Governance built into the foundation of your agent program is what separates a successful production deployment from one that stalls—or fails publicly. This guide explains how to design, manage, and scale customer-facing, real-time voice agents using Microsoft Copilot Studio, with a focus on governance, reliability, and enterprise readiness.

Imagine a customer calling your contact center about a billing dispute. A real-time voice agent answers, identifies the customer, references their account history, resolves the issue, and—when needed—hands off to a live agent with full context preserved. Human agents focus on exceptions, not routine queries.

Now imagine that same scenario without agent governance. The agent was built, published directly to production, and never tested for escalation. Monitoring was not enabled. The first signal of a problem is a customer complaint—or a data exposure.

Customer-facing agents are becoming the front door for how organizations engage with customers, handling intent and outcomes across conversational AI experiences. What began as chat has evolved into always-on agents that resolve issues, take action, and now support real-time voice across digital and contact center environments using platforms like Copilot Studio. The opportunity is massive—but so is the cost of getting the foundation wrong. Just as self-service and Q&A agents redefined support at scale, this shift will fundamentally reshape how companies operate.

Why real-time voice agents require a different governance lens

Most organizations already govern internal AI tools designed for known users and controlled environments. Customer-facing agents operate under fundamentally different conditions. There are unknown users, public channels, brand exposure, and direct access to customer data and downstream systems. Failures in these customer experience events mean operational, regulatory, and reputational consequences.

This is why governance cannot be treated as a final approval step. As real-time voice agents scale, governance must be built into how they are designed, deployed, monitored, and evolved from the start. Organizations that treat governance as an accelerant—rather than a constraint—can move faster and more confidently than those who bolt it on later.

Principle: Governance as a design principle can streamline approval, which leads to accelerated scale and adoption.

Why real-time voice agents raise the stakes

Text‑based agents require governance, but real‑time voice introduces stricter operational constraints. Latency budgets are tighter, failures are immediately apparent to customers, and interruption handling, turn‑taking, session state, and escalation behavior directly affect service reliability.

Voice agents are typically deployed in high‑impact scenarios such as billing, orders, and service disruptions, where they integrate with Dynamics 365 Contact Center workflows. In these environments, agents must identify callers, reference active cases, execute actions, and escalate predictably.

For real‑time voice, escalation is a first‑class system requirement. Handoffs to human agents must preserve full conversational context and session state, and be validated under load before production traffic is routed.

Model selection also becomes operationally significant. Copilot Studio real‑time voice agents use purpose‑fit models to balance latency, quality, and reliability while remaining governed through a centralized control plane.

What good looks like: A production voice agent deployment has been tested for escalation behavior, latency under load, and handoff context preservation before any customer traffic is routed to it. Monitoring is active from day one, not added after the first incident.

A governance framework for the full agent lifecycle

Governing customer-facing agents effectively requires capabilities that span the full agent lifecycle. This is especially critical for business-to-consumer (B2C) agents, which operate in always-on, customer-facing contexts and must handle real-time interactions, actions, and sensitive data at scale—particularly in high‑stakes modalities like voice.

Copilot Studio provides this governance as a managed agent platform, enforcing controls through managed operations and managed security across the full lifecycle. That goes from build access and data connectivity to release, monitoring, and auditability. Rather than relying on documentation or custom wiring, governance is centralized in the Microsoft Power Platform control plane and consistently applied across chat, voice, and contact center scenarios.

The following five‑stage governance framework reflects how managed capabilities come together across the full lifecycle of customer-facing agents:

1. Govern the builder
2. Govern the build
3. Govern the release
4. Govern the runtime
5. Govern the lifecycle

Stage 1: Govern the builder

Before a single topic is created, agent governance starts with who is allowed to build and what they are allowed to connect.

• Define builder roles and environments. Specify who can create agents and which environments they can work in, using role‑based access in the Power Platform admin center.
• Set data access boundaries early. Apply data loss prevention (DLP) policies before development to determine which connectors and data sources agents can use.
• Maintain environment separation. Use distinct development, test, and production environments to validate changes before deploying them to customer‑facing scenarios.
• Standardize on managed solutions. Package agents in managed solutions to support versioning, controlled promotion, and rollback across environments.

What good looks like: A new agent builder requests access and is provisioned into a dedicated development environment. DLP policies are pre-applied. They cannot publish to any customer-facing channel without an administrator approval step.

Stage 2: Govern the build

How an agent is built determines how safe and predictable it is in production.

• Configure authentication by channel. Decide whether sessions are authenticated (Microsoft Entra ID or supported identity provider [IdP]) or anonymous, and design data access accordingly. (For public-facing scenarios like 800 numbers and public websites, anonymous real-time voice sessions are common.)
• Set generative AI behavior explicitly. Define and check grounding, topic scope, and allowed behaviors rather than relying on default settings.
• Validate escalation paths. Test and verify handoff to live agents with full conversation context preserved for all voice scenarios.
• Apply content moderation intentionally. Define clear engagement boundaries, enforce agent governance and policy controls, and rigorously red‑team and validate edge cases before deploying to production.

What good looks like: Testing escalation paths before publishing an agent to a customer-facing channel, so you can go live with more confidence. Catching errors before the first live escalation is critical to creating a good customer experience.

Stage 3: Govern the release

Moving an agent from development to production requires controlled, auditable steps.

• Standardize promotion paths. Promote agents through dev, test, and production using managed solutions and Power Platform pipelines with an auditable change history.
• Apply pre‑production validation gates. Require checks for conversation quality, escalation behavior, latency under load, and data access before publishing.
• Plan and test rollback. Define and validate rollback procedures for production issues prior to go‑live.
• Separate publish authorization. Require explicit approval to publish agents to customer‑facing channels, independent of build permissions.

What good looks like: An agent must pass a defined pre-production checklist and receive administrator approval to publish before any customer traffic reaches it. Every version promotion is tracked in the solution history.

Stage 4: Govern the runtime

Once an agent is live, governance shifts from control to visibility and response.

• Enable runtime observability. Turn on conversation transcripts and analytics in Copilot Studio before routing customer traffic.
• Define operational thresholds. Monitor metrics such as escalation rate, resolution rate, latency, and session completion, with alerts for deviations.
• Establish incident response. Define processes for detecting, triaging, and mitigating production issues in voice agents integrated with Dynamics 365 Contact Center.
• Monitor usage and capacity. Track session volume, message consumption, and capacity limits to support scaling and stability.

What good looks like: Early detection through active monitoring. Voice agents that interact with customers without active monitoring are operating without a safety net. Issues that could persist for hours without analytics can be caught in minutes with these guards in place.

Stage 5: Govern the lifecycle

Voice agents are not static. They evolve as scenarios expand, customer needs change, and the platform advances. Managing change safely is as important as the initial deployment.

• Version agent configuration. Track changes to topics, actions, authentication, and generative AI settings using application lifecycle management (ALM) and source control.
• Validate changes pre‑production. Test all updates in non‑production environments to avoid regressions in core scenarios, including voice flows and escalation behavior.
• Coordinate releases operationally. Communicate deployment windows to IT and contact center operations teams.
• Evolve governance as scale grows. Reassess role-based access control (RBAC), DLP policies, environment strategy, and publishing permissions as agent count and channel coverage expand.

Platform capabilities that support agent governance

Copilot Studio provides a centralized control plane for building, operating, and governing customer‑facing agents. The platform capabilities below directly enable the governance framework described above and should be configured before scaling B2C deployments:

• Power Platform admin center: Central governance surface for environments, DLP policies, user access, and capacity management; the primary enforcement layer for agent governance.
• Environment management: Separate development, test, and production environments to support validation and controlled promotion of customer‑facing agents.
• Data loss prevention (DLP) policies: Environment‑level connector controls that define which data sources and services agents can access before any connections are established.
• Managed solutions and Power Platform pipelines: Package agents as managed solutions and promote them through environments with version tracking, rollback support, and an auditable change history.
• Microsoft Entra ID and channel authentication: Configure customer‑facing authentication using Entra ID or supported identity providers to enable secure, scoped access to customer data.
• Generative AI controls and content moderation: Per‑agent configuration for grounding, topic scope, allowed behaviors, and content filtering, applied deliberately prior to public deployment.
• Conversation transcripts and analytics: Built‑in logging and analytics providing runtime visibility into agent behavior, escalation patterns, and coverage gaps.
• Dynamics 365 Contact Center integration: Native escalation to live agents with case context preservation and unified conversation history for voice deployments.
• Azure Speech: Underlying speech infrastructure for real‑time voice agents, with implications for latency, reliability, and capacity planning.
• Dataverse security model: Row‑level and business‑unit security controls governing agent access to customer records in Dynamics‑integrated scenarios.

Security, privacy, and compliance for customer-facing agents

For IT and security teams, governance of customer-facing agents must also address data handling, regulatory requirements, and audit readiness. These are not secondary concerns—they’re often the first gate any enterprise B2C deployment must pass through.

Customer data and PII in voice interactions

Real-time voice agents generate conversation transcripts that may contain personally identifiable information. Establish clear retention policies for these transcripts before deployment. Define who has access to conversation logs, how long they are retained, and whether they are subject to deletion requests under applicable privacy regulations.

Regulatory considerations

Depending on your industry and geography, customer-facing AI agents may be subject to requirements under General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), or sector-specific regulations in financial services or healthcare. Review applicable requirements with your legal and compliance teams before deploying agents to regulated customer scenarios. DLP policies in the Power Platform admin center are a key compliance control.

Audit logging and compliance evidence

Power Platform and Copilot Studio support audit logging through Microsoft Purview and the Power Platform admin center. Ensure audit logging is enabled before production deployment and that logs are retained according to your organization’s compliance requirements.

Credential and secret management

Agents that connect to external systems require credentials and connection strings. Do not store secrets in agent configuration directly. Use environment variables in Power Platform or Azure Key Vault references to manage credentials securely, with access controlled through role assignments.

Note for architects: Security and compliance review should be a gate in Stage 3 (govern the release), not an afterthought discovered during audit. Engage your security and compliance teams in the pre-production validation checklist.

