ID Protection for agents
As organizations adopt, build, and deploy autonomous AI agents, the need to monitor and protect those agents becomes critical. Microsoft Entra ID Protection helps protect your organization by automatically detecting and responding to identity-based risks on agents that have agent identities provided by Microsoft Entra Agent ID.
Prerequisites
Roles
To view the Risky agents report, you must have one of the following administrator roles assigned.
To configure Conditional Access policies that use Agent Risk as a condition, you must have the Conditional Access Administrator role assigned.
Licensing
Starting soon, ID Protection for agents will require a Microsoft Agent 365 license to extend protection to agents through Microsoft Entra Agent ID.
How it works
Because agents can operate autonomously and on behalf of a user, they can display unique sign-in behavior. Agents can take initiative, interact with sensitive data, and operate at scale. Microsoft Entra ID Protection for agents identifies and mitigates risks associated with these capabilities. Learning Mode automatically suppresses behavioral alerts for agents that lack sufficient activity history, preventing false positives during onboarding and after periods of inactivity. A separate detection runs in parallel to ensure genuinely malicious early-life behavior is still caught. Once an agent exhibits suspicious behavior, ID Protection flags the activity as risky.
Activities contributing to risk
The following table lists the anomalous activities that can contribute to an agent being flagged for risk. At this time, all risk detections for risky agents are offline: they are evaluated after the activity completes rather than in real time during the sign-in, so a risky agent's current session is not interrupted until a policy acts on the resulting risk level.
Note
In on-behalf-of (OBO) flows, where an agent acts using a user's delegated permissions, risky activity is attributed to the user rather than the agent. This approach targets remediation at the compromised user session without disrupting the agent for other users. Unless noted otherwise, risk detections in this table apply only to autonomous agent activity.
| Agent risk detection | Description | riskEventType |
|---|---|---|
| Confirmed compromised | Admin confirmed agent compromised | adminConfirmedAgentCompromised |
| Early life malicious activity | Newly created agent immediately exhibited multiple suspicious behavior patterns, acting like an attacker. | earlyLifeMaliciousActivity |
| Entra Directory Reconnaissance | Agent performed suspicious reconnaissance or high-risk directory operations. | entraDirectoryReconnaissance |
| Failed access attempt | Agent attempted and failed to access resources for which it isn't authorized. This detection can indicate an attacker is attempting to replay an agent's token against an unauthorized resource. | failedAccessAttempt |
| Microsoft Entra threat intelligence | Microsoft identified activity that is consistent with known attack patterns based on its internal and external threat intelligence sources. | threatIntelligenceAccount |
| Sign-in spike | Agent made a higher number of sign-ins compared to its usual sign-in frequency. This spike can be an indicator that an attacker is using automation or a toolkit. | signInSpike |
| Suspicious credential usage | This detection flags when new credentials are added to agent blueprints and then actually used. | suspiciousCredentialUsage |
| Unfamiliar resource access | Agent targeted resources that it doesn't usually access. This detection can mean that an attacker is trying to access sensitive resources beyond the agent's intended purpose. | unfamiliarResourceAccess |
View the risky agent report
The Risky Agents report provides a list of all agents that were flagged for risky behavior. A summary of risky agents appears on the ID Protection Dashboard. This snapshot view provides an overview of the number of agents flagged for risk by risk level. Select View risky agents to open the full report.
You can also navigate directly to the Risky Agents report from the ID Protection navigation menu. Filter and sort to find specific agents, risk states, or risk levels.
You can take action on agents directly from the report, including:
- Confirm compromise: Select after manual investigation or automated detection confirms the agent is compromised. This step is useful as part of incident response to prevent further damage. Confirm compromise automatically sets the risk level to High and creates an event in the agent's Risk detections. This action triggers risk-based Conditional Access policies that are configured to block access on High Agent Risk.
- Confirm safe: Marks the agent as safe after investigation and clears any active risk state for that agent by setting the risk level to None. Use this option when you want to mark a false positive and for the system to avoid flagging similar activity.
- Dismiss risk: Tells the system that the detected risk for an agent is no longer relevant after investigation, or is a benign true positive where you want the system to continue to flag similar activity.
- Disable: Prevents all sign-ins for that agent across Microsoft Entra ID and connected apps.
View the risky agent details
In the risky agent report, select an entry to view the full details including the corresponding risk detections for that agent. Just like with all ID Protection risk reports, you can take action on the agent directly from the report or from the details view.
Risky agent details include:
- Agent display name and ID
- Risk state and risk level
- Agent type and sponsors (if specified)
You can also navigate to the Risk Detections report and select the Agent detections tab to view a full list of agent risk detection events. Risk detections are retained for up to 90 days for investigation purposes, so plan to export them (see Export risk data) if you need a longer investigation window.
Risk-based Conditional Access for agents
Use Conditional Access for agents to set risk policies that block risky agents from accessing resources or other agents. Use this Conditional Access template to simplify deploying this policy in your organization.
Microsoft Graph
You can also query risky agents using the Microsoft Graph API. There are two collections in the ID Protection APIs:
- riskyAgents
- agentRiskDetections
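The following script is an added example, not code from this page or from Microsoft, showing how a responder might pull both collections, follow Graph paging, and rank agents for triage using the riskEventType values from the table above. The page names the collections but not their paths or object schemas, so the `/beta/identityProtection/riskyAgents` and `/beta/identityProtection/agentRiskDetections` paths, the `id`, `displayName`, `riskLevel`, `riskState`, `agentId` and `riskEventType` field names, the `riskState` filter values, and the `GRAPH_TOKEN` environment variable are all assumptions; the sample pages embedded in the script are constructed so it runs offline.

```python
"""Rank risky agents for triage from Microsoft Graph ID Protection data.

Added example, not from the page or from Microsoft. Assumptions (not stated
on the page): collection paths under /beta/identityProtection/, the object
field names used below, the riskState values, and a bearer token in GRAPH_TOKEN.
"""
import json
import os
from collections import defaultdict
from typing import Callable, Dict, Iterator, List
from urllib.parse import urlencode
from urllib.request import Request, urlopen

GRAPH_BETA = "https://graph.microsoft.com/beta"

# riskEventType values and one-line summaries taken from the page's detection table.
AGENT_RISK_EVENT_TYPES = {
    "adminConfirmedAgentCompromised": "admin confirmed agent compromised",
    "earlyLifeMaliciousActivity": "new agent immediately showed attacker-like behavior",
    "entraDirectoryReconnaissance": "suspicious reconnaissance or high-risk directory operations",
    "failedAccessAttempt": "failed access to unauthorized resources (possible token replay)",
    "threatIntelligenceAccount": "matches Microsoft threat intelligence",
    "signInSpike": "sign-in volume well above the agent's baseline",
    "suspiciousCredentialUsage": "new blueprint credential added and then used",
    "unfamiliarResourceAccess": "access to resources outside the agent's normal set",
}
# Detections the page ties to an attacker replaying or abusing an agent's token.
TOKEN_ABUSE_TYPES = {"failedAccessAttempt", "unfamiliarResourceAccess"}
# Sort order for risk levels; "none" is what Confirm safe sets.
RISK_RANK = {"high": 3, "medium": 2, "low": 1, "none": 0}

# Assumed filter: agents still at risk or confirmed compromised (not confirmed safe/dismissed).
ACTIVE_FILTER = "riskState eq 'atRisk' or riskState eq 'confirmedCompromised'"


def build_url(collection: str, odata_filter: str = "", top: int = 100) -> str:
    """URL for an ID Protection collection such as riskyAgents or agentRiskDetections."""
    params = {"$top": str(top)}
    if odata_filter:
        params["$filter"] = odata_filter
    return f"{GRAPH_BETA}/identityProtection/{collection}?{urlencode(params)}"


def graph_get(url: str, token: str) -> dict:
    """One authenticated GET against Graph; raises on HTTP errors."""
    req = Request(url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all(url: str, get: Callable[[str], dict]) -> Iterator[dict]:
    """Follow @odata.nextLink until the collection is exhausted (Graph pages results)."""
    while url:
        page = get(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink", "")


def triage(agents: List[dict], detections: List[dict]) -> List[dict]:
    """Join detections to agents; highest risk level first, then most detection types.

    Unknown riskEventType values are kept, not dropped, so new detections still surface.
    """
    by_agent: Dict[str, List[dict]] = defaultdict(list)
    for d in detections:
        by_agent[d.get("agentId", "")].append(d)
    rows = []
    for a in agents:
        types = sorted({d["riskEventType"] for d in by_agent.get(a["id"], [])})
        rows.append({
            "agentId": a["id"],
            "displayName": a.get("displayName", ""),
            "riskLevel": a.get("riskLevel", "none"),
            "riskState": a.get("riskState", ""),
            "detections": types,
            "summary": [AGENT_RISK_EVENT_TYPES.get(t, f"unknown detection {t}") for t in types],
            "possibleTokenAbuse": bool(TOKEN_ABUSE_TYPES & set(types)),
        })
    rows.sort(key=lambda r: (RISK_RANK.get(r["riskLevel"].lower(), 0), len(r["detections"])), reverse=True)
    return rows


# Constructed sample responses (two pages of riskyAgents, one of agentRiskDetections) for offline use.
SAMPLE_PAGES = {
    build_url("riskyAgents", ACTIVE_FILTER): {
        "value": [{"id": "a1", "displayName": "Billing bot", "riskLevel": "high", "riskState": "atRisk"}],
        "@odata.nextLink": f"{GRAPH_BETA}/identityProtection/riskyAgents?$skiptoken=page2",
    },
    f"{GRAPH_BETA}/identityProtection/riskyAgents?$skiptoken=page2": {
        "value": [{"id": "a2", "displayName": "Ops bot", "riskLevel": "medium", "riskState": "atRisk"}],
    },
    build_url("agentRiskDetections"): {
        "value": [
            {"agentId": "a1", "riskEventType": "failedAccessAttempt", "riskLevel": "high"},
            {"agentId": "a1", "riskEventType": "signInSpike", "riskLevel": "medium"},
            {"agentId": "a2", "riskEventType": "unfamiliarResourceAccess", "riskLevel": "medium"},
        ],
    },
}


def sample_get(url: str) -> dict:
    """Offline stand-in for graph_get that serves the constructed pages above."""
    return SAMPLE_PAGES[url]


def triage_from_graph(get: Callable[[str], dict] = None) -> List[dict]:
    """Fetch active risky agents and all agent detections, then rank them."""
    if get is None:
        token = os.environ.get("GRAPH_TOKEN")
        get = (lambda u: graph_get(u, token)) if token else sample_get
    agents = list(fetch_all(build_url("riskyAgents", ACTIVE_FILTER), get))
    detections = list(fetch_all(build_url("agentRiskDetections"), get))
    return triage(agents, detections)


if __name__ == "__main__":
    for row in triage_from_graph():
        flag = " [token abuse?]" if row["possibleTokenAbuse"] else ""
        print(f"{row['riskLevel']:<6} {row['displayName']}{flag}: {'; '.join(row['summary'])}")
```

With no `GRAPH_TOKEN` set the script runs against the constructed pages; with a token it queries the assumed endpoints. Because detections are retained for only 90 days, the same paging loop is a sensible basis for a scheduled export if you are not using diagnostic settings.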
Export risk data
You can export data by configuring diagnostic settings in Microsoft Entra ID to send risk data to a Log Analytics workspace, archive it to a storage account, stream it to an event hub, or send it to a SIEM solution.
Related content
- Manage agent identities in your organization - Overview of agent identity management across the full lifecycle.
- Conditional Access for Agent ID - Enforce Zero Trust policies across agent identity token acquisition flows.
- Governing Agent Identities - Preventive governance approaches including access packages and sponsor oversight.