Block access by high-risk agent identities (Preview)

This Conditional Access policy template blocks agent identities that are detected as high risk by Microsoft Entra ID Protection, helping prevent potentially compromised AI agents from accessing your organization's resources.

Template deployment

Organizations can deploy this policy by following the steps outlined below or by using the Conditional Access templates.

Create a Conditional Access policy

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Entra ID > Conditional Access > Policies.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users, agents (Preview) or workload identities.
    1. Under What does this policy apply to?, select Agents (Preview).
      1. Under Include, select All agent identities (Preview).
  6. Under Target resources, select the following options:
    1. Under Select what this policy applies to, select Resources (formerly cloud apps).
    2. Under Include, select All resources (formerly 'All cloud apps').
  7. Under Conditions > Agent risk (Preview), set Configure to Yes.
    1. Under Configure agent risk levels needed for policy to be enforced, select High. This guidance is based on Microsoft recommendations and might be different for each organization.
  8. Under Access controls > Grant:
    1. Select Block.
    2. Select Select.
  9. Confirm your settings and set Enable policy to Report-only.
  10. Select Create to enable your policy.

After confirming your settings using policy impact or report-only mode, move the Enable policy toggle from Report-only to On.
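The following Microsoft Graph PowerShell snippet is an added example, not part of this Microsoft Learn page, showing how to check that the policy created in the steps above is still in Report-only mode and then move it to On once its impact has been reviewed. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account holds at least the Conditional Access Administrator role, and that the policy display name is a placeholder you replace with the name chosen in step 4. The agent-identity and agent-risk conditions themselves are not set here, since their API representation is not described on this page; the snippet only reads the policy back and changes its state.

```powershell
# Added example (not from the Microsoft Learn page): confirm the policy is in
# Report-only mode, verify the grant control is Block, then switch it to On.
# Assumes the Microsoft Graph PowerShell SDK and the Conditional Access Administrator role.
# Placeholder display name: replace with the name you gave the policy in step 4.
$policyName = "Block access by high-risk agent identities"

# Policy.ReadWrite.ConditionalAccess is required to change the policy state.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Look up the policy by display name with an OData filter.
$policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'"

if (-not $policy) {
    throw "No Conditional Access policy named '$policyName' was found."
}

# Show the current state and the configured grant control before enforcing.
$policy | Select-Object Id, DisplayName, State
$policy.GrantControls.BuiltInControls   # expected to contain "block"

if ($policy.GrantControls.BuiltInControls -notcontains "block") {
    throw "Policy '$policyName' does not use the Block grant control; review step 8."
}

# "enabledForReportingButNotEnforced" is the Graph value behind the Report-only toggle.
if ($policy.State -eq "enabledForReportingButNotEnforced") {
    # Move to On only after reviewing the report-only results in the sign-in logs.
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State "enabled"
    Write-Host "Policy '$policyName' is now enforced."
}
else {
    Write-Host "Policy '$policyName' is in state '$($policy.State)'; no change made."
}
```

Run the snippet once the report-only results look as expected; if the policy is already On or Off it reports the state and makes no change, so it is safe to rerun.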