AgentIdentity.CreateAsManager
Allows the app to create linked agent identities without a signed-in user.
Permission Details
Create agent identities linked to itself.
Allows the app to create linked agent identities without a signed-in user.
4c390976-b2b7-42e0-9187-c6be3bead001
Properties
Properties are shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
| odata.type | String | microsoft.graph.agentIdentity. Distinguishes this object as an agent identity, rather than another kind of service principal. |
| accountEnabled | Boolean (nullable) | true if the agent identity account is enabled; otherwise, false. If set to false, no users can sign in to this app, even if they're assigned to it. Inherited from servicePrincipal. |
| agentIdentityBlueprintId | String | The appId of the agent identity blueprint that defines the configuration for this agent identity. |
| customSecurityAttributes | customSecurityAttributeValue | An open complex type that holds the value of a custom security attribute assigned to a directory object. Nullable. Returned only on $select. Inherited from servicePrincipal. |
| createdByAppId | String (nullable) | The appId of the application that created this agent identity. Set internally by Microsoft Entra ID. Read-only. Inherited from servicePrincipal. |
| createdDateTime | DateTimeOffset (nullable) | The date and time the agent identity was created. Read-only. Inherited from servicePrincipal. |
| disabledByMicrosoftStatus | String (nullable) | Specifies whether Microsoft has disabled the registered Agent Identity Blueprint. The possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). Inherited from servicePrincipal. |
| displayName | String (nullable) | The display name for the agent identity. Inherited from servicePrincipal. |
| id | String | The unique identifier for the agent identity. Inherited from directoryObject. Key. Not nullable. Read-only. Inherited from entity. |
| servicePrincipalType | String (nullable) | Set to ServiceIdentity for all agent identities. Inherited from servicePrincipal. |
| tags | String collection | Custom strings that can be used to categorize and identify the agent identity. Not nullable. The value is the union of the strings set here and on the associated Agent Identity Blueprint entity's tags property. Inherited from servicePrincipal. |
| addIns | addIn collection | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for their 'FileHandler' functionality. This lets services like Microsoft 365 call the application in the context of a document the user is working on. |
| alternativeNames | String collection | Used to retrieve service principals by subscription, and to identify the resource group and full resource IDs for managed identities. Supports $filter (eq, not, ge, le, startsWith). |
| appDescription | String (nullable) | The description exposed by the associated application. |
| appDisplayName | String (nullable) | The display name exposed by the associated application. Maximum length is 256 characters. |

Showing 15 of 67 properties.
JSON Representation
The JSON representation is shown from stable Microsoft Graph v1.0 metadata.

```json
{
  "@odata.type": "#microsoft.graph.agentIdentity",
  "id": "String (identifier)",
  "accountEnabled": "Boolean",
  "agentIdentityBlueprintId": "String",
  "createdByAppId": "String",
  "createdDateTime": "String (timestamp)",
  "disabledByMicrosoftStatus": "String",
  "displayName": "String",
  "servicePrincipalType": "String",
  "tags": [
    "String"
  ]
}
```
Relationships
Relationships are shown from stable Microsoft Graph v1.0 metadata.
| Relationship | Type | Description |
|---|---|---|
| appRoleAssignedTo | appRoleAssignment collection | App role assignments for this app or service, granted to users, groups, and other agent identities. Supports $expand. Inherited from microsoft.graph.servicePrincipal. |
| appRoleAssignments | appRoleAssignment collection | App role assignments for another app or service, granted to this agent identity. Supports $expand. Inherited from microsoft.graph.servicePrincipal. |
| createdObjects | directoryObject collection | Directory objects created by this agent identity. Read-only. Nullable. Inherited from microsoft.graph.servicePrincipal. |
| memberOf | directoryObject collection | Roles that this agent identity is a member of. HTTP methods: GET. Read-only. Nullable. Supports $expand. Inherited from microsoft.graph.servicePrincipal. |
| oauth2PermissionGrants | oAuth2PermissionGrant collection | Delegated permission grants authorizing this agent identity to access an API on behalf of a signed-in user. Read-only. Nullable. Inherited from microsoft.graph.servicePrincipal. |
| ownedObjects | directoryObject collection | Directory objects that are owned by this agent identity. Read-only. Nullable. Supports $expand and $filter (/$count eq 0, /$count ne 0, /$count eq 1, /$count ne 1). Inherited from microsoft.graph.servicePrincipal. |
| owners | directoryObject collection | Directory objects that are owners of this agent identity. The owners are a set of nonadmin users or agent identities who are allowed to modify this object. Supports $expand and $filter (/$count eq 0, /$count ne 0, /$count eq 1, /$count ne 1). Inherited from microsoft.graph.servicePrincipal. |
| sponsors | directoryObject collection | The sponsors for this agent identity. |
| addIns | addIn collection | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for their 'FileHandler' functionality. This lets services like Microsoft 365 call the application in the context of a document the user is working on. |
| alternativeNames | String collection | Used to retrieve service principals by subscription, and to identify the resource group and full resource IDs for managed identities. Supports $filter (eq, not, ge, le, startsWith). |
| appManagementPolicies | appManagementPolicy collection | The appManagementPolicy applied to this service principal. |
| appOwnerOrganizationId | uuid | Contains the tenant ID where the application is registered. Applicable only to service principals backed by applications. Supports $filter (eq, ne, NOT, ge, le). |
| appRoles | appRole collection | The roles exposed by the application that this service principal represents. For more information, see the appRoles property definition on the application entity. Not nullable. |
| claimsMappingPolicies | claimsMappingPolicy collection | The claimsMappingPolicies assigned to this service principal. Supports $expand. |
| delegatedPermissionClassifications | delegatedPermissionClassification collection | The permission classifications for delegated permissions exposed by the app that this service principal represents. Supports $expand. |
| endpoints | endpoint collection | Endpoints available for discovery. Services like SharePoint populate this property with tenant-specific SharePoint endpoints that other applications can discover and use in their experiences. |
| federatedIdentityCredentials | federatedIdentityCredential collection | Related federatedIdentityCredentials data exposed by this resource. |
| homeRealmDiscoveryPolicies | homeRealmDiscoveryPolicy collection | The homeRealmDiscoveryPolicies assigned to this service principal. Supports $expand. |
| keyCredentials | keyCredential collection | The collection of key credentials associated with the service principal. Not nullable. Supports $filter (eq, not, ge, le). |
| licenseDetails | licenseDetails collection | Related licenseDetails data exposed by this resource. |
| notificationEmailAddresses | String collection | Specifies the list of email addresses where Microsoft Entra ID sends a notification when the active certificate is near its expiration date. This applies only to the certificates used to sign the SAML token issued for Microsoft Entra Gallery applications. |

Graph Methods
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Code Examples

C#

```csharp
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph;        // GraphServiceClient
using Microsoft.Graph.Models;

// Request body: a service principal for the application with this appId.
var requestBody = new ServicePrincipal
{
    AppId = "65415bb1-9267-4313-bbf5-ae259732ee12",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals.PostAsync(requestBody);
```

JavaScript

```javascript
// Dependencies
import { Client } from '@microsoft/microsoft-graph-client';

// authProvider must be an initialized authentication provider; see
// https://learn.microsoft.com/en-us/graph/sdks/create-client
const options = {
    authProvider,
};
const client = Client.init(options);

// Directory object to add as an owner of the agent identity, referenced by object id.
const directoryObject = {
    '@odata.id': 'https://graph.microsoft.com/v1.0/directoryObjects/1511d5e7-c324-4362-ad4b-16c20076e5aa'
};

// {id} is the object id of the agent identity (a servicePrincipal cast to microsoft.graph.agentIdentity).
await client.api('/servicePrincipals/{id}/microsoft.graph.agentIdentity/owners/$ref')
    .post(directoryObject);
```

PowerShell

```powershell
Import-Module Microsoft.Graph.Applications

# Request body: a service principal for the application with this appId.
$params = @{
    appId = "65415bb1-9267-4313-bbf5-ae259732ee12"
}

New-MgServicePrincipal -BodyParameter $params
```

Python

```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.service_principal import ServicePrincipal

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ServicePrincipal(
    app_id = "65415bb1-9267-4313-bbf5-ae259732ee12",
)

result = await graph_client.service_principals.post(request_body)
```
App Registration

1. Navigate to Azure Portal: go to App registrations in the Microsoft Entra admin center.
2. Add API Permission: select your app → API permissions → Add a permission → Microsoft Graph.
3. Select Permission Type: choose Application permissions and search for AgentIdentity.CreateAsManager.
4. Grant Admin Consent: application permissions always require admin consent.
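Because this is an application permission that works without a signed-in user, a tenant admin will want to know which service principals have actually been granted it. The following audit script is an added example, not part of the original page or the Graph SDK samples; it uses the permission ID listed on this page, Microsoft Graph's well-known resource appId, and assumes the signed-in account holds at least Application.Read.All.

```powershell
# Added example: list every service principal that holds the AgentIdentity.CreateAsManager
# application permission. Assumes the Microsoft Graph PowerShell SDK is installed and the
# signed-in account can read application data (Application.Read.All is assumed sufficient).
Import-Module Microsoft.Graph.Applications

# App role (permission) ID of AgentIdentity.CreateAsManager, as listed on this page.
$permissionId = '4c390976-b2b7-42e0-9187-c6be3bead001'
# Well-known appId of the Microsoft Graph resource service principal.
$graphAppId = '00000003-0000-0000-c000-000000000000'

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Resolve the Microsoft Graph service principal in this tenant. Its appRoleAssignedTo
# relationship lists every principal that has been granted one of its app roles
# (application permissions), which is exactly the admin-consent record we want to review.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

$holders = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $_.AppRoleId -eq $permissionId }

if (-not $holders) {
    Write-Output 'No service principal currently holds AgentIdentity.CreateAsManager.'
    return
}

# Every principal below can create agent identities linked to itself with no user present,
# so each entry deserves an owner, a justification, and periodic review.
$holders |
    Select-Object PrincipalDisplayName, PrincipalId, PrincipalType, CreatedDateTime |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize
```

Run it periodically and diff the output against the previous run; a new row is a new application that can mint agent identities unattended.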