Seeing every agent sign-in in one place: an Azure Monitor workbook for Entra Agent ID

The earlier articles in this series (Part 1, Part 2, and Part 3) built the case from first principles: dynamic consent lets an agent earn its access in context, that accumulation quietly turns the agent into a high-value target, and the raw queries to discover what agents have been granted and what they actually exercise already exist in Microsoft Graph and Log Analytics. All of that is useful. None of it is visible unless someone remembers to run the query.

A KQL query in a Log Analytics window is something you execute when you already suspect a problem. An Azure Monitor workbook is a parameterized view you open (or pin to a shared dashboard) to see the shape of agent traffic before suspicion sets in. That is a different posture entirely, and it is the difference between investigation and awareness.

This article walks through an open-source workbook that provides that awareness for every agent identity in the tenant, grouped by the construct that matters most for governance: the Agent Identity Blueprint.

What the workbook shows

The workbook, available on GitHub, queries two log tables from Microsoft Entra: