Key insight
An agent identity is not a user account with a robot label, nor an application registration renamed. It is a distinct construct with its own anatomy: an identifier, no credentials of its own (it borrows tokens through its blueprint), a display name, a human sponsor who is accountable for it, the blueprint it was stamped from, and an optional paired agent’s user account for systems that demand one. Those six parts are precisely what make an agent governable at scale — and what a user account or app registration cannot provide.
When something acts inside your systems, an identity system has to answer one question: who or what is this, and what is it allowed to do? For decades there were only two possible answers — a person or a program. AI agents are a genuine third answer, and Microsoft Entra now has a purpose-built identity type for them. To use it well, you need to know what one is actually made of, and how it differs from the two you already know. That is this whole article.
1 · Three identity types, one question
An identity, in this context, is a record in the directory that stands for something that can act, together with what that something is allowed to do. Microsoft Entra — Microsoft’s identity service — has long recognised two kinds:
- A user account represents a person. It has a sign-in name, a password, and usually a second proof such as a one-time code — together called credentials, the secrets that prove you are you. It assumes a human is present and choosing each action.
- An application registration (often shortened to app registration) represents a piece of software so it can call services on its own. It has its own credential — typically a secret or certificate — and it assumes fixed, pre-written behaviour.
An agent identity is the third kind. Microsoft defines it plainly: “An account used by an AI agent is referred to as an agent identity.” It exists because an agent is neither a person nor a fixed program — it decides for itself — so it needs an identity shaped around autonomy, accountability, and scale. The rest of this article opens one up.
2 · The anatomy of an agent identity
Microsoft describes an agent identity as having a small set of key components. Here they are, each in plain terms:
- Identifier. Every agent identity has an
id, also called an object ID — a long unique code such asaaaaaaaa-1111-2222-3333-bbbbbbbbbbbb. Microsoft Entra generates it, and it uniquely names this one agent inside the organisation’s directory. - Credentials. Here is the headline: agent identities “don’t have credentials of their own.” They rely on the agent identity blueprint to acquire tokens on their behalf. (Section 3 unpacks why this is such a big deal.)
- Display name. The human-friendly name shown across many experiences — the admin centre, the Azure portal, Teams, Outlook, and more. It can be changed, and it is how people recognise the agent.
- Sponsor. A human user or group recorded as accountable for the agent — used, for example, to contact a responsible person if a security incident happens. (Section 4.)
- Blueprint. Every agent identity is created from a reusable template called an agent identity blueprint, which establishes the kind of agent and records metadata shared across all agent identities of that kind.
- Agent’s user account (optional). Some agents must access systems that strictly require a Microsoft Entra user account to authenticate. Such an agent can be given a second account — a real user account “decorated as an AI agent” — always in a one-to-one relationship with the agent identity. (Section 5.)
3 · The biggest difference: no credentials of its own
Of all six parts, one reshapes how you should think about agents: an agent identity holds no credential of its own. A user account has a password. A normal application registration has its own secret or certificate. An agent identity has neither. When it needs a token — a short-lived digital pass that proves it may act — it obtains one through its blueprint, which acquires tokens on its behalf.
Why is that a security improvement rather than a limitation? Because a long-lived secret sitting with each of thousands of agents is exactly the thing attackers hunt for. If every agent carried its own permanent password, you would have thousands of permanent keys scattered across the environment, each one a target and each one easy to forget. By having agents borrow short-lived tokens through a shared, governed template instead of holding standing secrets, the design removes that sprawling pile of keys. The agent still acts; it simply does not hoard the means to act when it is idle.
A user keeps a password. A normal app keeps a secret. An agent keeps nothing — it asks its blueprint for a temporary pass each time it acts. Fewer standing secrets means fewer things for an attacker to steal.
4 · The sponsor: accountability for a non-human
A person is accountable for their own actions. An agent cannot be — it is software. So an agent identity records a sponsor: a human user or group that is accountable for it. Microsoft describes the sponsor as recording “the human user or group that’s accountable for an agent,” used for purposes such as contacting a responsible human if a security incident happens.
