Microsoft launches hosted agent sandboxes in Foundry Agent Service
Microsoft has released hosted agents in Foundry Agent Service into public preview, giving every agent session its own hypervisor-isolated sandbox with a persistent filesystem and scale-to-zero economics.
Score breakdown
Teams deploying AI agents in enterprise environments can now get per-session VM isolation, persistent filesystems, and governed identity out of the box — removing the need to build custom sandboxing infrastructure before going to production.
- 01Hosted agents in Foundry Agent Service are now in public preview, announced April 22, 2026.
- 02Every agent session gets its own dedicated, hypervisor-isolated VM sandbox — not just process or code-execution isolation.
- 03Filesystem state, disk state, and session identity persist across scale-to-zero events, so agents resume exactly where they left off.
Microsoft Foundry has put hosted agents in its Foundry Agent Service into public preview, positioning the offering as production-grade compute purpose-built for enterprise AI agents. The core argument is that traditional compute primitives — containers, web apps, and serverless functions — were designed for web services where multiple users safely share the same instance. Agents, however, write files, execute arbitrary code, and hold sensitive credentials, making shared-instance architectures a security liability. Hosted agents solve this by giving every individual session its own VM-isolated sandbox with a persistent filesystem, so Customer A and Customer B can never touch each other's state.
Operators can use isolation keys to namespace end-user sessions, route outbound traffic through a BYO VNet, and manage agent versions via stable endpoints with weighted rollouts.
The feature set includes predictable cold starts, scale-to-zero economics (agents cost nothing while idle and scale down automatically), and filesystem persistence across scale-to-zero events so an agent resumes with its full working directory intact. Operators can use isolation keys to namespace end-user sessions, route outbound traffic through a BYO VNet, and manage agent versions via stable endpoints with weighted rollouts. On the protocol side, the service ships with OpenResponses support (with automatic mapping to/from Activity Protocol for one-click Microsoft 365 publishing), a Flexible Invocations protocol for custom integrations, and AG-UI support. Microsoft notes this is a fundamentally different experience from the hosted agents preview first shown at Microsoft Ignite.
Key facts
- 01Hosted agents in Foundry Agent Service are now in public preview, announced April 22, 2026.
- 02Every agent session gets its own dedicated, hypervisor-isolated VM sandbox — not just process or code-execution isolation.
- 03Filesystem state, disk state, and session identity persist across scale-to-zero events, so agents resume exactly where they left off.
- 04Scale-to-zero billing means agents incur no cost while idle.
- 05BYO VNet support lets operators route agent outbound traffic through their own virtual network.
- 06Built-in agent versioning supports stable endpoints and weighted rollouts across versions.
- 07Multi-protocol support includes OpenResponses (with automatic Activity Protocol mapping for Microsoft 365), Flexible Invocations, and AG-UI.