Last Updated on March 26, 2026 by Arnav Sharma
Microsoft doesn’t launch new enterprise licensing tiers very often. In fact, the last time it introduced one was 2015, when Microsoft 365 E5 came out. So when the company announced Microsoft 365 E7 on March 9, 2026, it wasn’t a routine product update. It was a signal.
The signal: AI agents are no longer experimental. They’re operational. And enterprises need a way to govern, secure, and scale them before the sprawl becomes unmanageable.
E7, officially called “The Frontier Suite,” is Microsoft’s answer to that problem. At $99 per user per month, it bundles everything you need to run an agentic enterprise: M365 E5, Microsoft 365 Copilot, the Entra Suite, and the brand-new Agent 365. General availability lands May 1, 2026.
Let me walk through what this actually means, what it costs (including the parts Microsoft doesn’t put in the headline), and whether it’s worth your organisation’s attention.
What’s in the Box
Before getting into the interesting stuff, the component breakdown is worth understanding because the pricing math only makes sense if you know what you’re paying for separately.
| Component | Standalone Price | What It Covers |
|---|---|---|
| Microsoft 365 E5 | $60/user/mo | Full productivity + security baseline (Defender, Purview, Intune) |
| Microsoft 365 Copilot | $30/user/mo | AI embedded in Word, Excel, Outlook, Teams |
| Microsoft Entra Suite | $12/user/mo | Advanced identity governance |
| Agent 365 | $15/user/mo | AI agent control plane |
| E7 Bundle | $99/user/mo | All of the above, unified |
- 1.What’s in the Box
- 2.Agent 365: The Part That Actually Changes Things
- ↳Identity: Every Agent Gets a Name and a Leash
- ↳Data Governance: Purview Comes to Agent Activity
- ↳Threat Detection: Defender for the Non-Human Layer
- 3.The Agent Registry: Seeing What You’ve Already Built
- 4.Work IQ: The Intelligence Layer Nobody Talks About
- 5.Copilot Cowork: Long-Running Tasks, Not Just Prompts
- 6.The Real Cost Conversation
- 7.What This Means for Security Architecture
- 8.Key Dates to Track
- 9.Getting Started: A Practical Sequence
- 10.The Bottom Line
- 11.Frequently Asked Questions
Buying these separately runs about $117 per user per month, so E7 saves roughly 15% or about $18 per user. At 1,000 users, that’s $216,000 annually. Not nothing.
The catch, and we’ll get to this in detail later, is that $99 is the seat licence. It is not the total cost of running an agentic enterprise.
Agent 365: The Part That Actually Changes Things
If Copilot was about AI assisting individual workers, Agent 365 is about AI acting as a worker. That distinction matters more than it might seem at first.
For years, Microsoft’s security stack was designed entirely around human actors. Entra ID manages human identities. Conditional Access controls what human users can do. Purview tracks what data human users touch. Defender watches for threats targeting human-driven workflows. None of these tools was built for non-human actors operating autonomously inside your environment.
Now imagine you’ve deployed a dozen agents across your organisation. One handles meeting prep, pulling from Outlook and SharePoint. Another monitors loan pipelines and sends Teams messages. A third drafts emails to clients. Each one has an identity, data access, and the ability to take action. And until Agent 365, there was no single place to see all of them, govern their permissions, or detect when one was behaving anomalously.
That’s the gap Agent 365 fills. It provides three things:
Identity: Every Agent Gets a Name and a Leash
Through Entra, every agent deployed in your environment gets its own identity, scoped permissions, and policy coverage under the same conditional access and least-privilege principles you apply to human users. Think of it as onboarding an employee: you wouldn’t give a new hire admin access to every system on day one. Same principle applies here.
Data Governance: Purview Comes to Agent Activity
Microsoft Purview Insider Risk Management now extends its coverage to agent activity. That includes a dedicated “Risky AI usage” policy template to detect prompt injection attempts, unauthorised access to protected materials, and data leakage originating from agent actions. Signals from this feed into Microsoft Defender XDR for a consolidated view of AI-related risk.
