Extend Sign-In Log Monitoring to Cover Agent Identity Traffic

Implementation Effort: Low – Requires updating existing sign-in log filters, workbooks, and alert rules to recognize new agent identity types; no new logging infrastructure needed.
User Impact: Low – Monitoring activity; no impact on agents or end users.

Overview

Microsoft Entra sign-in logs already capture authentication and authorization events across the organization, and most security teams already monitor them. With the introduction of Agent ID, these same logs now carry agent identity traffic — but under new agentType values that existing monitoring rules, workbooks, and alerts do not recognize. If the organization does not extend its existing sign-in log monitoring to include these new signals, agent authentication events go undetected despite flowing through the same infrastructure that already monitors human and workload identity sign-ins.

Agent identity traffic appears in two existing log locations. Agent identities accessing resources appear in service principal sign-in logs under agentType "agent ID user." Agent users — non-human identities with mailbox and Teams access — appear in non-interactive user sign-ins under agentType "agent user." Human users accessing agents appear in standard user sign-ins. Each log entry includes Conditional Access evaluation details showing which policies applied, which were in report-only mode, and whether access was granted or blocked. Existing monitoring that filters only on traditional service principal types or interactive user sign-ins will miss agent traffic entirely.

Organizations must update their existing sign-in log monitoring to filter on agentType, add these filters to existing workbooks and dashboards, and extend alert rules to trigger on agent-specific patterns such as unexpected CA policy blocks, high-risk agent sign-ins, or agent identities accessing resources outside their normal scope. This is also essential for the report-only-then-enforce deployment model that all CA policies for agents should follow — before moving any CA policy from report-only to enforcement, administrators must review sign-in logs filtered by agentType to validate impact. This supports Assume breach by ensuring agent activity is visible through the same monitoring infrastructure that already protects human identities, and Verify explicitly by confirming that CA policies evaluate every agent token acquisition as intended. If existing monitoring is not extended, organizations have a blind spot in their sign-in log coverage where agent traffic flows unmonitored — despite the telemetry already being present in the logs.
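The following is an added example (not Microsoft's code or a query from this page) showing the three monitoring tasks described above over constructed sign-in records: filtering on agentType, reviewing report-only policy impact before enforcement, and flagging blocked or out-of-scope agent sign-ins. The record shape is an assumed approximation of the Microsoft Graph signIn resource (conditionalAccessStatus, appliedConditionalAccessPolicies with their result values, resourceDisplayName, servicePrincipalName, userPrincipalName) plus an assumed top-level agentType field carrying the two values the page names; the agent names, policy names and baseline scope are constructed. Column names in a real workbook or KQL query should be checked against the tenant's schema.

```python
"""Triage Entra sign-in records for agent identity traffic.

Added example, not Microsoft's code. The record shape is a constructed
approximation of the Graph signIn resource plus an assumed top-level
``agentType`` field holding the values the page names ("agent ID user" for
agent identities in service principal sign-ins, "agent user" for agent users
in non-interactive user sign-ins).
"""
from collections import Counter

AGENT_TYPES = {"agent ID user", "agent user"}

# Constructed sample records. s4 is a human sign-in so the filter has
# something to exclude; s2 is blocked by an enforced policy and also reaches
# a resource outside the agent's baseline scope.
SAMPLE_SIGNINS = [
    {"id": "s1", "agentType": "agent ID user", "servicePrincipalName": "invoice-agent",
     "resourceDisplayName": "Microsoft Graph", "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block legacy auth for agents", "result": "reportOnlyFailure"}]},
    {"id": "s2", "agentType": "agent ID user", "servicePrincipalName": "invoice-agent",
     "resourceDisplayName": "Azure Key Vault", "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant network for agents", "result": "failure"}]},
    {"id": "s3", "agentType": "agent user", "userPrincipalName": "helpdesk-agent@contoso.example",
     "resourceDisplayName": "Exchange Online", "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block legacy auth for agents", "result": "reportOnlyFailure"}]},
    {"id": "s4", "userPrincipalName": "alice@contoso.example",
     "resourceDisplayName": "Copilot Studio", "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA", "result": "success"}]},
    {"id": "s5", "agentType": "agent user", "userPrincipalName": "helpdesk-agent@contoso.example",
     "resourceDisplayName": "Microsoft Teams", "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block legacy auth for agents", "result": "reportOnlySuccess"}]},
]

# Assumed baseline of resources each agent normally accesses; in practice this
# comes from the agent's documented scope or a learned profile.
BASELINE_SCOPE = {
    "invoice-agent": {"Microsoft Graph"},
    "helpdesk-agent@contoso.example": {"Exchange Online", "Microsoft Teams"},
}


def identity(record):
    """Agent identities carry servicePrincipalName; agent users carry userPrincipalName."""
    return record.get("servicePrincipalName") or record.get("userPrincipalName")


def agent_signins(records):
    """The filter existing workbooks lack: keep only rows with an agent agentType."""
    return [r for r in records if r.get("agentType") in AGENT_TYPES]


def count_by_agent_type(records):
    """Dashboard tile: volume of agent sign-ins per agentType value."""
    return dict(Counter(r["agentType"] for r in agent_signins(records)))


def report_only_impact(records):
    """Pre-enforcement review: for each report-only policy, how many agent
    sign-ins would have been blocked had the policy been enforced."""
    impact = Counter()
    for r in agent_signins(records):
        for policy in r.get("appliedConditionalAccessPolicies", []):
            if policy.get("result") == "reportOnlyFailure":
                impact[policy["displayName"]] += 1
    return dict(impact)


def blocked_agent_signins(records):
    """Alert candidate: agent sign-ins blocked by an enforced CA policy."""
    return [r["id"] for r in agent_signins(records)
            if r.get("conditionalAccessStatus") == "failure"]


def out_of_scope_access(records, baseline):
    """Alert candidate: an agent reached a resource outside its baseline scope."""
    findings = []
    for r in agent_signins(records):
        who = identity(r)
        if r["resourceDisplayName"] not in baseline.get(who, set()):
            findings.append((r["id"], who, r["resourceDisplayName"]))
    return findings


if __name__ == "__main__":
    print("agent sign-ins by type:", count_by_agent_type(SAMPLE_SIGNINS))
    print("report-only impact:", report_only_impact(SAMPLE_SIGNINS))
    print("blocked agent sign-ins:", blocked_agent_signins(SAMPLE_SIGNINS))
    print("out-of-scope access:", out_of_scope_access(SAMPLE_SIGNINS, BASELINE_SCOPE))
```

The report_only_impact count is the number an administrator would review before flipping a policy from report-only to enforcement: a non-zero count against an agent that is expected to keep working means the policy's conditions need adjusting first. The other two functions are the shapes of alert rules the page calls for; in a real deployment they would run over the service principal and non-interactive user sign-in tables rather than an in-memory list.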

Reference