When agents perform operations using their own identity, rather than acting as a delegate of a user, they're called autonomous agents. To perform operations, an agent must first authenticate with Microsoft Entra ID and obtain an access token for its agent identity (agent ID). This article walks you through requesting that access token in two steps. You'll:
- Obtain a token for the agent identity blueprint, bound to a specific agent identity.
- Exchange the agent identity blueprint token for an agent ID token.
Prerequisites
Before implementing agent token authentication, ensure you have:
- An agent identity. You'll need the agent identity's client ID.
- An agent identity blueprint. You'll need the blueprint's client ID and a client credential for it.
- An understanding of the OAuth protocols used by Microsoft Entra Agent ID.
Configure your client credentials
Get your client credential details for the agent identity blueprint. This can be a client secret, a certificate, or a managed identity that you're using as a federated identity credential.
Warning
Client secrets shouldn't be used as client credentials for agent identity blueprints in production environments. Use a federated identity credential (FIC) backed by a managed identity, or a client certificate, instead. Both avoid storing a long-lived secret in your application configuration, which is the usual way such a secret leaks.
Request a token for the agent identity blueprint
When requesting the token for the agent identity blueprint, use the blueprint's client ID as client_id and pass the agent identity's client ID in the fmi_path parameter; this is what ties the resulting blueprint token to that particular agent identity. When using a client secret during local development, send the client_secret parameter instead of client_assertion and client_assertion_type. For certificates and managed identities, send client_assertion and client_assertion_type instead of client_secret. Note that the scope is the token-exchange scope (api://AzureADTokenExchange/.default), not the scope of the resource the agent ultimately needs.
POST https://login.microsoftonline.com/<my-test-tenant>/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id=<agent-blueprint-client-id>
&scope=api://AzureADTokenExchange/.default
&grant_type=client_credentials
&client_secret=<client-secret>
&fmi_path=<agent-identity-client-id>
Request an agent identity token
Once you have the agent identity blueprint token (T1), present it as the client assertion in a second client credentials request, this time using the agent identity's client ID as client_id. The scope is now the resource the agent needs to call; Microsoft Graph is used in the example below, but substitute the scope of your own resource. The response is the agent identity token (T2) that the agent uses as a bearer token against that resource.
POST https://login.microsoftonline.com/<my-test-tenant>/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id=<agent-identity-client-id>
&scope=https://graph.microsoft.com/.default
&grant_type=client_credentials
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
&client_assertion=<agent-blueprint-token-T1>
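The following Python script is an added example showing both steps end to end; it is not sample code from the article or from Microsoft. The endpoint, parameter names, scopes and assertion type are those shown in the two requests above. Everything else is an assumption of the example: the claim names it inspects in T1 before reusing it (aud, azp/appid, exp), the fake_entra_post stand-in that mimics the token endpoint so the flow runs offline, and the way that stand-in binds a blueprint token to the fmi_path it was requested with. Replace post=fake_entra_post with the real post_form transport to run against your tenant.

```python
"""Two-step token acquisition for a Microsoft Entra agent identity (added example)."""
import base64
import json
import time
import urllib.parse
import urllib.request

# Values copied from the requests in the article.
TOKEN_EXCHANGE_SCOPE = "api://AzureADTokenExchange/.default"
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"  # assumed aud claim of T1
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def token_endpoint(tenant):
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def blueprint_request(blueprint_client_id, agent_client_id, *, client_secret=None, client_assertion=None):
    """Step 1 body. fmi_path names the agent identity the blueprint token is for.
    A client secret is for local development only; certificates and managed
    identities present a signed client_assertion instead."""
    if (client_secret is None) == (client_assertion is None):
        raise ValueError("provide exactly one of client_secret or client_assertion")
    body = {"client_id": blueprint_client_id, "scope": TOKEN_EXCHANGE_SCOPE,
            "grant_type": "client_credentials", "fmi_path": agent_client_id}
    if client_secret is not None:
        body["client_secret"] = client_secret
    else:
        body["client_assertion_type"] = JWT_BEARER
        body["client_assertion"] = client_assertion
    return body


def agent_request(agent_client_id, blueprint_token, resource_scope):
    """Step 2 body: T1 becomes the agent identity's client assertion."""
    return {"client_id": agent_client_id, "scope": resource_scope, "grant_type": "client_credentials",
            "client_assertion_type": JWT_BEARER, "client_assertion": blueprint_token}


def jwt_claims(token):
    """Decode a compact JWS payload WITHOUT verifying the signature. Used only to
    inspect a token we just received from the issuer over TLS; a resource server
    must still validate signature and claims properly."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))


def check_blueprint_token(token, blueprint_client_id, now=None):
    """Assumed sanity checks before T1 is sent back as an assertion: issued for the
    exchange audience, to our blueprint, and not yet expired."""
    claims = jwt_claims(token)
    now = int(time.time()) if now is None else now
    if claims.get("aud") != TOKEN_EXCHANGE_AUDIENCE:
        raise ValueError(f"unexpected aud {claims.get('aud')!r}")
    if (claims.get("azp") or claims.get("appid")) != blueprint_client_id:
        raise ValueError("T1 was not issued to this blueprint")
    if claims.get("exp", 0) <= now:
        raise ValueError("T1 has expired")
    return claims


def post_form(url, body):
    """Real transport: form-encoded POST, JSON response."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(body).encode(),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def acquire_agent_token(tenant, blueprint_client_id, agent_client_id, resource_scope, *,
                        client_secret=None, client_assertion=None, post=post_form):
    """Run both steps and return the agent identity's access token (T2)."""
    url = token_endpoint(tenant)
    r1 = post(url, blueprint_request(blueprint_client_id, agent_client_id,
                                     client_secret=client_secret, client_assertion=client_assertion))
    if "access_token" not in r1:
        raise RuntimeError(f"blueprint token request failed: {r1.get('error')}: {r1.get('error_description')}")
    check_blueprint_token(r1["access_token"], blueprint_client_id)
    r2 = post(url, agent_request(agent_client_id, r1["access_token"], resource_scope))
    if "access_token" not in r2:
        raise RuntimeError(f"agent token request failed: {r2.get('error')}: {r2.get('error_description')}")
    return r2["access_token"]


def _unsigned_jwt(claims):
    """Constructed alg=none token for the offline stand-in below (never use for real)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def fake_entra_post(url, body):
    """Constructed stand-in for the token endpoint so the flow runs offline. It
    enforces the shape of the two requests: step 1 needs fmi_path, step 2 needs a
    JWT-bearer assertion minted for the exchange audience and for that agent.
    Recording fmi_path in 'sub' is this stand-in's own binding, not Entra's."""
    now = int(time.time())
    if body["scope"] == TOKEN_EXCHANGE_SCOPE:
        if not body.get("fmi_path"):
            return {"error": "invalid_request", "error_description": "fmi_path is required"}
        claims = {"aud": TOKEN_EXCHANGE_AUDIENCE, "azp": body["client_id"], "sub": body["fmi_path"],
                  "iat": now, "exp": now + 600}
    else:
        if body.get("client_assertion_type") != JWT_BEARER:
            return {"error": "invalid_client", "error_description": "client_assertion required"}
        t1 = jwt_claims(body["client_assertion"])
        if t1.get("aud") != TOKEN_EXCHANGE_AUDIENCE or t1.get("sub") != body["client_id"]:
            return {"error": "invalid_client", "error_description": "assertion not issued for this agent identity"}
        claims = {"aud": body["scope"].rsplit("/.default", 1)[0], "azp": body["client_id"],
                  "iat": now, "exp": now + 3600}
    return {"token_type": "Bearer", "expires_in": claims["exp"] - now, "access_token": _unsigned_jwt(claims)}
```

The point of the transport parameter is that the two request bodies and the T1 checks can be exercised without a tenant; the stand-in also refuses a T1 requested with one agent's fmi_path when it is presented by a different agent identity's client_id, which is the cross-agent misuse the fmi_path binding exists to prevent.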