How To Block AI Agents From Microsoft Entra

Key Takeaways

Microsoft Entra can automatically block AI agents that are flagged as high risk before they gain access to resources.
A Conditional Access policy targeting agent identities provides enforcement at the authentication layer, preventing risky agents from obtaining tokens.
Running the policy in Report-only mode first helps identify false positives and avoid disrupting legitimate AI-driven workflows.
Agent risk evaluations are powered by Microsoft Entra ID Protection, which continuously assesses agent identities and can trigger immediate enforcement when risk levels increase.
This protection applies only to agent identities; agents operating through on-behalf-of (OBO) user permissions require separate user-focused Conditional Access controls.

Autonomous AI agents authenticate with their own identity in your Microsoft Entra tenant, separate from any user, and a compromised or misbehaving one is effectively an attacker holding valid credentials, moving at machine speed.

Microsoft Entra ID Protection scores agent identities for risk the same way it scores users, and you can block high-risk agents at the authentication layer before they ever reach a resource.

This blog is a step-by-step guide on how to configure the right AI agent security policy that will help you block high-risk agents from accessing Microsoft Entra.

Block High-Risk Agents with a Conditional Access Policy

This is the proper technical block. A Conditional Access policy targets to enforce access at the authentication layer and not just the UI.

Note: On-behalf-of agents are not covered by this policy. If a user signs into an agent, the agent can reach resources using that user’s delegated permissions. In this flow, the scope of the Conditional Access policy is the user, not the agent identity, so agent risk doesn’t fire.

Steps:

1. Sign in to entra.microsoft.com as a Global Administrator.

2. Go to Entra ID > Conditional Access > Policies.

3. Click New policy.

4. Name the policy (for example: CA-Block-Entra-Admin-Center-Non-Admins)

5. Click under Users and Agents. Under “what does this policy apply to?” select Agents:

Include: All agent identities

6. Under Target resources, select Resources (formerly cloud apps).

7. Select Include > All resources (formerly ‘All cloud apps’).

8. Click under Conditions.

9. Click under Agent risk (Preview) and select Configure > Yes > High.

10. Click Done.

11. Under Grant, select Block access.

12. Set Enable policy to On (or Report-only for initial testing).

13. Click Create.

Best Practice: Policy Enforcement

Run the policy in Report-only mode for at least a week before switching to On. During that period, monitor Entra ID > Monitoring > Sign-in logs and filter for agent identities to see what would have been blocked.

Look specifically for legitimate agents that are being flagged, as these are your false positives, and you want to resolve them before enforcement starts. Only switch to On once you’re confident the policy is catching the right identities and not breaking real workflows.

Why This Matters

As AI agents gain access to enterprise systems, they effectively become non-human identities within your tenant. A compromised agent can leverage valid credentials to access resources, automate actions, and escalate risk at a pace humans can hardly fathom. Limiting access for high-risk agents provides an important layer of defense for several reasons:

It stops the threat before it reaches your data: Enforcement happens at the authentication layer, so a flagged agent never gets the token in the first place, and you’re not cleaning up after it’s already touched a resource.
It’s automatic and immediate: The block keys off the Identity Protection risk signal, so the moment an agent is scored High, including when you confirm one as compromised, enforcement happens with no human in the loop.
It scales where manual review can’t: Agents appear faster than anyone can inventory them. Blocking the high-risk ones lets the risk engine do the triage instead of you vetting each agent by hand.
It’s precise: A well-targeted policy blocks only agents at high risk, leaving your users and healthy agents untouched, which offers strong protection without a productivity cost.

Frequently Asked Questions

What does “agent risk” mean, and how is it scored?

Agent risk comes from Microsoft Entra ID Protection, which evaluates agent identities the same way it evaluates risky users and sign-ins. You can review flagged agents in the Risky Agents report in the Entra admin center, where risk detections are visible for up to 90 days, with details on the agent’s display name, risk state, risk level, type, and sponsors. An agent can also be manually set to high risk when you confirm an agent is compromised.

What happens to a legitimate agent that gets flagged as high-risk?

It’s blocked from requesting tokens like any other high-risk agent, which is a false positive, and can break a real workflow. That’s why you run the policy in Report-only mode first: enable it in report-only mode for at least a week before enforcement and check the sign-in logs to see what would have been caught.

Does this policy affect agents operating on behalf of a user?

No. In the on-behalf-of (OBO) flow, a user signs into the agent application, and the agent accesses resources using the user’s delegated permissions. The Conditional Access subject in that flow is the user, not the agent identity, so agent risk doesn’t evaluate, and this policy has no effect. To control what OBO agents can access, you need a user-targeted Conditional Access policy scoped to the relevant resources.

About
Latest Posts

Ahona Rudra

Domain & Email Security Expert at PowerDMARC

Ahona is the Marketing Manager at PowerDMARC, with 5+ years of experience in writing about cybersecurity topics, specializing in domain and email security. Ahona holds a post-graduation degree in Journalism and Communications, solidifying her career in the security sector since 2019.

How to Block High-Risk AI Agents in Microsoft Entra