Detect and Block Risky AI Agents Before They Compromise Your Data
Artificial intelligence is transforming how businesses work—but unmanaged AI agents can become a major security risk. Compromised or misconfigured AI agents may access sensitive data, exfiltrate customer information, or move laterally through your network.
The good news: Microsoft now lets you detect and block high-risk AI agents automatically using Conditional Access (CA) policies.
What Is “Agent Risk”?
Microsoft Entra ID Protection now includes Agent Risk (Preview), which evaluates AI agent identities for signs of compromise, unusual behavior, or policy violations. When an agent is flagged as High Risk, you can automatically block its access to all your cloud resources.
How to Block High-Risk AI Agents with Conditional Access
Follow these steps in the Microsoft Entra admin center:
Sign in as a Conditional Access Administrator
Go to Entra ID > Conditional Access > Policies
Select New policy and give it a clear name (e.g.,
Block-High-Risk-AI-Agents)Under Assignments:
Select Users, agents (Preview) or workload identities
Choose Agents (Preview) → All agent identities (Preview)
Under Target resources:
Select Resources (formerly cloud apps) → All resources
Under Conditions > Agent risk (Preview):
Set Configure to Yes
Select High risk level
Under Access controls > Grant:
Select Block access
Set Enable policy to Report-only first to validate impact
Create the policy, then switch from Report-only to On once confirmed
This policy ensures that any AI agent detected as high risk is immediately blocked from accessing your Microsoft 365, Azure, or other cloud apps.
Why This Matters for Perth SMBs
AI adoption is accelerating, but most small businesses lack AI governance
A single compromised AI agent can expose customer data, financial records, and IP
Conditional Access gives you automatic, policy-driven protection without slowing down legitimate users
As an MSP client, you can roll this out across all your environments from one central location
Next Steps
If your IT setup doesn’t yet include AI-agent risk controls, worth checking this setting in your environment today.
If this sounds like your current setup, I’m happy to help you tighten it up with a secure Conditional Access strategy tailored for Perth SMBs.



