What can your AI agent reach right now, with no human in the loop, while you read this sentence? If the honest answer is "a production database, because we set that up months ago," you have standing access wearing the costume of automation. The fix is to make access something the agent has to ask for and lose again.
This post explains just-in-time access for AI agents whose identity is issued by Microsoft Entra, enforced at the infrastructure boundary by hoop.dev. To be precise about the roles: Entra is the identity provider that authenticates the agent and asserts its groups. hoop.dev is the relying party that consumes that assertion and grants a temporary, recorded connection to the database, cluster, or internal service the agent needs. hoop.dev governs the connection, not Entra.
How just-in-time access works at the gateway
Start with the mechanism, because the setup only makes sense once you see it. Every connection an agent opens goes through the hoop.dev gateway. When a request arrives, the gateway verifies the Entra token, reads the group claim, and checks whether a just-in-time policy permits this identity to open this connection. If yes, it opens a window with a fixed lifetime, proxies traffic to the target over the native protocol, records the session, and tears the window down when the clock runs out.
The agent holds no database credential. That credential lives on the connection inside hoop.dev and is injected at runtime. So even a fully compromised agent cannot reconnect after its window closes, because there is nothing for it to reuse.
Setting it up
Take an agent that triages incidents and occasionally needs to query a logs cluster.
- Create an Entra group, for example incident-triage-agents, and assign the agent identity.
- Trust Entra as the OIDC provider in hoop.dev.
- Register the cluster as a hoop.dev connection with its credential on the connection.
- Bind a just-in-time policy to the Entra group with a short lifetime and recording enabled.
grant prod-logs
to: group:incident-triage-agents
when: requested
lifetime: 15m
recorded: yes
Confirm the boundary
Trigger a grant, run a read, wait for the lifetime to elapse, and try again. The second attempt should fail at the gateway with no access remaining. Then check the session record: it should attribute every command to the Entra identity, with timestamps that bracket the window. That is the evidence that least-privilege and just-in-time access are enforced where the agent cannot reach to reconfigure them.
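To make the gateway decision above and this boundary check concrete, here is an added example that models the grant lifecycle in Python. It is not hoop.dev code: the Policy fields mirror the policy snippet in this post, and the token claims, identity name and command are constructed.

```python
# Added example, not hoop.dev code: a model of the gateway-side decision
# (verify token -> read group claim -> check policy -> open fixed window ->
# proxy and record -> refuse once the window has closed).
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Policy:
    connection: str      # e.g. "prod-logs"
    group: str           # Entra group allowed to request a grant
    lifetime: timedelta  # fixed window; nothing the agent does can extend it
    recorded: bool = True

@dataclass
class Grant:
    identity: str
    connection: str
    opened_at: datetime
    expires_at: datetime
    session: list = field(default_factory=list)  # (timestamp, identity, command)

def request_grant(policy: Policy, claims: dict, now: datetime) -> Optional[Grant]:
    """Open a window only if the already-verified token's groups claim matches."""
    if policy.group not in claims.get("groups", []):
        return None
    return Grant(claims["sub"], policy.connection, now, now + policy.lifetime)

def proxy_command(grant: Grant, command: str, now: datetime) -> bool:
    """Forward a command only while the window is open; record it when forwarded."""
    if now >= grant.expires_at:
        return False  # no access remaining: the agent holds nothing to reuse
    grant.session.append((now, grant.identity, command))
    return True

def run_boundary_check():
    """The 'Confirm the boundary' procedure: grant, read, wait out the lifetime, retry."""
    policy = Policy("prod-logs", "incident-triage-agents", timedelta(minutes=15))
    # Constructed claims as the gateway would see them after token verification.
    claims = {"sub": "agent-incident-triage", "groups": ["incident-triage-agents"]}
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    grant = request_grant(policy, claims, t0)
    first = proxy_command(grant, "SELECT count(*) FROM logs", t0 + timedelta(minutes=5))
    second = proxy_command(grant, "SELECT count(*) FROM logs", t0 + timedelta(minutes=16))
    # Every recorded command must be attributed to the identity and fall inside the window.
    in_window = all(grant.opened_at <= ts < grant.expires_at and who == grant.identity
                    for ts, who, _ in grant.session)
    return first, second, len(grant.session), in_window
```

A token whose groups claim lacks the bound group never gets a window at all, which is the group-claim check the gateway performs before any lifetime applies.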
Common mistakes
- Treating a 24-hour window as just-in-time. If the agent can hold access all day, the timer is decorative.
- Letting the agent cache a connection string. The credential must stay on the gateway connection.
- Forgetting to record. A grant without a session record gives you control but no audit trail.
How this differs from access inside Entra
It is worth being exact, because the names invite confusion. Entra has its own access concepts, including conditional access and Privileged Identity Management, and those govern what an identity can do within Microsoft's own services. That is a different layer from what this post describes. Here, Entra issues the identity, and the time-boxed grant applies to your own infrastructure: the Postgres replica, the logs cluster, the internal API. hoop.dev reads the Entra identity and gates the connection to those targets.
So you are not replacing anything in Entra. You are extending the reach of the Entra identity to infrastructure that Entra does not front, and adding just-in-time access and recording on that path. The agent authenticates once against Entra and gets a short, recorded window into the specific resource, with no standing credential left behind.
Because the gateway is open source under an MIT license, you can verify the lifetime enforcement in the source rather than taking it on faith. The hoop.dev getting started guide walks through your first connection, and the learn library covers policy patterns for agents.
FAQ
Does just-in-time access change anything inside Entra?
No. Entra remains the identity provider. hoop.dev applies the time-boxed grant to the infrastructure connection based on the Entra identity it receives.
Can an agent extend its own window?
No. The lifetime is enforced by the gateway outside the agent process, so the agent cannot reconfigure it.
How do I try it?
Run the gateway from the hoop.dev GitHub repository and bind a short-lived policy to one connection first.