For organisations in regulated industries, this is meaningful. Having audit-ready logs of what an agent touched, when, and why is not optional. It’s a compliance requirement.
Threat Detection: Defender for the Non-Human Layer
Agent 365 introduces Defender protections specifically designed for AI-native threats: prompt manipulation, model tampering, and agent-based attack chains. Security posture management for Foundry and Copilot Studio agents can detect misconfigurations before they become exploitable.
One important caveat here: as of the May 1 GA date, some of these detection capabilities will still be in public preview. Runtime threat protection via the Agent 365 tools gateway enters public preview in April 2026. Security posture management for Foundry and Copilot Studio agents stays in preview until at least May 1. If you’re buying E7 on day one expecting a complete detection story, you’ll be partially disappointed.
The Agent Registry: Seeing What You’ve Already Built
The Agent Registry gives IT teams a centralised inventory of every agent in your environment, whether it was built with Microsoft AI platforms, deployed by an ecosystem partner, or registered manually through the API. IT sees this in the Microsoft 365 Admin Center. Security teams see the same inventory inside Defender and Purview workflows. Same data, same agents, surfaced in the tools each team already uses.
This unified visibility is genuinely useful. The alternative, which is what most organisations are living with right now, is agents scattered across Copilot Studio, Teams, SharePoint, and third-party platforms, with no single owner and no audit trail.
Work IQ: The Intelligence Layer Nobody Talks About
Work IQ ingests signals from Outlook, Teams, SharePoint, and OneDrive to build a semantic graph of how work flows across your organisation. It maps relationships between people, projects, documents, and timelines. Over time, it develops a working model of how individuals and teams operate, who they work with, and what context is relevant to their current task.
This is what allows Copilot to suggest next steps that are actually relevant, rather than generic. It’s also what allows agents to reason across your data rather than just executing isolated commands.
Microsoft runs Work IQ entirely within the customer’s Microsoft 365 tenant. So the data never leaves your environment, and it operates under your existing enterprise data protection policies.
Copilot Cowork: Long-Running Tasks, Not Just Prompts
This is where the Anthropic partnership comes in. For customers on E7 or the standalone Copilot licence, Cowork uses Anthropic’s Claude for multi-step agentic reasoning. Microsoft has also made Claude available in mainline Copilot Chat through its Frontier program, running alongside OpenAI models. The architecture is now genuinely multi-model, with Copilot picking the best model for the task.
Cowork was demonstrated with four concrete use cases at launch:
- Calendar cleanup. Cowork reviews your Outlook schedule, flags conflicts and low-value meetings, proposes changes, and once you approve, accepts, declines, or reschedules on your behalf while blocking focus time.
- Meeting preparation. It aggregates inputs from emails, past meeting notes, and relevant files to produce a complete meeting packet: briefing document, supporting analysis, a client-ready deck, and a prep block on the calendar.
- Research tasks. Pulling from internal sources and approved external data to synthesise research across multiple documents and threads.
- Cross-functional coordination. Managing handoffs and updates across teams on multi-stakeholder projects.
These aren’t theoretical workflows. I’ve seen organisations spend 45 minutes manually on meeting prep that an agent could compress to a 4-minute review cycle. The ROI at the individual level is real. The question is governance, and that’s exactly what Agent 365 addresses
The Real Cost Conversation
Let’s be direct about pricing because the $99 headline figure is genuinely misleading if you don’t read the footnotes.
$99 is the seat licence, not the total cost.
Agent 365 is a governance and control plane. It does not build agents, and it does not provide compute to run them. Building and running agents happens through Copilot Studio or Microsoft Foundry, and those costs hit your Azure invoice separately as consumption charges.
In Copilot Studio, classic answers cost 1 credit, while agent actions cost 5 credits. Starter packs begin at $200 per month for 25,000 credits. For organisations running agents at scale across multiple business processes, the effective per-user cost can exceed $200 per month in mature deployments.
