How Entra’s Agent Registry and Purview Team Up to Conquer Agent Sprawl

AI agents are showing up everywhere in the enterprise: Copilot add‑ins, line‑of‑business copilots built in Studio, “helper” bots glued onto SaaS apps, home‑grown automations running in the background. Individually, each one looks harmless. Collectively, they turn into something more dangerous: agent sprawl.

You get dozens (soon hundreds) of agents with overlapping responsibilities, inconsistent permissions, and no clear answer to a basic question: Which agents are touching my critical data, and under what guardrails?

Microsoft’s answer is starting to crystallize:

  • Microsoft Entra Agent Registry as the single source of truth for agent identity and metadata.
  • Microsoft Purview for Agents as the enforcement layer for data protection, DLP, insider risk, and compliance—using those identities as first‑class policy subjects.

Agent sprawl: when “just one more Copilot” becomes a problem

Enterprises aren’t just deploying one AI agent; they’re building an AI workforce. Microsoft’s own estimates land in the billions of agents by the end of the decade.

Without a control plane, that workforce behaves like shadow IT:

  • Agents arrive through different channels: Microsoft 365 Copilot, Copilot Studio, Foundry, third‑party marketplaces, custom SDK builds.
  • Some run under human identities, some under service principals, some under whatever the developer found easiest.
  • A surprising number end up with broad access “just to get it working.”

From a data and security perspective, the symptoms are familiar:

  • No single inventory of what agents exist, who owns them, or what they’re allowed to touch.
  • No consistent way to apply data policies—especially AI governance controls like “this agent may see finance data, that one may not.”
  • No clean audit trail for “which agent did what to which data, when?”

“Stop building agents” isn’t an option. So the only viable move is to treat agents like people in the places that matter: identity, access, and data governance.

That’s exactly where Entra’s Agent Registry and Microsoft Purview meet.

What Microsoft Entra Agent Registry actually does

At its core, the Microsoft Entra Agent Registry is an extensible metadata repository for agents—part of the broader Entra Agent ID system. It is explicitly designed to solve the “we don’t know what’s running” problem for AI agents across Microsoft and non‑Microsoft ecosystems.

A few key capabilities, in plain language:

  • Unified agent inventory. The registry maintains an inventory of all registered agents—including those with Entra Agent IDs and externally hosted agents you choose to onboard—giving you a single view of the agent fleet.
  • Rich metadata and collections. Each agent has a card with metadata (owner, capabilities, host products, data sources, identity relationships), and agents can be grouped into collections for governance and discovery boundaries (“Finance agents,” “Experiment agents,” “External partner agents,” etc.).
  • Discovery‑before‑access. The registry integrates with Entra Core Directory and Agent ID so that discovery and access policies work together—agents must be known and governed before they can discover and connect to other agents and resources.

With Agent 365, Microsoft wraps that into the Microsoft 365 admin center as a full control plane: the Agent Registry view surfaces a tenant‑wide inventory of agents (Microsoft, partner, and custom), allows IT to quarantine unsanctioned ones, and gives business users a curated Agent Store.

The important shift for data folks: there is finally one place where “all agents” is a real, queryable concept, not a spreadsheet you hope someone remembered to update.

And because Agent Registry is in public preview, Microsoft is explicit that details can still shift—but the shape of the solution is clear.

Purview for Agents: data governance follows identity

If Entra Agent Registry answers “who and what are these agents?”, Microsoft Purview for Agents answers “what data can they see, and how do we hold them accountable?”.

With the Ignite 2025 announcements, Purview has started treating autonomous agents as first‑class subjects in its policies and analytics—not just extensions of whoever clicked “run.” Key elements of that move:

  • Purview Information Protection & DLP for agents. Purview can now scope Information Protection and Data Loss Prevention policies directly to autonomous agents with an Agent ID, across Microsoft 365 apps like Exchange, SharePoint, and Teams. Agents with their own identity get their own policy envelope instead of riding on user policies alone.
  • Insider Risk Management for agents. Purview Insider Risk introduces agent‑specific indicators and risk scoring, so suspicious agent behavior (e.g., unusual exfiltration patterns, repeated access to highly sensitive content) can be investigated with the same rigor as human insider risk.
  • Compliance for agent interactions. Communication Compliance, Data Lifecycle Management, Audit, and eDiscovery now extend to agent interactions, giving you retention, supervision, and legal hold coverage over agent‑generated and agent‑mediated content.
  • DLP on prompts and grounding data. Purview DLP can block Microsoft 365 Copilot and related agents from using or responding to prompts that contain sensitive data, and from using labeled files as grounding data when policies say “no.”

On the developer side, Purview’s SDK is being embedded into the Agent Framework SDK, making it possible for agent builders to integrate classification, labeling, and leak prevention directly into custom agents from day one.

In other words: Purview has learned to “speak Agent ID.” That’s the bridge to Entra’s registry.

Where the integration actually happens

So how do Agent Registry and Purview work together in practice to reduce agent sprawl instead of just putting dashboards on it?

You can think of it as two planes intersecting:

  • Identity & agent plane → Entra Agent Registry / Agent 365.
  • Data & policy plane → Microsoft Purview.

The integration points that matter:

1. Agent identity and registry metadata feed Purview’s view of risk

Every agent that matters is:

  • Given a Microsoft Entra Agent ID (where supported),
  • Registered in the Agent Registry (directly or via Agent 365),
  • Enriched with metadata about owners, host products, data sources, and collections.

That information becomes the backbone for Purview’s AI Observability in DSPM and Purview for Agents features: Purview can see “which agents exist, what they’re connected to, and how risky they look” across the estate.

