Microsoft 365 E7 and the Rise of Agent Identities

TL;DR 

March 2026 marked the introduction of Microsoft 365 E7, the first new Microsoft enterprise licensing tier since E5, with general availability beginning May 1, 2026. E7 bundles E5, Copilot, the full Entra Suite, and a new capability called Agent 365. But E7 is not just a licensing update. It is Microsoft formalizing a shift already underway: AI agents are now operational entities that authenticate, hold permissions, and act inside production systems. They are identities. That single fact changes how identity security and Identity Threat Detection and Response must work.

Beyond Licensing: Microsoft 365 E7 is an Architectural Statement

From a practitioner perspective, E7 matters less for what it bundles and more for what it assumes. Microsoft is no longer treating AI as something that assists users occasionally. E7 is built for a model where work is increasingly executed by agents on behalf of people.

Why Agent 365 is the Most Important Addition

By embedding Agent 365 and the full Entra Suite into E7, Microsoft is making something unambiguous:

Agent 365 exists to give organizations centralized visibility and governance over AI agents operating across Microsoft 365 and Entra ID. Microsoft is acknowledging that agents are being created faster than IT teams can track them, often by business units, often without security teams having a clear picture of what exists.

Identity is the control plane for agents. There is no parallel system coming later. If agents are going to operate at scale, identity is where governance, access control, and accountability must live.

What Microsoft 365 E7 Assumes

  • Work is increasingly executed by agents, not just assisted by them
  • Agents are proliferating faster than IT governance can track
  • Identity is the only viable control plane at scale
  • Security teams must be ready to govern non-human actors

Agent Identities Are Not New: They Are the Next Evolution

Agent identities do not introduce a brand-new category of identity risk. They amplify one that already exists. Most enterprise environments are already dominated by non-human identities, and agents fit directly into this established model.

Legacy Non-Human Identities

Service accounts, managed identities, application identities, automation accounts, and scheduled jobs routinely outnumber human users. They authenticate constantly, accumulate permissions over time, and often lack clear ownership.

Agent Identities Today

Agents authenticate, hold permissions, and perform actions just like their predecessors. The critical difference is speed, scale, and autonomy. They act continuously and with far greater reach than any single service account.

The Microsoft 365 E7 Acceleration Effect

Microsoft 365 E7 accelerates agent adoption across the enterprise, which increases both operational efficiency and identity risk at the same time. Governance must scale with adoption.

Agent identities are not an edge case. They are the next dominant identity type in enterprise environments, and they are arriving faster than most security programs are prepared for.

Why Traditional ITDR Struggles in an Agent-Driven World

Most Identity Threat Detection and Response programs were built around human behavior. A person signs in with compromised credentials. Permissions change unexpectedly. An alert fires. An analyst investigates and responds. Agent identities break every one of those assumptions.

How Agents Behave Differently

Continuous Action

Agents act continuously, not in discrete sessions. There is no “login event” to anchor detection logic.

High-Volume Changes

Agents initiate large volumes of changes simultaneously, far exceeding what any human user would trigger.

Cross-Identity Modification

Agents often modify identities other than their own: resetting accounts, updating memberships, and altering policies.

Workflow-Driven, Not Interactive

Agents work through automation layers, not interactive sign-ins, bypassing most human-centric detection signals.

Real-World Blind Spots

  • An automation agent can reset hundreds of accounts, update group memberships, or modify access policies in minutes without triggering a suspicious login event.
  • A DevOps agent can change infrastructure and identity permissions simultaneously, blurring the line between infrastructure and identity risk.
  • An onboarding bot can alter multiple identities in sequence without any of the behavioral signals ITDR tools are tuned to detect.

If ITDR tooling is only watching for human-centric indicators, much of this activity goes completely unexamined.
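
One way to catch the first blind spot above without a login event, as an added example (not code from Microsoft or Cayosoft): flag any non-human actor that changes many other identities within a short window. The record layout, actor names, 5-minute window and threshold of 20 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical normalized audit record (not a real log schema):
#   (time, actor_type, actor_id, activity, target_id)
# actor_type is "app" for agents and service principals, "user" for humans.
def find_agent_bursts(events, window=timedelta(minutes=5), min_targets=20):
    """Flag non-human actors that change many *other* identities in one window.
    Works from change events alone, so no sign-in record is needed. Returns
    one finding per actor: the first window that crossed the threshold."""
    by_actor = defaultdict(list)
    for time, actor_type, actor_id, activity, target_id in events:
        if actor_type == "app" and target_id != actor_id:  # cross-identity only
            by_actor[actor_id].append((time, activity, target_id))
    findings = []
    for actor_id, rows in by_actor.items():
        rows.sort()
        recent = deque()           # events inside the sliding window
        counts = defaultdict(int)  # target_id -> events inside the window
        for row in rows:
            recent.append(row)
            counts[row[2]] += 1
            while row[0] - recent[0][0] > window:  # expire old events
                old_target = recent.popleft()[2]
                counts[old_target] -= 1
                if counts[old_target] == 0:
                    del counts[old_target]
            if len(counts) >= min_targets:
                findings.append({
                    "actor": actor_id, "start": recent[0][0], "end": row[0],
                    "distinct_targets": len(counts),
                    "activities": sorted({a for _, a, _ in recent})})
                break
    return findings

def sample_events():
    """Constructed data: one agent burst, one slow agent, one human admin."""
    t0 = datetime(2026, 5, 4, 9, 0, 0)
    ev = [(t0 + timedelta(seconds=6 * i), "app", "agent-onboarding",
           "Reset user password", f"user-{i:03d}") for i in range(30)]
    ev += [(t0 + timedelta(hours=i), "app", "agent-reports",
            "Add member to group", f"group-{i}") for i in range(8)]
    ev += [(t0 + timedelta(minutes=i), "user", "alice@example.com",
            "Reset user password", f"user-9{i}") for i in range(3)]
    return ev

if __name__ == "__main__":
    for finding in find_agent_bursts(sample_events()):
        print(finding)
```

Counting distinct targets rather than raw events keeps an agent that repeatedly updates the same few objects from tripping the rule.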

Microsoft 365 E7 Turns ITDR Maturity into a Requirement

Microsoft 365 E7 going to GA acts as a catalyst. It signals that enterprises are expected to run agents at scale and that identity teams are expected to govern them. It also signals that security teams will be expected to respond when those agents are misconfigured, abused, or compromised.

Microsoft 365 E7 Provides:

  • Centralized Agent Governance
  • Visibility across M365 and Entra ID
  • Entra Suite Integration
  • Agent 365 Management Plane

Microsoft 365 E7 Does Not Provide:

  • Full ITDR for Hybrid Identity
  • Detection of Harmful Identity Changes
  • Agent-Driven Incident Workflows
  • Rollback and Recovery Capabilities

That gap is why ITDR must evolve. Security teams need the ability to see agent-driven identity changes, correlate those changes with outcomes, and roll them back when automation goes wrong.

See

Full visibility into agent-driven identity changes across hybrid environments, not just human user activity.

Correlate

Connect identity changes to downstream outcomes. Understand what an agent did, when, and what it affected.

Respond

Investigate incidents involving agent identities using the same workflows built for users, groups, and applications.

Recover

Roll back agent-driven changes when automation goes wrong, treating agents as first-class identities, not exceptions.

Agent identities cannot be treated as edge cases or exceptions. They must be treated as first-class identities from a security perspective, with the same governance, monitoring, and recovery capabilities as any human user.

Treat Agent Identities as Core Identities

Anything that can authenticate and act inside the environment must be governed, monitored, and recoverable like a user, even if it is not human.

The Cayosoft Guardian Approach

Cayosoft Guardian Audit and Restore extends identity monitoring, detection, alerting, and rollback to AI agent identities inside Microsoft Entra and Microsoft 365 using the same workflows security teams already rely on for users, groups, and applications.

There is no separate track for agent identities. No parallel governance model. No exceptions carved out for automation. Every identity that can act is treated with the same rigor.

  • Monitor agent identity activity alongside human users
  • Detect anomalous or harmful agent-driven changes
  • Alert security teams using familiar workflows
  • Roll back agent-driven changes when automation causes harm

Read more about how Cayosoft Guardian brings agent identities into existing identity threat detection and response workflows.

Key takeaways

Microsoft 365 E7 Makes It Official

Agent identities are no longer experimental. Microsoft 365 E7 formalizes their role as operational entities inside enterprise environments.

ITDR Must Evolve with That Reality

Identity Threat Detection and Response programs built for human behavior are not sufficient. The detection model must expand to cover non-human actors at scale.

Identity Is the Control Plane

Governance, access control, accountability, and recovery all flow through identity, for humans and agents alike.

FAQ

Microsoft 365 E7 is the first new Microsoft enterprise licensing tier since E5, introduced in March 2026 with general availability beginning May 1, 2026. It bundles E5, Copilot, the full Entra Suite, and a new capability called Agent 365.

Agent 365 is a management plane included in Microsoft 365 E7 that gives organizations centralized visibility and governance over AI agents operating across Microsoft 365 and Entra ID. It exists because agents are being created faster than IT teams can track them, often by business units, without security teams having a clear picture of what is running in their environment.

The underlying model is the same. Agents authenticate, hold permissions, and perform actions just like service accounts or managed identities. The difference is speed, scale, and autonomy. Agents act continuously, initiate high volumes of changes simultaneously, and can modify other identities in ways that far exceed what any single service account would trigger.

Most Identity Threat Detection and Response programs are built around human behavior: a login event, an unexpected permission change, an analyst alert. Agents do not work that way. They act continuously without discrete sessions, bypass interactive sign-ins, and can reset hundreds of accounts or modify access policies in minutes without producing any of the behavioral signals ITDR tools are tuned to detect.

Despite its governance tooling, E7 does not provide full ITDR for hybrid identity environments, detection of harmful identity changes, agent-driven incident response workflows, or rollback and recovery capabilities. Those gaps remain the responsibility of dedicated identity security tooling, which needs to treat agent identities with the same rigor as human users.

See Cayosoft in Action

Only Cayosoft provides immediate threat detection and rollback of unwanted changes in Intune, Entra ID, Microsoft 365 and Active Directory, all from a single pane of glass. Schedule a demo to see the capabilities in depth.