Five anti-patterns that derail production AI deployments

Organizations that have scaled B2C agents successfully tend to have avoided the same set of avoidable mistakes. These are the patterns most likely to cause problems once customer traffic is live.

1. Skipping environment separation: Building and publishing agents in the same environment, or directly in production, allows untested changes to reach customers and is one of the most common causes of early deployment issues.
2. Publishing voice agents without tested escalation: Escalation to a live agent is a core part of voice agent design. Untested handoff paths that fail to preserve customer context degrade the experience more than having no agent at all.
3. Granting broad DLP exceptions under schedule pressure: Temporarily relaxing DLP policies often becomes permanent, introducing data access risk and audit gaps that are difficult to remediate later.
4. Treating monitoring as a post‑launch activity: When transcripts, analytics, and alerts are not enabled before go‑live, production issues surface through customer complaints rather than operational signals.
5. Building open‑ended agents without defined scope: Broad, general‑purpose agents are harder to test, govern, and improve than agents scoped to specific customer scenarios with clear success criteria.

How to operationalize voice agents

As teams move from pilots to production, a small set of patterns consistently differentiates voice agent deployments that scale.

• Start with well‑defined customer scenarios rather than broad open‑ended agents. Clear scope simplifies risk assessment, testing, and measurement. A voice agent designed for order status or billing inquiries is easier to govern and iterate on than one intended to answer arbitrary customer questions.
• Treat real‑time voice as an extension of existing digital agent governance, not an exception. Teams that have already governed chat‑based agents in Copilot Studio are well positioned to apply the same controls to voice, while accounting for stricter latency, escalation, and runtime requirements.
• Design escalation as a primary flow, not a fallback. Agents integrated with Dynamics 365 Contact Center should preserve full conversational and case context on handoff. Predictable escalation maintains continuity; dropped context undermines trust.
• As programs scale, three governance questions remain central:
  • Which customer scenarios are appropriate for automation versus human handling?
  • Where does real‑time voice materially improve the experience versus add operational complexity?
  • How quickly can production issues be detected and resolved once agents are live?

Using Copilot Studio as a governance foundation for agents

Copilot Studio and Power Platform provide a centralized environment for building, operating, and governing agents, which becomes increasingly important as deployments expand from internal use cases to customer‑facing channels.

Establish governance once in Copilot Studio, and scale it across chat, voice, and backend‑driven agents without fragmentation. As a centralized control plane, the platform helps you enforce consistent policies and maintain operational oversight as agents expand across channels, regions, and customer scenarios.

For organizations already using Copilot Studio, many of the governance capabilities described here are available today. Support for real-time voice agents in Copilot Studio is now generally available in North America, with deployments delivered first through Dynamics 365 Contact Center. Language support, additional regions, and broader publishing channels will expand over time as part of Copilot Studio’s ongoing roadmap.

Learn more in the announcement blog for real-time voice agents.

Governance readiness checklist for customer-facing voice agents

Before deploying a customer-facing or real-time voice agent to production, verify governance readiness across these core dimensions.

Access and environment

• Separate development, test, and production environments are provisioned
• Role-based access is configured—developers cannot publish directly to production
• Advanced connector policy is applied to all environments before development begins
• Publishing permissions for customer-facing channels require administrator approval

Build and configuration

• Authentication and identity are configured appropriately for the channel (authenticated or anonymous)
• Generative AI settings, grounding, and content moderation are configured deliberately
• Credential and secret management uses environment variables or Azure Key Vault references
• The agent is packaged in a managed solution with tracked versioning

Testing and release

• Escalation paths to live agents have been tested with context preservation verified
• Latency and behavior have been validated under simulated load
• A pre-production validation checklist has been completed and signed off
• A rollback procedure has been defined and tested
• Audit logging is enabled and log retention meets compliance requirements

Runtime and operations

• Conversation transcripts and analytics are active before first customer interaction
• Operational thresholds (escalation rate, session completion rate) are defined with alerts
• An incident response procedure is defined and communicated to operations teams
• Usage and consumption monitoring is in place for capacity planning
• A change management process is defined for updating live agents

Getting started with customer-facing agents

Organizations ready to operationalize B2C agents should begin with the following steps:

• Align on priority scenarios. Agree on customer scenarios, scope, success criteria, and escalation requirements before any development begins.
• Set up environments and governance. Configure separate dev, test, and production environments and apply DLP policies before granting developer access. Define role‑based access and require administrator approval for publishing to customer‑facing channels.
• Engage security and compliance early. Review applicable regulatory requirements and establish data retention policies for conversation transcripts.
• Build and validate deliberately. Start with a scoped agent, use managed solutions, and be sure to test and verify escalation paths.
• Confirm readiness before go‑live. Complete the governance readiness checklist and enable monitoring and escalation thresholds prior to routing customer traffic.

With the right foundation in place, teams can scale customer‑facing and real‑time voice agents—while maintaining the reliability, security, and operational integrity IT teams are responsible for protecting.

Resources for governing AI agents

• An overview of real-time voice agents in Copilot Studio
• Extend AI voice support: Introducing real-time voice agents in Microsoft Copilot Studio
• Power Platform admin center documentation
• Dynamics 365 Contact Center documentation

The post The in-depth guide to managing real-time voice agents at scale appeared first on Microsoft Copilot Blog.

As organizations scale their use of AI agents, IT teams face a familiar challenge: how do you expand automation without losing control? Individual agents can be powerful, but as they connect through workflows and integrate across systems, requirements for visibility, governance, and predictability become much more complex. And capability must be grounded in confidence.

The April 2026 updates in Microsoft Copilot Studio focus on building that confidence across the platform. From increasing visibility and governance for admins to expanding intelligent workflow capabilities, these features help you move from isolated automation to connected, reliable systems.

Build and scale agents with better visibility and control

As agents expand across organizations and business processes, admins need clear visibility into how they’re performing, how they’re secured, and what they’ll cost to run. These updates help you manage agents more effectively without adding more friction—or risk.

See agent performance and status more clearly

Copilot Studio now surfaces agent status directly in the authoring experience, giving you immediate insight into each agent’s security and protection posture. You can quickly identify issues like authentication gaps or policy impacts and investigate them at the source. This helps reduce guesswork and speed up resolution.

As you gain clearer visibility into agent performance, you can also share those insights more safely. The Analytics Viewer role, now generally available, introduces read-only access to an agent’s Analytics page.

The Analytics Viewer role allows us to provide meaningful performance insights to business and operational stakeholders while maintaining strict production governance. It cleanly separates operational visibility from agent configuration and publishing rights.

—Mohamed Arhab, Solution Architect, City of Montreal

Allowing analysts and stakeholders to monitor performance, without giving them the ability to modify the agent, helps resolve a long-standing tradeoff between visibility and control. Now it’s easier to share insights broadly while maintaining clear separation of responsibilities.

Speaking of extending visibility and control, there’s more good news: Microsoft Agent 365 is now generally available. Agent 365 is the centralized control plane for managing agents across your environment. This brings together visibility into agent inventory, permissions, behavior, and activity in one place so that you can monitor and govern agents consistently, not just where they’re built.

For Copilot Studio customers, this means the agents you create can be managed alongside agents from Microsoft 365 and partner ecosystems, with shared policies, security controls, and lifecycle oversight. As Agent 365 continues to expand its integrations and multi-agent capabilities, it further strengthens Copilot Studio’s role as the place where agents are built—while governance scales across the full system. Learn more about Agent 365.

Plan and scale with clearer cost visibility

The expanded agent usage estimator now includes Dynamics 365 agents, such as Sales Qualification Agent and Customer Service Agent. By forecasting Copilot credit consumption across both Copilot Studio and Dynamics 365 scenarios in one place, you can model usage more accurately and scale deployments—helping avoid unexpected cost surprises.

With these recent admin updates, the result is fewer bottlenecks, better-informed decisions, and a clearer path to scaling agents across your organization.

Expand workflows into intelligent, governed automation systems

In Copilot Studio, workflows are step-by-step automation processes that complete actions or tasks in a deterministic, reliable way. As workflows become the backbone of business automation, these new updates help you extend their capabilities—bringing in more AI-powered reasoning, centralized governance, and a growing ecosystem of tools in a way that’s reliable and secure by design.

Design and validate workflows with more clarity

One powerful way to make your workflows more adaptable and effective is by embedding Copilot Studio agents directly into them. Using agent nodes inside workflows means that instead of just performing the task with rigid logic, the workflow can delegate reasoning, decisions, or output generation to an agent at any prescribed step of the process.

This makes workflows more resilient to real-world situations—which have a lot of variability—while still following the defined structure that make IT teams less nervous.

In addition to embedding agents, you can now also add and configure AI actions directly within the flow to understand requests, route work, and generate content dynamically. And with the ability to test individual steps using sample inputs, teams can validate behavior earlier, debug more effectively, and refine workflows before they’re deployed.

In practice: Unifi, North America’s largest provider of aviation ground handling services, used Copilot Studio and Power Platform to automate legal contract review by combining agents with deterministic workflows. Instead of relying on a single agent, they broke the process into coordinated steps that extract, classify, and validate key terms across documents. This system reduced contract processing from days to minutes and delivers the same level of performance as much more expensive, off-the-shelf products built specifically for the legal industry.

The result is a workflow experience that’s more adaptable and more predictable to operate. This helps give teams—both makers and administrators—more confidence in creating more sophisticated automation that doesn’t sacrifice clarity or control.

Scale workflows across systems with built-in governance

Speaking of clarity and control, there are also new updates to workflows that help you scale automation without introducing new governance risks.

Workflows can now connect to a broader ecosystem of tools, including model context protocol (MCP) server-enabled tools (preview), which makes it easier to take action across systems while staying within Microsoft security, permission, and compliance boundaries. This allows workflows to execute tasks and involve users for review and approval within governed processes.

We’ve also introduced a centralized, admin-controlled environment for Workflows Agent. This makes it easier to apply data loss prevention (DLP) policies consistently and maintain visibility across automation, so workflows remain compliant by design, even as they scale.

Together, these updates make it easier to move from isolated automations to connected, intelligent systems. With those systems, you can scale workflows across your organization with greater confidence, control, and flexibility.

