
One Compromised Agent ID Blueprint Can Cross Tenant Boundaries
Show notes
Microsoft Entra Agent ID uses familiar application and service-principal objects under the hood, but its one-to-many hierarchy creates a different security boundary. A blueprint can be associated with many agent identities. When that blueprint belongs to a third-party provider and is trusted across customer tenants, the provider’s credential security becomes part of every customer’s risk model.
In this episode of Entra.Chat, Merill speaks with Katie Knowles, Senior Security Researcher at Datadog, about her three-part security analysis of Microsoft Entra Agent ID. Katie explains the blueprint, blueprint principal, agent identity, and agent-user relationships before walking through a cross-tenant compromise demonstration: compromised blueprint credentials, enumeration of associated agents, token requests in trusting tenants, permission inspection, and selection of a useful target identity.
That path does not automatically grant Global Administrator access. Its impact depends on what the target agent identity has been permitted to do. The important lesson is the control point: one blueprint can sit upstream of many identities, tenants, and permission sets.
Katie and Merill also discuss tenant-owned versus vendor-owned blueprints, the Agent ID Administrator role, first-party agent creation through Microsoft platforms, why production client secrets compound the blast radius, workload identity federation, separating blueprints by risk, reusing app-registration detections, and Microsoft Entra ID Protection for agents.
REGISTER: Hidden Risk of App Permissions in Entra ID
Many Microsoft Entra ID environments contain third-party and custom applications with permissions that are broader than necessary, and most organizations lack visibility into how those permissions are being used. Excessive Microsoft Graph permissions and unused access increase the risk of OAuth abuse and privilege escalation.
Join our live session on July 22 to learn how to:
* Evaluate delegated versus application permissions
* Build an effective app governance strategy
* Reduce unnecessary access without disrupting users
You’ll also see how a free AppGov Score assessment can help identify governance gaps and where unused permissions reporting fit into a least-privilege approach.
Subscribe with your favorite podcast player or watch on YouTube
About Katie Knowles
Katie Knowles is a Senior Security Researcher at Datadog focused on Azure security research, cloud identity, and securing emerging technologies.
* LinkedIn - https://linkedin.com/in/kaknowles
* X/Twitter - https://twitter.com/_sigil
* GitHub - https://github.com/siigil
* Website - https://kknowl.es/
* Microsoft MVP profile - https://mvp.microsoft.com/en-US/MVP/profile/a3547b6a-6a4d-4aa0-840f-23b858c43c8b
Related Links
* Entra Agent ID: The blueprint blast radius (mentioned at 51:39) - https://securitylabs.datadoghq.com/articles/agent-id-blueprint-blast-radius/
* Entra Agent ID: Inside a cross-tenant agent compromise (mentioned at 51:39) - https://securitylabs.datadoghq.com/articles/agent-id-inside-agent-compromise/
* Entra Agent ID: Protect, detect, respond (mentioned at 51:39) - https://securitylabs.datadoghq.com/articles/agent-id-protect-detect-respond/
* Disable agent identities in your tenant (mentioned at 04:00 and 49:33) - https://learn.microsoft.com/entra/agent-id/disable-agent-identities
* Investigating suspicious AI workflows in Microsoft Entra Agent ID: Agent’s user account (mentioned at 05:14) - https://redcanary.com/blog/threat-detection/entra-id-ai-workflows-teams/
* Entra Agent ID from a Security Perspective (mentioned at 20:38) - https://blog.compass-security.com/2026/06/entra-agent-id-from-a-security-perspective/
* Spying On Your ISVs Credential Choices (mentioned at 38:11) - https://ericonidentity.com/2025/01/13/spying-on-your-isvs-credential-choices/
* Who Are the Robots? Uncovering AI Agents Identities (mentioned at 51:39) - https://www.youtube.com/watch?v=mMxACHKIAwY
* AzTier (mentioned at 51:39) - https://aztier.com/
* Microsoft Entra Agent ID key concepts - https://learn.microsoft.com/entra/agent-id/key-concepts
* Workload identity federation - https://learn.microsoft.com/entra/workload-id/workload-identity-federation
* ID Protection for agents - https://learn.microsoft.com/entra/id-protection/concept-risky-agents
Related Entra.Chat Episodes
* If You Manage Entra Permissions, Watch This Before Deploying Agents - https://entra.news/p/if-you-manage-entra-permissions-watch
* From Windows Core to Leading Agent ID: Vince Smith’s Microsoft Story - https://entra.news/p/from-windows-core-to-leading-agent
* Attackers Are Targeting the AI Ecosystem You Cannot See - https://entra.news/p/attackers-are-targeting-the-ai-ecosystem
Chapters
00:00 Intro
01:12 Katie’s Three-Part Agent ID Research
05:40 Agent ID Objects Under the Hood
06:24 One Blueprint, Many Agent Identities
08:43 The Multitenant Trust Boundary
17:33 Cross-Tenant Compromise Walkthrough
28:29 First-Party and Third-Party Blueprints
36:56 Stop Using Client Secrets
38:40 Workload Identity Federation
46:24 Permissions and Privilege Boundaries
49:33 Detecting and Responding to Agent Abuse 51:29 What Comes Next for Agent ID
Podcast Apps
Apple Podcast - https://entra.chat/apple
YouTube - https://entra.chat/youtube
Spotify - https://entra.chat/spotify
Overcast - https://entra.chat/overcast
Pocketcast - https://entra.chat/pocketcast
Others - https://entra.chat/rss
Merill’s socials
YouTube - youtube.com/@merillx
LinkedIn - linkedin.com/in/merill
Twitter - twitter.com/merill
TikTok - tiktok.com/@merillf
Bluesky - bsky.app/profile/merill.net
Mastodon - infosec.exchange/@merill
Threads - threads.net/@merillf
GitHub - github.com/merill
Get full access to Entra.News - Your weekly dose of Microsoft Entra at entra.news/subscribe