The identity layer for AI agents is more fragmented and risky than Microsoft's marketing suggests. Three overlapping problems β Classic vs Modern agents, OBO token delegation, and Copilot Studio maker credentials β each undermine the agent security story independently. All three coexist in most enterprise deployments today.
The following resources were key sources for this section β combining Microsoft's official documentation with practitioner field research:
Before Entra Agent ID was introduced, Copilot Studio agents were registered as standard Service Principals (Enterprise Applications) in Entra β what are now called Classic Agents. Most organisations with existing Copilot Studio deployments have Classic Agents. This is the most underappreciated structural gap in Microsoft's agent security story.
Classic Agents are completely outside the Entra Agent ID security perimeter. They receive no ID Protection for Agents, no Conditional Access for Agents, no Agent lifecycle governance. The Entra security products that Microsoft markets for agent protection only work with Modern Agents. Microsoft has acknowledged a migration tool is planned β it does not exist yet. The only current workaround is to recreate agents from scratch as Modern Agents, which is impractical at scale.
| Dimension | Classic Agent | Modern Agent |
|---|---|---|
| Entra registration type | Service Principal (Enterprise App) | Agent Identity (Agent Blueprint) |
| ID Protection for Agents | β Not supported | β Supported (preview) |
| Conditional Access for Agents | β Not supported | β Supported (preview) |
| Agent lifecycle governance | β Not supported | β Sponsor model available |
| Owner model | Power Virtual Agent Service + creator as Owner β this introduces credential abuse risk (owner can add client secrets) | Sponsor model β creator in Notes field, not Owner role |
| Name sync with Copilot Studio | Name stays as original Agent # β not updated on rename | Same bug β name not synced on rename |
| Migration path | Recreate from scratch OR await Microsoft migration tool | N/A β is the target state |
| Where most production agents are today | Most existing Copilot Studio agents | Only newly created agents with setting enabled |
For Classic Agents, the user who created the agent is added as an Owner of the Enterprise Application. An Owner can add client secrets, bypassing Conditional Access and MFA, abuse federated credentials for cross-tenant access, and is a high-privilege technical role. For Modern Agents, the creator should be listed as a Sponsor in the Notes field β a business accountability role without these technical powers. Using the Owner option on Classic Agents introduces real credential abuse risk. Field research by Derk van der Woude confirms this is the default behaviour in production environments.
Beyond OBO, Copilot Studio introduces a structurally distinct and in many ways more dangerous authentication pattern: maker credentials. When a Copilot Studio agent is connected to tools (SharePoint, Outlook, Teams, etc.), it authenticates to those services as the person who built the agent β not the person using it.
| Pattern | Who Is Authenticated | Audit Trail | Blast Radius | Mitigation |
|---|---|---|---|---|
| OBO (standard) | Invoking user | Shows user UPN (not agent) | User's own permissions | User PAM hygiene |
| Maker credentials (Copilot Studio) | Agent builder | May show service, not maker | Maker's full permissions Γ all users of agent | Enforce end-user auth; restrict sharing scope |
| No authentication | Anyone in Teams | None | Maker's permissions Γ entire org, no login required | Power Platform admin enforcement; KQL detection |
For agents outside Copilot Studio (Azure AI Foundry, custom agents), OBO remains the primary token mechanism. The agent receives a token derived from the invoking user's access token β it acts on behalf of the user, not as an independent identity.
Both Classic and Modern agents share a documented bug: when an agent is renamed in Copilot Studio after initial creation, the name stored in Entra Agent ID is not updated. The Entra portal continues to show the original name assigned at creation β typically Agent # (a number).
Entra security products β ID Protection for Agents, Conditional Access, and the Agent ID portal β all reference the original names. In any enterprise with more than a handful of agents, this makes per-agent policy management in Entra nearly unworkable. You cannot create a meaningful Conditional Access policy for Agent #47. Microsoft has confirmed this inconsistency and states work is in progress β no fix timeline confirmed. Field workaround: use the Agent ID object-ID (not name) as the primary key for agent identification, cross-referenced via script against the Power Platform Admin Environment URL.
Entra Agent ID remains in limited preview for frontier/large enterprise programs. Even when it reaches GA, it will only apply to Modern Agents β Classic Agents (the majority of existing Copilot Studio deployments) require migration first.
