Preventing OWASP ASI02 Tool Misuse in a .NET AI agent with date range limits, page size caps, read-only tools, egress controls, and managed identity.

Preventing Tool Misuse in AI Agents

In my side project (Biotrackr), I have a chat agent that I use to query my data using natural language. This agent has 12 tools that call APIs to retrieve data that provides context to an LLM. I’m using Claude as my LLM provider, so Claude will decide which tool to call, and with what parameters. Let’s pretend that we are bad actors trying to disrupt my agent. Say we decide to prompt inject the agent, and get it to perform an expensive query to retrieve 100 years of data (I’m not that old thankfully!) in an attempt to return a massive payload, consume thousands of Claude API tokens, and hammer my APIM gateway. ...

March 11, 2026 · 14 min · Will Velida
Preventing OWASP ASI05 Unexpected Code Execution in a .NET AI agent with input validation, non-root containers, static tool registration, and runtime monitoring.

Preventing Unexpected Code Execution in AI Agents

Can your AI Agent run code? If not, you probably don’t think that unexpected code execution applies to you. However, this goes a lot deeper than eval(). Input validation, container security, static analysis, and runtime monitoring all play a part here. Even an Agent with read-only capabilities and no code interpreter has an execution environment, tool parameters that flow from LLM output, and a CI/CD pipeline that needs to be secure. ...

March 11, 2026 · 16 min · Will Velida
Learn how to give AI agents their own discrete, auditable identities using Microsoft Entra Agent ID, enabling them to authenticate to Azure services like Cosmos DB and Blob Storage with scoped RBAC permissions via the .NET Azure SDK.

How to Call Azure Services from an AI Agent Using Entra Agent ID and the .NET Azure SDK

Introduction: The Identity Problem with AI Agents

AI agents are moving beyond simple prompt-and-response. They’re calling APIs, reading databases, writing to storage, etc. Doing actions on real resources with real consequences. This raises a question every platform team eventually asks: whose identity should the agent use? Today, most agents authenticate to Azure services in one of two ways:

Delegated (on-behalf-of-user): The agent acts as the signed-in user. This can work for interactive scenarios, but it means the agent inherits all of the user’s permissions, which is far more than a narrowly-scoped tool call should need. It also falls apart for background or autonomous agents that run without a user session.

App-only (managed identity or client credentials): The agent authenticates as the hosting application. This solves the “no user present” problem, but now every agent running on the same compute shares a single identity. You can’t distinguish which agent accessed which resource in your logs. You can’t give one agent read-only access to Cosmos DB while another gets read-write. The agent is the app, as far as Azure is concerned.

Neither option gives you what you actually want: a discrete, auditable identity for the agent itself. One that’s separate from the user, separate from the hosting infrastructure, and scoped to exactly the permissions the agent needs. ...

March 2, 2026 · 28 min · Will Velida
Learn how to create agent identity blueprints using Microsoft Graph PowerShell and provision agent identities through an ASP.NET Web API running on Azure Container Apps, with managed identity authentication and federated credentials.

Creating Entra Agent ID Blueprints and Identities with PowerShell and .NET

In Microsoft Entra Agent ID, we use agent identity blueprints to create agent identities and request tokens using those agent identities. These agent identities represent AI Agents within your tenant, and are usually provisioned when we create a new AI Agent. In this post, we’ll go through an end-to-end example of creating an agent blueprint using Microsoft Graph PowerShell, then we’ll create an Agent Identity using an ASP.NET Web API that we’ll deploy to Azure Container Apps. ...

February 28, 2026 · 17 min · Will Velida
As agents become more capable of making decisions, they require their own identities to ensure proper governance, security, and accountability. Microsoft Entra Agent ID extends identity capabilities to agents, which helps developers build, govern, and protect agent identities.

Understanding Microsoft Entra Agent ID

As agents become more capable of making decisions, they require their own identities to ensure proper governance, security, and accountability. AI Agents are already being used in a variety of different workflows (perhaps you’ve deployed some yourself!). But as they become more capable and make autonomous decisions, there are several concerns and challenges that must be addressed: How do we authenticate and authorize agents? How do we govern them? Probably most important of all, how do we distinguish them from humans?! Microsoft Entra Agent ID extends identity capabilities to agents, which helps developers build, govern, and protect agent identities. In this article, we’re going to explore how Entra Agent ID gives agents security capabilities, such as control access policies, identity protection, and more. ...

February 27, 2026 · 8 min · Will Velida