Microsoft 365 E7 Frontier Suite: The New All-in-One Enterprise Package

Starting in May, Microsoft will bundle its entire AI and security portfolio into a single enterprise package. The company made this official announcement today.

What had been widely anticipated is now confirmed: with the Microsoft 365 E7 Frontier Suite, Microsoft is launching a comprehensive package designed to consolidate the previously fragmented landscape of productivity tools, AI assistance, and enterprise security under one roof. The suite will be generally available from May 1, 2026, at a list price of 99 US dollars per user per month (pupm).

The Microsoft Frontier Suite is a comprehensive bundle of cloud services and AI tools developed specifically for enterprises in highly regulated industries such as defense, government, and critical infrastructure. It offers advanced security features and specialized AI models to handle sensitive data confidently within isolated or specially protected environments.

With Wave 3 of its Microsoft 365 Copilot strategy, Microsoft is ushering in a new era of AI-powered work on March 9, 2026. The new package, the Frontier Suite, comprising Microsoft 365 E7 (ME7), Agent 365, and Copilot Cowork, is aimed at enterprises seeking to deploy agent-based AI at scale. As AI spending according to Gartner is set to grow to 2.52 trillion US dollars in 2026 (up 44% year-over-year), the critical question for IT decision-makers is: What does this actually deliver, when does the upgrade make sense, and what risks lurk behind the 99 US dollar bundle?

Wave 3: The frontier transformation begins

Microsoft’s announcement on March 9 marks the third development phase, Wave 3, of the Microsoft 365 Copilot strategy. Following the introduction of AI assistance functions (Wave 1) and Copilot integration into business applications (Wave 2), Wave 3 represents the full transformation toward agent-based AI in the enterprise. With the Frontier Suite, Microsoft addresses the most pressing questions that CIOs, CISOs, and security decision-makers are raising with growing urgency: How can AI agents be controlled? How do you prevent them from becoming security vulnerabilities or, in the worst case, acting as rogue agents?

According to Gartner, Microsoft is the company to beat in the enterprise-wide AI race. Its deep integration into enterprise applications and infrastructure allows Microsoft to embed AI into backend and frontend systems more easily than any competitor. At the same time, competition is intensifying from Google Workspace, ChatGPT Enterprise, and Claude Enterprise.

Microsoft 365 E7: The 99 dollar bundle as negotiation lever or real value?

From May 1, 2026, Microsoft 365 E7 (ME7) will be available at a list price of 99 US dollars per user per month. The package combines ME5 (60 US dollars pupm), Microsoft 365 Copilot (30 US dollars pupm), Agent 365 (15 US dollars pupm), and the Entra Suite (9 US dollars pupm as an add-on to ME5). Compared to ME5, whose price will stand at 60 US dollars pupm from July 1, 2026, ME7 represents a surcharge of 39 US dollars or 65 percent.

Bundle savings: ME7 disappoints on closer inspection

A direct comparison reveals a striking discrepancy: while ME3 and ME5 offer savings of 14.5 and 16.4 percent respectively against buying components individually, the bundle savings for ME7 amount to just 13.2 percent, despite the package being more expensive. The individual components would sum to 114 US dollars; ME7 therefore saves a mere 15 US dollars. Customers who pay more receive proportionally less of a discount, an anomaly that Gartner explicitly criticizes.

Gartner: ME7 as a strategic negotiation lever

Gartner expects that by 2028, around 50 percent of acquired ME7 licenses will be used primarily to strengthen negotiating positions at contract renewals, rather than to fully exploit all included features.

Gartner analysts Michael Silver, Zach Nagle, Stephen White, and Max Goss recommend incorporating a limited number of ME7 licenses strategically into contract renewals to build negotiating leverage through potential usage, thereby achieving substantial discounts on the overall portfolio. At the same time, the experts warn against hasty full rollouts. The real value of ME7 depends significantly on the maturity of Agent 365. Additionally, contracts should not include non-reduction clauses that would prevent customers from benefiting from potential price adjustments if ME7 and Agent 365 fail to achieve expected market acceptance.

Important note for ME3/ME5 FSA licensees: To retain valuable FSA pricing rights when upgrading to ME7, customers must first acquire ME5 FSA plus an ME7 tier upgrade. Microsoft has not announced any ME7 “from SA” SKUs.