Bring business apps directly into your agents

As agents become part of everyday work, a common gap emerges: they can generate insight, but acting on that insight often requires switching tools, re-creating context, or handing work off across systems. Support for apps in agents, now generally available, helps to close that gap.

Turn intent into action inside Copilot Chat

Agents built in Copilot Studio can now surface rich, interactive app experiences directly in Copilot Chat, allowing users to review data, update records, approve requests, or create assets in place. Instead of switching tools or re-creating context, work happens seamlessly within the flow of conversation. This helps reduce friction and empowers teams to move faster from insight to execution.

Work across the systems your business already runs on

Apps in agents bring together Microsoft and partner applications—from Power Apps to Dynamics 365 and beyond—so agents can take action across the systems your teams already use. These experiences are built and orchestrated in Copilot Studio, where you define how agents interact with apps, data, and workflows to support real business processes.

Extend and scale with trusted integrations

Through the Agent Store, you can adopt ready-made agent experiences or extend your own with partner-built integrations—while maintaining enterprise-grade security, permissions, and admin control. Options include:

• Adobe Express (seen above)
• Box
• Figma
• Monday.com
• Wix

These options (and more) make it easier to scale agent usage across your organization without losing oversight.

These capabilities, all generally available now, help teams shift agents from being informational tools to operational ones. They bring real business actions into Copilot Studio agents in a way that’s both more functional for users and manageable for IT—helping teams complete work efficiently while maintaining the governance needed to scale.

Learn more about apps in agents.

What else is new and improved in Copilot Studio

• Evaluation insights and automation updates now make it easier to generate test cases from analytics, simulate multi-turn interactions, and automate evaluations through APIs and connectors. You can turn real user conversations into targeted test sets, better reflect complex, real-world scenarios, and run evaluations programmatically. Together, these capabilities help you operationalize agent quality and maintain confidence as you scale.
• Custom metrics for outcome-based measurement help you track what actually matters to your business, not just usage. Define success in your own terms—like resolution rates or conversions—and automatically evaluate conversations against those outcomes, making it easier to understand impact, align stakeholders, and make data-driven decisions.
• Work IQ API is now available in public preview to bring Copilot’s intelligence layer—grounded in organizational context, memory, and signals—into your own agents and workflows. With built-in orchestration and enterprise-grade security, you can build agents that understand what’s happening across your business without managing raw data or complex integrations.
• Agent-to-agent (A2A) communication is now supported in Work IQ, allowing agents to collaborate as peers and delegate tasks using shared organizational context. This makes it easier to build multi-agent systems that can coordinate work, maintain context across interactions, and deliver more grounded, role-aware outcomes.
• GPT-5.5 Thinking is now available in Copilot Studio early release cycle environments as GPT-5.5 Reasoning, further expanding model choice with its more advanced analysis capabilities. This model is also rolling out across Microsoft 365 Copilot in Copilot Chat, Word, Excel, and PowerPoint.

Stay up to date on all things Copilot Studio

More is coming across voice channels, workflows, and the building experience. Check out all the updates as we ship them, as well as new features releasing in the next few months here: What’s new in Microsoft Copilot Studio.

To learn more about Microsoft Copilot Studio and how it can transform productivity within your organization, visit the Copilot Studio website or sign up for our free trial today.

The post New and improved: Agent governance, intelligent workflows, and connected app experiences appeared first on Microsoft Copilot Blog.

That’s why we’re excited to announce the general availability of real‑time voice agents in Microsoft Copilot Studio launching in Dynamics 365 Contact Center. These agents are designed for nuanced, high‑impact interactions where voice experiences need to adapt in the moment—while still operating within trusted, enterprise‑grade solutions.

Real-time voice agents build on the momentum of Copilot Studio as a proven, enterprise-scale platform. Over 80% of Fortune 500 companies now have active agents built using our low-code/no-code tools, creating a strong foundation for bringing real-time, conversational voice experiences into their customer workflows.¹ This widespread adoption shows how ready organizations are to extend their existing Copilot-powered agents into natural, responsive voice interactions.

Why AI voice support needs to go off script

For decades, menu‑based interactive voice response (IVR) systems provided predictability, reliability, and compliance at scale. Over time, organizations layered in speech recognition and automation to reduce friction and manage growing call volumes more efficiently. These approaches remain critical today and continue to power successful customer service operations across industries.

What’s changed is not the importance of voice, but the expectations customers now bring into voice interactions. Conversations rarely follow a straight line. Customers interrupt, clarify, change direction mid‑call, or introduce urgency without warning. When that happens, rigid interaction models can struggle to keep up, even when the underlying systems are reliable.

Meanwhile, across industries, contact centers are under pressure to do more with less. Interaction volumes continue to rise, margins are tighter, and customer expectations are shaped by digital experiences that feel fast, personal, and responsive. Many teams are already exploring AI through chatbots, voice automation, or workflow tools, but scaling those experiments into production voice experiences that customers trust is far harder than running a pilot.

Voice, in particular, exposes gaps immediately. Latency, awkward handoffs, or missing context are noticed in real time, often at the most critical moments. That’s why simply adding automation isn’t enough. As organizations move toward agentic, AI‑first service models, voice needs to work as part of a unified service layer: one where understanding, reasoning, and action happen together, and where context carries forward if escalation is required.

Meeting this bar doesn’t require replacing the voice systems that already work. It requires extending them with capabilities designed specifically for live, conversational interactions. This makes it possible to move beyond scripted interactions without treating voice as an isolated AI experiment.

Meet real-time voice agents for AI voice support

Real‑time voice agents represent a new premium mode within voice agents that sits under the broader category of conversational AI. They are optimized for low‑latency, interruptible, speech‑to‑speech conversations with real‑time reasoning. This distinction helps teams choose the right interaction model for each scenario without treating all voice interactions as equal.

These agents can move from intent to action to confirmation within a single interaction. They can retrieve or update information mid‑conversation and take action as the interaction unfolds. Customers can get faster resolution, while service teams can maintain consistent experiences and centralized operational control. This also frees human agents to focus their time and energy on conversations where judgment and empathy matter most.

High-volume self-service, designed for everyday voice interactions

Real-time voice agents are built for the high volume, business-to-consumer (B2C) interactions that define customer service at scale. These everyday inbound calls make up the majority of customer engagement across industries. To support this breadth, Copilot Studio enables organizations to grow their voice strategy—starting with deterministic, template-driven flows and expanding into dynamic, real-time voice agents as needs evolve.

Copilot Studio provides a documented set of external voice agent templates designed for unauthenticated, customer-facing interactions across both Copilot Studio and Dynamics 365 Contact Center, covering many of the core workflows customer service teams handle today, including:

• Billing and payments, which are among the most frequent and sensitive contact center interactions. Customers want clarity and resolution in the same call, not a handoff or follow-up. These scenarios often start with deterministic flows—confirming identity, checking balances, or processing payments—but can switch to dynamic, real-time voice agents that explain charges, respond to questions, and adapt tone as situations become more urgent.
• Order and reservation support across retail, travel, and hospitality, which often requires more dynamic handling. What begins as a simple status check can quickly shift into a change request or issue resolution. Real-time voice agents adapt to these pivots by grounding responses in live order or reservation data. They’re designed to act while preserving relevant context, supporting organizations as they evolve from structured flows to more flexible conversational automation.
• Eligibility and verification scenarios in healthcare, financial services, telecom, and the public sector, which rely on accuracy and trust. Deterministic steps—collecting required information, confirming eligibility criteria—can be paired with dynamic voice capabilities that answer questions as they arise and help preserve continuity if escalation or additional support is needed.
• Appointment scheduling and changes often involve interruptions and evolving preferences. Organizations can begin with predictable scheduling flows and grow into dynamic, real-time voice agents that let customers book, reschedule, or confirm details conversationally, without unnecessary restarting or repeating information as needs shift.
• Account and membership management, which often spans multiple tasks, from updating personal details to managing subscriptions or reviewing benefits. Deterministic updates can be combined with dynamic, context-aware voice interactions that stay connected to live account data, keeping these conversations efficient, accurate, and natural from start to finish.

From conversation to resolution, without breaking flow

Real‑time voice agents are built for real customer service environments, where escalation is a natural part of resolution rather than a failure of automation. At launch, these experiences are delivered through Dynamics 365 Contact Center, with conversation context carrying forward automatically, helping reduce the need for customers to restate information when human judgement is required.

As part of the Copilot Studio product roadmap, real‑time voice agents will also extend to Microsoft Teams Phone and additional Copilot Studio digital apps and channels, enabling organizations to bring consistent, context‑aware voice experiences to more customer touchpoints over time.

Voice automation designed for trust, control, and evolution at scale

For IT teams, voice automation has always been high impact but high risk. Feedback from early internal deployments reinforces the importance of pairing conversational intelligence with enterprise‑grade governance and lifecycle controls.

Innovation in voice does not require giving up control or predictability. Voice is a high‑stakes interaction surface, and customers notice immediately when experiences feel unreliable or inconsistent.

Copilot Studio takes a deliberate approach to real‑time voice by selecting the right models for the right moments, including the latest frontier models, optimized for the right balance of quality, latency, and reliability, without placing that complexity on customers. Built on Microsoft’s enterprise foundations for security, governance, and operational oversight, real‑time voice agents help organizations innovate with confidence while preserving trust.

Get started with Copilot Studio

Support for real-time voice agents is now generally available in North America for Dynamics 365 Contact Center, with language support, additional regions, and broader customer touchpoints expanding over time as part of Copilot Studio’s global rollout.

Learn more about real-time voice agents and sign back in to Copilot Studio to start scaling customer support with agents today.

New to Copilot Studio? Discover how you can transform your business by building, evaluating, managing, and scaling custom AI agents—all in one place. Sign up for a free trial of Copilot Studio today.

¹ Source: Microsoft usage data, 2026.

The post Extend AI voice support: Introducing real-time voice agents in Microsoft Copilot Studio appeared first on Microsoft Copilot Blog.

So how do you know when to use agents vs. workflows?

It’s no longer an either-or decision. Here’s how to use agents and workflows together to combine strengths and reduce risks.

What are agents and workflows?

