The identity layer for AI agents is more fragmented and risky than Microsoft's marketing suggests. Three overlapping problems β Classic vs Modern agents, OBO token delegation, and Copilot Studio maker credentials β each undermine the agent security story independently. All three coexist in most enterprise deployments today.
The following resources were key sources for this section β combining Microsoft's official documentation with practitioner field research:
Before Entra Agent ID was introduced, Copilot Studio agents were registered as standard Service Principals (Enterprise Applications) in Entra β what are now called Classic Agents. Most organisations with existing Copilot Studio deployments have Classic Agents. This is the most underappreciated structural gap in Microsoft's agent security story.
Classic Agents are completely outside the Entra Agent ID security perimeter. They receive no ID Protection for Agents, no Conditional Access for Agents, no Agent lifecycle governance. The Entra security products that Microsoft markets for agent protection only work with Modern Agents. Microsoft has acknowledged a migration tool is planned β it does not exist yet. The only current workaround is to recreate agents from scratch as Modern Agents, which is impractical at scale.
| Dimension | Classic Agent | Modern Agent |
|---|---|---|
| Entra registration type | Service Principal (Enterprise App) | Agent Identity (Agent Blueprint) |
| ID Protection for Agents | β Not supported | β Supported (preview) |
| Conditional Access for Agents | β Not supported | β Supported (preview) |
| Agent lifecycle governance | β Not supported | β Sponsor model available |
| Owner model | Power Virtual Agent Service + creator as Owner β this introduces credential abuse risk (owner can add client secrets) | Sponsor model β creator in Notes field, not Owner role |
| Name sync with Copilot Studio | Name stays as original Agent # β not updated on rename | Same bug β name not synced on rename |
| Migration path | Recreate from scratch OR await Microsoft migration tool | N/A β is the target state |
| Where most production agents are today | Most existing Copilot Studio agents | Only newly created agents with setting enabled |
For Classic Agents, the user who created the agent is added as an Owner of the Enterprise Application. An Owner can add client secrets, bypassing Conditional Access and MFA, abuse federated credentials for cross-tenant access, and is a high-privilege technical role. For Modern Agents, the creator should be listed as a Sponsor in the Notes field β a business accountability role without these technical powers. Using the Owner option on Classic Agents introduces real credential abuse risk. Field research by Derk van der Woude confirms this is the default behaviour in production environments.
Beyond OBO, Copilot Studio introduces a structurally distinct and in many ways more dangerous authentication pattern: maker credentials. When a Copilot Studio agent is connected to tools (SharePoint, Outlook, Teams, etc.), it authenticates to those services as the person who built the agent β not the person using it.
| Pattern | Who Is Authenticated | Audit Trail | Blast Radius | Mitigation |
|---|---|---|---|---|
| OBO (standard) | Invoking user | Shows user UPN (not agent) | User's own permissions | User PAM hygiene |
| Maker credentials (Copilot Studio) | Agent builder | May show service, not maker | Maker's full permissions Γ all users of agent | Enforce end-user auth; restrict sharing scope |
| No authentication | Anyone in Teams | None | Maker's permissions Γ entire org, no login required | Power Platform admin enforcement; KQL detection |
For agents outside Copilot Studio (Microsoft Foundry, custom agents), OBO remains the primary token mechanism. The agent receives a token derived from the invoking user's access token β it acts on behalf of the user, not as an independent identity.
Both Classic and Modern agents share a documented bug: when an agent is renamed in Copilot Studio after initial creation, the name stored in Entra Agent ID is not updated. The Entra portal continues to show the original name assigned at creation β typically Agent # (a number).
Entra security products β ID Protection for Agents, Conditional Access, and the Agent ID portal β all reference the original names. In any enterprise with more than a handful of agents, this makes per-agent policy management in Entra nearly unworkable. You cannot create a meaningful Conditional Access policy for Agent #47. Microsoft has confirmed this inconsistency and states work is in progress β no fix timeline confirmed. Field workaround: use the Agent ID object-ID (not name) as the primary key for agent identification, cross-referenced via script against the Power Platform Admin Environment URL.
Source: Microsoft Learn β Automatic security scan in Copilot Studio
Before a maker can publish an agent, Copilot Studio automatically runs a security scan and surfaces warnings when any of the following secure defaults have been changed:
| What was changed | Default | Risk |
|---|---|---|
| Authentication set to No authentication | Authenticate with Microsoft | Anyone with the link can interact with agent and all its tools |
| Maker-provided credentials selected for connectors/flows | End user credentials | Agent authenticates as builder β maker credentials blast radius |
| Agent shared with everyone in the organisation | Shared with no one | Org-wide exposure of all tools and data the agent can access |
These are warnings β not hard blocks. A maker can acknowledge and proceed. The scan fires at publish time, not continuously. It does not detect all misconfigurations β for example, it does not warn on App Registration Application Permissions (auth pattern β£) which is very high risk.
Source: Microsoft Learn β Agent runtime protection status
The Copilot Studio Agents page now shows a Protection status column for every published agent with one of three values:
| Status | Meaning | Action |
|---|---|---|
| π‘ Protected | Threat detection active, authentication and policies compliant | No immediate action required |
| β Needs review | Policy violation OR inadequate authentication detected | Drill into summary to see which category failed |
| ? Unknown | Protection state cannot be determined | Check Defender connection and Power Platform setup |
Three categories in the summary dialog: Authentication (is auth required?), Policies (are Power Platform DLP policies complied with?), Content Moderation (content safety levels). Clicking the status opens Security Analytics showing blocked message trends over 7/14/30 days, broken down by threat detection, authentication issues, and policy violations.
Note: All published agents automatically have threat detection enabled and show the Active label β this is independent of whether the full Defender RT protection setup has been completed.
Responsible AI content filtering β always active, operates at conversational level. Message shown: "The content was filtered due to Responsible AI restrictions." Evaluates the nature of the conversation β harmful content, jailbreak attempts, prompt injection in input, copyright infringement.
Real-time threat protection (Defender for Cloud Apps) β must be explicitly configured, operates at action execution level. Message shown: "Blocked by threat protection." Evaluates tool invocations β unauthorized data access, privilege escalation through tool chaining, data exfiltration patterns. Only activates when configured. Has a 1-second timeout: if Defender doesn't respond in time, the agent proceeds regardless.
Entra Agent ID remains in limited preview for frontier/large enterprise programs. Even when it reaches GA, it will only apply to Modern Agents β Classic Agents (the majority of existing Copilot Studio deployments) require migration first.
This is the single most important table for architects deploying Copilot Studio agents. The gap between Classic and Modern is not marginal β it determines whether any Entra security product applies at all.
| Security Product | Classic Agents | Modern Agents | Notes |
|---|---|---|---|
| Defender for Cloud Apps β AI Agent Inventory | β Supported | β Supported | Works for both. Requires Defender + Power Platform admin collaboration. |
| Defender for Cloud Apps β Real-time Protection | β Supported | β Supported | Works for both. Inspects tool invocations before execution. |
| Block Images and URLs | β Supported | β Supported | Works for both. External threat detection must be configured in Copilot Studio. |
| AIAgentsInfo KQL (Advanced Hunting) | β Supported | β Supported | Works for both once AI Agent Inventory is enabled. |
| Entra Agent ID β Identity Registration | β Not supported | β Supported (preview) | Classic agents registered as Service Principals, not Agent Identities. |
| ID Protection for Agents | β Not supported | β Supported (preview) | Requires Entra Agent ID. Classic agents have no risk signal in ID Protection. |
| Conditional Access for Agents | β Not supported | β Supported (preview) | Requires Entra Agent ID. Name sync bug makes policy management difficult at scale. |
| Access Reviews for Agents | β Not supported | β Supported (preview) | Requires Entra Agent ID. |
| Lifecycle Workflows (sponsor model) | β Not supported | β Supported (preview) | Classic agents use Owner role (risky). Modern agents use Sponsor model. |
| Agent Blueprint & Permissions governance | β Not supported | β Supported (preview) | Blueprint-level Graph API permission governance only available for Modern agents. |
Defender for Cloud Apps security controls (RT protection, AI Agent Inventory, Block Images/URLs) provide a meaningful security baseline for all agents β Classic and Modern. Entra Agent ID security products (ID Protection, Conditional Access, Access Reviews, Lifecycle Workflows) only apply to Modern Agents. Most existing Copilot Studio production deployments are Classic. Migrating to Modern Agents is the prerequisite for the full Entra security stack β but the migration tool doesn't exist yet.
Field research by Derk van der Woude (March 2026) identifies four distinct authentication configurations for Copilot Studio agents β each with a very different risk profile. Knowing which pattern your agents use is the first step to securing them.
| Pattern | How it authenticates | Risk | Detectable via KQL |
|---|---|---|---|
| β End User Credentials (OBO) Auth with Microsoft β End user credentials |
User authenticates once; agent exchanges token OBO the user. Everything runs in the user's own permission context. Sign-in logs available in Entra for the user. | β Low risk | UserAuthenticationType == "Integrated" |
| β‘ Maker-Provided Credentials Auth with Microsoft β Maker-provided credentials |
Agent authenticates at design time using the maker's identity, then reuses that connection for every user at runtime. Silent authentication β stored credentials. No per-user sign-in logs for the agent. | β οΈ High risk Data oversharing, silent auth |
AgentToolsDetails.mode == "Maker"See KQL below |
| β’ App Registration β Delegated Permissions Authenticate manually β Entra ID V2 (delegated) |
Uses an Entra App Registration but still acts OBO the signed-in user. Effective permissions = intersection of user rights AND app granted scopes. Sign-in logs available in Entra Agent ID portal. | β Low risk Verify scopes are minimal |
HTTP Request to Graph + delegated token |
| β£ App Registration β Application Permissions Authenticate manually β Entra ID V2 (application) |
Agent authenticates as the application itself β no user context, no OBO. Access determined by application permissions (e.g. Mail.Read.All, User.Read.All). Can access data across the entire tenant. Requires admin consent. | β οΈ Very high risk Tenant-wide access, admin consent |
HTTP Request to Graph + client credentials flow |
| β€ Agent's User Account Agent provisioned with a full human user account |
Agent is assigned a real user account with persistent identity β mailbox, calendar, Teams membership, SharePoint access, ability to join meetings and send communications. Agent acts as a human user, not on behalf of one. Can participate in Teams channels, access documents, attend meetings under false pretences if compromised. | β οΈ Very high risk Full human identity β hardest to detect as non-human |
Entra Identity Governance lifecycle management; Access Reviews; assign a human sponsor accountable for the agent account |
Updated April 2026: Conditional Access for Agent ID (Preview) extends CA controls to AI agents as first-class identities. It applies when an Agent Identity or Agent User (both Entra Agent ID constructs) requests a token for any resource.
| Agent type | CA for Agent ID applies? |
|---|---|
| Modern Copilot Studio agents (Entra Agent ID, Frontier) | β Yes β Agent Identity and Agent User token flows protected |
| Microsoft Foundry agents (OAuth 2.0 Agent ID) | β Yes |
| Microsoft-built Security Copilot agents | β Yes |
| Classic Copilot Studio agents (service principals, OBO, maker credentials) | β No β none of patterns β β‘β’β£ trigger CA for Agent ID |
| Custom/partner Security Copilot agents ("Connect with existing user account") | β No β uses configuring user's credentials, not Agent ID |
Note: CA for Agent ID does NOT apply when the Agent Identity Blueprint acquires a token for Microsoft Graph to create agents, or during intermediate token exchange flows (T1 phase). These carve-outs are by design β agentic task flows (T2) are protected.
Critical nuance β Security Copilot custom agents: Custom and partner Security Copilot agents use the "Connect with existing user account" option β the agent runs using the configuring user's credentials, inheriting their access and permissions. This is functionally identical to Copilot Studio's maker credentials risk (pattern β‘) but with a much higher blast radius.
When building a custom or partner Security Copilot agent, the "Connect with existing user account" option stores the configuring user's credentials and uses them every time the agent runs β regardless of who triggers it. This is structurally identical to Copilot Studio's maker credentials risk (pattern β‘) but with a much higher blast radius.
Security Copilot users are typically high-privilege accounts β Security Admins, SOC engineers, Global Admins. An agent configured by a Global Admin silently extends Global Admin-level access to threat intelligence, Sentinel incidents, Defender signals, Entra identity risk data, and more β to every user who runs it. The configuring user's permissions become the agent's permissions, invisibly, for every execution.
What to do: Audit who configures custom Security Copilot agents and what permissions their account holds. Use a dedicated low-privilege service account specifically for agent configuration β not a personal admin account. Treat this account like a shared mailbox: minimal permissions, no interactive login, monitored. Establish an approval gate before any custom Security Copilot agent goes to production.
For Copilot Studio, apply Conditional Access policies targeting the invoking user or the workload identity (service principal) instead. Use ID Protection for Workload Identities as the equivalent control for App Registration patterns.
The following KQL (field-validated by Derk van der Woude) detects maker credentials at the connector level β checking both AgentToolsDetails and AgentTopicsDetails for where maker mode is actually configured. This is more precise than checking only the agent-level auth type.
let base = AIAgentsInfo
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus == "Published";
let directActions = base
| mv-expand detail = AgentToolsDetails
| where detail.action.connectionProperties.mode == "Maker"
| extend ActionType = "FromTools", Action = detail.action
| project-reorder AgentCreationTime, AIAgentId, AIAgentName,
UserAuthenticationType, CreatorAccountUpn;
let topicActions = base
| mv-expand topic = AgentTopicsDetails
| extend topicActionsArray = topic.beginDialog.actions
| mv-expand Action = topicActionsArray
| where Action.connectionProperties.mode == "Maker"
| extend ActionType = "FromTopic"
| project-reorder AgentCreationTime, AIAgentId, AIAgentName,
AgentStatus, CreatorAccountUpn, OwnerAccountUpns, Action;
directActions
| union topicActions
| sort by AIAgentId, Timestamp desc
Finds agents using HTTP Request actions to graph.microsoft.com or management.azure.com β indicating App Registration authentication (pattern β’ or β£). Delegated = low risk. Application permissions = very high risk.
