Key insight

A control plane can only govern what has a name. Microsoft Entra Agent ID is the identity and security framework that gives every AI agent its own first-class identity — extending Microsoft’s existing identity service to a new kind of subject, the non-human actor. It exists because the identity types built for humans and for ordinary applications do not fit an actor that decides for itself. Its job is to authenticate, authorise, govern, and protect agents, with least privilege enforced by design — and it does this for agents built on any platform, not just Microsoft’s.

A control plane must unify five things: identity, observability, governance, security, and lifecycle. One of them has to come first, because the other four depend on it. This article is about that one. Everything Agent 365 later does — listing an agent, limiting it, watching it, protecting it, retiring it — assumes the agent already has an identity of its own. The product that gives it one is Microsoft Entra Agent ID, and understanding it is the real start of the climb from beginner to architect.

1 · Why identity is the first pillar, not just one of five

Start with a question that sounds too simple to matter: how do you refer to an agent at all? If your only way to name an agent is “the thing Priya built that runs under Priya’s login,” then every action it takes is recorded as Priya’s action. You cannot tell the agent’s behaviour apart from the human’s. You cannot give the agent narrower permissions than Priya has. And if it misbehaves, your only way to stop it is to disable Priya — punishing the person for the tool.

This is why identity is not merely the first item on a list; it is the precondition for the whole list. To decide what an agent may access, you need something to attach the permissions to. To watch what an agent does, you need a name to record actions against. To switch an agent off, you need an identity to disable. Take identity away and governance, observability, security, and lifecycle all lose the thing they act on. Microsoft puts the same point in product terms: agent identities let organisations “discover, manage, and secure AI agents operating in a tenant, with proper policy enforcement, instead of treating agents as either full users or generic apps.”

The one-line reason

You cannot govern, observe, secure, or retire what has no name. Identity is the peg every other capability hangs on.

2 · What Microsoft Entra Agent ID actually is

First, the word underneath it. Microsoft Entra is Microsoft’s identity service — the system that manages who can sign in and what they can reach. It is the same service that already handles your employees’ accounts and passwords. Microsoft Entra Agent ID is an extension of that service to a new kind of subject. In Microsoft’s words, it is “an identity and security framework that extends Microsoft Entra capabilities to AI agents.”

Notice what that framing rules out. Agent ID is not a brand-new, unproven identity system built from scratch. It is the mature identity engine your organisation already trusts, taught to understand agents as first-class subjects. That matters because security teams do not have to learn or trust an entirely separate world; they extend the one they already run. Microsoft Entra Agent ID is now generally available — meaning fully released and supported for production use — and it is available to all Microsoft Entra customers.

The purpose is captured in four verbs you should memorise, because the rest of Level 200 and Level 300 orbit them: Agent ID lets organisations authenticate, authorise, govern, and protect agent identities at enterprise scale. Authenticate means prove an agent is who it claims to be. Authorise means decide what it is allowed to do. Govern means keep it owned, reviewed, and time-bounded. Protect means watch for risk and respond. Hold those four; they are the spine of agent identity.

Microsoft Entra as the identity engine, extended by Entra Agent ID to serve four capabilities for agents A base box labelled Microsoft Entra identity engine supports an upper box labelled Entra Agent ID, from which four labelled pillars rise: authenticate, authorise, govern, and protect. An agent icon sits above, connected to all four. Microsoft Entra — the identity engine you already run Microsoft Entra Agent ID Authenticate Authorise Govern Protect agent
Figure 1. Entra Agent ID is not a new identity world — it extends the identity engine you already run, and expresses it as four capabilities for agents: authenticate, authorise, govern, protect.

3 · Why user accounts and app registrations do not fit agents

A fair objection: Microsoft Entra already has two well-worn identity types — a user account for a person, and an application registration (often shortened to app registration) for a piece of software. Why invent a third kind for agents? Because an agent is neither, and forcing it into either box breaks something important.

Microsoft’s own reasoning is direct: “Traditional identity types (like standard app registrations or user accounts) aren’t ideal for autonomous agents. AI agents have unique security concerns because their autonomous decision-making, dynamic learning capabilities, and potentially access to sensitive data can introduce unpredictable behaviours.” Unpack that:

So Entra treats agent identities differently on purpose. A crucial example: Entra limits what agent identities can do. It “blocks agents from being granted many high-privilege roles or permissions,” and “users and administrators aren’t allowed to consent to those powerful permissions for an agent.” In plain terms, you cannot hand an agent the keys to the kingdom even if you wanted to — the platform itself enforces least privilege, because an unrestrained agent with high privileges could do far-reaching damage before anyone noticed.

Least privilege is not optional here

Because agents act fast and wide, Entra bakes least privilege into the identity type itself: certain high-privilege roles simply cannot be granted to an agent, and no one can consent to those powerful permissions on an agent’s behalf. The guardrail is in the platform, not just in your policy.

4 · The four things Entra Agent ID does

Microsoft groups Agent ID’s capabilities into a small set of jobs. Read them as the concrete machinery behind the four verbs from section 2.

These four jobs map cleanly onto the four verbs: registering and assigning identities is how agents authenticate; controlling permissions is how they are authorised; ownership and lifecycle is how they are governed; and the access protections are how they are protected. One framework, four jobs, four verbs.

