Microsoft AI Technologies Reference

This section provides a comprehensive overview of Microsoft’s AI technology stack, from end-user productivity tools to infrastructure services.

Use this page as a reference after you’ve narrowed the decision: it’s optimized for confirming capabilities, boundaries, and status (GA/Preview) rather than teaching the selection process.

Problem-first reminder: Start with the business outcome and scenario, then pick the simplest technology that satisfies it. Use Scenarios to anchor real problems and the Decision Framework to gate technology choices.

Table of contents

  1. Microsoft AI Technologies Reference
    1. Table of contents
      1. Core AI Platforms
    2. Word, Excel, and PowerPoint Agents (Frontier) {: .tech-heading }
    3. Copilot Studio
    4. Power Apps Plan Designer
    5. Microsoft Foundry (Azure)
    6. Foundry Agent Service {: .tech-heading }
    7. Agent 365 {: .tech-heading }
    8. Foundry Control Plane {: .tech-heading }
    9. Azure AI Search {: .tech-heading }
    10. AI Builder {: .tech-heading }
      1. Data & Analytics Platforms {: .no_toc }
    11. Microsoft Fabric {: .tech-heading }
      1. Developer Tools {: .no_toc }
    12. GitHub Copilot {: .tech-heading }
    13. GitHub Models {: .tech-heading }
    14. Visual Studio Code {: .tech-heading }
    15. Microsoft 365 Agents SDK & Toolkit {: .tech-heading }
    16. Microsoft Agent Framework {: .tech-heading }
    17. Technology Selection Quick Guide
    18. Network Isolation Decision Matrix
    19. Identity & Permissions Architecture {: .tech-heading }
      1. Implementation Approach {: .no_toc }
      2. Identity & Permissions Matrix {: .no_toc }
      3. Microsoft 365 Copilot: User-Scoped by Design {: .no_toc }
      4. Copilot Studio: Configurable Delegated or Service Accounts {: .no_toc }
      5. Microsoft Foundry (Azure) & Foundry Agent Service: RBAC + Managed Identity First {: .no_toc }
      6. Microsoft 365 Agents SDK: Bring Your Own Authentication {: .no_toc }

Core AI Platforms

Microsoft 365 Copilot

Description: Integrated AI assistant across M365 apps (Word, Excel, Teams, Outlook, PowerPoint, OneNote) with tenant context and Graph security. Supports extensibility via declarative agents (low-code) and custom engine agents (pro-code) for tailored productivity experiences.
Official Docs: Microsoft 365 Copilot Overview
Status: GA

Key Features:

  • Tenant-aware AI: Works across Word, Excel, Teams, Outlook, PowerPoint, and OneNote while inheriting Microsoft Graph security and compliance controls. (Updated declarative agents guidance - Retrieved: 2025-10-30)
  • Extensibility options: Build declarative agents with instructions, knowledge, and actions or bring custom engine agents for full orchestration control. (Agents for Microsoft 365 Copilot - Retrieved: 2025-10-30)
  • Unified discovery: Users can discover and install agents from the in-app store inside Word and PowerPoint, with Excel support in rollout. (Microsoft 365 Copilot release notes - Updated: 2025-07-08)
  • Admin governance: Admins can pre-approve trusted agents and audit usage to streamline tenant-wide deployments. (Microsoft 365 Copilot release notes - Updated: 2025-08-05; 2025-07-08)
  • Grounded knowledge: Agents can draw from Teams meetings, SharePoint, OneDrive, email, Dataverse, and approved connectors with tenant-scoped security. (Extend Microsoft 365 Copilot with agents - Retrieved: 2025-10-30)
  • Fine-tuning (Preview): Copilot Tuning lets makers fine-tune declarative agent models using tenant data under admin control. (Microsoft 365 Copilot release notes - Updated: 2025-08-05)

Recent Updates (2025):

  • Oct 28, 2025: Static tabs for custom engine agents in Teams meetings and @mention routing for Copilot Chat to target specific agents. (Microsoft 365 Copilot release notes - Updated: 2025-10-28)
  • Aug 19, 2025: Declarative agents can be invoked directly in Excel and include enhanced governance to review file-based knowledge. (Microsoft 365 Copilot release notes - Updated: 2025-08-19)
  • Aug 5, 2025: Tenant data fine-tuning, admin pre-approval for trusted declarative agents, and improved SharePoint file Q&A accuracy. (Microsoft 365 Copilot release notes - Updated: 2025-08-05)
  • Jul 8, 2025: Unified store surfaces Copilot agents inside Word and PowerPoint and adds Dataverse as an in-product knowledge source. (Microsoft 365 Copilot release notes - Updated: 2025-07-08)

Network Isolation:

  • VNet Support: No custom VNet support
  • Fully managed SaaS (no VNet integration available)
  • Requires gateway architecture for private on-premises data access
  • Inherits M365 tenant network security
  • Ideal for: Organizations accepting Microsoft-managed SaaS networking model
  • Guidance: Microsoft recommends leveraging M365 admin controls and security policies to govern agent data access. (Data, privacy, and security considerations - Retrieved: 2025-10-30)

