Microsoft Entra Agent ID is now generally available. This release brings first-class identity and access management to AI agents, enabling organizations to authenticate, authorize, govern, and protect agent identities at enterprise scale. Microsoft Entra Agent ID extends Zero Trust principles to AI workloads with purpose-built identity constructs, specialized OAuth flows, and comprehensive security controls.
This article summarizes the key capabilities and documentation currently available.
Manage AI agents at scale
Microsoft Entra Agent ID introduces new identity constructs and authentication protocols designed specifically for AI agents. Notable updates include:
- Key concepts - New concepts added to further define core agent identity concepts and their relationships.
- Administrative relationships - Deeper definitions and clarified differences between owners, sponsors, and managers of agent identities, blueprints, and agents' user accounts.
- Design patterns (New) - Common architectural patterns for agent identity deployments.
- Best practices (New) - Recommended approaches for agent identity management.
- Plan your agent identity architecture (New) - Guidance for planning agent identity deployment at scale.
- Create an agent identity blueprint and Create an agent identity (Preview) - Use the new "wizard" to create agent identity blueprints and agent identities in the Microsoft Entra admin center.
- AI-guided setup (New) - Automate onboarding with an AI coding agent that walks you through blueprint creation, credential configuration, and agent identity provisioning.
- Agent identity deletion (New) - Learn about the automated cascade cleanup process and soft-delete functionality for agent identities.
- Authentication with the Auth SDK (sidecar) (New) - Overview of the sidecar pattern for agent authentication.
- Configure Entra ID Auth SDK (sidecar) for agent identities - SDK configuration for token acquisition.
- Run the sidecar for local development (New) - Local development setup for the Auth SDK.
- Validate agent tokens in a downstream API (New) - Token validation guidance for APIs that receive agent tokens.
- Configure non-Microsoft agents with Agent ID (New) - Integration patterns (sidecar and federation) for platforms like AWS, GCP, and n8n.
- Secure an Amazon Bedrock agent (New) - Step-by-step guide for securing Bedrock agents with Agent ID.
- Secure an n8n agent (New) - Deploy n8n on Azure with Agent ID integration.
- Migrate custom app registrations (New) - Move agents that use standard app registrations to Agent ID.
- Migrate Copilot Studio agents (New) - Move Microsoft Copilot Studio agents to Agent ID.
To simplify agent management across the enterprise, agent registry experiences are converging under Microsoft Agent 365. This change gives customers one place to discover and manage all agents, while Microsoft Entra continues to provide the identity foundation through Agent ID. For more information, see Agent Registry convergence with Microsoft Agent 365.
Govern agent identities and lifecycle
Microsoft Entra ID Governance extends lifecycle and access management capabilities to agent identities:
- Governing agent identities overview - Overview of how Microsoft Entra governs agent identity lifecycle and access.
- Access packages for agent identities - Govern agent access through policy-based access packages and permission assignment for both on-behalf-of (OBO) and autonomous (non-OBO) scenarios.
- Sponsor lifecycle workflows (New) - Automate sponsor maintenance and reassignment for agent blueprints and agent identities.
- Manage your agent identities (New) - View and control agent identities you own or sponsor.
- Agent identity sponsor templates (New) - Two new lifecycle workflow templates that notify managers and cosponsors and automatically transfer sponsorship when an agent identity sponsor changes roles or leaves the organization, to prevent orphaned agents.
Protect agent access to resources
Conditional Access and ID Protection features extend Microsoft Entra Agent ID to help secure agent identities and their access to resources:
- Conditional Access for agents (Updated) - Improved guidance and detailed scenarios for Conditional Access policies, plus new templates for agent-specific policies.
- Block access for high-risk agent identities (New) - Conditional Access template to block sign-ins from risky agent identities.
- Autonomous agent access policy (New) - Conditional Access template for autonomous agents without user context.
- On behalf of agent access policy (New) - Conditional Access template for agents acting on behalf of users.