Microsoft 365's Agent Registry should list tools
29 Jun 2026
Microsoft’s new Agent 365 Agent Registry should list desktop IDE client tools like the GitHub Copilot CLI, GitHub Copilot VSCode Chat pane, etc. Anything less sells enterprises a security story that isn’t meaningful.
Microsoft Entra Agent ID product manager Vince Smith just came on episode 64 of Merrill Fernando’s “Entra Chat” podcast and shouted out a colleague’s project, the M365 Agent Registry.
Problem is, the M365 Agent Registry’s built-in Microsoft-authored agent listings don’t include client-side “chat UI tools” like GitHub Copilot CLI and the GitHub Copilot VSCode Chat pane.
Which means your average enterprise customer can’t actually get a good view of what’s behaving “agentically” on their staff members’ behalf.
Over a year ago in May 2025, I didn’t write my “securing authenticated agentic AI” post about the kinds of computer processes Microsoft 365 seems to be considering “agents” – I wrote it the moment it hit me just how bad of “lethal trifecta” trouble everyday corporate-employee software developers could get themselves into with the GitHub Copilot VSCode Chat pane, their usual enterprise productivity SaaS accounts like email or JIRA, and an MCP server logged into those accounts.
The threat model
While I was thinking about data integrity’s resistance to malice, George Fletcher, an identity specialist, gave a great example of the need for data integrity in the face of mistakes, in his June 2026 article “The Authorization Problem We Keep Half-Solving”:
I want to start by considering the following hypothetical. Alice asked her AI travel assistant to book a long weekend in Lisbon for her and her husband. Flights, a hotel near Alfama, a dinner reservation on Saturday night, a rental car for a day trip to Sintra.
Imagine it works. Mostly. The hotel booking goes through. The flight doesn’t, because the airline’s website rejects the agent’s session as “unrecognized device.” The restaurant reservation lands at the wrong restaurant (a similarly named place across town), and there’s no clean way to know whether the agent has exceeded Alice’s budget along the way, because no one has actually told it what its budget is. Alice just said “book us a nice weekend.” The agent inferred the rest.
I can’t remember where, but people followed up with all sorts of interesting comments and quote-posts, including, for example, the idea that when figuring out how we got to a point where suddenly Alice has overdraft fees in her bank account, 2 nonrefundable tickets to the north side of Portugal and no car booking yet a weekend’s nonrefundable reservation at the most expensive middle-of-nowhere boutique B&B on the south side of Portugal, there’s a ton of stuff besides “it was this agent” and “it was Alice’s account” that would be helpful during root cause analysis to have logged.
For example:
- Had Alice granted the agent read access to double-check her bank account balance before booking things?
- Even if so, could that have helped – that is, did the agent even have a “do arithmetic” tool available to it?
- What likely went into the agent deciding that Alice’s word “nice” should trump other things, like Alice’s actual funds left? For example:
  - What model was the agent trained on?
  - While the agent ran, did it go out and read travel blogs, where one blog post said “land in northern Portugal – there’s light rail from the airport to everywhere you could want to go and you won’t even need a car!” while another blog post said “there’s nowhere in all of Portugal worth going except for this one southern Portuguese rural B&B”?
Tools can act agentically too
Unfortunately for Microsoft’s enterprise customers, there’s nothing about this Portugal nightmare that needs Alice’s “AI travel assistant” to be whatever it is that M365 might have decided “counts” as “an agent.”
Alice’s Portugal disaster totally could’ve happened through a basic desktop productivity tool like GitHub Copilot!
In other words, Microsoft’s omission of GitHub Copilot and its variants from the M365 Agent Registry’s listing of “Microsoft-authored” agents means that enterprise customers aren’t actually getting the observability into threats that Microsoft leadership is going around on podcasts promising M365 Agent Registry provides.
Yikes.
As Vince pointed out on episode 64 this weekend, the “lobsters” / “claws” as in “OpenClaw” proved to Microsoft’s leadership that they needed to avoid thinking of “agents” as services that only execute on servers that are remote to Alice.
But I challenge Vince and his colleagues at Microsoft to keep going. I challenge Microsoft’s leadership to stop thinking of “agents” as compute processes that only begin execution in response to events that happen when a human has long since walked away from the machine on which the agent is executing (e.g. a scheduled operating system task waking OpenClaw back up to re-check flight prices, because an earlier run of OpenClaw decided it seemed like a good idea to schedule that task).
Hyperscaler product managers, please pay attention: even a highly interactive desktop client chat UI “tool” like the GitHub Copilot CLI or the GitHub Copilot VSCode chat panel can, with Alice sitting right there patiently sipping coffee and waiting for the chat prompt’s “send” button to stop spinning, book the wrong trip to Portugal. And your enterprise customers need to know that when they look through products like M365 Agent Registry – that’s precisely what they turn to M365 Agent Registry to learn.
GenAI “tools” can behave agenticALLY (even at their most basic, the IDEs write content to OS files!), which means they 100% belong listed in “agent registries.” They are 100% part of what your enterprise leadership want to sleep well at night knowing they learned about when they poke through an “agent registry” trying to observe the threat landscape.
Distinguishing tools vs agents is not useful here
I just learned that Cloudflare reported 57.5% of web traffic they screen coming from bots instead of humans, to which Curt Tigges commented:
“I think it’s worth distinguishing between ‘bots’ and ‘agents’; most bot traffic is definitely not agents, it’s (deterministic screen-scraping) scripts.”
But then Cloudflare’s CEO defended focusing on the supercategory, saying:
“Bot / Crawler / Agent are all synonyms depending on whether you want them to be a good or bad thing, normatively.”
I think we’ve got a similar thing going on here – this is not the time to be pedantic and miss out on exposing crucial business information because it “didn’t count.”
Yes, I understand that fine-grained taxonomies have their use in human thinking, I really do. (Heck, it’s the core of what George Fletcher tries to name in his followup post, “A Framework for Delegated Authorization.”)
- (Aside: shoutout to my French teacher for making us read Michel Foucault’s “Order of Things” preface. I swear I link to that “Celestial Emporium” article monthly in these times of rapid change naming the ways humans solve IT problems. The humanities are such awesome foundational training for adulthood.)
Yes, I get that there are times when it’s important to come up with names that break up the whole world of “LLM-driven software that can nondeterministically, at machine speed, cause ‘write’ side effects that might not have been the actual intention of whoever thought LLM-driven computation might be a great way to solve a given problem” along questions like:
- Which of the following types of invocation typically kick off the LLM-driven computation’s execution?
  - Something potentially unattended, like a webhook / clock? or
  - Something tightly and more or less actively “attended” by a human through a UI like a chat where the human is sitting around waiting for the computation to complete within a matter of seconds or minutes, before issuing the next instruction? or
- On what kind of machine does the LLM-driven computation kick off?
  - A “client” (e.g. laptop / smartphone operating system software; e.g. a web application as visited through a web browser, etc.)? or
  - A “server”?
But I don’t think this is one of those times.
Deciding which agentic-behavior-capable products authored by Microsoft belong in the “Microsoft-authored agents” section of the M365 registry has only one right answer to me – all of them.
Microsoft – call them all “agents,” because they can all, nondeterministically and at machine speed, drain a company bank account on booking the wrong nonrefundable trip to Portugal.