Identity-aware AI agents: where directory identity stops and policy starts


(@nhi-mgmt-group)

TL;DR: Azure AI Foundry and Entra can register agents, apply directory controls, and federate third-party identities, but per-request authorisation, credential vaulting, and approval flows still sit outside the native stack, according to Descope. The governance gap is not agent identity itself, but the assumption that pre-granted scopes are enough for dynamic agent behaviour.

NHIMG editorial — based on content published by Descope: Build Identity-Aware Agents With Azure AI Foundry and Descope

By the numbers:

Questions worth separating out

Q: How should security teams govern agent access when directory identity is not enough?

A: They should treat directory identity as the starting point, not the decision.

Q: Why do AI agents create problems for traditional access review models?

A: Because traditional reviews assume privileges persist long enough to be observed, certified, and recertified.

Q: How can teams reduce secret exposure in agent workflows?

A: Use a vault for third-party OAuth tokens and static API keys, then retrieve credentials only when a tool call needs them.

Practitioner guidance

  • Separate registration from authorisation: Record every agent in the directory, but move the actual allow or deny decision to issuance time using user, tenant, resource, and scope as inputs.
  • Centralise policy for agent token minting: Define request-level rules once and apply them before tokens are issued, rather than replicating scope checks in each MCP server or backend API.
  • Vault non-Microsoft credentials outside the runtime: Move third-party OAuth tokens and static API keys into a controlled vault, then fetch them at call time with scoped exchange.

What's in the full article

Descope's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step setup for Descope projects, clients, resources, and connections across Azure AI Foundry and MCP tools
  • Code-level examples for token exchange, resource-level scopes, and per-run Authorization headers
  • Configuration guidance for CIBA, dynamic client registration, and approval flows for headless agents
  • Operational logging and audit behaviour for issuance-time policy decisions and approval outcomes

👉 Read Descope's analysis of Azure AI Foundry and agent identity governance →
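Added example (not part of the original post, and not Descope or Microsoft code): a minimal sketch of the issuance-time decision described under Practitioner guidance, taking user, tenant, resource, and scope as inputs and returning one evidence record per request. All agent, user, tenant, resource, and scope names are constructed, and the policy table layout is an assumption.

```python
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class TokenRequest:
    agent_id: str
    user: str
    tenant: str
    resource: str
    scopes: frozenset

# Constructed sample data; the table layout is an assumption for illustration.
REGISTERED_AGENTS = {"agent-invoices"}  # stands in for the directory record
POLICY = {  # one central rule set, keyed by (tenant, resource), then scope
    ("tenant-a", "billing-api"): {
        "invoices.read": {"users": {"alice", "bob"}, "approval": False},
        "invoices.pay": {"users": {"alice"}, "approval": True},
    },
}

def decide(req, approved=False):
    """Evaluate one token request before issuance; return an evidence record."""
    rules = POLICY.get((req.tenant, req.resource), {})
    if req.agent_id not in REGISTERED_AGENTS:
        decision, reason = "deny", "agent not registered"
    elif not req.scopes or any(s not in rules for s in req.scopes):
        decision, reason = "deny", "scope not defined for tenant/resource"
    elif any(req.user not in rules[s]["users"] for s in req.scopes):
        decision, reason = "deny", "user not entitled to scope"
    elif any(rules[s]["approval"] for s in req.scopes) and not approved:
        decision, reason = "pending_approval", "sensitive scope needs approval"
    else:
        decision, reason = "allow", "policy satisfied"
    return {
        "agent": req.agent_id, "user": req.user, "tenant": req.tenant,
        "resource": req.resource, "requested": sorted(req.scopes),
        "granted": sorted(req.scopes) if decision == "allow" else [],
        "decision": decision, "reason": reason, "approved": approved,
    }

if __name__ == "__main__":
    read = TokenRequest("agent-invoices", "bob", "tenant-a", "billing-api",
                        frozenset({"invoices.read"}))
    pay = TokenRequest("agent-invoices", "alice", "tenant-a", "billing-api",
                       frozenset({"invoices.pay"}))
    for req, ok in [(read, False), (pay, False), (pay, True)]:
        print(json.dumps(decide(req, approved=ok)))  # one audit line per request
```

A registered agent is still denied or held for approval here, which is the split between directory identity and per-request authority; token minting and the approval channel itself are outside this sketch.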

(@mr-nhi)

Directory-granted agent identity is not the same as request-granted authority. The article exposes a governance split that many identity programmes still blur: an agent can be registered, governed by Conditional Access, and federated through a directory without being authorised for a specific action at the moment of use. That is a control boundary problem, not a product feature issue. Practitioners should treat directory identity as standing context and issuance-time policy as the real decision point.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
  • 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: Who is accountable when an agent performs a sensitive action without adequate approval?

A: Accountability should sit with the team that defined the approval policy, the team that integrated the agent, and the owner of the downstream system that accepted the call. If those responsibilities are split, the organisation needs a single evidence trail that ties the user, the agent, the request, and the approval outcome together.

👉 Read our full editorial: Identity-aware AI agents expose the limits of directory-granted access



   