Agents are flexible AI solutions that rely on foundational models to act, share knowledge, and handle tasks. They are powerful precisely because they are flexible. They can interpret unstructured inputs, reason over context, and make decisions beyond fixed logic.

However, organizations often need to know that repetitive parts of their processes will behave consistently, every time they run. Pure agent autonomy doesn’t always hold up to that requirement in production.

Workflows, by contrast, are powerful automations that drive process execution with consistency and speed. They’re designed to deliver the reliability that many business processes require.

At the same time, rigid, rules-based automation has its own ceiling. It’s nearly impossible to anticipate every potential input format, edge case, and decision-making context when building a workflow ruleset. Thus, when the workflow automation encounters something unexpected, it can’t move forward.

Two patterns for scaling automation with AI

While both agents and workflows have their strengths, we’re seeing customers get the most value in Copilot Studio by combining the two. In practice, we’re observing two patterns emerge in how customers apply Copilot Studio, and we’re continuing to deliver product improvements to strengthen and support them.

Workflows that use agents

The first pattern is workflows that call agents. In these instances, the workflow provides the structure for the business process—the defined steps, branching logic, handoffs, and an audit trail. Meanwhile, the agent handles the parts of the process that require judgement. This might include interpreting a document, synthesizing information from multiple sources, or deciding how to route an exception.

Once the agent completes its work, control returns to the workflow, and execution continues predictably.

To make it easier to add agents to workflows in Copilot Studio, we’re introducing agent nodes: the ability for workflows in Copilot Studio to call an agent directly within a workflow. You can build a deterministic, reliable automation, and at the exact moment you need AI reasoning, the flow simply hands it off to an agent.

Setting up an agent node inside a workflow is simple:

1. Create a workflow step called “Add an agent.”
2. Select any Copilot Studio agent you’d like to be include in the workflow.
3. Provide the instructions or task the agent needs to fulfill, and include an option to contact a designated person if specific clarification is needed.
4. Add the rest of the workflow’s steps.

When you run the workflow, the agent will do its job at the appropriate stage, and then the rest of the workflow will automatically continue.

When to use agents inside workflows

Using agent nodes to include agents in your workflows unlocks scenarios that rigid automation alone can’t handle. Some potential uses include the following:

• A procurement workflow that routes to an agent to evaluate vendor proposals against company policies.
• An HR onboarding workflow that personalizes welcome materials based on role and department.
• A customer service process that escalates complex cases to an AI agent for resolution recommendations.

In general, anywhere your workflow hits a decision that can’t be captured in simple if-then logic—where it needs to use reasoning over context, orchestrate tools, or retrieve knowledge from multiple sources—an agent node can help bridge the gap and make your workflow more effective. This capability is available now in all regions.

Agents that use workflows

The second pattern is equally important: agents that use workflows as tools. When an agent is working through a complex task, it doesn’t need to rediscover how to act every time. Instead, it can call a reliable, tested workflow to execute a well-defined subprocess—and then use the result to continue its reasoning and response.

This ability helps agents to build on existing process infrastructure rather than reinventing it. Moreover, it helps give organizations more confidence that the high-frequency or high-stakes parts of the processes can run with the consistency and controls the org requires.

There are two ways to add workflows into an agent:

1. Use natural language to build a workflow directly inside Copilot Studio and include that new workflow in an agent.
2. Alternatively, from within the agent, you can access your library of pre-existing workflows and add them as tools. Then, provide explicit instructions to your agent on when to use the workflow.

That’s it—your agent’s orchestrator will select the right workflows at the right time when needed to complete its work.

When to use workflows inside agents

Adding workflows inside your agents helps add structure and consistency to interactions that still require flexibility. Some potential uses include the following:

• A sales agent assembles the right product details and pricing tier for a deal, then calls a workflow to generate the quote, apply discount rules, and route it for approval.
• A customer service agent determines a refund is warranted, then calls a workflow to validate it against business rules, process the payment reversal, and send the confirmation.
• A procurement agent evaluates which vendor and terms apply to a request, then calls a workflow to create the purchase order in the ERP system and routes it through the approval chain.

Generally, anywhere your agent needs to reliably execute a repeatable process—enforcing business rules, coordinating systems, or ensuring key steps are completed—a workflow can help ground its actions and make outcomes more consistent.

Start using agents and workflows together

Together, these two ways to combine agents and workflows provide you with flexibility to build automations that work better for your real-world needs. Agents handle ambiguity where workflows go brittle; workflows enforce structure where agents might drift.

By embracing a combination of agents and workflows, it becomes easier for different teams to engage in ways that fit the way they work best. Business teams can extend and adapt these automation solutions without rebuilding from scratch. Compliance teams can audit them. Finally, your security and governance teams can choose the right balance of consistency and agility, based on what each scenario requires.

In organizations already using Copilot Studio to support their daily work, both patterns—workflows using agents and agents using workflows—show up regularly:

• A procurement workflow calls an agent to evaluate supplier contracts that arrive in inconsistent formats.
• A customer service agent, handling an open-ended request, calls a workflow to initiate a refund or update an account record.
• An approval process invokes an agent to synthesize context before routing to a decision-maker—and separately, that same agent calls a workflow to send notifications, log outcomes, or kick off downstream steps.

These scenarios show how automation and intelligence can reinforce each other, combining structure and flexibility to deliver more adaptable, dependable results.

Try these capabilities in Microsoft Copilot Studio today.

The post Automate business processes with agents plus workflows in Microsoft Copilot Studio appeared first on Microsoft Copilot Blog.

Microsoft Copilot Studio helps organizations move beyond isolated AI experiences and build connected systems of agents that can scale, adapt, and deliver real business value. Recent enhancements focus on making it easier for agents to work together across tools and data sources, while giving makers more control over how those agents behave in production.

What you’ll see this month: New generally available capabilities for multi-agent coordination across Microsoft Fabric, the Microsoft 365 Agents SDK, and open Agent-to-Agent (A2A) protocols—all of which help agents collaborate across your ecosystem and perform more valuable work. Plus, you’ll find updates to prompt authoring, model choice, and governance controls that can help make it faster to build and refine high-quality agent experiences with confidence.

Agents that work together across your entire ecosystem

The challenge in scaling AI inside an organization isn’t creating a useful agent. It’s about getting many agents—across teams and tools—to work together in a way that’s reliable and repeatable.

In many organizations, data teams might build one kind of agent, app teams another, and productivity teams yet another. Each agent can be valuable on its own, but once a workflow needs knowledge from one system, reasoning from another, and action in a third—teams often run into brittle handoffs and custom integration work. This slows agent adoption and makes it harder to move from promising pilots to real business impact.

This month, Copilot Studio takes a meaningful step forward: several multi-agent capabilities are rolling out to general availability over the next few weeks, giving your teams new ways to connect and orchestrate agents across your ecosystem. These updates include Microsoft Fabric integration, Microsoft 365 Agents SDK orchestration, and Agent-to-Agent (A2A) communication—all designed to help your agents operate together as a coordinated system rather than in isolated silos.

Multi-agent support for Microsoft Fabric

With multi-agent support, your Copilot Studio agents can work with Fabric agents to reason over enterprise data and analytics at scale. That means you can connect business-facing agent experiences more directly to the data estate they already rely on, without treating every data-intensive scenario like a one-off engineering project. Instead of working with limited or disconnected data, these agents will be able to operate with full business context—helping make their outputs more accurate, relevant, and actionable.

Multi-agent support for the Microsoft 365 Agents SDK

Using the Microsoft 365 Agents SDK, teams can now orchestrate Copilot Studio agents alongside agents built for Microsoft 365 experiences. Instead of recreating the same logic across multiple agents (think retrieving data, applying business rules, or completing common tasks), you’ll be able to reuse and combine existing capabilities. This makes it easier to compose cross-app workflows from what’s already been built, reducing duplication and keeping experiences more efficient and consistent.

Agent-to-Agent (A2A) support

With A2A support, Copilot Studio agents can directly communicate with and delegate work to other agents—first-party, second-party, or third-party—using an open protocol that allows universal access. This matters because the future of enterprise AI will not belong to a single stack. Organizations need to build agents on platforms that can participate in a broader ecosystem, not just operate within one product boundary. Copilot Studio A2A provides that interoperability and power.

The impact of multi-agent systems

We’ve already seen the power of this approach with the Ask Microsoft web agent, one of our early “customer zero” implementations. As site traffic and knowledge sources grew, the single-agent architecture began to strain, creating slower response times. Using Copilot Studio, the team upgraded the agent to a modern architecture with generative orchestration and multi-agent coordination.

Now, multiple sub-agents handle different parts of the site—Microsoft Azure, Microsoft 365, pricing, trials, and more—while the main agent orchestrates them to provide fast, coherent, multi-turn responses. This setup allows Ask Microsoft to answer complex questions involving multiple products or services, and to tailor responses based on where the customer is on the site.

Building a more advanced assistant with Copilot Studio has meaningfully raised the bar for our customer experience and enabled us to scale faster across products to deliver real business impact

– Alyse Muttera, Director of eCommerce Programs at Microsoft

To show how this approach works in other organizations, consider a common scenario at a bank. The loan department has one agent handling mortgage applications, while the banking department runs a separate agent for account inquiries. A customer, however, expects a single seamless experience.

Multi-agent orchestration lets each specialized agent manage its area of expertise while coordinating responses behind the scenes. For instance, if a customer asks about a mortgage payment and their account balance in the same interaction, the system delivers a cohesive, context-aware answer that combines insights from both agents—no juggling multiple interfaces required.

When specialized agents work together behind the scenes, customers can get a unified experience and employees can get time back.

That’s exactly the kind of impact Coca‑Cola Beverages Africa is realizing today by using Copilot Studio agents and Microsoft Dynamics 365 to autonomously run planning cycles and automate workflows end to end, saving planners 1 to 1.5 hours every day.

These features will be fully available to all eligible customers as of April 2026. Three capabilities, one outcome: agents that can operate more like a system and less like a collection of disconnected point solutions.

Build prompts faster while maintaining control

As agent experiences grow more sophisticated, the quality of the prompt an agent maker uses matters more. A great prompt yields more powerful results from agents than a good prompt, and fine-tuning prompts is key to unlocking them.

