As organizations rapidly adopt AI agents, securing them against unauthorized access and identity-based threats has become increasingly important. To help organizations secure their AI agents, Microsoft offers Conditional Access for Agents and Identity Protection for Agents access controls and detect identity risks associated with AI agents.
Previously, these capabilities were available through Microsoft Entra ID P1/P2 licensing. Now, Microsoft has introduced two service plans for Agent Conditional Access and Identity Protection under Microsoft 365 Agent and Microsoft 365 E7 licenses. In this blog, we’ll walk through about the licensing changes and explain how organizations can ensure uninterrupted access to these security capabilities.
New Microsoft Entra Service Plans for Agent Conditional Access and ID Protection
The new licensing model introduces dedicated service plans that provide Conditional Access and identity protection capabilities specifically for AI agents.
The new service plans included under Microsoft 365 Agent and Microsoft 365 E7 licenses are:
- Entra Conditional Access for Agents (Part number: ENTRA_CONDITIONAL_ACCESS_FOR_AGENTS)
- Entra ID Protection for Agents (Part number: ENTRA_ID_PROTECTION_FOR_AGENTS)
Conditional Access for agents brings your Conditional Access engine to agent scenarios. Entra evaluates an agent’s access request the same way it evaluates a user’s, then allows, blocks, or challenges it before issuing a token. It covers autonomous agents that run on their own, agents that have their own user account, and agents acting on behalf of a signed-in user.
ID Protection for agents watches agent identities for risk. It surfaces flagged agents in a Risky Agents report and lets you drive risk-based Conditional Access, so a compromised agent can be blocked automatically instead of waiting for someone to notice.
Entra Conditional Access for Agents:
This service plan extends Conditional Access policies to AI agents. When an agent requests access, Microsoft Entra evaluates the request using the same Conditional Access engine used for user sign-ins, then allows, blocks, or challenges the request before issuing a token.
It supports:
- Autonomous agents that operate independently
- Agents with their own identities or user accounts
- Agents acting on behalf of signed-in users
- Blocks high-risk AI agents
Entra ID Protection for Agents:
This service plan brings identity risk detection and protection to agent identities. Microsoft Entra continuously evaluates agent activity, identifies potentially compromised agents, and surfaces them in the Risky Agents report.
Organizations can then apply risk-based Conditional Access policies to automatically block or restrict suspicious agents before they can access resources.
Rather than introducing a standalone license for agent security, Microsoft has delivered these capabilities through new service plans within Microsoft 365 Agent and Microsoft 365 E7 licenses. This allows organizations to continue securing AI agents using familiar Microsoft Entra security features while simplifying license management.
Rollout Timeline
- Microsoft will begin rolling out these new service plans in early July 2026, with completion expected by early August 2026.
- Once the rollout is complete, the service plans will be enabled by default under the Microsoft 365 Agent and Microsoft 365 E7 licenses.
What Admins Need to Do Before Microsoft’s Agent Security Licensing Update
Although the new service plans will be added automatically during the rollout, organizations should review their licensing configuration before the rollout is complete. You can verify this in the Microsoft 365 admin center under Billing → Your products.
Once available, ensure the required users are assigned Microsoft 365 Agent or Microsoft 365 E7 licenses to continue accessing agent security without interruption.
It’s also important to note that existing Agent Conditional Access policies and Identity Protection configurations will continue to work as configured. This update primarily introduces new licensing entitlements and does not require administrators to recreate or modify existing policies.
That’s it! We hope this blog helped you understand the new service plans for Conditional Access for Agents and Identity Protection for Agents. Review the upcoming licensing changes and prepare your organization ahead of the rollout to ensure uninterrupted access to these security capabilities.
If you have any questions, feedback, or suggestions, feel free to share them in the comments section below—we’d love to hear from you. Stay tuned for more Microsoft 365 updates.
