Entra.Chat
Entra.Chat
Entra.Chat·Jul 12, 2026·54m·Episode #66

One Compromised Agent ID Blueprint Can Cross Tenant Boundaries

Show notes

Microsoft Entra Agent ID uses familiar application and service-principal objects under the hood, but its one-to-many hierarchy creates a different security boundary. A blueprint can be associated with many agent identities. When that blueprint belongs to a third-party provider and is trusted across customer tenants, the provider’s credential security becomes part of every customer’s risk model.

In this episode of Entra.Chat, Merill speaks with Katie Knowles, Senior Security Researcher at Datadog, about her three-part security analysis of Microsoft Entra Agent ID. Katie explains the blueprint, blueprint principal, agent identity, and agent-user relationships before walking through a cross-tenant compromise demonstration: compromised blueprint credentials, enumeration of associated agents, token requests in trusting tenants, permission inspection, and selection of a useful target identity.

That path does not automatically grant Global Administrator access. Its impact depends on what the target agent identity has been permitted to do. The important lesson is the control point: one blueprint can sit upstream of many identities, tenants, and permission sets.

Katie and Merill also discuss tenant-owned versus vendor-owned blueprints, the Agent ID Administrator role, first-party agent creation through Microsoft platforms, why production client secrets compound the blast radius, workload identity federation, separating blueprints by risk, reusing app-registration detections, and Microsoft Entra ID Protection for agents.

REGISTER: Hidden Risk of App Permissions in Entra ID

Many Microsoft Entra ID environments contain third-party and custom applications with permissions that are broader than necessary, and most organizations lack visibility into how those permissions are being used. Excessive Microsoft Graph permissions and unused access increase the risk of OAuth abuse and privilege escalation.

Join our live session on July 22 to learn how to:

* Evaluate delegated versus application permissions

* Build an effective app governance strategy

* Reduce unnecessary access without disrupting users

You’ll also see how a free AppGov Score assessment can help identify governance gaps and where unused permissions reporting fit into a least-privilege approach.

Subscribe with your favorite podcast player or watch on YouTube

About Katie Knowles

Katie Knowles is a Senior Security Researcher at Datadog focused on Azure security research, cloud identity, and securing emerging technologies.

* LinkedIn - https://linkedin.com/in/kaknowles

* X/Twitter - https://twitter.com/_sigil

* GitHub - https://github.com/siigil

* Website - https://kknowl.es/

* Microsoft MVP profile - https://mvp.microsoft.com/en-US/MVP/profile/a3547b6a-6a4d-4aa0-840f-23b858c43c8b

Related Links

* Entra Agent ID: The blueprint blast radius (mentioned at 51:39) - https://securitylabs.datadoghq.com/articles/agent-id-blueprint-blast-radius/

* Entra Agent ID: Inside a cross-tenant agent compromise (mentioned at 51:39) - https://securitylabs.datadoghq.com/articles/agent-id-inside-agent-compromise/

* Entra Agent ID: Protect, detect, respond (mentioned at 51:39) - https://securitylabs.datadoghq.com/articles/agent-id-protect-detect-respond/

* Disable agent identities in your tenant (mentioned at 04:00 and 49:33) - https://learn.microsoft.com/entra/agent-id/disable-agent-identities

* Investigating suspicious AI workflows in Microsoft Entra Agent ID: Agent’s user account (mentioned at 05:14) - https://redcanary.com/blog/threat-detection/entra-id-ai-workflows-teams/

* Entra Agent ID from a Security Perspective (mentioned at 20:38) - https://blog.compass-security.com/2026/06/entra-agent-id-from-a-security-perspective/

* Spying On Your ISVs Credential Choices (mentioned at 38:11) - https://ericonidentity.com/2025/01/13/spying-on-your-isvs-credential-choices/

* Who Are the Robots? Uncovering AI Agents Identities (mentioned at 51:39) - https://www.youtube.com/watch?v=mMxACHKIAwY

* AzTier (mentioned at 51:39) - https://aztier.com/

* Microsoft Entra Agent ID key concepts - https://learn.microsoft.com/entra/agent-id/key-concepts

* Workload identity federation - https://learn.microsoft.com/entra/workload-id/workload-identity-federation

* ID Protection for agents - https://learn.microsoft.com/entra/id-protection/concept-risky-agents

Related Entra.Chat Episodes

* If You Manage Entra Permissions, Watch This Before Deploying Agents - https://entra.news/p/if-you-manage-entra-permissions-watch

* From Windows Core to Leading Agent ID: Vince Smith’s Microsoft Story - https://entra.news/p/from-windows-core-to-leading-agent

* Attackers Are Targeting the AI Ecosystem You Cannot See - https://entra.news/p/attackers-are-targeting-the-ai-ecosystem

Chapters

00:00 Intro

01:12 Katie’s Three-Part Agent ID Research

05:40 Agent ID Objects Under the Hood

06:24 One Blueprint, Many Agent Identities

08:43 The Multitenant Trust Boundary

17:33 Cross-Tenant Compromise Walkthrough

28:29 First-Party and Third-Party Blueprints

36:56 Stop Using Client Secrets

38:40 Workload Identity Federation

46:24 Permissions and Privilege Boundaries

49:33 Detecting and Responding to Agent Abuse 51:29 What Comes Next for Agent ID

Podcast Apps

Apple Podcast - https://entra.chat/apple

YouTube - https://entra.chat/youtube

Spotify - https://entra.chat/spotify

Overcast - https://entra.chat/overcast

Pocketcast - https://entra.chat/pocketcast

Others - https://entra.chat/rss

Merill’s socials

YouTube - youtube.com/@merillx

LinkedIn - linkedin.com/in/merill

Twitter - twitter.com/merill

TikTok - tiktok.com/@merillf

Bluesky - bsky.app/profile/merill.net

Mastodon - infosec.exchange/@merill

Threads - threads.net/@merillf

GitHub - github.com/merill



Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe