entra-agent-user
par github
Crée des utilisateurs agents dans Microsoft Entra ID pour permettre aux agents IA d'agir comme des travailleurs numériques avec un accès d'identité utilisateur. Provisionne des identités utilisateur spécialisées (jetons idtyp=user) liées aux identités d'agent, permettant aux agents d'accéder aux API réservées aux utilisateurs comme les boîtes aux lettres Exchange, Teams et les organigrammes. Nécessite une identité d'agent parent créée à partir d'un blueprint d'identité d'agent ; prend en charge une relation 1:1 avec attribution facultative de gestionnaire et provisionnement de licence. Inclut des instructions étape par étape HTTP et PowerShell...
npx skills add https://github.com/github/awesome-copilot --skill entra-agent-userSKILL: Creating Agent Users in Microsoft Entra Agent ID
Overview
An agent user is a specialized user identity in Microsoft Entra ID that enables AI agents to act as digital workers. It allows agents to access APIs and services that strictly require user identities (e.g., Exchange mailboxes, Teams, org charts), while maintaining appropriate security boundaries.
Agent users receive tokens with idtyp=user, unlike regular agent identities which receive idtyp=app.
Prerequisites
- A Microsoft Entra tenant with Agent ID capabilities
- An agent identity (service principal of type
ServiceIdentity) created from an agent identity blueprint - One of the following permissions:
AgentIdUser.ReadWrite.IdentityParentedBy(least privileged)AgentIdUser.ReadWrite.AllUser.ReadWrite.All
- The caller must have at minimum the Agent ID Administrator role (in delegated scenarios)
Important: The
identityParentIdmust reference a true agent identity (created via an agent identity blueprint), NOT a regular application service principal. You can verify by checking that the service principal has@odata.type: #microsoft.graph.agentIdentityandservicePrincipalType: ServiceIdentity.
Architecture
Agent Identity Blueprint (application template)
│
├── Agent Identity (service principal - ServiceIdentity)
│ │
│ └── Agent User (user - agentUser) ← 1:1 relationship
│
└── Agent Identity Blueprint Principal (service principal in tenant)
| Component | Type | Token Claim | Purpose |
|---|---|---|---|
| Agent Identity | Service Principal | idtyp=app | Backend/API operations |
| Agent User | User (agentUser) | idtyp=user | Act as a digital worker in M365 |
Step 1: Verify the Agent Identity Exists
Before creating an agent user, confirm the agent identity is a proper agentIdentity type:
GET https://graph.microsoft.com/beta/servicePrincipals/{agent-identity-id}
Authorization: Bearer <token>
Verify the response contains:
{
"@odata.type": "#microsoft.graph.agentIdentity",
"servicePrincipalType": "ServiceIdentity",
"agentIdentityBlueprintId": "<blueprint-id>"
}
PowerShell
Connect-MgGraph -Scopes "Application.Read.All" -TenantId "<tenant>" -UseDeviceCode -NoWelcome
Invoke-MgGraphRequest -Method GET `
-Uri "https://graph.microsoft.com/beta/servicePrincipals/<agent-identity-id>" | ConvertTo-Json -Depth 3
Common mistake: Using an app registration's
appIdor a regular application service principal'sidwill fail. Only agent identities created from blueprints work.
Step 2: Create the Agent User
HTTP Request
POST https://graph.microsoft.com/beta/users/microsoft.graph.agentUser
Content-Type: application/json
Authorization: Bearer <token>
{
"accountEnabled": true,
"displayName": "My Agent User",
"mailNickname": "my-agent-user",
"userPrincipalName": "[email protected]",
"identityParentId": "<agent-identity-object-id>"
}
Required Properties
| Property | Type | Description |
|---|---|---|
accountEnabled | Boolean | true to enable the account |
displayName | String | Human-friendly name |
mailNickname | String | Mail alias (no spaces/special chars) |
userPrincipalName | String | UPN — must be unique in the tenant (alias@verified-domain) |
identityParentId | String | Object ID of the parent agent identity |
PowerShell
Connect-MgGraph -Scopes "User.ReadWrite.All" -TenantId "<tenant>" -UseDeviceCode -NoWelcome
$body = @{
accountEnabled = $true
displayName = "My Agent User"
mailNickname = "my-agent-user"
userPrincipalName = "[email protected]"
identityParentId = "<agent-identity-object-id>"
} | ConvertTo-Json
Invoke-MgGraphRequest -Method POST `
-Uri "https://graph.microsoft.com/beta/users/microsoft.graph.agentUser" `
-Body $body -ContentType "application/json" | ConvertTo-Json -Depth 3
Key Notes
- No password — agent users cannot have passwords. They authenticate via their parent agent identity's credentials.
- 1:1 relationship — each agent identity can have at most one agent user. Attempting to create a second returns
400 Bad Request. - The
userPrincipalNamemust be unique. Don't reuse an existing user's UPN.
Step 3: Assign a Manager (Optional)
Assigning a manager allows the agent user to appear in org charts (e.g., Teams).
PUT https://graph.microsoft.com/beta/users/{agent-user-id}/manager/$ref
Content-Type: application/json
Authorization: Bearer <token>
{
"@odata.id": "https://graph.microsoft.com/beta/users/{manager-user-id}"
}
PowerShell
$managerBody = '{"@odata.id":"https://graph.microsoft.com/beta/users/<manager-user-id>"}'
Invoke-MgGraphRequest -Method PUT `
-Uri "https://graph.microsoft.com/beta/users/<agent-user-id>/manager/`$ref" `
-Body $managerBody -ContentType "application/json"
Step 4: Set Usage Location and Assign Licenses (Optional)
A license is needed for the agent user to have a mailbox, Teams presence, etc. Usage location must be set first.
