
Deploy Attribute-Based Conditional Access Policies for Agents

Implementation Effort: Medium – Requires custom security attributes to be in place on both agents and resources, and careful policy design to avoid blocking legitimate agent flows.
User Impact: Medium – Unapproved or miscategorized agents will be blocked from accessing resources.

Overview

Once custom security attributes are defined and assigned to both agents and resources, the organization deploys CA policies that match agent attributes to resource attributes. The Conditional Access for Agent ID documentation demonstrates this with Scenario 1: create an attribute such as AgentApprovalStatus with values such as HR_Approved or Finance_Approved, assign those to agents, then create a corresponding resource attribute such as Department with values HR or Finance. A CA policy then blocks all agent identities except those whose approval attribute matches the targeted resource's classification. This is the core enforcement mechanism for the "allow only approved agents" pattern, but the same approach extends to any attribute-based segmentation the organization requires: by sensitivity tier, by business unit, by external-versus-internal classification, or by agent blueprint grouping.

For agent-to-agent (A2A) flows, the same CA engine supports targeting "All agent resources" as the resource target, which covers agent blueprints and agent identities acting as resource apps. This closes a lateral movement path through agent chains: a compromised orchestration agent cannot call specialized agents unless its attributes authorize it for that target. Organizations should deploy A2A policies alongside general agent-to-resource policies, because a policy that targets only conventional resource apps leaves agent-to-agent calls unsegmented.

Attribute-based policies must also cover agent users. A policy scoped to "All agent identities" does not apply to agent users, which are a separate identity type with persistent identities, mailboxes, and collaborative system access. Agent users can be tagged with the same custom security attributes and targeted with attribute-based CA policies using the "All agent users" scope. Without this, agent users bypass attribute-based segmentation entirely and can access any resource regardless of classification.

This supports the Zero Trust principle "Use least privilege access" by restricting each agent to only the resources its classification authorizes, preventing over-broad access. It supports "Verify explicitly" by evaluating classification attributes on every token acquisition, so access decisions reflect the agent's current attributes rather than a one-time approval. If attribute-based CA is not deployed, all approved agents can access all resources equally; there is no segmentation between an HR agent and a Finance agent. Policies should be deployed in report-only mode first, validated against sign-in logs filtered by agentType (reviewing every report-only failure to confirm it is an intended block rather than a legitimate flow with a missing or misspelled attribute), and then moved to enforcement. Organizations can also use the enhanced object picker to manually select specific agent identities instead of attributes, but this approach does not scale and should only be used for exceptions.
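The following is an added example, not code from the Agent ID documentation or from Microsoft Entra: a small Python model of the attribute-matching semantics described in this section, covering agent identities, agent-to-agent targets, agent users and report-only mode. It models each policy the way Scenario 1 structures it (block a principal scope on resources carrying one classification, excluding principals whose approval attribute matches), then evaluates constructed sign-ins the way a sign-in log entry would report them. All agent, application, attribute-value and policy names, and the agentType values, are assumptions made for the illustration; the real policy engine, its log schema and its property names are not reproduced here.

```python
# Added example: a model of attribute-matched Conditional Access (CA) for agents.
# Not Microsoft Entra's policy engine; every name and value below is hypothetical.
from dataclasses import dataclass, field

AGENT_IDENTITY, AGENT_USER = "agentIdentity", "agentUser"   # hypothetical agentType values
APP, AGENT_RESOURCE = "app", "agentResource"                 # resource kinds in this model
ANY_RESOURCE = frozenset({APP, AGENT_RESOURCE})


@dataclass(frozen=True)
class Principal:
    name: str
    agent_type: str
    attributes: dict = field(default_factory=dict)   # custom security attributes


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str
    attributes: dict = field(default_factory=dict)   # custom security attributes


@dataclass(frozen=True)
class Policy:
    """Block principals in principal_scope on resources whose resource_attr equals
    resource_value, except principals whose approval_attr equals approved_value
    (the exclude filter). enforce=False models report-only mode."""
    name: str
    principal_scope: str        # AGENT_IDENTITY ("All agent identities") or AGENT_USER ("All agent users")
    resource_kinds: frozenset   # APP only, or ANY_RESOURCE to include "All agent resources"
    resource_attr: str
    resource_value: str
    approval_attr: str
    approved_value: str
    enforce: bool = False


def policy_result(p: Policy, who: Principal, what: Resource) -> str:
    """Per-policy outcome as a sign-in log would record it."""
    in_scope = (who.agent_type == p.principal_scope
                and what.kind in p.resource_kinds
                and what.attributes.get(p.resource_attr) == p.resource_value)
    if not in_scope:
        return "notApplied"
    if who.attributes.get(p.approval_attr) == p.approved_value:
        return "notApplied"          # excluded by the attribute filter, so no block
    return "failure" if p.enforce else "reportOnlyFailure"


def evaluate(policies, who: Principal, what: Resource):
    """Return (decision, {policy name: result}) for one token acquisition."""
    results = {p.name: policy_result(p, who, what) for p in policies}
    decision = "blocked" if "failure" in results.values() else "allowed"
    return decision, results


def report_only_failures(log, agent_type: str):
    """Filter evaluations by agentType and list what would have been blocked,
    which is what to review before switching a policy to enforcement."""
    return [(who.name, what.name, name)
            for who, what, (_, results) in log
            if who.agent_type == agent_type
            for name, r in results.items() if r == "reportOnlyFailure"]


# Constructed principals and resources (hypothetical names and attribute values).
HR_AGENT = Principal("hr-onboarding-agent", AGENT_IDENTITY, {"AgentApprovalStatus": "HR_Approved"})
FIN_AGENT = Principal("finance-close-agent", AGENT_IDENTITY, {"AgentApprovalStatus": "Finance_Approved"})
ORCHESTRATOR = Principal("orchestrator-agent", AGENT_IDENTITY)     # no approval attribute at all
HR_AGENT_USER = Principal("hr-assistant@contoso.example", AGENT_USER, {"AgentApprovalStatus": "HR_Approved"})

HR_APP = Resource("hr-payroll-api", APP, {"Department": "HR"})
FIN_APP = Resource("finance-ledger-api", APP, {"Department": "Finance"})
FIN_AGENT_RES = Resource("finance-close-agent (as resource)", AGENT_RESOURCE, {"Department": "Finance"})

# Enforced policies scoped to agent identities; ANY_RESOURCE also covers agent-to-agent targets.
IDENTITY_POLICIES = [
    Policy("CA-Agents-HR", AGENT_IDENTITY, ANY_RESOURCE, "Department", "HR",
           "AgentApprovalStatus", "HR_Approved", enforce=True),
    Policy("CA-Agents-Finance", AGENT_IDENTITY, ANY_RESOURCE, "Department", "Finance",
           "AgentApprovalStatus", "Finance_Approved", enforce=True),
]
# Agent users need their own scope; this one is still in report-only mode.
AGENT_USER_POLICIES = [
    Policy("CA-AgentUsers-Finance", AGENT_USER, ANY_RESOURCE, "Department", "Finance",
           "AgentApprovalStatus", "Finance_Approved"),
]


def run_log(policies):
    """Constructed sign-in log over the (principal, resource) pairs of interest."""
    pairs = [(HR_AGENT, HR_APP), (HR_AGENT, FIN_APP), (ORCHESTRATOR, FIN_AGENT_RES),
             (FIN_AGENT, FIN_AGENT_RES), (HR_AGENT_USER, FIN_APP)]
    return [(who, what, evaluate(policies, who, what)) for who, what in pairs]


if __name__ == "__main__":
    all_policies = IDENTITY_POLICIES + AGENT_USER_POLICIES
    for who, what, (decision, results) in run_log(all_policies):
        print(f"{who.name:30} -> {what.name:36} {decision:8} {results}")
    print("report-only failures for agentUser:", report_only_failures(run_log(all_policies), AGENT_USER))
```

Two of the constructed sign-ins are the ones worth studying. The unapproved orchestrator calling the Finance agent as a resource is blocked only because the policy targets agent resources as well as apps; narrow `resource_kinds` to `{APP}` and that call is allowed. The agent user reaching the Finance API is allowed under the identity-scoped policies alone and shows up only as a report-only failure once the agent-user policy exists, which is the log entry to look for before setting that policy to `enforce=True`.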

Reference