All posts
June 18, 20264 min read

Non-human identity for autonomous agents on Entra

When autonomous agents are granted a non-human identity from Entra, teams often assume the problem of credential sprawl is solved. In practice, the token merely proves who the agent is; it does not control what the agent can do once the request reaches a database, Kubernetes cluster, or SSH host. Organizations typically end up with a static service‑account credential that is shared across pipelines, stored in secret managers, or even baked into container images. The result is a “golden” key that

Free White Paper

Non-Human Identity Management + Single Sign-On (SSO): The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

When autonomous agents are granted a non-human identity from Entra, teams often assume the problem of credential sprawl is solved. In practice, the token merely proves who the agent is; it does not control what the agent can do once the request reaches a database, Kubernetes cluster, or SSH host. Organizations typically end up with a static service‑account credential that is shared across pipelines, stored in secret managers, or even baked into container images. The result is a “golden” key that any compromised build job can reuse indefinitely. Because the identity is human‑agnostic, audit logs capture only the service‑account name, not the specific autonomous process that issued the request. High‑impact actions, dropping a production table, opening a privileged shell, or extracting sensitive customer data, can occur without real‑time approval, masking, or granular visibility.

Entra (or any OIDC/SAML provider) can issue tokens for non‑human principals such as service accounts, machine identities, or AI agents. Switching to Entra eliminates the need for long‑lived passwords, but it does not automatically give you the controls required for a secure autonomous workflow. The token proves *who* the agent is, yet the request still travels straight to the target resource. There is no gate that can inspect the payload, enforce just‑in‑time (JIT) approvals, mask personally identifiable information, or record the session for later replay. In short, the setup decides who may start, but it leaves the actual access path wide open.

Why non-human identity alone isn’t enough

Non‑human identity solves credential sprawl, but without a control plane on the data path, several risk vectors remain:

  • Unrestricted command execution: an agent can run any command the underlying service account permits, even if the operation is risky or non‑compliant.
  • No real‑time approval: high‑impact actions, such as dropping a production table or opening a privileged SSH session, cannot be paused for a human reviewer.
  • Missing audit granularity: logs record the service account name, not the specific autonomous process that issued the request, making forensic analysis difficult.
  • Data exposure: query results that contain credit‑card numbers or personal identifiers flow back to the agent unfiltered, increasing leakage risk.

All of these gaps stem from the fact that the enforcement point is missing. The identity provider tells the system *who* the request is, but without a gateway that sits between the identity and the target, the request proceeds unchecked.

How hoop.dev enforces policy on the data path

hoop.dev is a Layer 7 gateway that intercepts traffic after authentication and before it reaches the infrastructure resource. By placing hoop.dev in the data path, it becomes the sole location where policy can be evaluated and actions taken. The gateway can:

  • Apply just‑in‑time access: when an agent presents a non‑human token from Entra, hoop.dev checks the request against a policy store and grants a short‑lived credential only for the duration of the session.
  • Require human approval for risky commands: if a query matches a pattern deemed high‑risk, hoop.dev routes the request to an approver before forwarding it.
  • Mask sensitive fields inline: response payloads are scanned and fields such as SSNs or credit‑card numbers are redacted before they reach the agent.
  • Record every session: hoop.dev logs the full request and response stream, enabling replay and forensic analysis.

Because hoop.dev sits in the path, the enforcement outcomes exist only because the gateway is present. Removing hoop.dev would return the system to the original state where the token is verified but the request is otherwise unrestricted.

Continue reading? Get the full guide.

Non-Human Identity Management + Single Sign-On (SSO): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Implementing the pattern with Entra and hoop.dev

To turn a non‑human Entra identity into a fully governed autonomous workflow, follow these high‑level steps:

  1. Register an OIDC application in Entra that represents your agents. Configure the app to issue tokens with appropriate audience and scopes.
  2. Deploy the hoop.dev gateway using the getting‑started guide. The gateway runs as a Docker Compose service or in Kubernetes, and it includes an agent that lives close to the target resource.
  3. Configure hoop.dev to trust Entra as its identity provider. hoop.dev will validate incoming tokens and extract group membership or custom claims that identify the specific autonomous process.
  4. Define policies that map Entra claims to resource‑level permissions. Policies can specify which databases, Kubernetes namespaces, or SSH hosts an agent may reach, and they can embed JIT windows or approval requirements.
  5. Enable inline masking for fields that must never leave the target unredacted. The policy language lets you list column names or JSON keys to be scrubbed.
  6. Activate session recording. hoop.dev stores a replay‑able log of each interaction, which satisfies audit requirements and aids incident response.

With this architecture, the Entra token determines *who* the agent is, while hoop.dev decides *what* the agent may do, *when*, and *how* the results are handled. The combination gives you a zero‑trust, identity‑aware proxy for autonomous workloads.

Next steps

Review the detailed feature documentation on the learn page to explore policy syntax, masking options, and approval workflows. When you are ready to provision the gateway, the repository provides the full source code and deployment manifests.

FAQ

Q: Do I need to modify my existing agent code to use hoop.dev?
A: No. hoop.dev works with standard client tools (psql, kubectl, ssh, etc.). The agent connects through the gateway just as it would to the target directly.

Q: Can I use multiple Entra applications for different teams?
A: Yes. Each application can issue tokens with distinct claims, and hoop.dev policies can be scoped per‑application, providing granular control.

Q: How does hoop.dev protect credentials?
A: The gateway holds the credential for the target resource; the agent never sees it. Access is granted only for the duration of an approved session.

Explore the source code and contribute on GitHub.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot