Approval workflows for AI agents on Entra


An AI agent decides, at 2am, that the cleanest way to resolve a stuck job is to delete a batch of rows in production. It is confident. It is also wrong. If nothing sits between that decision and the database, the rows are gone before anyone wakes up. The control you want is not a better-behaved agent. It is a human checkpoint on the operations that can hurt.

Approval workflows put that checkpoint in the path. This guide adds approval workflows for AI agents whose identity is issued by Microsoft Entra, enforced on the infrastructure connection by hoop.dev. The roles, up front: Entra is the identity provider that authenticates the agent and asserts its group. hoop.dev is the relying party that verifies the Entra token and routes risky operations to a reviewer before they reach the target. The approval sits on the database or service connection. hoop.dev does not insert approvals into Entra and does not front Entra itself.

Which operations need an approval

Not everything should stop for a human. A read of order status can run freely. A delete, a schema change, or a write to a financial table is where an approval earns its cost. The design goal is to let routine work flow and to gate only the operations whose blast radius justifies a pause. The decision about which is which lives in policy at the gateway, not in the agent, because an agent that can decide it does not need approval has no approval at all.

Setting up approval workflows step by step

Take an agent that maintains a production database and occasionally needs to run a destructive cleanup.

  1. In Entra, put the agent identity in a group such as db-maintenance-agents.
  2. Configure hoop.dev to verify Entra tokens against your tenant.
  3. Create the hoop.dev connection to the database with its credential on the connection.
  4. Bind a policy to the Entra group: reads run directly, writes and deletes route for approval, and every session is recorded.

policy: db-maintenance-agents
  connection: prod-maintenance
  rules:
    - match: SELECT
      action: allow
    - match: DELETE|DROP|UPDATE
      action: require-approval
  record: true

When the agent issues a delete, hoop.dev holds the operation, notifies the reviewer with the identity and the exact statement, and only runs it on approval. The agent waits at the boundary.
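A minimal model of the gate decision described above, added here as an illustration; it is not hoop.dev's code, and its matching semantics (leading-keyword match, strictest action across a batch, unmatched statements held for approval) are assumptions. It goes slightly beyond the policy shown by covering statements the rules do not list, such as INSERT or TRUNCATE, and batches that start with a read.

```python
import re

# The two rules from the policy above, in order. Matching semantics are assumed.
RULES = [
    (re.compile(r"SELECT", re.I), "allow"),
    (re.compile(r"DELETE|DROP|UPDATE", re.I), "require-approval"),
]
DEFAULT_ACTION = "require-approval"  # assumption: unmatched statements fail closed
_RANK = {"allow": 0, "require-approval": 1}


def split_statements(sql: str) -> list[str]:
    """Drop comments, blank out '...' literals, split on top-level ';'.
    Assumes standard SQL quoting (no backslash escapes or dollar-quoting)."""
    out, buf, i = [], [], 0
    while i < len(sql):
        if sql.startswith("--", i):            # line comment: skip to newline
            j = sql.find("\n", i)
            i = len(sql) if j < 0 else j
        elif sql.startswith("/*", i):          # block comment
            j = sql.find("*/", i + 2)
            i = len(sql) if j < 0 else j + 2
            buf.append(" ")
        elif sql[i] == "'":                    # literal: contents never classify
            j = sql.find("'", i + 1)
            i = len(sql) if j < 0 else j + 1
            buf.append("''")
        elif sql[i] == ";":
            out.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(sql[i])
            i += 1
    out.append("".join(buf))
    return [s.strip() for s in out if s.strip()]


def action_for(statement: str) -> str:
    """Match the statement's leading keyword against the rules, first hit wins."""
    m = re.match(r"[A-Za-z]+", statement)
    verb = m.group(0) if m else ""
    for pattern, action in RULES:
        if pattern.fullmatch(verb):
            return action
    return DEFAULT_ACTION


def decide(sql: str) -> str:
    """A batch gets the strictest action of any statement in it."""
    actions = [action_for(s) for s in split_statements(sql)]
    return max(actions, key=_RANK.__getitem__) if actions else DEFAULT_ACTION
```

Run your own gateway's policy against the same inputs: a batch that opens with a SELECT, a comment-prefixed delete, and a verb no rule names should all end up in front of a reviewer.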

Verify the gate holds

Have the agent attempt a delete. It should pause, surface to the reviewer, and execute only after a human approves, with the whole exchange in the session record tied to the Entra identity. Then deny one and confirm the operation never reaches the database. One path lets the agent act and reviews the damage after. The other reviews the intent before anything happens. The recorded approvals and denials are the evidence the gate is doing real work.

Pitfalls

  • Do not route everything for approval. Reviewers tune out, and routine reads should not wait on a human.
  • Do not let the agent self-approve or hold a path that skips the gateway. The approval must live where the agent cannot bypass it.
  • Do not approve on identity alone. Show the reviewer the exact operation, not just who asked.

Why the Entra identity makes the review meaningful

An approval is only as good as the context the reviewer gets. A prompt that says "an agent wants to run a delete" is hard to judge. A prompt that says this Entra identity, in the maintenance group, wants to run this exact statement against this connection gives the reviewer something real to decide on. hoop.dev attaches the verified Entra identity to the request, so the human is approving a known actor doing a known thing, not an anonymous job.

It closes the loop on accountability too. The approval, the identity, and the operation all land in the same session record. Later you can show not just that a risky operation ran, but who asked, who approved, and exactly what executed. That is the audit a destructive change against production deserves.

hoop.dev is open source, so the approval logic and what the reviewer sees are auditable in the code rather than asserted. The getting started guide covers enabling approvals on a connection, and the learn material has patterns for approval workflows with agents.

FAQ

Do the approval workflows run inside Entra?

No. Entra provides the identity. hoop.dev runs the approval on the infrastructure operation, gated by the Entra group.

Can the agent skip the approval?

No. The gate runs at the gateway, outside the agent process, on the path to the target.

How do I try it?

Run the gateway from the hoop.dev GitHub repository and add a require-approval rule to one connection.
