Everything developers need to observe, secure, and govern fleets of AI agents, from code to runtime. The Foundry Control Plane is the developer-facing counterpart to Agent 365: while Agent 365 gives IT and security teams governance visibility, Foundry Control Plane gives developers the tools to build agents that are secure and compliant by design.
Source: Microsoft Agent 365 Training · Microsoft Foundry documentation · May 2026
Agent 365 (admin.cloud.microsoft): IT administrators and security teams. Observe, govern, and secure all agents at the tenant level. GA May 1, 2026.
Foundry Control Plane (ai.azure.com/foundry): Developers and platform engineers. Build, evaluate, monitor, and govern agent fleets from code through production. Announced alongside Agent 365.
Agents built in Foundry are automatically deployed to Agent 365 for IT/security governance. The two planes share the same Entra identity layer: an agent identity created in Foundry appears in Agent 365.
As of Q4 2025, Microsoft has standardised on the name Microsoft Foundry across Learn documentation. Older content and some URLs still reference "Azure AI Foundry"; they refer to the same product. The portal URL ai.azure.com remains active. Where older Microsoft content links say "Azure AI Foundry," current Learn uses "Microsoft Foundry". This site uses the new name throughout.
Foundry Control Plane capabilities are organised under the Operate toolbar in the Foundry portal. Each pane is designed around a specific job: Overview (fleet health, alert summaries, compliance metrics at a glance) · Assets (unified searchable agent/model/tool inventory across projects with health indicators) · Compliance (define and enforce guardrail policies; integrates with Azure Policy, Defender, Purview; supports versioned policies and bulk remediation) · Quota (view, adjust, request) · Monitoring (Application Insights integration; fleet-wide health metrics; cost tracking; anomaly detection). Source: What is Microsoft Foundry Control Plane?
Two new Purview → Foundry capabilities landed in the June 2026 wave:
① Purview insights embedded in Foundry Control Plane (GA): security-relevant telemetry surfaces directly in the developer workflow without leaving Foundry. Three signals appear: detected sensitive data in agent interactions, share of interactions involving sensitive content, and high-risk user indicators. Pushes risk discovery earlier in the build cycle so developers can adjust agent configurations before code reaches production. Generally available on launch, which is meaningful because it removes the "wait until Purview admin reports the problem" delay.
② DLP runtime controls for Foundry (Public Preview): inline DLP protection in Foundry's prompt handling. Sensitive Information Types (PII, financial data, custom SITs) are detected during execution; the system can block the request from being processed. Enforces consistent DLP regardless of how the agent or app on Foundry is built. Pairs naturally with the runtime evaluation framework already used for the nine continuous-evaluation dimensions described below.
Microsoft's announcement uses the legacy "Azure AI Foundry" name, the same product as Microsoft Foundry (consolidated naming in Q4 2025).
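
The DLP runtime control described above can be pictured as a gate in front of the model call. The following is an added example, not Microsoft's or Purview's code: the two patterns, the function names, the `model` callable and the sample prompts are constructed for illustration, and a Luhn check is used to cut false positives on card-like digit runs.

```python
import re

# Constructed patterns for illustration; these are not Purview's SIT definitions.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # card-like digit run
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # US SSN layout


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def detect_sits(prompt: str) -> list:
    """Return the names of the sensitive information types found in a prompt."""
    found = []
    for match in CARD_RE.finditer(prompt):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            found.append("credit_card")
            break
    if SSN_RE.search(prompt):
        found.append("us_ssn")
    return found


def handle_prompt(prompt: str, model) -> dict:
    """Inline gate: `model` (a stand-in callable) never sees a blocked prompt."""
    sits = detect_sits(prompt)
    if sits:
        return {"action": "block", "sits": sits, "response": None}
    return {"action": "allow", "sits": [], "response": model(prompt)}


if __name__ == "__main__":
    echo = lambda p: f"model saw: {p}"
    print(handle_prompt("Refund card 4111 1111 1111 1111 today", echo))
    print(handle_prompt("Track order 1234 5678 9012 3456", echo))
```

The second sample prompt contains a 16-digit order number that fails the checksum, so it is allowed through; pattern matching alone would have blocked it.
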
For cloud deployment of agents, Foundry Agent Service hosted agents (Public Preview) provides the same containment model that Microsoft Execution Containers (MXC) provides on Windows: instant-on sandboxes per agent. Each agent runs in its own isolated execution boundary; no shared runtime state with other agents in the tenant; spin-up cost amortised across the platform rather than the developer's project.
Why this matters architecturally: it removes what used to be real friction in agent deployments. Provisioning and maintaining agent compute infrastructure (App Service plans, Functions hosts, custom containers) was a meaningful tax on small-team agent projects. With Foundry Agent Service, the runtime layer is platform-provided and consistent with Agent 365's identity, observability, and governance plane. The control plane stays the same regardless of where the agent is hosted (local MXC, hosted Foundry Agent Service, or Windows 365 for Agents).
| Stage | Developer (Foundry Control Plane) | IT/Security (Agent 365) |
|---|---|---|
| Define | Inherit enterprise policies, set guardrails, configure evaluators | Define enterprise policies, set allowed templates |
| Build | Develop with SDK, run evals, integrate Content Safety, AI Red Teaming | - |
| Approve | Deploy agent to Agent 365 (triggers IT approval workflow) | Onboard agent, apply guardrails, enforce policies |
| Operate | Monitor performance, quality, cost, risk via Foundry dashboards | Monitor all deployed agents: usage, performance, risk |
| Govern | Continuous evaluation, tracing, debugging, A/B experimentation | Manage policies (access, data security, compliance), defend against threats |
Foundry Control Plane provides structured evaluation of agents before and after deployment. Evaluations run locally during development, in CI/CD on every commit, and in production against real user inputs.
| Category | Evaluators | What they measure |
|---|---|---|
| Quality | Groundedness · Coherence · Fluency · Relevance · Retrieval Score · Similarity · NLP Metrics (F1) | Is the agent response accurate, relevant, and well-formed? Does it faithfully use grounded sources? |
| Risk & Safety | Jailbreak Defect · Hate and Unfairness · Sexual · Violence · Self-Harm · Protected Material · Ungrounded Attributes · Code Vulnerability | Does the agent produce harmful, unsafe, or legally problematic outputs? Can it be manipulated? |
| Agent-Specific | Intent Resolution · Tool Call Accuracy · Task Adherence · Response Completeness | Does the agent correctly understand user intent, use tools accurately, and complete tasks as instructed? |
Test data: Generate adversarial and non-adversarial test datasets using the Foundry evaluation client library, or upload your own domain-specific prompts.
Evaluator: Metric instructions + Azure OpenAI model → scores each response with reasoning for human review.
CI/CD integration: Batch evaluation runs on every check-in and deployment. Production evaluations run against real user inputs using traces to debug issues.
A/B experimentation: Compare models, prompts, and workflows at scale before committing to a change.
The Foundry Control Plane includes a built-in AI Red Teaming Agent powered by PyRIT integration. Unlike running PyRIT manually, the Foundry Red Teaming Agent is a managed, scheduled service that automatically probes your agents for content risks and security vulnerabilities as part of the development lifecycle.
| Capability | Detail |
|---|---|
| Automated content risk scans | Scheduled adversarial probing across harmful content categories, jailbreak attempts, and sensitive information extraction |
| Evaluate probing success | LLM-as-judge scoring on whether attacks succeeded, not just whether the attack ran |
| Reporting and logging | Structured findings linked to OWASP LLM Top 10 categories; exportable for compliance evidence |
| PyRIT integration | Built on the same Microsoft PyRIT framework: 53+ adversarial datasets, 70+ converters, 6 attack strategies |
| When to use | Pre-deployment (gate on result), post-deployment (continuous monitoring), after system prompt changes |
The Foundry Red Teaming Agent is a managed service: scheduled, governed, and integrated with Foundry observability. PyRIT standalone (Playbook 06) is a flexible research library you wrap yourself for custom CI/CD pipelines. For organisations using Foundry, the managed agent is the right starting point. For custom agents on other platforms, PyRIT standalone is the tool.
Azure AI Content Safety is integrated directly into the Foundry Control Plane, providing the same configurable content filters used by Microsoft's own Copilot products. Applied at both input (prompt) and output (response) layers.
User prompt → Content Safety evaluates → Modified/filtered prompt → Foundry model → Filtered response → App response. Purview data governance and Defender threat detection run alongside this pipeline, not instead of it.
Foundry Control Plane provides comprehensive tracing of every agent action, enabling debugging, performance optimisation, and accountability. All traces are stored and queryable, forming an audit trail of what the agent did and why.
| Layer | What is traced | Why it matters for security |
|---|---|---|
| Model inference | Every LLM call: model, tokens, latency, prompt, response | Detects unusual inference patterns, cost anomalies, model substitution |
| Tool invocations | Every tool/MCP call: name, parameters, result, duration | ATG blocks happen here; traces show what was attempted vs blocked |
| Memory operations | Reads/writes to agent memory (Dataverse) | Memory is a persistent data store; sensitive context accumulates over sessions |
| Agent-to-agent | Orchestrator calls to sub-agents in multi-agent workflows | Lateral movement risk; trust propagation between agents |
| User interactions | Session start/end, message counts, satisfaction signals | Behavioural baseline for ID Protection anomaly detection |
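
The security uses in the table's right-hand column can be turned into checks over exported traces. This is an added example, not Foundry code: the record fields, the agent, model and tool names, the allowlists and the threshold are all hypothetical, and it covers three of the five layers (model inference, tool invocations, agent-to-agent).

```python
from collections import Counter

# Constructed trace records. Field names are hypothetical, not the Foundry trace schema.
TRACES = [
    {"layer": "model_inference", "agent": "hr-bot", "model": "approved-model-v1"},
    {"layer": "model_inference", "agent": "hr-bot", "model": "other-model-x"},
    {"layer": "tool_invocation", "agent": "hr-bot", "tool": "files.search", "outcome": "ok"},
    {"layer": "tool_invocation", "agent": "hr-bot", "tool": "mail.send", "outcome": "blocked"},
    {"layer": "tool_invocation", "agent": "hr-bot", "tool": "mail.send", "outcome": "blocked"},
    {"layer": "agent_to_agent", "agent": "orchestrator", "callee": "hr-bot"},
    {"layer": "agent_to_agent", "agent": "orchestrator", "callee": "finance-bot"},
]
APPROVED_MODEL = {"hr-bot": "approved-model-v1"}   # assumed per-agent baseline
ALLOWED_CALLEES = {"orchestrator": {"hr-bot"}}     # assumed delegation allowlist
BLOCK_THRESHOLD = 2                                # assumed alert threshold


def triage(traces):
    """Return (kind, agent, detail) findings for three of the traced layers."""
    findings = []
    blocked = Counter()
    for t in traces:
        layer, agent = t["layer"], t["agent"]
        if layer == "model_inference":
            # Model substitution: inference served by a model outside the baseline.
            expected = APPROVED_MODEL.get(agent)
            if expected is not None and t["model"] != expected:
                findings.append(("model_substitution", agent, t["model"]))
        elif layer == "tool_invocation":
            # Attempted vs blocked: count blocked calls per agent and tool.
            if t["outcome"] == "blocked":
                blocked[(agent, t["tool"])] += 1
        elif layer == "agent_to_agent":
            # Lateral movement: a caller reaching a sub-agent it was never granted.
            if t["callee"] not in ALLOWED_CALLEES.get(agent, set()):
                findings.append(("unexpected_delegation", agent, t["callee"]))
    for (agent, tool), count in sorted(blocked.items()):
        if count >= BLOCK_THRESHOLD:
            findings.append(("repeated_blocked_tool", agent, f"{tool} x{count}"))
    return findings


if __name__ == "__main__":
    for finding in triage(TRACES):
        print(finding)
```

A caller with no entry in the delegation allowlist has every callee flagged, so the check is default-deny.
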
| Control | Detail |
|---|---|
| Managed VNet | AI hub and projects run within a managed virtual network. Private endpoints for all connected resources (Azure Storage, Key Vault, Container Registry, Foundry models). No public internet exposure for managed resources. |
| ExpressRoute / VPN | On-premises connectivity to Foundry via ExpressRoute or VPN Gateway to your Azure VNet. |
| Credential-less storage | Foundry supports credential-less access to Azure Storage and Foundry IQ using managed identity: no stored secrets, no rotation required. Generally available. |
| Customer-managed encryption | Add your own encryption layer on top of Microsoft-managed encryption. Customer-managed key (CMK) for Blob Storage, Foundry IQ, and Azure CosmosDB resources. |
| Entra Agent ID | Every Foundry agent is automatically provisioned with an Entra Agent Identity. CA for Agents, ID Protection, and lifecycle governance apply at the identity layer. |
The new Foundry projects model significantly simplifies the previous Hub → Project → Resource hierarchy that made setup and coding complex.
| | Old: Hub + Projects | New: Foundry Projects |
|---|---|---|
| Entry point | AI Hub → Projects → Multiple SDKs | Single Foundry Resource → Foundry SDK or API |
| Resources | Many different resources needed upfront | Multi-tenant services by default; attach dedicated resources optionally |
| SDK | Azure ML SDK, Azure OpenAI SDK, various others | Single Foundry SDK (or Azure OpenAI SDK for compatibility) |
| Optional attachments | All required | Azure OpenAI, AI Search, Storage, Fabric, Azure Monitor: attach as needed |
| Scale | Complex enterprise configuration required from start | Start simple, add enterprise controls as needed |
Microsoft Purview Data Security Investigations (Preview) is a three-stage workflow for investigating data security incidents involving AI, enabling security teams to find impacted data, analyse risks, and coordinate remediation without moving data between tools.
| Stage | What you do | Key capability |
|---|---|---|
| 1 - Identify | Find incident-relevant data across the M365 estate | Search documents, emails, Copilot prompts/responses, and Teams messages. Launch directly from a Purview IRM case or a Defender XDR incident, pre-scoped to relevant data. |
| 2 - Investigate | Analyse impacted data for security risks | AI-powered content categorisation, severity assessment, vector search (find all content related to a subject based on context and meaning, not just keywords), key risk identification. |
| 3 - Mitigate | Coordinate remediation across teams | View data/user/activity correlations, create a mitigation plan, add reviewers from partner teams securely, use incident learnings to improve security practices. |
Advanced Hunting (AgentsInfo, CloudAppEvents) gives you metadata and telemetry. Purview Data Security Investigations gives you the actual content (prompt text, response text, document content, emails) with AI-powered analysis to understand what sensitive data was exposed and to whom. The two tools are complementary: use Advanced Hunting to detect the incident, Purview DSI to investigate what was actually in the data.
The AI Baseline assessment in Microsoft Compliance Manager provides an out-of-the-box trust assessment that automatically evaluates your AI deployment against global AI regulations (EU AI Act, NIST AI RMF) and surfaces gaps with recommended remediation actions.
Agent 365 provides a managed MCP tooling gateway that integrates certified tools for a consistent developer and governance experience. These tools are available to agents built with any SDK: Foundry, Copilot Studio, LangChain, or custom.
| Category | MCP Tool (Work IQ naming) | Key capabilities | Typical use |
|---|---|---|---|
| Search & AI | Work IQ Copilot (was: Copilot Search) | Chat, multi-turn conversations, grounding with files | Knowledge retrieval |
| Business Data | Dataverse | Dynamics 365 CRUD operations, domain actions | Business workflows |
| Communication | Work IQ Calendar · Work IQ Teams (was: Outlook/Teams MCP) | Messaging, meetings, channel operations | Collaboration |
| Content & Files | Work IQ SharePoint Lists · Work IQ SharePoint & OneDrive (Frontier) | Upload, search, metadata management, lists | Content management |
| Identity | User Profile | Manager reports, profile lookup, org chart | Organisational context |
| Documents | Microsoft Word | Create/read documents, comments | Document workflows |
⚠️ Note: Microsoft is renaming MCP servers to Work IQ branding. Existing connections using previous names (e.g. Microsoft Teams MCP Server) remain supported. For new connections, use the Work IQ named servers. Source: Microsoft Learn, Work IQ MCP overview.
Central admin control: Admins manage MCP servers via Microsoft 365 admin center; blocking a server blocks it for all users and agents.
Scoped permissions: Each MCP server = one app permission requiring admin consent during onboarding.
Observability: Full tool call tracing: tool invoked, parameters, execution outcome.
Security: Rate limits, payload checks, security scans on all MCP traffic.
Admin tasks: View activated MCP servers, allow/block servers, apply scoped permissions.
Source: Agent 365 Training Day 3, Module 5
| Step | Action | Detail |
|---|---|---|
| 1 | Enable Internet Access traffic forwarding | Global Secure Access → Traffic forwarding → Enable Internet Access profile. Routes internet traffic through GSA client for inspection. |
| 2 | Assign users and groups | Assign the Internet Access profile to target users/groups. Can scope to specific users for phased rollout or POC before tenant-wide deployment. |
| 3 | Install the GSA client | Deploy Global Secure Access client to user devices. Verify in Connections view: Status should show connected, Channels configured. |
| 4 | Access Shadow AI discovery | Global Secure Access portal → App discovery → Use Generative AI apps filter. See detected AI applications with usage statistics and risk scores. |