When to use: Broad productivity gains, existing M365 licenses, tenant-aware context, no deep AI expertise required, extend via low-code (Copilot Studio) or pro-code (M365 Agents SDK)

Sources:

Word, Excel, and PowerPoint Agents (Frontier) {: .tech-heading }

Description: Frontier-only preview creation agents inside Microsoft 365 Copilot Chat that draft Word, Excel, and PowerPoint files using Anthropic reasoning models after explicit admin opt-in.
Official Docs: Word, Excel, and PowerPoint Agents (Frontier)
Status: Frontier Preview (experimental; requires M365 Copilot license + Frontier enrollment)

Key Features:

  • Frontier-gated access: Admins enable via Microsoft 365 admin center (Copilot > Settings > User access > Copilot Frontier) and must connect the Anthropic provider before agents appear. (Overview of Microsoft Agent 365 - Retrieved: 2025-12-08; Manage Microsoft 365 Copilot scenarios - Retrieved: 2025-12-08)
  • Document creation agents: Generate drafts for Word, Excel, or PowerPoint from prompts in the Copilot app, grounded by Microsoft Graph data the user is authorized to access. (Get started with Word, Excel, and PowerPoint Agents - Retrieved: 2025-12-08)
  • Data boundary and consent: Anthropic model calls run outside Microsoft-managed environments; Microsoft Product Terms/DPA do not apply. Use is governed by Anthropic commercial terms, and admins can disable the provider at any time. (Data Privacy and Security - Retrieved: 2025-12-08)
  • Storage and security: Generated files save to OneDrive; only user-permitted Graph context is shared, with sensitivity labels and compliance policies respected. (Data Privacy and Security - Retrieved: 2025-12-08)
  • Limitations: English-only preview, side-by-side pane is read-only, and users open the full app to edit. (Responsible AI FAQ - Retrieved: 2025-12-08)

When to use: Early testing of AI-generated Office documents when admins accept third-party processing under Frontier terms; avoid for regulated production workloads until Microsoft-hosted GA availability.

Sources:

Copilot Studio

Description: Low-code and pro-code authoring environment for building declarative and custom engine agents with governance, analytics, and multi-channel delivery. Available as a standalone web app and inside Microsoft Teams.
Official Docs: Copilot Studio Documentation
Implementation Guide: aka.ms/CopilotStudioImplementationGuide

Key Features:

  • Unified authoring: Makers use the refreshed authoring canvas, trigger management, and analytics across lite and full experiences. (Upgrade to Copilot Studio unified authoring - Retrieved: 2025-10-30)
  • Model choice: GPT-4.1 is now the default model for generative orchestration with GPT-5 available in preview, while GPT-4o retires in managed tenants. (What’s new in Copilot Studio - Updated: 2025-10-31)
  • Real-time data connectors: Makers can ground agents with structured data from Microsoft and selected third-party systems for live responses. (Microsoft 365 Copilot release notes - Updated: 2025-08-05)
  • Expanded knowledge capacity: Agents can use up to 1000 SharePoint or OneDrive files with grouped instructions for precise responses. (Use up to 1000 files per agent - GA: 2025-10-06)
  • MCP tool integration: Agents can call remote Model Context Protocol servers to reach external tools securely. (What’s new in Copilot Studio - Updated: 2025-10-31)
  • Agent2Agent (A2A) Protocol: Publish agents as skills that can be discovered and invoked by other agents in a decentralized mesh. (Preview: 2025-05-21)
  • Channel reach: Publish agents to Microsoft 365 Copilot, Teams, web, and messaging channels including WhatsApp via Azure Communications Service. (Publish agents to WhatsApp - GA: 2025-09-08)
  • Orchestration modes: Generative orchestration (default) handles multi-intent planning; makers can switch to Classic NLU/Classic NLU+ for deterministic topic routing or connect Azure AI Language (CLU) for advanced entity extraction when licensing allows. (Natural language understanding overview - Updated: 2025-09-12; Create and edit topics - Updated: 2025-09-12)

Recent Updates (2025):

  • Oct 2025: Default model upgrade to GPT-4.1, GPT-5 preview access, MCP server tool, analytics enhancements, and flow express mode to reduce timeouts. (What’s new in Copilot Studio - Updated: 2025-10-31)
  • Oct 2025: Knowledge management improvements, including grouped instructions and 1000-file limits for SharePoint/OneDrive uploads. (Group files with instructions - GA: 2025-10-01; Use up to 1000 files per agent - GA: 2025-10-06)
  • Sep 2025: General availability of WhatsApp channel publishing for customer-facing agents. (Publish agents to WhatsApp - GA: 2025-09-08)
  • Jun 2025: Weekly active user insights for Copilot Studio agent reports in Viva Insights dashboards. (Microsoft 365 Copilot release notes - Updated: 2025-10-28)

Network Isolation:

  • VNet Support: Supported via Microsoft-managed VNet data gateway; runtime remains in Power Platform. (VNet data gateway overview - Retrieved: 2025-10-30)
  • Makers can deploy managed environments with private endpoints to Azure resources through the Power Platform VNet data gateway. (VNet data gateway overview - Retrieved: 2025-10-30)
  • On-premises data gateway enables secure connectivity to local systems. (VNet data gateway overview - Retrieved: 2025-10-30)
  • Ideal for: Managed PaaS scenarios requiring low-code authoring with governed access to Azure or on-premises data.

