
Microsoft Entra Blog

Build AI agents for production with secure identities from day one

ArLucaID
Jun 02, 2026

Learn how Microsoft Entra Agent ID and the Agent 365 SDK help developers secure AI agents from the start.

Building an AI agent is no longer the hard part. The real challenge begins when that agent must run securely in production and meet identity, access, audit, and security requirements. That’s where many agents get stuck. It’s relatively easy to build a prototype, but much harder to deploy an agent that operates with the security controls required for production. Microsoft Entra Agent ID helps close that gap by giving agents a consistent identity foundation. Together with the Microsoft Agent 365 CLI and SDK, it helps you deploy AI agents that are ready to be managed, governed, and protected within your organization.

What is Microsoft Entra Agent ID?

Microsoft Entra Agent ID, now generally available, is the identity and access platform in Microsoft Entra for AI agents. It introduces a set of identity constructs that match how agents are built and operated. There are three key concepts worth noting when deploying agents in your organization.

Agent blueprint: A blueprint is the reusable identity template for a class of agents. It defines the common configuration, accountability model, credentials, and scopes used when creating agent identities, so developers can create them consistently across deployments.

The agent blueprint manifest is a JSON representation of the blueprint, which you can view or edit under developer settings.

Agent identity: Every agent instance gets its own identity in Microsoft Entra. Each identity has its own sign-in history, audit trail, assigned scopes, and targetable principal for Conditional Access. When you need to know what agent #4,712 did at 3:47 a.m. yesterday, the answer is in Microsoft Entra sign-in logs, indexed by the agent identity itself. When you need to retire a single malicious instance without touching the rest of your fleet, there is a kill switch for that agent identity.

The agent identities view in the Microsoft Entra admin center shows you an inventory of the agent identities in your tenant.

Agent sponsors and owners: Every agent needs clear accountability through two distinct roles. Sponsors provide business accountability for the agent’s purpose and lifecycle decisions, such as whether it should retain access or be retired. Owners are responsible for the technical configuration and management of the agent identity.

The overview of the individual agent identity shows the sponsor, blueprint, and granted permissions for the agent.


These concepts matter because they shape how agent onboarding works in practice. Once you understand the blueprint, the agent identity, and the accountability roles around it, the next question is how those pieces are created during deployment.

How an agent gets an agent identity, blueprint, and sponsor

There isn’t one single way to provision an agent identity, and that’s intentional. Microsoft Entra documents the official creation channels through which agent identity blueprints and identities can land in your tenant. Each channel has its own audience and control surface, and every creation event is recorded in the Microsoft Entra audit logs with the channel attached, so you can always trace where an identity came from. The channels developers use most often are outlined below.

  • Microsoft product integrations: Agents built in Microsoft Foundry, Copilot Studio, and Security Copilot get a Microsoft Entra Agent ID automatically as part of platform onboarding. Identity is provisioned from a blueprint and connected without any additional developer effort.

  • Microsoft Agent 365 CLI and SDK: For agents built on any other framework (Microsoft Agent Framework, OpenAI Agents SDK, Anthropic Claude Agent SDK, Google ADK, AWS Bedrock, LangChain, LlamaIndex, CrewAI, Semantic Kernel, GitHub Copilot SDK, and others), the Microsoft Agent 365 CLI provisions the agent’s identity through Microsoft Graph, and the Microsoft Agent 365 SDK connects the running agent to the control plane so observability, governance, and security come with the identity.

This is the recommended channel for cross-platform and non-Microsoft agents because one integration delivers Microsoft Entra Agent ID plus the rest of Microsoft Agent 365 as a single bundle.

Get started

For developers who don’t already have an onboarding pipeline, the fastest way to take an agent from a code repository to a managed, governed, and protected agent in your tenant is to use the AI-guided onboarding experience in the Microsoft Agent 365 CLI and SDK documentation. It walks you through the end-to-end steps: running the Microsoft Agent 365 CLI, wrapping your agent entry point with the Microsoft Agent 365 SDK, and configuring the runtime credentials Microsoft Entra will use to issue tokens.

-Arturo Lucatero, Principal Product Manager
