Microsoft has updated the Microsoft Defender XDR advanced hunting schema for AI agent inventory.

The old preview table, AIAgentsInfo, is transitioning to AgentsInfo. Microsoft says AIAgentsInfo remains accessible until July 1, 2026, and Microsoft Agent 365 customers should use AgentsInfo today.

This is still marked as preview, so I would treat it as an operational signal, not as the only source of truth for AI governance.

Why admins should care

This is a small schema change with a real operational impact.

If you already built Defender XDR advanced hunting queries, saved hunting queries, workbooks, Sentinel content, or export jobs around AIAgentsInfo, those queries need to be reviewed before the July deadline.

The more interesting part is the data model. AgentsInfo is not just a name change. The table gives admins a place to inspect AI agent metadata such as:

• agent name and platform
• Microsoft Entra agent identity references
• permissions and consent state
• deployment scope
• owners and sharing
• declared data sources and tools
• MCP servers and external endpoint information
• guardrails, triggers, skills, and connected agents

For Microsoft 365 admins, that makes this a useful starting point for AI agent inventory and risk review. It does not replace policy design, ownership review, or data access governance, but it gives a practical hunting surface.

What I would check first

I would start by finding anything that still references the old table name.

In Microsoft Defender portal > Hunting > Advanced hunting, check saved queries and custom detection logic for AIAgentsInfo.

A minimal validation query for the new table is:

AgentsInfo
| take 10

Then I would run a small inventory view:

AgentsInfo
| project Timestamp, AgentName, Platform, LifecycleStatus, PublishedStatus, DeploymentScope, Owners
| order by Timestamp desc

For governance review, I would also look at permissions and external connectivity signals:

AgentsInfo
| project AgentName, Platform, Permissions, DeclaredDataSources, DeclaredTools, McpServers, Endpoints
| order by AgentName asc

The exact value is tenant-dependent. In some environments the first useful outcome may simply be confirming that the table is present and whether any agent inventory is visible yet.

Practical rollout / validation steps

My preferred rollout would be simple:

1. Search saved hunting queries, Sentinel content, and documentation for AIAgentsInfo.
2. Copy one query and replace the table with AgentsInfo.
3. Validate that the referenced columns still exist in the Microsoft Learn table schema.
4. Keep the old query only as a temporary fallback during the transition.
5. Update any dashboard or export labels so the owner knows the data comes from the preview AgentsInfo table.
6. Add a reminder before July 1, 2026 to remove the old table reference.

This is also a good moment to decide who owns agent review. AI agent inventory crosses normal boundaries between security, identity, productivity, and data governance.

Watch-outs

A few things I would not overclaim:

• AgentsInfo is marked as preview.
• Inventory visibility is not the same as runtime control.
• A clean query result does not prove that every AI-related risk is governed.
• Permissions and data source fields should be reviewed together with Entra ID, Microsoft 365 admin center, and Purview controls where relevant.

The practical win is reducing blind spots. If AI agents are becoming part of the Microsoft 365 estate, hunting queries and reporting should not break because of an old preview table name.

Official Microsoft sources

• What’s new in Microsoft Defender XDR
• AgentsInfo table in advanced hunting