entra-agent-user
Original:🇺🇸 English
Translated
Create Agent Users in Microsoft Entra ID from Agent Identities, enabling AI agents to act as digital workers with user identity capabilities in Microsoft 365 and Azure environments.
7.1kinstalls
Sourcegithub/awesome-copilot
Added on
NPX Install
npx skill4agent add github/awesome-copilot entra-agent-userTags
Translated version includes tags in frontmatterSKILL.md Content
View Translation Comparison →SKILL: Creating Agent Users in Microsoft Entra Agent ID
Overview
An agent user is a specialized user identity in Microsoft Entra ID that enables AI agents to act as digital workers. It allows agents to access APIs and services that strictly require user identities (e.g., Exchange mailboxes, Teams, org charts), while maintaining appropriate security boundaries.
Agent users receive tokens with , unlike regular agent identities which receive .
idtyp=useridtyp=appPrerequisites
- A Microsoft Entra tenant with Agent ID capabilities
- An agent identity (service principal of type ) created from an agent identity blueprint
ServiceIdentity - One of the following permissions:
- (least privileged)
AgentIdUser.ReadWrite.IdentityParentedBy AgentIdUser.ReadWrite.AllUser.ReadWrite.All
- The caller must have at minimum the Agent ID Administrator role (in delegated scenarios)
Important: Themust reference a true agent identity (created via an agent identity blueprint), NOT a regular application service principal. You can verify by checking that the service principal hasidentityParentIdand@odata.type: #microsoft.graph.agentIdentity.servicePrincipalType: ServiceIdentity
Architecture
Agent Identity Blueprint (application template)
│
├── Agent Identity (service principal - ServiceIdentity)
│ │
│ └── Agent User (user - agentUser) ← 1:1 relationship
│
└── Agent Identity Blueprint Principal (service principal in tenant)| Component | Type | Token Claim | Purpose |
|---|---|---|---|
| Agent Identity | Service Principal | | Backend/API operations |
| Agent User | User ( | | Act as a digital worker in M365 |
Step 1: Verify the Agent Identity Exists
Before creating an agent user, confirm the agent identity is a proper type:
agentIdentityhttp
GET https://graph.microsoft.com/beta/servicePrincipals/{agent-identity-id}
Authorization: Bearer <token>Verify the response contains:
json
{
"@odata.type": "#microsoft.graph.agentIdentity",
"servicePrincipalType": "ServiceIdentity",
"agentIdentityBlueprintId": "<blueprint-id>"
}PowerShell
powershell
Connect-MgGraph -Scopes "Application.Read.All" -TenantId "<tenant>" -UseDeviceCode -NoWelcome
Invoke-MgGraphRequest -Method GET `
-Uri "https://graph.microsoft.com/beta/servicePrincipals/<agent-identity-id>" | ConvertTo-Json -Depth 3Common mistake: Using an app registration'sor a regular application service principal'sappIdwill fail. Only agent identities created from blueprints work.id
Step 2: Create the Agent User
HTTP Request
http
POST https://graph.microsoft.com/beta/users/microsoft.graph.agentUser
Content-Type: application/json
Authorization: Bearer <token>
{
"accountEnabled": true,
"displayName": "My Agent User",
"mailNickname": "my-agent-user",
"userPrincipalName": "my-agent-user@yourtenant.onmicrosoft.com",
"identityParentId": "<agent-identity-object-id>"
}Required Properties
| Property | Type | Description |
|---|---|---|
| Boolean | |
| String | Human-friendly name |
| String | Mail alias (no spaces/special chars) |
| String | UPN — must be unique in the tenant ( |
| String | Object ID of the parent agent identity |
PowerShell
powershell
Connect-MgGraph -Scopes "User.ReadWrite.All" -TenantId "<tenant>" -UseDeviceCode -NoWelcome
$body = @{
accountEnabled = $true
displayName = "My Agent User"
mailNickname = "my-agent-user"
userPrincipalName = "my-agent-user@yourtenant.onmicrosoft.com"
identityParentId = "<agent-identity-object-id>"
} | ConvertTo-Json
Invoke-MgGraphRequest -Method POST `
-Uri "https://graph.microsoft.com/beta/users/microsoft.graph.agentUser" `
-Body $body -ContentType "application/json" | ConvertTo-Json -Depth 3Key Notes
- No password — agent users cannot have passwords. They authenticate via their parent agent identity's credentials.
