Every organization is struggling to answer the security questions that accompany the emergence of AI agents. In no arena are these questions more critical than in the identity security infrastructure.
Cyber attackers relentlessly target hybrid Active Directory, Entra ID, and Okta environments because if they can gain control of the identity system, they can gain control of the entire network. Without an operable identity infrastructure, business comes to a halt because users can no longer access critical apps and services.
This practical guide focuses specifically on Entra ID agent identities and the attacks that target them. Developed by the Semperis research team, the guide is broken into browsable chapters intended to help organizations understand how Microsoft approaches both human and non-human identities in Entra ID and how organizations can protect these critical assets from threat actors.
As you progress through the chapters, you’ll see links and references to Practice Checkpoints—short, hands-on mini-walkthroughs that show the exact objects and behaviors we are discussing. If you’re here for the mental model, feel free to skim them. If you’re validating in your own tenant, they’re the fastest way to follow along. Each checkpoint is self-contained and keeps a running list of IDs (blueprint, principal, agent identity, agent user) so that later articles in the guide can reference the same objects.
Ready? Let’s get started!
Series contents
- Meet Entra ID Agent Identities (BTW They’re Not People)
- The Taxonomy of Workload Identities in Entra ID: Enterprise Applications, Service Principals, and Other Forms of Organized Confusion
- Understanding Microsoft Agent ID and the Agent Identity Platform
- Agent Identities: Design Deep Dive
- The Agent Registry: Not the Registry You’re Thinking Of
- Where Things Might Go Wrong with Agent Identities in Entra ID—and How to Prevent Disaster
- Practice Checkpoint 1: Building Agent ID with MS Graph
- Practice Checkpoint 2: Setting Agent Identity Permissions
- Practice Checkpoint 3: Registering an agent—with and without Agent ID
- Practice Checkpoint 4: Verifying Tokens and Claims Across Three Authentication Flows
Disclaimer
This guide is based on Microsoft’s official documentation, public presentations, and personal observations. Because Agent ID features are still in public preview, please be aware that some behaviors, APIs, and UI elements might change over time.