When Copilot Studio is the Right Tool:

  • Rapidly extend Microsoft 365 Copilot with declarative agents tailored to teams or departments.
  • Build custom engine agents that orchestrate complex workflows while remaining inside Microsoft-controlled infrastructure.
  • Leverage Power Platform connectors, triggers, and ALM tooling without deep ML engineering.

Sources:

Power Apps Plan Designer

Description: AI-assisted solution architect that generates Dataverse tables, security roles, and app structures from natural language descriptions. Accelerates the “Feasibility” phase of development.
Official Docs: Power Apps AI Overview
Status: GA

Key Features:

  • Schema Generation: Automatically creates 3NF normalized Dataverse tables and relationships based on business descriptions.
  • Role Generation: Suggests and configures security roles appropriate for the solution.
  • App Scaffolding: Generates the initial canvas or model-driven app layout.
  • Agent Feed: Integrated feed for monitoring agent activities and human-in-the-loop requests (Early Access).

When to use: Rapid prototyping, overcoming “blank canvas” paralysis, or enabling makers to build complex data models without deep architectural skills.

Microsoft Foundry (Azure)

Description: The cloud-based implementation of the Microsoft Foundry ecosystem (formerly Azure AI Foundry). A code-first environment for building, evaluating, and deploying AI solutions with Azure OpenAI, open-source, and custom models. Integrates with workforce tools such as Foundry Agent Service, prompt flow, and safety guardrails.
Official Docs: Microsoft Foundry (Azure) Documentation
Status: GA

Key Features:

  • Broad model catalog: Access GPT-5, GPT-5-mini, GPT-5-nano, GPT-4.1, GPT-image-1, Sora video generation, and GPT RealTime audio models alongside open-source offerings. (What’s new in Azure OpenAI - Updated: 2025-08-15)
  • Provisioned throughput management: Reserve PTUs and enable spillover to automatically route excess traffic to standard deployments. (What’s new in Azure OpenAI - Updated: 2025-08-15)
  • Safety and routing: Use model router, prompt shields with spotlighting, and structured outputs to protect prompts and dynamically select optimal models; GA router version 2025-11-18 adds routing profiles, custom subsets, Anthropic models, and reasoning_effort passthrough (billing effective Nov 2025). (Model router GA - Updated: 2025-11-18)
  • Workflow and evaluation tooling: Build end-to-end pipelines with prompt flow, evaluations, and integrated monitoring. (Azure AI Foundry Documentation - Retrieved: 2025-10-30)
  • Agent readiness: Pair with Foundry Agent Service for managed agent orchestration using the same model deployments. (Azure AI Foundry Documentation - Retrieved: 2025-10-30)

Recent Updates (2025):

  • Sep 2025: GPT-5-codex reasoning model released for Codex CLI and VS Code integration. (What’s new in Azure OpenAI - Updated: 2025-09-15)
  • Aug 2025: GPT-5 series, Sora image-to-video generation, GPT RealTime GA, and provisioned spillover reached GA. (What’s new in Azure OpenAI - Updated: 2025-08-15)
  • May 2025: Sora video generation preview, prompt shield spotlighting, and model router preview introduced. (What’s new in Azure OpenAI - Updated: 2025-05-30)

Context Windows:

  • GPT-5 series: Up to 400k tokens (272k input, 128k output) for reasoning workloads. (Foundry models sold directly by Azure - Retrieved: 2025-10-30)
  • GPT-5-chat: 128k token context for conversational scenarios. (Foundry models sold directly by Azure - Retrieved: 2025-10-30)
  • GPT-4.1: 1M token context for large document processing. (Foundry models sold directly by Azure - Retrieved: 2025-10-30)

Network Isolation:

  • VNet integration: Configure private endpoints for hubs and projects to keep traffic within customer VNets. (Configure a private link for Azure AI Foundry - Retrieved: 2025-10-30)
  • Managed virtual networks: Secure hubs with inbound and outbound network isolation, NSGs, and customer-managed keys. (Create a secure Azure AI Foundry hub - Retrieved: 2025-10-30)
  • Ideal for: Zero-trust deployments, regulated workloads, and sovereign data strategies.

