AgentIdentityBlueprintPrincipal.Read.All

Application | Delegated | Read All Resources

Allows reading agent identity blueprint principals without a signed-in user.

Permission data: April 6, 2026 at 4:06 AM UTC

Permission Details

Application Permission

Read agent identity blueprint principals.

Allows reading agent identity blueprint principals without a signed-in user.

Delegated Permission Admin consent required

Read agent identity blueprints principals.

Allows reading agent identity blueprint principals with a signed-in user.

Properties

Properties are shown from stable Microsoft Graph v1.0 metadata.

| Property | Type | Description |
| --- | --- | --- |
| accountEnabled | Boolean, Nullable | true if the agent identity blueprint principal account is enabled; otherwise, false. If set to false, then no users are able to sign in to this app, even if they're assigned to it. Inherited from servicePrincipal. |
| appDescription | String, Nullable | The description exposed by the associated agent identity blueprint. Inherited from servicePrincipal. |
| appDisplayName | String, Nullable | The display name exposed by the associated agent identity blueprint. Maximum length is 256 characters. Inherited from servicePrincipal. |
| appId | String, Nullable | The appId of the associated agent identity blueprint. Alternate key. Inherited from servicePrincipal. |
| appOwnerOrganizationId | Guid, Nullable | Contains the tenant ID where the agent identity blueprint is registered. This is applicable only to agent identity blueprint principals backed by applications. Inherited from servicePrincipal. |
| appRoleAssignmentRequired | Boolean | Specifies whether users or other service principals need to be granted an app role assignment for this agent identity blueprint principal before users can sign in or apps can get tokens. The default value is false. Not nullable. Inherited from servicePrincipal. |
| appRoles | appRole collection | The roles exposed by the agent identity blueprint, which this agent identity blueprint principal represents. For more information, see the appRoles property definition on the application entity. Not nullable. Inherited from servicePrincipal. |
| createdByAppId | String, Nullable | The appId of the application that created this agent identity blueprint principal. Set internally by Microsoft Entra ID. Read-only. Inherited from servicePrincipal. |
| disabledByMicrosoftStatus | String, Nullable | Specifies whether Microsoft has disabled the registered agent identity blueprint. The possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). Inherited from servicePrincipal. |
| displayName | String, Nullable | The display name for the agent identity blueprint principal. Inherited from servicePrincipal. |
| id | String | The unique identifier for the agent identity blueprint principal. Inherited from entity. Key. Not nullable. Read-only. |
| info | informationalUrl | Basic profile information of the acquired application such as app's marketing, support, terms of service and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience. Inherited from servicePrincipal. |
| publishedPermissionScopes | permissionScope collection | The delegated permissions exposed by the application. For more information, see the oauth2PermissionScopes property on the agent identity blueprint entity's api property. Not nullable. Inherited from servicePrincipal. |
| publisherName | String, Nullable | The name of the Microsoft Entra tenant that published the application. Inherited from servicePrincipal. |
| servicePrincipalNames | String collection | Contains the list of identifiersUris, copied over from the associated agent identity blueprint. More values can be added to hybrid agent identity blueprint. These values can be used to identify the permissions exposed by this app within Microsoft Entra ID. Not nullable. Property blocked on Agent Identity Blueprint Principal. Inherited from servicePrincipal. |

Showing 15 of 64 properties.

JSON Representation

JSON representation is shown from stable Microsoft Graph v1.0 metadata.

{
  "@odata.type": "#microsoft.graph.agentIdentityBlueprintPrincipal",
  "id": "String (identifier)",
  "accountEnabled": "Boolean",
  "createdByAppId": "String",
  "appDescription": "String",
  "appDisplayName": "String",
  "appId": "String",
  "appOwnerOrganizationId": "Guid",
  "appRoleAssignmentRequired": "Boolean",
  "disabledByMicrosoftStatus": "String",
  "displayName": "String",
  "publisherName": "String",
  "servicePrincipalNames": [
    "String"
  ],
  "servicePrincipalType": "String",
  "signInAudience": "String",
  "tags": [
    "String"
  ],
  "appRoles": [
    {
      "@odata.type": "microsoft.graph.appRole"
    }
  ],
  "info": {
    "@odata.type": "microsoft.graph.informationalUrl"
  },
  "publishedPermissionScopes": [
    {
      "@odata.type": "microsoft.graph.permissionScope"
    }
  ],
  "verifiedPublisher": {
    "@odata.type": "microsoft.graph.verifiedPublisher"
  }
}

Relationships

Relationships are shown from stable Microsoft Graph v1.0 metadata.

| Relationship | Type | Description |
| --- | --- | --- |
| appManagementPolicies | appManagementPolicy collection | The appManagementPolicy applied to this agent identity blueprint principal. Inherited from microsoft.graph.servicePrincipal. |
| appRoleAssignedTo | appRoleAssignment collection | App role assignments for this agent identity blueprint principal, granted to users, groups, and other service principals. Supports $expand. Inherited from microsoft.graph.servicePrincipal. |
| appRoleAssignments | appRoleAssignment collection | App role assignment for another app or service, granted to this agent identity blueprint principal. Supports $expand. Inherited from microsoft.graph.servicePrincipal. |
| createdObjects | directoryObject collection | Directory objects created by this agent identity blueprint principal. Read-only. Nullable. Inherited from microsoft.graph.servicePrincipal. |
| memberOf | directoryObject collection | Roles that this agent identity blueprint principal is a member of. HTTP Methods: GET. Read-only. Nullable. Supports $expand. Inherited from microsoft.graph.servicePrincipal. |
| oauth2PermissionGrants | oAuth2PermissionGrant collection | Delegated permission grants authorizing this agent identity blueprint principal to access an API on behalf of a signed-in user. Read-only. Nullable. Inherited from microsoft.graph.servicePrincipal. |
| ownedObjects | directoryObject collection | Directory objects that are owned by this agent identity blueprint principal. Read-only. Nullable. Supports $expand and $filter (/$count eq 0, /$count ne 0, /$count eq 1, /$count ne 1). Inherited from microsoft.graph.servicePrincipal. |
| owners | directoryObject collection | Directory objects that are owners of this agent identity blueprint principal. The owners are a set of nonadmin users or servicePrincipals who are allowed to modify this object. Supports $expand and $filter (/$count eq 0, /$count ne 0, /$count eq 1, /$count ne 1). Inherited from microsoft.graph.servicePrincipal. |
| sponsors | directoryObject collection | The sponsors for this agent identity blueprint principal. Sponsors are users or service principals who can authorize and manage the lifecycle of agent identity instances. |
| addIns | addIn collection | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its 'FileHandler' functionality. This lets services like Microsoft 365 call the application in the context of a document the user is working on. |
| alternativeNames | string collection | Used to retrieve service principals by subscription, identify resource group and full resource IDs for managed identities. Supports $filter (eq, not, ge, le, startsWith). |
| appOwnerOrganizationId | uuid | Contains the tenant ID where the application is registered. This is applicable only to service principals backed by applications. Supports $filter (eq, ne, NOT, ge, le). |
| appRoles | appRole collection | The roles exposed by the application, which this service principal represents. For more information, see the appRoles property definition on the application entity. Not nullable. |
| claimsMappingPolicies | claimsMappingPolicy collection | The claimsMappingPolicies assigned to this service principal. Supports $expand. |
| delegatedPermissionClassifications | delegatedPermissionClassification collection | The permission classifications for delegated permissions exposed by the app that this service principal represents. Supports $expand. |
| endpoints | endpoint collection | Endpoints available for discovery. Services like SharePoint populate this property with tenant-specific SharePoint endpoints that other applications can discover and use in their experiences. |
| federatedIdentityCredentials | federatedIdentityCredential collection | Related federatedIdentityCredentials data exposed by this resource. |
| homeRealmDiscoveryPolicies | homeRealmDiscoveryPolicy collection | The homeRealmDiscoveryPolicies assigned to this service principal. Supports $expand. |
| keyCredentials | keyCredential collection | The collection of key credentials associated with the service principal. Not nullable. Supports $filter (eq, not, ge, le). |
| licenseDetails | licenseDetails collection | Related licenseDetails data exposed by this resource. |
| notificationEmailAddresses | string collection | Specifies the list of email addresses where Microsoft Entra ID sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Microsoft Entra Gallery applications. |

Graph Methods

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /servicePrincipals
GET /servicePrincipals(appId='{appId}')
GET /servicePrincipals(appId='{appId}')/microsoft.graph.agentIdentityBlueprintPrincipal
GET /servicePrincipals/{id}
GET /servicePrincipals/{id}/microsoft.graph.agentIdentityBlueprintPrincipal
GET /servicePrincipals/{id}/microsoft.graph.agentIdentityBlueprintPrincipal/memberOf
GET /servicePrincipals/{id}/microsoft.graph.agentIdentityBlueprintPrincipal/owners
GET /servicePrincipals/microsoft.graph.agentIdentity
GET /servicePrincipals/microsoft.graph.agentIdentityBlueprintPrincipal

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /servicePrincipals
GET /servicePrincipals(appId='{appId}')
GET /servicePrincipals(appId='{appId}')/microsoft.graph.agentIdentityBlueprintPrincipal
GET /servicePrincipals/{id}
GET /servicePrincipals/{id}/microsoft.graph.agentIdentityBlueprintPrincipal
GET /servicePrincipals/{id}/microsoft.graph.agentIdentityBlueprintPrincipal/memberOf
GET /servicePrincipals/{id}/microsoft.graph.agentIdentityBlueprintPrincipal/owners
GET /servicePrincipals/microsoft.graph.agentIdentity
GET /servicePrincipals/microsoft.graph.agentIdentityBlueprintPrincipal

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands

| Command | Endpoint | Description |
| --- | --- | --- |
| Get-MgServicePrincipal | /servicePrincipals | List servicePrincipals |
| Get-MgServicePrincipal | /servicePrincipals/{id} | Get servicePrincipal |
| Get-MgServicePrincipal | /servicePrincipals/microsoft.graph.agentIdentity | List agentIdentity objects |
| Get-MgServicePrincipal | /servicePrincipals/microsoft.graph.agentIdentityBlueprintPrincipal | List agentIdentityBlueprintPrincipal objects |
| Get-MgServicePrincipalCount | /servicePrincipals | List servicePrincipals |

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands

| Command | Endpoint | Description |
| --- | --- | --- |
| Get-MgBetaServicePrincipal | /servicePrincipals | List servicePrincipals |
| Get-MgBetaServicePrincipal | /servicePrincipals/{id} | Get servicePrincipal |
| Get-MgBetaServicePrincipal | /servicePrincipals/microsoft.graph.agentIdentity | List agentIdentity objects |
| Get-MgBetaServicePrincipal | /servicePrincipals/microsoft.graph.agentIdentityBlueprintPrincipal | List agentIdentityBlueprintPrincipal objects |
| Get-MgBetaServicePrincipalByAppId | /servicePrincipals/{id} | Get servicePrincipal |
| Get-MgBetaServicePrincipalCount | /servicePrincipals | List servicePrincipals |

Code Examples

C# / .NET SDK: Get servicePrincipal

// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].GetAsync();

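JavaScript: Get agentIdentityBlueprintPrincipal

// Client comes from the Microsoft Graph JavaScript client library.
import { Client } from "@microsoft/microsoft-graph-client";

// authProvider must be created before this point.
const options = {
	authProvider,
};

const client = Client.init(options);

// Replace {id} with the object id of the service principal.
let agentIdentityBlueprintPrincipal = await client.api('/servicePrincipals/{id}/microsoft.graph.agentIdentityBlueprintPrincipal')
	.get();
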
PowerShell: Get servicePrincipal

Import-Module Microsoft.Graph.Applications

# $servicePrincipalId holds the object id of the service principal to read.
Get-MgServicePrincipal -ServicePrincipalId $servicePrincipalId

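Python: Get servicePrincipal

# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python

async def get_service_principal(graph_client: GraphServiceClient):
    # 'servicePrincipal-id' is a placeholder for the object id of the service principal.
    # The call is a coroutine, so it has to be awaited inside an async function.
    return await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').get()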

App Registration

1. Navigate to Azure Portal: Go to App registrations in Microsoft Entra admin center.
2. Add API Permission: Select your app → API permissions → Add a permission → Microsoft Graph.
3. Select Permission Type: Choose Application permissions or delegated permissions and search for AgentIdentityBlueprintPrincipal.Read.All.
4. Grant Admin Consent: Application permissions always require admin consent.