AIAgentsInfo
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| mvexpand Topic = AgentTopicsDetails
| where Topic has "HttpRequestAction"
| extend TopicActions = Topic.beginDialog.actions
| mvexpand action = TopicActions
| where action['$kind'] == "HttpRequestAction"
| extend Url = tostring(action.url.literalValue)
| extend ParsedUrl = parse_url(Url)
| extend Host = tostring(ParsedUrl["Host"])
| where Host has_any("graph.microsoft.com", "management.azure.com")
| project-reorder AgentCreationTime, AIAgentId, AIAgentName,
ParsedUrl, Url, Host, AgentStatus,
CreatorAccountUpn, OwnerAccountUpns
Source: Derk van der Woude β Your Copilot Studio agent is acting as someone, do you know who? (March 2026)
Microsoft formally defines agent sprawl as the uncontrolled expansion of agents across an organisation without adequate visibility, management, or lifecycle controls. It emerges when business units create agents without formal IT oversight (shadow AI), when agents created for temporary purposes remain in production indefinitely, and when agent permissions exceed actual requirements and are never reviewed.
Increased security risk from over-privileged agents with unclear ownership. Compliance challenges when auditors expect governance over AI systems. Incident response difficulty when organisations can't quickly identify or isolate compromised agents. The Agent's User Account pattern (β€) is especially prone to sprawl β user accounts created for agents are indistinguishable from human accounts in most tooling.
Microsoft's Entra Agent ID platform now supports agent-to-agent (A2A) discovery and authorisation alongside MCP. A2A is an emerging standard protocol for authenticated communication between agents β enabling orchestration agents to delegate tasks to sub-agents with proper identity verification. Without A2A controls, an adversary can inject a malicious agent into an orchestration chain or intercept inter-agent communications.
| Risk | Description | Control |
|---|---|---|
| Agent-to-agent propagation | Compromised orchestration agent delegates to sub-agents, spreading compromise across the agent chain | Entra Agent ID A2A authentication; audit trails of inter-agent interactions |
| Malicious agent injection | Adversary introduces a rogue agent into an orchestration workflow that impersonates a legitimate sub-agent | A2A identity verification; Entra Agent ID β agent-to-agent discovery based on verified identities |
| Unauthenticated delegation | Orchestrator delegates tasks to agents without verifying their identity β attacker intercepts or substitutes | Require authenticated A2A channels; log all inter-agent calls in Entra audit logs |
Source: Microsoft Entra security for AI overview (April 2026)
Entra Agent ID introduces three distinct accountability roles β Owner, Sponsor, and Approver β plus a new failure mode (orphaned identities) that security architects need to understand separately. The Approver is what operationalises sharing controls; without an explicit IT approval gate, sharing limits become a guideline rather than an enforced control.
Owner answers "is the agent working correctly?" β technical. Sponsor answers "does the agent still need to exist?" β business. Approver answers "should this agent be shared more broadly?" β gatekeeper. All three are required for proper governance; Owner and Sponsor are nominated at agent creation, Approver is invoked at every sharing change. In a high-tier agent, these should be three different people.
When a Blueprint is deleted, two dangerous remnants remain: Orphaned Agent Identities β retain all Graph API permissions, Azure RBAC roles, and Entra directory roles but can no longer authenticate. These are unclaimed permission assignments with no Blueprint, no owner, no accountability. Orphaned Agent Users β appear as completely normal user accounts in the Entra portal with no indication they belonged to a deleted agent. They may hold group memberships, licenses, and resource access. Microsoft does not detect or flag these automatically. Detection requires querying the tenant and cross-referencing Agent Identities against active Blueprint Principals.
AIAgentsInfo KQL covers Copilot Studio agents (Classic and Modern) and Foundry, marketplace, and LOB agents registered with Agent 365. Use the RegistrySource column to distinguish: RegistrySource == "PowerPlatform" for Copilot Studio agents via the Power Platform connector; RegistrySource == "A365" for Agent 365-registered agents. Most existing KQL queries on this page target Copilot Studio (PowerPlatform) β see Playbook 01 Step 8 for A365-specific queries. For Modern agent Owner/Sponsor checks, use PowerShell via Microsoft Graph (Agent ID Administrator role required β Global Reader returns 403).
M365 admin center β Agents β All agents (Agent 365): comprehensive inventory of ALL agents including those without Entra Agent ID. Requires AI Administrator or AI Reader role. No licence needed for inventory view only.
Entra admin center: shows only agents with a Microsoft Entra Agent ID. Use for identity governance, CA policies, blueprint management. Requires Agent ID Administrator role for write operations.
Identity admins need both portals for complete coverage β the Entra admin center alone misses Classic agents and any agent without an Entra identity.
