Microsoft Entra Agent ID Is the Best Agent Identity System That Only Works Inside Microsoft

by R. Demetri Vallejos
Tags: agent-identity, microsoft, entra, enterprise, security, analysis

Microsoft Entra Agent ID is real engineering solving a real problem. That's the first thing to say. The second thing: it only works if every agent in your ecosystem lives inside Microsoft.

For the 42% of large organizations that already run AI agents in production — and the thousands of startups, open-source projects, and indie developers building agents outside Azure — the most important identity product of 2026 has a velvet rope.

Here's what's behind it.


What Entra Agent ID Actually Is

Microsoft treats AI agents as a third identity type in Entra, alongside human users and workload identities (applications, services). Every agent gets its own object ID in the Entra tenant — trackable, auditable, and subject to the same policy framework as human accounts.

This isn't a wrapper around service principals with a new name. Three capabilities are genuinely new:

Agent Identity Blueprints. Reusable templates that define permissions, roles, and governance policies for classes of agents. Approve a blueprint once. Every agent created from it inherits those settings. This solves the "every agent gets admin because nobody wants to configure permissions" problem that plagues most deployments.

Mandatory Human Sponsors. Every agent identity requires a human sponsor — someone accountable for the agent's behavior. When sponsors leave the organization, governance workflows automatically reassign sponsorship or deactivate the agent. The agent can never become an orphan process with no owner.

Behavioral Anomaly Detection. Entra ID Protection extends to agents. If an agent starts accessing resources outside its normal pattern, the system flags it as high-risk and can automatically block access through conditional access policies. This is the same detection engine that catches compromised human accounts, retrained for agent behavior.

The existing Entra machinery — conditional access, entitlement management, access reviews, lifecycle workflows — all extends to agent identities without a new policy engine. If your security team knows Entra, they know how to govern agents. That's a genuine advantage.


What It Costs

Entra Agent ID requires:

  • An Azure tenant
  • A Microsoft 365 Copilot license
  • Enrollment in the Frontier early-access program

When Microsoft Agent 365 reaches general availability on May 1, 2026, the pricing is $15 per user per month standalone, or included in the new Microsoft 365 E7 Frontier Suite at $99 per user per month.

For context: a 500-person enterprise on the standalone plan pays $90,000/year for agent identity management. The E7 suite — $594,000/year.

This pricing makes sense for organizations already deep in the Microsoft ecosystem. It's incremental cost on top of existing licenses. For everyone else, it's a barrier that prices out the majority of agents being built today.


The Timeline

Date                   | Event                                                        | Status
May 2025 (Build)       | Initial public preview — agent directory                     | Preview
November 2025 (Ignite) | Major expansion — conditional access, blueprints, governance | Preview
March 2026 (RSAC)      | Shadow AI detection, prompt injection protection             | GA March 31
May 1, 2026            | Agent 365 general availability                               | Planned GA

Entra Agent ID has been in public preview for ten months. Shadow AI detection and prompt injection protection hit GA on March 31. The identity core — blueprints, governance, the agent registry — remains in preview until at least May 1.


The Architectural Bet

Microsoft made a specific architectural choice: agent identity is a platform service verified by the platform.

The agent obtains a signed token (a JWT) from Entra and presents it. The resource server checks the signature against Entra's published signing keys, then checks issuer, audience and expiry, and only then applies its own authorization. This is the OAuth 2.0 / OpenID Connect model: proven, well understood, and it works well inside the perimeter. But notice what stays on Microsoft's side of that exchange: issuing the token in the first place, the signing keys and their rotation, and everything that re-evaluates or revokes access once a token is out (conditional access, continuous access evaluation, risk-based blocking). A cached key lets a server verify a signature without a round trip; it does not let an agent obtain, renew, or revoke one.

The tradeoff: issuance and revocation are only as available as Microsoft's infrastructure. Every token acquisition is a round trip, and those add up at agent-to-agent scale. Microsoft sees every issuance and every policy evaluation. And agents that leave the Microsoft ecosystem, or never entered it, cannot participate.

This is the same architectural tradeoff that distinguished Active Directory from X.509 certificates in the 2000s. AD was easier to manage. Certificates worked everywhere. Both survived because both were needed.


Who Gets Left Out

The agents being built fastest are not being built in Copilot Studio.

LangChain. CrewAI. AutoGen. OpenAI Assistants. Anthropic's agent SDK. Hugging Face Transformers Agents. These frameworks collectively represent the majority of agent deployments in 2026, and none of them can obtain an Entra Agent ID without first registering the agent as an identity object in an Entra tenant and authenticating through it.