There’s also the question of whether every user in your organisation needs all four components of E7. Frontline workers, occasional users, and small teams probably don’t need the full bundle. A more targeted approach might be E5 or E3 for the broader workforce, with E7 or standalone Agent 365 reserved for power users in roles where multi-step delegation actually saves meaningful time.
Where E7 genuinely earns its price:
Legal teams reviewing and summarising large document sets. Finance teams running compliance pre-flight checks before submissions. HR running onboarding workflows. Security operations teams triaging alerts. Sales operations managing complex pipeline health. For these roles, the time savings are measurable and the governance requirements are real.
What This Means for Security Architecture
Agents are a new class of identity. They can be compromised through prompt injection. They can be misconfigured to access data they shouldn’t. They can be chained together in ways that amplify the blast radius of a single compromised credential. Traditional IAM, DLP, and EDR tools weren’t built with this in mind.
Some things to think through before committing:
- Prompt injection is now an enterprise policy problem. Entra Internet Access prompt injection protection, which goes GA on March 31, helps block malicious AI prompts across apps and agents by enforcing universal network-level policies. This isn’t a nice-to-have. It’s foundational for any organisation deploying agents that interact with external inputs.
- Over-permission is the single biggest risk in early agent deployments. Before you turn on any agent at scale, do a permission audit. SharePoint and Teams environments that have accumulated years of broad access will give your agents an equally broad footprint. Agents inherit what you give them. Least privilege applies here exactly as it does to human users.
- Vendor concentration is a real concern. When one vendor controls your productivity platform, identity layer, security stack, and AI runtime, the interdependency creates risk. Single-vendor consolidation simplifies management but expands the impact of any outage, breach, or policy change.
- Some capabilities aren’t production-ready yet. Runtime threat protection is entering public preview in April. Security posture management for Foundry and Copilot Studio agents remains in preview on May 1. Buying E7 at GA with an expectation of full security coverage is premature. Build your roadmap around what’s actually available, not what’s planned.
Key Dates to Track
| Milestone | Date |
|---|---|
| Entra Prompt Injection Protection GA | March 31, 2026 |
| Copilot Cowork Research Preview | March 2026 (Frontier program) |
| Purview in Copilot Control System GA | April 2026 |
| Runtime Threat Protection (public preview) | April 2026 |
| Agent 365 GA | May 1, 2026 |
| M365 E7 GA | May 1, 2026 |
| M365 E5 price increase to $60/user/mo | July 1, 2026 |
Getting Started: A Practical Sequence
If you’re evaluating E7 or planning an agent deployment, here’s a reasonable sequence:
- Fix your permission hygiene first. Run a SharePoint and Teams access audit. Agents inherit your existing access model. Clean it up before you automate at scale.
- Define your agent governance policy. Who can build agents? What data can they access? When does a human need to review before an agent acts? Write this down before deploying anything.
- Start with high-ROI, low-risk use cases. Meeting prep, calendar management, and internal document summarisation are good starting points. They save real time and operate on data your organisation already handles routinely.
- Apply for Frontier program access. Pre-GA access to Copilot Cowork is available through the Frontier program now. If you want to pilot before May 1, this is the path.
- Plan your consumption model. Work with your Microsoft account team to model expected Copilot Studio credit usage before it hits your Azure invoice. Surprises here are expensive.
The Bottom Line
For organisations already deep in the Microsoft stack, running E5, scaling Copilot, and hitting the limits of manual governance over a growing agent estate, E7 is a logical next step. The Agent Registry alone fills a gap that most security teams are currently managing through spreadsheets and hope.
For everyone else, the honest advice is to start with Agent 365 as a standalone at $15 per user and understand your governance requirements before paying for the full bundle. The agentic enterprise isn’t a destination you reach by buying a licence. It’s a discipline you build over time.
I help organisations secure their cloud infrastructure and stay ahead of evolving cyber threats. Microsoft MVP and Certified Trainer, author of Mastering Azure Security, and founder of arnav.au ā a platform for practical Cloud, Cybersecurity, DevOps and AI content.