336-886-3282[email protected]
Preferred Data Logo
Schedule

Microsoft Agent 365 & Copilot Wave 3: Small Business Guide NC 2026

Microsoft launched Agent 365 and M365 E7 on May 1, 2026. What NC small businesses must know about AI agents, governance, and cost. Call (336) 886-3282.

Cover Image for Microsoft Agent 365 & Copilot Wave 3: Small Business Guide NC 2026

TL;DR: On May 1, 2026, Microsoft launched Agent 365 and the new Microsoft 365 E7 plan, plus Copilot Wave 3 in-app agent building. Agent 365 is available at $15 per user per month as an add-on or bundled into M365 E7 at $99 per user per month. Combined with the July 1, 2026 Microsoft 365 pricing update affecting Business Basic, Business Standard, Office 365 E3, and M365 E3/E5/F1/F3, North Carolina small businesses face both a new productivity opportunity and a new line of governance work.

Critical takeaway: AI agents are no longer a science project. They are a licensed identity inside your Microsoft 365 tenant with the ability to read mail, edit documents, take actions, and call APIs. Every NC small business needs an answer to "which agents, doing what, for whom, and with what oversight?" before broad rollout.

Want a Copilot and Agent 365 readiness review? Contact Preferred Data Corporation at (336) 886-3282. Serving High Point, Greensboro, Charlotte, Raleigh, Winston-Salem, and the Piedmont Triad since 1987.

What launched on May 1, 2026?

According to Microsoft's official December 2025 announcement and the M365 Packaging and Pricing Updates page, three distinct things became available on May 1, 2026:

  1. Microsoft 365 E7. A new Enterprise plan bundling M365 E5, Microsoft Entra Suite, Microsoft 365 Copilot, and Agent 365, at $99 per user per month
  2. Agent 365. A standalone add-on at $15 per user per month providing AI agent capabilities, observability, and governance
  3. Microsoft 365 Copilot Wave 3. Introduces the ability to create and modify artifacts directly within Copilot, plus in-app agent building inside Word, Excel, PowerPoint, and Outlook

A separate price update takes effect July 1, 2026 for Business Basic, Business Standard, Office 365 E3, Microsoft 365 E3, M365 E5, and Microsoft 365 F1/F3. Notably, Microsoft 365 Business Premium pricing is not changing in this update.

What is Agent 365 and how is it different from Copilot?

Microsoft 365 Copilot is an AI assistant that runs alongside a user inside Office apps, summarizing mail, drafting documents, analyzing spreadsheets, and chatting against tenant data. Copilot is human-in-the-loop by design.

Agent 365 is the layer for non-human agents that operate semi-autonomously inside your Microsoft 365 tenant. Per the Microsoft announcement, Agent 365 provides:

  • Agent identity. Each agent gets a managed identity inside Microsoft Entra ID, separate from human users
  • Access and policy governance. Conditional access, scope controls, and lifecycle policies applied to agents
  • Observability and audit. Telemetry on what agents are doing, against which data, for which users
  • Agent Store and tooling. A catalog of agents and the in-app builders introduced with Copilot Wave 3

In practice, Copilot helps a person draft an email. An agent might autonomously read a shared mailbox, classify inquiries, draft replies, and post tasks into Planner for human review. The governance question is no longer "is the user authorized?" but "is the agent authorized, observed, and revocable?"

How do M365 E7, M365 E5, and Business Premium compare for a 25 to 250 person business?

FeatureBusiness PremiumM365 E5M365 E7 (May 1, 2026)
Office apps + Exchange + SharePoint + TeamsYesYesYes
Defender for Business / Office 365Defender for BusinessDefender for O365 P2Defender for O365 P2
Intune device managementYesYesYes
Entra ID / Azure ADEntra ID Premium P1Entra ID Premium P2Entra Suite included
Microsoft Purview complianceLimitedFullFull
Microsoft 365 CopilotAdd-on ($30/user/mo)Add-on ($30/user/mo)Included
Agent 365Add-on ($15/user/mo)Add-on ($15/user/mo)Included
List price (per user / month, USD)$22$57$99

Pricing reflects current Microsoft public list pricing for direct comparison; consult your licensing reseller for actual eligibility, channel pricing, and any contractual minimums.

