TL;DR: Three Microsoft Entra ID agent identity flows show how T1, TC, T2, and TR tokens carry app, user, and delegated claims across autonomous, on-behalf-of, and agent user patterns, according to Semperis. The governance problem is not just access design, but assuming token claims alone define safe agent behaviour.
NHIMG editorial — based on content published by Semperis: Understanding and Preventing Entra ID Agent Identity Attacks: A Comprehensive Guide
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: How should security teams handle agent identity admin roles in Entra ID?
A: Treat agent identity admin roles as privileged until you verify the exact objects they can reach.
Q: Why do agent user and on-behalf-of flows complicate IAM reviews?
A: They complicate IAM reviews because a machine-driven path can produce tokens that resemble normal user activity while carrying inherited or direct non-human privileges.
Q: What breaks when delegated consent is broader than the task actually needs?
A: The access model breaks because the agent can re-express broad consent into runtime privilege that outlives the original approval context.
Practitioner guidance
- Map each Entra ID token flow to an owning identity object Document which principal owns T1, TC, T2, and TR in your tenant, then compare those objects to the permissions actually exercised in Graph.
- Separate agent user activity from human session review Create detection and review rules that classify idtyp, appid, oid, and scp combinations before they enter human access review queues.
- Reassess inherited delegated permissions as blast-radius multipliers Inventory OAuth2 permission grants that allow an agent to act on behalf of a user or agent user, then limit broad scopes such as Group.Read.All where the delegation chain is not operationally required.
What's in the full article
Semperis's full guide covers the operational detail this post intentionally leaves for the source:
- Step-by-step token acquisition sequences for each Entra ID agent identity flow.
- Decoded claim-by-claim examples showing how oid, azp, appid, idtyp, and scp change by flow.
- Configuration steps for blueprint permissions, consent, and inheritable delegated scopes.
- Practice checkpoints that let you validate the model directly in a tenant.
👉 Read Semperis's guide to Entra ID agent identity token flows and protections →
Entra ID agent identity token flows: what security teams need to watch?
Explore further