---
name: Conditional Access for Agents
description: "Turns an AI agent's risk profile and data tier into a Microsoft Entra Conditional Access policy specification ready for admin review, aligned to Essential Eight."
---
# Conditional Access for Agents
> **TL;DR:** This skill takes an autonomous agent's risk profile, data tier and runtime context and produces a ready-to-review Microsoft Entra Conditional Access policy specification, so an admin can harden the agent before it goes live.
## How do you design Conditional Access for an Entra Agent ID?
The skill produces a Microsoft Entra Conditional Access policy specification scoped to a named agent or agent group, with all conditions, controls and session settings expressed in the same shape an Entra admin configures in the portal. As Agentic AI and Copilot Studio agents take on autonomous actions, each agent identity needs the same identity hardening a human account receives. This skill targets the Entra Agent ID directly, defining who the agent is, the device and network states it may run from, the sign-in risk it may tolerate, and the session limits that constrain its tokens, so the policy is precise, defensible and ready for review.
## When should you run this skill?
- "Design a Conditional Access policy for an AI agent"
- "Write CA policy for agent identities"
- "Harden agent runtime with Conditional Access"
- "Restrict an agent to managed devices only"
## How this skill works, step by step
1. Collect the agent context: Agent ID, owner, data tier (Public, Internal, Confidential, Restricted), runtime locations, parent application.
2. Determine the trust baseline: which device states, networks, and risk levels are acceptable.
3. Define users / workload identities — target the Agent ID directly.
4. Define conditions — locations, device compliance, sign-in risk, client app.
5. Define grant controls — require compliant device, require approved client app, block on high risk.
6. Define session controls — token lifetime, sign-in frequency, app-enforced restrictions.
7. Produce the policy specification below.
## Output format
A JSON-shaped policy specification:
```json
{
"displayName": "CA — Agent <name> — <tier>",
"state": "enabledForReportingButNotEnforced",
"conditions": { "users": {...}, "applications": {...}, "locations": {...} },
"grantControls": { "operator": "AND", "builtInControls": [...] },
"sessionControls": { "signInFrequency": {...} }
}
```
Followed by a plain-English review summary for the approving admin.
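The step list and the output shape above, carried through as an added example (not the skill's own code): a builder that turns an agent's data tier and trusted runtime locations into Graph-shaped `conditionalAccessPolicy` bodies. The tier thresholds, the sample ids and the choice of `conditions.clientApplications.includeServicePrincipals` to target the Agent ID are assumptions to verify against the tenant's Agent ID schema.

```python
# Assumed hardening profile per data tier (not from the skill): sign-in risk
# levels blocked outright, grant controls required otherwise, sign-in frequency.
TIER_PROFILE = {
    "Public":       {"block_risk": ["high"], "controls": ["compliantDevice"], "sif_hours": 24},
    "Internal":     {"block_risk": ["high"], "controls": ["compliantDevice"], "sif_hours": 12},
    "Confidential": {"block_risk": ["high", "medium"], "controls": ["compliantDevice", "approvedApplication"], "sif_hours": 4},
    "Restricted":   {"block_risk": ["high", "medium", "low"], "controls": ["compliantDevice", "approvedApplication"], "sif_hours": 1},
}

def _skeleton(agent_object_id: str, name: str, tier: str, purpose: str) -> dict:
    """Common shape: one named agent, all cloud apps, report-only until promoted."""
    return {
        "displayName": f"CA — Agent {name} — {tier} ({purpose})",
        "state": "enabledForReportingButNotEnforced",  # approving admin flips to "enabled"
        "conditions": {
            # Assumption: the Agent ID is targeted as a workload identity by object id.
            "clientApplications": {"includeServicePrincipals": [agent_object_id]},
            "applications": {"includeApplications": ["All"]},
        },
    }

def build_agent_policies(agent_object_id: str, name: str, tier: str,
                         trusted_location_ids: list[str]) -> list[dict]:
    """Return the three policies the step list implies. Conditions inside one
    policy are ANDed, so 'block on risk', 'block off-site' and 'require controls'
    each need their own policy; step 5's single list cannot be one policy."""
    if tier not in TIER_PROFILE:
        raise ValueError(f"unknown data tier {tier!r}, expected one of {list(TIER_PROFILE)}")
    prof = TIER_PROFILE[tier]
    block = {"operator": "OR", "builtInControls": ["block"]}

    risky = _skeleton(agent_object_id, name, tier, "block risky sign-ins")
    risky["conditions"]["signInRiskLevels"] = list(prof["block_risk"])
    risky["grantControls"] = dict(block)

    offsite = _skeleton(agent_object_id, name, tier, "block untrusted locations")
    offsite["conditions"]["locations"] = {"includeLocations": ["All"],
                                          "excludeLocations": list(trusted_location_ids)}
    offsite["grantControls"] = dict(block)

    runtime = _skeleton(agent_object_id, name, tier, "require trusted runtime")
    runtime["grantControls"] = {"operator": "AND", "builtInControls": list(prof["controls"])}
    runtime["sessionControls"] = {
        "signInFrequency": {"isEnabled": True, "type": "hours", "value": prof["sif_hours"],
                            "frequencyInterval": "timeBased"},
        "applicationEnforcedRestrictions": {"isEnabled": True},
    }
    return [risky, offsite, runtime]
```

Each returned dict is the body an admin would review before any `POST` to the Graph Conditional Access endpoint; the builder never submits it.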
## Scope and safety
The skill produces a specification only and defaults to report-only state; the assigning admin promotes it to enforced. This skill does NOT:
- Create or assign the policy (specification only).
- Test the policy in What-If.
- Override existing Conditional Access baselines.
## Licensing and permissions
### Licences and add-ons
| Capability used | Minimum licence |
| --- | --- |
| Conditional Access policy authoring and session controls | Microsoft Entra ID P1 |
| Risk-based conditions (sign-in risk, user risk) | Microsoft Entra ID P2 |
| Agent identities targeted by the policy | Microsoft Entra Agent ID |
### Least-privilege roles
- Global Reader — read existing Conditional Access policies, named locations and agent identities to ground the specification.
- Security Reader — read sign-in risk and Identity Protection signals where risk-based conditions are used.
The skill only produces a specification; promoting it to enforced requires a Conditional Access Administrator, which is held by the approving admin rather than the skill.
### Microsoft Graph permissions (read-only)
- `Policy.Read.All` — read existing Conditional Access policies and named locations to align the new specification.
- `Application.Read.All` — read the parent application and agent identity details targeted by the policy.
- `IdentityRiskyUser.Read.All` — read user and sign-in risk signals where risk-based conditions apply.
## Sources and compliance
- Aligned to ASD Essential Eight Control 6: User Application Hardening.
- Supports E8 ML2 evidence for Control 6 and Control 8 (multi-factor authentication where applicable).
- Conditional Access for autonomous agents entered preview in May 2026.
- Reference: [https://learn.microsoft.com/en-us/entra/identity/conditional-access/agent-id](https://learn.microsoft.com/en-us/entra/identity/conditional-access/agent-id)
- Output in Australian English.
## How to use this skill
1. Get the file. Download or copy the SKILL.md from the panel above.
2. Load it into your host:
   - Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
   - Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
   - Any chat host — paste the file contents as your prompt.
3. Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed in the Licensing and permissions section.
4. Provide your tenant scope and run it (a site, a collection, or the whole tenant).
5. Review the report and action the risk-ranked recommendations.
This skill is read-only by default — it inspects and reports, and never changes your tenant.
Licensed under CC BY 4.0 by Educ4te . Adapted from the open HybridSP skills catalogue.