rule 17a-4 — Records Retention
- OCC Bulletin 2011-12 — Technology Risk Management
- NYDFS 23 NYCRR 500 — Cybersecurity Requirements
Post-GA Verification Recommended
Agent 365 reached general availability on May 1, 2026. Some feature areas (governance templates, Researcher with Computer Use, Observability SDK) may have UI or capability changes at GA. Re-verify portal paths and configuration steps against current Agent 365 documentation after the GA release.
Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current (April 2026, post-GA refresh; re-verify quarterly)