Agent identity deletion

When you delete an agent identity blueprint or its principal, Microsoft Entra automatically cleans up all child agent identities and agents' user accounts with a cascade cleanup process. You don't need to manually query and delete each one. Understanding when and how this cascade cleanup happens helps you plan for restoration if needed.

Agent identity blueprints and their associated objects follow the same soft deletion and hard deletion behavior as other app registrations and service principals in Microsoft Entra. For a full overview of that process, see Deleting and recovering applications FAQ. This article focuses on what's unique to agent identity deletion.

Object relationships

The following objects are involved in the agent identity deletion lifecycle. The cascade cleanup process is based on these relationships.

| Object | Directory object type | Relationship |
|---|---|---|
| Agent identity blueprint | Application | Parent of the blueprint principal |
| Agent identity blueprint principal | Service principal | The principal for the blueprint |
| Agent identity | Service principal | Child of the blueprint principal |
| Agent's user account | User | Paired 1:1 with an agent identity |

Disable versus delete

Before deleting a blueprint, consider whether disabling is the right action instead.

  • Disable: Prevents the blueprint principal or its agent identities from authenticating, but leaves all objects in place. Use this when you want to temporarily stop agent activity, investigate an issue, or decommission agents gradually. Objects remain in the directory and count toward quota.
  • Delete: Removes the agent identity blueprint or its agent identity blueprint principal from the directory and triggers cascade cleanup of child agent identities. Use this when you're permanently retiring a blueprint and all agents created from it. Deletion can't be undone after the 30-day soft-deletion window expires.

For information on disabling agent identities, see Disable agent identities.

Cascade cleanup

When you delete an agent identity blueprint or its agent identity blueprint principal, Microsoft Entra automatically soft deletes all associated child agent identities and agents' user accounts. This cleanup is asynchronous.

The cascade process works as follows:

  1. You delete the agent identity blueprint or agent identity blueprint principal: The object is soft deleted and moves to the recycle bin.
  2. Microsoft Entra triggers automatic cleanup: A background task soft deletes all child agent identities and agents' user accounts associated with the deleted blueprint.
  3. Objects are restorable for 30 days: Soft-deleted objects can be restored within 30 days. After that, they're permanently deleted.

Important

If you restore the agent identity blueprint principal before the background cleanup runs, child agent identities aren't affected. After the cleanup runs, each child identity must be restored individually. Restoring the agent identity blueprint principal doesn't reverse cascade deletions that already occurred.

Orphaned objects and quota considerations

When an agent identity blueprint principal is permanently deleted, any associated agent identities and agents' user accounts that weren't already deleted become orphaned objects and are soft deleted. Orphaned objects can't authenticate, but they continue to count toward directory quota until they're permanently deleted after the 30-day retention period expires.

Agent identity deletion follows the same quota rules as other Microsoft Entra objects. Soft-deleted objects continue to count toward quota limits until permanently deleted. For general quota information, see Microsoft Entra service limits and restrictions.

One consideration specific to agent identities: if you're using app-only permissions and are at the 250 agent identity limit for a blueprint, deleting an agent identity doesn't free up space until it's permanently deleted. By default, permanent deletion happens automatically after the 30-day retention period expires. If you need to free up quota immediately, you can force permanent deletion of soft-deleted agent identities. For steps, see Permanently delete agent identity objects. Agent identity blueprints also follow this 250 limit when using app-only permissions.
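Two points above call for the same tooling: after the background cleanup runs, each child agent identity must be restored individually, and permanently deleting soft-deleted agent identities is the only way to free quota before the 30-day window ends. The following Python is an added example, not Microsoft's code: it classifies entries from the Graph deleted-items endpoint for service principals and issues the per-object restore or permanent-delete calls. It assumes you already hold a Graph bearer token and supply a `send(method, url)` callable that performs the HTTP request; the IDs, display names and timestamps are constructed sample data.

```python
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
RETENTION_DAYS = 30  # soft-deletion window described on this page

def plan_recovery(deleted_items, child_ids, keep_ids, now):
    """Classify entries from GET /directory/deletedItems/microsoft.graph.servicePrincipal.
    child_ids: agent identities that belonged to the deleted blueprint.
    keep_ids:  the subset to bring back; each needs its own restore call, because
               restoring the blueprint principal does not undo the cascade.
    Returns one dict per item: the action to take and days left in the 30-day window."""
    plan = []
    for item in deleted_items:
        deleted_at = datetime.fromisoformat(item["deletedDateTime"].replace("Z", "+00:00"))
        days_left = RETENTION_DAYS - (now - deleted_at).days
        if item["id"] in keep_ids:
            action = "restore"
        elif item["id"] in child_ids:
            action = "purge"  # retired child: permanent deletion frees quota now
        else:
            action = "leave"  # not one of ours; never touch it
        plan.append({"id": item["id"], "action": action, "days_left": days_left})
    return plan

def apply_plan(plan, send):
    """Issue the Graph calls for the plan. `send(method, url)` returns an HTTP status;
    it is injected so the caller can wrap requests/httpx with a bearer token (assumed)."""
    done = []
    for step in plan:
        if step["action"] == "restore":   # POST .../restore brings one object back
            status = send("POST", f"{GRAPH}/directory/deletedItems/{step['id']}/restore")
        elif step["action"] == "purge":   # DELETE on a deleted item is permanent
            status = send("DELETE", f"{GRAPH}/directory/deletedItems/{step['id']}")
        else:
            continue
        done.append((step["action"], step["id"], status))
    return done

# Constructed sample shaped like Graph deletedItems entries (not real tenant data).
SAMPLE_DELETED = [
    {"id": "sp-agent-01", "displayName": "triage-agent-01", "deletedDateTime": "2025-01-02T10:00:00Z"},
    {"id": "sp-agent-02", "displayName": "triage-agent-02", "deletedDateTime": "2025-01-02T10:00:00Z"},
    {"id": "sp-other-99", "displayName": "unrelated-app", "deletedDateTime": "2024-12-10T08:00:00Z"},
]
SAMPLE_NOW = datetime(2025, 1, 25, tzinfo=timezone.utc)

if __name__ == "__main__":
    plan = plan_recovery(SAMPLE_DELETED, {"sp-agent-01", "sp-agent-02"}, {"sp-agent-01"}, SAMPLE_NOW)
    print(apply_plan(plan, lambda method, url: 0))  # dry run: no HTTP request is sent
```

Run it against a real tenant only with a `send` that carries a token holding the directory recycle-bin permissions, and review the plan first, since a `purge` cannot be reversed.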