Instead of “an app did something weird,” you can attribute activity to a specific agent card with:

  • A stable identity (Agent ID),
  • A known collection (“Finance agents” vs “Experiment agents”),
  • A clear owner and publishing path (via Agent 365 admin workflows).

2. Purview policies can now be scoped to agents, not just humans

Because Purview can scope policies to Agent IDs, you can:

  • Apply existing DLP and Information Protection policies to specific agents or to groups of agents, not just to user accounts.
  • Define “high‑trust” vs “low‑trust” agent collections in the registry and target them with different policy sets (for example, “Experiment agents may not touch Highly Confidential content, even if the user could”).

When you publish an agent through the Microsoft 365 admin center, you can attach templates that bundle Entra, Purview, and SharePoint controls—the default template includes baseline security and compliance policies from all three. That gives your AI admins a repeatable pattern: new agents don’t go live without a minimum Purview posture.

3. Sensitivity labels and embedded knowledge stay attached to agents

For Copilot agents that use embedded files as knowledge, the Agent Registry view surfaces:

  • The file name,
  • The sensitivity label applied to those files,
  • The SharePoint Embedded container that stores them.

The service automatically applies a sensitivity label to the agent’s embedded content based on the most restrictive label of the uploaded files and any default labeling policy you’ve configured.

That closes an important gap: the same labels you rely on in Purview now follow the knowledge into the agent, and Purview policies can enforce against those labels when prompts/responses or downstream sharing cross a boundary.

4. Security & compliance loops stay closed

The broader Agent 365 control plane ties this together with Defender on the threat side and Purview on the data side:

  • Defender detects threats and misconfigurations targeting agents; Entra enforces access control; Purview prevents or flags data misuse and keeps the audit trail.
  • Purview Data Security Investigations and Insider Risk can pivot from agent‑level signals (“this agent is exfiltrating unusual volumes of labeled content”) back into registry metadata (“who owns it, which collection is it in, where is it deployed?”) for remediation.

Identity, app, and data security stop being three disconnected conversations; you get a coherent story about each agent’s lifecycle and blast radius.

Patterns that actually reduce agent sprawl

Putting the marketing diagrams aside, what does this integration let you do differently?

Here are practical patterns you can implement as the stack matures, without rewriting everything:

  • Make registry enrollment non‑negotiable.
    Treat Entra’s Agent Registry (surfaced via Agent 365) as the gate for production agents: if it isn’t in the registry with an Agent ID and owner, it doesn’t run against real data. Quarantine unsanctioned agents using registry controls so they can’t be discovered or connected to other agents or resources.
  • Attach Purview policies to collections, not individual agents.
    Use registry collections to express meaningful classes—“Customer‑facing agents,” “HR workflow agents,” “R&D experiment agents.” Then scope Purview DLP, Information Protection, and Insider Risk policies to those collections. Entra Agent ID becomes the subject; collections become the policy dimension.
  • Start with your highest‑risk data paths.
    Use Purview’s AI observability and DLP analytics to identify which agents interact with your most sensitive labels (e.g., “Highly Confidential – Finance,” “Restricted IP”), then move those agents into stricter collections with more constrained Purview policies. Combine that with the sensitivity label behavior for embedded knowledge to ensure that if an agent is grounded in highly labeled content, it lives in a collection that reflects that risk.
  • Use templates to bake governance into the publishing workflow.
    Define custom Agent 365 templates that include additional Purview policies beyond the default template—especially for departments that handle regulated data. Publishing then becomes not just “make this agent visible,” but “make it visible under this governance contract.”
  • Instrument the feedback loop.
    When Purview flags risky agent behavior—via DLP alerts, Insider Risk indicators, or Data Security Investigations—treat that as a signal to update the registry: adjust the agent’s collection, quarantine it, or enforce a different template on its next version. Over time, this turns agent governance into a living system, not a one‑time setup.

None of this prevents your teams from experimenting with AI agents. The goal is different: experimentation happens inside a governed perimeter where identity and data policy reinforce each other instead of fighting.

Bringing it together: a path out of agent sprawl

Agent sprawl isn’t a temporary phase; it’s the default trajectory if everyone can ship an agent faster than security and data teams can keep up.

Microsoft’s emerging pattern—Entra Agent Registry + Agent ID on the identity side, Purview for Agents on the data side, tied together by Agent 365—isn’t perfect yet, but it’s the first opinionated, end‑to‑end attempt to treat agents as governed citizens of the environment, not unsupervised scripts.

If you own data strategy or security, the practical next steps are clear:

  • Get familiar with the Agent Registry concepts (agents, agent cards, collections, blueprints) and decide what “in the registry” means for your org.
  • Map your existing Purview labels and DLP policies onto agent collections instead of just users—especially where compliance risk is highest.
  • Treat every new agent request as a chance to apply a template that encodes identity, access, and data policy from the start.

You can’t stop the organization from adopting more agents—and you shouldn’t. But with a registry as your source of truth and Purview as your policy engine, you can let Microsoft Purview and AI governance scale with the AI workforce instead of being overwhelmed by it.

Taking it Further

Once you’ve managed your agent sprawl and started to treat agents as a part of your workforce, you need a system that’s designed to support managing, monitoring, evaluating, and controlling them. At that point, Neudesic’s Digital Workforce Management Platform comes deeply into play, enabling you to properly supervise the agents across your environment, even as you control and eliminate agent sprawl.

Note: The author is a part of Neudesic, an IBM Company.


Author: Jason Miles

A solution-focused developer, engineer, and data specialist focusing on diverse industries. He has led data products and citizen data initiatives for almost twenty years and is an expert in enabling organizations to turn data into insight, and then into action. He holds an MS in Analytics from Texas A&M, DAMA CDMP Master, and INFORMS CAP-Expert credentials.