Agent 365: The control center for AI agents, promising but not yet mature

Agent 365 is the centerpiece of the Frontier Suite and the foundation upon which the value of ME7 ultimately rests. Generally available from May 1, 2026, Microsoft positions the platform as a unified control plane for all AI agents within the enterprise environment. Without such a control plane, IT, security, and business teams lack visibility into which agents exist, how they behave, who has access, and what security risks exist across the organization, according to Microsoft’s official announcement.

Real-world example: Avanade deploys Agent 365 in production

“Now that we are running Agent 365 in production, Avanade has comprehensive visibility into agent activity, the ability to control agent sprawl, manage resource usage, and manage agents as identity-based digital entities in Microsoft Entra. This significantly reduces operational and security risks and represents a decisive step toward scaling the agent lifecycle,” said Aaron Reich, Chief Technology and Information Officer at Avanade.

The Avanade example demonstrates that the benefits of Agent 365 are real, particularly for organizations with an already growing agent landscape. However, this represents an early-adopter scenario that is not yet representative of the day-to-day enterprise reality for most organizations.

The 4 governance pillars of Agent 365

1. Observability for every role Agent 365 provides IT, security, and business teams with role-specific insights into all managed agents. The agent inventory in the Microsoft 365 Admin Center displays all agents, whether from Microsoft AI platforms, ecosystem partners, or registered via API. Security teams receive the same overview directly within their existing Microsoft Defender and Purview workflows. Detailed reports on performance, usage metrics, and activity details round out the observability capabilities.

2. Access protection through Entra integration Each agent receives a unique Agent ID via Microsoft Entra, an identity tailored to the specific needs of agents. Conditional Access for agents makes real-time access decisions based on risk, device compliance (Microsoft Intune), and custom security attributes. Identity Governance allows restriction of agent access to defined resource packages, well below the permissions of the delegating user. Gartner considers this identity-first approach a solid foundation for future scalability.

3. Data security through Microsoft Purview (7 functional areas) This is where Agent 365 has the greatest functional depth. Microsoft Purview delivers seven dedicated functional areas for data security and compliance: Data Security Posture Management (DSPM) for proactive risk detection; Information Protection, where agents respect Sensitivity Labels just like human users; Inline Data Loss Prevention (DLP) for Copilot Studio agents that prevents processing of sensitive data such as PII or credit card numbers at runtime; Insider Risk Management that blocks risky agent data interactions; Data Lifecycle Management for retention and deletion policies on prompts and agent-generated data; Audit and eDiscovery that treats AI agents as auditable entities alongside users and applications; and Communication Compliance that detects risky AI communications and enables human oversight.

4. Cyber protection through Microsoft Defender (3 functional areas) Agent 365 integrates specific Defender protection functions against AI-typical threats such as prompt manipulation, model manipulation, and agent-based attack chains: Security Posture Management for Foundry and Copilot Studio agents that detects misconfigurations and vulnerabilities (public preview); Detection, Investigation and Response that enables investigation and remediation of attacks on agents (preview); and Runtime Threat Protection via the Agent 365 Tools Gateway that detects and blocks harmful agent activity at runtime. This new function enters public preview in April 2026.

Governance demand: 86 percent call for more control

The demand is real and urgent: according to a Gartner survey among IT managers responsible for Microsoft 365 Copilot, 70 percent are concerned about uncontrolled agent sprawl, and 86 percent call for additional governance controls, which now arrive with Agent 365 but not for free. Gartner criticizes Microsoft for not integrating these governance features into the M365 Copilot license, calling it a missed opportunity to strengthen its market position.

Gartner’s assessment: Not yet ready for widespread rollout

Despite the solid architectural foundation, Gartner identifies significant gaps: limited automation (risk alerts require manual response), gaps in agent coverage (retroactive Agent ID assignment for older agents is not possible), and dependency on the base SKUs (E3 users do not gain E5 features through Agent 365). Gartner recommends using freely available features (agent inventory, Purview DSPM Dashboard) and evaluating third-party alternatives such as AvePoint, Rencore, or Zenity (G00851155).

Copilot Cowork: Microsoft’s answer to Claude, with clear limitations

With Copilot Cowork (Frontier), Microsoft presents its response to Anthropic’s Claude Cowork, a multitasking-capable AI agent that evolves Copilot from a conversational assistant to an autonomous executor. Available as a Frontier feature in March 2026, Copilot Cowork requires a Microsoft 365 Copilot license and participation in the Frontier program. The architecture is based on a multitask orchestrator that coordinates Anthropic Claude models for email management, document creation, and calendar coordination, with continuous Microsoft Purview controls throughout.

Strengths: Flexible, secure, deeply integrated into M365

Copilot Cowork enables the semi-autonomous planning of multi-step tasks: organizing the inbox, automating meeting preparation, and conducting parallel research. Notably, users can adjust instructions even while tasks are running without needing to restart the process. Work IQ with Skills functionality, meaning specialized instructions and guardrails per SharePoint site, reduces reliance on prompt engineering expertise and improves the predictability of outputs.

Weaknesses: No local computer access, no EU availability

Copilot Cowork launches with significant limitations compared to Claude Cowork: no local computer access, no direct interaction with local files or applications, and no native third-party integrations. Additionally, integration with Agent 365 is absent. The agent has no dedicated Entra Agent ID and operates under the user’s identity, which creates audit limitations.

Particularly critical for European organizations: Copilot Cowork is based on Anthropic Claude models that do not fall under Microsoft’s EU Data Boundary commitments. For EU, EFTA, and UK tenants, they are disabled by default; Government tenants are excluded entirely. There is not even an opt-in toggle for these tenants. This creates a two-tier Copilot experience: European enterprises are locked out of the core autonomous features.

IT Security in the era of the AI workforce

The Frontier Suite does not only unlock new capabilities; it substantially expands the attack surface. When AI agents autonomously access enterprise systems, process sensitive data and execute privileged operations, an entirely new category of security risk emerges that fundamentally challenges traditional perimeter-based protection models. Gartner forecasts that by 2028 roughly 33 percent of all enterprise applications will incorporate agentic AI, up from less than one percent in 2024. At the same time, non-human identities already outnumber human users by a factor of 17.

Identity as the new security perimeter

With the rise of autonomous AI agents, the security focus inevitably shifts from network boundaries to identity. Every interaction between an AI agent, a user and an enterprise system must be trustworthy, authenticated and auditable. The Entra integration provided by Agent 365, in particular the assignment of unique Agent IDs and real-time Conditional Access, provides a necessary but still insufficient foundation for this shift.

Security vendors such as RSA Security are responding to this paradigm shift with solutions specifically designed for the AI era: phishing-resistant, passwordless authentication for human users; context-aware risk intelligence; and secured access to enterprise systems even when AI agents act autonomously. The principle is clear: trust must never be assumed but continuously verified (“Zero Trust”), regardless of whether a human or a machine is accessing resources.

Concrete risks of the Frontier Suite for CISOs

Three risk dimensions deserve particular attention. First, agent sprawl: uncontrolled proliferation of AI agents without clear identity, defined access rights or audit trail. Second, the compromise of non-human identities: attackers who hijack an Agent ID can cause damage autonomously and at scale, without any human involvement. Third, prompt injection attacks, in which malicious inputs manipulate an agent into performing unintended or dangerous actions. Agent 365 addresses these threats through its Defender integration, which will offer Runtime Threat Protection for agents from April 2026. However, these capabilities remain in preview and should be assessed with caution for production-critical environments.

Copilot Cowork introduces an additional security-critical characteristic: since the agent operates under user identity and has no dedicated Entra Agent ID, audit capabilities are limited. CISOs must verify whether existing DLP and compliance policies also apply to autonomous agent actions performed under user identity, a gap that Gartner explicitly flags as a limitation.

Recommendations for IT decision-makers

Immediate actions (Q2 2026)

Use ME7 as a negotiation lever: incorporate a limited number of ME7 licenses strategically into contract renewals, even without full feature adoption, to achieve substantial discounts across the overall portfolio.

Test Agent 365 for free: the agent inventory in the M365 Admin Center and the AI Observability Dashboard in Microsoft Purview DSPM are available without an Agent 365 license. Activate these free entry points immediately.

Run a Copilot Cowork pilot: activate the Frontier program for a small group of trained users and involve compliance and data protection teams. EU tenants must first clarify data privacy review and sub-processor status.

Medium-term strategy (2026 to 2027)

Evaluate Agent Governance alternatives: compare AvePoint, Rencore, and Zenity with Agent 365. Review the Microsoft Graph API for the agent registry, as no Agent 365 license is required.

Analyze 10-year total cost of ownership: before a full rollout to ME7, a long-term cost perspective is essential, particularly given the growing lock-in risk and the possibility of further price increases.

Ensure Purview and Defender foundations are in place: Agent 365 is only as good as the underlying SKUs. E3 customers should evaluate whether E5 is necessary for full governance capabilities before licensing Agent 365.

Frequently asked questions