An indie developer deploying a LangChain agent on Railway. A defense contractor running agents in an air-gapped network. A startup building multi-agent workflows across AWS and GCP. A security team that needs to verify an unknown agent at an API gateway without calling a third-party identity provider.

None of them are Microsoft's customer. All of them need agent identity.


The Three-Way Race

Microsoft is not alone. This is now a market category.

AWS Bedrock AgentCore Identity launched with a production SLA — already GA while Entra Agent ID is still in preview. Built on Amazon Cognito. Declarative SDK, built-in OAuth for 20+ SaaS tools, and notably, support for Entra ID itself as an identity provider. AWS chose interop over lock-in, at least at the federation layer.

AgentCore's gap: governance. No equivalent to blueprints, no lifecycle management, no behavioral anomaly detection. AWS gives you authentication and authorization. Microsoft gives you governance and compliance. Neither gives you portability.

Open standards are the third player. Google's A2A protocol and Anthropic's Model Context Protocol are converging on OAuth 2.0 and OpenID Connect as the authentication layer for agent-to-agent communication. Microsoft is participating in this standards work — they've announced OAuth identity passthrough for MCP servers. But the standards define how agents authenticate, not how they receive identity in the first place.

The issuance layer — "give this agent a verifiable, portable identity" — remains unsolved by any of the three.


What's Missing From All of Them

Every enterprise solution announced in 2026 shares three limitations:

No offline issuance or revocation. Once an issuer's signing keys are cached, checking the signature on a JWT-style token is a local operation, but that is the easy half. Obtaining the token, picking up a rotated key, and learning that a credential has been revoked all require reaching Microsoft or AWS. In an air-gapped environment, a disrupted network, or a latency-sensitive agent-to-agent chain, the agent either cannot get a credential at all or keeps presenting one whose revocation it will never see.

No post-quantum signatures. Both Microsoft and AWS sign agent tokens with classical algorithms, RSA or ECDSA. The tokens themselves are short-lived, so harvest-now-decrypt-later, which targets encrypted data, is not the concern here; the concern is the issuers' signing keys and the agents' own credentials, which live for years. Once a cryptographically relevant quantum computer exists, anyone holding a classical public key can recover its private half and forge signatures under it, and every identity chain rooted in that key has to be reissued. An agent identity issued today with classical signatures carries that migration debt from day one.

No portability. An Entra Agent ID doesn't work outside Azure. An AgentCore identity doesn't work outside AWS. Switch clouds, switch frameworks, switch anything — you re-issue identity from scratch. The agent's identity is a lease from the platform, not a property of the agent.

These aren't criticisms of engineering quality. They're consequences of the platform model. Identity-as-a-platform-service is valuable inside the platform. The open internet needs identity-as-infrastructure.


Two Models, Not One

The agent economy will not be served by a single identity model. It needs two:

Platform identity for agents operating inside enterprise ecosystems. Entra Agent ID and AgentCore Identity are the right tools here — deep governance, policy integration, compliance controls. If your agents live in Azure, use Entra Agent ID. If they live in AWS, use AgentCore. The integration depth is worth the platform dependency.

Infrastructure identity for everything else. Agents that cross cloud boundaries. Agents in open-source frameworks. Agents in air-gapped environments. Agents that need to prove identity to services that have never heard of their operator's cloud provider. This layer needs to be standards-based, offline-verifiable, and cryptographically portable.

The two models are complementary, not competitive. An agent can have an Entra Agent ID for accessing Microsoft Graph and a W3C Verifiable Credential for everything else. The question is whether the infrastructure layer exists.


Where We Fit

The Aethyr Agent Registry is the infrastructure layer.

W3C Decentralized Identifiers. W3C Verifiable Credentials. Post-quantum signatures (ML-DSA-65, NIST FIPS 204). Offline verification — no network call, no vendor account, no platform dependency. One dollar.

We don't replace Entra Agent ID. We fill the gap it can't reach. The indie developer, the multi-cloud enterprise, the defense deployment, the open-source framework — every agent that needs identity outside a vendor's walls.

Microsoft built the best agent identity system inside Microsoft. The open internet still needs one too.

registry.aethyr.cloud


The Aethyr Agent Registry issues W3C-compliant, post-quantum signed credentials for AI agents. The verification library @aethyrai/ssi-verify is MIT-licensed and open source. Registration starts at $1.