When Microsoft Foundry (Azure) is the Right Tool:

  • Latency-sensitive or high-throughput applications needing direct control over model deployments and caching.
  • Custom AI pipelines, evaluations, or RAG systems that exceed low-code platform capabilities.
  • Teams with Azure engineering expertise that must combine private networking, governance, and model flexibility.

Sources:

Foundry Agent Service {: .tech-heading }

Description: Managed PaaS for agent orchestration, skills management, and runtime infrastructure within Microsoft Foundry (Azure). Supports connected agents (multi-agent systems), 15+ built-in tools, full RBAC + VNet + BYO storage. GA with continuous feature additions. (Formerly Azure AI Agent Service).
Official Docs: Foundry Agent Service
Status: GA (May 2025)

Key Features:

  • Managed runtime: Microsoft hosts compute, memory, and thread state with built-in tracing and Azure Monitor metrics. (Foundry Agent Service GA - Updated: 2025-05-20)
  • Connected agents (GA): Orchestrate multi-agent systems that share context without external orchestrators; supports Fabric data agents. (Foundry Agent Service GA - Updated: 2025-05-20)
  • BYO storage: Bring Azure Cosmos DB for thread storage plus Azure AI Search and Azure Blob Storage for knowledge with private endpoints. (Foundry Agent Service GA - Updated: 2025-05-20)
  • Thread storage in Cosmos DB (GA): Standard setup provisions enterprise_memory containers (thread-message-store, system-thread-message-store, agent-entity-store) in your Cosmos DB for NoSQL account with BYO throughput. (Azure Cosmos DB integration with Azure AI Agents Service, retrieved 2025-12-08)
  • Trace agents SDK: Debug runs with thread-level insights, including inputs, tool calls, and outputs. (Foundry Agent Service GA - Updated: 2025-05-20)
  • Event triggers: Invoke agents from Azure Logic Apps or other workflows to respond to business events. (Foundry Agent Service GA - Updated: 2025-05-20)
  • VS Code integration: AI Foundry VS Code extension deploys and configures agent tools, including MCP integrations. (Foundry Agent Service GA - Updated: 2025-05-20)
  • MCP tool & Deep Research: Connect to remote Model Context Protocol servers and run multi-step o3-deep-research investigations grounded by Bing Search. (What’s new in Foundry Agent Service - Updated: 2025-06-15)

Built-in Tools (Knowledge):

  • Azure AI Search: Ground agents with indexed data, chat with your data
  • File Search: RAG with proprietary documents (Azure Blob Storage, local files). Uses vector stores (up to 10,000 files), automatic chunking/embedding (text-embedding-3-large), hybrid search (keyword + semantic), reranking
  • Grounding with Bing Search: Access real-time web information
  • Grounding with Bing Custom Search (GA June 2025): Enhanced responses with selected web domains
  • Microsoft Fabric (GA March 2025): Integrate with Fabric Data Agents for data analysis capabilities
  • SharePoint (Preview): Chat with private SharePoint documents, OBO authentication for security-trimmed access, leverages M365 Copilot API built-in indexing
  • Licensed Data: Proprietary data via licensed API keys (TripAdvisor, Morningstar, LexisNexis, LEGALFLY, etc.)

Built-in Tools (Action):

  • Function Calling: Custom stateless functions
  • Azure Functions: Intelligent, event-driven serverless code execution
  • Azure Logic Apps: 1,400+ connector-based workflows
  • Code Interpreter: Write and run Python code in sandboxed environment (data handling, visuals)
  • OpenAPI 3.0 Specified Tool: Connect to external APIs via OpenAPI spec
  • Model Context Protocol (GA June 2025): Access tools hosted on remote MCP endpoints for interoperable tool sharing. (What’s new in Foundry Agent Service - Updated: 2025-06-15)
  • Deep Research (GA June 2025): Multi-step web-based research with o3-deep-research model + Bing Search
  • Browser Automation (Preview): Real-world browser tasks via natural language with Playwright Workspaces
  • Computer Use (Preview): UI interaction via specialized computer-use-preview model, interprets raw pixel screenshots, virtual keyboard/mouse control
  • Image Generation (Preview): Generate and edit images as part of conversations and multi-step workflows

Agent Setup Options:

  • Basic Setup: Microsoft-managed search and storage (files stored in MS-managed storage, vector stores in MS-managed search)
  • Standard Setup: BYO Azure AI Search + Blob Storage + Cosmos DB (files in your Blob, vector stores in your AI Search, thread storage in your Cosmos DB), private networking, no public egress by default

Recent Updates (2025):

  • General Availability: Service went GA in May 2025
  • Connected agents: Multi-agent orchestration without external orchestrators (May 2025)
  • MCP tool: Connect to remote Model Context Protocol servers (June 2025)
  • Deep Research: o3-deep-research + Bing Search for multi-step analysis (June 2025)
  • Bing Custom Search: Specify websites for grounding (June 2025)
  • Azure Monitor integration: Metrics for file indexing, run tracking (April 2025)
  • BYO Cosmos DB: Thread storage in customer-managed Cosmos DB for NoSQL (April 2025)
  • VS Code extension: Develop, test, and publish agents with tool configuration inside Visual Studio Code. (Foundry Agent Service GA - Updated: 2025-05-20)