This single field quietly solves a problem that agent sprawl creates. When an unfamiliar agent turns up doing something odd, the first question is always “whose is this, and who do we call?” Without a sponsor, the answer is a shrug. With one, every agent traces back to a named human who owns its behaviour. Accountability is not a nice-to-have here; it is what turns an anonymous non-human actor into a governed member of the organisation.
5 · The optional agent’s user account
Most agents never need this part, but it is worth understanding because it prevents a common confusion. Some systems are built to accept only a Microsoft Entra user account for sign-in — they simply do not know how to talk to any other kind of identity. For an agent that must reach such a system, Microsoft allows a second, paired account called an agent’s user account: a real user account in the directory that is “decorated as an AI agent.” It has a different identifier from the agent identity, but the two are always kept in a strict one-to-one relationship.
Two things make this safe rather than a loophole. First, it is marked as an agent, so it is never mistaken for an ordinary employee in reports or reviews. Second, the one-to-one pairing means each such user account belongs to exactly one agent identity — there is no shared, floating account that several agents hide behind. It is a compatibility bridge to older systems, built so the agent still shows up as what it truly is.
Because a user account assumes a human with a password — the very model that does not fit an autonomous actor. The agent’s user account is a narrow bridge for systems that demand one, always paired one-to-one and always marked as an agent, not the default way agents are represented.
6 · Side by side: agent vs user vs application
Put the three together and the distinctions become a simple table you can carry with you.
Read down the third column and you can see the whole design intent. An agent identity assumes an actor that decides for itself, so it does not pretend a human is holding a password. It holds no standing secret, so there is nothing to steal when it is idle. It always names a human sponsor, so accountability never goes missing. And it is stamped from a blueprint, so thousands of agents can share consistent policy. None of those properties belong to a user account or an app registration — which is exactly why a third identity type had to exist.
7 · Glossary — every short-form term, spelled out
- Identity
- A directory record that stands for something which can act, together with what it is allowed to do.
- User account
- The identity type for a person; holds its own credentials and assumes a human is present.
- Application registration (app registration)
- The identity type for a piece of software; holds its own secret and assumes fixed, pre-written behaviour.
- Agent identity
- The identity type for an AI agent — an account used by an autonomous agent, shaped for accountability and scale.
- Identifier (object ID)
- The unique code Microsoft Entra generates to name one identity inside a directory.
- Credentials
- The secrets that prove an identity is who it claims to be — a password, a code, a certificate, or an application secret.
- Token
- A short-lived digital pass that proves an identity is currently allowed to perform an action.
- Blueprint (agent identity blueprint)
- A reusable template that an agent identity is created from; it sets the agent’s kind, shared policy, and acquires tokens on the agent’s behalf.
- Sponsor
- The human user or group recorded as accountable for an agent — the person to contact if it misbehaves.
- Agent’s user account
- An optional second, real user account paired one-to-one with an agent identity and marked as an agent, for systems that accept only a user account.
- Display name
- The human-friendly name of an identity, shown across admin and productivity experiences.
An identity answers one question: who or what is acting, and what may it do? There are now three answers — user, application, and agent.
An agent identity has six parts: an identifier, no credentials of its own, a display name, a human sponsor, a blueprint, and an optional paired user account.
The defining property is that it holds no standing secret — it borrows short-lived tokens through its blueprint, removing a pile of keys attackers would otherwise hunt.
The sponsor keeps every agent tied to an accountable human, which is what tames agent sprawl.
The optional agent’s user account is a narrow, one-to-one bridge for systems that accept only a user account — always marked as an agent.
A user account and an app registration cannot provide these properties, which is exactly why agents needed a purpose-built third identity type.
References
- Microsoft Learn, Agent identities in Microsoft Entra Agent ID — anatomy of an agent identity. learn.microsoft.com
- Microsoft Learn, What are agent identities. learn.microsoft.com
- Microsoft Learn, Microsoft Entra Agent ID key concepts. learn.microsoft.com
- Microsoft Learn, Owners, sponsors, and managers of agent identities. learn.microsoft.com