This year’s Microsoft Build conference arrived with a key new framing from CEO Satya Nadella on the future of enterprise software. In his keynote speech, he made it clear that agents are now the primary unit of enterprise work, and reinforced the need for a full environment and common language across Microsoft’s stack to support this work. That language is now MCP.
The most important technical shift for developers was that the Model Context Protocol is now the default integration layer across Microsoft’s stack: Foundry, Agent 365, the IQ context services, Teams SDK, and Copilot all speak it natively.
MCP went mainstream before Build. Arcade’s State of MCP Tools report found monthly MCP server downloads grew 970x, from roughly 100,000 in November 2024 to 97 million by March 2026. 78% of enterprise AI teams now run at least one MCP-backed agent in production, and over two-thirds of CTOs have named MCP their default agent-integration standard. Gartner projects that this year, 75% of API gateway vendors and 50% of iPaaS vendors will ship MCP features. Microsoft standardizing on MCP confirms a shift already underway.
What did Microsoft announce at Build 2026?
The announcements fall into five layers:
- Microsoft Foundry: the runtime and tooling layer, including hosted agents, Toolboxes, rubric evaluators, and an agent optimizer.
- Agent 365: the enterprise control plane for agent identity, governance, and security.
- Microsoft IQ: the grounding layer, split into Web IQ, Fabric IQ, and Work IQ.
- MAI models: seven new in-house models across reasoning, coding, image, voice, and transcription.
- Project Solara: the chip-to-cloud platform and device ecosystem for secure, enterprise-ready, agent-first hardware, from badges to desk companions, that brings agents into specialized form factors and environments.
Supporting announcements included on-device inference with Surface RTX Spark Dev Box, OS-level agent sandboxing, a new GitHub Copilot app, and Majorana 2 quantum.
What are Foundry Toolboxes?
A Foundry Toolbox, currently in preview, bundles multiple tool types behind a single MCP-compatible endpoint: web search, file search, code interpreter, Azure AI Search, MCP servers, OpenAPI tools, and agent-to-agent connections. You configure tools once, point any MCP client at one URL, and Foundry handles auth, lifecycle, and governance.
Because the endpoint is standard MCP, any MCP-capable runtime can consume it: Foundry Agent Service, Microsoft Agent Framework, LangGraph, the GitHub Copilot SDK, and others. The demo also showed a guardrail, PII blocking, applied once at the Toolbox level and inherited by every connected agent.
Arcade commentary: The architecture confirms where the hard problems are. The action layer, not reasoning, is the real bottleneck: authorization, reliable execution, and governance all at once. A single managed MCP endpoint with policy is the correct shape. That said, there are constraints to evaluate: Toolboxes run inside Azure and Foundry, the auth model is not built for per-user delegated OAuth across many SaaS systems, and the bundled tools lean on community MCP servers that vary in quality. Teams running Claude, Cursor, ChatGPT, or custom frameworks across multiple clouds will need a runtime that is not tied to one stack.
A single endpoint is only as good as the tools behind it. The State of MCP Tools report graded 219,069 tools across 43,400+ servers. Only 0.5% earned an A; 167,333 received an F. Missing tool descriptions are the most common failure and push agents into hallucinations and retry loops that cost an estimated $5 to $8 per task. Bundling tools does not fix tool quality.
What is Microsoft Agent 365?
Agent 365 is the control plane for agents, now generally available. It assigns agents first-class identities through Entra, adds access packages and sponsor lifecycle workflows, applies runtime DLP on prompts through Purview, and maintains a registry that inventories agents across Azure, AWS Bedrock, and Google Cloud. Defender maps each agent to its devices, configured MCP servers, identities, and reachable cloud resources.
Arcade commentary: Treating agents as managed identities is the right call. Agent 365 handles governance at the agent level, but the complementary requirement is governing each action: enforcing least privilege at call time as the intersection of what the agent may do and what the user may do. This is where identity and integration, which were separate categories in the cloud, collapse into a single runtime decision with agents.
Agent identity does not help if the tools underneath use static secrets. Per the State of MCP Tools report, 88% of MCP servers require credentials, but only 8.5% use OAuth. The majority rely on long-lived static keys that never expire and cannot be easily revoked. A compromised agent credential looks like normal agent traffic, which makes detection hard. Governing the identity and brokering scoped, revocable auth at the tool call are two separate jobs.
What are Web IQ and Microsoft IQ?
Microsoft IQ is the context layer that grounds agents. Web IQ is an AI-first search service that is model-agnostic and MCP-native, covering web, news, images, and video, with sub-165ms latency and zero data retention. Fabric IQ exposes enterprise data as a live operational model. Work IQ grounds answers in documents and procedures such as SharePoint content. The consistent design choice is MCP as the retrieval interface rather than a proprietary connector.
What about Open Claw, MXC, and local agents?
MXC, or Microsoft Execution Containers, builds agent sandboxing into Windows, with process, session, and VM-level isolation enforced by policy. The demo showed an agent being blocked from deleting files in a read-only directory, which is a small example, but the right one for illustrating where the guardrails sit. Separately, a popular open-source agent harness shipped an enterprise mode on Windows with bring-your-own model support, per-folder read-only and hidden permissions, clipboard and network toggles, and a backing nonprofit foundation.
Microsoft also used Build to make local agent compute feel less like a side quest. Surface RTX Spark Dev Box puts NVIDIA RTX Spark silicon, 128 GB of unified memory, and up to a petaflop of AI compute into a desk-side Windows developer machine, while DGX Station for Windows pushes the same idea toward larger frontier-class workloads. The point is not that every agent should run locally. It is that the agent stack is becoming tiered: cloud models for the hardest reasoning, local models for lower-cost delegation and fast iteration, and a governed execution layer underneath both.
Combined with the multi-model GitHub Copilot app, the signal is that agent harnesses are multiplying, and each one needs a governed tool and auth layer beneath it.
What do the new MAI models mean?
Microsoft introduced seven MAI models plus frontier tuning, which trains models against private evals and reinforcement-learning environments. The stated value is that your tools, workflows, and data become the differentiator, not the base model. Gartner projects enterprises will spend roughly 17x more on AI software than on the models themselves, which puts the value above the model layer, where agents execute work.
What does Build 2026 mean for MCP and the agent stack?
MCP is now table stakes across the largest enterprise software vendor, which is a tailwind for anyone building on the protocol. But it also means differentiation has shifted as protocol support is a given, and execution quality is where the competition now actually happens.
The operational test for any agent in production is unchanged: can this agent, acting on behalf of this user, perform this action reliably, with a complete audit trail? Build answered the strategic question of whether agents matter. The engineering question, making them production-safe across every model, framework, and cloud, is where the real work begins.
For the ecosystem data behind the callouts above, see Arcade’s State of MCP Tools report. For technical material on agent authorization, reliable MCP tools, and governance, see docs.arcade.dev.