# Find Modern agents missing Owner or Sponsor
Connect-MgGraph -Scopes "AgentIdentity.Read.All"
$agents = Invoke-MgGraphRequest -Method GET `
-Uri "https://graph.microsoft.com/beta/servicePrincipals/microsoft.graph.agentIdentity" `
-OutputType PSObject
foreach ($agent in $agents.value) {
$owners = Invoke-MgGraphRequest -Method GET `
-Uri "https://graph.microsoft.com/beta/servicePrincipals/$($agent.id)/owners" `
-OutputType PSObject
$sponsors = Invoke-MgGraphRequest -Method GET `
-Uri "https://graph.microsoft.com/beta/servicePrincipals/$($agent.id)/sponsors" `
-OutputType PSObject
$flags = @()
if ($owners.value.Count -eq 0) { $flags += "No Owner" }
if ($sponsors.value.Count -eq 0) { $flags += "No Sponsor" }
if ($flags.Count -gt 0) {
Write-Host "$($agent.displayName) | $($flags -join ', ')" -ForegroundColor Red
}
}
Disconnect-MgGraph
Source: Thalpius β Microsoft Ownerless Agents: The silent risk in your Entra tenant (March 2026)
The Entra Agent ID portal shows three distinct agent categories β not two:
| Category | Description | Entra Coverage |
|---|---|---|
| Modern agents "Agent identities" | Created via Entra Agent ID platform, backed by an Agent Identity Blueprint. Full governance capabilities. | β Full β CA, ID Protection, lifecycle |
| Classic agents "Agents with service principals" | Created before Agent ID platform, registered as standard service principals. Most existing Copilot Studio agents. | β None |
| Agents with no identities "Agents with no identities" | Registered in Agent Registry but have no associated Entra Agent ID at all β not even a service principal. | β None β invisible to security tooling |
Agent Identities do not have credentials of their own. Credentials are configured on the Blueprint and used in the T1 (Exchange Token) phase of authentication. When an agent authenticates, the Blueprint's credential proves trust to Entra (T1), then the Agent Identity's permissions determine what the token can access (T2). If a Blueprint is deleted, the credentials are gone but all permissions assigned to the Agent Identities remain β creating orphaned permission assignments with no authentication path. See the T1/T2 section below for full detail.
The Entra Agent ID platform introduces four distinct object types β not just "agent" and "blueprint". Understanding all four is essential for inventory and governance work.
| Object | What it is | Security significance |
|---|---|---|
| Agent Identity Blueprint Template + credential container |
The template that defines how agent identities are created. Holds credentials. Consists of two parts: a blueprint application (defines configuration) and a Blueprint Principal (the service principal that makes the blueprint usable in the tenant β analogous to the App Registration / Enterprise Application relationship). | Credentials live here. If deleted, credentials gone but all downstream permissions remain. The Blueprint Principal appears in Entra audit logs as the actor when agent identities are provisioned or deprovisioned. |
| Blueprint Principal Token issuance + audit identity |
The service principal object created when a blueprint is added to a tenant. Has exactly one role: it can provision and deprovision agent identities. All blueprint actions β creating agents, deleting agents β are logged in Entra audit logs under this principal's identity. | Source of audit accountability for all agent identity lifecycle events. If the Blueprint is deleted but orphaned Agent Identities remain, the Blueprint Principal is also gone β audit trail for those identities is severed. |
| Agent Identity The agent's service principal |
A special service principal in Entra created by the Blueprint. Has a unique characteristic: the Object ID and App ID always share the same value β making agent identities reliably identifiable for authorization decisions without ambiguity. Has no credentials of its own β the Blueprint's credentials are used for token exchange via an impersonation model: the Blueprint performs the actual token exchange but the Agent Identity appears as the client in the resulting token and in audit logs. Three critical security properties (Modern agents only): β No admin token generation: No one in the tenant β including Global Admins β can generate tokens using the agent identity. Microsoft fully controls the Blueprint and authentication mechanism. This prevents lateral movement via agent identity token theft. β‘ Tenant-bound: Agent identity tokens can only be issued in the tenant where the agent was created. They cannot access resources or APIs in other tenants β no cross-tenant token movement. β’ Impersonation model: Blueprint holds credentials and performs token exchange. Agent Identity holds permissions and appears as the client in audit logs. A compromise of Blueprint credentials affects all agent identities under it β Blueprint count is a security boundary decision. Supports CA for Agents, ID Protection, lifecycle governance. Can be assigned Owner (technical) and Sponsor (business accountable). |
The identity Entra security products see and enforce against. Must be Modern (Blueprint-backed) β Classic agents are standard service principals with none of this governance. |
| Agent User Optional β full human-style identity |
Some agents are paired with a dedicated user object in Entra β giving the agent a full human-style identity: mailbox, Teams presence, SharePoint access. This is authentication pattern β€. The Agent User appears as a completely normal user account in the Entra portal with no visual indicator it belongs to an agent. | VERY HIGH RISK. Agent Users inherit all the access of a human account. If the parent Blueprint is deleted, the Agent User remains β it appears as a normal active user with no flag, may retain group memberships, licenses, and resource access indefinitely. Requires explicit lifecycle management. |
Source: Microsoft Learn β ID Protection for Agents (Preview)
Microsoft Entra ID Protection now includes agent-specific risk detection. It establishes a baseline for each agent's normal activity, then flags anomalies as risky agent detections. Risk signals feed directly into Conditional Access for Agent ID β a CA policy can automatically block access when an agent's risk level hits High.
