Agents are changing how people work. With Copilot Studio and other agent-authoring solutions, people in your organization can now build and extend their own agents to automate tasks, retrieve data, and connect business workflows. Admins and developers can use Azure AI Foundry, Security Copilot, and other Agent-authoring solutions to build and extend agents. It feels magical the first time you see it at work.
Here is the part many IT and security professionals do not realize:
Those Copilot Studio agents are tied to identities inside Microsoft Entra.
In many implementations, creating or extending an agent results in new Entra-governed identities that behave similarly to Entra enterprise applications (service principals) as part of Entra Agent ID:
Agents are not just productivity helpers. They typically represent identities inside Entra, which means they come with permissions, access paths, and governance responsibilities.
If these identities are not discovered and managed, they may quietly expand the identity attack surface inside Entra.
The exact way agents are represented in Entra may evolve over time, as Entra Agent ID is currently still in preview, but the core reality remains the same: Agents introduce identities and permissions that must be governed.
When agents are created, installed, or extended, they are represented in Microsoft Entra using identity objects so they can authenticate and request access to resources. Microsoft is now introducing Entra Agent ID, a purpose-built identity platform designed specifically for AI agents. This model introduces new constructs such as agent identity blueprints, agent identity blueprint principals, agent identities, and agent users, which are distinct from application service principals, even though they leverage the same service principal infrastructure under the hood.
On top of that, Microsoft also offers the Entra Agent Registry, featuring agent instances, that offers an extensive repository of agent metadata and agent sponsors.
Today, depending on the platform, tenant state, developer maturity, and agent creation path:
Over time, Microsoft is shifting toward Entra Agent ID as the native identity model for agents, especially to support scale, ephemerality, impersonation, and clearer auditability.
Here’s a Microsoft overview of key differences between agent principals and non-agentic principals.
Agents result in non-human identities in Entra that request permissions and perform actions across Microsoft 365, Microsoft Azure, Microsoft Graph, and other apps, services, and systems your organization utilizes.
Whether those identities appear as:
they still introduce access, permissions, ownership, and lifecycle considerations that require governance.
The mechanism may change, but the responsibility does not: Agents create identity objects in Entra, and those identities must be reviewed, scoped, monitored, and governed just like any other workload identity. As such, Entra Agent ID is an evolution of the application model already present in Entra.
Let's look at three common scenarios.
Let's start with business users. If you have ever watched a business user discover an agent-authoring solution like Copilot Studio, you know exactly what happens: Ideas start flying, prototypes appear quickly, and suddenly agents are connected to live data.
It is exciting. It also bypasses the traditional software development life cycle (SDLC) and change control guardrails that IT relies on.
Many business users (and citizen developers):
Another common story revolves around team workshops. A team builds an agent during a workshop featuring Copilot Studio, Azure AI Foundry, Security Copilot, or a third-party agent-authoring solution. People change jobs. Now nobody can tell you who owns it, yet the agent blueprint and its inheritable API permissions still exist in Entra, and no one knows who's responsible.
Here is another real example: An engineer creates a proof-of-concept agent during an internal project. The pilot is abandoned. The agent resources persist for years. No one notices until an audit.
This is how yesterday’s app sprawl becomes today’s agent sprawl.
The first time many admins go looking for agents in Microsoft Entra, the surprise is not that agents exist, but how many non-human identities are present, and how differently they surface depending on the identity model (the application model or the agent model) used.
With Entra Agent ID, Microsoft now provides a dedicated control plane for agent discovery.
Admins can:
These service principals behave like traditional application identities, not agent identities, but they still execute agent actions and carry standing access that must be governed.
Most tenants today contain a mix of agent identity objects and application service principals representing agents.
The Agent ID view makes this distinction explicit for the first time. Once admins can see which agents are using purpose-built Agent ID identities versus legacy service principals, governance conversations shift from “Do we have agents?” to “Which identity model are they using, what access do they have, and who owns them?”
That awareness is often the turning point.
When agents are created without deliberate identity and lifecycle controls, it introduces familiar identity and access risks, but at far greater speed and scale.
Common security risks introduced by agents include:
You do not need to ban agents from your organization to stay secure, although you can in the Settings view in Entra Agent ID. The goal is not to block everything. The goal is to make sure what gets created is visible, owned, and right-sized for risk.
Recommended Entra Agent ID governance controls include:
Governance is simply how you prevent yesterday’s tests from becoming tomorrow’s incident.
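As an added example (not code from the original post, from ENow, or from Microsoft), the following Microsoft Graph PowerShell script turns the discovery points above and the risk points in this section into a single inventory: it lists every service principal in the tenant, sets aside Microsoft first-party principals, and flags the two governance gaps the post calls out, no owner and standing application permissions. It assumes the Microsoft.Graph.Applications module, a reader granted Application.Read.All, and that the tenant id held in $microsoftFirstPartyTenant is the commonly documented owner organization of Microsoft first-party apps (verify it in your tenant); the high-privilege regular expression is a constructed heuristic, not a Microsoft scoring model. It makes no attempt to separate Agent ID-backed principals from legacy application principals, because that Graph representation is still in preview; pair the CSV with the Agent ID view in the Entra admin center for that split.

```powershell
# Added example: inventory non-human identities in Entra and flag governance gaps.
# Requires: Install-Module Microsoft.Graph (Applications sub-module is enough).
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

# Commonly documented owner organization of Microsoft first-party apps (assumption:
# confirm against your own tenant before relying on it to exclude principals).
$microsoftFirstPartyTenant = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"

# Microsoft Graph's own service principal, used to translate appRoleId GUIDs on
# Graph grants into readable permission names such as Mail.Read.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$graphRoleNames = @{}
foreach ($role in $graphSp.AppRoles) { $graphRoleNames[$role.Id] = $role.Value }

# Constructed heuristic for "standing access worth a second look".
$highPrivilegePattern = '\.ReadWrite\.All$|^Directory\.|^RoleManagement\.|^Application\.'

$properties = "id,displayName,appId,servicePrincipalType,createdDateTime,appOwnerOrganizationId,tags"
$report = foreach ($sp in Get-MgServicePrincipal -All -Property $properties) {
    # Skip Microsoft's own first-party principals; they are never owned by your users.
    if ($sp.AppOwnerOrganizationId -eq $microsoftFirstPartyTenant) { continue }

    $owners = @(Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All)

    # App role assignments held BY the principal are application permissions:
    # access that works without any signed-in user, i.e. standing access.
    $grants = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)
    $permissionNames = foreach ($g in $grants) {
        if ($g.ResourceId -eq $graphSp.Id -and $graphRoleNames.ContainsKey($g.AppRoleId)) {
            $graphRoleNames[$g.AppRoleId]
        } else {
            # Non-Graph resource: keep the resource name and raw role id.
            "$($g.ResourceDisplayName):$($g.AppRoleId)"
        }
    }
    $permissionNames = @($permissionNames)

    [pscustomobject]@{
        DisplayName    = $sp.DisplayName
        AppId          = $sp.AppId
        Type           = $sp.ServicePrincipalType
        Created        = $sp.CreatedDateTime
        OwnerCount     = $owners.Count
        AppPermissions = ($permissionNames -join ", ")
        Ownerless      = ($owners.Count -eq 0)
        HighPrivilege  = [bool]@($permissionNames | Where-Object { $_ -match $highPrivilegePattern })
    }
}

# Show the principals that need an owner decision or a permission review first.
$report |
    Where-Object { $_.Ownerless -or $_.HighPrivilege } |
    Sort-Object HighPrivilege, Ownerless -Descending |
    Format-Table DisplayName, Type, Created, OwnerCount, HighPrivilege, AppPermissions -AutoSize

# Full inventory for the governance backlog.
$report | Export-Csv -Path .\entra-workload-identity-inventory.csv -NoTypeInformation
```

Run it in PowerShell 7 with the Microsoft.Graph module installed; large tenants take a few minutes because owners and grants are fetched per principal. Treat the Ownerless flag as a prompt, not a verdict: the post notes that the Entra Agent Registry records agent sponsors, so a principal with no directory owner may still have an accountable sponsor there, and the reverse (an owner who has since left) is exactly the workshop scenario described earlier.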
As agents proliferate, Microsoft has introduced new controls to help manage them. At Ignite, Microsoft announced Agent 365, a control plane focused on AI agent identities. Underneath Agent 365, Entra Agent ID formalizes agents as a new identity type in Entra.
Agent 365 helps organizations with:
Agent 365 does not replace internal governance policies. Instead, it strengthens the native foundation as agent usage grows.
Availability and specific capabilities of Agent 365 and Agent ID will continue to evolve as Microsoft rolls them out across tenants, so organizations should expect the control model to mature over time. This functionality is currently in Public Preview.
Microsoft provides some controls. Security teams still need clarity.
ENow AppGov Score helps organizations:
Instead of chasing applications one at a time, AppGov Score gives you the full picture of app governance in Entra so you can move from reactive cleanup to proactive decision-making.
Agent-authoring solutions like Copilot Studio, Azure AI Foundry, and Security Copilot are not just features. Agents are identities that connect to your real users and your real data. They appear in Entra, and they carry permission, ownership, and lifecycle risks.
You do not have to solve everything at once. That may even be overwhelming.
Start by looking. See what already exists. Notice agent and application sprawl. Once you have visibility, governance decisions become far easier and far less political.
The path is straightforward:
Organizations that start this work now reap the benefits of AI while keeping identity and access security strong across Entra.
You’re already ahead if you have an app governance program in place. What is different is how agents are created and how they work under the hood.
Agents are often created using end-user tools like Copilot Studio. That means they can be built by business users outside traditional IT intake. Even mature Entra governance programs may not yet account for:
So, the technology is familiar, but the speed, creators, and scale are vastly different.
Yes, they can expand the identity attack surface if they are not governed.
The most common risk patterns we see include:
It is not hype; it is the same pattern we have already seen with SaaS sprawl, only now it happens faster and more automatically.
Microsoft is taking important steps. Agent 365 and Entra Agent ID add:
What they do not replace is your internal governance responsibilities. Organizations still need to:
Agent 365 helps, but it does not automatically remove abandoned agents or design your governance processes for you. In practice, most enterprises use native controls plus independent oversight and reporting.
Because what matters is permissions and data, not the brand name on the product.
“Microsoft-built” does not automatically mean:
Security teams mainly care about:
That is why agent-authoring solutions still need governance, even though the solution is a Microsoft product.
Yes, you can, but most organizations find that hard blocks create workarounds.
What usually happens if you block:
The approach that works best is governed enablement, not prohibition. That means:
You get the benefit without introducing unnecessary exposure.
That is the most common and reasonable objection we hear. After all, we're all entering and navigating this new frontier together!
We've found that the evidence usually shows up as:
Discovery is often the moment when the conversation shifts. Tools like the Agent capabilities in the Entra admin center and ENow App Governance Accelerator make it easy to surface what already exists in your environment and separate assumptions from reality, so you can have honest conversations about how your tenant and data are accessed and secured.
Stay tuned for additional blogs as Microsoft continues to evolve how we manage non-human identities and agents!