- 1:1 relationship — each agent identity can have at most one agent user. Attempting to create a second returns .
400 Bad Request - The must be unique. Don't reuse an existing user's UPN.
userPrincipalName
Step 3: Assign a Manager (Optional)
Assigning a manager allows the agent user to appear in org charts (e.g., Teams).
http
PUT https://graph.microsoft.com/beta/users/{agent-user-id}/manager/$ref
Content-Type: application/json
Authorization: Bearer <token>
{
"@odata.id": "https://graph.microsoft.com/beta/users/{manager-user-id}"
}PowerShell
powershell
$managerBody = '{"@odata.id":"https://graph.microsoft.com/beta/users/<manager-user-id>"}'
Invoke-MgGraphRequest -Method PUT `
-Uri "https://graph.microsoft.com/beta/users/<agent-user-id>/manager/`$ref" `
-Body $managerBody -ContentType "application/json"Step 4: Set Usage Location and Assign Licenses (Optional)
A license is needed for the agent user to have a mailbox, Teams presence, etc. Usage location must be set first.
Set Usage Location
http
PATCH https://graph.microsoft.com/beta/users/{agent-user-id}
Content-Type: application/json
Authorization: Bearer <token>
{
"usageLocation": "US"
}List Available Licenses
http
GET https://graph.microsoft.com/beta/subscribedSkus?$select=skuPartNumber,skuId,consumedUnits,prepaidUnits
Authorization: Bearer <token>Requires permission.
Organization.Read.AllAssign a License
http
POST https://graph.microsoft.com/beta/users/{agent-user-id}/assignLicense
Content-Type: application/json
Authorization: Bearer <token>
{
"addLicenses": [
{ "skuId": "<sku-id>" }
],
"removeLicenses": []
}PowerShell (all in one)
powershell
Connect-MgGraph -Scopes "User.ReadWrite.All","Organization.Read.All" -TenantId "<tenant>" -NoWelcome
# Set usage location
Invoke-MgGraphRequest -Method PATCH `
-Uri "https://graph.microsoft.com/beta/users/<agent-user-id>" `
-Body '{"usageLocation":"US"}' -ContentType "application/json"
# Assign license
$licenseBody = '{"addLicenses":[{"skuId":"<sku-id>"}],"removeLicenses":[]}'
Invoke-MgGraphRequest -Method POST `
-Uri "https://graph.microsoft.com/beta/users/<agent-user-id>/assignLicense" `
-Body $licenseBody -ContentType "application/json"Tip: You can also assign licenses via the Entra admin center under Identity → Users → All users → select the agent user → Licenses and apps.
Provisioning Times
| Service | Estimated Time |
|---|---|
| Exchange mailbox | 5–30 minutes |
| Teams availability | 15 min – 24 hours |
| Org chart / People search | Up to 24–48 hours |
| SharePoint / OneDrive | 5–30 minutes |
| Global Address List | Up to 24 hours |
Agent User Capabilities
- ✅ Added to Microsoft Entra groups (including dynamic groups)
- ✅ Access user-only APIs (tokens)
idtyp=user - ✅ Own a mailbox, calendar, and contacts
- ✅ Participate in Teams chats and channels
- ✅ Appear in org charts and People search
- ✅ Added to administrative units
- ✅ Assigned licenses
Agent User Security Constraints
- ❌ Cannot have passwords, passkeys, or interactive sign-in
- ❌ Cannot be assigned privileged admin roles
- ❌ Cannot be added to role-assignable groups
- ❌ Permissions similar to guest users by default
- ❌ Custom role assignment not available
Troubleshooting
| Error | Cause | Fix |
|---|---|---|
| | Verify the ID is an |
| The agent identity already has an agent user | Each agent identity supports only one agent user |
| The | Use a unique UPN |
| License assignment fails | Usage location not set | Set |