

Your Copilot Studio Agent Has An Identity. Here Is How To Govern It (My Recent Proof-of-Concept)
Publishing a Copilot Studio agent creates an Entra identity in the same minute. As of March 18, 2026, every Copilot Studio agent in a default-on tenant gets a Microsoft Entra Agent ID: a service principal with the 'Agent' subtype, governable through the same Entra admin center and Microsoft 365 admin center your IAM team already operates. A walkthrough of what the Agent ID is, how Agent 365 governs it, the connected dual-agent pattern from a defensive SecOps PoC, and a 7-step

Derek Morgan
May 26 · 8 min read


PIM vs Service Accounts: When Privileged Identity Management is the Right Answer
Three things get called "service account" in Microsoft Entra ID. Most incidents involve only one of them. This article gives security architects and CISOs a framework for picking the right control: PIM-eligible roles for human admins, managed identities and service principals for workloads. Two diagnostic questions, four patterns, and a 5-step checklist for converting a tenant from standing privilege to a controlled model.

Derek Morgan
May 19 · 7 min read


The Business Case for Account Discovery in Entra ID Governance
App owners can't always answer who has access to their app right now. Mid-market enterprises run about 200 SaaS apps; large enterprises closer to 350. Account Discovery (preview) in Microsoft Entra ID Governance reads each connected app and classifies every account as Local, Unassigned, or Assigned. This post covers the business case, the three categories, and a three-phase rollout worked through SAP.

Derek Morgan
May 6 · 6 min read


Why Entra ID Conditional Access Fails in Practice (And How to Fix It)
I've never investigated a breach where Conditional Access failed — only where expectations did. Most CA breakdowns aren't technical. They're architectural: wrong exclusions, forgotten accounts, policies that evaluate risk but never enforce it. This article covers the four most common failure patterns — and the three-phase approach to fix them.

Derek Morgan
Apr 7 · 6 min read