Investigating suspicious AI workflows in Microsoft Entra Agent ID: Assistive agents

Jeff Davies 08 Jun 2026 4 min read

Issuer: Adverse Trace | Date issued: 2026-06-08 | Version: 1.0

1. Executive summary

Threat actors are leveraging the "On Behalf Of" (OBO) flow in Microsoft Entra ID to compromise assistive AI agents, allowing them to execute administrative tasks with the privileges of legitimate users. This technique involves tricking or coercing users into consenting to the access_agent scope of malicious or compromised agent blueprints, effectively delegating authority to the attacker. For EMEA financial services, this presents a critical identity risk where standard MFA controls may be bypassed if the user has already authenticated, leading to unauthorized data access or configuration changes under a valid user context. Immediate validation of consent grants for AI blueprints and monitoring of OBO token exchanges is required.

2. Regulatory framing

Regulation | Article / Requirement | Practical Impact for Financial Entities
DORA | Art. 17 (Protection) | Entities must verify that ICT third-party providers (e.g., Microsoft) and internal configurations prevent unauthorized delegation of access rights via AI agents.
DORA | Art. 19 (Detection) | Monitoring systems must detect anomalous consent patterns and unusual scope requests (e.g., access_agent) within Entra ID logs.
DORA | Art. 28-30 (Reporting) | If this vector leads to a significant operational incident, it triggers major incident reporting timelines under the DORA RTS.
NIS2 | Art. 21(2)(d) | Mandates policies on supply chain security and identity management, specifically regarding how third-party AI tools interact with core identity providers.
NIS2 | Art. 23 (Incident Handling) | Requires immediate response procedures to contain identity delegation abuses and revoke compromised consents.

3. Attack chain

The following steps represent the confirmed mechanics of the "Assistive Agent" abuse scenario as described in the source material:

  1. Blueprint Deployment: An adversary registers or compromises an Entra ID Agent Blueprint (e.g., "Dev Agent Identity Blueprint - NOT FOR PROD") configured to support the access_agent scope.
  2. Consent Phishing/Coercion: The adversary induces a privileged user (e.g., matt@ContosoCorp.onmicrosoft.com) to navigate to a specific OAuth2 authorization URI.
  3. Scope Granting: The user authenticates and consents to the access_agent scope for the malicious client ID, granting the agent permission to act on the user's behalf.
  4. Token Exchange: The adversary utilizes the granted consent to initiate an On Behalf Of (OBO) flow, exchanging the user's token for an access token bound to the agent.
  5. Action Execution: The agent performs administrative tasks or data exfiltration using the delegated permissions of the compromised user.

Unconfirmed steps: The specific social engineering vector (e.g., phishing email vs. compromised internal link) used to direct the user to the authorization URI is not detailed in the source material and varies by campaign. Attribution to a specific threat actor group is currently unconfirmed.

4. Mitigation & containment

P1: Immediate Containment (Within 24h)

  • Audit Consent Grants: Query the Entra ID audit logs for the "Consent to application" event. Filter for the access_agent scope and the specific Client ID 14d82eec-204b-4c2f-b7e8-296a70dab67e (identified in the source as the test/malicious app).
  • Revoke Compromised Sessions: Immediately revoke refresh tokens and sessions for any user who has consented to unverified agent blueprints. Use the PowerShell command: Revoke-AzureADUserAllRefreshToken -ObjectId <UserUPN> (this cmdlet belongs to the retired AzureAD module; the Microsoft Graph PowerShell equivalent is Revoke-MgUserSignInSession).
  • Disable Malicious Blueprints: If the "Dev Agent Identity Blueprint - NOT FOR PROD" or similar non-production blueprints exist in production tenants, disable the underlying service principal immediately via the Azure Portal, or remove it via the CLI: az ad sp delete --id <Service-Principal-ID>

P2: Configuration Hardening (Within 72h)

  • Restrict Agent Blueprint Creation: Enforce policies restricting the creation of custom Agent Blueprints to designated administrative accounts only.
  • Scope Limitation: Review and restrict the availability of the access_agent scope. Ensure only verified, production-grade blueprints are permitted to request this scope.
  • Conditional Access: Implement Conditional Access policies that require re-authentication or step-up verification when high-privilege scopes are requested by AI agents.

P3: Long-term Remediation (Within 7 days)

  • Governance Framework: Establish a formal governance process for AI agent deployment, requiring security review of all access_agent scope requests before consent.
  • Monitoring Integration: Integrate Entra ID sign-in and audit logs into SIEM solutions with specific alerting rules for OBO flow anomalies (see Section 6).

5. Indicators of compromise

Type | Value | Confidence | Source
URL Parameter (Scope) | api://beddadf7-4f3b-4e9b-8443-0b0cf777446e/access_agent | High | Red Canary
GUID (Tenant ID Example) | adcb5820-70a1-4272-b79c-32f2bba44ddc | Medium (Example) | Red Canary
GUID (Client ID Example) | 14d82eec-204b-4c2f-b7e8-296a70dab67e | Medium (Example) | Red Canary
String | Dev Agent Identity Blueprint - NOT FOR PROD | High | Red Canary
String | access_agent | High | Red Canary

6. Detection

The following YARA rule detects the presence of the specific scope and blueprint names identified in the attack pattern within log files or memory dumps.

rule Entra_AI_Assistive_Agent_Abuse {
    meta:
        author = "Adverse Trace"
        date = "2026-06-08"
        reference = "https://redcanary.com/blog/threat-detection/entra-id-ai-workflows-assistive-agents/"
        description = "Detects indicators related to suspicious Microsoft Entra Assistive Agent OBO flows"

    strings:
        $scope_uri = "api://beddadf7-4f3b-4e9b-8443-0b0cf777446e/access_agent" nocase
        $blueprint_name = "Dev Agent Identity Blueprint - NOT FOR PROD" nocase
        $scope_keyword = "access_agent" nocase
        $oauth_path = "/oauth2/v2.0/authorize" nocase

    condition:
        ($scope_uri) or ($blueprint_name) or (2 of ($scope_keyword, $oauth_path))
}

The following Sigma rule targets Entra ID audit logs for the specific consent and OBO patterns described.

title: Suspicious Entra ID Assistive Agent Consent and OBO Flow
id: 8a9b2c3d-4e5f-6789-0123-456789abcdef
status: experimental
description: Detects user consent to the 'access_agent' scope, or consent events involving the non-production blueprint name or client ID named in this advisory. OBO token exchanges themselves are not visible in audit logs; correlate matches with sign-in logs.
author: Adverse Trace
date: 2026-06-08
references:
    - https://redcanary.com/blog/threat-detection/entra-id-ai-workflows-assistive-agents/
logsource:
    product: azure
    service: auditlogs
detection:
    selection_consent:
        OperationName: 'Consent to application'   # operation name as exported to the AuditLogs table; verify the field mapping of your connector
        Scope|contains: 'access_agent'            # granted permissions are serialised as one string, so match by substring
    selection_blueprint:
        AppDisplayName: 'Dev Agent Identity Blueprint - NOT FOR PROD'
    selection_client_id:
        ClientId: '14d82eec-204b-4c2f-b7e8-296a70dab67e'
    condition: selection_consent or selection_blueprint or selection_client_id
falsepositives:
    - Legitimate development testing in production environments (should be rare)
level: high
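The P1 step "Audit Consent Grants" in Section 4 and the Sigma rule above describe the same triage: find consent events that granted access_agent, or that involve the non-production blueprint or the listed client ID, and hand the consenting user to the revocation step. The script below is an added example, not code from Red Canary or Adverse Trace, that runs that logic over exported audit records. It assumes records shaped like the Microsoft Graph directoryAudit object (activityDisplayName, initiatedBy.user.userPrincipalName, targetResources[].displayName, targetResources[].modifiedProperties[].{displayName, newValue}); the property name ConsentAction.Permissions and the two sample records are assumptions constructed for the example and should be verified against your own export.

```python
"""Triage exported Microsoft Entra ID audit records for the assistive-agent consent pattern.

Added example; not code from Red Canary or Adverse Trace. Records are assumed to be
shaped like the Microsoft Graph directoryAudit object; the modifiedProperties name
"ConsentAction.Permissions" is an assumption to verify against your export.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators taken from the advisory's IOC table.
SUSPICIOUS_SCOPE = "access_agent"
SUSPICIOUS_CLIENT_ID = "14d82eec-204b-4c2f-b7e8-296a70dab67e"
SUSPICIOUS_BLUEPRINT = "Dev Agent Identity Blueprint - NOT FOR PROD"
CONSENT_ACTIVITY = "Consent to application"


@dataclass(frozen=True)
class Finding:
    user: str       # UPN of the consenting user, the input to the revocation step
    app: str        # display name of the application that received consent
    reasons: tuple  # which selections fired, named after the Sigma rule's selections


def _walk_strings(value) -> Iterable[str]:
    """Yield every string nested anywhere inside a JSON-like value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _walk_strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from _walk_strings(item)


def triage_record(record: dict) -> Optional[Finding]:
    """Apply the three selections to one audit record; None when nothing fires."""
    reasons = []
    targets = record.get("targetResources", [])
    app_names = [t.get("displayName", "") for t in targets]

    # selection_consent: a consent event whose granted permissions include the scope.
    if record.get("activityDisplayName") == CONSENT_ACTIVITY:
        granted = " ".join(
            str(prop.get("newValue", ""))
            for target in targets
            for prop in target.get("modifiedProperties", [])
            if prop.get("displayName") == "ConsentAction.Permissions"  # assumed property name
        )
        if SUSPICIOUS_SCOPE in granted:
            reasons.append("selection_consent")

    # selection_blueprint: the non-production blueprint is the consented application.
    if SUSPICIOUS_BLUEPRINT in app_names:
        reasons.append("selection_blueprint")

    # selection_client_id: the field holding the client id varies by export format,
    # so every string in the record is checked, case-insensitively.
    if any(SUSPICIOUS_CLIENT_ID in text.lower() for text in _walk_strings(record)):
        reasons.append("selection_client_id")

    if not reasons:
        return None
    initiator = (record.get("initiatedBy") or {}).get("user") or {}
    user = initiator.get("userPrincipalName", "<unknown>")
    return Finding(user=user, app=app_names[0] if app_names else "<unknown>", reasons=tuple(reasons))


def triage(records: List[dict]) -> List[Finding]:
    """Return one Finding per record that matches at least one selection."""
    return [f for f in (triage_record(r) for r in records) if f is not None]


# Constructed sample export: one benign consent and one that fires all three selections.
SAMPLE_RECORDS = [
    {
        "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
        "targetResources": [{
            "displayName": "Expense Approver",
            "id": "00000000-0000-0000-0000-000000000001",
            "modifiedProperties": [{
                "displayName": "ConsentAction.Permissions",
                "newValue": "[[Id: 00000000-0000-0000-0000-000000000002, ClaimValue: User.Read]]",
            }],
        }],
    },
    {
        "activityDisplayName": "Consent to application",
        "initiatedBy": {"user": {"userPrincipalName": "matt@ContosoCorp.onmicrosoft.com"}},
        "targetResources": [{
            "displayName": "Dev Agent Identity Blueprint - NOT FOR PROD",
            "id": "14d82eec-204b-4c2f-b7e8-296a70dab67e",
            "modifiedProperties": [{
                "displayName": "ConsentAction.Permissions",
                "newValue": "[[Id: 00000000-0000-0000-0000-000000000003, ClaimValue: access_agent]]",
            }],
        }],
    },
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(f"revoke sessions for {finding.user}: consented to {finding.app!r} ({', '.join(finding.reasons)})")
```

Run against a JSON export of the tenant's audit log and feed each Finding.user to the P1 revocation step. The client-ID selection deliberately searches every string in the record rather than one named field, because the same value lands in different columns depending on whether the log came from Microsoft Graph, Log Analytics or a SIEM connector; the cost is that a benign record mentioning the ID in free text also matches, which is acceptable for a high-severity hunt.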

7. Sources

  • Red Canary, "Investigating suspicious AI workflows in Microsoft Entra Agent ID: Assistive agents", 2026-06-08, https://redcanary.com/blog/threat-detection/entra-id-ai-workflows-assistive-agents/
  • Red Canary, "Investigating suspicious AI workflows in Microsoft Entra Agent ID: Autonomous agents", https://redcanary.com/blog/threat-detection/entra-id-ai-workflows/

8. Adverse Trace position

We assess the severity of this vector as High for financial institutions heavily invested in Microsoft 365 Copilot and custom Entra agents, as it effectively bypasses traditional perimeter defenses by leveraging valid user credentials and delegated permissions. The impact is compounded by the potential for lateral movement if high-privilege users consent to malicious agents. While the specific IOCs provided in the source appear to be from a test environment ("NOT FOR PROD"), the technique is reproducible with arbitrary Client IDs. Adverse Trace will continue to monitor for in-the-wild exploitation of the access_agent scope and update this advisory if specific threat actor attribution is established. Clients should assume their development tenants may bleed into production if governance is lax.


Published via PulseTrace — Adverse Trace threat intelligence.