
Entra Agent User
Create Microsoft Entra agent users so AI agents can call M365 and Azure APIs that require idtyp=user tokens instead of app-only access.
Overview
entra-agent-user is an agent skill for the Build phase that creates Microsoft Entra agent users from agent identities so AI agents can act as digital workers with user-token access to M365 and Azure.
Install
npx skills add https://github.com/github/awesome-copilot --skill entra-agent-user
What is this skill?
- Explains agent users versus app-only agent identities (idtyp=user vs idtyp=app)
- Requires a true agent identity ServiceIdentity parent, not a regular application SP
- Documents least-privilege Graph permissions such as AgentIdUser.ReadWrite.IdentityParentedBy
- Caller needs at least the Agent ID Administrator role in delegated scenarios
- Architecture-oriented setup for digital workers accessing Exchange, Teams, and org-chart APIs
Adoption & trust: 8.4k installs on skills.sh; 34.6k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your agent can authenticate as an app but hits walls on Exchange, Teams, or other APIs that require a real user identity and idtyp=user tokens.
Who is it for?
Builders integrating autonomous agents into Microsoft 365 or Azure environments where user-scoped APIs are mandatory.
Skip if: Non-Microsoft stacks, simple API keys without Entra, or teams without tenant access to Agent ID capabilities and administrator roles.
When should I use this skill?
Create Agent Users in Microsoft Entra ID from Agent Identities when AI agents must act as digital workers with user identity capabilities in Microsoft 365 and Azure.
What do I get? / Deliverables
You can provision a correctly parented Entra agent user with the right Graph permissions so the agent operates as a bounded digital worker in the tenant.
- Entra agent user linked to a verified agent identity parent
- Documented permission and role checklist for delegated provisioning
- Architecture notes for user-token access to M365 and Azure APIs
Recommended Skills
Journey fit
Provisioning Entra agent users is integration work you do while wiring an agent into Microsoft 365 and Azure identity surfaces. The skill is API and identity plumbing—agent identity blueprints, Graph permissions, and user-shaped tokens—not generic product brainstorming.
How it compares
Entra Agent ID user provisioning skill—not a generic OAuth tutorial or a Copilot Studio-only marketplace plugin.
Common Questions / FAQ
Who is entra-agent-user for?
Solo and indie developers building Microsoft-integrated agents who need user-shaped Entra identities for M365 and Azure APIs, not only app registrations.
When should I use entra-agent-user?
During Build (integrations) after you have an agent identity blueprint and before wiring Exchange, Teams, or org services that reject app-only tokens.
Is entra-agent-user safe to install?
It guides high-privilege identity changes in your tenant—review every Graph call and role assignment; use the Security Audits panel on this Prism page before installing.
SKILL.md
# SKILL: Creating Agent Users in Microsoft Entra Agent ID

## Overview

An **agent user** is a specialized user identity in Microsoft Entra ID that enables AI agents to act as digital workers. It allows agents to access APIs and services that strictly require user identities (e.g., Exchange mailboxes, Teams, org charts), while maintaining appropriate security boundaries.

Agent users receive tokens with `idtyp=user`, unlike regular agent identities which receive `idtyp=app`.

---

## Prerequisites

- A **Microsoft Entra tenant** with Agent ID capabilities
- An **agent identity** (service principal of type `ServiceIdentity`) created from an **agent identity blueprint**
- One of the following **permissions**:
  - `AgentIdUser.ReadWrite.IdentityParentedBy` (least privileged)
  - `AgentIdUser.ReadWrite.All`
  - `User.ReadWrite.All`
- The caller must have at minimum the **Agent ID Administrator** role (in delegated scenarios)

> **Important:** The `identityParentId` must reference a true agent identity (created via an agent identity blueprint), NOT a regular application service principal. You can verify by checking that the service principal has `@odata.type: #microsoft.graph.agentIdentity` and `servicePrincipalType: ServiceIdentity`.
---

## Architecture

```
Agent Identity Blueprint (application template)
│
├── Agent Identity (service principal - ServiceIdentity)
│   │
│   └── Agent User (user - agentUser)  ← 1:1 relationship
│
└── Agent Identity Blueprint Principal (service principal in tenant)
```

| Component | Type | Token Claim | Purpose |
|---|---|---|---|
| Agent Identity | Service Principal | `idtyp=app` | Backend/API operations |
| Agent User | User (`agentUser`) | `idtyp=user` | Act as a digital worker in M365 |

---

## Step 1: Verify the Agent Identity Exists

Before creating an agent user, confirm the agent identity is a proper `agentIdentity` type:

```http
GET https://graph.microsoft.com/beta/servicePrincipals/{agent-identity-id}
Authorization: Bearer <token>
```

Verify the response contains:

```json
{
  "@odata.type": "#microsoft.graph.agentIdentity",
  "servicePrincipalType": "ServiceIdentity",
  "agentIdentityBlueprintId": "<blueprint-id>"
}
```

### PowerShell

```powershell
Connect-MgGraph -Scopes "Application.Read.All" -TenantId "<tenant>" -UseDeviceCode -NoWelcome

Invoke-MgGraphRequest -Method GET `
  -Uri "https://graph.microsoft.com/beta/servicePrincipals/<agent-identity-id>" | ConvertTo-Json -Depth 3
```

> **Common mistake:** Using an app registration's `appId` or a regular application service principal's `id` will fail. Only agent identities created from blueprints work.
---

## Step 2: Create the Agent User

### HTTP Request

```http
POST https://graph.microsoft.com/beta/users/microsoft.graph.agentUser
Content-Type: application/json
Authorization: Bearer <token>

{
  "accountEnabled": true,
  "displayName": "My Agent User",
  "mailNickname": "my-agent-user",
  "userPrincipalName": "my-agent-user@yourtenant.onmicrosoft.com",
  "identityParentId": "<agent-identity-object-id>"
}
```

### Required Properties

| Property | Type | Description |
|---|---|---|
| `accountEnabled` | Boolean | `true` to enable the account |
| `displayName` | String | Human-friendly name |
| `mailNickname` | String | Mail alias (no spaces/special chars) |
| `userPrincipalName` | String | UPN — must be unique in the tenant (`alias@verified-domain`) |
| `identityParentId` | String | Object ID of the parent agent identity |

### PowerShell

```powershell
Connect-MgGraph -Scopes "User.ReadWrite.All" -TenantId "<tenant>" -UseDeviceCode -NoWelcome

$body = @{
  accountEnabled = $true
  displayName = "My Agent User"
  mailNickname = "my-agent-user"
  userPrincipalNa
```
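The two steps above combined so that the parent check gates the create call, as an added example that is not part of the skill's SKILL.md. It assumes the Microsoft.Graph PowerShell SDK, a caller holding one of the listed permissions plus the Agent ID Administrator role, and the hypothetical function names Test-AgentIdentityParent and New-ParentedAgentUser; `<tenant>` and `<agent-identity-object-id>` are placeholders.

```powershell
# Added example: verify the intended parent is a true agent identity, then create
# the agent user only if that check passes. Assumes the Microsoft.Graph SDK and the
# permissions/role listed in Prerequisites; <...> values are placeholders.
Connect-MgGraph -Scopes "Application.Read.All","User.ReadWrite.All" -TenantId "<tenant>" -UseDeviceCode -NoWelcome

function Test-AgentIdentityParent {
    param([Parameter(Mandatory)][string]$ObjectId)
    # Look up the candidate parent on the beta endpoint used by the skill.
    $sp = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/beta/servicePrincipals/$ObjectId" -OutputType PSObject
    $isAgentIdentity = ($sp.'@odata.type' -eq '#microsoft.graph.agentIdentity') -and
                       ($sp.servicePrincipalType -eq 'ServiceIdentity') -and
                       -not [string]::IsNullOrEmpty($sp.agentIdentityBlueprintId)
    if (-not $isAgentIdentity) {
        # A regular application SP (or an appId passed instead of an object id) stops
        # here, before any user object is written to the tenant.
        throw "Object $ObjectId is not an agent identity: type='$($sp.'@odata.type')', spType='$($sp.servicePrincipalType)'"
    }
    return $sp
}

function New-ParentedAgentUser {
    param(
        [Parameter(Mandatory)][string]$ParentObjectId,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MailNickname,
        [Parameter(Mandatory)][string]$VerifiedDomain
    )
    $parent = Test-AgentIdentityParent -ObjectId $ParentObjectId
    if ($MailNickname -notmatch '^[A-Za-z0-9._-]+$') {
        throw "mailNickname '$MailNickname' contains spaces or special characters"
    }
    $body = @{
        accountEnabled    = $true
        displayName       = $DisplayName
        mailNickname      = $MailNickname
        userPrincipalName = "$MailNickname@$VerifiedDomain"
        identityParentId  = $parent.id
    }
    # Reached only after the parent check passed; the agent user is bound 1:1 to that identity.
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/users/microsoft.graph.agentUser" `
        -Body $body -ContentType "application/json" -OutputType PSObject
}

$user = New-ParentedAgentUser -ParentObjectId "<agent-identity-object-id>" -DisplayName "My Agent User" `
    -MailNickname "my-agent-user" -VerifiedDomain "yourtenant.onmicrosoft.com"
"Created agent user $($user.userPrincipalName) with object id $($user.id)"
```

Run it with a read-only account first: if Test-AgentIdentityParent throws, the object you were about to use as `identityParentId` is not a blueprint-created agent identity and the POST is never sent.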