Conditional Access for agents operating on-behalf-of a user in Microsoft Entra

Use this guide to configure Conditional Access for agents operating on behalf of a user. This flow is commonly referred to as OBO (On-Behalf-Of). In this model, a user signs into an agent application and receives an access token. When the agent needs to access a downstream resource, such as Microsoft Graph, the Work IQ MCP server, or any other service, it can't reuse that token, because the token was issued for the agent application itself (its audience and permission scope are the agent's, not the downstream resource's). Instead, the agent uses the OBO flow to exchange the inbound token for a new token scoped to the target resource. If the agent needs to call multiple resources, for example, two different MCP servers, it may obtain a separate token for each one.

In the on-behalf-of flow, the scope of a Conditional Access policy includes users, not agent identities. Users and groups can be included in or excluded from Conditional Access policies. Microsoft Entra ID evaluates all applicable policies and ensures all requirements are met before granting access.
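The following Python is an added example, not Microsoft's code or a library API, showing the agent side of the flow described above: the inbound token is checked to have been issued for the agent (its audience), then exchanged per downstream resource with the documented OBO token-endpoint parameters (`grant_type` of `urn:ietf:params:oauth:grant-type:jwt-bearer`, `assertion`, `scope`, `requested_token_use=on_behalf_of`), with one cached token per user and resource. The token endpoint is a constructed stand-in injected as a callable, so the example runs offline; it also mimics the effect of a user-scoped Conditional Access policy that requires MFA by refusing the exchange when the user's `amr` claim lacks `mfa`. All tokens are constructed, unsigned samples, and the application identifiers are made up.

```python
"""Agent-side on-behalf-of (OBO) token handling.

Added example, not Microsoft's code. The token endpoint parameters
(grant_type, assertion, requested_token_use, scope) are the documented
Microsoft identity platform OBO parameters; the HTTP exchange is injected
as a callable so the example runs offline, and all tokens are constructed,
unsigned samples used only to read claims.
"""
import base64
import json
from typing import Callable, Dict

OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TokenEndpoint = Callable[[Dict[str, str]], Dict[str, str]]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token (alg=none) for this example only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def read_claims(token: str) -> dict:
    """Decode the payload without verifying. Signature validation is the
    receiving resource's job; this routing code only needs aud/oid/amr."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def build_obo_request(client_id: str, client_secret: str,
                      inbound_token: str, scope: str) -> Dict[str, str]:
    """Form body for POST /{tenant}/oauth2/v2.0/token in the OBO flow."""
    return {
        "grant_type": OBO_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": inbound_token,   # the user's token issued to the agent
        "scope": scope,               # e.g. https://graph.microsoft.com/.default
        "requested_token_use": "on_behalf_of",
    }


class OboTokenBroker:
    """Obtains one downstream token per (user, resource); the inbound token
    itself is never forwarded to a downstream service."""

    def __init__(self, agent_app_id: str, client_secret: str, endpoint: TokenEndpoint):
        self.agent_app_id = agent_app_id
        self.client_secret = client_secret
        self.endpoint = endpoint
        self._cache: Dict[tuple, str] = {}

    def token_for(self, inbound_token: str, resource: str) -> str:
        claims = read_claims(inbound_token)
        # The inbound token must have been issued *to* this agent (audience).
        if claims.get("aud") != self.agent_app_id:
            raise ValueError("inbound token was not issued for this agent")
        key = (claims["oid"], resource)
        if key not in self._cache:
            body = build_obo_request(self.agent_app_id, self.client_secret,
                                     inbound_token, f"{resource}/.default")
            reply = self.endpoint(body)
            if "access_token" not in reply:
                raise PermissionError(reply.get("error", "token_request_failed"))
            # Defensive check: the new token is scoped to the requested resource.
            if read_claims(reply["access_token"]).get("aud") != resource:
                raise ValueError("token endpoint returned a token for another audience")
            self._cache[key] = reply["access_token"]
        return self._cache[key]


def simulated_token_endpoint(body: Dict[str, str]) -> Dict[str, str]:
    """Constructed stand-in for the Entra token endpoint. It mimics a
    user-scoped Conditional Access policy requiring MFA: the user's amr
    claim must include 'mfa' or the exchange is refused."""
    if body.get("grant_type") != OBO_GRANT or body.get("requested_token_use") != "on_behalf_of":
        return {"error": "invalid_grant"}
    user = read_claims(body["assertion"])
    if "mfa" not in user.get("amr", []):
        return {"error": "interaction_required"}
    resource = body["scope"].removesuffix("/.default")
    return {"access_token": make_sample_jwt(
        {"aud": resource, "oid": user["oid"], "amr": user["amr"], "scp": "user_impersonation"})}


AGENT_APP_ID = "api://example-agent"          # constructed identifiers
GRAPH = "https://graph.microsoft.com"
MCP_SERVER = "api://example-mcp-server"


def demo() -> dict:
    """Exchange one inbound user token for two resource-specific tokens."""
    broker = OboTokenBroker(AGENT_APP_ID, "example-secret", simulated_token_endpoint)
    inbound = make_sample_jwt({"aud": AGENT_APP_ID, "oid": "user-1", "amr": ["pwd", "mfa"]})
    graph_token = broker.token_for(inbound, GRAPH)
    mcp_token = broker.token_for(inbound, MCP_SERVER)
    return {
        "graph_aud": read_claims(graph_token)["aud"],
        "mcp_aud": read_claims(mcp_token)["aud"],
        "distinct": graph_token != mcp_token,
        "cached": broker.token_for(inbound, GRAPH) is graph_token,
    }


if __name__ == "__main__":
    print(demo())
```

In a real agent the injected callable would POST the form body to the tenant's `/oauth2/v2.0/token` endpoint, and a refused exchange (the policy not being satisfied for that user) should surface to the user as a re-authentication prompt rather than being retried with the inbound token.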

Important

Before configuring a Conditional Access policy, read the Conditional Access for agent identities article. It covers the authentication flow, service boundaries, and limitations to ensure you cover all scenarios and your corporate data and services are well protected.

Create a Conditional Access policy

Follow these steps to create a Conditional Access policy that requires multifactor authentication strength to access corporate resources:

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.

  2. Browse to Entra ID > Conditional Access > Policies.

  3. Select New policy.

  4. Give your policy a name. Create a meaningful standard for the names of your policies.

  5. Under Assignments, select Users or workload identities.

    1. Under Include, select All users.
    2. Under Exclude:
      1. Select Users and groups
        1. Choose your organization's emergency access or break-glass accounts.
        2. If you use hybrid identity solutions like Microsoft Entra Connect or Microsoft Entra Connect Cloud Sync, select Directory roles, then select Directory Synchronization Accounts.
      2. You might choose to exclude your guest users if you're targeting them with a guest user specific policy.
  6. Under Target resources > Resources (formerly cloud apps) > Include, select the resources the agent may access.

    Tip

    Microsoft recommends that all organizations create a baseline Conditional Access policy that targets all users and all resources, without any app exclusions, and requires multifactor authentication.

  7. Under Access controls > Grant, select Grant access.

    1. Select Require authentication strength, then select the built-in Multifactor authentication strength from the list.
    2. Select Select.
  8. Confirm your settings and set Enable policy to Report-only.

  9. Select Create to enable your policy.

After confirming your settings using policy impact or report-only mode, move the Enable policy toggle from Report-only to On.
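As an added example that is not part of the original article or Microsoft's tooling, the following Python expresses the policy built in the steps above as a Microsoft Graph `conditionalAccessPolicy` request body (all users included; break-glass accounts and the Directory Synchronization Accounts role excluded; target resources; the built-in multifactor authentication strength as the grant control; report-only state first), and adds a check that reports where a policy deviates from the baseline in the tip (all users, all resources, no app exclusions, MFA) or omits the break-glass exclusion. The field names are those of the Graph `conditionalAccessPolicy` resource; the user, role-template and authentication-strength IDs are placeholders to be replaced with the tenant's own values, and `agent_obo_policy`, `baseline_findings` and `requires_mfa` are names chosen for this example.

```python
"""Agent OBO Conditional Access policy as a Microsoft Graph conditionalAccessPolicy
body, with a check against the recommended baseline.

Added example, not Microsoft's code. Field names follow the Graph
conditionalAccessPolicy resource; the IDs below are placeholders for the
tenant's own values. The policy targets users, not agent identities, as the
OBO flow requires.
"""
from typing import Dict, List

# Placeholders: replace with the tenant's own object and role-template IDs.
BREAK_GLASS_ACCOUNTS = ["<break-glass-user-object-id>"]
DIRSYNC_ROLE_TEMPLATE_ID = "<Directory Synchronization Accounts role template id>"
# Placeholder: look up the built-in strength via GET /policies/authenticationStrengthPolicies.
MFA_STRENGTH_ID = "<built-in Multifactor authentication strength id>"


def agent_obo_policy(name: str, resources: List[str], report_only: bool = True) -> Dict:
    """Body for POST /identity/conditionalAccess/policies mirroring the steps above."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {
                "includeUsers": ["All"],                      # step 5: include all users
                "excludeUsers": list(BREAK_GLASS_ACCOUNTS),   # step 5: break-glass exclusion
                "excludeRoles": [DIRSYNC_ROLE_TEMPLATE_ID],   # step 5: hybrid sync accounts
            },
            "applications": {
                "includeApplications": resources,             # step 6; ["All"] for the baseline
                "excludeApplications": [],
            },
        },
        "grantControls": {                                    # step 7: authentication strength
            "operator": "OR",
            "authenticationStrength": {"id": MFA_STRENGTH_ID},
        },
    }


def requires_mfa(policy: Dict) -> bool:
    """True if the grant control is an authentication strength or the built-in MFA control."""
    grant = policy.get("grantControls") or {}
    strength = grant.get("authenticationStrength") or {}
    return bool(strength.get("id")) or "mfa" in (grant.get("builtInControls") or [])


def baseline_findings(policy: Dict) -> List[str]:
    """Deviations from the baseline (all users, all resources, no app exclusions,
    MFA, enforced) plus the break-glass exclusion the steps call for."""
    findings: List[str] = []
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {})
    apps = conditions.get("applications", {})
    if policy.get("state") != "enabled":
        findings.append("policy is not enforced (state != enabled)")
    if users.get("includeUsers") != ["All"]:
        findings.append("does not target all users")
    if apps.get("includeApplications") != ["All"]:
        findings.append("does not target all resources")
    if apps.get("excludeApplications"):
        findings.append("has application exclusions")
    if not requires_mfa(policy):
        findings.append("does not require multifactor authentication")
    if not set(BREAK_GLASS_ACCOUNTS) <= set(users.get("excludeUsers", [])):
        findings.append("break-glass accounts are not excluded")
    return findings


if __name__ == "__main__":
    draft = agent_obo_policy("CA-Agents-OBO-MFA", ["All"])
    print(baseline_findings(draft))   # report-only draft: one finding, the state
    print(baseline_findings(agent_obo_policy("CA-Agents-OBO-MFA", ["All"], report_only=False)))
```

Running `baseline_findings` over the policies exported from `GET /identity/conditionalAccess/policies` gives a quick way to see which ones still sit in report-only after the impact review, or which narrowed the resource scope or dropped the break-glass exclusion.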

In the On-Behalf-Of (OBO) flow, Conditional Access policy enforcement is scoped to users. The agent identities are not subject to these policies directly. The following Conditional Access policies can serve as a baseline for implementing Zero Trust access controls across your organization's resources.

Investigating policy evaluation using sign-in logs

Admins can use the sign-in logs to investigate why a Conditional Access policy did or didn't apply, as explained in Microsoft Entra sign-in events. Token exchanges in the OBO flow appear under User sign-ins (non-interactive).