Set Usage Location
PATCH https://graph.microsoft.com/beta/users/{agent-user-id}
Content-Type: application/json
Authorization: Bearer <token>
{
"usageLocation": "US"
}
List Available Licenses
GET https://graph.microsoft.com/beta/subscribedSkus?$select=skuPartNumber,skuId,consumedUnits,prepaidUnits
Authorization: Bearer <token>
Requires Organization.Read.All permission.
Assign a License
POST https://graph.microsoft.com/beta/users/{agent-user-id}/assignLicense
Content-Type: application/json
Authorization: Bearer <token>
{
"addLicenses": [
{ "skuId": "<sku-id>" }
],
"removeLicenses": []
}
PowerShell (all in one)
Connect-MgGraph -Scopes "User.ReadWrite.All","Organization.Read.All" -TenantId "<tenant>" -NoWelcome
# Set usage location
Invoke-MgGraphRequest -Method PATCH `
-Uri "https://graph.microsoft.com/beta/users/<agent-user-id>" `
-Body '{"usageLocation":"US"}' -ContentType "application/json"
# Assign license
$licenseBody = '{"addLicenses":[{"skuId":"<sku-id>"}],"removeLicenses":[]}'
Invoke-MgGraphRequest -Method POST `
-Uri "https://graph.microsoft.com/beta/users/<agent-user-id>/assignLicense" `
-Body $licenseBody -ContentType "application/json"
Tip: You can also assign licenses via the Entra admin center under Identity → Users → All users → select the agent user → Licenses and apps.
Provisioning Times
| Service | Estimated Time |
|---|---|
| Exchange mailbox | 5–30 minutes |
| Teams availability | 15 min – 24 hours |
| Org chart / People search | Up to 24–48 hours |
| SharePoint / OneDrive | 5–30 minutes |
| Global Address List | Up to 24 hours |
Agent User Capabilities
- ✅ Added to Microsoft Entra groups (including dynamic groups)
- ✅ Access user-only APIs (
idtyp=usertokens) - ✅ Own a mailbox, calendar, and contacts
- ✅ Participate in Teams chats and channels
- ✅ Appear in org charts and People search
- ✅ Added to administrative units
- ✅ Assigned licenses
Agent User Security Constraints
- ❌ Cannot have passwords, passkeys, or interactive sign-in
- ❌ Cannot be assigned privileged admin roles
- ❌ Cannot be added to role-assignable groups
- ❌ Permissions similar to guest users by default
- ❌ Custom role assignment not available
Troubleshooting
| Error | Cause | Fix |
|---|---|---|
Agent user IdentityParent does not exist | identityParentId points to a non-existent or non-agent-identity object | Verify the ID is an agentIdentity service principal, not a regular app |
400 Bad Request (identityParentId already linked) | The agent identity already has an agent user | Each agent identity supports only one agent user |
409 Conflict on UPN | The userPrincipalName is already taken | Use a unique UPN |
| License assignment fails | Usage location not set | Set usageLocation before assigning licenses |
References
Plus de skills de github
console-rendering
github
Instructions pour utiliser le système de rendu console basé sur les tags de struct en Go
official
acquire-codebase-knowledge
github
Utilisez cette compétence lorsque l'utilisateur demande explicitement de cartographier, documenter ou s'intégrer dans une base de code existante. Déclenchez-la pour des requêtes comme "cartographier cette base de code", "documenter…
official
acreadiness-assess
github
Run the AgentRC readiness assessment on the current repository and produce a static HTML dashboard at reports/index.html. Wraps `npx github:microsoft/agentrc…
official
acreadiness-generate-instructions
github
Génère des fichiers d'instructions d'agent IA personnalisés via la commande d'instructions AgentRC. Produit .github/copilot-instructions.md (par défaut, recommandé pour Copilot dans VS…
official
acreadiness-policy
github
Aider l'utilisateur à choisir, rédiger ou appliquer une politique AgentRC. Les politiques personnalisent le score de préparation en désactivant les vérifications non pertinentes, en remplaçant l'impact/niveau, en définissant…
official
add-educational-comments
github
Ajouter des commentaires pédagogiques aux fichiers de code pour les transformer en ressources d'apprentissage efficaces. Adapte la profondeur et le ton des explications à trois niveaux de connaissances configurables : débutant, intermédiaire et avancé. Demande automatiquement un fichier si aucun n'est fourni, avec une liste numérotée pour une sélection rapide. Étend les fichiers jusqu'à 125 % en utilisant uniquement des commentaires pédagogiques (limite stricte : 400 nouvelles lignes ; 300 pour les fichiers de plus de 1 000 lignes). Préserve l'encodage du fichier, le style d'indentation, la correction syntaxique et...
official
adobe-illustrator-scripting
github
Rédigez, déboguez et optimisez des scripts d'automatisation Adobe Illustrator en utilisant ExtendScript (JavaScript/JSX). Utilisez lors de la création ou de la modification de scripts qui manipulent…
official
agent-governance
github
Politiques déclaratives, classification d'intention et pistes d'audit pour contrôler l'accès et le comportement des outils d'agents IA. Des politiques de gouvernance composables définissent les outils autorisés/bloqués, les filtres de contenu, les limites de débit et les exigences d'approbation — stockées en tant que configuration, pas de code. La classification d'intention sémantique détecte les invites dangereuses (exfiltration de données, escalade de privilèges, injection d'invite) avant l'exécution des outils à l'aide de signaux basés sur des motifs. Le décorateur de gouvernance au niveau des outils applique les politiques au niveau de la fonction...
official