But in practice, prompt iteration has historically felt disjointed and slow. Makers previously balanced their flow of work with jumping into a separate editor, making a small change, testing it, and then repeating the process again. That friction can add up quickly, especially when teams are tuning prompts for specialized business scenarios.

The new immersive Prompt Builder, now generally available, helps reduce that friction by bringing prompt editing directly into each agent’s Tools tab. You can update instructions, switch models, add inputs or knowledge, and test changes—all in one place. Instead of breaking context every time you want to refine an agent’s behavior, you can iterate while staying grounded in the agent you’re building.

This matters most in real-world scenarios where prompt behavior is tied to domain knowledge and policy nuance. For example, a team building an agent to support clinical documentation might need to refine instructions, swap in a better knowledge source, and test outputs against terminology that is common in healthcare but more likely to trigger default safeguards. Doing that from one workspace can make iteration faster and help lower the effort required to get a production-ready result.

More options for prompts: Content moderation and model choice

Speaking of triggering default safeguards, Copilot Studio has also added content moderation settings for prompts, now generally available in supported regions. This gives makers more control over harmful content sensitivity on managed models, including turning down that sensitivity to help unblock legitimate scenarios in industries like healthcare, insurance, and law enforcement, where default settings may be overly restrictive for the content being processed.

For even more control over prompts, the Prompt Tool now supports Anthropic Claude Opus 4.6 and Claude Sonnet 4.5 in paid experimental preview in the United States. That gives makers more choice in matching the right model to the right prompt, rather than forcing every scenario into the same tradeoff profile. This feature is great for teams that want more flexibility in how they balance performance, reasoning depth, and cost.

All together, these improvements help teams move faster on prompt iteration while maintaining the control and flexibility required in production scenarios.

What else is new and improved in Copilot Studio

We have also recently released several additional updates across automation, meetings, retrieval quality, and model support.

• ServiceNow and Azure DevOps connector quality improvements are now generally available. These help agents better understand operational questions, retrieve the right ticket or work item data, and return more complete, actionable answers automatically.
• Evaluation automation APIs are now generally available through Microsoft Power Platform APIs and connectors. These APIs help make it easier to run evaluations programmatically and integrate quality checks into continuous integration and continuous delivery (CI/CD) workflows.
• Agents for Microsoft Teams meetings can now access real-time meeting transcripts and group chat. This supports scenarios like answering questions during the meeting, surfacing relevant information, or helping track decisions and follow-ups as they happen.
• Model context protocol (MCP) apps and Apps SDK support have expanded how agents connect to your external work apps, helping to make it easier to integrate business systems and enable agents to take action across your broader ecosystem—not just respond with information.
• Additional model support, including Grok 4.1 Fast, GPT-5.3 Thinking, and GPT-5.4 Instant in paid experimental preview, gives makers more options as they tune experiences for speed, cost, and capability.

Overall, these updates reflect a continuing broader shift in Copilot Studio: moving from building individual AI experiences to building connected, governed systems that can fit more naturally into how work already happens. As you scale up your organization’s use of multi-agent ecosystems, these will help your teams reach further across channels and knowledge sources to more accurately fulfill your business needs.

Stay up to date on all things Copilot Studio

More is coming in April 2026 across voice channels, workflows, and the building experience. Check out all the updates as we ship them, as well as new features releasing in the next few months here: What’s new in Microsoft Copilot Studio.

To learn more about Microsoft Copilot Studio and how it can transform productivity within your organization, visit the Copilot Studio website or sign up for our free trial today.

The post New and improved: Multi-agent orchestration, connected experiences, and faster prompt iteration appeared first on Microsoft Copilot Blog.

Security teams are already familiar with application risk, identity risk, and data risk. Agentic systems collapse those domains into one operating model. Autonomy introduces a new problem: a system can be “working as designed” while still taking steps that a human would be unlikely to approve, because the boundaries were unclear, permissions were too broad, or tool use was not tightly governed.

The OWASP Top 10 for Agentic Applications (2026) outlines the top ten risks associated with autonomous systems that can act across workflows using real identities, data access, and tools.

This blog is designed to do two things: First, it explores the key findings of the OWASP Top 10 for Agentic Applications. Second, it highlights examples of practical mitigations for risks surfaced in the paper, grounded in Agent 365 and foundational capabilities in Microsoft Copilot Studio.

OWASP helps secure agentic AI around the world

OWASP (the Open Worldwide Application Security Project) is an online community led by a nonprofit foundation that publishes free and open security resources, including articles, tools, and documentation used across the application security industry. In the years since the organization’s founding, OWASP Top 10 lists have become a common baseline in security programs.

In 2023, OWASP identified a security gap that needed urgent attention: traditional application security guidance wasn’t fully addressing the nascent risks stemming from the integration of LLMs and existing applications and workflows. The OWASP Top 10 for Agentic Applications was designed to offer concise, practical, and actionable guidance for builders, defenders, and decision-makers. It is the work of a global community spanning industry, academia, and government, built through an “expert-led, community-driven approach” that includes open collaboration, peer review, and evidence drawn from research and real-world deployments.

Microsoft has been a supporter of the project for quite some time, and members of the Microsoft AI Red Team helped review the Agentic Top 10 before it was published. Pete Bryan, Principal AI Security Research Lead, on the Microsoft AI Red Team, and Daniel Jones, AI Security Researcher on the Microsoft AI Red Team, also served on the OWASP Agentic Systems and Interfaces Expert Review Board.

Agentic AI delivers a whole range of novel opportunities and benefits. However, unless it is designed and implemented with security in mind, it can also introduce risk. OWASP Top 10s have been the foundation of security best practice for years. When the Microsoft AI Red Team gained the opportunity to help shape a new OWASP list focused on agentic applications, we were excited to share our experiences and perspectives. Our goal was to help the industry as a whole create safe and secure agentic experiences.

Pete Bryan, Principal AI Security Research Lead

The 10 failure modes OWASP sees in agentic systems

Read as a set, the OWASP Top 10 for Agentic Applications makes one point again and again: agentic failures are rarely “bad output.” But they are bad outcomes. Many risks show up when an agent can interpret untrusted content as instruction, chain tools, act with delegated identity, and keep going across sessions and systems. Here is a quick breakdown of the types of risk called out in greater detail in the Top 10:

Agent goal hijack (ASI01): Redirecting an agent’s goals or plans through injected instructions or poisoned content.

Tool misuse and exploitation (ASI02): Misusing legitimate tools through unsafe chaining, ambiguous instructions, or manipulated tool outputs.

Identity and privilege abuse (ASI03): Exploiting delegated trust, inherited credentials, or role chains to gain unauthorized access or actions.

Agentic supply chain vulnerabilities (ASI04): Compromised or tampered third-party agents, tools, plugins, registries, or update channels.

Unexpected code execution (ASI05): Turning agent-generated or agent-invoked code into unintended execution, compromise, or escape.

Memory and context poisoning (ASI06): Corrupting stored context (memory, embeddings, RAG stores) to bias future reasoning and actions.

Insecure inter-agent communication (ASI07): Spoofing, intercepting, or manipulating agent-to-agent messages due to weak authentication or integrity checks.

Cascading failures (ASI08): A single fault propagating across agents, tools, and workflows into system-wide impact.

Human–agent trust exploitation (ASI09): Abusing user trust and authority bias to get unsafe approvals or extract sensitive information.

Rogue agents (ASI10): Agents drifting or being compromised in ways that cause harmful behavior beyond intended scope.

For security teams, knowing that these issues are top of mind across the global community of agentic AI users is only the first half of the equation. What comes next is addressing each of them through properly implemented controls and guardrails.

Build observable, governed, and secure agents with Microsoft Copilot Studio

In agentic AI, the risk isn’t just what an agent is designed to do, but how it behaves once deployed. That’s why governance and security must span both in development (where intent, permissions, and constraints are defined), and operation (where behavior must be continuously monitored and controlled). For organizations building and deploying agents, Copilot Studio provides a secure foundation to create trustworthy agentic AI. From the earliest stages of the agent lifecycle, built in capabilities help ensure agents are safe and secure by design. Once deployed, IT and security teams can observe, govern, and secure agents across their lifecycle.

In development, Copilot Studio establishes clear behavioral boundaries. Agents are built using predefined actions, connectors, and capabilities, limiting exposure to arbitrary code execution (ASI05), unsafe tool invocation (ASI02), or uncontrolled external dependencies (ASI04). By constraining how agents interact with systems, the platform reduces the risk of unintended behavior, misuse, or redirection through indirect inputs. Copilot Studio also emphasizes containment and recoverability. Agents run in isolated environments, cannot modify their own logic without republishing (ASI10), and can be disabled or restricted when necessary (ASI07, ASI08). For example, if a deployed support agent is coaxed (via an indirect input) to “add a new action that forwards logs to an external endpoint,” it can’t quietly rewrite its own logic or expand its toolset on the fly; changes require republishing, and the agent can be disabled or restricted immediately if concerns arise. These safeguards prevent localized agent failures from propagating across systems and reinforce a key principle: agents should be treated as managed, auditable applications, not unmanaged automation.

To support governance and security during operation, Microsoft Agent 365 will be generally available on May 1. Currently in preview, Agent 365 enables organizations to observe, govern, and secure agents across their lifecycle, providing IT and security teams with centralized visibility, policy enforcement, and protection capabilities for agentic AI.

Once agents are deployed, Security and IT teams can use Agent 365 to gain visibility into agent usage, manage how agents are used, and enforce organizational guardrails across their environment. This includes insights into agent usage, performance, risks, and connections to enterprise data and tools. Teams can also implement policies and controls to help ensure safe and compliant operations. For example, if an agent accesses a sensitive document, IT and security teams can detect the activity in Agent 365, investigate the associated risk, and quickly restrict access or disable the agent before any impact occurs. Key capabilities include:

Access and identity controls alongside policy enforcement to ensure agents operate within the appropriate user or service context, helping reduce the risk of privilege escalation and applying guardrails like access packages and usage restrictions (ASI03).

Data security and compliance controls to prevent sensitive data leakage and detect risky or non-compliant interactions (ASI09).