Network Isolation:

  • VNet Support: Full private networking support (same as Azure AI Foundry)
  • VNet integration with container injection
  • Private endpoints for all resources
  • Network Security Groups (NSGs) for traffic isolation
  • Standard Setup: No public egress by default
  • Ideal for: Managed PaaS with private networking requirements

Terminology note: In this guide, “Microsoft Agent Framework” refers to the open-source orchestration SDK, whereas “Foundry Agent Service” is the managed PaaS runtime that hosts agents in Azure AI Foundry.

When to use: Managed agent orchestration at PaaS layer, scalable agent infrastructure, multi-agent systems, comprehensive built-in tool ecosystem, prefer Azure-managed RAG infrastructure, need enterprise security + observability

Sources:

Agent 365 {: .tech-heading }

Description: Entra-backed agent identity and registry service providing lifecycle governance, conditional access, and defense-in-depth controls for agents across Microsoft experiences. Official Docs: Agent 365
Status: Preview

Key Features:

  • Agent registry & identity: Entra-issued agent identities with lifecycle actions (create, update, retire), ownership transfer, and audit. (Capabilities - Retrieved: 2025-12-08)
  • Conditional access & policies: Enforce conditional access, least-privilege scopes, and consented resources for each agent identity. (Capabilities - Retrieved: 2025-12-08)
  • Defense-in-depth: Prompt shield, risky-agent detection, and action guardrails for sensitive tools. (AI security what’s new - Updated: 2025-11-18)
  • Observability: Registry-backed telemetry for admins to monitor usage and enforce policy exceptions. (Admin actions - Retrieved: 2025-12-08)

When to use: Centralize identity, registry, and guardrails for agents that span M365 and Azure surfaces; pair with Foundry/Agent Service or Copilot Studio for runtime.

Sources:

Foundry Control Plane {: .tech-heading }

Description: Centralized registry and security posture hub for agents built in Microsoft Foundry. Integrates Azure Policy, Microsoft Defender, and Purview for unified governance. Official Docs: Foundry Control Plane
Status: GA (Nov 2025)

Key Features:

  • Agent registry: Inventory agents with RBAC, tenant isolation, and managed identities for each agent app. (Overview - Updated: 2025-11-18)
  • Policy & guardrails: Apply Azure Policy, Defender for Cloud, and Purview data security policies to agent projects from one pane. (AI security what’s new - Updated: 2025-11-18)
  • Observability & remediation: Security and policy tabs with bulk remediation for misconfigurations, plus hooks for Azure Monitor. (Overview - Updated: 2025-11-18)

When to use: Govern Foundry-built agents at scale-register, secure, and monitor agents alongside Azure resource policies.

Sources:

Azure AI Search {: .tech-heading }

Description: Azure-native search and retrieval platform with vector, hybrid, and agentic retrieval (knowledge bases) for RAG and grounding. Official Docs: Azure AI Search Documentation
Status: GA (agentic retrieval features in preview API version 2025-11-01-preview)

Key Features:

  • Agentic retrieval / knowledge bases (Preview): Knowledge sources with retrievalInstructions, partial responses, and reasoning_effort to reduce latency; Foundry IQ lets Agent Service agents call knowledge bases. (What’s new - Updated: 2025-11-18)
  • Security & governance: SharePoint indexer ACL flow-through (Preview), sensitivity label enforcement, and confidential computing (GA, +~10% surcharge). (What’s new - Updated: 2025-11-18; Sep 2025)
  • Knowledge sources: Indexed/remote SharePoint, indexed OneLake, and web sources with content extraction powered by Azure AI Content Understanding. (What’s new - Updated: 2025-11-18)
  • Ranking & analytics: Semantic ranker and agentic retrieval available on free tier (limited quotas); scoring function aggregation and facet aggregations for analytics. (What’s new - Updated: 2025-11-18)
  • Endpoint flexibility: Skills/vectorizers accept services.ai.azure.com and azure-api.net endpoints for Foundry-hosted models. (What’s new - Updated: 2025-11-18)

When to use: Enterprise RAG/agentic retrieval with ACL-aware indexing, label-aware enforcement, and integration into Foundry/Agent Service.

