Agents provisioned through Entra Agent ID get governed email out of the box. Domain-verified sender identity, oversight gating, and full audit trails — designed for the same Conditional Access world.
Microsoft announced Entra Agent ID at RSAC 2026 as the identity foundation for Microsoft Agent 365. Each agent gets a unique identity, lifecycle-managed under the same governance primitives that already cover human users, devices, and apps. Microsoft cited that 97% of organizations experienced an identity incident in the past year and 70% were tied to AI activity — framing agent identity as the new control plane.
MultiMail is the email-side counterpart to that control plane. Where Entra Agent ID identifies the agent inside your tenant, MultiMail attaches that identity to every outbound message via the X-MultiMail-Identity header — an ECDSA P-256 signed claim verifiable against a domain-anchored public key. The result is end-to-end agent-action attribution: from the moment Foundry provisions the agent through every email it sends.
MultiMail speaks MCP natively, the same protocol Foundry and Copilot Studio already support. Drop the MCP endpoint into your agent config and you get 41 governed email tools without writing a single line of connector code.
Every outbound email carries an ECDSA-signed identity header tied to the operator domain. Recipients verify the agent cryptographically — no tenant access required. This is the email-domain analog of what Entra Agent ID provides inside the tenant.
Five oversight modes (read_only, gated_all, gated_send, monitored, autonomous) align with the graduated controls Agent 365 Security Policy Templates expect. Approvals route through the same identity-based flows as your existing Conditional Access policies.
MultiMail publishes a remote MCP server at mcp.multimail.dev. Foundry and Copilot Studio agents register it once and pick up 41 governed email tools — send, reply, inbox, contacts, attachments, oversight controls, audit log access.
Every send, approval, and oversight change is logged with the agent's signed identity. Pull audit logs via API to feed your Microsoft Sentinel, Purview, or third-party SIEM — agent email actions become first-class compliance evidence.
{
"swagger": "2.0",
"info": { "title": "MultiMail", "version": "1.0" },
"host": "api.multimail.dev",
"basePath": "/v1",
"schemes": ["https"],
"securityDefinitions": {
"bearer": { "type": "apiKey", "in": "header", "name": "Authorization" }
},
"paths": {
"/send": {
"post": {
"summary": "Send an email (gated by mailbox oversight mode)",
"parameters": [{
"in": "body", "name": "message", "required": true,
"schema": { "$ref": "#/definitions/SendRequest" }
}],
"responses": { "200": { "description": "OK" } }
}
}
}
}Import this OpenAPI definition as a Copilot Studio custom connector and authenticate with your MultiMail API key.
from azure.ai.foundry import AgentClient
from azure.identity import DefaultAzureCredential
"cm"># Foundry agent with MultiMail registered as an MCP tool server
agent = AgentClient(credential=DefaultAzureCredential()).create_agent(
name="customer-comms-agent",
instructions="You handle customer email. Use MultiMail for every outbound message. "
"The mailbox runs in gated_send mode — emails are queued for approval.",
mcp_servers=[{
"name": "multimail",
"url": "https://mcp.multimail.dev/mcp",
"auth": {"type": "oauth2.1"}
}]
)
result = agent.run("Reply to the latest support thread and apologize for the delay.")
print(result.output)Foundry handles the OAuth handshake; MultiMail returns the 41 tools to the agent's tool catalog.
import { importJWK, jwtVerify } from "jose";
"cm"># Pull the domain-anchored public key (cache for 24h)
const jwk = await fetch("https://multimail.dev/.well-known/multimail-signing-key")
.then(r => r.json());
const key = await importJWK(jwk, "ES256");
"cm"># Verify the X-MultiMail-Identity header from an inbound email
const { payload } = await jwtVerify(emailHeaders["x-multimail-identity"], key);
console.log("agent operator:", payload.operator);
console.log("oversight mode:", payload.oversight_mode);
console.log("entra agent id:", payload.agent_ref); "cm"># cross-reference back to your tenantRecipients can independently verify the sender's agent identity without any tenant access. The signed claim is the bridge between Entra Agent ID and the public internet.
Create the agent identity through Microsoft Foundry, Copilot Studio, or your preferred Agent 365 surface. Note the agent's object ID — you'll cross-reference it in the MultiMail signed identity claim.
Sign up at multimail.dev, verify your sending domain (the same one Microsoft uses for tenant DNS), and create a mailbox. Set the initial oversight mode to gated_send so every outbound email requires approval.
In Foundry or Copilot Studio, add MultiMail as an MCP tool server pointing to https://mcp.multimail.dev/mcp. Complete the OAuth 2.1 handshake. The agent now has access to 41 email tools.
Route MultiMail approval requests to the same identity-based approval flows your Entra ID Governance access packages already use. Approvers see who the agent is, what email it wants to send, and the full content before clicking approve.
Once the agent has demonstrated correct behavior in gated_send, flip the oversight mode to monitored (sends without approval, but human can audit) or autonomous. The signed identity header continues to attach to every message.
Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a 38-tool MCP server. Formally verified in Lean 4.