Microsoft Entra Agent ID is an identity and security framework that extends Microsoft Entra capabilities to AI agents. As organizations deploy assistive, autonomous, and user-like agents, they need purpose-built identity constructs to authenticate, authorize, govern, and protect these nonhuman identities. Microsoft Entra Agent ID addresses these needs by providing a unified platform for managing agent identities at enterprise scale.
Agent identities and blueprints
How do I filter Microsoft Graph API queries to return only agent identities?
Microsoft Graph APIs that support relationships involving agent identities, such as /ownedObjects, /deletedItems, and /owners, don't support filtering by entity type. Use the existing APIs and filter the results on the client side, using the odata.type property of each returned object to identify agent identity objects in the response.
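The following Python example shows the client-side filtering described above, including walking @odata.nextLink pages so that agent objects on later pages aren't missed. It's an added example, not code from the Microsoft Entra documentation; the sample /ownedObjects response is constructed, and the @odata.type names in AGENT_TYPES are assumed placeholders that you should confirm against the values your tenant returns.

```python
"""Client-side filtering of a paged Microsoft Graph relationship result by @odata.type.

Added example; it is not code from the Microsoft Entra documentation.
The @odata.type names in AGENT_TYPES are assumed placeholders: confirm the
values your tenant returns for agent identity objects before relying on them.
"""
from typing import Callable, Dict, Iterator, List

# Assumed @odata.type values for agent identity objects (placeholders, not from the page).
AGENT_TYPES = {
    "#microsoft.graph.agentIdentity",
    "#microsoft.graph.agentIdentityBlueprint",
    "#microsoft.graph.agentIdentityBlueprintPrincipal",
}


def iter_pages(first_url: str, fetch: Callable[[str], Dict]) -> Iterator[Dict]:
    """Yield every object in a Graph collection, following @odata.nextLink until exhausted.

    `fetch` performs the authenticated GET and returns the parsed JSON body; it is
    injected so the paging logic can be exercised without network access.
    """
    url = first_url
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def agent_objects(first_url: str, fetch: Callable[[str], Dict]) -> List[Dict]:
    """Return only the agent identity objects from a relationship such as /ownedObjects.

    Graph rejects $filter on entity type for these relationships, so every page is
    fetched and the type check happens here on the client.
    """
    return [obj for obj in iter_pages(first_url, fetch) if obj.get("@odata.type") in AGENT_TYPES]


# Constructed two-page response for GET /users/{id}/ownedObjects (sample data only).
_BASE = "https://graph.microsoft.com/v1.0/users/alice@contoso.example/ownedObjects"
_SAMPLE_PAGES = {
    _BASE: {
        "value": [
            {"@odata.type": "#microsoft.graph.application", "id": "app-1", "displayName": "Payroll API"},
            {"@odata.type": "#microsoft.graph.agentIdentity", "id": "agent-1", "displayName": "Expense agent"},
        ],
        "@odata.nextLink": _BASE + "?$skiptoken=page2",
    },
    _BASE + "?$skiptoken=page2": {
        "value": [
            {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-1", "displayName": "Payroll API"},
            {"@odata.type": "#microsoft.graph.agentIdentityBlueprint", "id": "bp-1", "displayName": "Expense blueprint"},
        ],
    },
}


def sample_fetch(url: str) -> Dict:
    """Stand-in for an authenticated Graph GET; serves the constructed pages above."""
    return _SAMPLE_PAGES[url]


def demo() -> List[str]:
    """IDs of the agent objects found across both sample pages."""
    return [obj["id"] for obj in agent_objects(_BASE, sample_fetch)]


if __name__ == "__main__":
    print(demo())
```

In production, replace sample_fetch with a function that sends the GET with a bearer token and returns the parsed JSON; the paging and filtering code doesn't change. Keep the type set in one place so that it can be updated if Microsoft publishes different @odata.type values.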
What happens to an agent's user account when an agent identity or blueprint is deleted?
When an agent identity blueprint or agent identity is deleted, any associated agents' user accounts remain in the tenant. They aren't shown as disabled or deleted, though they can't authenticate. Delete orphaned agents' user accounts manually using Microsoft Graph API or Microsoft Entra PowerShell.
Why do sequential Microsoft Graph API requests sometimes fail when creating agent identity objects?
When creating agent identity objects in quick succession using Microsoft Graph APIs, requests might fail with errors like 400 Bad Request: Object with id {id} not found. Common sequences that trigger this behavior include:
- Creating an agent identity blueprint, then immediately creating a blueprint principal.
- Creating a blueprint principal, then immediately using the blueprint to create an agent identity.
- Creating an agent identity, then immediately creating an agent's user account.
These failures are more common when using app-only permissions. Use delegated permissions where possible, and add retry logic with exponential backoff to your requests.
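The following Python example implements the retry-with-exponential-backoff advice above for the create sequences listed. It's an added example, not Microsoft code: GraphError and FlakyCreate are constructed stand-ins that simulate the transient "Object with id {id} not found" response, and in real code the callable passed to with_backoff would issue the HTTP request. Note that only the transient errors are retried; a 403 from missing permissions surfaces immediately, because backoff is no substitute for using delegated permissions where possible.

```python
"""Exponential backoff for sequential agent identity creates in Microsoft Graph.

Added example; not code from the Microsoft Entra documentation. GraphError and
FlakyCreate are constructed to simulate the transient 400 'not found' failure
the FAQ describes; a real implementation would issue the HTTP request in `op`.
"""
import random
import time
from typing import Any, Callable, List, Tuple


class GraphError(Exception):
    """Minimal stand-in for an HTTP error returned by Microsoft Graph."""

    def __init__(self, status: int, message: str):
        super().__init__(f"{status}: {message}")
        self.status = status
        self.message = message


def is_transient(err: GraphError) -> bool:
    """Retry only the replication-lag 400, throttling (429) and transient server errors."""
    if err.status == 400 and "not found" in err.message.lower():
        return True
    return err.status in (429, 503, 504)


def with_backoff(
    op: Callable[[], Any],
    *,
    attempts: int = 6,
    base: float = 0.5,
    cap: float = 8.0,
    sleep: Callable[[float], None] = time.sleep,
    rand: Callable[[], float] = random.random,
) -> Any:
    """Call `op` until it succeeds or a non-transient error occurs.

    Delay doubles each attempt (base, 2*base, 4*base ...) up to `cap`, with jitter
    so that many clients created in parallel don't retry in lock-step.
    """
    for attempt in range(1, attempts + 1):
        try:
            return op()
        except GraphError as err:
            if not is_transient(err) or attempt == attempts:
                raise
            delay = min(cap, base * 2 ** (attempt - 1)) * (0.5 + rand() / 2)
            sleep(delay)


class FlakyCreate:
    """Simulates creating a blueprint principal right after its blueprint: the first
    `failures` calls raise the directory's 'not found' 400, then the create succeeds."""

    def __init__(self, failures: int):
        self.failures = failures
        self.calls = 0

    def __call__(self) -> dict:
        self.calls += 1
        if self.calls <= self.failures:
            raise GraphError(400, "Object with id 00000000-0000-0000-0000-000000000000 not found")
        return {"id": "principal-1"}  # constructed sample id


def demo(failures: int = 2) -> Tuple[dict, int, List[float]]:
    """Run a create that fails `failures` times; return (result, calls made, delays slept)."""
    delays: List[float] = []
    op = FlakyCreate(failures)
    result = with_backoff(op, sleep=delays.append, rand=lambda: 1.0)  # jitter fixed for determinism
    return result, op.calls, delays


def demo_permanent() -> Tuple[Any, int]:
    """A 403 is not transient: it surfaces on the first attempt with no retry."""
    calls = {"n": 0}

    def op() -> None:
        calls["n"] += 1
        raise GraphError(403, "Insufficient privileges to complete the operation.")

    try:
        with_backoff(op, sleep=lambda _: None)
    except GraphError as err:
        return err.status, calls["n"]
    return None, calls["n"]


if __name__ == "__main__":
    print(demo())           # ({'id': 'principal-1'}, 3, [0.5, 1.0])
    print(demo_permanent()) # (403, 1)
```

Apply the same wrapper to each step of the sequence (blueprint, then blueprint principal, then agent identity, then the agent's user account) rather than only to the last one, since any step can observe the previous object before it has replicated.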
Are there limits on the number of agent identity blueprints per tenant?
Yes. Non-Microsoft platforms using app-only permissions are limited to 250 active agent identity blueprints per tenant, and each of those blueprints is limited to 250 active agent identities. Delegated-permission requests from admin users don't count toward this limit. Microsoft-owned platforms like Microsoft Agent 365 aren't subject to this limit.
For more information, see Microsoft Entra service limits and restrictions. Contact your Microsoft representative if your scenario requires exceeding these limits.
How do I know when an admin approves my agent identity blueprint in their tenant?
There are no built-in notification mechanisms for agent identity blueprint approval. When a tenant admin creates or approves an agent identity blueprint for your agent, you aren't notified through Microsoft Entra or Microsoft Graph.
To check whether your blueprint has been approved in a specific tenant, query the Microsoft Graph API for blueprint principal objects associated with your application. If an admin hasn't approved the blueprint yet, the query returns no results for that tenant.
Roles, permissions, and groups
Can I use custom roles to manage agent identities?
Custom role definitions don't support actions for managing agent identities. Use the built-in Agent ID Administrator and Agent ID Developer roles for all agent identity management.
Can I add agent identities to administrative units?
Agent identities, agent identity blueprints, and agent identity blueprint principals can't be added to administrative units. Use the owners property of agent identities to limit which users can manage specific objects.
Can I update the photo for an agent's user account?
The Agent ID Administrator role doesn't have permission to update photos for an agent's user account. Use the User Administrator role for this task.
Can I use dynamic groups to manage an agent's user account?
Dynamic group membership rules don't support targeting an agent's user account. Use assigned groups to manage an agent's user account's group memberships.
Authentication and consent
Can agent identities sign in to web apps using single sign-on (SSO)?
Agent identities can't sign in to Microsoft Entra ID sign-in pages, which means they can't use single sign-on with OpenID Connect or SAML protocols. Use available web APIs to integrate agents with workplace apps and services.
Does the admin consent workflow work for Microsoft Entra Agent ID permission requests?
The Microsoft Entra ID admin consent workflow doesn't work correctly for permissions requested by agent identities. Users should contact their Microsoft Entra tenant admin to request that permissions be granted directly to the agent identity.
What should I do if a user's consent is blocked by risk-based step-up?
Risk-based step-up is enforced for agent identity consent flows. If a user's consent is blocked, there's no workaround. The user must resolve the flagged risk before consent can proceed.
Monitoring and logs
How can I identify agent identity activities in audit logs?
Audit logs don't distinguish agent identities from other Microsoft Entra identity types by default:
- Operations on agent identities, blueprints, and blueprint principals are logged in the ApplicationManagement category.
- Operations on agents' user accounts are logged in the User Management category.
- Operations initiated by agent identities appear as service principals.
- Operations initiated by agents' user accounts appear as users.
To identify Agent ID-related activity, use object IDs from audit logs to query Microsoft Graph and determine the entity type. You can also use the sign-in logs correlation ID to locate the identity of the actor or subject involved in the activity.
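The following Python example applies the audit-log guidance above: it takes the initiator and target object IDs from each audit record, resolves each ID to its Microsoft Graph entity type (cached, so each ID is looked up once), and tags the records that involve an agent identity, blueprint, or blueprint principal. It's an added example, not from the Microsoft Entra documentation; the audit rows and the directory lookup are constructed, the @odata.type names in AGENT_TYPES are assumed placeholders, and in production resolve would call GET /directoryObjects/{id} and read @odata.type from the response.

```python
"""Tag Microsoft Entra audit-log records that involve agent identity objects.

Added example; not code from the Microsoft Entra documentation. The audit rows
and _DIRECTORY are constructed sample data, AGENT_TYPES holds assumed
placeholder type names, and a real resolver would query Graph for each id.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Assumed @odata.type values for agent identity objects (placeholders, not from the page).
AGENT_TYPES = {
    "#microsoft.graph.agentIdentity",
    "#microsoft.graph.agentIdentityBlueprint",
    "#microsoft.graph.agentIdentityBlueprintPrincipal",
}

# Constructed directory contents: object id -> @odata.type as Graph would return it.
# An agent's user account resolves to a plain user type, just as the FAQ says it
# appears in logs, so this lookup alone cannot single it out.
_DIRECTORY = {
    "u-alice": "#microsoft.graph.user",
    "sp-finance": "#microsoft.graph.servicePrincipal",
    "agent-7": "#microsoft.graph.agentIdentity",
    "bp-1": "#microsoft.graph.agentIdentityBlueprint",
    "u-agent-7": "#microsoft.graph.user",
}

# Constructed audit records reduced to the fields this example needs.
AUDIT_ROWS = [
    {"category": "ApplicationManagement", "activity": "Add service principal",
     "initiatedBy": "u-alice", "targets": ["agent-7"]},
    {"category": "ApplicationManagement", "activity": "Update application",
     "initiatedBy": "u-alice", "targets": ["sp-finance"]},
    {"category": "UserManagement", "activity": "Update user",
     "initiatedBy": "agent-7", "targets": ["u-agent-7"]},
    {"category": "ApplicationManagement", "activity": "Delete application",
     "initiatedBy": "u-alice", "targets": ["deleted-9"]},
]


def make_resolver(lookup: Callable[[str], Optional[str]]) -> Callable[[str], str]:
    """Wrap a per-id Graph lookup with a cache; unknown or deleted ids resolve to 'unknown'."""
    cache: Dict[str, str] = {}

    def resolve(object_id: str) -> str:
        if object_id not in cache:
            cache[object_id] = lookup(object_id) or "unknown"
        return cache[object_id]

    return resolve


def tag_agent_activity(rows: List[dict], resolve: Callable[[str], str]) -> List[dict]:
    """Return a copy of each row with the agent objects it involves and an agentRelated flag."""
    tagged = []
    for row in rows:
        ids = [row["initiatedBy"], *row["targets"]]
        types = {object_id: resolve(object_id) for object_id in ids}
        agent_ids = sorted(i for i, t in types.items() if t in AGENT_TYPES)
        tagged.append({**row, "agentObjects": agent_ids, "agentRelated": bool(agent_ids)})
    return tagged


def demo() -> Tuple[List[dict], int]:
    """Tag the sample rows; also return how many directory lookups the cache let through."""
    lookups: List[str] = []

    def sample_lookup(object_id: str) -> Optional[str]:
        lookups.append(object_id)          # stand-in for GET /directoryObjects/{id}
        return _DIRECTORY.get(object_id)   # None mimics a 404 for a deleted object

    tagged = tag_agent_activity(AUDIT_ROWS, make_resolver(sample_lookup))
    return tagged, len(lookups)


if __name__ == "__main__":
    rows, n = demo()
    for r in rows:
        print(r["category"], r["activity"], r["agentRelated"], r["agentObjects"])
    print("directory lookups:", n)
```

Because the audit log records an agent's user account as an ordinary user, this lookup flags activity by agent identities but not by their user accounts; for those, correlate with the sign-in logs as the answer above describes.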
How do I identify agent identities in Microsoft Graph activity logs?
Microsoft Graph activity logs don't currently separate agent identities from other identity types:
- Requests from agent identities are logged as applications, with the agent identity in the AppId column.
- Requests from agents' user accounts are logged as users, with the agent's user ID in the UserId column.
Join with Microsoft Entra sign-in logs to determine the entity type.
Development resources
Are there SDKs or libraries available for Microsoft Entra Agent ID scenarios?
The SDK you use depends on your scenario:
Microsoft Agent 365 CLI and SDK are the recommended starting point for most developers. The CLI handles agent identity provisioning, blueprint creation, and permission wiring in a single command. The SDK handles token acquisition at runtime. For more information, see Microsoft Entra Agent 365 SDK documentation.
Microsoft.Identity.Web provides higher-level APIs for acquiring tokens for agent identities in .NET applications. Use the Microsoft.Identity.Web.AgentIdentities package to simplify managing agent identities.
The Microsoft Entra SDK container wraps Microsoft.Identity.Web as a web service deployed as a sidecar container. Use this option when your agent runs on Kubernetes or isn't built in .NET. For more information, see Microsoft Entra SDK for Agent ID.
Microsoft Graph APIs provide agent identity management when the other options don't fit your scenario. For more information, see Microsoft Graph API for agent identity blueprints.