ESC
Type to search...
Navigate Open ESC Close

AgentIdentity.EnableDisable.All

Export JSON
Export CSV
Copy URL
Print
ApplicationDelegated Read All Resources

Allows the app to enable or disable agent identities without a signed-in user.

Permission data: April 6, 2026 at 4:06 AM UTC
Delegated Access App-Only Access

Permission Details

Application Permission

Enable or disable agent identities

Allows the app to enable or disable agent identities without a signed-in user.

Permission ID: 69ee0943-4fa4-4ec8-8e52-d12e4ea661a3
Delegated Permission Admin consent required

Enable or disable agent identities

Allows the client to enable or disable agent identities.

User sees: Allows the client to enable or disable agent identities.
Permission ID: a501206a-e364-4a3f-be6e-765806d0e323

Properties

Microsoft Graph v1.0 exact-category-docs

Properties is shown from stable Microsoft Graph v1.0 metadata.

Property Type Description
odata.type String microsoft.graph.agentIdentity. Distinguishes this object as an agent identity. Can be used to identify this object as an agent identity, instead of another kind of service principal.
accountEnabled BooleanNullable true if the agent identity account is enabled; otherwise, false. If set to false, then no users are able to sign in to this app, even if they're assigned to it. Inherited from servicePrincipal.
agentIdentityBlueprintId String The appId of the agent identity blueprint that defines the configuration for this agent identity.
customSecurityAttributes customSecurityAttributeValue An open complex type that holds the value of a custom security attribute that is assigned to a directory object. Nullable. Returned only on $select. Inherited from servicePrincipal.
createdByAppId StringNullable The appId of the application that created this agent identity. Set internally by Microsoft Entra ID. Read-only. Inherited from servicePrincipal.
createdDateTime DateTimeOffsetNullable The date and time the agent identity was created. Read-only. Inherited from servicePrincipal.
disabledByMicrosoftStatus StringNullable Specifies whether Microsoft has disabled the registered Agent Identity Blueprint. The possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). Inherited from servicePrincipal.
displayName StringNullable The display name for the agent identity. Inherited from servicePrincipal.
id String The unique identifier for the agent identity. Inherited from directoryObject. Key. Not nullable. Read-only. Inherited from entity.
servicePrincipalType StringNullable Set to ServiceIdentity for all agent identities. Inherited from servicePrincipal.
tags String collection Custom strings that can be used to categorize and identify the agent identity. Not nullable. The value is the union of strings set here and on the associated Agent Identity Blueprint entity's tags property. Inherited from servicePrincipal.
addIns addIn collection Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its 'FileHandler' functionality. This lets services like Microsoft 365 call the application in the context of a document the user is working on.
alternativeNames string collection Used to retrieve service principals by subscription, identify resource group and full resource IDs for managed identities. Supports $filter (eq, not, ge, le, startsWith).
appDescription stringNullable The description exposed by the associated application.
appDisplayName stringNullable The display name exposed by the associated application. Maximum length is 256 characters.

Showing 15 of 67 properties.

JSON Representation

Microsoft Graph v1.0 exact-category-docs

JSON representation is shown from stable Microsoft Graph v1.0 metadata.

JSON representation 
{
  "@odata.type": "#microsoft.graph.agentIdentity",
  "id": "String (identifier)",
  "accountEnabled": "Boolean",
  "agentIdentityBlueprintId": "String",
  "createdByAppId": "String",
  "createdDateTime": "String (timestamp)",
  "disabledByMicrosoftStatus": "String",
  "displayName": "String",
  "servicePrincipalType": "String",
  "tags": [
    "String"
  ]
}

Relationships

Microsoft Graph v1.0 exact-category-docs

Relationships is shown from stable Microsoft Graph v1.0 metadata.