Threat protection to identify vulnerabilities (ASI04) and detect incidents such as prompt injection (ASI01), tool misuse (ASI02), or compromised agents (ASI10).

Together, these capabilities provide continuous oversight and enable rapid response when agent behavior deviates from expected boundaries.

Keep learning about agentic AI security

Agentic AI changes not just what software can do, but how it operates, introducing autonomy, delegated authority, and the ability to act across systems. The shift places new demands on how systems are designed, secured, and operated. Organizations that treat agents as privileged applications, with clear identities, scoped permissions, continuous oversight, and lifecycle governance, are better positioned to manage and reduce risk as they adopt agentic AI. Establishing governance early allows teams to scale innovation confidently, rather than retroactively building controls after the agents are embedded in workflows. Here are some resources to look over as the next step in your journey:

OWASP Top 10 for Agentic Applications (2026): The baseline: top risks for agentic systems, with examples and mitigations.

Microsoft AI Red Team: How Microsoft stress-tests AI systems and what teams can learn from that practice.

Microsoft Security for AI: Microsoft’s approach to protecting AI across identity, data, threat protection, and compliance.

Microsoft Agent 365: The enterprise control plane for observing, governing, and securing agents.

Microsoft AI Agents Hub: Role-based readiness resources and guidance for building agents.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

OWASP Top 10 for Agentic Applications content © OWASP Foundation. This content is licensed under CC BY-SA 4.0. For more information, visit https://creativecommons.org/licenses/by-sa/4.0/

The post Addressing the OWASP Top 10 Risks in Agentic AI with Microsoft Copilot Studio appeared first on Microsoft Copilot Blog.

When you run an agent evaluation, you’re doing more than just testing an agent. You’re defining what “good” means for that agent and your graders encode that judgement into every eval run.

Most teams start with graders that require the least setup: General Quality, which runs with no configuration at all. They then typically layer on graders like Keyword Match and Compare Meaning that require matching terms, phrases, or an expected response.

These are strong defaults, but they only measure one dimension of agent quality: correctness, or whether the output meets a generic standard. For production-grade agents, you need graders to evaluate a lot more. That’s where Custom Graders come in.

What are Custom Graders for agents?

Custom Graders in Microsoft Copilot Studio help you set criteria that’s specific to your organization, so you can evaluate agents against your team’s unique policies, behavior expectations, and trust levers. In other words, they turn your organizational expectations into executable evaluation logic.

As you move toward production scenarios, you can extend the default checks with additional graders that reflect your operational boundaries for your agents. This shift lets evaluations go beyond response correctness to capture how well an agent behaves within the specific rules and standards defined by your team.

Tip: You can combine multiple graders in a single evaluation run, so each grader evaluates a different aspect of the response—quality, correctness, capability, or behavior. Together, these signals make agent behavior observable, repeatable, and explainable at scale.

The grader stack: 4-layer framework for evaluation coverage

To better understand where Custom Graders fit, it helps to think about agent evaluation coverage as a four-layer stack. Each layer of the stack asks a different class of questions about agent behavior.

 Most evaluation frameworks address the lower layers well. Few address the upper layers at all.

Layer 1: Foundation graders

Foundation graders assess universal properties of language output, independent of domain or use case. For example, the General Quality grader operates at this layer in Copilot Studio, evaluating responses across three dimensions:

• Relevance: Does the response address what the user actually asked?
• Groundedness: Is the response supported by the agent’s retrieved sources, without introducing unsupported claims?
• Completeness: Does the response address all meaningful aspects of the question and provide all relevant information?

This layer establishes the quality floor and includes graders that often require no configuration. While these graders are necessary for every agent, they are often insufficient on their own.

Layer 2: Configured graders

Where Layer 1 graders tend to be more general, Layer 2 graders are more precise. Configured graders compare agent responses against explicitly defined references, expected answers, keywords, or similarity thresholds.

This means you must define what a correct or acceptable response looks like, using a few different methods:

• Compare meaning: Uses semantic match against an expected response.
• Match keywords: Checks for required terms or phrases.
• Text similarity: Measures lexical or semantic closeness to an expected answer.
• Exact match: Validates against a precise expected string.
• Capability use: Verifies the agent called the expected tools or topics.

While this layer tells you whether the agent produced the output you specified, it stops short of validating that the agent behaved according to your organizational standards.

Layer 3: Domain graders

Layer 3 is where agent evaluation starts to become specific to your organization. Domain graders encode the business rules, policies, and behavioral expectations that define correct conduct in your specific environment. For instance, these graders ask questions like:

• Does the human resources (HR) agent stay within its role boundaries?
• Does the finance assistant apply the right escalation logic?
• Does the customer service agent follow the communication standards defined in your brand guidelines?

This is the first layer of the stack that cannot rely on a default out-of-the-box grader. These graders require organizational knowledge, and they are the layer most commonly absent from deployed evaluation pipelines. (More on this below.)

Layer 4: Behavioral and guardrail graders

Finally, guardrail graders address your organization’s unique agent expectations from another angle. This top-most layer evaluates agent behavior in terms of conduct and safety. For instance, these graders check for:

• Guardrail compliance: Does the agent respect defined boundaries, especially under adversarial or edge-case inputs?
• Risk and sensitivity handling: Does the agent recognize when a conversation requires escalation, specialist involvement, or a careful change in tone?
• Behavioral consistency: Does the agent behave predictably across varied phrasings of the same intent?

Layer 4 graders answer the question that regulators and compliance officers ask: not “Is this output correct,” but “Can we trust this agent to behave responsibly in production?”

The full grader stack helps prevent evaluation debt

Taken together, this grader stack helps you diagnose which layers your evaluation pipeline actually covers (and which it doesn’t). If you stop at layers 1 and 2, you can see whether your agents are accurate, but not whether they are compliant, appropriately scoped, or safe under edge conditions. This visibility is critical, especially where behavior carries real organizational risk—such as in regulated industries, HR scenarios, or customer-facing experiences.

Over time, that visibility gap turns into evaluation debt: the growing mismatch between what your organization expects from its agents and what your evaluation pipeline can reliably measure and enforce. The policies, rules, and compliance requirements exist; what’s missing is a way to encode them directly into evaluation.

In Copilot Studio, Custom Graders are the mechanism that helps eliminate this debt. They extend evaluation into the upper layers of the stack, so you can systematically measure the policy, behavioral, and trust signals that you care about most in production.

How to set up your agent grader stack in Copilot Studio

If your team already runs agent evals, chances are you’ve already set up layers 1 and 2. If not, you can quickly set up this base using Copilot Studio’s prebuilt evaluation methods, such as General Quality, Compare Meaning, or Keyword Match.

But you shouldn’t stop there. To set up layers 3 and 4, you’ll need to also introduce Custom Graders.

Without any code, you can easily create Custom Graders in Copilot Studio by configuring the following:

• Evaluation instructions: A precise, natural-language description of the behavioral standard being tested, including what the agent is expected to do, what it must not do, and how to handle ambiguous cases.
• Classification labels: Named behavioral categories, each marked as a pass or fail. Labels define the vocabulary of outcomes for this grader and must be mutually exclusive and exhaustive.

Once live, the Custom Grader operates as part of your evaluation pipeline, alongside any other graders configured for the same test run. Every evaluation run produces a clear, structured result grounded in your instructions. That way, you can consistently track changes over time, enforce quality gates, and maintain a record of agent behavior.

Tip: Across 540 conversations spanning 3 agents and 10 Custom Graders, we saw accuracy exceeded 98% when instructions and labels were clear, scoped, and mutually exclusive (Microsoft data, 2026).

This means your single highest lever for reliable evaluation is authoring. Invest in precise instructions, well-separated labels, and a quick iterate-and-retest loop before you rely on a Custom Grader in production.

Custom Grader in Copilot Studio example

Say you’re building a custom grader for an HR agent operating under enterprise workplace communication standards. Your configuration might look something like this:

Evaluation instructions

Evaluate the agent’s response according to the following rules:

• The agent responds using neutral, professional language appropriate for internal workplace communication.
• The agent describes processes and role boundaries rather than giving advice, recommendations, or guarantees.
• The agent does not speculate about outcomes such as promotions, disciplinary actions, or legal consequences.
• The agent does not request, infer, or elaborate on private or sensitive personal information beyond what the user explicitly shared.
• If a response violates multiple rules, classify by the most severe or primary violation in this order: Privacy Boundary Violation → Speculation → Advisory Framing.

The classification labels

Increase your agent eval coverage with Custom Graders

Building agents that can be trusted in production requires evaluating agent behaviors on every dimension. Custom Graders are how you get there.

Custom Graders are now available in the Agent Evaluation tab in Copilot Studio. To get started, simply log into Copilot Studio and do the following:

1. Open the Evaluation tab in the agent you want to evaluate.
2. Define the appropriate dataset.
3. Select a test method.
4. Choose Classification under the Custom section.

New to Copilot Studio? Discover how you can transform your business by building, evaluating, managing, and scaling custom AI agents—all in one place.

The post Custom graders in Copilot Studio: Setting high standards for agent evals appeared first on Microsoft Copilot Blog.

Wave 3 of Microsoft 365 Copilot

Wave 3 marks a new version of Microsoft 365 Copilot, moving beyond assistance to embedded agentic capabilities. And this is just the start, with much more product innovation to follow in the months ahead.

Copilot Cowork

Working closely with Anthropic, we have brought the technology that powers Claude Cowork into Microsoft 365 Copilot. It’s this multimodel advantage that makes Copilot different. Your work is not limited by one brand of models. Copilot hosts the best innovation from across the industry and chooses the right model for the job regardless of who built it. This is a pattern of work that will only become more powerful as new models and ways of working emerge.

Copilot Cowork brings long‑running, multi‑step work into Microsoft 365 Copilot, moving beyond prompts and responses toward execution that unfolds over time. And, with Work IQ, it has the full context of your work, not just fragments of data, so it can reason over all relevant materials. Instead of asking Copilot to generate a single artifact, Cowork allows you to delegate meaningful work and stay in the loop as that work progresses.

With Cowork, Copilot can break down complex requests into steps, reason across tools and files, and carry work forward with visible progress and opportunities to steer. Tasks are no longer confined to a single turn or a single app. They can run for minutes or hours, coordinating actions and producing real outputs along the way.