Licence: Entra P2 (included during preview). Applies to: Modern agents with Entra Agent ID only.
| Detection | What it means | riskEventType |
|---|---|---|
| Unfamiliar resource access | Agent targeted resources it doesn't usually access β potential attacker accessing sensitive resources beyond agent's intended scope | unfamiliarResourceAccess |
| Sign-in spike | Abnormally high sign-in frequency β indicator of automation abuse or attacker toolkit | signInSpike |
| Failed access attempt | Agent attempted resources it's not authorised for β possible token replay attack against unauthorised resource | failedAccessAttempt |
| Sign-in by risky user | Agent signed in on behalf of a risky user (delegated auth) β attacker may be using compromised credentials to exploit the agent | riskyUserSignIn |
| Confirmed compromised | Admin manually confirmed compromise β automatically sets risk to High, triggers CA block policies | adminConfirmedAgentCompromised |
| Threat intelligence | Activity matching known attack patterns from Microsoft threat intelligence | threatIntelligenceAccount |
View Risky Agents report: Security Administrator, Security Operator, or Security Reader
Configure CA risk policies: Conditional Access Administrator
Graph API: riskyAgents and agentRiskDetections collections via ID Protection APIs
From the Risky Agents report in Entra ID Protection:
| Action | What it does |
|---|---|
| Confirm compromise | Sets risk to High, creates risk detection event, triggers CA block policies β use in incident response |
| Confirm safe | Marks as false positive, clears risk state, prevents similar flagging |
| Dismiss risk | Risk no longer relevant but system continues monitoring similar behaviour |
| Disable | Blocks all sign-ins for the agent across Entra and connected apps |
Source: Microsoft Learn β CA for Agent ID (Preview)
The recommended approach for CA policy scoping is to use custom security attributes assigned to agents and resources. This enables precise, scalable policy targeting without manually managing object IDs.
Example pattern: create an attribute set AgentAttributes with attribute AgentApprovalStatus (values: New, In_Review, HR_Approved, Finance_Approved, IT_Approved). Assign attributes to agents and resources. CA policy: block all agents EXCEPT those tagged HR_Approved from accessing resources tagged HR. This is the governance model for agent segmentation at scale.
CA policies can scope agents by: all agent identities in tenant, specific agent identities by object ID, agents by custom security attribute, agents grouped by their Blueprint, or all Agent Users.
Source: Derk van der Woude β Entra Agent ID FIC Deep-Dive (April 2026)
When an agent authenticates, it goes through a two-phase flow:
| Phase | Name | What happens | What controls it |
|---|---|---|---|
| T1 | Exchange Token (trust phase) | The Blueprint presents a credential to Entra to prove it is trusted. Entra verifies this and issues a token to proceed. | Blueprint credential type β secrets/certs or FIC |
| T2 | Access Token (authorisation phase) | Agent Identity inherits permissions from the Blueprint. Entra issues an Access Token used to access resources (Graph API, Azure RBAC, etc.). | Agent Identity permissions β what roles and scopes are assigned |
Microsoft has standardised on new naming for agent access models:
| New name | Former name | What it means |
|---|---|---|
| Agents with delegated access | OBO agents | Agent acts on behalf of a signed-in user using delegated permissions. User tokens. Standard OAuth 2.0 OBO flow. |
| Agents with own access (Autonomous) | Non-OBO agents | Agent acts under its own identity, no user context. App-only permissions, admin-granted. Agent tokens. |
| Agent's User Account | No change | One-to-one pairing for systems requiring a user object (Exchange Online mailbox, Teams channel). Three-stage credential chain: Blueprint β Identity β User Account. |
T1 controls who is trusted to get a token. T2 controls what they are allowed to do once trusted. These are governed independently β you can have tightly scoped T2 permissions on a Blueprint that uses weak T1 credentials, or vice versa.
A Blueprint can use one of three credential types to complete T1. Source: Carlos Suarez (Microsoft) β Entra Agent ID Architecture.
| Type | How it works | Security posture |
|---|---|---|
| Managed Identity (via FIC) | Azure Managed Identity token serves as the FIC credential for the Blueprint. The managed identity token is platform-issued β no secret to store, rotate, or leak. Standard MSI protocols apply for credential acquisition. | Most preferred β Microsoft-recommended for production. No stored secret anywhere. Platform handles credential lifecycle entirely. |
| Federated Identity Credentials (FIC) | No stored secret. An external identity presents a short-lived OIDC token that Entra verifies dynamically against trust rules (issuer, subject, audiences β case-sensitive). Broader than Managed Identity β any OIDC-capable IdP can be used. | Preferred β no secret ever leaves the workload's hosting platform. Use when Azure Managed Identity is not available (e.g. GitHub Actions, external platforms). |
| Secrets / Certificates | Static credential β a client secret or certificate stored somewhere. Presented to Entra at authentication. | Least preferred β must be stored, rotated, and protected. Risk of theft, reuse, or exfiltration. Acceptable only for dev/test scenarios. |
Agent entities authenticate as confidential clients only β none use redirect URIs or the /authorize endpoint. There is no browser-based OAuth flow for agents. Supported grant types for delegated access: client_credentials, jwt-bearer, refresh_token.
Every FIC is defined by three properties that must exactly match claims in the inbound token. The match is case-sensitive β a mismatch on any of these will silently fail authentication:
iss claim. For an Azure Managed Identity: https://login.microsoftonline.com/<tenantId>/v2.0sub claim. For an MI: the MI's principal ID (GUID)aud claim. For Entra token exchange: api://AzureADTokenExchangeBlueprint creation and credential management requires specific scopes beyond the read-only AgentIdentity.Read.All scope used for inventory queries:
| Operation | Required scope |
|---|---|
| Create an Agent Identity Blueprint | AgentIdentityBlueprint.Create |
| Add or remove Blueprint credentials (secrets, certs, FIC) | AgentIdentityBlueprint.AddRemoveCreds.All |
| Create the Blueprint Principal (service principal) | AgentIdentityBlueprintPrincipal.Create |
| Create Agent Identities from a Blueprint | AgentIdentity.ReadWrite.All |
| Read Agent Identities (inventory/audit) | AgentIdentity.Read.All |
Creating blueprints and managing credentials requires the Agent ID Administrator role (or Global Admin for lab/testing). Global Reader returns 403 on all Blueprint and AgentIdentity write endpoints. This is a separate role from standard Entra admin roles β it must be explicitly assigned.
Source: Carlos Suarez (Microsoft) β Entra Agent ID Govern and Secure (April 2026)
Agent identities are subject to the same governance and security controls as human identities. Microsoft Entra provides seven pillars for agent governance β each addressing a distinct layer of the identity security stack.
| # | Pillar | What it does for agents | Key detail |
|---|---|---|---|
| 1 | Conditional Access | Evaluates agent token requests β same Zero Trust enforcement as human users. Applies when an agent identity or agent user account requests a token for any resource. | Does NOT apply to Blueprint token exchanges or Blueprint-to-Graph flows for creating agent identities. Scope by object ID, custom security attributes, Blueprint, or all agent identities. |
| 2 | ID Governance | Lifecycle management for agent identities β access reviews, owner/sponsor assignment, entitlement management, deprovisioning. | Sponsor is required to request or approve Access Packages on behalf of the agent. Without a Sponsor, lifecycle reviews have no accountable party. |
| 3 | Access Packages | Time-bound, reviewable permission grants for agent identities via Entra ID Governance. Define what permissions an agent holds, for how long, and who must approve renewals. | Prevents permanent over-permissioning. Access packages enforce the least privilege principle at the entitlement layer β not just at assignment time but throughout the agent's lifecycle via scheduled reviews. |
| 4 | ID Protection | Automated risk detection across six detection types. Generates Risky Agents report. Risk signals feed directly into CA policies for auto-block on High risk. | Applies to Modern agents (Entra Agent ID) only. Requires Entra P2. |
| 5 | Network Controls | Named locations, compliant network conditions, and Entra Internet Access prompt injection protection at the network layer. | Entra Internet Access prompt injection protection GA March 31 2026 β blocks malicious prompts across apps and agents at the network layer before they reach the model. |
| 6 | Sign-in & Audit Logs | All authentication and actions performed by agent identities are logged in Microsoft Entra ID and viewable in the admin center. Blueprint Principal appears in T1 logs; Agent Identity appears in T2 access token logs. | Deletion of Blueprint Principal severs the audit trail for all child agent identities. Export to Sentinel via Diagnostic Settings for long-term retention and cross-signal correlation. |
| 7 | Consent & Sign-in | Standard OAuth 2.0 consent framework applies. Users control which delegated permissions they grant to agent identities. Admin consent covers application permissions. | Agent entities authenticate as confidential clients only β no redirect URIs, no browser-based flows. Certain high-privilege Graph permissions are blocked for agents by design. |
CA policies control whether an agent can access a resource at a given moment. Access Packages control what permissions the agent holds over time. An agent can pass every CA check and still hold excessive permissions if no Access Package policy governs its entitlements. Use both: CA for real-time access decisions, Access Packages for lifecycle and periodic review of what the agent is authorised to do.
