Key insight
A control plane can only govern what has a name. Microsoft Entra Agent ID is the identity and security framework that gives every AI agent its own first-class identity — extending Microsoft’s existing identity service to a new kind of subject, the non-human actor. It exists because the identity types built for humans and for ordinary applications do not fit an actor that decides for itself. Its job is to authenticate, authorise, govern, and protect agents, with least privilege enforced by design — and it does this for agents built on any platform, not just Microsoft’s.
A control plane must unify five things: identity, observability, governance, security, and lifecycle. One of them has to come first, because the other four depend on it. This article is about that one. Everything Agent 365 later does — listing an agent, limiting it, watching it, protecting it, retiring it — assumes the agent already has an identity of its own. The product that gives it one is Microsoft Entra Agent ID, and understanding it is the real start of the climb from beginner to architect.
1 · Why identity is the first pillar, not just one of five
Start with a question that sounds too simple to matter: how do you refer to an agent at all? If your only way to name an agent is “the thing Priya built that runs under Priya’s login,” then every action it takes is recorded as Priya’s action. You cannot tell the agent’s behaviour apart from the human’s. You cannot give the agent narrower permissions than Priya has. And if it misbehaves, your only way to stop it is to disable Priya — punishing the person for the tool.
This is why identity is not merely the first item on a list; it is the precondition for the whole list. To decide what an agent may access, you need something to attach the permissions to. To watch what an agent does, you need a name to record actions against. To switch an agent off, you need an identity to disable. Take identity away and governance, observability, security, and lifecycle all lose the thing they act on. Microsoft puts the same point in product terms: agent identities let organisations “discover, manage, and secure AI agents operating in a tenant, with proper policy enforcement, instead of treating agents as either full users or generic apps.”
You cannot govern, observe, secure, or retire what has no name. Identity is the peg every other capability hangs on.
2 · What Microsoft Entra Agent ID actually is
First, the word underneath it. Microsoft Entra is Microsoft’s identity service — the system that manages who can sign in and what they can reach. It is the same service that already handles your employees’ accounts and passwords. Microsoft Entra Agent ID is an extension of that service to a new kind of subject. In Microsoft’s words, it is “an identity and security framework that extends Microsoft Entra capabilities to AI agents.”
Notice what that framing rules out. Agent ID is not a brand-new, unproven identity system built from scratch. It is the mature identity engine your organisation already trusts, taught to understand agents as first-class subjects. That matters because security teams do not have to learn or trust an entirely separate world; they extend the one they already run. Microsoft Entra Agent ID is now generally available — meaning fully released and supported for production use — and it is available to all Microsoft Entra customers.
The purpose is captured in four verbs you should memorise, because the rest of Level 200 and Level 300 orbit them: Agent ID lets organisations authenticate, authorise, govern, and protect agent identities at enterprise scale. Authenticate means prove an agent is who it claims to be. Authorise means decide what it is allowed to do. Govern means keep it owned, reviewed, and time-bounded. Protect means watch for risk and respond. Hold those four; they are the spine of agent identity.
3 · Why user accounts and app registrations do not fit agents
A fair objection: Microsoft Entra already has two well-worn identity types — a user account for a person, and an application registration (often shortened to app registration) for a piece of software. Why invent a third kind for agents? Because an agent is neither, and forcing it into either box breaks something important.
Microsoft’s own reasoning is direct: “Traditional identity types (like standard app registrations or user accounts) aren’t ideal for autonomous agents. AI agents have unique security concerns because their autonomous decision-making, dynamic learning capabilities, and potentially access to sensitive data can introduce unpredictable behaviours.” Unpack that:
- Autonomous decision-making. A user account assumes a human is choosing each action; an app registration assumes fixed, pre-written behaviour. An agent chooses its own actions and is not fixed — so neither assumption holds.
