Key insight

An agent identity is not a user account with a robot label, nor an application registration renamed. It is a distinct construct with its own anatomy: an identifier, no credentials of its own (it borrows tokens through its blueprint), a display name, a human sponsor who is accountable for it, the blueprint it was stamped from, and an optional paired agent’s user account for systems that demand one. Those six parts are precisely what make an agent governable at scale — and what a user account or app registration cannot provide.

When something acts inside your systems, an identity system has to answer one question: who or what is this, and what is it allowed to do? For decades there were only two possible answers — a person or a program. AI agents are a genuine third answer, and Microsoft Entra now has a purpose-built identity type for them. To use it well, you need to know what one is actually made of, and how it differs from the two you already know. That is this whole article.

1 · Three identity types, one question

An identity, in this context, is a record in the directory that stands for something that can act, together with what that something is allowed to do. Microsoft Entra — Microsoft’s identity service — has long recognised two kinds:

An agent identity is the third kind. Microsoft defines it plainly: “An account used by an AI agent is referred to as an agent identity.” It exists because an agent is neither a person nor a fixed program — it decides for itself — so it needs an identity shaped around autonomy, accountability, and scale. The rest of this article opens one up.

2 · The anatomy of an agent identity

Microsoft describes an agent identity as having a small set of key components. Here they are, each in plain terms:

The six parts of an agent identity radiating from a central agent A central box labelled Agent identity is surrounded by six labelled parts: identifier (object ID), no credentials of its own, display name, sponsor (accountable human), blueprint (template), and an optional agent's user account. Agent identityone non-human actor Identifierunique object ID No own credentialsborrows tokens Display name Sponsor (human) Blueprintthe template User accountoptional, 1:1
Figure 1. An agent identity has six parts. Five are always present; the sixth — a paired user account — is added only when an agent must sign in to systems that require one. The most consequential part is what it lacks: credentials of its own.

3 · The biggest difference: no credentials of its own

Of all six parts, one reshapes how you should think about agents: an agent identity holds no credential of its own. A user account has a password. A normal application registration has its own secret or certificate. An agent identity has neither. When it needs a token — a short-lived digital pass that proves it may act — it obtains one through its blueprint, which acquires tokens on its behalf.

Why is that a security improvement rather than a limitation? Because a long-lived secret sitting with each of thousands of agents is exactly the thing attackers hunt for. If every agent carried its own permanent password, you would have thousands of permanent keys scattered across the environment, each one a target and each one easy to forget. By having agents borrow short-lived tokens through a shared, governed template instead of holding standing secrets, the design removes that sprawling pile of keys. The agent still acts; it simply does not hoard the means to act when it is idle.

The plain version

A user keeps a password. A normal app keeps a secret. An agent keeps nothing — it asks its blueprint for a temporary pass each time it acts. Fewer standing secrets means fewer things for an attacker to steal.

A person is accountable for their own actions. An agent cannot be — it is software. So an agent identity records a sponsor: a human user or group that is accountable for it. Microsoft describes the sponsor as recording “the human user or group that’s accountable for an agent,” used for purposes such as contacting a responsible human if a security incident happens.

This single field quietly solves a problem that agent sprawl creates. When an unfamiliar agent turns up doing something odd, the first question is always “whose is this, and who do we call?” Without a sponsor, the answer is a shrug. With one, every agent traces back to a named human who owns its behaviour. Accountability is not a nice-to-have here; it is what turns an anonymous non-human actor into a governed member of the organisation.

5 · The optional agent’s user account

Most agents never need this part, but it is worth understanding because it prevents a common confusion. Some systems are built to accept only a Microsoft Entra user account for sign-in — they simply do not know how to talk to any other kind of identity. For an agent that must reach such a system, Microsoft allows a second, paired account called an agent’s user account: a real user account in the directory that is “decorated as an AI agent.” It has a different identifier from the agent identity, but the two are always kept in a strict one-to-one relationship.

