Microsoft Defender: Agent Spans Tenants
Security
Jul 12, 2026 5:13 PM

Microsoft Defender: Agent Spans Tenants

by HubSite 365 about Merill Fernando

Product Manager @ Microsoft 👉 Sign up to Entra.News my weekly newsletter on all things Microsoft Entra | Creator of cmd.ms & idPowerToys.com

Entra Agent ID blueprints can cross tenant boundaries; secure with Entra ID Protection and workload federation

Key insights

  • Agent ID and Agent Blueprint: Microsoft Entra Agent ID separates an agent’s runtime from its identity.
    One blueprint acts as a shared authentication anchor that can create and manage many child agent identities across tenants, making the blueprint part of every consuming tenant’s trust boundary.
  • Blueprint credential blast radius: A single compromised blueprint credential can authenticate as hundreds of agents (commonly cited as up to 250 per tenant) and can be used to cross tenant boundaries.
    The actual impact depends on each child agent’s allowed permissions, not an automatic Global Administrator grant.
  • Cross-tenant compromise attack path: An attacker who controls a blueprint can enumerate agents, request tokens in trusting tenants, inspect agent permissions, add credentials, and create or manage child identities.
    Researchers demonstrated token exchange flows that could produce Temporary Access Passes to bypass MFA in takeover scenarios.
  • Key risk drivers: Vendor-owned or multitenant blueprints, overly broad third-party consent, permissive role assignments, and the use of long-lived client secrets increase exposure.
    Production secrets and credential reuse make compromise easier and more damaging.
  • Mitigations and best practices: Limit blueprint ownership, apply least privilege per agent, group blueprints by risk, and remove or disable unused agent identities.
    Replace client secrets with workload identity federation and choose short-lived credentials where possible.
  • Detect and respond: Improve monitoring of blueprint activity, track token exchange events and abnormal agent behavior, reuse app-registration detection logic, and integrate Entra protection controls into incident playbooks.
    Quick detection and credential revocation reduce the chance of cross-tenant escalation.

Overview of the YouTube discussion

The YouTube episode by Merill Fernando features a deep conversation with Katie Knowles, a Senior Security Researcher at Datadog, about a recent security analysis of Microsoft Entra Agent ID. The video breaks down how a single compromised credential tied to an Agent Blueprint can affect multiple tenants and many agent identities. Merill and Katie walk viewers through the research methods, demonstrate practical abuse paths, and highlight defensive controls that organizations should consider.

Importantly, the hosts stress that the issue is not just theoretical; researchers reproduced cross-tenant attacks and examined real-world privilege escalation techniques. Therefore, the episode serves both as a technical briefing and a call to reassess trust assumptions around multitenant blueprints. As a result, teams that manage cloud identity should pay attention to the operational advice shared in the interview.

How the technology works

Agent ID separates an AI agent’s runtime from its identity by using an Agent Blueprint to issue child Agent Identity objects. Consequently, one blueprint can provision and sign many agents, which simplifies identity lifecycle and orchestration for vendors and large deployments. However, this shared credential model also centralizes trust: the tenant that controls the blueprint effectively becomes part of each consuming tenant’s trust boundary.

Moreover, the blueprint model supports cross-tenant scenarios where a publishing tenant’s credentials authenticate agents in other organizations. This design enables scalability and easier third-party integrations, but it also creates new attack surfaces that differ from traditional single-tenant service principals. Thus, understanding the architectural tradeoffs is key to deciding how to adopt the technology safely.

Key risks and attack patterns

Katie’s research shows that a compromised blueprint credential can expose up to about 250 agent identities per tenant and that attackers can enumerate those agents to find high-value targets. In practice, researchers illustrated cross-tenant token requests, permission inspection, and actions like creating new credentials or invoking privileged roles to escalate access. Consequently, the blast radius is large but not automatic; it depends on the permissions granted to each derived agent identity.

The episode also describes a realistic attack chain where token exchange and Microsoft Graph access were used to issue a Temporary Access Pass, which effectively sidestepped Multi-Factor Authentication and enabled tenant takeover. Because these paths can mimic legitimate automation and third-party behavior, detection becomes difficult and defenders must tune monitoring for subtle signs of misuse. Therefore, defenders should assume that compromise is possible and plan layered responses accordingly.

Tradeoffs and operational challenges

Adopting Agent ID brings clear operational advantages, including unified management and easier credential rotation across many agents, yet those benefits come with a steeper risk profile in multitenant setups. For instance, centralizing credential issuance simplifies deployments but also concentrates power in the publishing tenant; this makes the publishing tenant’s security posture a de facto dependency for all consumers. Thus, organizations must balance convenience with increased exposure when they choose blueprint ownership models.

Another challenge is credential selection: using long-lived client secrets offers simplicity but magnifies risk if leaked, whereas workload identity federation reduces secret exposure but adds configuration complexity. Additionally, detection strategies must evolve because agents often act like first-party applications, which complicates alerts and response playbooks. Therefore, teams must weigh ease of use against long-term security and operational overhead.

Mitigations and recommended controls

The video recommends several practical controls to limit blast radius, including strict blueprint ownership policies, limiting per-agent permissions, grouping blueprints by risk level, and stopping the use of production client secrets where possible. In addition, defenders should apply least privilege to each agent, monitor for unusual credential creation and token exchange events, and use Entra protection features to flag risky behaviors. These steps reduce the chance that a single compromised blueprint leads to widespread compromise.

Furthermore, the hosts emphasize incident readiness: plan for how to disable or rotate blueprints quickly, detect anomalous agent activity, and respond to cross-tenant abuse. They also suggest reusing existing app-registration detections and tuning them for agent-specific patterns. Consequently, combining proactive configuration with improved detection and rapid remediation offers the most practical path to lowering risk.

Implications for organizations

Overall, the episode delivers a clear message: Agent ID can improve AI scale and manageability, but it requires intentional security design to avoid creating a large, multitenant attack surface. Organizations should audit any third-party blueprints they trust, minimize shared credential exposure, and adopt federated identity where feasible. By doing so, teams can keep the operational benefits while reducing the threat of cross-tenant compromise.

Finally, Merill’s interview with Katie Knowles highlights the ongoing tension between innovation and security in cloud identity. As vendors and customers deploy agent-based services, they must balance agility against robust access controls, monitoring, and incident plans. In short, the technology holds promise, yet it demands careful governance to prevent a single compromise from cascading across many tenants.

Security - Microsoft Defender: Agent Spans Tenants

Keywords

compromised agent blueprint, cross-tenant breach, tenant boundary bypass, cross-tenant lateral movement, multi-tenant security risk, Azure AD compromise, agent-based persistence, identity and access compromise