Sources:

AI Builder {: .tech-heading }

Description: Power Platform AI services for document processing, vision, text analysis, and predictions. Backed by Azure AI Document Intelligence and GPT models. Callable from Copilot Studio agents, Power Automate, and Power Apps.
Official Docs: AI Builder Documentation
Status: GA

Key Features:

Data & Analytics Platforms {: .no_toc }

Microsoft Fabric {: .tech-heading }

Description: Unified data and analytics platform that provides the “OneLake” foundation for AI. Includes Real-Time Intelligence, Data Engineering, and the new “Fabric Data Agents” for conversational analytics.
Official Docs: Microsoft Fabric Documentation
Status: GA

Key Features:

  • Fabric Data Agents (Preview): Q&A-style conversational agents that retrieve insights from OneLake sources while respecting data access permissions; consumable by Copilot Studio and M365 Copilot. Not an orchestrator-use Foundry Agent Service or Agent Framework for multi-step coordination.
  • Cosmos DB in Fabric (Preview): Deploy Cosmos DB (NoSQL) directly within Fabric for unified operational and analytical data without ETL.
  • OneLake Shortcut Transformations (Preview): Apply AI transformations (summarize, translate, classify) via Azure AI Foundry during data ingestion.
  • Translytical Task Flows (Preview): Trigger write-back actions and workflows directly from Power BI reports.
  • Digital Twin Builder (Preview): No-code tool in Real-Time Intelligence to map physical assets to digital twins.

Developer Tools {: .no_toc }

GitHub Copilot {: .tech-heading }

Description: AI-powered developer platform that has evolved from an in-editor assistant to a suite of autonomous agents and tools for the entire software lifecycle.
Official Docs: GitHub Copilot Documentation
Status: GA (Various features in Preview)

Key Features:

  • Copilot Coding Agent (Preview): Autonomous agent integrated into GitHub.com that can be assigned issues to refactor code, fix bugs, and implement features asynchronously. It creates PRs, runs tests, and iterates on feedback.
  • Copilot Agent Mode (Preview): “Peer programmer” mode in VS Code that can edit multiple files, run terminal commands, and self-heal errors during development.
  • Copilot Extensions: Ecosystem of third-party tools (DataStax, Sentry, Azure) that Copilot can invoke to perform specialized tasks.
  • Copilot Workspace: Natural language environment to plan, build, test, and run code in a cloud-based dev environment.

GitHub Models {: .tech-heading }

Description: Models as a Service (MaaS) platform integrated directly into GitHub, allowing developers to discover, test, and compare models (OpenAI, Meta, Mistral, Microsoft) without leaving their workflow.
Official Docs: GitHub Models Documentation
Status: Preview

Key Features:

  • Model Playground: Interactive hub to test prompts and compare model outputs.
  • Workflow Integration: Use models directly in PRs, issues, and CI/CD pipelines.
  • Prompt Management: Create, save, and share prompts across the organization.
  • Evaluation: Automated tools to evaluate model performance and cost for specific use cases.

Visual Studio Code {: .tech-heading }

Description: The world’s most popular code editor, now serving as the primary interface for “Agentic IDE” experiences.
Official Docs: VS Code Documentation
Status: GA

Key Features:

  • Agent Mode: The UI for autonomous coding agents (see GitHub Copilot).
  • PostgreSQL Extension (Preview): AI-powered database management with natural language to SQL capabilities.
  • Azure AI Foundry Extension: Build, test, and deploy agents directly from VS Code.

Microsoft 365 Agents SDK & Toolkit {: .tech-heading }

Description: Pro-code framework and tooling for multi-channel Microsoft 365 agents. Combines the Agents SDK (C#, JavaScript/TypeScript, Python) with Agents Toolkit extensions for VS Code, Visual Studio, GitHub Copilot, and CLI-based automation. Successor to Bot Framework for custom engine agents.
Status: GA (C#, JavaScript/TypeScript, Python)
Official Docs: M365 Agents SDK | M365 Agents Toolkit | Bot Framework Migration

Key Features:

  • Channel reach: Deploy custom engine agents to Microsoft 365 Copilot, Teams (chat, channels, meetings), web, email, SMS, and third-party messaging channels. (Microsoft 365 Agents Toolkit - Updated: 2025-05-30)
  • Model + orchestrator choice: Bring Azure OpenAI, Azure AI Foundry, Anthropic, or other APIs and pair with Microsoft Agent Framework or alternate orchestrators. (Microsoft 365 Agents SDK overview - Updated: 2025-10-20)
  • Toolkit formats: Use VS Code, Visual Studio, GitHub Copilot, or CLI tooling for scaffolding, debugging, publishing, and CI/CD automation. (Microsoft 365 Agents Toolkit - Updated: 2025-05-30)
  • Agents Playground: Local sandbox simulates Teams to iterate without a tenant or tunneling, supporting rapid agent debugging. (Microsoft 365 Agents Toolkit - Updated: 2025-05-30)
  • Migration path: Bot Framework retirement on Dec 31, 2025, routes existing solutions to the Agents SDK + Toolkit stack. (Bot Framework Migration Guide)

Recent Updates (2025):

Deployment & Hosting:

  • Bring-your-own hosting: Deploy Agents SDK workloads to Azure App Service, Azure Container Apps, AKS, or on-premises infrastructure with full control over VNets, private endpoints, and certificates. (Microsoft 365 Agents Toolkit - Updated: 2025-05-30)
  • CI/CD automation: Agents Toolkit CLI supports provisioning, packaging, and publishing inside GitHub or Azure DevOps pipelines. (Microsoft 365 Agents Toolkit command line interface - Retrieved: 2025-10-30)

When to use: Migrating Bot Framework bots, building enterprise-grade agents that must span Teams, Copilot, and external channels, or needing full governance over hosting, authentication, and orchestration stack selection.

