Microsoft Entra: AI Agents, Zero Trust
Product Manager @ Microsoft 👉 Sign up to Entra.News my weekly newsletter on all things Microsoft Entra | Creator of cmd.ms & idPowerToys.com
Microsoft Entra secures AI agents with Conditional Access block, Defender and Purview in a Zero Trust identity model
Key insights
- AI agents are now a core insider threat risk because they act faster than humans and can move laterally without the delay that once helped defenders.
Plan for rapid, automated decisions rather than assuming human-like latency will protect resources. - Agent ID in Entra makes agents first-class identities you can inventory, monitor, and manage across their lifecycle.
Treat agent identities like user accounts: register them, control credentials, and retire them when no longer needed. - Conditional Access can now target agent identities directly, using the same grant/block/challenge model as for users.
Microsoft recommends block as the safe default for risky agents and to validate policies in report-only mode before enforcing. - A unified risk model links Entra, Defender, and Purview so identity, device, and data signals inform access decisions.
Continuous Access Evaluation can interrupt ongoing agent sessions when risk changes in real time. - New attack and usability issues include indirect prompt injection, a missing agent challenge state, and LLMs suggesting insecure defaults like the device code flow for automated access.
Audit agent workflows and fix unsafe authorization patterns. - Immediate actions for admins (next 3–6 months): discover agents centrally, scope Conditional Access to agent types, use the Conditional Access optimization agent and phased rollout with report-only testing, and block high-risk agents while monitoring signals.
Video summary: what Merill Fernando reported
In a recent YouTube episode hosted by Merill Fernando, Microsoft identity veteran Nikhil Boreddy explains how Microsoft Entra is evolving to secure AI agents. The conversation frames agents as nonhuman identities that can act fast and at scale, and it argues that traditional identity defenses need updates. Consequently, Microsoft is extending its identity controls to include agent-specific capabilities.
Fernando and Boreddy detail how Entra, Conditional Access, Microsoft Defender, and Purview work together to detect and act on agent risk. They emphasize that securing agents is a priority because agents can bypass latency-based protections that once helped detect insider threats. Therefore, organizations must rethink policies and operational controls to cover this new threat class.
Agent identities and the Zero Trust shift
Microsoft now treats agents as first-class identities through an effort called Agent ID, which lets administrators identify, inventory, and apply policies to nonhuman actors. This approach aligns with Zero Trust principles by verifying each request explicitly and applying least privilege, even for automated processes. As a result, organizations can centralize lifecycle management for agents and reduce the so-called “shadow AI” that arises from ad hoc scripts and services.
Moreover, Identity Protection feeds risk signals into the policy engine so that anomalous agent activity can trigger remediation or restrictions. This unified view helps teams correlate identity, endpoint, and data signals rather than treating each silo separately. In practice, that means risk scoring can influence access decisions across the estate.
Conditional Access and the "block" recommendation
A central takeaway from the video is that the current default control for high-risk or unknown agents is to block access. Microsoft recommends using a conservative stance because agents cannot respond to interactive challenges the way humans do, and they may execute harmful actions quickly. Thus, blocking reduces the chance of an agent compromising resources while teams investigate.
However, the panel also warns about operational tradeoffs. Blocking agents outright can disrupt legitimate automation and business workflows, so administrators should first run policies in report-only mode and use phased rollouts. This testing reduces false positives and allows teams to scope rules carefully before enforcement.
Technical challenges and tradeoffs
The discussion highlights several technical challenges that make agent governance complex. For example, agents lack a standard “challenge” state, so mechanisms like multi-factor prompts do not map cleanly to automated actors, which forces architects to choose between blocking and weakening controls. Therefore, designers must balance security and availability when selecting controls for agentic identities.
Other issues include indirect prompt injection and insecure defaults suggested by some large language models, such as recommending device code flows that expose tokens. To counter this, Microsoft is emphasizing a unified risk model across Entra, Defender, and Purview and using continuous access evaluation to interrupt in-motion sessions when risk changes. Still, implementing these measures requires careful coordination across identity, endpoint, and data teams, which can be resource intensive.
Practical steps for Entra admins and CISOs
Boreddy and Fernando offer concrete advice for IT leaders who are planning for agent governance in the next 3–6 months. First, teams should inventory their agentic identities and move toward centralized registration so they can monitor and manage lifecycle states. Next, administrators should test Conditional Access rules in report-only mode and leverage tools like the What If simulator to validate impact before enforcement.
Additionally, organizations should adopt a phased rollout that prioritizes high-risk targets and integrate signals from Defender and Purview into a unified decision model. While these steps increase operational overhead initially, they reduce the chance of breaking critical automation and improve long-term security posture by preventing compromise at machine scale.
Conclusion: balancing protection and continuity
The YouTube episode by Merill Fernando frames agent security as an urgent but manageable challenge. On one hand, treating agents as identities and using a Zero Trust approach improves control and visibility. On the other hand, defaulting to block can disrupt automation, so teams must test and roll out controls carefully to avoid preventing legitimate work.
Ultimately, the video stresses that organizations should act now: inventory agents, apply centralized policies, and adopt a phased, report-first approach to enforcement. By balancing strict controls with careful validation, teams can secure agent activity while preserving the business benefits of automation.
Keywords
Microsoft Entra AI security, Entra conditional access for AI agents, Zero Trust AI agents Microsoft, Securing AI agents in Entra, Conditional Access policies for AI, Block debate AI agents Entra, Microsoft AI agent security best practices, Entra autonomous agent security