Investigating suspicious AI workflows in Microsoft Entra Agent ID: Autonomous agents
ID: 183f8985-a115-599a-b5ab-629b45d3ed94
STIX ID: report--183f8985-a115-599a-b5ab-629b45d3ed94
Feed Name: Red Canary
**Executive summary:** This report analyzes how Microsoft Entra Agent ID identities can be abused. It illustrates a case in which an autonomous agent (Agent001) added a client secret to a production agent identity blueprint, an action that breaks the intended blueprint/principal/agent inheritance and can enable privilege escalation and persistent access. The document explains Agent ID concepts, provides an alert example with tenant ID, agent ID, IP and user-agent, and discusses raw logs and detection/investigation guidance for agent-originated threats.