- Dynamic learning. An agent’s behaviour can shift as it takes in new information, so what it did yesterday does not bound what it may attempt today. Identity types built for static software do not expect that.
- Access to sensitive data at machine speed. If something goes wrong, an agent can act quickly and widely. An identity type that never anticipated an autonomous, fast-moving actor offers no natural brakes.
So Entra treats agent identities differently on purpose. A crucial example: Entra limits what agent identities can do. It “blocks agents from being granted many high-privilege roles or permissions,” and “users and administrators aren’t allowed to consent to those powerful permissions for an agent.” In plain terms, you cannot hand an agent the keys to the kingdom even if you wanted to — the platform itself enforces least privilege, because an unrestrained agent with high privileges could do far-reaching damage before anyone noticed.
Because agents act fast and wide, Entra bakes least privilege into the identity type itself: certain high-privilege roles simply cannot be granted to an agent, and no one can consent to those powerful permissions on an agent’s behalf. The guardrail is in the platform, not just in your policy.
4 · The four things Entra Agent ID does
Microsoft groups Agent ID’s capabilities into a small set of jobs. Read them as the concrete machinery behind the four verbs from section 2.
- Register and manage agents. Agent ID creates and manages the identity constructs agents use, and organises them centrally. It provides “centralized metadata management, secure agent discovery, and automatic organization into security collections” — a security collection being simply a managed grouping that keeps related agent identities together so they can be governed as a set. (The registry itself is a substantial topic in its own right.)
- Assign secure, scalable identities. The underlying agent identity platform lets you give each agent an identity, auto-discover agents across the organisation, and keep all of an agent’s metadata — its capabilities, tasks, and the protocols it speaks — in one place. It also enables one agent to discover and be authorised to talk to another.
- Govern identity and lifecycle. Agent ID ensures an agent has a responsible person providing oversight throughout its life, and that “an agent’s access doesn’t persist longer than needed.” That means ownership, access reviews, and compliance reporting apply to agents just as they do to people. (Governing agent access is a substantial topic in its own right.)
- Protect access to resources. Agent activity is defended with the same advanced controls used for humans: network-level zero-trust access, policy-based Conditional Access (rules that decide whether to allow an action based on conditions and risk), and real-time risk detection with automated response. Every authentication and action an agent performs is logged in Entra and viewable in the admin centre for audit.
These four jobs map cleanly onto the four verbs: registering and assigning identities is how agents authenticate; controlling permissions is how they are authorised; ownership and lifecycle is how they are governed; and the access protections are how they are protected. One framework, four jobs, four verbs.
5 · Any agent, any platform: how it reaches beyond Microsoft
A real control plane must govern agents from any source. Identity is where that promise is kept or broken, so it is worth seeing how Agent ID reaches agents that were not built on Microsoft’s own tools. Microsoft states that Entra Agent ID “works with agents built on Microsoft and non-Microsoft platforms,” and gives concrete examples: organisations can integrate third-party agents from platforms such as AWS Bedrock and n8n.
There are two ways it does this, and you only need the shape of them for now:
- The Microsoft Entra Auth SDK, run as a sidecar. A software development kit (SDK) is a set of code libraries a developer uses; a sidecar is a small helper component that runs alongside the main agent and handles identity for it. The external agent keeps doing its job, while the sidecar gives it a governed Entra identity.
- Workload identity federation. Federation means establishing trust between two identity systems so one will accept identities vouched for by the other. This lets an agent running elsewhere be trusted by Entra without copying secrets around.
Underneath both, Agent ID speaks open, standard protocols — OAuth 2.0 (the widely used standard for granting software permission to act), MCP (the Model Context Protocol, a standard way for agents to connect to tools), and A2A (agent-to-agent, a standard for agents to discover and talk to each other). Standards are the point: they are why “every agent gets a governed identity regardless of where it was built.”
6 · What you need to turn it on
Two practical facts close the article. First, the base capability is broadly available: creating and managing agent identities and their blueprints through Agent ID is available to all Microsoft Entra customers. Giving an agent an identity is not gated behind the most expensive edition.
Second, the advanced pieces follow a consistent licensing shape. Having agents operate across Microsoft 365 services requires a per-user Microsoft Agent 365 licence. Extending Entra’s advanced security features to agents — the protections in section 4 — requires either Microsoft 365 E7 (which includes Agent 365 and the Entra Suite) or Microsoft 365 E5 paired with a Microsoft Agent 365 licence. For organisations without E5 or E7, Microsoft offers standalone options alongside an Agent 365 licence: for example, Conditional Access for agents maps to Microsoft Entra ID P1, and identity protection for agents to the higher P2 tier. The pattern is consistent: identity itself is foundational and widely available; the advanced protections ride on the premium editions.
This article established why agents get their own identity and what Entra Agent ID is. The next article opens the identity itself — its parts, and how it compares, piece by piece, to a user account and an app registration. After that we cover blueprints, the registry, registry convergence, and how agent access is governed.
7 · Glossary — every short-form term, spelled out
- Microsoft Entra
- Microsoft’s identity service — the system that manages who can sign in and what they can reach, including employees and now agents.
- Microsoft Entra Agent ID
- An identity and security framework that extends Microsoft Entra to AI agents, so each agent has its own first-class identity that can be authenticated, authorised, governed, and protected.
- Non-human actor
- An actor that is neither a human user nor a passive application, but acts on its own — Microsoft’s term for an agent.
- User account
- The identity type built for a person, assuming a human chooses each action.
- Application registration (app registration)
- The identity type built for a piece of software, assuming fixed, pre-written behaviour.
- Least privilege
- Giving any actor only the smallest set of permissions its job needs, and nothing more.
- Conditional Access
- Rules that decide whether to allow an action based on conditions and risk — for example, blocking an unusual request.
- Security collection
- A managed grouping that keeps related agent identities together so they can be governed as a set.
- SDK (software development kit)
- A set of code libraries a developer uses to build on a platform.
- Sidecar
- A small helper component that runs alongside a main application — here, one that gives an external agent a governed Entra identity.
- Workload identity federation
- A trust link between two identity systems so one will accept identities vouched for by the other, without copying secrets around.
- OAuth 2.0
- The widely used open standard for granting software permission to act on a resource.
- MCP (Model Context Protocol)
- A standard way for an agent to connect to tools and data sources.
- A2A (agent-to-agent)
- A standard that lets agents discover and communicate with one another.
- Generally available (GA)
- Fully released and supported for production use, rather than in preview.
Identity comes first because you cannot govern, watch, secure, or retire an agent that has no name of its own.
Microsoft Entra Agent ID extends Microsoft’s existing identity engine to agents; it is generally available and open to all Entra customers.
Its purpose is four verbs: authenticate, authorise, govern, and protect agent identities at scale.
User accounts and app registrations do not fit agents, because agents decide for themselves, learn as they go, and move fast — so Entra enforces least privilege by blocking high-privilege roles for agents.
It governs agents from any platform — Microsoft or not — via an Auth SDK sidecar or workload identity federation, over open standards (OAuth 2.0, MCP, A2A).
Giving an agent an identity is broadly available; the advanced protections ride on Microsoft 365 E5 or E7 with an Agent 365 licence.
References
- Microsoft Learn, What is Microsoft Entra Agent ID? learn.microsoft.com
- Microsoft Learn, Authorization in Microsoft Entra Agent ID — why agent identities are limited and least privilege is enforced. learn.microsoft.com
- Microsoft Learn, What is the Microsoft agent identity platform — capabilities and licensing. learn.microsoft.com
- Microsoft Learn, Microsoft Entra security for AI overview. learn.microsoft.com
- Microsoft Learn, Protect agent identities with Microsoft Entra (Agent 365 admin). learn.microsoft.com