Two things make this safe rather than a loophole. First, it is marked as an agent, so it is never mistaken for an ordinary employee in reports or reviews. Second, the one-to-one pairing means each such user account belongs to exactly one agent identity — there is no shared, floating account that several agents hide behind. It is a compatibility bridge to older systems, built so the agent still shows up as what it truly is.

Why not just give every agent a user account?

Because a user account assumes a human with a password — the very model that does not fit an autonomous actor. The agent’s user account is a narrow bridge for systems that demand one, always paired one-to-one and always marked as an agent, not the default way agents are represented.

6 · Side by side: agent vs user vs application

Put the three together and the distinctions become a simple table you can carry with you.

Three columns comparing user account, application registration, and agent identity Three labelled columns. User account: represents a person, holds its own password, assumes a human present. Application registration: represents software, holds its own secret, assumes fixed behaviour. Agent identity: represents an autonomous agent, holds no credential of its own, always has a human sponsor and a blueprint. User account represents a person holds its own password assumes a human is present accountable = itself App registration represents software holds its own secret assumes fixed behaviour accountable = its owner Agent identity represents an autonomous agent holds NO credential of its own borrows tokens via a blueprint always has a human sponsor
Figure 2. The three identity types at a glance. The agent identity is the only one that holds no credential of its own and always carries a human sponsor — the two properties that make agents governable at scale.

Read down the third column and you can see the whole design intent. An agent identity assumes an actor that decides for itself, so it does not pretend a human is holding a password. It holds no standing secret, so there is nothing to steal when it is idle. It always names a human sponsor, so accountability never goes missing. And it is stamped from a blueprint, so thousands of agents can share consistent policy. None of those properties belong to a user account or an app registration — which is exactly why a third identity type had to exist.

7 · Glossary — every short-form term, spelled out

Identity
A directory record that stands for something which can act, together with what it is allowed to do.
User account
The identity type for a person; holds its own credentials and assumes a human is present.
Application registration (app registration)
The identity type for a piece of software; holds its own secret and assumes fixed, pre-written behaviour.
Agent identity
The identity type for an AI agent — an account used by an autonomous agent, shaped for accountability and scale.
Identifier (object ID)
The unique code Microsoft Entra generates to name one identity inside a directory.
Credentials
The secrets that prove an identity is who it claims to be — a password, a code, a certificate, or an application secret.
Token
A short-lived digital pass that proves an identity is currently allowed to perform an action.
Blueprint (agent identity blueprint)
A reusable template that an agent identity is created from; it sets the agent’s kind, shared policy, and acquires tokens on the agent’s behalf.
Sponsor
The human user or group recorded as accountable for an agent — the person to contact if it misbehaves.
Agent’s user account
An optional second, real user account paired one-to-one with an agent identity and marked as an agent, for systems that accept only a user account.
Display name
The human-friendly name of an identity, shown across admin and productivity experiences.
Key takeaways

An identity answers one question: who or what is acting, and what may it do? There are now three answers — user, application, and agent.
An agent identity has six parts: an identifier, no credentials of its own, a display name, a human sponsor, a blueprint, and an optional paired user account.
The defining property is that it holds no standing secret — it borrows short-lived tokens through its blueprint, removing a pile of keys attackers would otherwise hunt.
The sponsor keeps every agent tied to an accountable human, which is what tames agent sprawl.
The optional agent’s user account is a narrow, one-to-one bridge for systems that accept only a user account — always marked as an agent.
A user account and an app registration cannot provide these properties, which is exactly why agents needed a purpose-built third identity type.

References

  1. Microsoft Learn, Agent identities in Microsoft Entra Agent ID — anatomy of an agent identity. learn.microsoft.com
  2. Microsoft Learn, What are agent identities. learn.microsoft.com
  3. Microsoft Learn, Microsoft Entra Agent ID key concepts. learn.microsoft.com
  4. Microsoft Learn, Owners, sponsors, and managers of agent identities. learn.microsoft.com