For most NC SMBs in the 25 to 100 user range, Business Premium plus selective Copilot add-ons remains the most defensible starting point. Companies that have already committed to E5 or that need the full Entra Suite (privileged identity, identity protection, conditional-access workload-identity controls) have a clearer path to E7. We covered this baseline in our Microsoft 365 Copilot small business rollout guide.

What is Copilot Wave 3 and why does in-app agent building matter?

Copilot Wave 3 extends two capabilities that change small-business AI usage:

  1. Create and modify artifacts directly inside Copilot. Documents, decks, and spreadsheets generated end-to-end in chat, then refined in place
  2. In-app agent building. A business user can create a simple agent inside Word, Excel, PowerPoint, or Outlook (for example, an Outlook agent that triages inbound RFQs against a price list in Excel and drafts standard quote replies)

The implications for a NC manufacturer or construction firm are real. An estimating team could build an Outlook agent that reads new RFQs, extracts line items, looks up unit pricing from a shared workbook, and drafts a quote within minutes. The productivity upside is significant. The governance question is also significant: who owns that agent, what data does it access, how is it tested, and who sees its decisions?

What new risk and governance work does Agent 365 introduce?

Every new agent in your tenant is a new actor with credentials, data access, and the ability to take actions. The risk profile expands across five dimensions:

  1. Identity sprawl. A 50-person business that grants every user the ability to build an agent could quickly run 100+ agent identities, each with its own scope and trust relationships
  2. Data exposure. Agents inherit access from their creator or assigned permissions. An agent built by a finance analyst might inadvertently expose payroll context to non-finance users when summoned
  3. Action accountability. Agents that send mail, post to channels, or call external APIs need clear logs and revocation paths if outputs go wrong
  4. Prompt injection. Agents that consume third-party content (email, documents, web pages) can be manipulated via injected instructions, an emerging class of attack we covered in AI agent security risks for small business
  5. License and cost drift. Agent activity can drive consumption-based metering, hidden cost lines, and license-true-up surprises if not actively managed

The NIST AI Risk Management Framework is the closest widely adopted baseline for governing AI agents, and Microsoft's Agent 365 controls map cleanly to those principles.

What is the right small business adoption playbook for May 2026?

A practical, low-risk rollout for a 25 to 250 person NC business looks like:

Phase 1 (next 30 days): Foundations

  1. Inventory current Copilot usage and pilots. Identify users, use cases, and any side-installed AI tools
  2. Establish baseline governance. Designate an "AI owner" (often the IT lead or controller), an acceptable-use policy, and an approval path for new agents
  3. Confirm data classification. Know which SharePoint sites, OneDrive folders, and Teams channels hold sensitive data (HR, finance, IP, CUI for defense contractors)
  4. Lock down sensitive content. Apply Microsoft Purview sensitivity labels and Restricted SharePoint Search before broad Copilot rollout

Phase 2 (next 60 days): Targeted Pilot

  1. Pick 2 to 3 high-value use cases. Estimating, customer service triage, finance close support, RFP response are common SMB winners
  2. Build agents with named owners. Each agent has a creator, an approver, an audit log, and a revocation path
  3. Apply conditional access to agent identities. Restrict where and when agents can run; tie privileged agent actions to PIM/JIT elevation
  4. Measure outcomes. Time saved, errors avoided, exceptions raised; document for ROI

Phase 3 (next 90+ days): Scale with Discipline

  1. Move pilots to production with documented runbooks. Versioned prompts, test cases, change management
  2. Audit agent activity quarterly. Identify zombie agents, scope creep, and excess permissions
  3. Train users on prompt injection awareness. Especially for agents that ingest external email or documents
  4. Re-evaluate licensing. Once Copilot and Agent 365 usage stabilizes, run a license-fit review against E3 / E5 / E7 / Business Premium options

How do CMMC and other compliance frameworks treat AI agents?

