Microsoft Entra Blog

Microsoft’s perspective on agentic identity standards

Pamela Dingle
Apr 24, 2026

Why MCP, A2A, OAuth, and SPIFFE are the backbone of agentic identity.

A new identity inflection point

If you’ve gotten past the headline to this first sentence, you’re probably my kind of people. You’re probably a professional in the world of IAM (Identity and Access Management) who’s looking after their own enterprise; and you may even have opinions about what the future holds that range from salty to optimistic. In the world of granting access to enable productivity while preventing fraud, we’ve been supporting impulsive humans and predictable non-human identities… and now we are in the wild and woolly world where the software could be way more YOLO than the employees.

In the last year, AI agents have moved quickly from experimentation into real business roles, and identity infrastructure is necessarily along for the ride, absorbing new constructs and adapting old ones. The landscape of standards has been evolving rapidly as well, and I believe it's important to share updates with those who may not be immersed in these discussions day-to-day. In this fast-changing environment, staying informed about developments is crucial. My goal here is to talk about what is changing in the industry at large, why it is changing, and how we at Microsoft view this critical architectural identity layer.

From a standards perspective, I think the biggest industry change has been mental. There were always entities in the standards world that were non-human and needed resource access, but a clear line in the sand existed as to what those non-human entities would be allowed to accomplish. Different kinds of non-human entities were described by their task orientation and given different names that seemed separate – OAuth Clients, SPIFFE workloads, Token Exchange Actors. These standards had different taxonomies partly so that the security promise of non-human and human interactions could be kept straight. If software needed an access token to act on behalf of “something”, the aligned delegation request flows presumed that the “something” in that sentence was a real person; the idea of “user present” transactions became a critical part of our access management threat model and vocabulary. In the absence of a user, different flows and standards apply. Because consent is a human concept, software cannot grant access on behalf of other software, and a separate decision-making mechanism is required. Yet here we are in a world where agents are delegating, because they have enough reasoning capability to make choices.

You may come to the logical conclusion that the agentic revolution therefore must have caused a standards revolution to match – but no. The mindset change was pretty quick. In my opinion it has been aided in great part by the community developing the Model Context Protocol (MCP). MCP developed an incredible amount of momentum, and their choice to adopt OAuth for MCP authorization created a forcing function that all of us in the Enterprise world will be benefiting from for a long time to come.

Identity standards innovation

There’s a growing set of identity standards we’re paying close attention to, and each merits deeper discussion. For now, I’ll anchor on three broad areas of interest that are shaping how identity standards are evolving for agentic systems: bootstrapping of trust, delegation, and shared secrets. As a broad statement, a lot of work is going on to connect the agentic dots between families of standards, especially in areas for which manual processes could previously bridge automation gaps.

The first area of work is the bootstrapping of trust between non-human entities. If you are wondering what a non-human entity is, it could be anything from an infrastructure endpoint like an OAuth authorization server to a directory-based service principal representing an application, to a workload identity working within a hypervisor context, or now an agentic identity such as an LLM harness or an autonomous business agent. In the federation world, SAML standardized an IDP discovery protocol in 2008, OpenID Connect v1 included a discovery spec in 2014 and OAuth 2.0 Protected Resource Metadata became RFC 9728 in 2025. Despite widespread ratification, IAM admins typically uploaded metadata manually from installation guides or app galleries. The data was static, and admins themselves served as the explicit trigger that established a clear starting point of authority for each federation contract. Agents, however, operate at a different scale, and the incentive is finally in place to consistently automate a non-human entity announcing itself and requesting access, not just in one identity silo but across the entire technical landscape. The result will be a much more connected and consolidated embrace of all sorts of secure non-human onboarding options, including OAuth CIMD (ClientID Metadata Document) and a lot of work in the WIMSE working group at IETF that helps SPIFFE and OAuth work better together (SPIFFE is an open standard that operates similarly to Managed Identities for Azure). It’s also worth calling out IoT and identity wallet standards, but those deserve a deeper dive, which we’ll save for later.
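As an added example that is not part of the original post, here is the RFC 9728 discovery step an MCP client performs when it bootstraps trust with a protected resource: derive the well-known metadata URL, read the `resource_metadata` hint from a 401 challenge, and validate the metadata document before trusting the authorization server it names. The hosts and documents below are constructed, and the rule that the advertised metadata URL must equal the derived well-known URL is this example's own conservative policy, stricter than the RFC requires.

```python
import json
import re
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"
# Constructed sample 401 challenge and metadata document; the hosts are not real.
SAMPLE_RESOURCE = "https://mcp.example.test/mcp"
SAMPLE_HEADER = ('Bearer resource_metadata="https://mcp.example.test'
                 '/.well-known/oauth-protected-resource/mcp"')
SAMPLE_METADATA = json.dumps({
    "resource": "https://mcp.example.test/mcp",
    "authorization_servers": ["https://login.example.test"],
    "scopes_supported": ["tools:read"],
    "bearer_methods_supported": ["header"],
})

def metadata_url_for(resource: str) -> str:
    """RFC 9728 well-known URL: the well-known path sits between host and resource path."""
    p = urlsplit(resource)
    return urlunsplit((p.scheme, p.netloc, WELL_KNOWN + p.path.rstrip("/"), "", ""))

def resource_metadata_from_header(www_authenticate: str):
    """Extract the resource_metadata URL advertised in a WWW-Authenticate challenge."""
    m = re.search(r'resource_metadata="([^"]+)"', www_authenticate)
    return m.group(1) if m else None

def validate_metadata(doc: str, expected_resource: str) -> list[str]:
    """Return the problems found; an empty list means the document may be trusted."""
    try:
        md = json.loads(doc)
    except json.JSONDecodeError:
        return ["metadata is not valid JSON"]
    problems = []
    # RFC 9728 requires the client to check that "resource" equals the identifier it
    # called; otherwise the client could be steered to a server for some other resource.
    if md.get("resource") != expected_resource:
        problems.append(f"resource mismatch: {md.get('resource')!r}")
    servers = md.get("authorization_servers") or []
    if not servers:
        problems.append("no authorization_servers listed")
    problems += [f"authorization server not https: {s}"
                 for s in servers if urlsplit(s).scheme != "https"]
    return problems

def bootstrap_check(resource: str, www_authenticate: str, doc: str) -> list[str]:
    """Assumed policy (stricter than the RFC): advertised URL must equal the derived one."""
    advertised = resource_metadata_from_header(www_authenticate)
    problems = [] if advertised == metadata_url_for(resource) else [
        f"advertised metadata URL {advertised!r} is not the derived well-known URL"]
    return problems + validate_metadata(doc, resource)
```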

In addition to bootstrapping, the standards world is debating the question of delegation. This is another place where bifurcation between human and non-human identity is breaking down. We have multiple existing concepts in identity standards like token exchange, identity chaining, transaction tokens, OBO (on behalf of), token upscoping/downscoping, and a slew of new IETF proposals all occupying everyone’s minds. Take a look through Khaled Zaky’s blog on this topic, and stay tuned – this debate has not yet concluded in any way.

One quieter thread of work is worth calling out here. The standards world is filling those connective tissue gaps around eliminating shared secrets from agentic use. We are already seeing abuse (and perhaps a blurring of the line between what is use and what is abuse) of shared secrets such as API keys in agent contexts – for anyone taking the time to look, bearer token abuse will be next. Looking ahead, there will be a follow-up blog where my colleagues will explore how we’re building critical standards in this area and what that enables next.

Perspective on agentic identity standards

The deep nature of our Microsoft agentic investment is clear for all to see, but it isn’t always obvious just how much of that investment lies in collaborative spaces such as the standards community. We have already created a foundational identity layer built on open standards, with a continued commitment to a standards‑based approach to trust for AI authentication, authorization, and management - one that can scale across the many industries we work with every day. Participation in communities of interest for agentic identity such as AAIF, MCP, IETF, FIDO Alliance and OpenID Foundation is one of the ways in which we stay relevant, and they are communities I’d encourage you to follow as well. We have a lot of learnings about what works and does not work in our very large environment, and I look forward to the writing of my brilliant colleagues as they share that hard-won wisdom. In addition, for anyone who does enjoy the technical complexity of agentic standards, follow me on LinkedIn for much deeper content. One last important perspective – while I have a job title that sounds lofty in this area, the truth is that many people are working on this goal all over the company. It is those contributions, those daily decisions to care about whether any given identity standard serves its purpose, that mean a lasting success. Cheers to them.

-P. Dingle, Director of Identity Standards

Additional resources

Learn more about Microsoft Entra Agent ID:

Updated Apr 22, 2026
Version 1.0