1Security

Agents

Unified governance for every AI agent in your tenant — Copilot, Entra, and third-party — with the access insights and licensing you need to see them all.

Microsoft spreads AI agents across separate admin portals — Copilot, Azure AI Foundry, and Entra — each with its own model, tags, and APIs. The Agents screen unifies all of them into one governed list, with the same access-insight lens 1Security applies to users, apps, and files.

One screen for every agent

The Agents screen covers the three overlapping agent ecosystems Microsoft exposes:

  • Microsoft Copilot agents — declarative agents built in Copilot Studio / Agent Builder (e.g. a SharePoint policy finder, a Teams message extension).
  • Entra Agent ID agents — autonomous backend agents with their own Entra identity (Copilot Studio, Azure AI Foundry).
  • Third-party agents — SaaS apps that use Copilot behind the scenes (e.g. Decisions, Adobe).

Instead of three consoles, you get one list — and, where the same agent shows up in more than one place, a single unified record that joins its Copilot chat presence to its Entra API permission grants.

Unified access insights

Every agent is broken down by what it can actually reach — the same model 1Security applies to identities and apps:

  • Files, sites, users, and emails the agent can access
  • Sensitive data exposed through that access
  • Knowledge / data sources it reads from — SharePoint, OneDrive, Teams, email, Graph connectors, Dataverse, the web
  • Permissions — every atomic permission with its source (direct, inherited from a blueprint, or declared) and Microsoft's "blocked for agents" flag

The value is the stitching: signals from Copilot, Azure, and Entra become one agent record, so you can govern an agent's behaviour and its real data access in one place — without hopping between portals.

Licensing: what you can see

Agent visibility depends on the tenant's Microsoft licensing. This is a Microsoft API limitation, not a 1Security one.

1Security always scans the Entra backend. A license only gates the Microsoft Copilot Package catalog — the API where lightweight Copilot agents live.

Agent typeVisible without Agent 365Needs Agent 365
Entra Agent ID agents — Azure AI Foundry, heavier Copilot Studio bots (they create real Entra service principals tagged power-virtual-agents-* / AgenticInstance)
Declarative Copilot agents — SharePoint policy finders, Teams extensions, and third-party wrappers like Decisions / Adobe (no Entra footprint; they live only in the Copilot Package catalog)

Without the license, declarative Copilot agents either don't surface or look like ordinary enterprise apps — 1Security can't tell they're agents. This affects both third-party wrappers and first-party declarative Copilot agents, not just third-party apps.

Licensing: what you need to buy

You do not need the $99 Microsoft 365 E7 bundle. The product that unlocks the catalog is Agent 365.

  • E7 ("Frontier" suite) just bundles E5 + Microsoft 365 Copilot + the Entra Suite + Agent 365. It's the expensive way in.
  • Agent 365 is available standalone at ~$15/user per month and can be added on top of an existing E3 or E5 — this is all the API actually checks for.

You only need ONE license. 1Security reads the catalog with a delegated admin token, so Microsoft validates the license of the single admin who connected it — not every user. License that one admin account and the entire tenant's Copilot agent catalog unlocks.

For testing: assign one standalone $15 Agent 365 license to the admin account you use to connect 1Security.

Connecting & graceful degradation

To scan Copilot agents, an admin connects a delegated token once (see the Connecting Tenants guide). Until that's done — or if the tenant has no Agent 365 — 1Security:

  • still scans and governs every Entra agent,
  • shows a banner on the Agents screen explaining that Copilot agents need Agent 365,
  • never fails the tenant scan over a missing license.

Talking to customers

A customer worried about Copilot security already owns Microsoft 365 Copilot — and Microsoft requires Agent 365 to govern the agents they build with it using native tools, so most target customers already have it. If they don't, 1Security states the limit plainly:

We can only scan your Entra backend. License your admin with Agent 365 to also scan your Copilot chat agents.

Permission Graph

Learn how 1Security's permission graph provides a fully interactive tenant map for intuitive audits.

Sensitivity Scanning

Learn how 1Security performs sensitivity scanning, including supported formats, limitations, and licensing requirements.

On this page

One screen for every agentUnified access insightsLicensing: what you can seeLicensing: what you need to buyConnecting & graceful degradationTalking to customers