For NC defense subcontractors operating under CMMC 2.0 and DFARS 252.204-7012, an AI agent that touches Controlled Unclassified Information (CUI) is in scope of the same access, audit, and protection controls as a human user. Practical implications:

  • GCC High or commercial cloud decision. Confirm with your prime contractor and DCMA assessor whether commercial Copilot is acceptable for your CUI scope or whether GCC High Copilot is required
  • Agent identity must be auditable. NIST SP 800-171 controls around audit, access control, and accountability apply to non-human identities
  • Incident reporting. A misuse or compromise of an agent handling CUI is a reportable cyber incident under DFARS 7012's 72-hour clock

Healthcare practices subject to HIPAA, financial firms subject to GLBA, and any business with PCI DSS scope face equivalent obligations adapted to the agent identity context.

Need a Copilot and Agent 365 governance review? Take our cybersecurity assessment or call (336) 886-3282.

How does Preferred Data help NC SMBs adopt Copilot and Agent 365 safely?

Preferred Data Corporation has been delivering Microsoft solutions to North Carolina small and mid-sized businesses since 1987. Our AI transformation services include Microsoft 365 readiness reviews, Purview sensitivity labeling, agent governance design, and tailored Copilot and Agent 365 pilot programs.

For manufacturers and construction firms across High Point, Greensboro, Charlotte, Raleigh, and Winston-Salem, we pair AI rollout with practical use cases (estimating support, quality control, document processing, customer-service triage) and align the deployment with CMMC, HIPAA, or PCI obligations as applicable. With BBB A+ accreditation and an average client tenure of 20+ years, we help owners get past the hype and into measurable productivity, without inviting new identity, data, and licensing risk.

Ready to adopt Copilot and Agent 365 the right way? Contact Preferred Data at (336) 886-3282 or visit our contact page to schedule a Microsoft 365 readiness review.

Frequently Asked Questions

What is Microsoft 365 E7?

Microsoft 365 E7 is a new Enterprise plan announced for May 1, 2026 availability, bundling M365 E5, the Microsoft Entra Suite, Microsoft 365 Copilot, and Agent 365 at $99 per user per month. It is positioned for organizations that have committed to Copilot and agent-driven workflows and want a single SKU rather than stacked add-ons.

What is Agent 365?

Agent 365 is Microsoft's managed identity, governance, and observability layer for AI agents inside Microsoft 365. It provides agent identities in Microsoft Entra ID, conditional access policies for agents, audit telemetry, an Agent Store, and integration with the in-app agent builders introduced in Copilot Wave 3. It is available as a $15 per user per month add-on or bundled in M365 E7.

Should our small business move from Business Premium to E5 or E7?

For most 25 to 100 user NC SMBs, Business Premium remains the most defensible foundation. Add Copilot and Agent 365 as targeted add-ons where the use case is proven. Move to E5 or E7 only when you can justify Entra Suite, full Purview, and broad Copilot/Agent 365 adoption across the business.

What is changing in Microsoft 365 pricing on July 1, 2026?

Microsoft is updating commercial pricing for Microsoft 365 suite subscriptions effective July 1, 2026, including Business Basic, Business Standard, Office 365 E3, Microsoft 365 E3, E5, and F1/F3. Business Premium pricing is not changing in this update. Confirm specific impacts with your licensing partner.

Are AI agents a security risk?

Yes, if ungoverned. Agents introduce new identities, new data access paths, new action capabilities, and new attack surfaces (notably prompt injection). The risks are manageable with the same controls that apply to human identity (conditional access, least privilege, audit, revocation) plus AI-specific controls like prompt-injection awareness and content provenance.

Does Copilot or Agent 365 satisfy CMMC requirements for CUI?

It depends on tenant configuration and your contractual CUI obligations. Many CMMC-scoped contractors deploy Microsoft 365 GCC High and apply Copilot for GCC High where available. Validate with your prime contractor and CMMC assessor before processing CUI through any Copilot or Agent 365 capability.

Does Preferred Data offer Copilot and Agent 365 rollout support?

Yes. We deliver Microsoft 365 readiness reviews, Purview sensitivity labeling, agent governance design, pilot use-case selection, and adoption training. Call (336) 886-3282 to schedule a Microsoft 365 and AI readiness review.

Support