Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Entra agent identity inheritance: what it means for IAM controls


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: Microsoft Entra agent identities can combine direct app-only permissions with inheritable delegated scopes, including enumerated or allAllowed inheritance, creating a runtime access model that can expand beyond the original assignment if governance is weak, according to Semperis. The governance issue is not the API call itself, but the assumption that access boundaries stay stable once a blueprint is created.

NHIMG editorial — based on content published by Semperis: Assign permission to the agent identity and configure inheritable permissions in Entra ID

By the numbers:

Questions worth separating out

Q: How should teams govern AI agents that inherit human access rights?

A: Teams should treat inherited access as temporary and bounded to a specific task, owner, and expiry.

Q: Why do blueprint-based permissions increase NHI governance risk?

A: Blueprint-based permissions create reuse and persistence.

Q: What breaks when teams review only the agent object and not the blueprint?

A: They miss inherited access.

Practitioner guidance

  • Map blueprint-level permissions before agent rollout Record every delegated scope and app-only role granted at the blueprint level, then trace which agent identities inherit them in delegated and app-only flows.
  • Test token contents after each permission change Validate issued tokens for both direct and inherited rights after changing appRoleAssignments, oauth2PermissionGrants, or inheritablePermissions settings.
  • Separate blueprint review from identity review Add blueprint inheritance records to access reviews, recertification, and offboarding workflows so inherited permissions are reviewed even when the agent identity itself is unchanged.

What's in the full article

Semperis's full guide covers the operational detail this post intentionally leaves for the source:

  • Step-by-step MS Graph request patterns for appRoleAssignments, oauth2PermissionGrants, and inheritablePermissions.
  • Token validation examples showing how direct and inherited permissions appear in delegated and app-only flows.
  • Blueprint update handling with Patch requests for existing inheritable permissions.
  • Practical lab workflow for building and testing agent identity permissions end to end.

👉 Read Semperis's guide to agent identity permission inheritance in Entra ID →

Entra agent identity inheritance: what it means for IAM controls?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Inherited access is the real control plane for Entra agent identities. The article shows that the effective privilege of an agent is created by both the direct app role and the inherited blueprint permission, not by one setting alone. That means reviewers who inspect only the agent object will miss the true access boundary. Practitioners should treat inheritance as the authoritative entitlement source, not a convenience feature.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: Who is accountable when an inherited permission grants too much access?

A: Accountability sits with whoever owns the blueprint, the permission policy, and the review process, not only the person who created the individual agent. If inherited access was allowed without explicit approval and token validation, then governance failed at the template layer and the operational layer.

👉 Read our full editorial: Inherited permissions in Entra agent identities widen runtime access



   
ReplyQuote
Share: