Microsoft’s Build 2026 announcement — Frontier models and production agents advancing Microsoft Foundry for the agentic era — reframes Foundry from a model catalog into a place you run production agents. The headline that makes it real: hosted agents in Foundry Agent Service are now generally available, and the catalog spans both OpenAI and Anthropic frontier models (1,900+ on Microsoft Learn — not the “11,000” some coverage repeats). So it’s GA — but GA of what, exactly, and what should an enterprise architect actually do with it? This is the take, not a feature recap: the pro, the con, and where I’d draw the line.
What’s genuinely better — and it’s the governance, not the models#
The advance that matters is that agent identity is finally first-class. Entra Agent ID gives each agent a real identity instead of a shared service principal, with blueprints (apply Conditional Access and permissions once, inherit them across every instance), a mandatory human sponsor accountable for the agent’s lifecycle and access reviews, per-agent RBAC that scopes down to a single agent, and on-behalf-of so an agent can act inside the requesting user’s own access. If you have watched non-human identities sprawl into ungoverned secrets, this is the first credible answer — you govern agents with the same primitives you already use for people.
The Agent Control Specification (ACS) is the other piece worth adopting. It’s MIT-licensed, framework-agnostic, and enforces deterministic, fail-closed policy at defined checkpoints across an agent’s lifecycle, with adapters spanning LangChain, AutoGen, Semantic Kernel, the OpenAI and Claude SDKs, and more. Policies are portable YAML — you can enforce the same contract whether or not the agent runs on Foundry. That is the opposite of lock-in, and it pairs with ASSERT, which turns written policy into executable evals. The runtime is credible too: per-session VM-isolated sandboxes, framework-agnostic authoring, immutable agent versions with canary rollout, OpenTelemetry tracing wired in by default, and it scales to zero when idle — a real cost win over an always-on AKS cluster for bursty workloads.
So does it help you govern agents? At the identity and policy layer, genuinely yes — and those are the parts you can adopt without betting the stack on one runtime.
The proven cons — where an architect earns their keep#
- No SLA, even at GA. Microsoft states plainly that Agent Service has no availability or state-durability SLA, and there is no automatic failover or disaster recovery. Multi-region resilience is your architecture to build.
- The tooling you’d actually govern with is still preview. Rubric evaluator, Guided Guardrail Setup, Memory, the Foundry IQ portal, Conditional Access for agents, and ACS itself are public preview — no SLA, “not recommended for production.” Agent Optimizer and Agent ROI are only now reaching preview. The runtime shipped GA; the machinery to prove and audit it lags a release behind.
- Conditional Access for agent identities is block-only. Agent identities get allow/deny, not the MFA, device-compliance, and session controls humans get. Your adaptive-access story for autonomous agents is thinner than the marketing implies.
- Governance stops at the Microsoft boundary. Entra Agent ID governs agents inside Microsoft environments; real estates span AWS, GCP, Bedrock, GitHub, and Slack. Entro’s Itzik Alvas warns this risks recreating the “vault sprawl” the secrets-management world already lived through.
- Stack sprawl. Forbes analyst Janakiram MSV reports that Microsoft’s own IT needed three platforms to build a single internal agent, across too many overlapping entry points (Agent Framework, Copilot Studio, Agent Service, the M365 Agents SDK, Azure OpenAI, Agent 365).
- Vendor claims are unverified. Every performance figure is Microsoft’s own: the procedural-memory gain is ~5% on its own benchmarks, and the “10x cheaper than GPT-5.5” Frontier Tuning line rests on a single internal example. No independent benchmarking exists yet.
- Watch the bill’s edges. Enabling network isolation silently provisions a billed Azure Firewall; PTU savings only hold at steady token volume; and the ecosystem is five weeks old, so there are no long-haul production post-mortems to lean on — the GA cutover already deprecated the preview
azure-ai-agentsSDK out from under early adopters.
Bottom line#
Adopt Entra Agent ID and ACS now — they are the durable, portable parts, and they genuinely move agent governance forward. Wire up the hosted runtime for non-critical workloads to build muscle. But don’t put an SLA-bound agent on this yet, design your own HA/DR, and treat every benchmark as vendor-reported until someone independent runs it. This is the right direction with the governance layer still assembling — which is exactly the moment to design against it, not to bet production on it.

