Everything developers need to observe, secure, and govern fleets of AI agents โ from code to runtime. The Foundry Control Plane is the developer-facing counterpart to Agent 365: while Agent 365 gives IT and security teams governance visibility, Foundry Control Plane gives developers the tools to build agents that are secure and compliant by design.
Source: Microsoft Agent 365 Training ยท Microsoft Foundry documentation ยท May 2026
Agent 365 (admin.cloud.microsoft) โ IT administrators and security teams. Observe, govern, and secure all agents at the tenant level. GA May 1, 2026.
Foundry Control Plane (ai.azure.com/foundry) โ Developers and platform engineers. Build, evaluate, monitor, and govern agent fleets from code through production. Announced alongside Agent 365.
Agents built in Foundry are automatically deployed to Agent 365 for IT/security governance. The two planes share the same Entra identity layer โ an agent identity created in Foundry appears in Agent 365.
| Stage | Developer (Foundry Control Plane) | IT/Security (Agent 365) |
|---|---|---|
| Define | Inherit enterprise policies, set guardrails, configure evaluators | Define enterprise policies, set allowed templates |
| Build | Develop with SDK, run evals, integrate Content Safety, AI Red Teaming | โ |
| Approve | Deploy agent to Agent 365 (triggers IT approval workflow) | Onboard agent, apply guardrails, enforce policies |
| Operate | Monitor performance, quality, cost, risk via Foundry dashboards | Monitor all deployed agents: usage, performance, risk |
| Govern | Continuous evaluation, tracing, debugging, A/B experimentation | Manage policies (access, data security, compliance), defend against threats |
Foundry Control Plane provides structured evaluation of agents before and after deployment. Evaluations run locally during development, in CI/CD on every commit, and in production against real user inputs.
| Category | Evaluators | What they measure |
|---|---|---|
| Quality | Groundedness ยท Coherence ยท Fluency ยท Relevance ยท Retrieval Score ยท Similarity ยท NLP Metrics (F1) | Is the agent response accurate, relevant, and well-formed? Does it faithfully use grounded sources? |
| Risk & Safety | Jailbreak Defect ยท Hate and Unfairness ยท Sexual ยท Violence ยท Self-Harm ยท Protected Material ยท Ungrounded Attributes ยท Code Vulnerability | Does the agent produce harmful, unsafe, or legally problematic outputs? Can it be manipulated? |
| Agent-Specific | Intent Resolution ยท Tool Call Accuracy ยท Task Adherence ยท Response Completeness | Does the agent correctly understand user intent, use tools accurately, and complete tasks as instructed? |
Test data: Generate adversarial and non-adversarial test datasets using the Foundry evaluation client library, or upload your own domain-specific prompts.
Evaluator: Metric instructions + Azure OpenAI model โ scores each response with reasoning for human review.
CI/CD integration: Batch evaluation runs on every check-in and deployment. Production evaluations run against real user inputs using traces to debug issues.
A/B experimentation: Compare models, prompts, and workflows at scale before committing to a change.
The Foundry Control Plane includes a built-in AI Red Teaming Agent powered by PyRIT integration. Distinct from running PyRIT manually โ the Foundry Red Teaming Agent is a managed, scheduled service that automatically probes your agents for content risks and security vulnerabilities as part of the development lifecycle.
| Capability | Detail |
|---|---|
| Automated content risk scans | Scheduled adversarial probing across harmful content categories, jailbreak attempts, and sensitive information extraction |
| Evaluate probing success | LLM-as-judge scoring on whether attacks succeeded โ not just whether the attack ran |
| Reporting and logging | Structured findings linked to OWASP LLM Top 10 categories; exportable for compliance evidence |
| PyRIT integration | Built on the same Microsoft PyRIT framework โ 53+ adversarial datasets, 70+ converters, 6 attack strategies |
| When to use | Pre-deployment (gate on result), post-deployment (continuous monitoring), after system prompt changes |
The Foundry Red Teaming Agent is a managed service โ scheduled, governed, and integrated with Foundry observability. PyRIT standalone (Playbook 06) is a flexible research library you wrap yourself for custom CI/CD pipelines. For organisations using Foundry, the managed agent is the right starting point. For custom agents on other platforms, PyRIT standalone is the tool.
Azure AI Content Safety is integrated directly into the Foundry Control Plane, providing the same configurable content filters used by Microsoft's own Copilot products. Applied at both input (prompt) and output (response) layers.
User prompt โ Content Safety evaluates โ Modified/filtered prompt โ Foundry model โ Filtered response โ App response. Purview data governance and Defender threat detection run alongside this pipeline โ not instead of it.