Relationship Type Description
appRoleAssignedTo appRoleAssignment collection App role assignments for this app or service, granted to users, groups, and other agent identities. Supports $expand. Inherited from microsoft.graph.servicePrincipal
appRoleAssignments appRoleAssignment collection App role assignment for another app or service, granted to this agent identity. Supports $expand. Inherited from microsoft.graph.servicePrincipal
createdObjects directoryObject collection Directory objects created by this agent identity. Read-only. Nullable. Inherited from microsoft.graph.servicePrincipal
memberOf directoryObject collection Roles that this agent identity is a member of. HTTP Methods: GET Read-only. Nullable. Supports $expand. Inherited from microsoft.graph.servicePrincipal
oauth2PermissionGrants oAuth2PermissionGrant collection Delegated permission grants authorizing this agent identity to access an API on behalf of a signed-in user. Read-only. Nullable. Inherited from microsoft.graph.servicePrincipal
ownedObjects directoryObject collection Directory objects that are owned by this agent identity. Read-only. Nullable. Supports $expand and $filter (/$count eq 0, /$count ne 0, /$count eq 1, /$count ne 1). Inherited from microsoft.graph.servicePrincipal
owners directoryObject collection Directory objects that are owners of this agent identity. The owners are a set of nonadmin users or agent identities who are allowed to modify this object. Supports $expand and $filter (/$count eq 0, /$count ne 0, /$count eq 1, /$count ne 1). Inherited from microsoft.graph.servicePrincipal
sponsors directoryObject collection The sponsors for this agent identity.
addIns addIn collection Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its 'FileHandler' functionality. This lets services like Microsoft 365 call the application in the context of a document the user is working on.
alternativeNames string collection Used to retrieve service principals by subscription, identify resource group and full resource IDs for managed identities. Supports $filter (eq, not, ge, le, startsWith).
appManagementPolicies appManagementPolicy collection The appManagementPolicy applied to this service principal.
appOwnerOrganizationId uuid Contains the tenant ID where the application is registered. This is applicable only to service principals backed by applications. Supports $filter (eq, ne, NOT, ge, le).
appRoles appRole collection The roles exposed by the application, which this service principal represents. For more information, see the appRoles property definition on the application entity. Not nullable.
claimsMappingPolicies claimsMappingPolicy collection The claimsMappingPolicies assigned to this service principal. Supports $expand.
delegatedPermissionClassifications delegatedPermissionClassification collection The permission classifications for delegated permissions exposed by the app that this service principal represents. Supports $expand.
endpoints endpoint collection Endpoints available for discovery. Services like Sharepoint populate this property with a tenant specific SharePoint endpoints that other applications can discover and use in their experiences.
federatedIdentityCredentials federatedIdentityCredential collection Related federatedIdentityCredentials data exposed by this resource.
homeRealmDiscoveryPolicies homeRealmDiscoveryPolicy collection The homeRealmDiscoveryPolicies assigned to this service principal. Supports $expand.
keyCredentials keyCredential collection The collection of key credentials associated with the service principal. Not nullable. Supports $filter (eq, not, ge, le).
licenseDetails licenseDetails collection Related licenseDetails data exposed by this resource.
notificationEmailAddresses string collection Specifies the list of email addresses where Microsoft Entra ID sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Microsoft Entra Gallery applications.

Graph Methods

Delegated access App-only access
Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
PATCH /servicePrincipals(appId='{appId}')
PATCH /servicePrincipals/{id}
PATCH /servicePrincipals/{id}/microsoft.graph.agentIdentity
Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
PATCH /servicePrincipals(appId='{appId}')
PATCH /servicePrincipals/{id}
PATCH /servicePrincipals/{id}/microsoft.graph.agentIdentity
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
Update-MgServicePrincipal /servicePrincipals/{id}
Update serviceprincipal
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
Update-MgBetaServicePrincipal /servicePrincipals/{id}
Update serviceprincipal

Code Examples

C# / .NET SDK
Update serviceprincipal
View official example on Microsoft Learn
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new ServicePrincipal
{
	AppRoleAssignmentRequired = true,
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);
JavaScript
Update serviceprincipal
View official example on Microsoft Learn
const options = {
	authProvider,
};

const client = Client.init(options);

const servicePrincipal = {
  appRoleAssignmentRequired: true
};

await client.api('/servicePrincipals/{id}')
	.update(servicePrincipal);
PowerShell
Update serviceprincipal
View official example on Microsoft Learn
Import-Module Microsoft.Graph.Applications

$params = @{
	appRoleAssignmentRequired = $true
}

Update-MgServicePrincipal -ServicePrincipalId $servicePrincipalId -BodyParameter $params
Python
Update serviceprincipal
View official example on Microsoft Learn
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.service_principal import ServicePrincipal
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ServicePrincipal(
	app_role_assignment_required = True,
)

result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').patch(request_body)

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Application permissions or delegated permissions and search for AgentIdentity.EnableDisable.All

4

Grant Admin Consent

Application permissions always require admin consent.