Require Users to Use Entra ID Auth to Interact with Agents
Implementation Effort: Medium – IT must configure agent authentication flows, consent, and app registrations that tie interactive agents to Entra ID, but this is a one‑time project rather than an ongoing program.
User Impact: Medium – Users may be prompted to sign in with Entra ID or grant delegated permissions when interacting with agents, but only those who use these agents are impacted.
Overview
Requiring users to authenticate with Microsoft Entra ID before interacting with an agent ensures that every user action is tied to a verified identity. Interactive agents use the Microsoft Entra Agent Identity platform to perform delegated actions on behalf of real users. To enable this, IT configures the agent to request user tokens via OAuth, validate them, and extract claims for authorization decisions. Doing this also gives IT visibility into user activity and interaction with AI workloads, and enables controls such as strong authentication and compliant-device requirements.
Without this setup, agents may operate without strong identity assurance, increasing risks such as unauthorized access, misuse of delegated permissions, or inability to enforce Zero Trust controls. This activity supports the Zero Trust principle of Verify explicitly because user identity, tokens, claims, and delegated permissions are validated at every interaction.
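As an added example (not code from this page or from Microsoft's Agent ID libraries), the claim checks an interactive agent applies to a delegated user token before acting on the user's behalf: issuer and tenant, audience, validity window, and the presence of the user-bound claims (`oid`, `scp`) that distinguish a delegated token from an app-only one. The tenant ID, client ID and claim values are constructed, and signature verification against the tenant's JWKS is left to a JWT library, as the comments note.

```python
import base64
import json
import time

# Constructed values for this example; a real agent reads them from its
# app registration and tenant configuration.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
AGENT_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
CLOCK_SKEW_SECONDS = 300

class TokenRejected(Exception):
    """The token must not be used for a delegated action."""

def _b64url_json(part):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def decode_unverified(token):
    """Split a compact JWT into (header, payload) WITHOUT checking the signature.
    Verify it with the tenant's JWKS key named by header['kid'] before trusting claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a compact JWT")
    header, payload = _b64url_json(parts[0]), _b64url_json(parts[1])
    if header.get("alg") != "RS256":  # Entra issues RS256; never accept 'none'
        raise TokenRejected(f"unexpected alg {header.get('alg')!r}")
    return header, payload

def validate_claims(payload, now=None):
    """Return the delegated principal (user + scopes) or raise TokenRejected."""
    now = time.time() if now is None else now
    if payload.get("iss") != EXPECTED_ISSUER or payload.get("tid") != TENANT_ID:
        raise TokenRejected("not issued by our tenant")
    if payload.get("aud") != AGENT_CLIENT_ID:
        raise TokenRejected("issued for a different app")
    if payload.get("nbf", 0) > now + CLOCK_SKEW_SECONDS:
        raise TokenRejected("not yet valid")
    if payload.get("exp", 0) <= now - CLOCK_SKEW_SECONDS:
        raise TokenRejected("expired")
    # Delegated user tokens carry 'scp' and the user's object id 'oid';
    # app-only tokens carry 'roles' instead and have no user behind them.
    if "scp" not in payload or "oid" not in payload:
        raise TokenRejected("not a delegated user token")
    return {"oid": payload["oid"], "tid": payload["tid"],
            "scopes": frozenset(payload["scp"].split())}

def sample_token(payload):
    """Constructed, unsigned token so the example runs offline (not a real token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT', 'kid': 'constructed'})}.{enc(payload)}.sig"
```

The returned principal's `oid` is what ties each agent action back to a verified user in logs, and its `scopes` set is what each action is authorized against.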
Reference
- Authenticate users in interactive agents: https://learn.microsoft.com/en-us/entra/agent-id/identity-platform/interactive-agent-authenticate-user
- Request delegated user authorization for interactive agents: https://learn.microsoft.com/en-us/entra/agent-id/identity-platform/interactive-agent-request-user-authorization
- Agent users in Microsoft Entra Agent ID: https://learn.microsoft.com/en-us/entra/agent-id/identity-platform/agent-users
- Microsoft Entra ID P1 — feature comparison