Microsoft just re-launched Hosted Agents in Foundry Agent Service, and the timing matters. On April 22, 2026, Microsoft replaced its Ignite-era preview with a ground-up rebuild featuring per-session hypervisor isolation, a dedicated Microsoft Entra agent identity for every hosted agent, and true scale-to-zero billing at $0.0994 per vCPU-hour. For enterprise IT teams that have been deferring AI agent production deployments over governance concerns, the governance story just got materially better.
This briefing covers what shipped, what it means for your Azure consulting architecture decisions, and five concrete actions to take in the next two weeks.
What Microsoft Actually Shipped
The headline capabilities of the April 22 refresh, from the official Microsoft Foundry announcement:
- Hypervisor-level per-session isolation. Every logical agent session gets its own VM-isolated sandbox. This is not process isolation or container isolation; it is the same class of boundary that separates Azure VMs from each other.
- Persistent filesystem across scale-to-zero. $HOME and /files content survive idle periods up to 30 days per session. Idle timeout is 15 minutes, after which compute is deprovisioned and state is saved. The next request for the same session ID spins up new compute in seconds with state restored.
- Dedicated Microsoft Entra agent identity per agent. Created automatically at deploy time. Supports On-Behalf-Of (OBO) delegation. RBAC assignments like Azure AI User are handled automatically during deployment.
- True scale-to-zero billing. Pay only while compute is active. $0.0994 per vCPU-hour plus $0.0118 per GiB-hour. Sandbox sizes configurable from 0.25 to 2 vCPU and 0.5 to 4 GiB.
- Multi-protocol support. Responses (OpenAI-compatible), Invocations (flexible custom payloads), Activity (Teams and M365 channels), and A2A (agent-to-agent). All four protocols can be combined in a single agent.
- Immutable versions with traffic splitting. Weighted traffic splits enable blue-green and canary deployments without writing custom routing.
- Framework flexibility. Microsoft Agent Framework v1.0, LangGraph, Semantic Kernel, CrewAI, LlamaIndex, Claude Agent SDK, OpenAI Agents SDK, GitHub Copilot SDK, or plain Python/C# code; the platform is framework-agnostic.
The supporting announcements matter too. Foundry Toolbox entered public preview the same day as a managed, MCP-compatible endpoint bundling Web Search, Code Interpreter, File Search, Azure AI Search, custom MCP servers, OpenAPI tools, and A2A. Foundry Memory provides managed long-term memory at $0.25 per 1,000 events, $0.25 per 1,000 stored memories per month, and $0.50 per 1,000 retrievals.
Enterprise Takeaway: The April 22 refresh closes the three governance gaps that have been blocking enterprise agent deployment: isolation is now at the hypervisor boundary, identity is first-class and automatic, and cost is finally predictable at zero when idle. If your AI architecture strategy has been stuck in POC mode, this is the platform inflection point worth revisiting.
Why Hypervisor Isolation Changes the Threat Model
Microsoft’s framing is deliberate: “every single agent session [gets] its own VM-isolated sandbox” rather than shared process or container isolation. For regulated workloads, the delta from container-only runtimes is significant:
- Container breakouts (runc-class vulnerabilities): mitigated by the VM boundary as defense-in-depth.
- Side-channel and speculative-execution attacks across tenants: the VM boundary is the generally-accepted mitigation.
- Cross-session state leakage: prevented, since each session has its own $HOME and /files.
For financial services teams, the per-session VM boundary combined with Entra Agent ID + per-user OBO makes it substantially easier to build the audit narrative regulators ask for: “This transaction was processed by this agent on this session with this user’s delegated rights, inside a dedicated VM.”
The caveats are important though. Microsoft has not published HIPAA Business Associate Agreement coverage specifically for Hosted Agents during preview. There is no Azure Government region. Only four commercial regions support Hosted Agents today: Australia East, Canada Central, North Central US, and Sweden Central. And the VM boundary does nothing to stop an agent that exfiltrates data via an MCP tool or OpenAPI connection: you still need egress controls, DLP, and content filtering.
Enterprise Takeaway: The hypervisor boundary is a genuine compliance upgrade, but it is the platform boundary. Your agent’s outbound tool calls still need the same AI governance you would apply anywhere else: network egress controls, tool allow-listing, and data-flow auditing.
Entra Agent Identity: The Governance Story
Two identities are involved in every hosted agent deployment:
- Agent Entra identity (per-agent): the runtime identity the container authenticates with. Used for model invocation, tool access, and downstream Azure services.
- Project managed identity (project-wide, system-assigned): used by the platform for infrastructure operations like pulling the container image from Azure Container Registry.
When you deploy with Azure Developer CLI (azd), the Azure AI User role at account scope is assigned to the agent’s Entra identity automatically. For any external resource you own (Cosmos DB, Blob Storage, Key Vault), you assign RBAC manually.
The practical gotchas are worth flagging because they trip up every early adopter:
- Conditional Access still applies to OBO flows. Policies like “All users must use MFA” will reach agent contexts. If a user has a compliant-device-only CA policy, the OBO token will be rejected because the agent cannot satisfy interactive controls. Fix: create agent-specific CA policies with controls agents can actually satisfy (managed identity + named location), and exclude agent identities from user-targeted MFA policies.
- OBO only works for user principals. If your agent is called by another service with an app-only token, OBO is not an option; you need a separate agent-to-agent token acquisition flow.
- Delegated permissions are not implicit. The agent’s Entra identity must be explicitly granted delegated permissions for each downstream resource, with tenant admin consent. Missing this shows up as AADSTS65001 at runtime, often hours into testing.
- RBAC scoping surprises. The platform auto-assigns Azure AI User at account scope. If you need Blob container access for your agent, you still assign that at container scope manually. Confusingly, the platform-assigned role is not visible in the Entra portal unless you drill into the agent identity object directly.
Enterprise Takeaway: Before you pilot Hosted Agents, have your identity team audit existing Conditional Access policies for anything that would block agent OBO flows. Budget 1-2 weeks for your Entra admin team to define agent-specific policies and test them in a pilot tenant. Skip this step and your first production deployment will fail at authentication.
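The RBAC scoping surprise above is easy to catch before the first deploy. The following preflight check is an added example, not code from the briefing or from Microsoft: it parses the JSON that `az role assignment list --assignee <principal-id> --all` prints (the field names principalId, roleDefinitionName and scope are an assumption about that output), applies Azure RBAC's downward scope inheritance, and reports which required (role, scope) pairs the agent's Entra identity is missing. The sample assignments, resource IDs and principal ID are constructed; the "Storage Blob Data Reader" requirement is an assumption for an agent that reads one Blob container.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str
    role_name: str
    scope: str  # full ARM resource ID the role was assigned at


def scope_covers(assigned_scope: str, needed_scope: str) -> bool:
    """Azure RBAC inherits downward: a role assigned at a parent scope applies
    to every child resource, but never sideways or upward."""
    assigned = assigned_scope.rstrip("/").lower()
    needed = needed_scope.rstrip("/").lower()
    return needed == assigned or needed.startswith(assigned + "/")


def parse_az_role_assignments(az_json: str) -> list:
    """Parse `az role assignment list --assignee <id> --all` output.
    Assumption: each object carries principalId, roleDefinitionName and scope."""
    return [
        RoleAssignment(o["principalId"], o["roleDefinitionName"], o["scope"])
        for o in json.loads(az_json)
    ]


def missing_assignments(principal_id: str, assignments: list, required: list) -> list:
    """Return the (role, scope) pairs `principal_id` lacks, directly or by inheritance."""
    mine = [a for a in assignments if a.principal_id == principal_id]
    return [
        (role, scope)
        for role, scope in required
        if not any(a.role_name == role and scope_covers(a.scope, scope) for a in mine)
    ]


# --- Constructed sample: the state azd leaves behind after a hosted-agent deploy ---
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ACCOUNT = SUB + "/resourceGroups/rg-agents/providers/Microsoft.CognitiveServices/accounts/foundry-acct"
CONTAINER = (
    SUB + "/resourceGroups/rg-agents/providers/Microsoft.Storage/storageAccounts/stagentdata"
    "/blobServices/default/containers/agent-files"
)
AGENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder agent Entra identity object id

# Only the platform-assigned role is present; nothing was granted on the container yet.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"principalId": AGENT_ID, "roleDefinitionName": "Azure AI User", "scope": ACCOUNT},
])

# What this particular agent needs. The Blob role and scope are assumptions for an
# agent that reads one container; adjust per workload.
REQUIRED_FOR_AGENT = [
    ("Azure AI User", ACCOUNT),
    ("Storage Blob Data Reader", CONTAINER),
]


def preflight(az_json: str = SAMPLE_AZ_OUTPUT, principal_id: str = AGENT_ID,
              required: list = REQUIRED_FOR_AGENT) -> list:
    """Run the check; an empty list means every required assignment is in place."""
    return missing_assignments(principal_id, parse_az_role_assignments(az_json), required)


if __name__ == "__main__":
    gaps = preflight()
    for role, scope in gaps:
        print(f"MISSING: {role} at {scope}")
    if not gaps:
        print("RBAC preflight passed")
```

Run it against the real CLI output by piping `az role assignment list --assignee <agent-principal-id> --all -o json` into `preflight(sys.stdin.read(), principal_id=...)`. Because the check honours inheritance, the account-scope Azure AI User role correctly satisfies a project-scope requirement, while the Blob container shows up as missing until you assign it at container scope yourself.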
Pricing in Real Numbers
The math for three realistic workloads at the published rates of $0.0994/vCPU-hour + $0.0118/GiB-hour:
- Lightly-used enterprise assistant (200 sessions/day × 1 vCPU × 2 GiB × 5 min average session): ~16.7 vCPU-hours/day + 33.3 GiB-hours/day. Monthly compute: ~$62.
- Heavy multi-agent orchestration (50 concurrent sessions × 1 vCPU × 2 GiB × 10 active hours/day): ~500 vCPU-hours/day + 1,000 GiB-hours/day. Monthly compute: ~$1,845.
- Spiky consumer-facing agent (500-session 2-hour promo burst + near-zero baseline): roughly $1-5/day with true idle cost at zero.
The competitive comparison matters. Google’s Vertex AI Agent Engine is priced at $0.0864 per vCPU-hour and $0.0105 per GiB-hour, roughly 13% cheaper on compute and 11% cheaper on memory. AWS Bedrock AgentCore is GA since October 2025 with per-feature metered pricing across Runtime, Gateway, Memory, Identity, Observability, Browser, Code Interpreter, and Policy components.
Microsoft is charging a modest premium for the combination of per-session hypervisor isolation, first-class Entra identity integration, and one-click Teams and M365 publishing. For Microsoft-shop enterprises, that premium is easy to justify. For greenfield consumer applications with no Microsoft identity footprint, Vertex is the cheaper answer.
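The workload figures and the Vertex comparison above, carried through as an added cost model (not from the briefing, Microsoft or Google): it converts a sessions-per-day or concurrency description into daily vCPU-hours and GiB-hours, prices them at the published Foundry rates, and reprices the same workload at the Vertex rates the briefing quotes. It assumes a 30-day month and covers sandbox compute only; model tokens, Foundry Memory and Toolbox are out of scope.

```python
from dataclasses import dataclass

# Foundry Hosted Agents rates from the April 22, 2026 announcement (as quoted above).
FOUNDRY_VCPU_HOUR = 0.0994
FOUNDRY_GIB_HOUR = 0.0118
# Vertex AI Agent Engine rates as quoted above, for the same-workload comparison.
VERTEX_VCPU_HOUR = 0.0864
VERTEX_GIB_HOUR = 0.0105

DAYS_PER_MONTH = 30  # assumption behind the monthly figures


@dataclass(frozen=True)
class Workload:
    """Daily sandbox consumption, already converted to the two billed units."""
    vcpu_hours_per_day: float
    gib_hours_per_day: float


def from_sessions(sessions_per_day: float, vcpu: float, gib: float, avg_minutes: float) -> Workload:
    """Short, independent sessions: total active hours = sessions x average minutes / 60."""
    active_hours = sessions_per_day * avg_minutes / 60.0
    return Workload(active_hours * vcpu, active_hours * gib)


def from_concurrency(concurrent: float, vcpu: float, gib: float, active_hours_per_day: float) -> Workload:
    """Steady concurrency: N sandboxes alive for H hours each day."""
    active_hours = concurrent * active_hours_per_day
    return Workload(active_hours * vcpu, active_hours * gib)


def daily_cost(w: Workload, vcpu_rate: float = FOUNDRY_VCPU_HOUR, gib_rate: float = FOUNDRY_GIB_HOUR) -> float:
    """Scale-to-zero means idle time costs nothing, so only active hours are billed."""
    return w.vcpu_hours_per_day * vcpu_rate + w.gib_hours_per_day * gib_rate


def monthly_cost(w: Workload, vcpu_rate: float = FOUNDRY_VCPU_HOUR, gib_rate: float = FOUNDRY_GIB_HOUR) -> float:
    return daily_cost(w, vcpu_rate, gib_rate) * DAYS_PER_MONTH


def vertex_discount() -> tuple:
    """Fractional per-unit saving of Vertex over Foundry: (compute, memory)."""
    return (1 - VERTEX_VCPU_HOUR / FOUNDRY_VCPU_HOUR, 1 - VERTEX_GIB_HOUR / FOUNDRY_GIB_HOUR)


def foundry_premium(w: Workload) -> float:
    """Monthly dollars Foundry costs above Vertex for the same sandbox profile."""
    return monthly_cost(w) - monthly_cost(w, VERTEX_VCPU_HOUR, VERTEX_GIB_HOUR)


# The two sized workloads from the briefing.
LIGHT = from_sessions(200, vcpu=1, gib=2, avg_minutes=5)
HEAVY = from_concurrency(50, vcpu=1, gib=2, active_hours_per_day=10)

if __name__ == "__main__":
    for name, w in (("light", LIGHT), ("heavy", HEAVY)):
        print(f"{name}: {w.vcpu_hours_per_day:.1f} vCPU-h/day, {w.gib_hours_per_day:.1f} GiB-h/day,"
              f" ${monthly_cost(w):,.0f}/month on Foundry, +${foundry_premium(w):,.0f} vs Vertex")
    c, m = vertex_discount()
    print(f"Vertex is {c:.0%} cheaper on compute and {m:.0%} cheaper on memory per unit")
```

The premium function makes the takeaway concrete: for the heavy orchestration profile the platform delta is a few hundred dollars a month, which is small next to the model-token bill the briefing says dominates by 10-100×.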
Enterprise Takeaway: Model tokens will dominate your agent costs by 10-100× regardless of hosting platform. The compute cost difference between Foundry, Vertex, and Bedrock rarely moves the total bill by more than 2-3%. Optimize for the platform that matches your identity, compliance, and existing tooling investments rather than chasing per-vCPU-hour deltas.
What Breaks: Preview Caps, Known Issues, and the Migration Gap
Two calendar days into preview, the operational picture is still sparse. What has surfaced so far:
- 50 active concurrent sessions per subscription per region. Adjustable via support request, but the quota process itself is new and lead times during preview are undocumented.
- Python and C# only. If your team writes agent logic in TypeScript or Java, you are waiting. Management SDKs support JS and Java; the runtime does not.
- Azure Container Registry must be publicly reachable. Private-link-secured ACR is not yet supported. Microsoft has publicly acknowledged this gap and committed to fixing it.
- “Hosted Agents are not enabled in this region” (GitHub issue #316 on the microsoft-foundry-for-vscode repo): users selecting unsupported regions hit a 400 error without helpful guidance.
- Model quota dependencies. Hosted agent deployment can fail even with agent infrastructure approved if the required Azure OpenAI model quota is zero in the target region. Check both before deploying.
- Classic agent tools are gone. The Azure Functions tool, Connected Agents, and Deep Research as classic tools have no direct carryover. Replacements: Workflow + A2A, Deep Research model with Web Search tool.
The single biggest documentation gap is a hosted-agent-specific migration guide for Ignite-era preview customers. Microsoft has published a strong API-surface migration guide (threads → conversations, runs → responses, create_agent → create_version) with an automated tool at aka.ms/agent/migrate/tool. But the compute-backend swap (re-packaging containers, adopting the new Responses and Invocations protocol libraries, re-deploying through azd ai agent init / provision / deploy) does not yet have dedicated step-by-step documentation. Expect it to land before Microsoft Build 2026 in May.
Enterprise Takeaway: If your organization ran hosted agents on the Ignite preview, plan a one-to-two-sprint re-implementation cycle. The API migration tool handles the code mechanics but not the container-packaging, region-selection, or protocol-library changes. This is not a rolling upgrade; it is a cutover.
Where Foundry Hosted Agents Fits vs Alternatives
Microsoft’s own field guide positions Hosted Agents as the sweet spot between managed-platform simplicity and custom-code flexibility. Here is the practical decision framework for the Microsoft agent stack:
- Copilot Studio: front door for business-facing copilots; low-code orchestration with governance built in. Choose when business users own the lifecycle and speed-to-prototype dominates.
- Microsoft 365 Copilot agents: business-user agents inside the M365 experience with deep Graph and Teams integration.
- Prompt (declarative) agents in Foundry (GA since March 2026): schema-driven agents, no custom runtime code.
- Foundry Hosted Agents (preview, refreshed April 22, 2026): your containerized code, hypervisor-isolated, managed runtime, framework-agnostic.
- In-process SDK agents (Microsoft Agent Framework v1.0): agents running inside your own process, service, or container. Lowest latency, full runtime control, you operate the infrastructure.
- Azure Container Apps with dynamic sessions: general containerized agent workloads with code-interpreter sandboxing. More control, less agent-native tooling.
- Azure Kubernetes Service: multi-cluster federation, maximum networking flexibility, highest operational cost. Right answer when you need a service mesh or compliance framework beyond what Foundry currently certifies.
For most enterprise IT teams deploying agentic AI for IT operations in 2026, the realistic shortlist is Foundry Hosted Agents (for fast time-to-production with identity and isolation built in), in-process SDK agents running on Windows 365 Cloud PCs or dedicated VMs (for full runtime control), and Copilot Studio (for business-user-owned workflows). Your decision criterion is usually: who owns the agent’s lifecycle, and how much runtime control do you need?
Enterprise Takeaway: Hosted Agents replaces the “build a managed runtime ourselves on ACA or AKS” option for most enterprise use cases. It does not replace in-process SDK agents for latency-sensitive work, and it does not replace Copilot Studio for business-user-owned flows. Match the tool to the lifecycle owner.
What to Do This Week
Five concrete actions for IT leaders based on this week’s release:
- Audit your Ignite-preview hosted agents. If you ran hosted agents on the pre-April-22 preview backend, inventory them and plan a cutover sprint. The old backend is being retired. Do not wait for the migration guide to do the inventory work.
- Run one sanctioned Hosted Agents pilot. Pick a well-scoped IT-operations workflow (log triage, configuration audit, Intune policy drift detection) and deploy it in North Central US or Canada Central with a 1 vCPU / 2 GiB sandbox. Scale-to-zero means your pilot cost is effectively zero when idle.
- Brief your identity team. Have your Entra admin review existing Conditional Access policies for anything that would block agent OBO flows, and draft agent-specific CA policies using managed-identity + named-location controls. This is the most common production blocker.
- Decide your framework allegiance. Microsoft Agent Framework v1.0 hit GA on April 2, 2026. If your team is still on Semantic Kernel or AutoGen, migrate to Agent Framework now; the SK and AutoGen codebases are in long-tail maintenance mode. If you are already on LangGraph or CrewAI, Hosted Agents supports them natively; no migration required.
- Update your vendor comparison matrix. Refresh your AI platform matrix with the April 22 capabilities: hypervisor isolation, $0.0994/vCPU-hour pricing, 50-session preview cap, four-region availability. Use this to revisit any multi-cloud agent strategy decisions you made before Q2 2026.
The governance story finally matches the marketing story on Hosted Agents. For organizations that have been waiting for identity, isolation, and auditability to reach enterprise-grade before production deployment, the wait is largely over. The remaining gaps (migration documentation, private-network ACR, additional languages, broader regional coverage) all have active Microsoft roadmap signals and are likely resolved before general availability.
If your organization needs help evaluating Microsoft Foundry Hosted Agents for a production workload, including identity architecture, Conditional Access design for agent OBO flows, migration from the Ignite preview, or platform selection across Foundry, Azure Container Apps, and in-process SDK agents, Big Hat Group specializes in enterprise AI consulting that bridges what Microsoft ships and what your organization actually needs to operate safely at scale. Contact us to scope a pilot.
Kevin Kaminski is Principal Architect at Big Hat Group, where he helps enterprises deploy Azure AI, Windows 365, and Microsoft Intune solutions that work in the real world. Connect with Big Hat Group for Azure consulting, Windows 365 consulting, and AI agent consulting.