Agents provisioned through Entra Agent ID get governed email out of the box. Domain-verified sender identity, oversight gating, and full audit trails — designed for the same Conditional Access world.
Microsoft announced Entra Agent ID at RSAC 2026 as the identity foundation for Microsoft Agent 365. Each agent gets a unique identity, lifecycle-managed under the same governance primitives that already cover human users, devices, and apps. Microsoft cited that 97% of organizations experienced an identity incident in the past year and 70% were tied to AI activity — framing agent identity as the new control plane.
MultiMail is the email-side counterpart to that control plane. Where Entra Agent ID identifies the agent inside your tenant, MultiMail attaches that identity to every outbound message via the X-MultiMail-Identity header — an ECDSA P-256 signed claim verifiable against a domain-anchored public key. The result is end-to-end agent-action attribution: from the moment Foundry provisions the agent through every email it sends.
MultiMail speaks MCP natively, the same protocol Foundry and Copilot Studio already support. Drop the MCP endpoint into your agent config and you get 41 governed email tools without writing a single line of connector code.
Every outbound email carries an ECDSA-signed identity header tied to the operator domain. Recipients verify the agent cryptographically — no tenant access required. This is the email-domain analog of what Entra Agent ID provides inside the tenant.
Five oversight modes (read_only, gated_all, gated_send, monitored, autonomous) align with the graduated controls Agent 365 Security Policy Templates expect. Approvals route through the same identity-based flows as your existing Conditional Access policies.
MultiMail publishes a remote MCP server at mcp.multimail.dev. Foundry and Copilot Studio agents register it once and pick up 41 governed email tools — send, reply, inbox, contacts, attachments, oversight controls, audit log access.
Every send, approval, and oversight change is logged with the agent's signed identity. Pull audit logs via API to feed your Microsoft Sentinel, Purview, or third-party SIEM — agent email actions become first-class compliance evidence.
Copilot Studio custom connector calling MultiMail REST — Import this OpenAPI definition as a Copilot Studio custom connector and authenticate with your MultiMail API key.
Foundry agent calling the MultiMail MCP server — Foundry handles the OAuth handshake; MultiMail returns the 51 tools to the agent's tool catalog.
Verify the agent's signed identity downstream — Recipients can independently verify the sender's agent identity without any tenant access. The signed claim is the bridge between Entra Agent ID and the public internet.
Create the agent identity through Microsoft Foundry, Copilot Studio, or your preferred Agent 365 surface. Note the agent's object ID — you'll cross-reference it in the MultiMail signed identity claim.
Sign up at multimail.dev, verify your sending domain (the same one Microsoft uses for tenant DNS), and create a mailbox. Set the initial oversight mode to gated_send so every outbound email requires approval.
In Foundry or Copilot Studio, add MultiMail as an MCP tool server pointing to https://mcp.multimail.dev/mcp. Complete the OAuth 2.1 handshake. The agent now has access to 51 email tools.
Route MultiMail approval requests to the same identity-based approval flows your Entra ID Governance access packages already use. Approvers see who the agent is, what email it wants to send, and the full content before clicking approve.
Once the agent has demonstrated correct behavior in gated_send, flip the oversight mode to monitored (sends without approval, but human can audit) or autonomous. The signed identity header continues to attach to every message.
Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a 51-tool MCP server. Formally verified in Lean 4.