When the InheritDelegatedPermissions property is enabled on an Agent Identity, it can inherit permissions from its parent Blueprint β but within tenant boundaries only. This enables simpler permission management at scale (set permissions once at Blueprint level, all child identities inherit) but increases the blast radius of a compromised Blueprint. Disabled by default. Consider carefully before enabling in production.
Agent identities are always single-tenant, even when the parent Blueprint supports multi-tenancy. Each agent identity belongs to exactly one Blueprint and can only be issued tokens in the tenant where it was created. This is a hard constraint β it cannot be overridden by Blueprint configuration. A multi-tenant Blueprint can create agent identities in multiple tenants, but each identity operates entirely within its own tenant boundary.
Source: Microsoft Learn β Secure Web and AI Gateway for Copilot Studio agents (Preview)
Global Secure Access for agents extends the same network security policies you apply to users to Copilot Studio agent traffic β web content filtering, threat intelligence filtering, and network file filtering. Agent traffic is forwarded to Global Secure Access's globally distributed proxy service and evaluated against your security policies before reaching external resources.
Agent traffic forwarding applies to: HTTP Node traffic, Custom connectors, and MCP Server Connector traffic. This means all three of the most common Copilot Studio external connectivity patterns are in scope β including MCP tool calls.
| Configuration | Detail |
|---|---|
| Where to configure | Power Platform Admin Center β per-environment or per-environment-group basis |
| Policy applied via | Global Secure Access baseline profile β applies at tenant level, consistent across all agent traffic |
| Prerequisite | Microsoft Entra Agent ID (Frontier programme) + M365 Copilot licence |
| Relationship to Entra Internet Access | Global Secure Access is the underlying platform for Entra Internet Access β this extends those controls to agent-initiated outbound traffic, not just user browser traffic |
Microsoft Foundry: Automatically provisions agent identities throughout the agent lifecycle. When the first agent in a Foundry project is created, Foundry provisions a default Blueprint and Agent Identity for the project β agents authenticate via the shared project identity. Publishing an agent automatically creates a dedicated Blueprint and Agent Identity for that agent. Foundry supports Agent ID for authentication in both MCP and A2A tools. Source: Microsoft Learn β ID Governance for Agents.
Azure App Service / Azure Functions: Can be configured to use the Entra Agent Identity Platform to securely connect to resources as an agent. This means existing serverless workloads can gain Agent ID governance without rebuilding. Source: Microsoft Learn β Agent Identity in App Service and Azure Functions.
Copilot Studio auto-assignment: Agents created in Copilot Studio can be configured to automatically be assigned to an agent identity. When an agent identity is first created in a Power Platform environment after enabling this setting, a Copilot Studio agent identity Blueprint and Blueprint Principal are automatically created. Path: Microsoft Learn β Automatically create Entra agent identities for Copilot Studio agents (Preview).
| Control | What It Does | Status | Limitation |
|---|---|---|---|
| Enforce end-user authentication per agent | Require users to authenticate with their own credentials β prevents maker credential blast radius | Available now (Power Platform admin) | Must be set per agent; not default |
| Restrict org-wide sharing | Use Managed Environments to set numerical sharing limits or restrict to security groups | Available now (Managed Environments) | Requires Power Platform admin |
| Detect no-auth agents via KQL | AIAgentsInfo | where UserAuthenticationType == "None" | Available (requires AI Agent Inventory enabled) | AI Agent Inventory requires Defender + Power Platform admin collaboration |
| Detect ownerless agents via KQL | AIAgentsInfo | where isempty(OwnerAccountUpns) | Available (requires AI Agent Inventory enabled) | Same setup requirement |
| Migrate Classic β Modern Agents | Enables Entra security product coverage; requires recreating agents from scratch | Manual only β migration tool not yet available | Impractical at scale; migration tool planned |
| User PAM hygiene | Least-privileged makers β least-privileged agent credentials | Available via PAM tooling | Indirect; does not change the structural authentication problem |
| Entra Workload Identity | App-level service principal scoping for non-Copilot-Studio agents | GA | Not purpose-scoped per agent-instance |
| Defender for Cloud Apps real-time protection | Blocks tool invocations during suspicious prompt activity (XPIA, UPIA) for Copilot Studio agents | Preview Β· requires both Defender + Power Platform admin setup | Complex 3-step setup; if no decision in 1 second, tool executes anyway |