AgentIdentity.CreateAsManager
Allows the app to create linked agent identities without a signed-in user.
Permission Details
Create agent identities linked to itself.
Allows the app to create linked agent identities without a signed-in user.
Permission type: Application (admin consent required; see App Registration below).
Permission ID: 4c390976-b2b7-42e0-9187-c6be3bead001
Properties
Properties are shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
| odata.type | String | microsoft.graph.agentIdentity. Distinguishes this object as an agent identity rather than another kind of service principal. |
| accountEnabled | Boolean, nullable | true if the agent identity account is enabled; otherwise, false. If set to false, no users are able to sign in to this app, even if they're assigned to it. Inherited from servicePrincipal. |
| agentIdentityBlueprintId | String | The appId of the agent identity blueprint that defines the configuration for this agent identity. |
| customSecurityAttributes | customSecurityAttributeValue | An open complex type that holds the value of a custom security attribute assigned to a directory object. Nullable. Requires $select to retrieve. Inherited from servicePrincipal. |
| createdByAppId | String, nullable | The appId of the application that created this agent identity. Set internally by Microsoft Entra ID. Read-only. Inherited from servicePrincipal. |
| createdDateTime | DateTimeOffset, nullable | The date and time the agent identity was created. Read-only. Inherited from servicePrincipal. |
| disabledByMicrosoftStatus | String, nullable | Specifies whether Microsoft has disabled the registered Agent Identity Blueprint. The possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). Inherited from servicePrincipal. |
| displayName | String, nullable | The display name for the agent identity. Inherited from servicePrincipal. |
| id | String | The unique identifier for the agent identity. Key. Not nullable. Read-only. Inherited from directoryObject (ultimately from entity). |
| servicePrincipalType | String, nullable | Set to ServiceIdentity for all agent identities. Inherited from servicePrincipal. |
| tags | String collection | Custom strings that can be used to categorize and identify the agent identity. Not nullable. The value is the union of strings set here and on the associated Agent Identity Blueprint entity's tags property. Inherited from servicePrincipal. |
| addIns | addIn collection | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for their 'FileHandler' functionality. This lets services like Microsoft 365 call the application in the context of a document the user is working on. |
| alternativeNames | String collection | Used to retrieve service principals by subscription, and to identify resource group and full resource IDs for managed identities. Supports $filter (eq, not, ge, le, startsWith). |
| appDescription | String, nullable | The description exposed by the associated application. |
| appDisplayName | String, nullable | The display name exposed by the associated application. Maximum length is 256 characters. |
Showing 15 of 60 properties.
JSON Representation
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
{
  "@odata.type": "#microsoft.graph.agentIdentity",
  "id": "String (identifier)",
  "accountEnabled": "Boolean",
  "agentIdentityBlueprintId": "String",
  "createdByAppId": "String",
  "createdDateTime": "String (timestamp)",
  "disabledByMicrosoftStatus": "String",
  "displayName": "String",
  "servicePrincipalType": "String",
  "tags": ["String"]
}
Relationships
Relationships are shown from stable Microsoft Graph v1.0 metadata.
| Relationship | Type | Description |
|---|---|---|
| appRoleAssignedTo | appRoleAssignment collection | App role assignments for this app or service, granted to users, groups, and other agent identities. Supports $expand. Inherited from microsoft.graph.servicePrincipal. |
| appRoleAssignments | appRoleAssignment collection | App role assignments for another app or service, granted to this agent identity. Supports $expand. Inherited from microsoft.graph.servicePrincipal. |
| createdObjects | directoryObject collection | Directory objects created by this agent identity. Read-only. Nullable. Inherited from microsoft.graph.servicePrincipal. |
| memberOf | directoryObject collection | Roles that this agent identity is a member of. HTTP methods: GET. Read-only. Nullable. Supports $expand. Inherited from microsoft.graph.servicePrincipal. |
| oauth2PermissionGrants | oAuth2PermissionGrant collection | Delegated permission grants authorizing this agent identity to access an API on behalf of a signed-in user. Read-only. Nullable. Inherited from microsoft.graph.servicePrincipal. |
| ownedObjects | directoryObject collection | Directory objects that are owned by this agent identity. Read-only. Nullable. Supports $expand and $filter (/$count eq 0, /$count ne 0, /$count eq 1, /$count ne 1). Inherited from microsoft.graph.servicePrincipal. |
| owners | directoryObject collection | Directory objects that are owners of this agent identity. The owners are a set of nonadmin users or agent identities who are allowed to modify this object. Supports $expand and $filter (/$count eq 0, /$count ne 0, /$count eq 1, /$count ne 1). Inherited from microsoft.graph.servicePrincipal. |
| sponsors | directoryObject collection | The sponsors for this agent identity. |
| addIns | addIn collection | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for their 'FileHandler' functionality. This lets services like Microsoft 365 call the application in the context of a document the user is working on. |
| alternativeNames | string collection | Used to retrieve service principals by subscription, and to identify resource group and full resource IDs for managed identities. Supports $filter (eq, not, ge, le, startsWith). |
| appManagementPolicies | appManagementPolicy collection | The appManagementPolicy applied to this application. |
| appOwnerOrganizationId | uuid | Contains the tenant ID where the application is registered. Applicable only to service principals backed by applications. Supports $filter (eq, ne, NOT, ge, le). |
| appRoles | appRole collection | The roles exposed by the application that's linked to this service principal. For more information, see the appRoles property definition on the application entity. Not nullable. |
| claimsMappingPolicies | claimsMappingPolicy collection | The claimsMappingPolicies assigned to this service principal. Supports $expand. |
| delegatedPermissionClassifications | delegatedPermissionClassification collection | Related delegatedPermissionClassifications data exposed by this resource. |
| endpoints | endpoint collection | Related endpoints data exposed by this resource. |
| federatedIdentityCredentials | federatedIdentityCredential collection | Federated identities for a specific type of service principal: managed identity. Supports $expand and $filter (/$count eq 0, /$count ne 0). |
| homeRealmDiscoveryPolicies | homeRealmDiscoveryPolicy collection | The homeRealmDiscoveryPolicies assigned to this service principal. Supports $expand. |
| keyCredentials | keyCredential collection | The collection of key credentials associated with the service principal. Not nullable. Supports $filter (eq, not, ge, le). |
| notificationEmailAddresses | string collection | Specifies the list of email addresses where Microsoft Entra ID sends a notification when the active certificate is near its expiration date. This applies only to the certificates used to sign the SAML token issued for Microsoft Entra Gallery applications. |
| oauth2PermissionScopes | permissionScope collection | The delegated permissions exposed by the application. For more information, see the oauth2PermissionScopes property on the application entity's api property. Not nullable. |
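The properties and relationships above are what an inventory of agent identities has to work from: the @odata.type tells them apart from ordinary service principals, disabledByMicrosoftStatus and accountEnabled say whether the object is live, and owners says who short of an administrator can change it. The following script is an added example written for this page, not Microsoft's code. It walks every page of /servicePrincipals with owners expanded (following @odata.nextLink), keeps the agent identities, and reports the conditions a reviewer would flag. The tenant, client and secret values are placeholders, the reading app is assumed to hold Application.Read.All (an application permission, so the token is requested for the .default scope), and SAMPLE_PAGES is a constructed, abridged imitation of two response pages so the audit logic runs offline.

```python
"""Inventory agent identities in a tenant and flag the ones worth a second look.

Added example for this reference page, not Microsoft's code. SAMPLE_PAGES is
constructed data shaped like GET /servicePrincipals?$expand=owners output.
"""
from __future__ import annotations

import json
import urllib.parse
import urllib.request
from typing import Iterable, Iterator

GRAPH = "https://graph.microsoft.com/v1.0"
AGENT_IDENTITY_TYPE = "#microsoft.graph.agentIdentity"

# Constructed sample, not captured from a tenant: one ordinary service principal,
# one healthy agent identity, and (on the second page) one that is disabled and ownerless.
SAMPLE_PAGES = [
    {
        "value": [
            {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-1",
             "displayName": "ordinary app", "owners": []},
            {"@odata.type": AGENT_IDENTITY_TYPE, "id": "ai-1",
             "displayName": "invoice-agent", "accountEnabled": True,
             "agentIdentityBlueprintId": "bp-app-id-1", "createdByAppId": "creator-app-id",
             "disabledByMicrosoftStatus": None, "servicePrincipalType": "ServiceIdentity",
             "owners": [{"id": "user-1"}]},
        ],
        "@odata.nextLink": f"{GRAPH}/servicePrincipals?$skiptoken=constructed",
    },
    {
        "value": [
            {"@odata.type": AGENT_IDENTITY_TYPE, "id": "ai-2",
             "displayName": "orphaned-agent", "accountEnabled": False,
             "agentIdentityBlueprintId": "bp-app-id-1", "createdByAppId": "creator-app-id",
             "disabledByMicrosoftStatus": "DisabledDueToViolationOfServicesAgreement",
             "servicePrincipalType": "ServiceIdentity", "owners": []},
        ],
    },
]


def acquire_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials token; application permissions are requested via the .default scope."""
    from azure.identity import ClientSecretCredential  # pip install azure-identity
    cred = ClientSecretCredential(tenant_id, client_id, client_secret)
    return cred.get_token("https://graph.microsoft.com/.default").token


def fetch_pages(token: str) -> Iterator[dict]:
    """Yield every page of /servicePrincipals with owners expanded, following @odata.nextLink."""
    query = urllib.parse.urlencode({"$expand": "owners($select=id)", "$top": "999"})
    url: str | None = f"{GRAPH}/servicePrincipals?{query}"
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        yield page
        url = page.get("@odata.nextLink")


def agent_identities(pages: Iterable[dict]) -> list[dict]:
    """Keep only the objects whose @odata.type marks them as agent identities."""
    return [sp for page in pages for sp in page.get("value", [])
            if sp.get("@odata.type") == AGENT_IDENTITY_TYPE]


def audit(ai: dict) -> list[str]:
    """Findings for one agent identity; an empty list means nothing to report."""
    findings: list[str] = []
    status = ai.get("disabledByMicrosoftStatus")
    if status not in (None, "NotDisabled"):
        findings.append(f"disabled by Microsoft: {status}")
    if ai.get("accountEnabled") is False:
        findings.append("accountEnabled is false")
    if not ai.get("owners"):
        findings.append("no owners")
    if ai.get("servicePrincipalType") != "ServiceIdentity":
        findings.append(f"unexpected servicePrincipalType: {ai.get('servicePrincipalType')!r}")
    if not ai.get("agentIdentityBlueprintId"):
        findings.append("no agentIdentityBlueprintId")
    return findings


def audit_tenant(pages: Iterable[dict]) -> list[dict]:
    """Summarise every agent identity found in the supplied pages."""
    return [
        {"id": ai.get("id"), "displayName": ai.get("displayName"),
         "blueprint": ai.get("agentIdentityBlueprintId"),
         "createdByAppId": ai.get("createdByAppId"), "findings": audit(ai)}
        for ai in agent_identities(pages)
    ]


if __name__ == "__main__":
    # Offline run over the constructed sample. Against a tenant, replace SAMPLE_PAGES with
    # fetch_pages(acquire_token("YOUR_TENANT_ID", "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET")).
    for row in audit_tenant(SAMPLE_PAGES):
        print(json.dumps(row))
```

The filter on @odata.type is done client-side because that is the one discriminator the page guarantees; the createdByAppId and agentIdentityBlueprintId columns are carried through so a reviewer can see which application minted each identity and from which blueprint.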
Graph Methods
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Microsoft Graph PowerShell v1.0 commands are not available from refreshed Microsoft Learn PowerShell snippets for this permission; no deterministic PowerShell command map is available.
Microsoft Graph PowerShell beta commands are not available from refreshed Microsoft Learn PowerShell snippets for this permission; no deterministic PowerShell command map is available.
Code Examples
C#
using Azure.Identity;
using Microsoft.Graph;

// AgentIdentity.CreateAsManager is an application permission, so the app
// authenticates as itself (client credentials) and requests the ".default"
// scope. Application permissions cannot be requested by name as delegated
// scopes through an interactive sign-in; that request would fail.
var scopes = new[] { "https://graph.microsoft.com/.default" };
var credential = new ClientSecretCredential(
    "YOUR_TENANT_ID",
    "YOUR_CLIENT_ID",
    "YOUR_CLIENT_SECRET");
var graphClient = new GraphServiceClient(credential, scopes);

// Read one agent identity through the servicePrincipal item request builder,
// keeping the microsoft.graph.agentIdentity cast segment from the reference URL.
var agentIdentity = await graphClient.ServicePrincipals["{id}"]
    .WithUrl("https://graph.microsoft.com/v1.0/servicePrincipals/{id}/microsoft.graph.agentIdentity")
    .GetAsync();
Console.WriteLine($"{agentIdentity?.DisplayName} ({agentIdentity?.Id})");
JavaScript
import { ClientSecretCredential } from '@azure/identity';
import { Client } from '@microsoft/microsoft-graph-client';
import { TokenCredentialAuthenticationProvider } from '@microsoft/microsoft-graph-client/authProviders/azureTokenCredentials';

// Application permission: client-credentials flow with the ".default" scope.
const credential = new ClientSecretCredential('YOUR_TENANT_ID', 'YOUR_CLIENT_ID', 'YOUR_CLIENT_SECRET');
const authProvider = new TokenCredentialAuthenticationProvider(credential, {
  scopes: ['https://graph.microsoft.com/.default'],
});
const client = Client.initWithMiddleware({ authProvider });

// Add an owner to the agent identity by reference. Owners are allowed to
// modify the object, so this is an access grant, not bookkeeping.
const directoryObject = {
  '@odata.id': 'https://graph.microsoft.com/v1.0/directoryObjects/1511d5e7-c324-4362-ad4b-16c20076e5aa'
};
await client.api('/servicePrincipals/{id}/microsoft.graph.agentIdentity/owners/$ref')
  .post(directoryObject);
PowerShell
# Application permission: connect as the app (client credentials), not as a signed-in user.
$clientSecret = Read-Host -Prompt "Client secret" -AsSecureString   # or load it from a vault
$appCredential = [pscredential]::new("YOUR_CLIENT_ID", $clientSecret)
Connect-MgGraph -TenantId "YOUR_TENANT_ID" -ClientSecretCredential $appCredential -NoWelcome
Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/{id}/microsoft.graph.agentIdentity"
Python
from azure.identity import ClientSecretCredential
import requests

# Application permission: client-credentials flow with the ".default" scope.
# Requesting "AgentIdentity.CreateAsManager" by name only works for delegated scopes.
credential = ClientSecretCredential(
    tenant_id="YOUR_TENANT_ID",
    client_id="YOUR_CLIENT_ID",
    client_secret="YOUR_CLIENT_SECRET",
)
token = credential.get_token("https://graph.microsoft.com/.default")
response = requests.get(
    "https://graph.microsoft.com/v1.0/servicePrincipals/{id}/microsoft.graph.agentIdentity",
    headers={"Authorization": f"Bearer {token.token}"},
    timeout=30,
)
response.raise_for_status()
print(response.json())
App Registration
Navigate to the portal: go to App registrations in the Microsoft Entra admin center.
Add an API permission: select your app → API permissions → Add a permission → Microsoft Graph.
Select the permission type: choose Application permissions and search for AgentIdentity.CreateAsManager.
Grant admin consent: application permissions always require admin consent. Until an administrator consents, a token requested by the app for https://graph.microsoft.com/.default does not carry the corresponding role, and calls that need it are rejected.
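The portal steps above have a Graph equivalent that is easier to audit and repeat: admin consent for one application permission is an appRoleAssignment on the client app's service principal that points at the app role the Microsoft Graph service principal exposes. The script below is an added example written for this page, not Microsoft's code. It looks up the Graph service principal by its well-known appId, resolves the app role whose value is AgentIdentity.CreateAsManager, refuses to proceed unless that role's allowedMemberTypes includes Application (the check that separates an application permission from a delegated one), and posts the assignment. The caller is assumed to be an administrator signing in interactively with the delegated AppRoleAssignment.ReadWrite.All scope; the tenant, client and service-principal ids are placeholders, and SAMPLE_GRAPH_SP is a constructed, abridged copy of a resource service principal document used to exercise the resolver offline.

```python
"""Grant AgentIdentity.CreateAsManager to an app's service principal through Graph.

Added example for this reference page, not Microsoft's code. SAMPLE_GRAPH_SP is
constructed data shaped like GET /servicePrincipals?$select=id,appRoles output.
"""
from __future__ import annotations

import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
GRAPH_API_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known appId
PERMISSION = "AgentIdentity.CreateAsManager"

# Constructed sample: the only two fields the resolver needs. The first role id is
# the one listed on this page; the second is a placeholder delegated-style role.
SAMPLE_GRAPH_SP = {
    "id": "11111111-2222-3333-4444-555555555555",  # placeholder object id of the Graph SP
    "appRoles": [
        {"id": "4c390976-b2b7-42e0-9187-c6be3bead001", "value": "AgentIdentity.CreateAsManager",
         "allowedMemberTypes": ["Application"], "isEnabled": True},
        {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "Example.UserOnly",
         "allowedMemberTypes": ["User"], "isEnabled": True},
    ],
}


def is_application_permission(role: dict) -> bool:
    """True when the app role can be assigned to an application (not just a user)."""
    return "Application" in role.get("allowedMemberTypes", [])


def find_application_role(resource_sp: dict, value: str) -> dict:
    """Resolve an app role by value and insist that it is an enabled application permission."""
    for role in resource_sp.get("appRoles", []):
        if role.get("value") != value:
            continue
        if not is_application_permission(role):
            raise ValueError(f"{value} is not an application permission")
        if not role.get("isEnabled", True):
            raise ValueError(f"{value} is disabled on the resource")
        return role
    raise KeyError(f"{value} is not exposed by resource {resource_sp.get('id')}")


def assignment_body(client_sp_id: str, resource_sp_id: str, role_id: str) -> dict:
    """Body for POST /servicePrincipals/{client_sp_id}/appRoleAssignments."""
    return {"principalId": client_sp_id, "resourceId": resource_sp_id, "appRoleId": role_id}


def already_granted(assignments: list[dict], role_id: str) -> bool:
    """True when an existing appRoleAssignment already carries this role id."""
    return any(a.get("appRoleId") == role_id for a in assignments)


def _call(token: str, method: str, url: str, body: dict | None = None) -> dict:
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def grant(token: str, client_sp_id: str) -> dict:
    """Create the assignment (idempotently) and return the Graph response or the existing grant."""
    query = urllib.parse.urlencode({"$filter": f"appId eq '{GRAPH_API_APP_ID}'", "$select": "id,appRoles"})
    graph_sp = _call(token, "GET", f"{GRAPH}/servicePrincipals?{query}")["value"][0]
    role = find_application_role(graph_sp, PERMISSION)
    existing = _call(token, "GET", f"{GRAPH}/servicePrincipals/{client_sp_id}/appRoleAssignments")["value"]
    if already_granted(existing, role["id"]):
        return {"status": "already granted", "appRoleId": role["id"]}
    body = assignment_body(client_sp_id, graph_sp["id"], role["id"])
    return _call(token, "POST", f"{GRAPH}/servicePrincipals/{client_sp_id}/appRoleAssignments", body)


if __name__ == "__main__":
    # Run as an administrator, not as the app being consented (see the note below).
    from azure.identity import InteractiveBrowserCredential  # pip install azure-identity
    admin = InteractiveBrowserCredential(tenant_id="YOUR_TENANT_ID", client_id="YOUR_ADMIN_TOOL_CLIENT_ID")
    tok = admin.get_token("https://graph.microsoft.com/AppRoleAssignment.ReadWrite.All").token
    print(json.dumps(grant(tok, "YOUR_APP_SERVICE_PRINCIPAL_OBJECT_ID"), indent=2))
```

Run this with an administrator's delegated token, never with the client credentials of the app being consented: a principal that can write its own appRoleAssignments can grant itself any Graph application permission, so AppRoleAssignment.ReadWrite.All on the consented app would make the consent step meaningless.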