Your AI agent licensing math just changed
Microsoft shipped two products Friday: M365 E7 (a new top-tier enterprise license that bundles Microsoft 365 Copilot, Agent 365, and advanced identity controls into the existing E5 stack), and Agent 365 as a standalone SKU. If you have AI agents in your tenant, the question used to be “should we deploy them.” Now it’s “how are they governed.” Two deadlines (June 15 and July 1) force the answer.
That’s the lead. We also have a Secure Score recommendation for the Secure Boot 2023 cert migration we covered in January, an Exchange Online TLS retirement that’s much narrower than the headlines say, and Microsoft 365 Copilot quietly turning on a grounding source you can’t disable. Plus your Purview Communication Compliance reviewers are not imagining the slowness.
Every Monday from Adversary Lab: Azure security news for practitioners. No fluff, just the updates to stay ahead.
🔥 Detection Engineer Accelerator. Build the GitHub portfolio that gets you hired. 90 days, $497, 15 seats. Check out the free lab and community here
In this issue
E7 launched Friday at $99 per user. Here’s what’s actually in it for security teams
Agent 365 went GA on the same day. Three things changed for your AI agent inventory
Two hard deadlines in the next eight weeks could break things in your tenant
The POP/IMAP TLS retirement you’ve seen everywhere is much narrower than it reads
The Secure Boot deadline from January now has a tracking tool in Defender for Endpoint
M365 Copilot is about to read your private Engage communities by default, and you can’t turn it off
Purview Communication Compliance is acknowledged slow through May 15
🔥 What’s Actually Breaking: Purview Communication Compliance is degraded through May 15
If your CC reviewers have been complaining for months that flagged message review throws intermittent errors, that exports time out, that the “Total pending” counter looks wrong, they’re not making it up. Microsoft is doing infrastructure work and the timeline got extended.
The Problem: Slow updates to policy insights and aggregated counts. Intermittent errors when reviewing flagged messages. Delays between alert notification and message access. Outdated report views. Some export functions temporarily unavailable.
Who’s Affected: Admins managing Microsoft Purview Communication Compliance policies and review workflows.
Current Status: Microsoft acknowledged. Original end date was April 30. Microsoft updated the message April 30 to extend through May 15, 2026.
Workaround: None. If exports fail, retry. If pending counts look wrong, give the backlog time to process.
Source: MC1214183
Microsoft 365 E7 launched Friday. Here’s what it actually means.
Microsoft 365 suite | GA May 1, 2026
Microsoft is calling it the Frontier Suite. The simple version: E7 is Microsoft bundling AI into the enterprise license. It includes everything you already get in E5 (the full Defender suite, Entra ID P2, advanced DLP, all of it) plus Microsoft 365 Copilot, Agent 365, and Microsoft Entra Suite (advanced identity).
What this means for security teams:
Agent 365 is the part that matters most for your job. It’s the new control plane for AI agents in your tenant. Inventory, governance, security policies, the whole package. It had been in preview through the Frontier program. Now it’s a real, licensable thing your CISO is going to ask about.
If your org buys E7, you get Agent 365 by default. If your org stays on E5 plus Copilot, Agent 365 is also available standalone. Either way, the question is no longer “should we deploy AI agents,” it’s “how do we govern the ones already running in our tenant.”
What it actually adds for security teams: Agent 365 itself is new as of Friday, but the larger story is that E7 bundles Microsoft Entra Suite, which most E5 customers haven’t been buying as a separate add-on. Together they give you:
Entra Agent ID, so AI agents can be governed under conditional access policies
Continuous adaptive conditional access that adjusts in real time based on risk signals
Identity governance that covers AI agents alongside human users (lifecycle, entitlements, least privilege)
The Secure Web and AI Gateway for filtering traffic to and from AI services, including blocking unauthorized AI usage
Entra Private Access + Internet Access (the ZTNA and cloud-delivered SWG combo that replaces legacy VPN and proxy infrastructure)
If your tenant has been on E5 without Entra Suite, that’s a real control surface unlock for AI agent governance, not just procurement consolidation. If you already have E5 plus Entra Suite plus Copilot as add-ons, you only needed Agent 365 to complete the picture.
Honest take: Whether your org adopts E7 isn’t really your problem. Whether AI agents are running in your tenant is. The two deadlines below force that conversation either way.
Action item, specific path: Tell your manager E7 launched Friday and that Agent 365 is now a real product, not a preview. If you don’t already know whether your org has AI agents in production, find out this week. The June 15 deadline doesn’t care about your procurement calendar.
Source: Microsoft 365 E7 GA announcement | Microsoft Agent 365 GA, Microsoft Security Blog
Agent 365 went GA the same day. Three things changed for your AI agent inventory.
Microsoft Security | GA May 1, 2026
The control plane Charles has been covering since Ignite is now a paid product. The preview is over. If you’ve been waiting for the migration deadline to plan, here it is.
1. Microsoft is now naming specific shadow AI agents your endpoints might be running
This is the biggest detection-engineering story in the announcement. Microsoft Defender combined with Intune now discovers AI agents running on Windows endpoints. Microsoft names the agents explicitly in the GA announcement: OpenClaw today, with GitHub Copilot CLI and Claude Code coming soon. A new “Shadow AI” page in the M365 admin center surfaces what’s running and on which devices. Intune policies can block common methods of running OpenClaw on managed endpoints.
If you’ve never inventoried what AI agents your developers are running locally, this is the most useful discovery surface Microsoft has ever shipped for that question. Caveat: current visibility requires Frontier program enrollment. The capability is rolling out broadly through Agent 365 + Defender + Intune, but the bleeding edge is gated.
2. Multicloud agent visibility, in public preview
Agent 365 registry sync with AWS Bedrock and Google Cloud (Google Gemini Enterprise Agent Platform, formerly Vertex AI) is in public preview today. Discovery, inventory, and lifecycle governance (start, stop, delete) across cloud platforms from a single console. If your developers build on multiple cloud AI platforms, the inventory just got centralized.
3. Network controls for agents are GA today
Agent 365 extends Microsoft Entra network controls to Microsoft Copilot Studio agents and to local agents like OpenClaw. Restricts connections to approved web destinations. Filters risky file movement. Helps block prompt-based attacks at the network layer before they trigger harmful actions. This is a real practical control, not a roadmap item.
One more thing worth knowing: Microsoft is hosting a live “Ask Microsoft Anything” session about Agent 365 on Tuesday, May 12, 2026. Useful if you need answers from product engineering rather than marketing. Register at aka.ms/51ama.
What it doesn’t do (yet): Asset context mapping in Defender (mapping each agent to its devices, MCP servers, identities, and reachable cloud resources) ships in public preview June 2026. Runtime blocking and rich incident context for managed agents arrives the same month. Today’s GA is the control plane and discovery; the deeper investigation surface is one month away.
Action item, specific path: If you’re on E5 plus Copilot today, sign in to the M365 admin center and check whether the All agents view is populated. If you have any agents listed, those need to be governed by Agent 365 going forward. If you have none and aren’t using Copilot Studio or custom Graph-registered agents, your immediate Agent 365 decision is whether to plan for it now or wait until your developers ship something.
Source: Microsoft Agent 365 GA, Microsoft Security Blog | Agent 365 overview on Microsoft Learn
Two hard deadlines that hit your tenant in the next eight weeks
Operational consequences | June 15 and July 1, 2026
Reading the Agent 365 GA announcement is the easy part. These two deadlines turn the announcement into work.
June 15, 2026: The agent registry Graph API retires.
Per MC1297981, the existing agent registry Graph API will no longer be supported starting June 15. Agents registered through the existing API and not re-registered through the new Agent 365-powered endpoint will stop functioning. Microsoft’s wording is unambiguous on that point. This does not apply to agents created through Copilot Studio or Foundry. It only hits custom agents that were self-registered through the Graph API.
What this means in practice: If your developers built and registered any agents through the existing API, you have six weeks to re-register them through the new endpoint. The new API has been GA since May 1.
Action item, specific path: Open the M365 admin center, navigate to All agents. Identify agents marked as registered through the existing agent registry Graph API. Re-register before June 15.
July 1, 2026: Defender’s agent protection requires an Agent 365 subscription
The Microsoft Learn page on AI agent detection and protection states it directly: “Starting July 1, 2026, your organization needs an Agent 365 subscription to continue using agent protection and visibility capabilities.” If your team has been using Defender’s preview agent protection capabilities, the visibility goes away on July 1 unless your org has Agent 365 coverage. That’s a conversation to start with your CISO and licensing team this week, not in late June.
The audit gap callback: We covered last week that the Microsoft 365 Sentinel connector does not carry agent admin events from the Office 365 Management Activity API. That gap is now consequential. If you’re going to be re-registering agents and your Sentinel coverage doesn’t include agent admin operations, you’re migrating in the dark. Verify your detection coverage before the June 15 cutover (agents that weren’t re-registered stop working) forces an unplanned operational test.
POP and IMAP TLS retirement: narrower than it reads
Exchange Online | MC1293480 | Confirmed retirement
Most security newsletters and aggregators are running this story as a broad POP/IMAP TLS retirement event. That overscopes the impact. The Exchange Team blog from April 27 is explicit about who’s actually affected.
Microsoft’s verbatim wording, italicized in the original blog: “Our expectation is that only customers who have explicitly opted into using those legacy endpoints are impacted by the deprecation we are announcing today.”
What this means in practice: Microsoft created a special opt-in legacy TLS endpoint in 2023 for customers whose POP/IMAP clients couldn’t speak TLS 1.2 yet. Most organizations never opted in. Their POP/IMAP traffic already negotiates TLS 1.2 or higher and will be unaffected by this retirement. The customers actually impacted are those who deliberately enrolled in the legacy endpoint. That’s a much smaller population than “everyone running POP/IMAP.”
The honest take: If you don’t know whether your tenant opted into the legacy endpoint, that’s the question worth answering. Microsoft’s expectation is that affected customers know who they are, but tenant configuration drift over years of admin turnover and managed service provider changes is real. A focused audit beats a surprise outage on July 1.
The timeline: Rollout starts July 1, 2026. Completes December 31, 2026. Connections using TLS 1.0 or TLS 1.1 will fail. The act-by date is June 29, 2026.
Action item, specific path: Check your tenant’s POP and IMAP configuration. The legacy TLS opt-in endpoint documentation shows what the configuration looks like. If you’re enrolled, identify the clients depending on the legacy endpoint and either update them or move them to a TLS 1.2-capable connector or relay.
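One way to run that audit from Exchange Online PowerShell, as an added example (this is not the Exchange Team’s script and not from MC1293480). It assumes the legacy POP/IMAP endpoint is gated by the same tenant-level AllowLegacyTLSClients switch that gates the SMTP AUTH legacy endpoint; confirm that against the legacy TLS opt-in doc linked above before acting on the result. Everything else (Get-TransportConfig, Get-CASMailbox, the .NET SslStream probe) is standard.

```powershell
# Added example, not from the Exchange Team blog or MC1293480. Requires the
# ExchangeOnlineManagement module and an Exchange admin role.
# ASSUMPTION: the legacy POP/IMAP endpoint is gated by the same tenant-level
# AllowLegacyTLSClients switch used for the SMTP AUTH legacy endpoint; verify
# against the opt-in documentation before treating $false as "not enrolled".

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Tenant-level opt-in switch
$tc = Get-TransportConfig
[pscustomobject]@{
    Check = 'AllowLegacyTLSClients (tenant opt-in)'
    Value = $tc.AllowLegacyTLSClients
}

# 2. Which mailboxes can use POP/IMAP at all. A mailbox with both protocols
#    disabled cannot be affected by the retirement, whatever endpoint it used.
$cas = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled }
"{0} mailboxes have POP or IMAP enabled" -f $cas.Count
$cas | Select-Object DisplayName, PrimarySmtpAddress, PopEnabled, ImapEnabled |
    Export-Csv -Path .\pop-imap-enabled.csv -NoTypeInformation

# 3. Confirm what the standard endpoints negotiate from this host. A client
#    that still works against outlook.office365.com is not a legacy-endpoint
#    dependency. SslStream throws on a refused handshake; that is the pass case.
function Test-TlsVersion {
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        return $true     # endpoint accepted this protocol version
    } catch {
        return $false    # handshake refused (or disabled client-side)
    } finally {
        $tcp.Dispose()
    }
}
# 'Tls' is TLS 1.0 in SslProtocols; 995 is POP3S, 993 is IMAPS (implicit TLS)
foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    foreach ($ep in @{Host = 'outlook.office365.com'; Port = 995},
                    @{Host = 'outlook.office365.com'; Port = 993}) {
        [pscustomobject]@{
            Endpoint = "$($ep.Host):$($ep.Port)"
            Protocol = $p
            Accepted = Test-TlsVersion -HostName $ep.Host -Port $ep.Port -Protocol $p
        }
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Read step 3 with a caveat: a modern Windows host has TLS 1.0/1.1 disabled client-side in Schannel, so “Accepted = False” for Tls and Tls11 can be your own machine refusing, not the service. Run it from the same box the legacy clients live on if you want the result to mean something about them.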
Source: MC1293480 | Exchange Team Blog: Deprecating Legacy TLS for POP and IMAP
Secure Boot 2023 readiness recommendation lands in Defender for Endpoint Secure Score
Microsoft Defender XDR | MC1293483
Back in January we covered the Windows Secure Boot 2011 certificate expiration scheduled for June 2026. Until now, tracking who actually had the new 2023 certificates deployed was a manual exercise. That just changed.
Microsoft Defender for Endpoint added a new Secure Score recommendation called Ensure devices are updated to Secure Boot 2023 certificates and boot manager. Public preview rolled out late April through early May 2026. GA completes by late May. The recommendation is on by default and requires no configuration. It identifies devices that have not deployed the Windows UEFI CA 2023 certificates and the 2023-signed boot manager.
What this means in practice: This is the tracking tool you’ve been doing manually since January. Open Secure Score, find the recommendation, get a list of devices that aren’t ready for the June 2026 cert expiration.
What it doesn’t do: The recommendation tells you who’s behind. It does not deploy the certificates for you. That still depends on your hardware vendor’s firmware updates and your patching cadence.
Action item, specific path: Once the recommendation appears in Microsoft Secure Score (early to late May), open it. Identify flagged devices. Coordinate with your firmware update process per the Windows Secure Boot certificate guidance. The June 2026 cert expiration is roughly seven weeks away.
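If you want to spot-check a single device before the recommendation reaches your tenant, here is an added example (not from MC1293483 or the Defender doc) that reads the Secure Boot db and KEK variables and looks for the 2023 certificate names, the same thing Microsoft’s readiness guidance tells you to look for. The registry value name UEFICA2023Status and the location of the staged boot manager copy are assumptions taken from Microsoft’s Secure Boot CA update guidance; if they are missing on a build, the db check alone still tells you whether the 2023 cert has landed. Run it elevated.

```powershell
# Added example, not from MC1293483 or the Defender doc. Run elevated on a
# Windows device. Checks the two things the Secure Score recommendation checks:
# is the Windows UEFI CA 2023 cert in the Secure Boot db, and is a 2023-signed
# boot manager present.
# ASSUMPTIONS: the UEFICA2023Status registry value under SecureBoot\Servicing
# and the staged bootmgfw.efi path follow Microsoft's CA update guidance.

function Get-SecureBoot2023Readiness {
    if (-not (Confirm-SecureBootUEFI)) {
        return [pscustomobject]@{ SecureBootOn = $false }
    }

    # db and KEK are raw EFI_SIGNATURE_LIST bytes. The certificate subject
    # strings inside the DER blobs are readable as ASCII, which is all a
    # readiness check needs; no signature-list parsing required.
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    # Servicing status written by Windows as it rolls the certs (assumption:
    # value name per Microsoft's guidance; reads as $null if absent).
    $svc    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue

    # Staged boot manager copy under %SystemRoot%\Boot\EFI. The live copy on the
    # EFI system partition is authoritative; this one shows what Windows has
    # staged for the next update. Its Authenticode signer names the signing CA.
    $bootmgr = Get-Item "$env:SystemRoot\Boot\EFI\bootmgfw.efi" -ErrorAction SilentlyContinue
    $signer  = if ($bootmgr) {
        (Get-AuthenticodeSignature -FilePath $bootmgr.FullName).SignerCertificate.Subject
    }

    [pscustomobject]@{
        SecureBootOn        = $true
        Db_UefiCA2023       = [bool]($db  -match 'Windows UEFI CA 2023')
        Db_ProductionPCA2011 = [bool]($db -match 'Microsoft Windows Production PCA 2011')
        Kek_2023            = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')
        UEFICA2023Status    = $status.UEFICA2023Status   # assumption: 'Updated' when done
        StagedBootmgrSigner = $signer
    }
}

Get-SecureBoot2023Readiness | Format-List
```

A device is ready when Db_UefiCA2023 is True and the staged boot manager signer is the 2023 CA; a True Db_ProductionPCA2011 alongside it is expected, since the 2011 cert stays in db until it expires. Neither this script nor the Secure Score recommendation pushes the certs; if Db_UefiCA2023 is False after your patch cycle, the blocker is firmware or servicing state, which is the conversation to have with the hardware vendor.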
Source: MC1293483 | Assess Secure Boot status with Microsoft Defender
M365 Copilot will read your private Engage communities by default. You can’t turn it off.
Microsoft Viva | MC1296480 | Roadmap 515144
Starting May 2026, Microsoft 365 Copilot will use content from private communities and private events as grounding sources when generating responses. The feature is enabled by default. Microsoft’s wording, verbatim: “cannot be turned off.”
What this means in practice: Anything in your private Viva Engage communities or private events is now a potential grounding source for Copilot answers. Microsoft’s safeguards are existing access controls (a user only sees content they have permission to access) and sensitivity labels (which display alongside Copilot citations).
What Microsoft won’t say: “Cannot be turned off” is doing a lot of work in that sentence. The framing is “your existing permissions and sensitivity labels are the controls.” That’s true. It’s also a different proposition than “you have a tenant-level switch to opt out.” If you have private communities full of casual draft-quality content, half-finished policies, leadership Q&A transcripts, or anything where the original intent was “this stays in this community,” Copilot grounding now treats those as fair game for any user who has access. The practitioner question this raises is not whether the permissions are honored. They are. The question is whether your sensitivity labels actually reflect the sensitivity of the content sitting inside private communities, and whether your reviewers have ever audited it.
What it doesn’t do: This is a grounding change, not an exfiltration vector. A user who can’t read the source community can’t get its content back through Copilot. The risk is internal lateral content discovery: someone who already has access to a private community can now ask Copilot questions that surface things the original poster never expected to be quoted in a chat.
Action item, specific path: Open Microsoft Viva Engage admin center. Pull the list of private communities. For each one with sensitive content, verify a sensitivity label is actually applied. For any high-risk community without one, assign one. Brief your information protection team that the grounding source change rolls out this month.
Source: MC1296480 | Microsoft 365 Roadmap ID 515144
Defender XDR moved your service accounts. If your runbook says “Discover,” it’s stale.
MicrosoftDocs/defender-docs | Operational restructure
Last week Microsoft restructured how service accounts are presented in Defender XDR. The “View service accounts” article was moved from the Discover section to the Investigate section. The commit body explains the rationale in one line: “service account discovery is an investigation activity, not a pre-breach discovery activity.”
This is consistent with the broader identity reorganization in Defender XDR we covered in March 2026: the Identity Security dashboard, the human and non-human identity inventory split, the non-human identities tab. Microsoft is treating service accounts and other non-human identities as investigation surface area, not asset-discovery surface area. This week’s move is the operational reflection of that taxonomy.
Bonus: The Security Alert Triage Agent doc lost its “(preview)” marker on the same day. Microsoft hasn’t posted an MC about it, but combined with the RSA 2026 announcement of the Triage Agent expansion to identity and cloud alerts, the GA is effectively here. Worth knowing if your alert tuning runbooks reference the old wording: “suppress” and “classify” are now “resolve” and “triage” in the docs.
What it doesn’t do: This isn’t a feature change. Your hunting queries against IdentityInfo and related tables don’t break. Only the location and conceptual framing changed.
Action item, specific path: Update your SOC runbooks. Anywhere they say “Defender XDR > Discover > Service Accounts,” change it to “Defender XDR > Investigate > Service Accounts.” If you maintain analyst training material with screenshots of the Discover panel, those screenshots are stale.
Source: defender-docs commit 795e14d | RSA 2026: What’s new in Microsoft Defender
👀 On Our Radar
A new AI Reader role for Agent 365. Read-only access to agent usage, health, and configuration without granting administrative rights. Rolling out early May 2026. Must be explicitly assigned. If you’ve been using Global Administrator to give people reporting visibility into Agent 365, this is the role to assign instead. (MC1296473)
Copilot admin catalog packages Graph API hitting GA. Two new endpoints (/copilot/admin/catalog/packages and /copilot/admin/catalog/packages/{id}) for programmatic agent and app inventory. GA mid-April through early May. Useful for scripting an AI inventory pipeline. (MC1173195)
Anthropic models in Word for Copilot users. Builds on January 2026 Anthropic-as-subprocessor coverage. IT admins will be able to enable Anthropic models for specific users and groups within the tenant. (RM558440, RM557371). One to plan for if your Copilot governance has an opinion about which models touch your tenant data.
Sentinel connector activity. The Salesforce Event Log Connector got a major update with username/password OAuth2 support and previously missing events. A new ASIM Authentication parser shipped for Cisco DNAC. If you ingest either, plan a connector refresh.
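For the Copilot admin catalog packages endpoints in the radar item above, here is an added example (not from MC1173195 or Microsoft’s docs) of the inventory pipeline the notice hints at: page through the packages endpoint and write the result to CSV. The page names the two paths but not the API version segment or the required Graph permission, so both are parameters you fill in from the endpoint’s Learn reference; the script depends only on the id field that the per-package path implies.

```powershell
# Added example, not from MC1173195. Pages through the Copilot admin catalog
# packages endpoint and writes an inventory CSV.
# ASSUMPTIONS: $ApiVersion and $Scopes are not given on the page; take both
# from the endpoint's Learn reference before running.
param(
    [string]$ApiVersion = 'v1.0',                   # assumption: may be 'beta'
    [string[]]$Scopes   = @(),                      # fill from the permission table
    [string]$OutFile    = '.\copilot-catalog-packages.csv'
)

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes $Scopes -NoWelcome

function Get-AllGraphPages {
    param([string]$Uri)
    # Follow @odata.nextLink until it disappears; Graph decides the page size.
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        foreach ($item in $page.value) { $item }
        $Uri = $page.'@odata.nextLink'
    }
}

$base     = "https://graph.microsoft.com/$ApiVersion/copilot/admin/catalog/packages"
$packages = @(Get-AllGraphPages -Uri $base)
"{0} packages in the catalog" -f $packages.Count

# Keep whatever properties the API returns rather than guessing a schema;
# add a retrieval timestamp so successive runs can be diffed for new agents.
$packages |
    ForEach-Object {
        $_ | Add-Member -NotePropertyName retrievedAt `
                        -NotePropertyValue (Get-Date).ToString('o') -PassThru
    } |
    Export-Csv -Path $OutFile -NoTypeInformation

# Drill into one package by id to see the per-package endpoint's shape
if ($packages.Count -gt 0) {
    Invoke-MgGraphRequest -Method GET -Uri "$base/$($packages[0].id)" -OutputType PSObject |
        Format-List
}

Disconnect-MgGraph
```

Schedule it and diff the CSVs: a package id that appears between runs is a new agent or app in the catalog, which is the signal you want feeding the June 15 re-registration inventory rather than a one-off export.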
📋 What You Should Actually Do This Week
🚨 CRITICAL (May 4):
If you run all-hands or compliance training through Engage live events powered by Teams Live Events, the option to schedule new ones is gone as of today, May 4. Existing events scheduled before today keep working through February 28, 2027. The replacement is Engage events powered by Teams town halls. (MC1227085)
⚠️ HIGH PRIORITY (this week):
Inventory custom agents registered through the agent registry Graph API. June 15 retirement.
Find out whether AI agents are running in your tenant. If they are, the June 15 agent registry retirement and the July 1 Defender protection requirement both apply to you. Loop in your manager and your CISO so the licensing decision happens before the deadline does.
Audit whether your tenant opted into the POP/IMAP legacy TLS endpoint in 2023. If yes, plan client migration before June 29.
Audit sensitivity labels on private Viva Engage communities. The Copilot grounding change starts rolling out this month and you don’t have an opt-out switch.
📋 MEDIUM PRIORITY (before month-end):
Once the Secure Boot 2023 readiness recommendation appears in Microsoft Secure Score (early May), evaluate against your fleet and coordinate with your firmware update process.
Update SOC runbooks to reflect the Defender XDR service accounts move from Discover to Investigate.
Update alert-tuning runbooks for the new Triage Agent terminology (resolve, triage).
Evaluate the new AI Reader role for Agent 365 reporting access.
Consider attending the Agent 365 AMA on May 12 if your team has open questions.
📎 LOW PRIORITY (when time permits):
Plan a Sentinel connector refresh for Salesforce or Cisco DNAC if either is in your ingestion pipeline.
Looking Ahead
May 4, 2026: Engage live events scheduling cutoff (existing events run through Feb 28, 2027)
May 12, 2026: Microsoft Agent 365 “Ask Microsoft Anything” live session
May 13, 2026: Patch Tuesday
May 15, 2026: Purview Communication Compliance migration completes
June 15, 2026: Agent registry Graph API retires
June 2026 (mid): Windows Secure Boot 2011 certificate expiration
June 29, 2026: Act-by date for POP/IMAP legacy TLS endpoint customers
July 1, 2026: Microsoft 365 commercial price increases take effect (E3 to $39, E5 to $60). POP/IMAP TLS retirement begins. Agent 365 subscription required for Defender agent protection.
💡 Build the portfolio. Get the job.
A GitHub portfolio isn't optional for security pros anymore.
The Detection Engineer Accelerator gives you 11 production Azure detections in 90 days.
A portfolio a recruiter can find. A lab you deployed yourself. Attack scripts for every detection.
Founding cohort: $497. 15 seats. Enrollment closes when full.
👉 Check out the free lab and community here
📚 About Adversary Lab
Azure security news for practitioners. No fluff, just the updates to stay ahead.
📤 Worth sharing? Forward it.
Charles Garrett | LinkedIn | theadversarylab.com