
Block access for high-risk agent's user account

An agent's user account is a specialized identity type provided by Microsoft Entra Agent ID. This identity type is designed to bridge the gap between agents and human user capabilities. The agent's user account enables AI-powered applications to interact with systems and services that require user identities, while maintaining appropriate security boundaries and management controls. It allows organizations to manage the agent's access using similar capabilities as they do for human users.

In contrast to the on-behalf-of flow, where an agent operates within the delegated context of a signed-in user, an agent's user account is itself a user, functioning as a digital worker. For example, digital employees can act as team members with their own mailboxes and chat access, and participate in collaborative workflows alongside human colleagues.

In this model, an admin creates a user account in the directory and links it to the agent's identity. From there, it’s like any other user account. Licenses can be assigned to access Microsoft 365 resources such as mailbox and calendars, and the account can be added to administrative units and security groups just like a human user account.

Conditional Access works differently in this model. The access token is issued to the agent's user account (it is the token subject), and the policy is evaluated against that same user account. Today, you can target this with a single scope: "all agents acting as a user."

Important

Before configuring a Conditional Access policy, read the Conditional Access for agent identities article. It covers the authentication flow, service boundaries, and limitations to ensure you cover all scenarios and your corporate data and services are well protected.

Create a Conditional Access policy

Follow these steps to configure a Conditional Access policy that applies to all agents' user accounts, blocking access to any resource when their identity is at risk.

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Entra ID > Conditional Access > Policies.
  3. Select New policy.
  4. Give your policy a name. Create a meaningful standard for the names of your policies.
  5. Under Assignments, select Agents.
  6. Choose Select agents active as users, and then select All agents' user accounts.
  7. Under Target resources, select All resources.
  8. Under Conditions, select the Agent risk level required for the policy to be enforced.
  9. Under Access controls > Grant, select Block access.
  10. Confirm your settings and set Enable policy to Report-only.
  11. Select Create to enable your policy.

After confirming your settings using policy impact or report-only mode, move the Enable policy toggle from Report-only to On.

Investigating policy evaluation using sign-in logs

Admins can use the Sign-in logs to investigate why a Conditional Access policy did or didn't apply, as explained in Microsoft Entra sign-in events. Sign-ins by agents' user accounts appear under User sign-ins (non-interactive).
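The following added example (not part of this article or of Microsoft's tooling) shows how an admin might triage exported sign-in records while the policy is still in report-only mode: it counts how the policy evaluated per sign-in and lists the high-risk sign-ins it would have blocked but did not. It assumes the field names of the Microsoft Graph `signIn` resource (`appliedConditionalAccessPolicies`, `riskLevelDuringSignIn`, `conditionalAccessStatus`); the policy name and the sample records are constructed.

```python
from collections import Counter

# Assumed display name of the policy created by the steps above.
POLICY_NAME = "Block high-risk agent user accounts"

# Constructed sample records shaped like Microsoft Graph signIn objects;
# only the fields this script reads are included.
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "agent-01@contoso.example",
     "riskLevelDuringSignIn": "high", "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": POLICY_NAME, "result": "reportOnlyFailure"}]},
    {"id": "s2", "userPrincipalName": "agent-01@contoso.example",
     "riskLevelDuringSignIn": "none", "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": [
         {"displayName": POLICY_NAME, "result": "reportOnlyNotApplied"}]},
    {"id": "s3", "userPrincipalName": "agent-02@contoso.example",
     "riskLevelDuringSignIn": "high", "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": POLICY_NAME, "result": "failure"}]},
]


def policy_results(signins, policy_name):
    """Count how often each evaluation result was recorded for one policy."""
    counts = Counter()
    for s in signins:
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p.get("displayName") == policy_name:
                counts[p.get("result", "unknown")] += 1
    return dict(counts)


def unblocked_risky_signins(signins, policy_name):
    """Return ids of high-risk sign-ins that the policy did not block.

    In report-only mode the policy logs reportOnlyFailure while the sign-in
    still succeeds; those are the cases to review before switching it On.
    """
    found = []
    for s in signins:
        if s.get("riskLevelDuringSignIn") != "high":
            continue
        results = {p.get("result") for p in s.get("appliedConditionalAccessPolicies", [])
                   if p.get("displayName") == policy_name}
        if "failure" not in results:
            found.append(s["id"])
    return found
```

Against real data, replace SAMPLE_SIGNINS with records fetched from the Graph sign-in log and keep the filter on your policy's display name.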