AgentIdentity.CreateAsManager

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the AgentIdentity.CreateAsManager permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	-	-
DisplayText	-	-
Description	-	-
AdminConsentRequired	-	-

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /servicePrincipals/{id}/microsoft.graph.agentIdentity
	DELETE /servicePrincipals/{id}/microsoft.graph.agentIdentity/owners/{id}/$ref
	GET /servicePrincipals/{id}/microsoft.graph.agentIdentity
	GET /servicePrincipals/{id}/microsoft.graph.agentIdentity/memberOf
	GET /servicePrincipals/{id}/microsoft.graph.agentIdentity/ownedObjects
	GET /servicePrincipals/{id}/microsoft.graph.agentIdentity/owners
	GET /servicePrincipals/{id}/microsoft.graph.agentIdentity/transitiveMemberOf
	GET /servicePrincipals/microsoft.graph.agentIdentity
	PATCH /servicePrincipals/{id}/microsoft.graph.agentIdentity
	POST /servicePrincipals/{id}/microsoft.graph.agentIdentity/owners/$ref
	POST /servicePrincipals/microsoft.graph.agentIdentity

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: agentIdentity

Property	Type	Description
odata.type	String	`#microsoft.graph.agentIdentity`. Distinguishes this object as an agent identity. Can be used to identify this object as an agent identity, instead of another kind of service principal.
accountEnabled	Boolean	`true` if the agent identity account is enabled; otherwise, `false`. If set to `false`, then no users are able to sign in to this app, even if they're assigned to it. Inherited from servicePrincipal.
agentIdentityBlueprintId	String	The appId of the agent identity blueprint that defines the configuration for this agent identity.
customSecurityAttributes	customSecurityAttributeValue	An open complex type that holds the value of a custom security attribute that is assigned to a directory object. Nullable. Returned only on `$select`. Inherited from servicePrincipal.
createdByAppId	String	The appId of the application used to create the agent identity. Set internally by Microsoft Entra ID. Read-only. Inherited from servicePrincipal.
createdDateTime	DateTimeOffset	The date and time the agent identity was created. Read-only. Inherited from servicePrincipal.
disabledByMicrosoftStatus	String	Specifies whether Microsoft has disabled the registered Agent Identity Blueprint. Possible values are: `null` (default value), `NotDisabled`, and `DisabledDueToViolationOfServicesAgreement` (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). Inherited from servicePrincipal.
displayName	String	The display name for the agent identity. Inherited from servicePrincipal.
id	String	The unique identifier for the agent identity. Inherited from directoryObject. Key. Not nullable. Read-only. Inherited from entity.
servicePrincipalType	String	Set to ServiceIdentity for all agent identities. Inherited from servicePrincipal.
tags	String collection	Custom strings that can be used to categorize and identify the agent identity. Not nullable. The value is the union of strings set here and on the associated Agent Identity Blueprint entity's **t

Graph reference: agentIdentityBlueprint

Property	Type	Description
api	apiApplication	Specifies settings for an agent identity blueprint that implements a web API. Inherited from application.
appId	String	The unique identifier for the agent identity blueprint that is assigned by Microsoft Entra ID. Not nullable. Read-only. Inherited from application.
appRoles	appRole collection	The collection of roles defined for the agent identity blueprint. With app role assignments, these roles can be assigned to users, groups, or service principals associated with other applications. Not nullable. Inherited from application.
certification	certification	Specifies the certification status of the agent identity blueprint. Inherited from application.
createdByAppId	String	The unique identifier of the application that created this agent identity blueprint. Set internally by Microsoft Entra ID. Read-only. Inherited from application.
createdDateTime	DateTimeOffset	The date and time the agent identity blueprint was registered. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. Read-only. Inherited from application.
createdByAppId	String	The appId (called Application (client) ID on the Microsoft Entra admin center) of the application that created this agent identity blueprint. Set internally by Microsoft Entra ID. Read-only. Inherited from application.
description	String	Free text field to provide a description of the agent identity blueprint to end users. The maximum allowed size is 1,024 characters. Inherited from application.
disabledByMicrosoftStatus	String	Specifies whether Microsoft has disabled the registered agent identity blueprint. Possible values are: `null` (default value), `NotDisabled`, and `DisabledDueToViolationOfServicesAgreement` (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). Inherited from application.
displayName	String	The display name for the agent identity blueprint. Maximum length is 256 characters. Inherited from application.
groupMembershipClaims	String	Configures the `groups` claim issued in a user or OAuth 2.0 access token that the agent identity blueprint expects. To set this attribute, use one of the following string values: `None`, `SecurityGroup` (for security groups and Microsoft Entra roles), `All` (this gets all security groups, distribution groups, and Microsoft Entra directory roles that the signed-in user is a member of). Inherited from application.
id	String	Unique identifier for the agent identity blueprint object. This property is referred to as Object ID in the Microsoft Entra admin center. Key. Not nullable. Read-only. Inherited from directoryObject.
identifierUris	String collection	Also known as App ID URI, this value is set when an agent identity blueprint is used as a resource app. The identifierUris acts as the prefix for the scopes you reference in your API's code, and it must be globally unique across Microsoft Entra ID. Not nullable. Inherited from application.
info	informationalUrl	Basic profile information of the agent identity blueprint, such as it's marketing, support, terms of service, and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience. Inherited from application.
keyCredentials	keyCredential collection	The collection of key credentials associated with the agent identity blueprint. Not nullable. Inherited from application.
optionalClaims	optionalClaims	Application developers can configure optional claims in their Microsoft Entra agent identity blueprints to specify the claims that are sent to their application by the Microsoft security token service. Inherited from application.
passwordCredentials	passwordCredential collection	The collection of password credentials associated with the agent identity blueprint. Not nullable. Inherited from application. You can also add passwords after creating the agent identity blueprint by calling the Add password API.
publisherDomain	String	The verified publisher domain for the agent identity blueprint. Read-only. Inherited from application.
serviceManagementReference	String	References application or service contact information from a Service or Asset Management database. Nullable. Inherited from application.
signInAudience	String	Specifies the Microsoft accounts that are supported for the current agent identity blueprint. The possible values are: `AzureADMyOrg` (default), `AzureADMultipleOrgs`, `AzureADandPersonalMicrosoftAccount`, and `PersonalMicrosoftAccount`. Inherited from application.
tags	String collection	Custom strings that can be used to categorize and identify the agent identity blueprint. Not nullable. Inherited from application.
tokenEncryptionKeyId	Guid	Specifies the keyId of a public key from the keyCredentials collection. When configured, Microsoft Entra ID encrypts all the tokens it emits by using the key this property points to. Inherited from application.
uniqueName	String	The unique identifier that can be assigned to an agent identity blueprint and used as an alternate key. Immutable. Read-only. Inherited from application.
verifiedPublisher	verifiedPublisher	Specifies the verified publisher of the agent identity blueprint. Inherited from application.
web	webApplication	Specifies settings for a web application. Inherited from application.

Graph reference: directoryObject

Property	Type	Description
deletedDateTime	DateTimeOffset	Date and time when this object was deleted. Always `null` when the object hasn't been deleted.
id	String	The unique identifier for the object. For example, `12345678-9abc-def0-1234-56789abcde`. The value of the **i

Table of Contents

AgentIdentity.CreateAsManager

Graph Methods

Resources