This is the single most important table for architects deploying Copilot Studio agents. The gap between Classic and Modern is not marginal β it determines whether any Entra security product applies at all.
| Security Product | Classic Agents | Modern Agents | Notes |
|---|---|---|---|
| Defender for Cloud Apps β AI Agent Inventory | β Supported | β Supported | Works for both. Requires Defender + Power Platform admin collaboration. |
| Defender for Cloud Apps β Real-time Protection | β Supported | β Supported | Works for both. Inspects tool invocations before execution. |
| Block Images and URLs | β Supported | β Supported | Works for both. External threat detection must be configured in Copilot Studio. |
| AIAgentsInfo KQL (Advanced Hunting) | β Supported | β Supported | Works for both once AI Agent Inventory is enabled. |
| Entra Agent ID β Identity Registration | β Not supported | β Supported (preview) | Classic agents registered as Service Principals, not Agent Identities. |
| ID Protection for Agents | β Not supported | β Supported (preview) | Requires Entra Agent ID. Classic agents have no risk signal in ID Protection. |
| Conditional Access for Agents | β Not supported | β Supported (preview) | Requires Entra Agent ID. Name sync bug makes policy management difficult at scale. |
| Access Reviews for Agents | β Not supported | β Supported (preview) | Requires Entra Agent ID. |
| Lifecycle Workflows (sponsor model) | β Not supported | β Supported (preview) | Classic agents use Owner role (risky). Modern agents use Sponsor model. |
| Agent Blueprint & Permissions governance | β Not supported | β Supported (preview) | Blueprint-level Graph API permission governance only available for Modern agents. |
Defender for Cloud Apps security controls (RT protection, AI Agent Inventory, Block Images/URLs) provide a meaningful security baseline for all agents β Classic and Modern. Entra Agent ID security products (ID Protection, Conditional Access, Access Reviews, Lifecycle Workflows) only apply to Modern Agents. Most existing Copilot Studio production deployments are Classic. Migrating to Modern Agents is the prerequisite for the full Entra security stack β but the migration tool doesn't exist yet.
Field research by Derk van der Woude (March 2026) identifies four distinct authentication configurations for Copilot Studio agents β each with a very different risk profile. Knowing which pattern your agents use is the first step to securing them.
| Pattern | How it authenticates | Risk | Detectable via KQL |
|---|---|---|---|
| β End User Credentials (OBO) Auth with Microsoft β End user credentials |
User authenticates once; agent exchanges token OBO the user. Everything runs in the user's own permission context. Sign-in logs available in Entra for the user. | β Low risk | UserAuthenticationType == "Integrated" |
| β‘ Maker-Provided Credentials Auth with Microsoft β Maker-provided credentials |
Agent authenticates at design time using the maker's identity, then reuses that connection for every user at runtime. Silent authentication β stored credentials. No per-user sign-in logs for the agent. | β οΈ High risk Data oversharing, silent auth |
AgentToolsDetails.mode == "Maker"See KQL below |
| β’ App Registration β Delegated Permissions Authenticate manually β Entra ID V2 (delegated) |
Uses an Entra App Registration but still acts OBO the signed-in user. Effective permissions = intersection of user rights AND app granted scopes. Sign-in logs available in Entra Agent ID portal. | β Low risk Verify scopes are minimal |
HTTP Request to Graph + delegated token |
| β£ App Registration β Application Permissions Authenticate manually β Entra ID V2 (application) |
Agent authenticates as the application itself β no user context, no OBO. Access determined by application permissions (e.g. Mail.Read.All, User.Read.All). Can access data across the entire tenant. Requires admin consent. | β οΈ Very high risk Tenant-wide access, admin consent |
HTTP Request to Graph + client credentials flow |
| β€ Agent's User Account Agent provisioned with a full human user account |
Agent is assigned a real user account with persistent identity β mailbox, calendar, Teams membership, SharePoint access, ability to join meetings and send communications. Agent acts as a human user, not on behalf of one. Can participate in Teams channels, access documents, attend meetings under false pretences if compromised. | β οΈ Very high risk Full human identity β hardest to detect as non-human |
Entra Identity Governance lifecycle management; Access Reviews; assign a human sponsor accountable for the agent account |
CA for Agents and ID Protection for Agents are triggered only during modern Agent ID authentication (OAuth 2.0) β used by Security Copilot and AI Foundry agents. Copilot Studio agents authenticate via OBO (pattern β ), maker credentials (pattern β‘), or service principal (patterns β’ and β£) β none of which trigger CA for Agents. For Copilot Studio, apply Conditional Access policies targeting the invoking user or the workload identity (service principal) instead. Use ID Protection for Workload Identities as the equivalent control for App Registration patterns.
The following KQL (field-validated by Derk van der Woude) detects maker credentials at the connector level β checking both AgentToolsDetails and AgentTopicsDetails for where maker mode is actually configured. This is more precise than checking only the agent-level auth type.
let base = AIAgentsInfo
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus == "Published";
let directActions = base
| mv-expand detail = AgentToolsDetails
| where detail.action.connectionProperties.mode == "Maker"
| extend ActionType = "FromTools", Action = detail.action
| project-reorder AgentCreationTime, AIAgentId, AIAgentName,
UserAuthenticationType, CreatorAccountUpn;
let topicActions = base
| mv-expand topic = AgentTopicsDetails
| extend topicActionsArray = topic.beginDialog.actions
| mv-expand Action = topicActionsArray
| where Action.connectionProperties.mode == "Maker"
| extend ActionType = "FromTopic"
| project-reorder AgentCreationTime, AIAgentId, AIAgentName,
AgentStatus, CreatorAccountUpn, OwnerAccountUpns, Action;
directActions
| union topicActions
| sort by AIAgentId, Timestamp desc
Finds agents using HTTP Request actions to graph.microsoft.com or management.azure.com β indicating App Registration authentication (pattern β’ or β£). Delegated = low risk. Application permissions = very high risk.
AIAgentsInfo
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| mvexpand Topic = AgentTopicsDetails
| where Topic has "HttpRequestAction"
| extend TopicActions = Topic.beginDialog.actions
| mvexpand action = TopicActions
| where action['$kind'] == "HttpRequestAction"
| extend Url = tostring(action.url.literalValue)
| extend ParsedUrl = parse_url(Url)
| extend Host = tostring(ParsedUrl["Host"])
| where Host has_any("graph.microsoft.com", "management.azure.com")
| project-reorder AgentCreationTime, AIAgentId, AIAgentName,
ParsedUrl, Url, Host, AgentStatus,
CreatorAccountUpn, OwnerAccountUpns
Source: Derk van der Woude β Your Copilot Studio agent is acting as someone, do you know who? (March 2026)
Microsoft formally defines agent sprawl as the uncontrolled expansion of agents across an organisation without adequate visibility, management, or lifecycle controls. It emerges when business units create agents without formal IT oversight (shadow AI), when agents created for temporary purposes remain in production indefinitely, and when agent permissions exceed actual requirements and are never reviewed.
Increased security risk from over-privileged agents with unclear ownership. Compliance challenges when auditors expect governance over AI systems. Incident response difficulty when organisations can't quickly identify or isolate compromised agents. The Agent's User Account pattern (β€) is especially prone to sprawl β user accounts created for agents are indistinguishable from human accounts in most tooling.
Microsoft's Entra Agent ID platform now supports agent-to-agent (A2A) discovery and authorisation alongside MCP. A2A is an emerging standard protocol for authenticated communication between agents β enabling orchestration agents to delegate tasks to sub-agents with proper identity verification. Without A2A controls, an adversary can inject a malicious agent into an orchestration chain or intercept inter-agent communications.
| Risk | Description | Control |
|---|---|---|
| Agent-to-agent propagation | Compromised orchestration agent delegates to sub-agents, spreading compromise across the agent chain | Entra Agent ID A2A authentication; audit trails of inter-agent interactions |
| Malicious agent injection | Adversary introduces a rogue agent into an orchestration workflow that impersonates a legitimate sub-agent | A2A identity verification; Entra Agent ID β agent-to-agent discovery based on verified identities |
| Unauthenticated delegation | Orchestrator delegates tasks to agents without verifying their identity β attacker intercepts or substitutes | Require authenticated A2A channels; log all inter-agent calls in Entra audit logs |
Source: Microsoft Entra security for AI overview (April 2026)
| Control | What It Does | Status | Limitation |
|---|---|---|---|
| Enforce end-user authentication per agent | Require users to authenticate with their own credentials β prevents maker credential blast radius | Available now (Power Platform admin) | Must be set per agent; not default |
| Restrict org-wide sharing | Use Managed Environments to set numerical sharing limits or restrict to security groups | Available now (Managed Environments) | Requires Power Platform admin |
| Detect no-auth agents via KQL | AIAgentsInfo | where UserAuthenticationType == "None" | Available (requires AI Agent Inventory enabled) | AI Agent Inventory requires Defender + Power Platform admin collaboration |
| Detect ownerless agents via KQL | AIAgentsInfo | where isempty(OwnerAccountUpns) | Available (requires AI Agent Inventory enabled) | Same setup requirement |
| Migrate Classic β Modern Agents | Enables Entra security product coverage; requires recreating agents from scratch | Manual only β migration tool not yet available | Impractical at scale; migration tool planned |
| User PAM hygiene | Least-privileged makers β least-privileged agent credentials | Available via PAM tooling | Indirect; does not change the structural authentication problem |
| Entra Workload Identity | App-level service principal scoping for non-Copilot-Studio agents | GA | Not purpose-scoped per agent-instance |
| Defender for Cloud Apps real-time protection | Blocks tool invocations during suspicious prompt activity (XPIA, UPIA) for Copilot Studio agents | Preview Β· requires both Defender + Power Platform admin setup | Complex 3-step setup; if no decision in 1 second, tool executes anyway |