Microsoft Entra Agent ID Blueprint Model Expands Cross-Tenant Compromise Risk
New research warns that Microsoft Entra Agent ID can significantly widen the impact of a single credential compromise because authentication is anchored to an agent blueprint while privileges can be distributed across many child agent identities. Security researchers found that one blueprint principal can authenticate up to 250 agent identities per tenant, optionally span multiple tenants, and inherit a mix of service principal permissions, user-like capabilities, Entra role assignments, and delegated permissions. Datadog and Compass Security both reported that this design creates a larger blast radius than traditional Entra applications, especially when third-party or multitenant blueprints are used, because the publishing tenant controls the credential material trusted by consuming tenants.
Researchers also demonstrated practical abuse paths. Compass Security showed that attackers who gain blueprint ownership or credential-management access could add credentials, create child agent identities through the AgentIdentity.CreateAsManager role claim, and potentially escalate privileges up to Global Administrator; it also described consent-phishing with a foreign multitenant blueprint to inherit permissions such as Application.ReadUpdate.All. Separately, Red Canary documented a suspicious non-interactive Microsoft Graph sign-in tied to an assistive agent, where the application Agent001 authenticated with a federated identity credential, satisfied MFA via token claims rather than user interaction, and requested broad scopes including Group.Read.All, Mail.ReadWrite, Mail.Send, MailboxSettings.ReadWrite, and User.Read, underscoring how Agent ID workflows can blur the line between application and user access.

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Datadog details Entra Agent ID blueprint blast radius risks
Datadog Security Labs published an analysis warning that Entra Agent ID's blueprint-based identity model can create a larger compromise blast radius than the traditional Entra application model. The post highlighted that a single compromised blueprint credential could expose up to 250 agent identities per tenant, optional agent users, and cross-tenant identities with accumulated privileges.
Suspicious Entra Agent ID sign-in to Microsoft Graph observed
On 2026-05-08, an Azure AD non-interactive sign-in recorded successful authentication for user Matt Graeber to Microsoft Graph via the application Agent001 using a federated identity credential. The event originated from IP 51.3.97.221, used a PowerShell/7.6.1 user agent on macOS, and requested broad Microsoft Graph scopes including Group.Read.All, Mail.ReadWrite, Mail.Send, MailboxSettings.ReadWrite, and User.Read.
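The sign-in above combines several signals that, taken individually, are routine: a non-interactive sign-in, a federated identity credential, MFA satisfied by token claims rather than a prompt, and a scope set that includes mailbox read, write and send. The following triage rule is an added example written for this page; it is not code from Red Canary, Datadog, Compass Security, Mallory or Microsoft. The record schema is a simplified, constructed one (the field names are assumptions loosely modelled on the Microsoft Graph signIn resource; credentialType, mfaSatisfiedBy and scopes in particular are assumed, not real log fields), and the sample records are constructed from the event described in the story plus two benign contrasts.

```python
"""Triage rule for Entra sign-in records (added example, assumed schema).

Flags a sign-in when an agent-style authentication path (non-interactive,
federated identity credential and/or MFA carried in token claims) is paired
with mailbox scopes, which is the combination the Red Canary observation
describes for the application Agent001.
"""
from __future__ import annotations

from typing import Iterable

# Scopes named in the story. Mailbox scopes let the caller read, alter and
# send mail on the signed-in user's behalf; User.Read alone is low risk.
MAILBOX_SCOPES = {"Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}
DIRECTORY_SCOPES = {"Group.Read.All"}

# Constructed sample records. Field names are assumptions, not the real
# Entra sign-in log schema. Record evt-001 mirrors the event in the story
# (date, user, app, IP and user agent are taken from the page; the time of
# day is a placeholder). evt-002 and evt-003 are constructed benign contrasts.
SAMPLE_SIGNINS = [
    {
        "id": "evt-001",
        "createdDateTime": "2026-05-08T00:00:00Z",
        "userDisplayName": "Matt Graeber",
        "appDisplayName": "Agent001",
        "resourceDisplayName": "Microsoft Graph",
        "isInteractive": False,
        "ipAddress": "51.3.97.221",
        "userAgent": "PowerShell/7.6.1 (Darwin)",
        "credentialType": "federatedIdentityCredential",  # assumed field
        "mfaSatisfiedBy": "tokenClaim",                   # assumed field
        "scopes": ["Group.Read.All", "Mail.ReadWrite", "Mail.Send",
                   "MailboxSettings.ReadWrite", "User.Read"],
    },
    {
        # Interactive user sign-in with an MFA prompt: not agent-like.
        "id": "evt-002",
        "createdDateTime": "2026-05-08T00:00:00Z",
        "userDisplayName": "Example User",
        "appDisplayName": "Outlook",
        "resourceDisplayName": "Microsoft Graph",
        "isInteractive": True,
        "credentialType": "password",
        "mfaSatisfiedBy": "authenticatorApp",
        "scopes": ["Mail.ReadWrite", "User.Read"],
    },
    {
        # Non-interactive agent sign-in that asks only for User.Read: low risk.
        "id": "evt-003",
        "createdDateTime": "2026-05-08T00:00:00Z",
        "userDisplayName": "Example User",
        "appDisplayName": "Agent002",
        "resourceDisplayName": "Microsoft Graph",
        "isInteractive": False,
        "credentialType": "federatedIdentityCredential",
        "mfaSatisfiedBy": "tokenClaim",
        "scopes": ["User.Read"],
    },
]


def triage_signin(rec: dict) -> dict:
    """Return the record id, app, a flag decision and the reasons behind it."""
    reasons: list[str] = []
    non_interactive = not rec.get("isInteractive", True)
    fic = rec.get("credentialType") == "federatedIdentityCredential"
    mfa_by_claim = rec.get("mfaSatisfiedBy") == "tokenClaim"
    if non_interactive:
        reasons.append("non-interactive sign-in")
    if fic:
        reasons.append("authenticated with a federated identity credential")
    if mfa_by_claim:
        reasons.append("MFA satisfied by token claims, not user interaction")
    scopes = set(rec.get("scopes", []))
    mailbox = sorted(scopes & MAILBOX_SCOPES)
    if mailbox:
        reasons.append("mailbox scopes requested: " + ", ".join(mailbox))
    directory = sorted(scopes & DIRECTORY_SCOPES)
    if directory:
        reasons.append("directory scopes requested: " + ", ".join(directory))
    # Decision: an agent-style auth path (non-interactive plus a non-user
    # credential or MFA source) combined with mailbox access is worth review.
    agent_like = non_interactive and (fic or mfa_by_claim)
    return {
        "id": rec["id"],
        "app": rec.get("appDisplayName"),
        "user": rec.get("userDisplayName"),
        "flag": agent_like and bool(mailbox),
        "reasons": reasons,
    }


def flagged_apps(records: Iterable[dict]) -> list[str]:
    """Names of applications whose sign-ins the rule flags, in input order."""
    return [r["app"] for r in map(triage_signin, records) if r["flag"]]


if __name__ == "__main__":
    for result in map(triage_signin, SAMPLE_SIGNINS):
        status = "FLAG" if result["flag"] else "ok  "
        print(f"{status} {result['id']} {result['app']} ({result['user']})")
        for reason in result["reasons"]:
            print(f"       - {reason}")
```

Run against the constructed records, only Agent001 is flagged: the Outlook sign-in is interactive with an MFA prompt, and Agent002 uses the same agent-style path but asks for nothing beyond User.Read. In a real deployment the rule would read from the tenant's sign-in export rather than SAMPLE_SIGNINS, and the credential and MFA signals would have to be mapped from whatever fields that export actually carries.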
Compass Security publishes Agent ID security analysis
Compass Security published research describing Microsoft Entra Agent ID's security model and attack paths, including blueprint credential compromise, blueprint ownership abuse, and consent phishing with foreign multitenant blueprints. The analysis also reported that dangerous Graph permissions and Azure RBAC role assignments remained assignable in testing despite some Microsoft restrictions.
Sources
4 references tracked.
Entra Agent ID: Inside a cross-tenant agent compromise | Datadog Security Labs (securitylabs.datadoghq.com, open source)
Entra Agent ID: The blueprint blast radius | Datadog Security Labs (securitylabs.datadoghq.com, open source)
Investigating suspicious AI workflows in Microsoft Entra Agent ID: Assistive agents | Red Canary (redcanary.com, open source)
Entra Agent ID from a Security Perspective - Compass Security Blog (blog.compass-security.com, open source)