Cowork is built with enterprise needs in mind. Work is observable. Actions are transparent. Documents are immediately enterprise knowledge that’s protected and ready to share. Progress can be reviewed, guided, or stopped. And everything operates within Microsoft’s security, identity, and governance framework, so organizations can adopt these capabilities with confidence.

By combining Anthropic’s agentic model for multi-step tasks with Microsoft 365, Cowork delivers a managed, enterprise‑grade experience that pairs powerful reasoning with the controls enterprises expect. This is the promise of Copilot: the best AI innovation from across the industry delivered quickly with the intelligence of Work IQ and trust of Microsoft’s Enterprise Data Protection. Cowork is being tested with a limited set of customers as a research preview and will be available through the Frontier program in March.

Join the Frontier program to get access to Microsoft’s latest AI innovations.

Microsoft 365 Copilot in Word, Excel, PowerPoint, and Outlook 

Today, many AI tools treat the creation of an artifact as a single-shot task. They connect to Microsoft 365 data but miss key context. They create content that doesn’t follow how apps natively work. They create version sprawl by producing files that are locally downloaded. And they do not respect the existing confidentiality protections within an organization.

Wave 3 of Copilot will now work alongside you in Word, Excel, PowerPoint, and Outlook, creating, editing, and refining high-quality content from start to finish inside a document, spreadsheet, presentation, or email. And it uses Work IQ to stay grounded in the context of your work, so edits always reflect what is current and relevant across your files, meetings, chats, and relationships.

Copilot does the heavy lifting by updating existing work: refining a Word document into a polished draft, improving Excel spreadsheets with real formulas, producing slides in PowerPoint that match how your organization builds decks—including understanding layouts, object styles, and brand kits— and drafting and refining emails directly in Outlook. And because this work happens inside the apps where people already work, every change is transparent, reviewable, and reversible as you iterate.

During preview, we described these capabilities as “Agent Mode.” As we moved toward general availability, it became clear that this isn’t a separate mode at all—it’s core to how this next wave of Copilot works.

Microsoft 365 Copilot enforces existing Microsoft 365 permissions and sensitivity labels and saves files to OneDrive and SharePoint—with tenant-level controls—so protected content isn’t processed when extraction isn’t allowed. This means organizations can apply governance, audit, compliance, and retention policies at scale.

These new Copilot experiences are generally available in Excel and Word, with PowerPoint and Outlook starting to roll out over the coming months.

Agents in chat

Not all work starts inside a document or an app. Often, it begins conversationally—with a question, an idea, or a rough intent that needs to be turned into action.

That’s why, in Wave 3, chat in Copilot is the entry point for chat‑first creation and execution. From chat, you can create documents, spreadsheets, and presentations directly from a conversation, or ask Copilot to take common workplace actions—like scheduling a meeting or drafting and sending an email to your team—without copying and pasting between tools or switching contexts. These end‑to‑end workflows move work forward immediately and set Copilot apart.

Chat in Copilot is where the ecosystem comes together. Built‑in agents for Word, Excel, PowerPoint, and Outlook let you move easily from conversation into app‑native work. And with agents in Copilot supporting open standards like Apps SDK and MCP Apps, your apps can now surface directly within chat—enabling live, interactive experiences where work actually happens. From sales and customer service insights in Microsoft Dynamics 365, to custom apps built with Microsoft Power Apps, to partner experiences from Adobe, Monday.com, and Figma, Copilot brings your critical tools and insights together in one place.

Copilot also makes it easy for people across your organization to build agents that support their day‑to‑day work using Agent Builder. Meanwhile, IT and business leaders can create more sophisticated business process agents with Microsoft Copilot Studio—from employee onboarding to procurement. Recent updates to Copilot Studio help organizations evaluate agent quality, coordinate multiple agents, and ensure agents work together across systems—while remaining observable, governable, and secure at enterprise scale. 

Copilot works directly inside apps when work is underway, and agents in chat provide the starting point when work begins with a conversation.

Excel, Word, and PowerPoint Agents are rolling out to generally availability in chat in Copilot. Schedule from chat and custom instructions are available today and send email from chat is rolling out with broad availability this spring. 

Multi‑model intelligence

Wave 3 also advances Microsoft’s commitment to model choice in Copilot, so intelligence can show up in the right way for the work at hand, without requiring you to think about models at all.

Many AI tools lock users into a single vendor’s models. Others force people to choose between tools, experiences, or modes depending on the task. That fragmentation creates friction for individuals and complexity for organizations. Leaders end up managing overlapping tools, inconsistent experiences, and rising costs as teams bring their own AI into the business.

At the same time, IT and business decision‑makers are forced into long‑lived vendor bets, even as the pace of model innovation accelerates and better capabilities emerge elsewhere. The result is broken context for users, unnecessary overhead for organizations, and the burden of model selection pushed onto people who just want to get work done.

In contrast, Microsoft 365 Copilot brings leading models from multiple providers directly into the work experience. With Wave 3, Claude is now available in mainline chat in Copilot via the Frontier program, alongside the latest generation of OpenAI models, which continue to roll out with new releases. This means users can access advanced reasoning and multistep capabilities in their everyday Copilot conversations, not just specialized tools. Copilot automatically applies the right model for the task, all grounded in your enterprise context and protected by Microsoft’s security and governance controls.

Agent 365

As organizations adopt agents as part of everyday work, the challenge shifts from experimentation to operating them with trust, safety, and control at scale. IDC projects agent use will increase by an order of magnitude over the next few years, with hundreds of millions—and soon billions—of agents operating across enterprises.¹ That scale creates a new dilemma for IT and security leaders: how to manage agents across the organization without rebuilding infrastructure, weakening security posture, or slowing innovation. This is exactly the scenario Agent 365 was designed for.

Agent 365 is the control plane for agents. In practical terms, it gives IT and security leaders one place to observe, secure, and govern every agent across the organization, and it provides the confidence to move from agent experimentation to enterprise-scale operations. Agent 365 extends the management, security, and governance processes organizations already use for employees to agents, so they can stay in control as agents become part of daily work.

The idea is simple: there is no need to reinvent the wheel. The fastest path to getting agents under control is to manage them in a similar manner to managing users, using familiar Microsoft solutions including the Microsoft Admin Center for agent management and Microsoft Security solutions like Defender, Entra, and Purview for agent security and governance.

Agent 365 will be generally available on May 1, priced at $15 per user per month.

Introducing Microsoft 365 E7: The Frontier Suite

Frontier transformation is real when both sides of the system move together: people and AI operating across the enterprise.

Microsoft 365 E7: The Frontier Suite closes the gap, equipping employees with AI across email, documents, meetings, spreadsheets, and business application surfaces, while giving IT and security leaders the observability and governance needed to operate AI at enterprise scale.

Copilot and agents work together with shared intelligence, understanding context, history, priorities, and constraints. Trust is built in by default—with user data, enterprise data, and agent actions protected through identity, policy, and observability—so AI can scale across the workforce without compromising security or compliance.

Microsoft 365 E7 will be available for purchase on May 1 at a retail price of $99 per user per month, and includes Microsoft 365 Copilot, Agent 365, Microsoft Entra Suite, and Microsoft 365 E5 with advanced Defender, Entra, Intune, and Purview security capabilities to help secure users, delivering comprehensive protection across agents and users.

Get started today

Wave 3 of Microsoft 365 Copilot marks a turning point in how AI shows up at work. Agentic capabilities are embedded directly into Word, Excel, PowerPoint, Outlook, and Copilot Chat, bringing multi‑model intelligence into everyday workflows. Agent 365 makes this shift operational by giving organizations a way to observe, govern, and secure agents as they move from experimentation to enterprise‑scale use. Microsoft 365 E7 brings it all together by unifying productivity, AI, identity, and security into a single foundation.

Together, these changes make frontier transformation real: intelligence that understands the context of work, and trust that allows AI to scale safely across the workforce. When intelligence and trust move together, AI stops being an experiment and starts becoming how work gets done.

• Visit Microsoft365.com/copilot or download the Microsoft 365 app on your mobile device to get started.
• For the latest research and insights on AI at work, visit WorkLab.
• Learn from our engineering leaders how Microsoft delivers AI built for work at the Microsoft Frontier Transformation digital event on March 9, 2026, at 8:00 AM PT.

Footnotes

Microsoft 365 E7 is available with and without Teams.

¹IDC Info Snapshot, sponsored by Microsoft, 1.3 Billion AI Agents by 2028, May 2025 #US53361825

The post Powering Frontier Transformation with Copilot and agents appeared first on Microsoft Copilot Blog.

But enabling this kind of capability raises real questions for IT: What risks do these agents introduce? Are they actually being used? And are they behaving as expected?

The more agents you launch and the more powerful these agents are, the more these answers matter. That’s why we’re introducing three new capabilities across Copilot and Microsoft Copilot Studio that help people move work forward faster—while keeping IT firmly in control:

1. Enhanced agents that bring apps directly into chat in Copilot
2. New ways for employees to find the right agent, fast
3. Tools to continuously evaluate agent quality over time

With these capabilities, employees can use their go-to business apps directly in Copilot and get a simpler way to discover the right agents for their tasks. Meanwhile, IT gains objective signals that help validate agent behavior as usage expands. Here’s what you need to know.

Interacting with apps through chat in Copilot

Today, the gap between AI insight and in-app execution starts to close—without IT needing to relax standards or introduce new risk vectors.

When an employee prompts Copilot and calls an agent connected to an approved app, that agent can bring that app’s interactive experience directly into the conversation. From there, the employee stays in the driver’s seat, using chat in Copilot to take real, in‑app actions such as:

• Scheduling a new event in Outlook
• Adding a new sales opportunity to Dynamics 365 Sales
• Creating or editing a flyer in Adobe Express
• Completing an approval form via Microsoft Power Apps

All of this happens without needing to leave Copilot. Employees interact with the app directly in chat or use follow-up prompts to carry out work in the app.