Sources:

Microsoft Agent Framework {: .tech-heading }

Description: Microsoft’s next-generation, type-safe orchestration SDK for composing multi-agent workflows with executors, edges, and reusable patterns. Successor to Semantic Kernel and AutoGen for building agents in .NET and Python.
Status: Public Preview (.NET, Python)
Official Docs: Microsoft Agent Framework overview | Workflows overview | Workflows - Checkpoints

Key Features:

  • Unified agents + workflows: Ship LLM-powered agents, MCP integrations, and workflow graphs from a single SDK that merges Semantic Kernel and AutoGen strengths. (Microsoft Agent Framework overview - Retrieved: 2025-11-12)
  • Orchestration patterns: Sequential, Concurrent, Handoff, and Magentic orchestrations accelerate multi-agent collaboration without bespoke control logic. (Workflows orchestrations overview - Retrieved: 2025-11-12)
  • Type-safe execution + checkpointing: Executors, edges, and checkpoint services provide deterministic routing, resumability, and human-approval loops. (Workflows overview - Retrieved: 2025-11-12; Workflows - Checkpoints - Updated: 2025-10-01)
  • Observability instrumentation: OpenTelemetry hooks capture workflow spans (workflow.run, message.send, etc.) via ENABLE_OTEL or setup_observability(). (Workflows - Observability - Retrieved: 2025-11-12)
  • Workflows as agents: Any workflow can be wrapped and exposed through the agent interface, enabling reuse across APIs or UI hosts. (Workflows - Using workflows as agents - Retrieved: 2025-11-12)

Technology Selection Quick Guide

Your Need Recommended Technology Why?
End-user productivity (no dev) Microsoft 365 Copilot Built-in, tenant-aware, immediate value
Custom agents (low-code) Copilot Studio Managed platform, fast deployment, governance
Custom agents (pro-code) M365 Agents SDK or Azure AI Foundry Full control, any model, any orchestrator
Managed agent runtime Foundry Agent Service PaaS for agent infrastructure, multi-agent support
Enterprise workflow + AI Azure Logic Apps 1,400+ connectors, MCP server, AI agent workflows
Document processing AI Builder Prebuilt models, Power Platform integration
Workflow orchestration Microsoft Agent Framework Checkpointing, type-safe workflows, multi-agent patterns

Network Isolation Decision Matrix

Technology VNet Support Private Endpoints Air-Gapped Gateway Required Best For
Azure AI Foundry Full Yes Yes No Zero-trust, air-gapped, sovereign data
Foundry Agent Service Full Yes Yes No Managed PaaS with private networking
Copilot Studio Gateway-based Via gateway No Yes Managed PaaS with Azure resource access
M365 Agents SDK Self-hosted Yes Yes No Custom network control
M365 Copilot No No No No No No Yes For on-prem Managed SaaS only

Identity & Permissions Architecture {: .tech-heading }

Why it matters: Successful agent deployments hinge on getting identity, authorization, and auditing right. Use this section to align authentication models with the platforms in this guide.

Implementation Approach {: .no_toc }

  1. Map identity boundaries for every surface (M365 Copilot, Copilot Studio, Microsoft Foundry (Azure), Agents SDK) so you know which services are inherently user-scoped and which require custom design.1234
  2. Choose delegated vs application scopes early, preferring delegated consent for user-driven actions and reserving service principals for automation that cannot run under a user identity.56
  3. Configure authentication flows using the native controls for each platform-Copilot Studio manual auth, Microsoft Foundry (Azure) managed identities, and MSAL providers in the Agents SDK.278
  4. Enforce least privilege and RBAC by assigning the minimum Entra ID roles, Graph scopes, and project-level permissions required for the workload; document any elevated service accounts.36
  5. Enable centralized auditing in Microsoft Purview and Dataverse so prompts, responses, and service-account executions are captured for compliance reviews.910

Identity & Permissions Matrix {: .no_toc }

Technology Default Identity Mode Service Accounts Supported? Primary Configuration Controls Audit Surface
M365 Copilot Always runs as the signed-in user No Tenant privacy & data access posture Microsoft Purview audit logs9
Copilot Studio User or service account depending on authentication setting Yes (manual auth) Agent authentication mode + connection references Microsoft Purview + Dataverse transcripts210
Microsoft Foundry (Azure) / Agent Service Configurable (API key, Entra ID, managed identity) Yes Azure RBAC assignments + managed identity role bindings Azure Monitor / Diagnostic logs
M365 Agents SDK Developer-defined (delegated, app-only, managed identity) Yes MSAL profile configuration + Graph scopes Custom logging + Purview via channel integration85

Microsoft 365 Copilot: User-Scoped by Design {: .no_toc }

  • Runs entirely under the requesting user’s identity and respects existing SharePoint, Exchange, and Teams permissions-“it only sees what you can see” is an architectural guarantee.1
  • All prompts and responses flow into Microsoft Purview audit logs and activity explorer, enabling retention and eDiscovery without extra configuration.9
  • Best choice when compliance teams require individual attribution with zero additional setup.

