Microsoft Entra Agent ID Logs Reveal Suspicious Assistive Agent Activity
Cybersecurity NewsArchived Jun 09, 2026✓ Full text saved
AI agents built into enterprise platforms are no longer just productivity tools. Security researchers have found that these agents, when configured to act on behalf of real users, can become a quiet but serious risk deep inside an organization’s identity layer. A new investigation reveals how Microsoft Entra Agent ID logs capture suspicious behavior tied […] The post Microsoft Entra Agent ID Logs Reveal Suspicious Assistive Agent Activity appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Microsoft Entra Agent ID Logs Reveal Suspicious Assistive Agent Activity
By Tushar Subhra Dutta
June 9, 2026
AI agents built into enterprise platforms are no longer just productivity tools. Security researchers have found that these agents, when configured to act on behalf of real users, can become a quiet but serious risk deep inside an organization’s identity layer.
A new investigation reveals how Microsoft Entra Agent ID logs capture suspicious behavior tied to what are called assistive agents, also known as interactive agents.
These agents operate through a delegated access flow, meaning they carry out actions using a real user’s permissions rather than their own standalone credentials.
Assistive agents are designed to help users by performing tasks on demand through a chat interface. That might include reading email, pulling calendar data, or answering support questions with minimal human input.
The problem is that, under the wrong circumstances, these agents can be manipulated or compromised and then used to carry out harmful actions while appearing to act as a trusted employee.
Researchers at Red Canary identified this behavior and published a detailed report on how such an attack unfolds inside a real Microsoft 365 environment.
According to Red Canary report shared with Cyber Security News (CSN), the investigation walks through a scenario where an AI agent sent a suspicious email on behalf of a legitimate user, with the entire operation going unnoticed by standard identity monitoring tools.
The case centers on how a user grants an agent access through something called the On Behalf of flow. When that consent is given, the agent receives a token tied to the user’s permissions and can then make requests to Microsoft services like Exchange or the Graph API.
Consent dialog (Source – Red Canary)
The permissions the agent receives represent the intersection between what the agent is allowed to do and what roles the user already holds.
The email in question was addressed to an external CFO-level contact and carried the subject line “Here is your invoice.” From the surface, it looked like a normal message from a regular employee.
Deeper log analysis, however, revealed that the agent identity Agent001, running through the Microsoft Graph API, was the actual sender operating silently on behalf of the user account.
Microsoft Entra Agent ID Logs
Tracing the suspicious email required correlating three separate log sources: the Purview Exchange log, the Microsoft Graph Activity Log, and the non-interactive user sign-in log.
The Purview log initially showed a Microsoft-owned IP address as the source, a detail that could easily mislead an analyst.
Pulling the corresponding Graph API log using the AppAccessContext.UniqueTokenId field surfaced the true originating IP address, 51.3.97.221, along with the exact API call that triggered the email.
The sign-in log confirmed that the agent was operating through an On Behalf of flow. The key indicators were two specific log fields: Agent.agentType set to agenticAppInstance and Agent.agentSubjectType set to notAgentic.
Microsoft does not label these flows explicitly in the logs, so recognizing this pattern requires prior knowledge of how each authentication type appears. The research team noted that defenders must replicate these scenarios in test environments to understand the behavioral differences.
Detecting Agentic Flows Before Damage Is Done
One of the most important takeaways is that defenders cannot rely on a single log source to understand what an AI agent did. Correlation across Purview, Graph Activity Logs, and sign-in logs is essential for building a complete and accurate picture.
Security teams should look for the Add delegated permission grant operation in the AuditLogs table to spot when a user consents to giving an agent access through the access_agent scope. That audit event is the earliest signal available.
Defenders are also advised to track the Agent.parentAppId field in sign-in logs, which connects an agent instance back to its blueprint origin. When something suspicious happens, that field is what ties a specific action to the agent’s original identity.
Teams should keep in mind that even lower-level permissions like Mail.Send can cause serious harm when misused. Building detections around unexpected outbound emails sent through the Graph API remains a practical starting point for catching malicious agent behavior early.
Indicators of Compromise (IoCs):-
Type Indicator Description
IP Address 51.3.97.221 True originating IP from which the agent sent the suspicious email via Microsoft Graph API, located in Ashburn, Virginia, US
IP Address 40.126.23.26 Microsoft infrastructure IP shown in Purview Exchange log as ClientIP; not the true source IP
IP Address 20.106.103.146 IP from which the user consented to the access_agent scope (AuditLogs)
Agent ID (AppId) 8cd0a10f-0be8-413a-9bf2-f44bc568d1e4 Agent identity (Agent001) that sent the suspicious email on behalf of user
Blueprint ID beddadf7-4f3b-4e9b-8443-0b0cf777446e Parent agent blueprint principal (Dev Agent Identity Blueprint – NOT FOR PROD)
Tenant ID adcb5820-70a1-4272-b79c-32f2bba44ddc Entra tenant ID where the suspicious activity occurred
Client App ID 14d82eec-204b-4c2f-b7e8-296a70dab67e Microsoft Graph Command Line Tools app used to initiate the access_agent consent flow
Email Recipient bigwig_CFO@importantcompany.com External recipient of the suspicious “Here is your invoice” email
Graph API Endpoint https://graph.microsoft.com/beta/users/matt@ContosoCorp.onmicrosoft.com/microsoft.graph.sendMail Graph API endpoint called by the agent to send the email
User-Agent String Mozilla/5.0 (Macintosh; macOS 26.4.1; en-US) PowerShell/7.6.1 User-agent present in both Graph API and sign-in logs tied to agent activity
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
Trending News
New China-Linked Threat Cluster OP-512 Targets IIS Servers With Cryptographically Unique Web Shell Framework
Stock Exchange Executive’s Outlook Account Targeted to Exfiltrate Credentials
Internet Explorer WebBrowser Control Attack Chain Turns Clicks Into RCE
Hackers Use Fake Purchase Orders to Deploy JS.MonoGlyphRAT Targeting US Enterprises
WordPress Plugin Vulnerability Exposes 500,000+ Websites to Privilege Escalation Attacks
Latest News
ANY.RUN
How Threat Intelligence Feeds Help Automate SOCs to Reduce MTTR
Cyber Security
Fortinet FortiSandbox Vulnerability Allows Attackers to Execute Unauthorized Commands
Cyber Security
SPF, DKIM, DMARC Passed. Malicious Link Passes Every Authentication Check, But CyberCheck360 Caught It
Cyber Security
Google Chrome 0-Day Vulnerability Exploited in the Wild — Update Now
Cyber Security News
New Weedhack Malware-as-a-Service Targets Minecraft Players to Steal Credentials, and Hijack Accounts