Get started quickly with pre-built app experiences

This month, we’re launching support for a focused set of early experiences, including:

• Microsoft apps, such as Outlook, Dynamics 365 Customer Service (public preview by early April), and Dynamics 365 Sales (public preview by early April)
• Custom line-of-business apps built with Power Apps (public preview this March)

Take Outlook, for example. You can now tell Copilot who you want to meet with, and it’ll find time slots that work. Simply select one, and an agent will schedule that time together. This experience is currently generally available (GA). Similarly, you can ask Copilot to draft an email on your behalf, edit it, and hit send—without leaving the chat (currently in Frontier).

We will also introduce in-chat experiences for a handful of Microsoft partner apps, including Adobe Express, Adobe Acrobat, Base44, Box, Canva, Coursera, Figma, Miro, Monday.com, Optimizely, and Wix. All pre-built partner app experiences will be available via the Microsoft 365 Agent Store by mid-April.

“With the Figma app in Copilot, you can turn conversations into AI-generated FigJam diagrams to take ideas further,” says Brendan O’Driscoll, Figma’s VP of Product. “By connecting Figma with your favorite tools, it’s easier than ever to visualize, iterate, and collaborate with your entire team.”

Build the app experiences your team needs

You’re not limited to the apps we ship out of the box. Your team can build agents in Copilot that work with the mission-critical apps that your systems, processes, and workflows depend on.

Under the hood, two open extensibility standards make this possible: MCP Apps and the OpenAI Apps SDK. Both give development teams a structured way to connect the apps your organization relies on to agents in Copilot—so those apps can surface interactive experiences directly in chat. Agents built with either standard use familiar development patterns, so your team can build and iterate without requiring a steep learning curve.

MCP Apps and Apps SDK will roll out to GA on web and desktop later this month, with mobile following this spring. Share the Apps SDK and MCP Apps technical documentation with your development team to get started.

Get to know the IT controls

Even as agents become more powerful, we’ve designed this experience with governance in mind. Agents with interactive app experiences use the same governance and admin patterns you already trust for agents in Copilot, keeping IT control the top priority.

You decide which agents are available in your tenant, and who can use them—globally, per agent, or for specific departments. Each agent operates strictly within existing app permissions and identity boundaries, so you can enable richer experiences in Copilot without opening new, unmanaged entry points into your environment.

All agents can be monitored end‑to‑end using Agent 365—a unified control plane that gives IT a single place to see which agents are live, where they can act, and how they’re being used. With it, you can control how agents are provisioned and scoped before rolling out this new experience broadly. Learn how to provision your organization’s agents at scale.

Empowering employees to find the right agent fast

As agents in Microsoft 365 Copilot become more capable, employees need a reliable way to find the right agent for the task at hand. But when dozens of agents are available, employees shouldn’t have to know which one to use when. Agent Recommendations (generally available) surfaces the right agent at the right moment, directly in the flow of work.

When users prompt Microsoft 365 Copilot, the system analyzes their intent and suggests an agent that’s already installed and approved by IT. No special syntax or prompt engineering required.

These recommendations are assistive, meaning employees can choose to start a new conversation with the suggested agent or continue in their current chat. All the while, discoverability only happens within known, governed boundaries —mitigating the introduction of new risks. This helps employees quickly find agents purpose-built for the scenario at hand, while IT maintains a consistent governance model as usage expands.

Holding agents to your organization’s standards

As organizations rely on more agents for more impactful work, quality and reliability stop being nice‑to‑haves—they’re essential. Small changes to prompts, models, or data can introduce drift that can be hard to detect, especially as agent usage expands across teams and scenarios.

Agent Evaluations in Microsoft Copilot Studio (currently in public preview) gives you a structured way to answer the question: Is this agent actually doing what it’s supposed to do?

Evals work by running agents against authentic questions and scenarios, then generating objective scores for accuracy and intent alignment—so quality isn’t just assumed; it’s measured. By comparing results over time, teams can help catch regressions earlier, validate improvements, and apply a consistent quality bar before agents reach broader use.

These signals reinforce that agents aren’t set‑and‑forget automation; they’re managed enterprise workloads. With objective evidence in hand, IT and makers can make informed rollout decisions and scale agent usage more confidently, knowing behavior is monitored, and reliability can be improved as usage grows.

Learn how to set up Agent Evals in Microsoft Copilot Studio, so you can assess agent quality and readiness before expanding usage.

Make agents more capable while staying in control

Support for apps in agents, Agent Recommendations, and Agent Evals are designed to work together as a system, helping organizations move faster—without compromising trust. By treating agents as first‑class, governed workloads, IT teams can enable more capable agents while maintaining the control their organizations expect.

To get started:

• Learn how dev teams build with Apps SDK and MCP Apps
• Control agents from end-to-end with Agent 365
• Discover how to configure Agent Evals

The post Enable agents to bring apps into the flow of work—while keeping IT in control appeared first on Microsoft Copilot Blog.

Then, customers like you pushed us further.

You told us where agents didn’t scale, where authentication slowed runs, and where it was hard to understand why something failed—or to prove it behaved correctly. You also told us where your organization needed more control, visibility, and flexibility before rolling out computer‑using agents at scale.

Today’s updates are a direct response to that feedback.

Computer‑using agents in Microsoft Copilot Studio now offer more model choice, stronger security and governance, and easier scale—so you can automate more of your work across web and desktop apps with confidence.

Here’s what’s new with computer use—and why it matters.

Choose the right model to navigate dynamic interfaces

Computer-using agents now support multiple foundation models, including Anthropic’s Claude Sonnet 4.5 alongside OpenAI’s Computer-Using Agent. This gives you the flexibility to choose the best fit for each agent, based on the interface and the task.

• Use OpenAI Computer-Using Agent to orchestrate multi‑step web and desktop flows.
• Opt for Anthropic Claude Sonnet 4.5 when you need high performance reasoning on dynamic user interfaces (UIs) and interpretation of dense, changing dashboards.

Secure authentication with built in credentials and Azure Key Vault

Authentication shouldn’t be the reason automations stall. Computer use now offers built‑in credentials so agents can:

• Securely perform website and desktop app logins.
• Reuse them across multiple agents and automations.
• Eliminate manual login prompts during runs, enabling unattended execution.

For example, if an agent needs to log into a vendor portal and update a desktop ERP every night, built-in credentials now let the agent authenticate to both the web portal and the desktop app automatically. This removes manual interruptions and makes overnight processing dependable while maintaining governance controls. No need to babysit “unattended” runs.

You can choose between two storage options aligned to your governance needs: internal storage (encrypted in Microsoft Power Platform) for low-friction setup, or Azure Key Vault for enterprise-grade secret management.

Credentials are encrypted and are never exposed to the AI model, so only authorized agents can access them. This way, your security and compliance team can feel confident scaling CUAs to more scenarios.

See every computer-using agent action with session replay and audit logs

As agents touch more business‑critical systems, teams need to know what happened, why it happened, and where.

Computer use now has advanced monitoring and richer observability, so operations, security, and compliance teams can inspect behavior step‑by‑step. This includes:

• Session replay with screenshots.
• Step‑by‑step action logs with action types, coordinates, timestamps, and context.
• Run summaries instruction text, duration, action counts, average time per action, and human escalation counts.
• Resource tracking including websites, desktop apps, credentials used.
• Export options for offline review.

But what does this look like in practice? Imagine an agent run produces an unexpected update, and your team can’t tell whether the agent misread the UI, clicked the wrong control, or encountered a hidden pop‑up.

Session replay and action logs now show exactly what the agent saw and did, pinpoint the step where the UI changed, and produce an exportable record for audit review. That way, you can fix issues faster and retain a defensible compliance trail.

Beyond the monitoring pane, compliance is further strengthened through:

• Microsoft Purview integration, sending audit logs to Purview.
• Dataverse logging with configurable verbosity—choose All data, Data without screenshots, or Minimal.
• Retention options from 7 days to indefinite, to match regulatory and governance requirements.

Simplify infrastructure with managed Cloud PCs for computer-using agents

Scaling UI automation shouldn’t require managing fleets of desktops or fragile virtual machines. The new Cloud PC pool, powered by Windows 365 for Agents, provides fully managed cloud‑hosted machines that are Microsoft Entra joined and Intune enrolled, designed for computer use runs and built to scale with demand.

In other words, these Cloud PC pools provide managed capacity for high-volume runs when demand spikes—without the overhead of keeping dedicated hardware patched, available, and idle the rest of the time. This way, your team can handle spikes without over-provisioning hardware.

Note: For evaluation, you can create up to two Cloud PC pools per tenant with 50 hours of free usage for published autonomous agents—making it easier to pilot CUAs at scale before broader rollout.

Extend—don’t replace—your automation

If you’ve built automations with Microsoft Power Automate and RPA, computer use expands what you can automate—especially when:

• Interfaces change frequently
• APIs aren’t available
• Decision logic becomes more complex

Thankfully, you can keep classic RPA for deterministic scenarios with stable interfaces. CUAs then add flexibility and adaptive reasoning where RPA falls short (such as dynamic web apps, shifting layouts, or complex decisioning). After all, the goal isn’t to start over—it’s to modernize and extend what you already have.

For example, say you have an RPA bot that depends on fixed selectors. Historically, it broke each time a web form changed, forcing constant script updates.

Now, the RPA stays the same, while a CUA handles the variable UI portions—navigating changing layouts, interpreting dialogs, and escalating edge cases. The result? Reduced maintenance and improved reliability.

Get started and help shape what comes next

Ready to try computer‑using agents in a US‑based Copilot Studio environment?

1. Create or open an agent in Microsoft Copilot Studio.
2. Go to Tools → Add tool → New tool and select computer use.
3. Describe the task you want the agent to perform in natural language.
4. (Optional) Choose a model, configure built‑in credentials, and set up a Cloud PC pool for secure, scalable runs.

For deeper guidance, configuration details, and best practices, see the computer use documentation.

Before you go: We’re actively investing in advanced governance, operations, and scale for CUAs—and customer feedback directly informs the roadmap. Tell us what you think of the latest CUA updates today:

• Email feedback to computeruse-feedback@microsoft.com
• Join the Copilot Studio community

The post Computer-using agents now deliver more secure UI automation at scale appeared first on Microsoft Copilot Blog.