Foundry Control Plane provides comprehensive tracing of every agent action โ enabling debugging, performance optimisation, and accountability. All traces are stored and queryable, forming an audit trail of what the agent did and why.
| Layer | What is traced | Why it matters for security |
|---|---|---|
| Model inference | Every LLM call: model, tokens, latency, prompt, response | Detects unusual inference patterns, cost anomalies, model substitution |
| Tool invocations | Every tool/MCP call: name, parameters, result, duration | ATG blocks happen here; traces show what was attempted vs blocked |
| Memory operations | Reads/writes to agent memory (Dataverse) | Memory is a persistent data store โ sensitive context accumulates over sessions |
| Agent-to-agent | Orchestrator calls to sub-agents in multi-agent workflows | Lateral movement risk; trust propagation between agents |
| User interactions | Session start/end, message counts, satisfaction signals | Behavioural baseline for ID Protection anomaly detection |
| Control | Detail |
|---|---|
| Managed VNet | AI hub and projects run within a managed virtual network. Private endpoints for all connected resources (Azure Storage, Key Vault, Container Registry, Foundry models). No public internet exposure for managed resources. |
| ExpressRoute / VPN | On-premises connectivity to Foundry via ExpressRoute or VPN Gateway to your Azure VNet. |
| Credential-less storage | Foundry supports credential-less access to Azure Storage and Foundry IQ using managed identity โ no stored secrets, no rotation required. Generally available. |
| Customer-managed encryption | Add your own encryption layer on top of Microsoft-managed encryption. Customer-managed key (CMK) for Blob Storage, Foundry IQ, and Azure CosmosDB resources. |
| Entra Agent ID | Every Foundry agent is automatically provisioned with an Entra Agent Identity. CA for Agents, ID Protection, and lifecycle governance apply at the identity layer. |
The new Foundry projects model significantly simplifies the previous Hub โ Project โ Resource hierarchy that made setup and coding complex.
| Old: Hub + Projects | New: Foundry Projects | |
|---|---|---|
| Entry point | AI Hub โ Projects โ Multiple SDKs | Single Foundry Resource โ Foundry SDK or API |
| Resources | Many different resources needed upfront | Multi-tenant services by default; attach dedicated resources optionally |
| SDK | Azure ML SDK, Azure OpenAI SDK, various others | Single Foundry SDK (or Azure OpenAI SDK for compatibility) |
| Optional attachments | All required | Azure OpenAI, AI Search, Storage, Fabric, Azure Monitor โ attach as needed |
| Scale | Complex enterprise configuration required from start | Start simple, add enterprise controls as needed |
Microsoft Purview Data Security Investigations (Preview) is a three-stage workflow for investigating data security incidents involving AI โ enabling security teams to find impacted data, analyse risks, and coordinate remediation without moving data between tools.
| Stage | What you do | Key capability |
|---|---|---|
| 1 โ Identify | Find incident-relevant data across the M365 estate | Search documents, emails, Copilot prompts/responses, and Teams messages. Launch directly from a Purview IRM case or a Defender XDR incident โ pre-scoped to relevant data. |
| 2 โ Investigate | Analyse impacted data for security risks | AI-powered content categorisation, severity assessment, vector search (find all content related to a subject based on context and meaning, not just keywords), key risk identification. |
| 3 โ Mitigate | Coordinate remediation across teams | View data/user/activity correlations, create a mitigation plan, add reviewers from partner teams securely, use incident learnings to improve security practices. |
Advanced Hunting (AIAgentsInfo, CloudAppEvents) gives you metadata and telemetry. Purview Data Security Investigations gives you the actual content โ prompt text, response text, document content, emails โ with AI-powered analysis to understand what sensitive data was exposed and to whom. The two tools are complementary: use Advanced Hunting to detect the incident, Purview DSI to investigate what was actually in the data.
The AI Baseline assessment in Microsoft Compliance Manager provides an out-of-the-box trust assessment that automatically evaluates your AI deployment against global AI regulations (EU AI Act, NIST AI RMF) and surfaces gaps with recommended remediation actions.
Agent 365 provides a managed MCP tooling gateway that integrates certified tools for a consistent developer and governance experience. These tools are available to agents built with any SDK โ Foundry, Copilot Studio, LangChain, or custom.
| Category | MCP Tool | Key capabilities | Typical use |
|---|---|---|---|
| Search & AI | Copilot Search | Chat, multi-turn conversations, grounding with files | Knowledge retrieval |
| Business Data | Dataverse | Dynamics 365 CRUD operations, domain actions | Business workflows |
| Communication | Outlook Mail & Calendar ยท Microsoft Teams | Messaging, meetings, channel operations | Collaboration |
| Content & Files | SharePoint ยท OneDrive | Upload, search, metadata management, lists | Content management |
| Identity | User Profile | Manager reports, profile lookup, org chart | Organisational context |
| Documents | Microsoft Word | Create/read documents, comments | Document workflows |
Central admin control: Admins manage MCP servers via Microsoft 365 admin center โ blocking a server blocks it for all users and agents.
Scoped permissions: Each MCP server = one app permission requiring admin consent during onboarding.
Observability: Full tool call tracing โ tool invoked, parameters, execution outcome.
Security: Rate limits, payload checks, security scans on all MCP traffic.
Admin tasks: View activated MCP servers, allow/block servers, apply scoped permissions.
Source: Agent 365 Training Day 3 โ Module 5
| Step | Action | Detail |
|---|---|---|
| 1 | Enable Internet Access traffic forwarding | Global Secure Access โ Traffic forwarding โ Enable Internet Access profile. Routes internet traffic through GSA client for inspection. |
| 2 | Assign users and groups | Assign the Internet Access profile to target users/groups. Can scope to specific users for phased rollout or POC before tenant-wide deployment. |
| 3 | Install the GSA client | Deploy Global Secure Access client to user devices. Verify in Connections view: Status should show connected, Channels configured. |
| 4 | Access Shadow AI discovery | Global Secure Access portal โ App discovery โ Use Generative AI apps filter. See detected AI applications with usage statistics and risk scores. |