Copilot Studio: Configurable Delegated or Service Accounts {: .no_toc }

  • Makers select Authenticate with Microsoft for delegated access (Teams channel only) or Authenticate manually to wire up Entra ID, federated credentials, or other OAuth providers.2
  • Connection references decide whether each action uses the caller’s identity or a pre-authorized service account-document every elevated credential and pair destructive flows with approvals.2
  • Purview auditing of maker and end-user interactions is GA (Jan 2025), and Dataverse conversation tables retain transcripts for 30+ days with configurable retention, giving you a complete audit trail.10
  • Ideal when you need to mix user-scoped reads with selective elevation for enterprise systems (for example, HR ticket creation under a bot account).

Microsoft Foundry (Azure) & Foundry Agent Service: RBAC + Managed Identity First {: .no_toc }

  • Replace static API keys with Microsoft Entra authentication and assign built-in roles (Azure AI User, Azure AI Project Manager, Cognitive Services OpenAI User) to enforce least privilege.3
  • Enable the project’s system-assigned managed identity and grant it scoped access (for example, Storage Blob Data Reader) so hosted agents can call downstream services without secrets.7
  • Use role assignments and diagnostic logging to trace every inference or tool call back to a user principal or managed identity-required for production-grade workloads.
  • Suits pro-code teams that already operate Azure landing zones and need fine-grained control.

Microsoft 365 Agents SDK: Bring Your Own Authentication {: .no_toc }

  • The SDK ships MSAL-based providers that can issue access tokens via delegated consent, client credentials, or managed identities; profiles are defined in configuration, not hard-coded.8
  • Pair the SDK with Entra ID app registrations that request only the Graph scopes you need, and use the Admin Center’s Permissions tab to review delegated vs application grants.56
  • Implement custom logging (Application Insights, Purview activity events) to record the initiating user, token type, and downstream actions-security teams will expect this evidence.
  • Choose this path when you require full control over token exchange, multi-channel adapters, and integration with existing identity middleware.

Next: Feature Comparison - Side-by-side capability matrices

  1. Data, privacy, and security for Microsoft 365 Copilot, Microsoft Learn. Retrieved: 2025-01-14. https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-privacy  2

  2. Configure user authentication in Copilot Studio, Microsoft Learn. Retrieved: 2025-01-14. https://learn.microsoft.com/en-us/microsoft-copilot-studio/configuration-end-user-authentication  2 3 4 5

  3. Role-based access control for Azure AI Foundry (hub-focused), Microsoft Learn. Retrieved: 2025-01-14. https://learn.microsoft.com/en-us/azure/ai-foundry/concepts/hub-rbac-azure-ai-foundry  2 3

  4. Configure authentication in a .NET agent (Microsoft 365 Agents SDK), Microsoft Learn. Retrieved: 2025-01-14. https://learn.microsoft.com/en-us/microsoft-365/agents-sdk/microsoft-authentication-library-configuration-options 

  5. Manage permissions for Microsoft 365 Copilot agents, Microsoft Learn. Retrieved: 2025-01-14. https://learn.microsoft.com/en-us/microsoft-365/admin/manage/manage-agents-permissions  2 3

  6. Overview of Microsoft Graph permissions, Microsoft Learn. Retrieved: 2025-01-14. https://learn.microsoft.com/en-us/graph/permissions-overview  2 3

  7. How to use Azure AI Foundry Agent Service with OpenAPI specified tools - Authenticating with managed identity, Microsoft Learn. Retrieved: 2025-01-14. https://learn.microsoft.com/en-us/azure/ai-foundry/agents/how-to/tools/openapi-spec#authenticating-with-managed-identity-microsoft-entra-id  2

  8. Configure authentication in a .NET agent (Microsoft 365 Agents SDK), Microsoft Learn. Retrieved: 2025-01-14. https://learn.microsoft.com/en-us/microsoft-365/agents-sdk/microsoft-authentication-library-configuration-options  2 3

  9. Microsoft 365 Copilot reporting options for admins, Microsoft Learn. Retrieved: 2025-01-14. https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-reports-for-admins  2 3

  10. Audit Copilot Studio activities in Microsoft Purview, Microsoft Learn. Retrieved: 2025-01-14. https://learn.microsoft.com/en-us/microsoft-copilot-studio/admin-logging-copilot-studio  2 3

Back to top

Copyright © 2025. This documentation is based on official Microsoft sources and best practices.