TL;DR: Microsoft’s Agent ID walkthrough shows how a blueprint, blueprint principal, credentials, and child agent user can be created and logged in Entra, exposing a new identity object model that IAM teams will need to govern, according to Semperis. The real issue is not the creation flow itself but the lifecycle, permission, and logging assumptions it introduces for non-human identities.
NHIMG editorial — based on content published by Semperis: Creating an agent identity blueprint and its blueprint principal
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
Questions worth separating out
Q: How should security teams govern Microsoft Agent ID objects as non-human identities?
A: Treat the blueprint, blueprint principal, credentials, and agent user as a linked identity chain with separate ownership, approval, and retirement steps.
Q: What breaks when an agent identity is managed like a normal service account?
A: You lose the object relationships that make the Agent ID model auditable. A service-account review looks at one principal in isolation, while the blueprint principal, agent identity, and agent user each derive their authority from the object above them, so a finding on one cannot be traced to the others.
Q: Why do federated credentials matter for Agent ID governance?
A: Federated credentials reduce secret handling exposure because they avoid a long-lived shared secret in many deployment patterns.
Practitioner guidance
- Inventory Agent ID object chains separately: Track the blueprint, blueprint principal, agent identity, and agent user as distinct records in your identity inventory so reviews can map authority and accountability correctly.
- Restrict client secret usage for blueprint authentication: Prefer federated identity credentials or certificates where possible, and require explicit exception handling when a client secret is used during blueprint setup.
- Split creation, credential, and permission approvals: Do not let one approval cover the full Agent ID lifecycle.
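The three guidance points above (separate inventory records, restricted client secret use, split approvals) can be turned into a review that runs over an exported inventory. The script below is an added illustration, not code from Semperis or Microsoft: the record shape (`kind`, `parent_id`, `owner`, `approvals`, `credentials`) and the 90-day rotation window are assumptions, and the sample inventory is constructed, not a Microsoft Graph response. It walks the blueprint, blueprint principal, agent identity, and agent user as a linked chain and flags orphaned links, missing owners, a single approval covering every lifecycle stage, client secrets with no recorded exception, and credentials past the rotation window.

```python
"""Governance checks over an exported Microsoft Agent ID object chain.

Added example. The inventory format is an ASSUMED record shape for an
internal identity inventory, not the Graph API schema, and SAMPLE is
constructed data. Policy values (rotation window) are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

ROTATION_WINDOW = timedelta(days=90)   # assumed rotation policy
TODAY = date(2025, 6, 1)               # pinned so the example is deterministic

# Expected parent kind for each link in the chain:
# blueprint -> blueprintPrincipal -> agentIdentity -> agentUser
PARENT_KIND = {
    "blueprintPrincipal": "blueprint",
    "agentIdentity": "blueprintPrincipal",
    "agentUser": "agentIdentity",
}
LIFECYCLE_STAGES = {"creation", "credential", "permission"}


@dataclass
class Obj:
    id: str
    kind: str
    owner: Optional[str] = None
    parent_id: Optional[str] = None
    approvals: dict = field(default_factory=dict)     # stage -> approval record id
    credentials: list = field(default_factory=list)   # dicts: type, created, exception


def check_inventory(objs):
    """Return (severity, object_id, message) findings for one inventory export."""
    by_id = {o.id: o for o in objs}
    findings = []
    for o in objs:
        # 1. Chain integrity: every non-root object must point at a live parent
        #    of the right kind, otherwise authority can no longer be traced upward.
        if o.kind in PARENT_KIND:
            parent = by_id.get(o.parent_id)
            if parent is None or parent.kind != PARENT_KIND[o.kind]:
                findings.append(("high", o.id,
                                 f"{o.kind} has no live {PARENT_KIND[o.kind]} parent"))
        # 2. Separate ownership: each record in the chain needs its own owner.
        if not o.owner:
            findings.append(("medium", o.id, "no owner recorded"))
        # 3. Split approvals: one approval id must not cover all three stages.
        if LIFECYCLE_STAGES <= o.approvals.keys() and \
                len({o.approvals[s] for s in LIFECYCLE_STAGES}) == 1:
            findings.append(("medium", o.id,
                             "single approval covers creation, credential and permission"))
        # 4. Credential hygiene: client secrets need a recorded exception,
        #    and anything older than the rotation window is flagged.
        for c in o.credentials:
            if c["type"] == "clientSecret" and not c.get("exception"):
                findings.append(("high", o.id, "client secret used without recorded exception"))
            if TODAY - c["created"] > ROTATION_WINDOW:
                findings.append(("medium", o.id,
                                 f"{c['type']} not rotated in {ROTATION_WINDOW.days} days"))
    return findings


# Constructed sample: chain 1 is clean, chain 2 shows the problems the guidance warns about.
SAMPLE = [
    Obj("bp-1", "blueprint", owner="platform-team",
        approvals={"creation": "CHG-100", "credential": "CHG-101", "permission": "CHG-102"},
        credentials=[{"type": "federatedIdentity", "created": date(2025, 5, 1)}]),
    Obj("bpp-1", "blueprintPrincipal", owner="platform-team", parent_id="bp-1"),
    Obj("ai-1", "agentIdentity", owner="app-team-a", parent_id="bpp-1"),
    Obj("au-1", "agentUser", owner="app-team-a", parent_id="ai-1"),
    Obj("bp-2", "blueprint", owner="platform-team",
        approvals={"creation": "CHG-200", "credential": "CHG-200", "permission": "CHG-200"},
        credentials=[{"type": "clientSecret", "created": date(2024, 12, 1)}]),
    # bpp-2 was deleted, so ai-2 is orphaned and also has no owner
    Obj("ai-2", "agentIdentity", owner=None, parent_id="bpp-2"),
    Obj("au-2", "agentUser", owner="app-team-b", parent_id="ai-2"),
]

if __name__ == "__main__":
    for severity, obj_id, msg in check_inventory(SAMPLE):
        print(f"[{severity}] {obj_id}: {msg}")
```

On the constructed sample, the clean chain produces no findings, while the second chain surfaces the orphaned agent identity, its missing owner, the single approval record on the blueprint, the unexcepted client secret, and the stale credential. In practice the inventory would be populated from whatever export your IAM tooling already produces; the checks themselves are independent of the export format.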
What's in the full article
Semperis's full guide covers the operational detail this post intentionally leaves for the source:
- Step-by-step Microsoft Graph request structure for creating the blueprint, principal, and agent identity objects
- Permission and role assignment details for the blueprint and its downstream child objects
- PowerShell 7 token acquisition flow and the exact claims surfaced in the resulting access token
- Graph Explorer examples that show how the identity appears in sign-in logs and object responses
👉 Read Semperis's guide to creating and governing Microsoft Agent ID objects →
Microsoft Agent ID blueprint identities: what IAM teams should check