5 · Any agent, any platform: how it reaches beyond Microsoft

A real control plane must govern agents from any source. Identity is where that promise is kept or broken, so it is worth seeing how Agent ID reaches agents that were not built on Microsoft’s own tools. Microsoft states that Entra Agent ID “works with agents built on Microsoft and non-Microsoft platforms,” and gives concrete examples: organisations can integrate third-party agents from platforms such as AWS Bedrock and n8n.

There are two ways it does this, and you only need the shape of them for now:

Underneath both, Agent ID speaks open, standard protocols — OAuth 2.0 (the widely used standard for granting software permission to act), MCP (the Model Context Protocol, a standard way for agents to connect to tools), and A2A (agent-to-agent, a standard for agents to discover and talk to each other). Standards are the point: they are why “every agent gets a governed identity regardless of where it was built.”

Agents from Microsoft and non-Microsoft platforms all resolving to one governed Entra Agent ID Three source boxes on the left — a Microsoft-built agent, an AWS Bedrock agent joined via an Auth SDK sidecar, and an n8n agent joined via workload identity federation — all point right into a single box labelled Entra Agent ID, governed identity, which lists the protocols OAuth 2.0, MCP, and A2A. Microsoft-built agent AWS Bedrock agent+ Auth SDK sidecar n8n agent+ workload identity federation Entra Agent ID one governed identity, whatever the source OAuth 2.0 · MCP · A2A
Figure 2. A Microsoft-built agent, a Bedrock agent joined via the Auth SDK sidecar, and an n8n agent joined via federation all resolve to one governed Entra Agent ID, speaking open standards.

6 · What you need to turn it on

Two practical facts close the article. First, the base capability is broadly available: creating and managing agent identities and their blueprints through Agent ID is available to all Microsoft Entra customers. Giving an agent an identity is not gated behind the most expensive edition.

Second, the advanced pieces follow a consistent licensing shape. Having agents operate across Microsoft 365 services requires a per-user Microsoft Agent 365 licence. Extending Entra’s advanced security features to agents — the protections in section 4 — requires either Microsoft 365 E7 (which includes Agent 365 and the Entra Suite) or Microsoft 365 E5 paired with a Microsoft Agent 365 licence. For organisations without E5 or E7, Microsoft offers standalone options alongside an Agent 365 licence: for example, Conditional Access for agents maps to Microsoft Entra ID P1, and identity protection for agents to the higher P2 tier. The pattern is consistent: identity itself is foundational and widely available; the advanced protections ride on the premium editions.

Where this fits in the journey

This article established why agents get their own identity and what Entra Agent ID is. The next article opens the identity itself — its parts, and how it compares, piece by piece, to a user account and an app registration. After that we cover blueprints, the registry, registry convergence, and how agent access is governed.

7 · Glossary — every short-form term, spelled out

Microsoft Entra
Microsoft’s identity service — the system that manages who can sign in and what they can reach, including employees and now agents.
Microsoft Entra Agent ID
An identity and security framework that extends Microsoft Entra to AI agents, so each agent has its own first-class identity that can be authenticated, authorised, governed, and protected.
Non-human actor
An actor that is neither a human user nor a passive application, but acts on its own — Microsoft’s term for an agent.
User account
The identity type built for a person, assuming a human chooses each action.
Application registration (app registration)
The identity type built for a piece of software, assuming fixed, pre-written behaviour.
Least privilege
Giving any actor only the smallest set of permissions its job needs, and nothing more.
Conditional Access
Rules that decide whether to allow an action based on conditions and risk — for example, blocking an unusual request.
Security collection
A managed grouping that keeps related agent identities together so they can be governed as a set.
SDK (software development kit)
A set of code libraries a developer uses to build on a platform.
Sidecar
A small helper component that runs alongside a main application — here, one that gives an external agent a governed Entra identity.
Workload identity federation
A trust link between two identity systems so one will accept identities vouched for by the other, without copying secrets around.
OAuth 2.0
The widely used open standard for granting software permission to act on a resource.
MCP (Model Context Protocol)
A standard way for an agent to connect to tools and data sources.
A2A (agent-to-agent)
A standard that lets agents discover and communicate with one another.
Generally available (GA)
Fully released and supported for production use, rather than in preview.
Key takeaways

Identity comes first because you cannot govern, watch, secure, or retire an agent that has no name of its own.
Microsoft Entra Agent ID extends Microsoft’s existing identity engine to agents; it is generally available and open to all Entra customers.
Its purpose is four verbs: authenticate, authorise, govern, and protect agent identities at scale.
User accounts and app registrations do not fit agents, because agents decide for themselves, learn as they go, and move fast — so Entra enforces least privilege by blocking high-privilege roles for agents.
It governs agents from any platform — Microsoft or not — via an Auth SDK sidecar or workload identity federation, over open standards (OAuth 2.0, MCP, A2A).
Giving an agent an identity is broadly available; the advanced protections ride on Microsoft 365 E5 or E7 with an Agent 365 licence.

References

  1. Microsoft Learn, What is Microsoft Entra Agent ID? learn.microsoft.com
  2. Microsoft Learn, Authorization in Microsoft Entra Agent ID — why agent identities are limited and least privilege is enforced. learn.microsoft.com
  3. Microsoft Learn, What is the Microsoft agent identity platform — capabilities and licensing. learn.microsoft.com
  4. Microsoft Learn, Microsoft Entra security for AI overview. learn.microsoft.com
  5. Microsoft Learn, Protect agent identities with Microsoft Entra (Agent 365 admin). learn.microsoft.com