AgentIdentityBlueprintPrincipal.EnableDisable.All
Allows enabling or disabling agent identity blueprint principals without a signed-in user.
Permission Details
| Permission type | Display text | Description | ID |
|---|---|---|---|
| Application | Enable or disable agent identity blueprint principals. | Allows enabling or disabling agent identity blueprint principals without a signed-in user. | a0bdd23d-8b19-4682-b428-574d96527c6f |
| Delegated | Enable or disable agent identity blueprint principals. | Allows enabling or disabling agent identity blueprint principals with a signed-in user. | e7475e0a-9f02-43e2-a250-5c2ea74ccd0e |
Properties
Properties are shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
| accountEnabled | Boolean (nullable) | true if the agent identity blueprint principal account is enabled; otherwise, false. If set to false, then no users are able to sign in to this app, even if they're assigned to it. Inherited from servicePrincipal. |
| appDescription | String (nullable) | The description exposed by the associated agent identity blueprint. Inherited from servicePrincipal. |
| appDisplayName | String (nullable) | The display name exposed by the associated agent identity blueprint. Maximum length is 256 characters. Inherited from servicePrincipal. |
| appId | String (nullable) | The appId of the associated agent identity blueprint. Alternate key. Inherited from servicePrincipal. |
| appOwnerOrganizationId | Guid (nullable) | Contains the tenant ID where the agent identity blueprint is registered. This is applicable only to agent identity blueprint principals backed by applications. Inherited from servicePrincipal. |
| appRoleAssignmentRequired | Boolean | Specifies whether users or other service principals need to be granted an app role assignment for this agent identity blueprint principal before users can sign in or apps can get tokens. The default value is false. Not nullable. Inherited from servicePrincipal. |
| appRoles | appRole collection | The roles exposed by the agent identity blueprint, which this agent identity blueprint principal represents. For more information, see the appRoles property definition on the application entity. Not nullable. Inherited from servicePrincipal. |
| createdByAppId | String (nullable) | The appId of the application that created this agent identity blueprint principal. Set internally by Microsoft Entra ID. Read-only. Inherited from servicePrincipal. |
| disabledByMicrosoftStatus | String (nullable) | Specifies whether Microsoft has disabled the registered agent identity blueprint. The possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). Inherited from servicePrincipal. |
| displayName | String (nullable) | The display name for the agent identity blueprint principal. Inherited from servicePrincipal. |
| id | String | The unique identifier for the agent identity blueprint principal. Inherited from entity. Key. Not nullable. Read-only. |
| info | informationalUrl | Basic profile information of the acquired application such as app's marketing, support, terms of service and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience. Inherited from servicePrincipal. |
| publishedPermissionScopes | permissionScope collection | The delegated permissions exposed by the application. For more information, see the oauth2PermissionScopes property on the agent identity blueprint entity's api property. Not nullable. Inherited from servicePrincipal. |
| publisherName | String (nullable) | The name of the Microsoft Entra tenant that published the application. Inherited from servicePrincipal. |
| servicePrincipalNames | String collection | Contains the list of identifiersUris, copied over from the associated agent identity blueprint. More values can be added to hybrid agent identity blueprint. These values can be used to identify the permissions exposed by this app within Microsoft Entra ID. Not nullable. Property blocked on Agent Identity Blueprint Principal. Inherited from servicePrincipal. |
Showing 15 of 64 properties.
JSON Representation
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
```json
{
  "@odata.type": "#microsoft.graph.agentIdentityBlueprintPrincipal",
  "id": "String (identifier)",
  "accountEnabled": "Boolean",
  "createdByAppId": "String",
  "appDescription": "String",
  "appDisplayName": "String",
  "appId": "String",
  "appOwnerOrganizationId": "Guid",
  "appRoleAssignmentRequired": "Boolean",
  "disabledByMicrosoftStatus": "String",
  "displayName": "String",
  "publisherName": "String",
  "servicePrincipalNames": [
    "String"
  ],
  "servicePrincipalType": "String",
  "signInAudience": "String",
  "tags": [
    "String"
  ],
  "appRoles": [
    {
      "@odata.type": "microsoft.graph.appRole"
    }
  ],
  "info": {
    "@odata.type": "microsoft.graph.informationalUrl"
  },
  "publishedPermissionScopes": [
    {
      "@odata.type": "microsoft.graph.permissionScope"
    }
  ],
  "verifiedPublisher": {
    "@odata.type": "microsoft.graph.verifiedPublisher"
  }
}
```
Relationships
Relationships are shown from stable Microsoft Graph v1.0 metadata.
| Relationship | Type | Description |
|---|---|---|
| appManagementPolicies | appManagementPolicy collection | The appManagementPolicy applied to this agent identity blueprint principal. Inherited from microsoft.graph.servicePrincipal |
| appRoleAssignedTo | appRoleAssignment collection | App role assignments for this agent identity blueprint principal, granted to users, groups, and other service principals. Supports $expand. Inherited from microsoft.graph.servicePrincipal |
| appRoleAssignments | appRoleAssignment collection | App role assignment for another app or service, granted to this agent identity blueprint principal. Supports $expand. Inherited from microsoft.graph.servicePrincipal |
| createdObjects | directoryObject collection | Directory objects created by this agent identity blueprint principal. Read-only. Nullable. Inherited from microsoft.graph.servicePrincipal |
| memberOf | directoryObject collection | Roles that this agent identity blueprint principal is a member of. HTTP Methods: GET. Read-only. Nullable. Supports $expand. Inherited from microsoft.graph.servicePrincipal |
| oauth2PermissionGrants | oAuth2PermissionGrant collection | Delegated permission grants authorizing this agent identity blueprint principal to access an API on behalf of a signed-in user. Read-only. Nullable. Inherited from microsoft.graph.servicePrincipal |
| ownedObjects | directoryObject collection | Directory objects that are owned by this agent identity blueprint principal. Read-only. Nullable. Supports $expand and $filter (/$count eq 0, /$count ne 0, /$count eq 1, /$count ne 1). Inherited from microsoft.graph.servicePrincipal |
| owners | directoryObject collection | Directory objects that are owners of this agent identity blueprint principal. The owners are a set of nonadmin users or servicePrincipals who are allowed to modify this object. Supports $expand and $filter (/$count eq 0, /$count ne 0, /$count eq 1, /$count ne 1). Inherited from microsoft.graph.servicePrincipal |
| sponsors | directoryObject collection | The sponsors for this agent identity blueprint principal. Sponsors are users or service principals who can authorize and manage the lifecycle of agent identity instances. |
| addIns | addIn collection | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its 'FileHandler' functionality. This lets services like Microsoft 365 call the application in the context of a document the user is working on. |
| alternativeNames | string collection | Used to retrieve service principals by subscription, identify resource group and full resource IDs for managed identities. Supports $filter (eq, not, ge, le, startsWith). |
| appOwnerOrganizationId | uuid | Contains the tenant ID where the application is registered. This is applicable only to service principals backed by applications. Supports $filter (eq, ne, NOT, ge, le). |
| appRoles | appRole collection | The roles exposed by the application, which this service principal represents. For more information, see the appRoles property definition on the application entity. Not nullable. |
| claimsMappingPolicies | claimsMappingPolicy collection | The claimsMappingPolicies assigned to this service principal. Supports $expand. |
| delegatedPermissionClassifications | delegatedPermissionClassification collection | The permission classifications for delegated permissions exposed by the app that this service principal represents. Supports $expand. |
| endpoints | endpoint collection | Endpoints available for discovery. Services like SharePoint populate this property with tenant-specific SharePoint endpoints that other applications can discover and use in their experiences. |
| federatedIdentityCredentials | federatedIdentityCredential collection | Related federatedIdentityCredentials data exposed by this resource. |
| homeRealmDiscoveryPolicies | homeRealmDiscoveryPolicy collection | The homeRealmDiscoveryPolicies assigned to this service principal. Supports $expand. |
| keyCredentials | keyCredential collection | The collection of key credentials associated with the service principal. Not nullable. Supports $filter (eq, not, ge, le). |
| licenseDetails | licenseDetails collection | Related licenseDetails data exposed by this resource. |
| notificationEmailAddresses | string collection | Specifies the list of email addresses where Microsoft Entra ID sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Microsoft Entra Gallery applications. |
Graph Methods
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
| Methods |
|---|
| PATCH /servicePrincipals(appId='{appId}') |
| PATCH /servicePrincipals/{id} |
| PATCH /servicePrincipals/{id}/microsoft.graph.agentIdentityBlueprintPrincipal |
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
| Methods |
|---|
| PATCH /servicePrincipals(appId='{appId}') |
| PATCH /servicePrincipals/{id} |
| PATCH /servicePrincipals/{id}/graph.agentIdentityBlueprintPrincipal |
Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
| Commands |
|---|
| Update-MgServicePrincipal: /servicePrincipals/{id} (Update serviceprincipal) |
Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Code Examples
```csharp
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

// Require an app role assignment before users can sign in or apps can get tokens.
var requestBody = new ServicePrincipal
{
    AppRoleAssignmentRequired = true,
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);
```
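```javascript
// Dependency: the Microsoft Graph JavaScript client library.
import { Client } from "@microsoft/microsoft-graph-client";

// authProvider must be an already initialized authentication provider for your app.
const options = {
    authProvider,
};

const client = Client.init(options);

// Require an app role assignment before users can sign in or apps can get tokens.
const agentIdentityBlueprintPrincipal = {
    appRoleAssignmentRequired: true
};

await client.api('/servicePrincipals/{id}/microsoft.graph.agentIdentityBlueprintPrincipal')
    .update(agentIdentityBlueprintPrincipal);
```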
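```powershell
Import-Module Microsoft.Graph.Applications

# Require an app role assignment before users can sign in or apps can get tokens.
$params = @{
    appRoleAssignmentRequired = $true
}

# $servicePrincipalId holds the object ID of the target service principal.
Update-MgServicePrincipal -ServicePrincipalId $servicePrincipalId -BodyParameter $params
```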
```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.service_principal import ServicePrincipal


async def require_app_role_assignment(graph_client: GraphServiceClient):
    # To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
    request_body = ServicePrincipal(
        app_role_assignment_required=True,
    )
    # The SDK call is a coroutine, so it has to be awaited inside an async function.
    return await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').patch(request_body)
```
App Registration
1. Navigate to Azure Portal: Go to App registrations in Microsoft Entra admin center
2. Add API Permission: Select your app → API permissions → Add a permission → Microsoft Graph
3. Select Permission Type: Choose Application permissions or delegated permissions and search for AgentIdentityBlueprintPrincipal.EnableDisable.All
4. Grant Admin Consent: Application permissions always require admin consent.
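
Once the permission has been granted, it is worth reviewing who holds it. The following is an added example, not code from this page or from Microsoft: a small audit over the JSON `value` arrays of the Microsoft Graph service principal's appRoleAssignedTo relationship and of oauth2PermissionGrants. It assumes the first ID listed on this page is the application permission's app role ID; the sample records, their placeholder object IDs and the `approved` allowlist are constructed.

```python
PERMISSION = "AgentIdentityBlueprintPrincipal.EnableDisable.All"
# Assumption: the first ID listed on this page is the application (app role) ID.
APP_ROLE_ID = "a0bdd23d-8b19-4682-b428-574d96527c6f"


def find_holders(app_role_assigned_to, oauth2_grants, approved=frozenset()):
    """Return (grant_type, client_object_id, detail, is_approved) per holder."""
    holders = []
    for a in app_role_assigned_to:
        # GUID casing can differ between exports, so compare case-insensitively.
        if a.get("appRoleId", "").lower() == APP_ROLE_ID:
            pid = a["principalId"]
            holders.append(("application", pid,
                            a.get("principalDisplayName", ""), pid in approved))
    for g in oauth2_grants:
        # scope is a space-delimited string; match whole tokens, not substrings.
        if PERMISSION in (g.get("scope") or "").split():
            cid = g["clientId"]
            who = "all users" if g.get("consentType") == "AllPrincipals" else g.get("principalId")
            holders.append(("delegated", cid, who, cid in approved))
    return holders


def unapproved(holders):
    """Keep only holders that are not on the allowlist."""
    return [h for h in holders if not h[3]]


# Constructed sample data shaped like the `value` arrays returned by Graph.
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "A0BDD23D-8B19-4682-B428-574D96527C6F",
     "principalId": "sp-lifecycle-bot", "principalDisplayName": "Agent lifecycle automation"},
    {"appRoleId": "00000000-0000-0000-0000-000000000001",
     "principalId": "sp-reporting", "principalDisplayName": "Reporting job"},
    {"appRoleId": APP_ROLE_ID,
     "principalId": "sp-unknown", "principalDisplayName": "Untracked app"},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-admin-portal", "consentType": "AllPrincipals", "principalId": None,
     "scope": " User.Read AgentIdentityBlueprintPrincipal.EnableDisable.All"},
    {"clientId": "sp-helpdesk", "consentType": "Principal", "principalId": "user-42",
     "scope": "User.Read"},
]

if __name__ == "__main__":
    for holder in find_holders(SAMPLE_ASSIGNMENTS, SAMPLE_GRANTS, approved={"sp-lifecycle-bot"}):
        print(holder)
```

Application holders can enable or disable blueprint principals with no user present, so those entries deserve the closest review; a delegated grant with consentType `AllPrincipals` applies to every user of the client app.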