Add-EntraBetaScopeToAgentIdentityBlueprint
Adds an OAuth2 permission scope to the current Agent Identity Blueprint.
Syntax
Default (Default)
Add-EntraBetaScopeToAgentIdentityBlueprint
[-AgentBlueprintId <String>]
[-AdminConsentDescription <String>]
[-AdminConsentDisplayName <String>]
[-Value <String>]
[<CommonParameters>]
Description
The Add-EntraBetaScopeToAgentIdentityBlueprint cmdlet adds a custom OAuth2 permission scope to the Agent Identity Blueprint, allowing applications to request specific permissions when accessing the agent. If -AgentBlueprintId is not specified, the cmdlet uses the AgentBlueprintId stored by the last New-EntraBetaAgentIdentityBlueprint call.
Examples
Example 1: Add scope with prompts
Connect-Entra -Scopes 'AgentIdentityBlueprint.ReadWrite.All'
New-EntraBetaAgentIdentityBlueprint -DisplayName "My Blueprint" -SponsorUserIds @("user1@contoso.com")
Add-EntraBetaScopeToAgentIdentityBlueprint
This example adds an OAuth2 permission scope to the Agent Identity Blueprint. The cmdlet will prompt for scope details.
Example 2: Add scope with all parameters
Connect-Entra -Scopes 'AgentIdentityBlueprint.ReadWrite.All'
Add-EntraBetaScopeToAgentIdentityBlueprint -AdminConsentDescription "Allow agent access" -AdminConsentDisplayName "Agent Access" -Value "agent_access"
This example adds an OAuth2 permission scope with specified parameters to the current Agent Identity Blueprint.
Example 3: Add scope with specific blueprint ID
Connect-Entra -Scopes 'AgentIdentityBlueprint.ReadWrite.All'
Add-EntraBetaScopeToAgentIdentityBlueprint -AgentBlueprintId "12345678-1234-1234-1234-123456789012" -AdminConsentDescription "Custom agent permission" -AdminConsentDisplayName "Custom Access" -Value "custom.access"
This example adds an OAuth2 permission scope to a specific Agent Identity Blueprint by providing the blueprint ID.
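The following is an added example, not part of the original cmdlet documentation or the Microsoft Entra PowerShell module. It wraps the cmdlet so that unattended runs never fall back to interactive prompts or to the blueprint ID stored in the session, and so that malformed input is rejected before the call is made. The function name Add-AgentBlueprintScopeStrict and the scope naming pattern are assumptions of this example, and an existing Connect-Entra session is assumed.

```powershell
# Added example: hypothetical wrapper, not part of the Microsoft Entra PowerShell module.
# Assumes Connect-Entra has already been run as in the examples above.
function Add-AgentBlueprintScopeStrict {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Always explicit, so the ID stored by an earlier
        # New-EntraBetaAgentIdentityBlueprint call is never used by accident.
        [Parameter(Mandatory = $true)]
        [string] $AgentBlueprintId,

        # All three scope fields are mandatory here, so the cmdlet has nothing to prompt for.
        [Parameter(Mandatory = $true)]
        [string] $Value,

        [Parameter(Mandatory = $true)]
        [string] $AdminConsentDisplayName,

        [Parameter(Mandatory = $true)]
        [string] $AdminConsentDescription
    )

    # Reject anything that is not a well-formed GUID before calling the service.
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($AgentBlueprintId, [ref] $parsed)) {
        throw "AgentBlueprintId '$AgentBlueprintId' is not a GUID."
    }

    # Local naming policy (an assumption of this example, possibly stricter than the service):
    # starts with a letter, then letters, digits, '.', '_' or '-', at most 120 characters.
    if ($Value -cnotmatch '^[A-Za-z][A-Za-z0-9._-]{0,119}$') {
        throw "Scope value '$Value' does not match the local naming policy."
    }

    # -WhatIf / -Confirm are handled by this wrapper, not by the underlying cmdlet.
    if ($PSCmdlet.ShouldProcess($parsed.ToString(), "Add scope '$Value'")) {
        Add-EntraBetaScopeToAgentIdentityBlueprint `
            -AgentBlueprintId $parsed.ToString() `
            -Value $Value `
            -AdminConsentDisplayName $AdminConsentDisplayName `
            -AdminConsentDescription $AdminConsentDescription `
            -ErrorAction Stop
    }
}

# Dry run with the values from Example 3; remove -WhatIf to apply the change.
Add-AgentBlueprintScopeStrict -AgentBlueprintId '12345678-1234-1234-1234-123456789012' `
    -Value 'custom.access' -AdminConsentDisplayName 'Custom Access' `
    -AdminConsentDescription 'Custom agent permission' -WhatIf
```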
Parameters
-AdminConsentDescription
The description that appears in admin consent experiences. If not provided, the cmdlet prompts for input. Default: "Allow the agent to act on behalf of the signed-in user".
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-AdminConsentDisplayName
The display name that appears in admin consent experiences. If not provided, the cmdlet prompts for input. Default: "Access agent on behalf of user".
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-AgentBlueprintId
The ID of the Agent Identity Blueprint to add the scope to. If not provided, the cmdlet uses the stored ID from the last blueprint creation.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-Value
The value of the permission scope (used in token claims). If not provided, the cmdlet prompts for input. Default: "access_agent_as_user".
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Inputs
None
Outputs
System.Object
Returns the updated scope configuration.
Notes
This cmdlet requires the following Microsoft Graph permission:
- Application.ReadWrite.All
The scope is created with type "User" and is enabled by default.