
Entra Agent Id
Provision Microsoft Entra Agent Identity blueprints and per-instance agent principals, then configure OAuth fmi_path and OBO token exchange for production AI agents.
Overview
entra-agent-id is an agent skill for the Ship phase that provisions Microsoft Entra Agent Identity blueprints and configures OAuth token exchange (fmi_path, OBO) for AI agent runtimes.
Install
npx skills add https://github.com/microsoft/azure-skills --skill entra-agent-id
What is this skill?
- Object model: Blueprint (app) → BlueprintPrincipal (service principal) → per-instance Agent Identity (service principal)
- Microsoft Graph v1.0 APIs with roles such as Agent Identity Developer or Application Administrator
- Two-step fmi_path token exchange for autonomous agents and on-behalf-of (OBO) flows
- .NET helper via Microsoft.Identity.Web.AgentIdentities and polyglot Microsoft Entra SDK for AgentID sidecar
- Explicit routing: not for vanilla app registration (entra-app-registration) or Azure RBAC (azure-rbac)
- Three-layer object model: Blueprint, BlueprintPrincipal, Agent Identity
- API surface: Microsoft Graph https://graph.microsoft.com/v1.0
- Skill metadata version 1.0.1
Adoption & trust: 99.1k installs on skills.sh; 1.2k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your agent shares one app registration with overly broad permissions, has no per-instance identity, and has no supported path for autonomous or OBO Microsoft Graph access.
Who is it for?
Builders deploying Microsoft-connected AI agents who need Graph-provisioned Agent IDs and formal OAuth exchange instead of a single multi-tenant secret.
Skip if: Standard human SSO app registration, Azure resource RBAC only, or Foundry-only agent design without Entra Agent ID requirements.
When should I use this skill?
User needs Agent Identity Blueprint, BlueprintPrincipal, agent OAuth, fmi_path exchange, agent OBO, or Workload Identity Federation for Microsoft-connected agents.
What do I get? / Deliverables
Each agent instance gets its own Entra Agent Identity with blueprint scaffolding and documented fmi_path/OBO exchange, ready to integrate Microsoft.Identity.Web.AgentIdentities or the Entra AgentID sidecar.
- Provisioned Blueprint and BlueprintPrincipal records in Graph
- Per-instance Agent Identity service principals with scoped grants
- Documented fmi_path and OBO exchange configuration for runtime
Journey fit
Canonical shelf is Ship/security because the skill governs identity, OAuth grants, and audit-scoped permissions before agents touch production Microsoft APIs. Security subphase reflects Graph-backed Blueprint → BlueprintPrincipal → Agent Identity modeling and runtime token exchange, not app UI or infra provisioning alone.
How it compares
Identity blueprint and token-exchange skill—use entra-app-registration for classic apps and azure-rbac for Azure roles, not this package.
Common Questions / FAQ
Who is entra-agent-id for?
Developers and indie teams building agents on Claude Code, Cursor, or Codex that must authenticate to Microsoft Graph with per-agent Entra identities and audited grants.
When should I use entra-agent-id?
Use it in Ship/security when defining Agent Identity Blueprints before production, and in Build/backend integrations when wiring agent OAuth to Microsoft APIs.
Is entra-agent-id safe to install?
It targets high-privilege Graph operations—confirm tenant roles, least-privilege scopes, and review the Security Audits panel on this page before applying in production tenants.
SKILL.md - Entra Agent Id
# Microsoft Entra Agent ID

Create and manage OAuth 2.0-capable identities for AI agents using Microsoft Graph. Every agent instance gets a distinct identity, audit trail, and independently-scoped permission grants.

## Quick Reference

| Property | Value |
|----------|-------|
| Service | Microsoft Entra Agent ID |
| API | Microsoft Graph (`https://graph.microsoft.com/v1.0`) |
| Required role | Agent Identity Developer, Agent Identity Administrator, or Application Administrator |
| Object model | Blueprint (application) → BlueprintPrincipal (SP) → Agent Identity (SP) |
| Runtime exchange | Two-step `fmi_path` exchange (autonomous and OBO) |
| .NET helper | `Microsoft.Identity.Web.AgentIdentities` |
| Polyglot helper | Microsoft Entra SDK for AgentID (sidecar container) |

## When to Use This Skill

- Provisioning a new Agent Identity Blueprint and BlueprintPrincipal
- Creating per-instance Agent Identities under a Blueprint
- Configuring credentials (FIC, Managed Identity, or client secret) on the Blueprint
- Implementing the two-step `fmi_path` runtime token exchange (autonomous or OBO)
- Cross-tenant agent token flows
- Deploying the Microsoft Entra SDK for AgentID sidecar for polyglot agents (Python, Node, Go, Java)
- Granting per-Agent-Identity application (`appRoleAssignments`) or delegated (`oauth2PermissionGrants`) permissions
- Diagnosing Agent ID errors such as `AADSTS82001`, `AADSTS700211`, or `PropertyNotCompatibleWithAgentIdentity`

## MCP Tools

| Tool | Use |
|------|-----|
| `mcp_azure_mcp_documentation` | Search Microsoft Learn for current Agent ID setup, Graph API shapes, and SDK configuration |

There is no dedicated Agent Identity MCP server today. This skill guides direct Microsoft Graph API calls (PowerShell or Python `requests`). Use `mcp_azure_mcp_documentation` to verify request bodies and endpoints against current docs before running.
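The two-step `fmi_path` exchange named in the Quick Reference, written out as an added example (it is not the skill's or Microsoft's code). It assumes the Blueprint holds a client-secret credential, that `fmi_path` carries the target Agent Identity's ID, and that the step-1 token is presented in step 2 as an RFC 7523 JWT bearer client assertion; the OBO variant is not shown and every ID, secret and tenant value is a placeholder.

```python
"""Two-step fmi_path exchange for an autonomous Entra Agent Identity. Added
example, not the azure-skills project's code. Assumed: Blueprint uses a client
secret; fmi_path carries the Agent Identity ID; the step-1 token is sent in
step 2 as an RFC 7523 JWT bearer client assertion; all IDs are placeholders."""
import json, urllib.parse, urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
EXCHANGE_SCOPE = "api://AzureADTokenExchange/.default"  # assumed exchange audience
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def step1_blueprint_request(blueprint_client_id, blueprint_secret, agent_identity_id):
    # Step 1: the Blueprint's own credential asks for an exchange token that is
    # bound, via fmi_path, to one specific Agent Identity.
    return {"grant_type": "client_credentials", "client_id": blueprint_client_id,
            "client_secret": blueprint_secret, "scope": EXCHANGE_SCOPE,
            "fmi_path": agent_identity_id}

def step2_agent_request(agent_identity_id, exchange_token, resource_scope):
    # Step 2: the Agent Identity (which cannot hold its own credential)
    # authenticates with the step-1 token as its client assertion.
    return {"grant_type": "client_credentials", "client_id": agent_identity_id,
            "client_assertion_type": JWT_BEARER, "client_assertion": exchange_token,
            "scope": resource_scope}

def check_exchange_invariants(step1, step2):
    # Guard rails: the Blueprint secret must never reach step 2, and step 2 must
    # act as exactly the Agent Identity named in step 1's fmi_path.
    problems = []
    if "client_secret" in step2:
        problems.append("Blueprint secret leaked into the agent request")
    if step2.get("client_id") != step1.get("fmi_path"):
        problems.append("step-2 client_id differs from step-1 fmi_path")
    return problems

def _post_form(url, form):
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def acquire_agent_token(tenant, bp_client_id, bp_secret, agent_identity_id, resource_scope):
    # Runs both steps against the tenant's token endpoint; returns the agent token.
    url = TOKEN_ENDPOINT.format(tenant=tenant)
    s1 = step1_blueprint_request(bp_client_id, bp_secret, agent_identity_id)
    exchange_token = _post_form(url, s1)["access_token"]
    s2 = step2_agent_request(agent_identity_id, exchange_token, resource_scope)
    problems = check_exchange_invariants(s1, s2)
    if problems:
        raise ValueError("; ".join(problems))
    return _post_form(url, s2)["access_token"]
```

Only the Blueprint credential ever appears in step 1; the Agent Identity authenticates solely with the short-lived exchange token, which is what gives each instance its own audit trail.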
## Before You Start

Use the `mcp_azure_mcp_documentation` tool to search Microsoft Learn for current Agent ID documentation:

- "Microsoft Entra Agent ID setup instructions"
- "Microsoft Entra SDK for AgentID"

Verify request bodies and endpoints against the installed SDK version: Graph API shapes evolve.

## Conceptual Model

```
Agent Identity Blueprint (application)          ← one per agent type/project
└── BlueprintPrincipal (service principal)      ← MUST be created explicitly
    ├── Agent Identity (SP): agent-1            ← one per agent instance
    ├── Agent Identity (SP): agent-2
    └── Agent Identity (SP): agent-3
```

| Concept | Description |
|---------|-------------|
| **Blueprint** | Application object that defines a type/class of agent. Holds credentials (secret, certificate, federated identity). |
| **BlueprintPrincipal** | Service principal for the Blueprint in the tenant. Not auto-created. |
| **Agent Identity** | Service-principal-only identity for a single agent instance. Cannot hold its own credentials. |
| **Sponsor** | A User (or Group, for Agent Identity) who is responsible for the identity. Required on creation. |

## Prerequisites

### Required Entra Roles

One of: **Agent Identity Developer**, **Agent Identity Administrator**, or **Application Administrator**.

### PowerShell (interactive setup)

```powershell
# Pow